Package creation for Network Threat Protection Essentials

v-sabiraj 2022-11-16 18:19:50 +05:30
Родитель 087da5881f
Коммит 9082a14173
10 изменённых файлов: 913 добавлений и 0 удалений


@ -0,0 +1,20 @@
{
"Name": "Network Threat Protection Essentials",
"Author": "Microsoft - support@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
"Description": "The **Network Threat Protection Essentials** solution contains queries that identifies suspicious network behavior based on various data sources ingested in Sentinel. The solution contains queries to detect common network-based attacks - things like malicious user agents, mining pools, Base64 encoded IPv4 address in request URL etc. The solution will be constantly updated to add more detection/hunting query as well as other sentinel content.\r\n \r\n**Pre-requisites:**\r\n \r\nThis is a[domain solution](https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog#domain-solutionsand does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution.\r\n \r\n 1.[Microsoft 365](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-office365azure-sentinel-solution-office365)\r\n \r\n 2.[Amazon Web Services](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-amazonwebservicesazure-sentinel-solution-amazonwebservices)\r\n \r\n 3.[Microsoft Windows DNS](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-dnsazure-sentinel-solution-dns)\r\n \r\n4.[Azure Firewall](https://ms.portal.azure.com/#create/sentinel4azurefirewall.sentinel4azurefirewallsentinel4azurefirewall)\r\n \r\n5.[Windows Forwarded Events](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-windowsforwardedeventsazure-sentinel-solution-windowsforwardedevents)\r\n \r\n6.[ZScaler Internet Access](https://ms.portal.azure.com/#create/zscaler1579058425289.zscaler_internet_access_msszia_msentinel_v1)\r\n \r\n7.[Palo Alto Networks](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-paloaltopanosazure-sentinel-solution-paloaltopanos)\r\n \r\n8.[Fortinet 
FortiGate](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-fortinetfortigateazure-sentinel-solution-fortinetfortigate)\r\n \r\n9.[Check Point](https://ms.portal.azure.com/#create/checkpoint.checkpoint-sentinel-solutionssentinel-1)\r\n \r\n**Keywords:** Malicious IP/User agent, DNS, TOR, mining",
"Hunting Queries": [
"Hunting Queries/UseragentExploitPentest.yaml",
"Hunting Queries/B64IPInURL.yaml",
"Hunting Queries/RiskyCommandB64EncodedInUrl.yaml"
],
"Analytic Rules": [
"Analytic Rules/NetworkEndpointCorrelation.yaml",
"Analytic Rules/NewUserAgentLast24h.yaml"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Network Threat Protection Essentials",
"Version": "2.0.0",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": true
}
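Review bot: The `"Description"` string has broken Markdown: `a[domain solution](...#domain-solutionsand does not` is missing the space before `[` and the closing `)` after `domain-solutions`, and the numbered items have no space after the ordinal (`1.[Microsoft 365]`), so neither the link nor the list will render in the solution listing. The same paragraph in the createUiDefinition added by this commit reads correctly — `This is a [domain solution](https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog#domain-solutions) and does not include any data connectors` followed by ` 1. [Microsoft 365](...)` — so this copy should be brought in line with it, since this file is presumably the input the packaging tooling reads and the two descriptions will otherwise drift. Separately, `"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Network Threat Protection Essentials"` is an author-local absolute path; if the packaging script accepts a repository-relative path, using one would make the package definition reproducible on other machines.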

Solutions/Network Threat Protection Essentials/Package/2.0.0.zip Normal file



@ -0,0 +1,183 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe **Network Threat Protection Essentials** solution contains queries that identifies suspicious network behavior based on various data sources ingested in Sentinel. The solution contains queries to detect common network-based attacks - things like malicious user agents, mining pools, Base64 encoded IPv4 address in request URL etc. The solution will be constantly updated to add more detection/hunting query as well as other sentinel content.\r\n \r\n**Pre-requisites:**\r\n \r\nThis is a [domain solution](https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog#domain-solutions) and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution.\r\n \r\n 1. [Microsoft 365](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-office365azure-sentinel-solution-office365)\r\n \r\n 2. [Amazon Web Services](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-amazonwebservicesazure-sentinel-solution-amazonwebservices)\r\n \r\n 3. [Microsoft Windows DNS](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-dnsazure-sentinel-solution-dns)\r\n \r\n 4. [Azure Firewall](https://ms.portal.azure.com/#create/sentinel4azurefirewall.sentinel4azurefirewallsentinel4azurefirewall)\r\n \r\n 5. [Windows Forwarded Events](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-windowsforwardedeventsazure-sentinel-solution-windowsforwardedevents)\r\n \r\n 6. 
[ZScaler Internet Access](https://ms.portal.azure.com/#create/zscaler1579058425289.zscaler_internet_access_msszia_msentinel_v1)\r\n \r\n 7. [Palo Alto Networks](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-paloaltopanosazure-sentinel-solution-paloaltopanos)\r\n \r\n 8. [Fortinet FortiGate](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-fortinetfortigateazure-sentinel-solution-fortinetfortigate)\r\n \r\n 9. [Check Point](https://ms.portal.azure.com/#create/checkpoint.checkpoint-sentinel-solutionssentinel-1)\r\n \r\n**Keywords:** Malicious IP/User agent, DNS, TOR, mining\n\n**Analytic Rules:** 2, **Hunting Queries:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "analytics",
"label": "Analytics",
"subLabel": {
"preValidation": "Configure the analytics",
"postValidation": "Done"
},
"bladeTitle": "Analytics",
"elements": [
{
"name": "analytics-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view."
}
},
{
"name": "analytics-link",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
}
}
},
{
"name": "analytic1",
"type": "Microsoft.Common.Section",
"label": "Network endpoint to host executable correlation",
"elements": [
{
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Correlates blocked URLs hosting [malicious] executables with host endpoint data\nto identify potential instances of executables of the same name having been recently run."
}
}
]
},
{
"name": "analytic2",
"type": "Microsoft.Common.Section",
"label": "New UserAgent observed in last 24 hours",
"elements": [
{
"name": "analytic2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection\nextracts words from user agents to build the baseline and determine rareity rather than perform a\ndirect comparison. This avoids FPs caused by version numbers and other high entropy user agent components.\nThese new UserAgents could be benign. However, in normally stable environments,\nthese new UserAgents could provide a starting point for investigating malicious activity.\nNote: W3CIISLog can be noisy depending on the environment, however OfficeActivity and AWSCloudTrail are\nusually stable with low numbers of detections."
}
}
]
}
]
},
{
"name": "huntingqueries",
"label": "Hunting Queries",
"bladeTitle": "Hunting Queries",
"elements": [
{
"name": "huntingqueries-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view. "
}
},
{
"name": "huntingqueries-link",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/hunting"
}
}
},
{
"name": "huntingquery1",
"type": "Microsoft.Common.Section",
"label": "Exploit and Pentest Framework User Agent",
"elements": [
{
"name": "huntingquery1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "There are several exploit and pen test frameworks that are being used by pen testers as well as attackers to \ncompromise an environment and achieve their objective. The query tries to detect suspicious user agent strings \nused by these frameworks in some of the data sources that contain UserAgent field. \nThis is based out of sigma rules described in references.\nReferences: https://github.com/Neo23x0/sigma/blob/master/rules/proxy/proxy_ua_frameworks.yml It depends on the Office365 AWS AzureMonitor(IIS) data connector and OfficeActivity AWSCloudTrail W3CIISLog data type and Office365 AWS AzureMonitor(IIS) parser."
}
}
]
},
{
"name": "huntingquery2",
"type": "Microsoft.Common.Section",
"label": "Base64 encoded IPv4 address in request url",
"elements": [
{
"name": "huntingquery2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This hunting query will detect when a Base64 IPv4 address is seen in a outbound request URL. This query uses pre-computed base64 offsets for IPv4 sequences allowing detection\nof an IPv4 address under base64 without the need to decode. After identifying a candidate this query will decode the base64 into an array of longs where a regex will extract\nthe ip candidate into plaintext. Finally the query will extract the plaintext IPv4 address pattern from the IP candidate. It depends on the Zscaler Fortinet CheckPoint PaloAltoNetworks data connector and CommonSecurityLog CommonSecurityLog CommonSecurityLog CommonSecurityLog data type and Zscaler Fortinet CheckPoint PaloAltoNetworks parser."
}
}
]
},
{
"name": "huntingquery3",
"type": "Microsoft.Common.Section",
"label": "Risky base64 encoded command in URL",
"elements": [
{
"name": "huntingquery3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This hunting query will detect risky base64 encoded commands are seen in web requests. Some threat actors transmit base64 commands from the target host\nback to the C2 servers so they know which command has been executed. This query also reguarly illumniates base64 encoded webshells being injected.\nThe limitation of this query is that base64 is case sensitive, so different case versions of each command need generating for full coverage. This query\ncomputes base64 permutations for each command, resulting in 3 possible permutations depending on padding. It depends on the Zscaler Fortinet CheckPoint PaloAltoNetworks data connector and CommonSecurityLog CommonSecurityLog CommonSecurityLog CommonSecurityLog data type and Zscaler Fortinet CheckPoint PaloAltoNetworks parser."
}
}
]
}
]
}
],
"outputs": {
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
"location": "[location()]",
"workspace": "[basics('workspace')]"
}
}
}
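Review bot: The `resourceProviders` list under `basics.subscription` does not match what the mainTemplate in this commit deploys: it names `Microsoft.Insights/workbooks` and `Microsoft.Logic/workflows`, for which this solution ships no content, and omits `Microsoft.SecurityInsights`, although the template creates `Microsoft.SecurityInsights/AlertRuleTemplates` and `Microsoft.OperationalInsights/workspaces/providers/metadata` resources. If this list is what the portal uses to verify provider registration before deployment, it should be aligned with the resource types actually deployed so a missing registration is caught up front rather than at deploy time. The generated text for `huntingquery2-text` and `huntingquery3-text` repeats `CommonSecurityLog` four times (`CommonSecurityLog CommonSecurityLog CommonSecurityLog CommonSecurityLog data type`), which looks like the generator joining one data type per connector without de-duplicating; the list should be de-duplicated before it is joined. Minor typos carried over from the query descriptions: `rareity` in `analytic2-text` and `reguarly illumniates` in `huntingquery3-text`, which also appear in the mainTemplate description tags.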


@ -0,0 +1,695 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"author": "Microsoft - support@microsoft.com",
"comments": "Solution template for Network Threat Protection Essentials"
},
"parameters": {
"location": {
"type": "string",
"minLength": 1,
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
}
},
"workspace-location": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
}
},
"workspace": {
"defaultValue": "",
"type": "string",
"metadata": {
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
}
}
},
"variables": {
"solutionId": "azuresentinel.azure-sentinel-solution-networkthreatdetection",
"_solutionId": "[variables('solutionId')]",
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"huntingQueryVersion1": "1.0.0",
"huntingQuerycontentId1": "df75ac6c-7b0b-40d2-82e4-191c012f1a07",
"_huntingQuerycontentId1": "[variables('huntingQuerycontentId1')]",
"huntingQueryId1": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId1'))]",
"huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1')))]",
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"huntingQueryVersion2": "1.0.0",
"huntingQuerycontentId2": "39156a1d-c9e3-439e-967b-be7dcba918d9",
"_huntingQuerycontentId2": "[variables('huntingQuerycontentId2')]",
"huntingQueryId2": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId2'))]",
"huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId2')))]",
"huntingQueryVersion3": "1.0.0",
"huntingQuerycontentId3": "c46eeb45-c324-4a84-9df1-248c6d1507bb",
"_huntingQuerycontentId3": "[variables('huntingQuerycontentId3')]",
"huntingQueryId3": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId3'))]",
"huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId3')))]",
"analyticRuleVersion1": "1.1.3",
"analyticRulecontentId1": "01f64465-b1ef-41ea-a7f5-31553a11ad43",
"_analyticRulecontentId1": "[variables('analyticRulecontentId1')]",
"analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]",
"analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1')))]",
"analyticRuleVersion2": "1.0.1",
"analyticRulecontentId2": "b725d62c-eb77-42ff-96f6-bdc6745fc6e0",
"_analyticRulecontentId2": "[variables('analyticRulecontentId2')]",
"analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]",
"analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2')))]"
},
"resources": [
{
"type": "Microsoft.Resources/templateSpecs",
"apiVersion": "2021-05-01",
"name": "[variables('huntingQueryTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "HuntingQuery"
},
"properties": {
"description": "Network Threat Protection Essentials Hunting Query 1 with template",
"displayName": "Network Threat Protection Essentials Hunting Query template"
}
},
{
"type": "Microsoft.Resources/templateSpecs/versions",
"apiVersion": "2021-05-01",
"name": "[concat(variables('huntingQueryTemplateSpecName1'),'/',variables('huntingQueryVersion1'))]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "HuntingQuery"
},
"dependsOn": [
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName1'))]"
],
"properties": {
"description": "UseragentExploitPentest_HuntingQueries Hunting Query with template version 2.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion1')]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.OperationalInsights/savedSearches",
"apiVersion": "2020-08-01",
"name": "Network_Threat_Protection_Essentials_Hunting_Query_1",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "Exploit and Pentest Framework User Agent",
"category": "Hunting Queries",
"query": "\nlet UserAgentList = \"Internet Explorer |Mozilla/4\\\\.0 \\\\(compatible; MSIE 6\\\\.0; Windows NT 5\\\\.1; SV1; InfoPath\\\\.2\\\\)|Mozilla/5\\\\.0 \\\\(Windows NT 10\\\\.0; Win32; x32; rv:60\\\\.0\\\\)|Mozilla/4\\\\.0 \\\\(compatible; Metasploit RSPEC\\\\)|Mozilla/4\\\\.0 \\\\(compatible; MSIE 6\\\\.1; Windows NT\\\\)|Mozilla/4\\\\.0 \\\\(compatible; MSIE 6\\\\.0; Windows NT 5\\\\.1\\\\)|Mozilla/4\\\\.0 \\\\(compatible; MSIE 8\\\\.0; Windows NT 6\\\\.0; Trident/4\\\\.0\\\\)|Mozilla/4\\\\.0 \\\\(compatible; MSIE 7\\\\.0; Windows NT 6\\\\.0; Trident/4\\\\.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; \\\\.N|Mozilla/5\\\\.0 \\\\(Windows; U; Windows NT 5\\\\.1; en-US\\\\) AppleWebKit/525\\\\.13 \\\\(KHTML, like Gecko\\\\) Chrome/4\\\\.0\\\\.221\\\\.6 Safari/525\\\\.13|Mozilla/5\\\\.0 \\\\(compatible; MSIE 9\\\\.0; Windows NT 6\\\\.1; WOW64; Trident/5\\\\.0; MAAU\\\\)|Mozilla/5\\\\.0[^\\\\s]|Mozilla/4\\\\.0 \\\\(compatible; SPIPE/1\\\\.0|Mozilla/5\\\\.0 \\\\(Windows NT 6\\\\.3; rv:39\\\\.0\\\\) Gecko/20100101 Firefox/35\\\\.0|Sametime Community Agent|X-FORWARDED-FOR|DotDotPwn v2\\\\.1|SIPDROID|wordpress hash grabber|exploit|okhttp/\";\n// Excluding for IIS, as the main malicious usage for okhttp that we have seen was in the OfficeActivity logs and this can create noise for IIS.\nlet ExcludeIIS = \"okhttp/\";\n(union isfuzzy=true\n(OfficeActivity\n| where ExtendedProperties has \"UserAgent\"\n| extend UserAgent = extractjson(\"$[0].Value\", ExtendedProperties, typeof(string))\n| where UserAgent matches regex UserAgentList\n| project TimeGenerated, Type, UserAgent, SourceIP\n| extend IPCustomEntity = SourceIP\n),\n(\nW3CIISLog\n| extend UserAgent = replace('\\\\+', ' ', csUserAgent) \n| where UserAgent matches regex UserAgentList\n| where UserAgent !startswith ExcludeIIS\n| extend SourceIP = cIP\n| project TimeGenerated, Type, UserAgent, SourceIP\n| extend IPCustomEntity = SourceIP\n),\n(\nAWSCloudTrail\n| where UserAgent matches regex 
UserAgentList\n| extend SourceIP = SourceIpAddress\n| project TimeGenerated, Type, UserAgent, SourceIP\n))\n| summarize min(TimeGenerated), max(TimeGenerated), count() by Type, UserAgent, SourceIP\n| extend timestamp = min_TimeGenerated, IPCustomEntity = SourceIP\n",
"version": 2,
"tags": [
{
"name": "description",
"value": "There are several exploit and pen test frameworks that are being used by pen testers as well as attackers to \ncompromise an environment and achieve their objective. The query tries to detect suspicious user agent strings \nused by these frameworks in some of the data sources that contain UserAgent field. \nThis is based out of sigma rules described in references.\nReferences: https://github.com/Neo23x0/sigma/blob/master/rules/proxy/proxy_ua_frameworks.yml"
},
{
"name": "tactics",
"value": "InitialAccess,CommandAndControl,Execution"
},
{
"name": "techniques",
"value": "T1189,T1071,T1203"
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId1'),'/'))))]",
"properties": {
"description": "Network Threat Protection Essentials Hunting Query 1",
"parentId": "[variables('huntingQueryId1')]",
"contentId": "[variables('_huntingQuerycontentId1')]",
"kind": "HuntingQuery",
"version": "[variables('huntingQueryVersion1')]",
"source": {
"kind": "Solution",
"name": "Network Threat Protection Essentials",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
}
]
}
}
},
{
"type": "Microsoft.Resources/templateSpecs",
"apiVersion": "2021-05-01",
"name": "[variables('huntingQueryTemplateSpecName2')]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "HuntingQuery"
},
"properties": {
"description": "Network Threat Protection Essentials Hunting Query 2 with template",
"displayName": "Network Threat Protection Essentials Hunting Query template"
}
},
{
"type": "Microsoft.Resources/templateSpecs/versions",
"apiVersion": "2021-05-01",
"name": "[concat(variables('huntingQueryTemplateSpecName2'),'/',variables('huntingQueryVersion2'))]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "HuntingQuery"
},
"dependsOn": [
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName2'))]"
],
"properties": {
"description": "B64IPInURL_HuntingQueries Hunting Query with template version 2.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion2')]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.OperationalInsights/savedSearches",
"apiVersion": "2020-08-01",
"name": "Network_Threat_Protection_Essentials_Hunting_Query_2",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "Base64 encoded IPv4 address in request url",
"category": "Hunting Queries",
"query": "let starttime = todatetime('{{StartTimeISO}}');\nlet endtime = todatetime('{{EndTimeISO}}');\nlet ipv4_plaintext_extraction_regex = @\"((?:(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(?:\\.)){3}(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]){1,3})\";\nlet ipv4_encoded_identification_regex = @\"\\=([a-zA-Z0-9\\/\\+]*(?:(?:MC|Au|wL|MS|Eu|xL|Mi|Iu|yL|My|Mu|zL|NC|Qu|0L|NS|Uu|1L|Ni|Yu|2L|Ny|cu|3L|OC|gu|4L|OS|ku|5L){1}[a-zA-Z0-9\\/\\+]{2,4}){3}[a-zA-Z0-9\\/\\+\\=]*)\";\nlet ipv4_decoded_hex_extract = @\"((?:(?:61|62|63|64|65|66|67|68|69|6a|6b|6c|6d|6e|6f|70|71|72|73|74|75|76|77|78|79|7a|41|42|43|44|45|46|47|48|49|4a|4b|4c|4d|4e|4f|50|51|52|53|54|55|56|57|58|59|5a|2f|2b|3d),){7,15})\";\nCommonSecurityLog\n| where TimeGenerated between(starttime .. endtime)\n| where isnotempty(RequestURL)\n// Identify requests with encoded IPv4 addresses\n| where RequestURL matches regex ipv4_encoded_identification_regex\n| project TimeGenerated, RequestURL\n// Extract IP candidates in their base64 encoded format, significantly reducing the dataset\n| extend extracted_encoded_ip_candidate = extract_all(ipv4_encoded_identification_regex, RequestURL)\n// We could have more than one candidate, expand them out\n| mv-expand extracted_encoded_ip_candidate to typeof(string)\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), make_set(RequestURL) by extracted_encoded_ip_candidate\n// Pad if we need to\n| extend extracted_encoded_ip_candidate = iff(strlen(extracted_encoded_ip_candidate) % 2 == 0, extracted_encoded_ip_candidate, strcat(extracted_encoded_ip_candidate, \"=\"))\n// Now decode the candidate to a long array, we cannot go straight to string as it cannot handle non-UTF8, we need to strip that first\n| extend extracted_encoded_ip_candidate = tostring(base64_decode_toarray(extracted_encoded_ip_candidate))\n// Extract the IP candidates from the array\n| extend hex_extracted = extract_all(ipv4_decoded_hex_extract, extracted_encoded_ip_candidate)\n// Expand, 
it's still possible that we might have more than 1 IP\n| mv-expand hex_extracted\n// Now we should have a clean string. We need to put it back into a dynamic array to convert back to a string.\n| extend hex_extracted = trim_end(\",\", tostring(hex_extracted))\n| extend hex_extracted = strcat(\"[\",hex_extracted,\"]\")\n| extend hex_extracted = todynamic(hex_extracted)\n| extend extracted_encoded_ip_candidate = todynamic(extracted_encoded_ip_candidate)\n// Convert the array back into a string\n| extend decoded_ip_candidate = make_string(hex_extracted)\n| summarize by decoded_ip_candidate, tostring(set_RequestURL), Start, End\n// Now the IP candidates will be in plaintext, extract the IPs using a regex\n| extend ipmatch = extract_all(ipv4_plaintext_extraction_regex, decoded_ip_candidate)\n// If it's not an IP, throw it out\n| where isnotnull(ipmatch)\n| mv-expand ipmatch to typeof(string)\n| extend timestamp = Start, IPCustomEntity = ipmatch\n",
"version": 2,
"tags": [
{
"name": "description",
"value": "This hunting query will detect when a Base64 IPv4 address is seen in a outbound request URL. This query uses pre-computed base64 offsets for IPv4 sequences allowing detection\nof an IPv4 address under base64 without the need to decode. After identifying a candidate this query will decode the base64 into an array of longs where a regex will extract\nthe ip candidate into plaintext. Finally the query will extract the plaintext IPv4 address pattern from the IP candidate."
},
{
"name": "tactics",
"value": "CommandAndControl"
},
{
"name": "techniques",
"value": "T1071.001"
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId2'),'/'))))]",
"properties": {
"description": "Network Threat Protection Essentials Hunting Query 2",
"parentId": "[variables('huntingQueryId2')]",
"contentId": "[variables('_huntingQuerycontentId2')]",
"kind": "HuntingQuery",
"version": "[variables('huntingQueryVersion2')]",
"source": {
"kind": "Solution",
"name": "Network Threat Protection Essentials",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
}
]
}
}
},
{
"type": "Microsoft.Resources/templateSpecs",
"apiVersion": "2021-05-01",
"name": "[variables('huntingQueryTemplateSpecName3')]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "HuntingQuery"
},
"properties": {
"description": "Network Threat Protection Essentials Hunting Query 3 with template",
"displayName": "Network Threat Protection Essentials Hunting Query template"
}
},
{
"type": "Microsoft.Resources/templateSpecs/versions",
"apiVersion": "2021-05-01",
"name": "[concat(variables('huntingQueryTemplateSpecName3'),'/',variables('huntingQueryVersion3'))]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "HuntingQuery"
},
"dependsOn": [
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName3'))]"
],
"properties": {
"description": "RiskyCommandB64EncodedInUrl_HuntingQueries Hunting Query with template version 2.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion3')]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.OperationalInsights/savedSearches",
"apiVersion": "2020-08-01",
"name": "Network_Threat_Protection_Essentials_Hunting_Query_3",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "Risky base64 encoded command in URL",
"category": "Hunting Queries",
"query": "let mapping = datatable (CommandFound:string, match_list:dynamic) [\n\"whoami\", dynamic(['d2hvYW1p', 'dob2Fta', '3aG9hbW']),\n\"net share\", dynamic(['bmV0IHNoYXJl', '5ldCBzaGFyZ', 'uZXQgc2hhcm']),\n\"net use\", dynamic(['bmV0IHVzZ', '5ldCB1c2', 'uZXQgdXNl']),\n\"net view\", dynamic(['bmV0IHZpZX', '5ldCB2aWV3', 'uZXQgdmlld']),\n\"ipconfig\", dynamic(['aXBjb25maWc', 'lwY29uZmln', 'pcGNvbmZpZ']),\n\"net sh\", dynamic(['bmV0c2gg', '5ldHNoI', 'uZXRzaC']),\n\"schtasks\", dynamic(['2NodGFza3', 'NjaHRhc2tz', 'zY2h0YXNrc']),\n\"Invoke- \", dynamic(['SW52b2tlL', 'ludm9rZS', 'JbnZva2Ut']),\n];\nlet riskyCommandRegex = @\"(d2hvYW1p|dob2Fta|3aG9hbW|bmV0IHNoYXJl|5ldCBzaGFyZ|uZXQgc2hhcm|bmV0IHVzZ|5ldCB1c2|uZXQgdXNl|bmV0IHZpZX|5ldCB2aWV3|uZXQgdmlld|aXBjb25maWc|lwY29uZmln|pcGNvbmZpZ|bmV0c2gg|5ldHNoI|uZXRzaC|2NodGFza3|NjaHRhc2tz|zY2h0YXNrc|SW52b2tlL|ludm9rZS|JbnZva2Ut)\";\nCommonSecurityLog\n| where TimeGenerated > ago(3d)\n| where RequestURL matches regex riskyCommandRegex\n| extend B64MatchData = extract_all(riskyCommandRegex, RequestURL)\n| where isnotempty(B64MatchData)\n| mv-expand B64MatchData to typeof(string)\n| join kind=leftouter ( \n mapping\n | mv-expand match_list to typeof(string)\n) on $left.B64MatchData == $right.match_list\n| project TimeGenerated, B64MatchData, CommandFound, RequestURL, RequestMethod, DestinationHostName, DestinationIP, SourceIP, DeviceVendor, DeviceProduct, Activity\n| extend timestamp = TimeGenerated, DomainCustomEntity = DestinationHostName, IPCustomEntity = DestinationIP\n",
"version": 2,
"tags": [
{
"name": "description",
"value": "This hunting query will detect risky base64 encoded commands are seen in web requests. Some threat actors transmit base64 commands from the target host\nback to the C2 servers so they know which command has been executed. This query also reguarly illumniates base64 encoded webshells being injected.\nThe limitation of this query is that base64 is case sensitive, so different case versions of each command need generating for full coverage. This query\ncomputes base64 permutations for each command, resulting in 3 possible permutations depending on padding."
},
{
"name": "tactics",
"value": "CommandAndControl"
},
{
"name": "techniques",
"value": "T1071.001"
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId3'),'/'))))]",
"properties": {
"description": "Network Threat Protection Essentials Hunting Query 3",
"parentId": "[variables('huntingQueryId3')]",
"contentId": "[variables('_huntingQuerycontentId3')]",
"kind": "HuntingQuery",
"version": "[variables('huntingQueryVersion3')]",
"source": {
"kind": "Solution",
"name": "Network Threat Protection Essentials",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
}
]
}
}
},
{
"type": "Microsoft.Resources/templateSpecs",
"apiVersion": "2021-05-01",
"name": "[variables('analyticRuleTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "AnalyticsRule"
},
"properties": {
"description": "Network Threat Protection Essentials Analytics Rule 1 with template",
"displayName": "Network Threat Protection Essentials Analytics Rule template"
}
},
{
"type": "Microsoft.Resources/templateSpecs/versions",
"apiVersion": "2021-05-01",
"name": "[concat(variables('analyticRuleTemplateSpecName1'),'/',variables('analyticRuleVersion1'))]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "AnalyticsRule"
},
"dependsOn": [
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName1'))]"
],
"properties": {
"description": "NetworkEndpointCorrelation_AnalyticalRules Analytics Rule with template version 2.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion1')]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"name": "[variables('AnalyticRulecontentId1')]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "Correlates blocked URLs hosting [malicious] executables with host endpoint data\nto identify potential instances of executables of the same name having been recently run.",
"displayName": "Network endpoint to host executable correlation",
"enabled": false,
"query": "let endpointData = \n(union isfuzzy=true\n(SecurityEvent\n | where EventID == 4688\n | extend shortFileName = tostring(split(NewProcessName, '\\\\')[-1])\n ),\n (WindowsEvent\n | where EventID == 4688\n | extend NewProcessName = tostring(EventData.NewProcessName)\n | extend shortFileName = tostring(split(NewProcessName, '\\\\')[-1])\n | extend TargetUserName = tostring(EventData.TargetUserName)\n ));\n// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints\nCommonSecurityLog\n| where DeviceVendor =~ \"Trend Micro\"\n| where Activity =~ \"Deny List updated\" \n| where RequestURL endswith \".exe\"\n| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP\n| extend suspectExeName = tolower(tostring(split(RequestURL, '/')[-1]))\n| join (endpointData) on $left.suspectExeName == $right.shortFileName \n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "Medium",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "TrendMicro",
"dataTypes": [
"CommonSecurityLog"
]
},
{
"connectorId": "SecurityEvents",
"dataTypes": [
"SecurityEvent"
]
},
{
"connectorId": "WindowsSecurityEvents",
"dataTypes": [
"SecurityEvents"
]
},
{
"connectorId": "WindowsForwardedEvents",
"dataTypes": [
"WindowsEvent"
]
}
],
"tactics": [
"Execution"
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "HostCustomEntity"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
}
]
},
{
"entityType": "URL",
"fieldMappings": [
{
"identifier": "Url",
"columnName": "URLCustomEntity"
}
]
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]",
"properties": {
"description": "Network Threat Protection Essentials Analytics Rule 1",
"parentId": "[variables('analyticRuleId1')]",
"contentId": "[variables('_analyticRulecontentId1')]",
"kind": "AnalyticsRule",
"version": "[variables('analyticRuleVersion1')]",
"source": {
"kind": "Solution",
"name": "Network Threat Protection Essentials",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
}
]
}
}
},
{
"type": "Microsoft.Resources/templateSpecs",
"apiVersion": "2021-05-01",
"name": "[variables('analyticRuleTemplateSpecName2')]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "AnalyticsRule"
},
"properties": {
"description": "Network Threat Protection Essentials Analytics Rule 2 with template",
"displayName": "Network Threat Protection Essentials Analytics Rule template"
}
},
{
"type": "Microsoft.Resources/templateSpecs/versions",
"apiVersion": "2021-05-01",
"name": "[concat(variables('analyticRuleTemplateSpecName2'),'/',variables('analyticRuleVersion2'))]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "AnalyticsRule"
},
"dependsOn": [
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName2'))]"
],
"properties": {
"description": "NewUserAgentLast24h_AnalyticalRules Analytics Rule with template version 2.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion2')]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"name": "[variables('AnalyticRulecontentId2')]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection\nextracts words from user agents to build the baseline and determine rareity rather than perform a\ndirect comparison. This avoids FPs caused by version numbers and other high entropy user agent components.\nThese new UserAgents could be benign. However, in normally stable environments,\nthese new UserAgents could provide a starting point for investigating malicious activity.\nNote: W3CIISLog can be noisy depending on the environment, however OfficeActivity and AWSCloudTrail are\nusually stable with low numbers of detections.",
"displayName": "New UserAgent observed in last 24 hours",
"enabled": false,
"query": "\nlet starttime = 14d;\nlet endtime = 1d;\nlet UserAgentAll =\n(union isfuzzy=true\n(OfficeActivity\n| where TimeGenerated >= ago(starttime)\n| where isnotempty(UserAgent)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\n),\n(\nW3CIISLog\n| where TimeGenerated >= ago(starttime)\n| where isnotempty(csUserAgent)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\n),\n(\nAWSCloudTrail\n| where TimeGenerated >= ago(starttime)\n| where isnotempty(UserAgent)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\n))\n// remove wordSize blocks of non-numeric hex characters prior to word extraction\n| extend UserAgentNoHexAlphas = replace(\"([A-Fa-f]{4,})\", \"x\", UserAgent)\n// once blocks of hex chars are removed, extract wordSize blocks of a-z\n| extend Tokens = extract_all(\"([A-Za-z]{4,})\", UserAgentNoHexAlphas)\n// concatenate extracted words to create a summarized user agent for baseline and comparison\n| extend NormalizedUserAgent = strcat_array(Tokens, \"|\")\n| project-away UserAgentNoHexAlphas, Tokens;\nUserAgentAll\n| where StartTime >= ago(endtime)\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), count() by UserAgent, NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\n| join kind=leftanti\n(\nUserAgentAll\n| where StartTime < ago(endtime)\n| summarize by NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\n)\non NormalizedUserAgent\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\n",
"queryFrequency": "P1D",
"queryPeriod": "P14D",
"severity": "Low",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
]
},
{
"connectorId": "Office365",
"dataTypes": [
"OfficeActivity"
]
},
{
"connectorId": "AzureMonitor(IIS)",
"dataTypes": [
"W3CIISLog"
]
}
],
"tactics": [
"InitialAccess",
"CommandAndControl",
"Execution"
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
}
]
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]",
"properties": {
"description": "Network Threat Protection Essentials Analytics Rule 2",
"parentId": "[variables('analyticRuleId2')]",
"contentId": "[variables('_analyticRulecontentId2')]",
"kind": "AnalyticsRule",
"version": "[variables('analyticRuleVersion2')]",
"source": {
"kind": "Solution",
"name": "Network Threat Protection Essentials",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
}
]
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "2.0.0",
"kind": "Solution",
"contentSchemaVersion": "2.0.0",
"contentId": "[variables('_solutionId')]",
"parentId": "[variables('_solutionId')]",
"source": {
"kind": "Solution",
"name": "Network Threat Protection Essentials",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"kind": "HuntingQuery",
"contentId": "[variables('_huntingQuerycontentId1')]",
"version": "[variables('huntingQueryVersion1')]"
},
{
"kind": "HuntingQuery",
"contentId": "[variables('_huntingQuerycontentId2')]",
"version": "[variables('huntingQueryVersion2')]"
},
{
"kind": "HuntingQuery",
"contentId": "[variables('_huntingQuerycontentId3')]",
"version": "[variables('huntingQueryVersion3')]"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('analyticRulecontentId1')]",
"version": "[variables('analyticRuleVersion1')]"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('analyticRulecontentId2')]",
"version": "[variables('analyticRuleVersion2')]"
}
]
},
"firstPublishDate": "2022-11-16",
"providers": [
"Microsoft"
],
"categories": {
"domains": [
"Security - Threat Protection",
"Security - Network"
]
}
},
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
}
],
"outputs": {}
}


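--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,15 @@
+{
+"publisherId": "azuresentinel",
+"offerId": "azure-sentinel-solution-networkthreatdetection",
+"firstPublishDate": "2022-11-16",
+"providers": ["Microsoft"],
+"categories": {
+"domains" : ["Security - Threat Protection","Security - Network"]
+},
+"support": {
+"name": "Microsoft Corporation",
+"email": "support@microsoft.com",
+"tier": "Microsoft",
+"link": "https://support.microsoft.com"
+}
+}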
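Review bot: `"domains" : [` in the categories block is the only key in this file with a space before the colon; every other key here, and the same block in the main template, is written `"domains": [`. The single-line `providers` and `domains` arrays also differ from the expanded form the main template uses for the identical values in its solution metadata resource; both parse, but matching the layout keeps the two copies easy to diff. Since `firstPublishDate`, `providers` and `categories` are duplicated between this file and the main template, a later edit to one copy could silently drift from the other, so it is worth noting which one the packaging tooling treats as authoritative. The `offerId` slug `networkthreatdetection` does not echo the solution name "Network Threat Protection Essentials" and is not referenced anywhere else in the visible diff; presumably it is the intended marketplace offer id, but that seems worth confirming before publishing.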