Created solution with SolutionMetadata.json.

This commit is contained in:
NikTripathi 2021-10-19 15:41:30 +05:30
Родитель 2a60ad7bd9
Коммит 92cf429967
40 изменённых файлов: 5281 добавлений и 0 удалений


@ -0,0 +1,20 @@
{
"Name": "AristaAwakeSecurity",
"Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/AristaAwakeSecurity/Workbooks/Images/Logos/AristaAwakeSecurity.svg\"width=\"75px\"height=\"75px\">",
"Description": "The [Awake Security](https://awakesecurity.com/) (Arista Networks) / Azure Sentinel integration sends detection model matches from the Awake Security Platform to Azure Sentinel.\n\r Through this integration threats can be remediated faster using the power of network detection and response. Investigation time and effort are reduced with increased visibility, especially into unmanaged users, devices and applications on your network.",
"Data Connectors": [
"Data Connectors/Connector_AristaAwakeSecurity_CEF.json"
],
"Analytic Rules": [
"Analytic Rules/HighMatchCountsByDevice.yaml",
"Analytic Rules/HighSeverityMatchesByDevice.yaml",
"Analytic Rules/ModelMatchesWithMultipleDestinationsByDevice.yaml"
],
"Workbooks": [
"Workbooks/AristaAwakeSecurityWorkbook.json"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\azure\\Solutions\\AristaAwakeSecurity",
"Version": "1.1.0"
}
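Review bot: `BasePath` near the end of this file is a developer-workstation path (`C:\\GitHub\\azure\\Solutions\\AristaAwakeSecurity`), so the packaging tool that reads it only works on that one machine; the same value pattern appears in the Armorblox and FalconFriday input files later in this commit. Deriving the base path from the repository checkout or passing it as a tool argument would make the file portable, or at least the field should be documented as "edit to your local clone". Separately, the `Logo` value runs the `src`, `width` and `height` attributes together with no whitespace (`.svg\"width=\"75px\"height=\"75px\"`), a tolerated-but-invalid attribute sequence that the Armorblox file spaces correctly and that is pasted verbatim into the generated createUiDefinition description: `"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/AristaAwakeSecurity/Workbooks/Images/Logos/AristaAwakeSecurity.svg\" width=\"75px\" height=\"75px\">"`. The `\n\r` inside `Description` is a reversed CRLF; the other descriptions in this commit use a plain `\n`.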

Двоичные данные
Solutions/AristaAwakeSecurity/Package/1.1.0.zip Normal file

Двоичный файл не отображается.


@ -0,0 +1,205 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/AristaAwakeSecurity/Workbooks/Images/Logos/AristaAwakeSecurity.svg\"width=\"75px\"height=\"75px\">\n\n**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Awake Security](https://awakesecurity.com/) (Arista Networks) / Azure Sentinel integration sends detection model matches from the Awake Security Platform to Azure Sentinel.\n\r Through this integration threats can be remediated faster using the power of network detection and response. Investigation time and effort are reduced with increased visibility, especially into unmanaged users, devices and applications on your network.\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 3\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "dataconnectors",
"label": "Data Connectors",
"bladeTitle": "Data Connectors",
"elements": [
{
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Solution installs the data connector for AristaAwakeSecurity. You can get AristaAwakeSecurity CommonSecurityLog data in your Azure Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. The logs will be received in the CommonSecurityLog table in your Azure Sentinel / Azure Log Analytics workspace."
}
},
{
"name": "dataconnectors-link1",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about normalized format",
"uri": "https://docs.microsoft.com/azure/sentinel/normalization-schema"
}
}
},
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about connecting data sources",
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
}
}
}
]
},
{
"name": "workbooks",
"label": "Workbooks",
"subLabel": {
"preValidation": "Configure the workbooks",
"postValidation": "Done"
},
"bladeTitle": "Workbooks",
"elements": [
{
"name": "workbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Azure Sentinel and combine them into unified interactive experiences.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
}
}
},
{
"name": "workbook1",
"type": "Microsoft.Common.Section",
"label": "AristaAwakeSecurity",
"elements": [
{
"name": "workbook1-text",
"type": "Microsoft.Common.TextBlock"
},
{
"name": "workbook1-name",
"type": "Microsoft.Common.TextBox",
"label": "Display Name",
"defaultValue": "AristaAwakeSecurity",
"toolTip": "Display name for the workbook.",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a workbook name"
}
}
]
}
]
},
{
"name": "analytics",
"label": "Analytics",
"subLabel": {
"preValidation": "Configure the analytics",
"postValidation": "Done"
},
"bladeTitle": "Analytics",
"elements": [
{
"name": "analytics-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs analytic rules for AristaAwakeSecurity that you can enable for custom alert generation in Azure Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Azure Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
}
}
},
{
"name": "analytic1",
"type": "Microsoft.Common.Section",
"label": "Awake Security - High Match Counts By Device",
"elements": [
{
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query searches for devices with unexpectedly large number of activity match."
}
}
]
},
{
"name": "analytic2",
"type": "Microsoft.Common.Section",
"label": "Awake Security - High Severity Matches By Device",
"elements": [
{
"name": "analytic2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query searches for devices with high severity event(s)."
}
}
]
},
{
"name": "analytic3",
"type": "Microsoft.Common.Section",
"label": "Awake Security - Model With Multiple Destinations",
"elements": [
{
"name": "analytic3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query searches for devices with multiple possibly malicious destinations."
}
}
]
}
]
}
],
"outputs": {
"workspace-location": "[resourceGroup().location]",
"location": "[location()]",
"workspace": "[basics('workspace')]",
"workbook1-name": "[steps('workbooks').workbook1.workbook1-name]"
}
}
}
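Review bot: The `regex` constraint on `workbook1-name` (`[a-z0-9A-Z]{1,256}$`) has no leading `^`, so it only requires the string to end in an alphanumeric character and does not actually restrict the display name to alphanumerics or to 256 characters; `"regex": "^[a-z0-9A-Z]{1,256}$"` pins both, and the `validationMessage` could then say what is accepted. The `allowedValues` filter for the `workspace` dropdown keeps workspaces whose resource id `contains` the lower-cased resource-group name; if `contains` is case-sensitive in this expression language a mixed-case resource group yields an empty list, and as a substring test it can also admit workspaces from other groups whose names contain this one — the same expression is repeated in the Armorblox createUiDefinition in this commit. The `workbook1-text` TextBlock has no `options`, so it renders nothing and could be dropped or given text.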



@ -0,0 +1,16 @@
{
"publisherId": "arista-networks",
"planId": "awake-security",
"firstPublishDate": "2021-10-18",
"providers": ["Arista Networks"],
"categories": {
"domains" : ["Security – Network"],
"verticals": []
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
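Review bot: The `domains` entry `"Security – Network"` uses an en dash (U+2013) where the Armorblox metadata in this same commit uses an ASCII hyphen (`"Security - Threat Protection"`); if the gallery matches category names against a fixed list, the non-ASCII dash would silently place this solution outside the intended category. Normalizing to `"domains": ["Security - Network"]` also removes the stray space before the colon, unless the en-dash form is confirmed to be the catalog's canonical spelling.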


@ -0,0 +1,12 @@
{
"Name": "Armorblox",
"Author": "Armorblox - support@armorblox.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Armorblox/Data%20Connectors/Logo/armorblox.svg\" width=\"75px\" height=\"75px\">",
"Description": "[Armorblox](https://www.armorblox.com) secures enterprise communications over email and other cloud office applications with the power of Natural Language Understanding. The Armorblox platform connects over APIs and analyzes thousands of signals to understand the context of communications and protect people and data from compromise. Over 56,000 organizations use Armorblox to stop BEC and targeted phishing attacks, protect sensitive PII and PCI, and automate remediation of user-reported email threats. Armorblox was featured in the 2019 Forbes AI 50 list and was named a 2020 Gartner Cool Vendor in Cloud Office Security. Founded in 2017, Armorblox is headquartered in Sunnyvale, CA and backed by General Catalyst and Next47.",
"Data Connectors": [
"Data Connectors/Armorblox_API_FunctionApp.json"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\azure\\Solutions\\Armorblox",
"Version": "1.1.0"
}

Двоичные данные
Solutions/Armorblox/Package/1.1.0.zip Normal file

Двоичный файл не отображается.


@ -0,0 +1,95 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Armorblox/Data%20Connectors/Logo/armorblox.svg\" width=\"75px\" height=\"75px\">\n\n**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\n[Armorblox](https://www.armorblox.com) secures enterprise communications over email and other cloud office applications with the power of Natural Language Understanding. The Armorblox platform connects over APIs and analyzes thousands of signals to understand the context of communications and protect people and data from compromise. Over 56,000 organizations use Armorblox to stop BEC and targeted phishing attacks, protect sensitive PII and PCI, and automate remediation of user-reported email threats. Armorblox was featured in the 2019 Forbes AI 50 list and was named a 2020 Gartner Cool Vendor in Cloud Office Security. Founded in 2017, Armorblox is headquartered in Sunnyvale, CA and backed by General Catalyst and Next47.\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "dataconnectors",
"label": "Data Connectors",
"bladeTitle": "Data Connectors",
"elements": [
{
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Solution installs the data connector for Armorblox. You can get Armorblox custom log data in your Azure Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. This data connector creates custom log table(s) Armorblox_CL in your Azure Sentinel / Azure Log Analytics workspace."
}
},
{
"name": "dataconnectors-link1",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about normalized format",
"uri": "https://docs.microsoft.com/azure/sentinel/normalization-schema"
}
}
},
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about connecting data sources",
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
}
}
}
]
}
],
"outputs": {
"workspace-location": "[resourceGroup().location]",
"location": "[location()]",
"workspace": "[basics('workspace')]"
}
}
}
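Review bot: The `resourceProviders` list registers `Microsoft.OperationalInsights/workspaces/providers/alertRules`, `Microsoft.Insights/workbooks` and `Microsoft.Logic/workflows`, yet this solution's only content is one data connector (the description text states `**Data Connectors:** 1` and the wizard has a single `dataconnectors` step). The list looks copied from a shared template; trimming it to what the solution actually deploys keeps the subscription-level registration to the minimum the install needs. If the generator emits this list unconditionally, the generator rather than this file is the place to fix it, since strict JSON offers nowhere to explain the extra entries.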


@ -0,0 +1,225 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"author": "Armorblox - support@armorblox.com",
"comments": "Solution template for Armorblox"
},
"parameters": {
"location": {
"type": "string",
"minLength": 1,
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
}
},
"workspace-location": {
"type": "string",
"minLength": 1,
"defaultValue": "[parameters('location')]",
"metadata": {
"description": "Region to deploy solution resources"
}
},
"workspace": {
"defaultValue": "",
"type": "string",
"metadata": {
"description": "Workspace name for Log Analytics where Sentinel is setup"
}
},
"connector1-name": {
"type": "string",
"defaultValue": "5be10ebd-fb63-41a4-aa47-94ed50ba937f"
}
},
"variables": {
"connector1-source": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.OperationalInsights/workspaces/',parameters('workspace'),'/providers/Microsoft.SecurityInsights/dataConnectors/',parameters('connector1-name'))]",
"_connector1-source": "[variables('connector1-source')]",
"ArmorbloxConnector": "ArmorbloxConnector",
"_ArmorbloxConnector": "[variables('ArmorbloxConnector')]",
"sourceId": "armorblox1601081599926.armorblox_sentinel_1",
"_sourceId": "[variables('sourceId')]"
},
"resources": [
{
"id": "[variables('_connector1-source')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('connector1-name'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"title": "Armorblox",
"publisher": "Armorblox",
"descriptionMarkdown": "The [Armorblox](https://www.armorblox.com/) data connector provides the capability to ingest incidents from your Armorblox instance into Azure Sentinel through the REST API. The connector provides ability to get events which helps to examine potential security risks, and more.",
"graphQueries": [
{
"metricName": "Armorblox Incidents",
"legend": "Armorblox_CL",
"baseQuery": "Armorblox_CL"
}
],
"sampleQueries": [
{
"description": "Armorblox Incidents",
"query": "Armorblox_CL\n | sort by TimeGenerated desc"
}
],
"dataTypes": [
{
"name": "Armorblox_CL",
"lastDataReceivedQuery": "Armorblox_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"Armorblox_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions on the workspace are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [
{
"name": "Microsoft.Web/sites permissions",
"description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
},
{
"name": "Armorblox Instance Details",
"description": "**ArmorbloxInstanceName** OR **ArmorbloxInstanceURL** is required"
},
{
"name": "Armorblox API Credentials",
"description": "**ArmorbloxAPIToken** is required"
}
]
},
"instructionSteps": [
{
"description": ">**NOTE:** This connector uses Azure Functions to connect to the Armorblox API to pull its logs into Azure Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
},
{
"description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
},
{
"description": "**STEP 1 - Configuration steps for the Armorblox API**\n\n Follow the instructions to obtain the API token.\n\n1. Log in to the Armorblox portal with your credentials.\n2. In the portal, click **Settings**.\n3. In the **Settings** view, click **API Keys**\n4. Click **Create API Key**.\n5. Enter the required information.\n6. Click **Create**, and copy the API token displayed in the modal.\n7. Save API token for using in the data connector."
},
{
"description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Armorblox data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following).",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID"
},
"type": "CopyableLabel"
},
{
"parameters": {
"fillWith": [
"PrimaryKey"
],
"label": "Primary Key"
},
"type": "CopyableLabel"
}
]
},
{
"description": "Use this method for automated deployment of the Armorblox data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-armorblox-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group.\n3. Enter the **ArmorbloxAPIToken**, **ArmorbloxInstanceURL** OR **ArmorbloxInstanceName**, and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.",
"title": "Option 1 - Azure Resource Manager (ARM) Template"
},
{
"description": "Use the following step-by-step instructions to deploy the Armorblox data connector manually with Azure Functions (Deployment via Visual Studio Code).",
"title": "Option 2 - Manual Deployment of Azure Functions"
},
{
"description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-armorblox-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. Armorblox).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Azure Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration."
},
{
"description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select ** New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tArmorbloxAPIToken\n\t\tArmorbloxInstanceName OR ArmorbloxInstanceURL\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tLogAnalyticsUri (optional)\n> - Use LogAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://<CustomerId>.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**."
}
]
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2021-03-01-preview",
"properties": {
"version": "1.1.0",
"kind": "Solution",
"contentId": "[variables('_sourceId')]",
"parentId": "[variables('_sourceId')]",
"source": {
"kind": "Solution",
"name": "Armorblox",
"sourceId": "[variables('_sourceId')]"
},
"author": {
"name": "Armorblox",
"email": "support@armorblox.com"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"kind": "DataConnector",
"contentId": "[variables('_ArmorbloxConnector')]",
"version": "1.1.0"
}
]
},
"firstPublishDate": "2021-10-18",
"providers": [
"Armorblox"
],
"categories": {
"domains": [
"Security - Threat Protection"
]
}
},
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_sourceId'))]"
}
],
"outputs": {}
}
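Review bot: The workspace entry under `permissions.resourceProvider` declares `"delete": true` in `requiredPermissions`, but its `permissionsDisplayText` says only that "read and write permissions on the workspace are required", so the connector page under-states the access it asks for. Either drop `"delete": true` if the deployment never deletes workspace resources, or change the text to `"read, write and delete permissions on the workspace are required."` so the displayed requirement matches the declared one. Two smaller points in `instructionSteps`: `select ** New application setting**` has a space after the opening `**` and will not render as bold, and the `IsConnectedQuery` reports the connector as connected for 30 days after the last record, which is a long window for noticing stalled ingestion — worth checking against the window other connectors in the repository use.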


@ -0,0 +1,16 @@
{
"publisherId": "armorblox1601081599926",
"planId": "armorblox_sentinel_1",
"firstPublishDate": "2021-10-18",
"providers": ["Armorblox"],
"categories": {
"domains" : ["Security - Threat Protection"],
"verticals": []
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}


@ -0,0 +1,31 @@
{
"Name": "FalconFriday",
"Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/falconforce_logo.svg\"width=\"75px\"height=\"75px\">",
"Description": "FalconFriday is a blog post series by FalconForce providing the community with free detection content for various attacks seen and executed in the wild by FalconForce.",
"Analytic Rules": [
"Analytic Rules/AzureADRareUserAgentAppSignin.yaml",
"Analytic Rules/AzureADUserAgentOSmissmatch.yaml",
"Analytic Rules/COMHijacking.yaml",
"Analytic Rules/CertutilIngressToolTransfer.yaml",
"Analytic Rules/CreateProcessWithToken.yaml",
"Analytic Rules/DCOMLateralMovement.yaml",
"Analytic Rules/DLLSideLoading.yaml",
"Analytic Rules/DisableOrModifyWindowsDefender.yaml",
"Analytic Rules/DotNetToJScript.yaml",
"Analytic Rules/ExpiredAccessCredentials.yaml",
"Analytic Rules/MatchLegitimateNameOrLocation.yaml",
"Analytic Rules/OfficeASRFromBrowser.yaml",
"Analytic Rules/OfficeProcessInjection.yaml",
"Analytic Rules/PasswordSprayingWithMDE.yaml",
"Analytic Rules/RecognizingBeaconingTraffic.yaml",
"Analytic Rules/RemoteDesktopProtocol.yaml",
"Analytic Rules/RenameSystemUtilities.yaml",
"Analytic Rules/SMBWindowsAdminShares.yaml",
"Analytic Rules/SuspiciousParentProcessRelationship.yaml",
"Analytic Rules/TrustedDeveloperUtilitiesProxyExecution.yaml"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\azure\\Solutions\\FalconFriday",
"Version": "1.1.0"
}
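Review bot: `Author` names the Microsoft packager while `Description` credits FalconForce for the content, and the Armorblox file in this commit puts the content vendor in `Author`; if this field feeds the published solution's author line, the attribution will be inconsistent between the two solutions. Consider `"Author": "FalconForce"` with whatever contact the vendor has agreed to publish, or confirm that the field is meant to hold the packager. The `Logo` tag here also lacks spaces between its `src`, `width` and `height` attributes, and `BasePath` is a local workstation path, as in the AristaAwakeSecurity file.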

Двоичные данные
Solutions/FalconFriday/Package/1.1.0.zip Normal file

Двоичный файл не отображается.


@ -0,0 +1,363 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/falconforce_logo.svg\"width=\"75px\"height=\"75px\">\n\n**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nFalconFriday is a blog post series by FalconForce providing the community with free detection content for various attacks seen and executed in the wild by FalconForce.\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Analytic Rules:** 20\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "analytics",
"label": "Analytics",
"subLabel": {
"preValidation": "Configure the analytics",
"postValidation": "Done"
},
"bladeTitle": "Analytics",
"elements": [
{
"name": "analytics-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs analytic rules for FalconFriday that you can enable for custom alert generation in Azure Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Azure Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
}
}
},
{
"name": "analytic1",
"type": "Microsoft.Common.Section",
"label": "Azure AD Rare UserAgent App Sign-in",
"elements": [
{
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query establishes a baseline of the type of UserAgent (i.e. browser, office application, etc) that is typically used for a particular application by looking back for a number of days. \nIt then searches the current day for any deviations from this pattern, i.e. types of UserAgents not seen before in combination with this application."
}
}
]
},
{
"name": "analytic2",
"type": "Microsoft.Common.Section",
"label": "Azure AD UserAgent OS Missmatch",
"elements": [
{
"name": "analytic2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query extracts the operating system from the UserAgent header and compares this to the DeviceDetail information present in Azure Active Directory."
}
}
]
},
{
"name": "analytic3",
"type": "Microsoft.Common.Section",
"label": "Component Object Model Hijacking - Vault7 trick",
"elements": [
{
"name": "analytic3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This detection looks for the very specific value of \"Attribute\" in the \"ShellFolder\" CLSID of a COM object. This value (0xf090013d) seems to only link back to this specific persistence method. \nThe blog post linked here (https://www.ired.team/offensive-security/code-execution/forcing-iexplore.exe-to-load-a-malicious-dll-via-com-abuse) provides more background on the meaning of this value."
}
}
]
},
{
"name": "analytic4",
"type": "Microsoft.Common.Section",
"label": "Ingress Tool Transfer - Certutil",
"elements": [
{
"name": "analytic4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This detection addresses most of the known ways to utilize this binary for malicious/unintended purposes. \nIt attempts to accommodate for most detection evasion techniques, like commandline obfuscation and binary renaming."
}
}
]
},
{
"name": "analytic5",
"type": "Microsoft.Common.Section",
"label": "Access Token Manipulation - Create Process with Token",
"elements": [
{
"name": "analytic5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query detects the use of the 'runas' command and checks whether the account used to elevate privileges isn't the user's own admin account. \nAdditionally, it will match this event to the logon events - to check whether it has been successful as well as augment the event with the new SID."
}
}
]
},
{
"name": "analytic6",
"type": "Microsoft.Common.Section",
"label": "DCOM Lateral Movement",
"elements": [
{
"name": "analytic6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This detection looks for cases of close-time proximity between incoming network traffic on RPC/TCP, followed by the creation of a DCOM object, followed by the creation of a child process of the DCOM object. \nThe query first identifies incoming network traffic over RPC/TCP, followed by the creation of a DCOM object (process) within 2 seconds, followed by the creation of a child process of this DCOM object."
}
}
]
},
{
"name": "analytic7",
"type": "Microsoft.Common.Section",
"label": "Hijack Execution Flow - DLL Side-Loading",
"elements": [
{
"name": "analytic7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This detection tries to identify all DLLs loaded by \"high integrity\" processes and cross-checks the DLL paths against FileCreate/FileModify events of the same DLL by a medium integrity process. \nOf course, we need to do some magic to filter out false positives as much as possible. So any FileCreate/FileModify done by \"NT Authoriy\\System\" and the \"RID 500\" users aren't interesting. \nAlso, we only want to see the FileCreate/FileModify actions which are performed with a default or limited token elevation. If done with a full elevated token, the user is apparently admin already."
}
}
]
},
{
"name": "analytic8",
"type": "Microsoft.Common.Section",
"label": "Disable or Modify Windows Defender",
"elements": [
{
"name": "analytic8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This detection watches the commandline logs for known commands that are used to disable the Defender AV. This is based on research performed by @olafhartong on a large sample of malware for varying purposes. \nNote that this detection is imperfect and is only meant to serve as basis for building a more resilient detection rule. \nMake the detection more resilient, currently the order of parameters matters. You don't want that for a production rule. \nSee blogpost (https://medium.com/falconforce/falconfriday-av-manipulation-0xff0e-67ed4387f9ab?source=friends_link&sk=3c7c499797bbb4d74879e102ef3ecf8f) \nfor more resilience considerations. The current approach can easily be bypassed by not using the powershell.exe executable. \nConsider adding more ways to detect this behavior."
}
}
]
},
{
"name": "analytic9",
"type": "Microsoft.Common.Section",
"label": "Detect .NET runtime being loaded in JScript for code execution",
"elements": [
{
"name": "analytic9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query detects .NET being loaded from wscript or cscript to run .NET code, such as cactustorch and sharpshooter.\nAll based on the DotNetToJScript by James Foreshaw documented here https://github.com/tyranid/DotNetToJScript."
}
}
]
},
{
"name": "analytic10",
"type": "Microsoft.Common.Section",
"label": "Expired access credentials being used in Azure",
"elements": [
{
"name": "analytic10-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query searches for logins with an expired access credential (for example an expired cookie). It then matches the IP address from which the expired credential access occurred with the IP addresses of successful logins.\nIf there are logins with expired credentials, but no successful logins from an IP, this might indicate an attacker has copied the authentication cookie and is re-using it on another machine."
}
}
]
},
{
"name": "analytic11",
"type": "Microsoft.Common.Section",
"label": "Match Legitimate Name or Location - 2",
"elements": [
{
"name": "analytic11-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Attackers often match or approximate the name or location of legitimate files to avoid detection rules that are based trust of certain operating system processes.\nThis query detects mismatches in the parent-child relationship of core operating system processes to uncover different masquerading attempts."
}
}
]
},
{
"name": "analytic12",
"type": "Microsoft.Common.Section",
"label": "Office ASR rule triggered from browser spawned office process.",
"elements": [
{
"name": "analytic12-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The attacker sends a spearphishing email to a user. The email contains a link which points to a website that eventually \npresents the user a download of an MS Office document. This document contains a malicious macro. The macro triggers one of the ASR rules. \nThis detection looks for Office ASR violations triggered by an Office document opened from a browser.\nNote: be aware that you need to have the proper ASR rules enabled for this detection to work."
}
}
]
},
{
"name": "analytic13",
"type": "Microsoft.Common.Section",
"label": "Suspicious Process Injection from Office application",
"elements": [
{
"name": "analytic13-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query detects process injections using CreateRemoteThread, QueueUserAPC or SetThread context APIs, originating from an Office process (only Word/Excel/PowerPoint)\nthat might contains macros. Performing process injection from a macro is a common technique by attackers to escape out of the Office process into something\nlonger running."
}
}
]
},
{
"name": "analytic14",
"type": "Microsoft.Common.Section",
"label": "Password Spraying",
"elements": [
{
"name": "analytic14-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query detects a password spraying attack, where a single machine has performed a large number of failed login attempts, with a large number of different accounts. \nFor each account, the attacker uses just a few attempts to prevent account lockout. This query uses the DeviceLogonEvents per machine to detect a password spraying attacks. \nThe machine against which the password spraying is performed (can be DC, a server or even an endpoint) needs to be enrolled in Microsoft Defender for Endpoint."
}
}
]
},
{
"name": "analytic15",
"type": "Microsoft.Common.Section",
"label": "Beacon Traffic Based on Common User Agents Visiting Limited Number of Domains",
"elements": [
{
"name": "analytic15-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query searches web proxy logs for a specific type of beaconing behavior by joining a number of sources together: \n- Traffic by actual web browsers - by looking at traffic generated by a UserAgent that looks like a browser and is used by multiple users\nto visit a large number of domains.\n- Users that make requests using one of these actual browsers, but only to a small set of domains, none of which are common domains.\n- The traffic is beacon-like; meaning that it occurs during many different hours of the day (i.e. periodic)."
}
}
]
},
{
"name": "analytic16",
"type": "Microsoft.Common.Section",
"label": "Remote Desktop Protocol - SharpRDP",
"elements": [
{
"name": "analytic16-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This detection monitors for the behavior that SharpRDP exhibits on the target system. The most relevant is leveraging taskmgr.exe to gain elevated execution, which means that taskmgr.exe is creating unexpected child processes."
}
}
]
},
{
"name": "analytic17",
"type": "Microsoft.Common.Section",
"label": "Rename System Utilities",
"elements": [
{
"name": "analytic17-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Attackers often use LOLBINs that are renamed to avoid detection rules that are based on filenames.\nThis rule detects renamed LOLBINs by first searching for all the known SHA1 hashes of the LOLBINs in your DeviceProcessEvents. This list is then used as reference to find other files executed which have a name that doesn't match the original filename. \nThis query is really heavy on resources. Use it with care."
}
}
]
},
{
"name": "analytic18",
"type": "Microsoft.Common.Section",
"label": "SMB/Windows Admin Shares",
"elements": [
{
"name": "analytic18-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query is based on detecting incoming RPC/TCP on the SCM, followed by the start of a child process of services.exe. Remotely interacting with the SCM triggers the RPC/TCP traffic on services.exe, and the creation of the child processes is a result of starting the service. \nThe query might look intimidating given its size. That's why we've commented the query per logic block to walk you through the details."
}
}
]
},
{
"name": "analytic19",
"type": "Microsoft.Common.Section",
"label": "Suspicious parentprocess relationship - Office child processes.",
"elements": [
{
"name": "analytic19-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The attacker sends a spearphishing email to a user. The email contains a link, which points to a website that eventually \npresents the user a download of an MS Office document. This document contains a malicious macro. The macro spawns a new child process providing initial access. \nThis detection looks for suspicious parent-process chains starting with a browser which spawns an Office application which spawns something else."
}
}
]
},
{
"name": "analytic20",
"type": "Microsoft.Common.Section",
"label": "Trusted Developer Utilities Proxy Execution",
"elements": [
{
"name": "analytic20-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This detection looks at process executions - in some cases with specific command line attributes to filter a lot of common noise."
}
}
]
}
]
}
],
"outputs": {
"workspace-location": "[resourceGroup().location]",
"location": "[location()]",
"workspace": "[basics('workspace')]"
}
}
}
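Review bot: The workspace dropdown's `allowedValues` expression under `constraints` filters with `contains(filter.id, toLower(resourceGroup().name))`, a substring match over the whole resource ID, so a workspace in a resource group whose name merely contains the selected name (e.g. `sec` matching `security`) would also be offered, and a resource-group name with upper-case letters is lower-cased before being compared against an ID that may keep its original casing. Comparing the resource-group segment of the ID exactly, e.g. `contains(toLower(filter.id), concat('/resourcegroups/', toLower(resourceGroup().name), '/'))`, would tighten both cases; the same expression is repeated in the Lookout createUiDefinition below. The user-facing text in this section also carries typos worth fixing before publishing: `Missmatch` in the analytic2 label, `NT Authoriy\\System` in the analytic7 text, and `parentprocess` in the analytic19 label.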



@ -0,0 +1,16 @@
{
"publisherId": "falconfriday_content",
"planId": "falconforcebv1623147592118",
"firstPublishDate": "2021-10-18",
"providers": ["FalconForce"],
"categories": {
"domains" : ["User Behavior (UEBA)", "Security – Insider Threat"],
"verticals": []
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
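Review bot: `"publisherId": "falconfriday_content"` and `"planId": "falconforcebv1623147592118"` look swapped relative to the other metadata files in this commit, where the publisher ID carries the numeric suffix (`armorblox1601081599926`) and the plan ID is the descriptive name (`armorblox_sentinel_1`); this should be confirmed against the marketplace offer before publishing, since a wrong pair would point the solution at a plan that does not exist. The `domains` entry `"Security – Insider Threat"` uses an en dash where the other files spell the category with an ASCII hyphen (`Security - Threat Protection`); if domains are matched against a fixed list, this value will not match, so `"Security - Insider Threat"` is the safer spelling.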


@ -0,0 +1,21 @@
{
"Name": "Lookout",
"Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Lookout/Workbooks/Images/Logo/lookout.svg\"width=\"75px\"height=\"75px\">",
"Description": "The [Lookout](https://lookout.com) data connector provides the capability to ingest [Lookout](https://enterprise.support.lookout.com/hc/en-us/articles/115002741773-Mobile-Risk-API-Guide#commoneventfields) events into Azure Sentinel through the Mobile Risk API. Refer to [API documentation](https://enterprise.support.lookout.com/hc/en-us/articles/115002741773-Mobile-Risk-API-Guide) for more information. The [Lookout](https://lookout.com) data connector provides ability to get events which helps to examine potential security risks and more.",
"Data Connectors": [
"Data Connectors/Lookout_API_FunctionApp.json"
],
"Analytic Rules": [
"Analytic Rules/LookoutThreatEvent.yaml"
],
"Workbooks": [
"Workbooks/LookoutEvents.json"
],
"Parsers": [
"Parsers/LookoutEvents.txt"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\azure\\Solutions\\Lookout",
"Version": "1.1.0"
}

Solutions/Lookout/Package/1.1.0.zip Normal file



@ -0,0 +1,184 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Lookout/Workbooks/Images/Logo/lookout.svg\"width=\"75px\"height=\"75px\">\n\n**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Lookout](https://lookout.com) data connector provides the capability to ingest [Lookout](https://enterprise.support.lookout.com/hc/en-us/articles/115002741773-Mobile-Risk-API-Guide#commoneventfields) events into Azure Sentinel through the Mobile Risk API. Refer to [API documentation](https://enterprise.support.lookout.com/hc/en-us/articles/115002741773-Mobile-Risk-API-Guide) for more information. The [Lookout](https://lookout.com) data connector provides ability to get events which helps to examine potential security risks and more.\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 1\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "dataconnectors",
"label": "Data Connectors",
"bladeTitle": "Data Connectors",
"elements": [
{
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Solution installs the data connector for Lookout. You can get Lookout custom log data in your Azure Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. This data connector creates custom log table(s) Lookout_CL in your Azure Sentinel / Azure Log Analytics workspace."
}
},
{
"name": "dataconnectors-parser-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The Solution installs a parser that transforms the ingested data into Azure Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Azure Sentinel."
}
},
{
"name": "dataconnectors-link1",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about normalized format",
"uri": "https://docs.microsoft.com/azure/sentinel/normalization-schema"
}
}
},
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about connecting data sources",
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
}
}
}
]
},
{
"name": "workbooks",
"label": "Workbooks",
"subLabel": {
"preValidation": "Configure the workbooks",
"postValidation": "Done"
},
"bladeTitle": "Workbooks",
"elements": [
{
"name": "workbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Azure Sentinel and combine them into unified interactive experiences.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
}
}
},
{
"name": "workbook1",
"type": "Microsoft.Common.Section",
"label": "Lookout",
"elements": [
{
"name": "workbook1-text",
"type": "Microsoft.Common.TextBlock"
},
{
"name": "workbook1-name",
"type": "Microsoft.Common.TextBox",
"label": "Display Name",
"defaultValue": "Lookout",
"toolTip": "Display name for the workbook.",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a workbook name"
}
}
]
}
]
},
{
"name": "analytics",
"label": "Analytics",
"subLabel": {
"preValidation": "Configure the analytics",
"postValidation": "Done"
},
"bladeTitle": "Analytics",
"elements": [
{
"name": "analytics-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs analytic rules for Lookout that you can enable for custom alert generation in Azure Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Azure Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
}
}
},
{
"name": "analytic1",
"type": "Microsoft.Common.Section",
"label": "Lookout - New Threat events found.",
"elements": [
{
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Created to detect new Threat events from the data which is recently synced by Lookout Solution."
}
}
]
}
]
}
],
"outputs": {
"workspace-location": "[resourceGroup().location]",
"location": "[location()]",
"workspace": "[basics('workspace')]",
"workbook1-name": "[steps('workbooks').workbook1.workbook1-name]"
}
}
}
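Review bot: The workbook display-name validation `"regex": "[a-z0-9A-Z]{1,256}$"` is anchored only at the end, so any value that ends in an alphanumeric character passes no matter what precedes it (a constructed example: `bad name!x`); `"regex": "^[a-z0-9A-Z]{1,256}$"` enforces the alphanumeric-only rule the message implies, and `"validationMessage": "Use 1-256 letters or digits"` would tell the user what was rejected. The `workbook1-text` TextBlock in the same section has no `options`, so it renders nothing; presumably a description of the workbook was intended there, as the analytic1-text block below it has.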



@ -0,0 +1,16 @@
{
"publisherId": "lookoutinc",
"planId": "lookout_mtd_sentinel",
"firstPublishDate": "2021-10-18",
"providers": ["Lookout"],
"categories": {
"domains" : ["Security - Threat Protection"],
"verticals": []
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}


@ -0,0 +1,25 @@
{
"Name": "SemperisDSP",
"Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SemperisDirectoryServicesProtector/Workbooks/Images/Logo/Semperis.svg\"width=\"75px\"height=\"75px\">",
"Description": "Semperis Directory Services Protector (DSP) provides valuable insight into your Active Directory security posture. It queries your Active Directory environment and performs a set of tests against many aspects of Active Directory's security posture, including AD Delegation, Account security, AD Infrastructure security, Group Policy security, and Kerberos security. Each security indicator is mapped to MITRE ATT&CK® framework categories, explains what was evaluated, and indicates how likely an exposure will compromise Active Directory. Each IoE found highlights weak Active Directory configurations and provides actionable guidance on how to close gaps before they are exploited by attackers. Using this workbook, you can determine how you are doing from a security perspective, compared to best practice environments. In case of security regressions, Semperis Directory Services Protector will trigger alerts through Azure Sentinel.",
"Data Connectors": [
"Data Connectors/SemperisDSP-connector.json"
],
"Analytic Rules": [
"Analytic Rules/SemperisDSP_EvidenceOfMimikatzDCShadowAttack.yaml",
"Analytic Rules/SemperisDSP_KerberoskrbtgtAccount.yaml",
"Analytic Rules/SemperisDSP_RecentsIDHistoryChangesOnADObjects.yaml",
"Analytic Rules/SemperisDSP_WellKnownPrivilegedSIDsInsIDHistory.yaml",
"Analytic Rules/SemperisDSP_ZerologonVulnerability.yaml"
],
"Workbooks": [
"Workbooks/SemperisDSPWorkbook.json"
],
"Parsers": [
"Parsers/dsp_parser.txt"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\azure\\Solutions\\SemperisDirectoryServicesProtector",
"Version": "1.1.0"
}
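Review bot: `"Name": "SemperisDSP"` does not match the solution folder named in `"BasePath"` (`SemperisDirectoryServicesProtector`), unlike the other input files in this commit where the two agree. If the packaging tool derives the output package or display name from `Name`, the published solution will be named differently from its folder and from the `Solutions/SemperisDirectoryServicesProtector/Package/1.1.0.zip` path added here, which looks unintended; either `"Name": "SemperisDirectoryServicesProtector"` or a deliberate note in the packaging docs would resolve the ambiguity.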

Solutions/SemperisDirectoryServicesProtector/Package/1.1.0.zip Normal file



@ -0,0 +1,240 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SemperisDirectoryServicesProtector/Workbooks/Images/Logo/Semperis.svg\"width=\"75px\"height=\"75px\">\n\n**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nSemperis Directory Services Protector (DSP) provides valuable insight into your Active Directory security posture. It queries your Active Directory environment and performs a set of tests against many aspects of Active Directory's security posture, including AD Delegation, Account security, AD Infrastructure security, Group Policy security, and Kerberos security. Each security indicator is mapped to MITRE ATT&CK® framework categories, explains what was evaluated, and indicates how likely an exposure will compromise Active Directory. Each IoE found highlights weak Active Directory configurations and provides actionable guidance on how to close gaps before they are exploited by attackers. Using this workbook, you can determine how you are doing from a security perspective, compared to best practice environments. 
In case of security regressions, Semperis Directory Services Protector will trigger alerts through Azure Sentinel.\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 5\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "dataconnectors",
"label": "Data Connectors",
"bladeTitle": "Data Connectors",
"elements": [
{
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Solution installs the data connector for SemperisDSP. You can get SemperisDSP custom log data in your Azure Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. This data connector creates custom log table(s) Event (Semperis-DSP-Security) in your Azure Sentinel / Azure Log Analytics workspace."
}
},
{
"name": "dataconnectors-parser-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The Solution installs a parser that transforms the ingested data into Azure Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Azure Sentinel."
}
},
{
"name": "dataconnectors-link1",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about normalized format",
"uri": "https://docs.microsoft.com/azure/sentinel/normalization-schema"
}
}
},
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about connecting data sources",
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
}
}
}
]
},
{
"name": "workbooks",
"label": "Workbooks",
"subLabel": {
"preValidation": "Configure the workbooks",
"postValidation": "Done"
},
"bladeTitle": "Workbooks",
"elements": [
{
"name": "workbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Azure Sentinel and combine them into unified interactive experiences.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
}
}
},
{
"name": "workbook1",
"type": "Microsoft.Common.Section",
"label": "SemperisDSP",
"elements": [
{
"name": "workbook1-text",
"type": "Microsoft.Common.TextBlock"
},
{
"name": "workbook1-name",
"type": "Microsoft.Common.TextBox",
"label": "Display Name",
"defaultValue": "SemperisDSP",
"toolTip": "Display name for the workbook.",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a workbook name"
}
}
]
}
]
},
{
"name": "analytics",
"label": "Analytics",
"subLabel": {
"preValidation": "Configure the analytics",
"postValidation": "Done"
},
"bladeTitle": "Analytics",
"elements": [
{
"name": "analytics-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs analytic rules for SemperisDSP that you can enable for custom alert generation in Azure Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Azure Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
}
}
},
{
"name": "analytic1",
"type": "Microsoft.Common.Section",
"label": "Semperis DSP Mimikatz's DCShadow Alert",
"elements": [
{
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Mimikatz's DCShadow switch allows a user who has compromised an AD domain, to inject arbitrary changes into AD using a \"fake\" domain controller. These changes bypass the security event log and can't be spotted using normal AD tools. This rule looks for evidence that a machine has been used in this capacity."
}
}
]
},
{
"name": "analytic2",
"type": "Microsoft.Common.Section",
"label": "Semperis DSP Kerberos krbtgt account with old password",
"elements": [
{
"name": "analytic2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The krbtgt user account is a special (disabled) user account in every Active Directory domain that has a special role in Kerberos function. If this account's password is compromised, Golden Ticket attacks can be performed to get access to any resource in the AD domain. This indicator looks for a krbtgt user account whose password hasn't been changed in the past 180 days. While Microsoft recommends changing the password every year, STIG recommends changing it every 180 days."
}
}
]
},
{
"name": "analytic3",
"type": "Microsoft.Common.Section",
"label": "Semperis DSP Recent sIDHistory changes on AD objects",
"elements": [
{
"name": "analytic3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This indicator detects any recent changes to sIDHistory on AD objects, including changes to non-privileged accounts where privileged SIDs are added."
}
}
]
},
{
"name": "analytic4",
"type": "Microsoft.Common.Section",
"label": "Semperis DSP Well-known privileged SIDs in sIDHistory",
"elements": [
{
"name": "analytic4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This indicator looks for security principals that contain specific SIDs of accounts from built-in privileged groups within their sIDHistory attribute. This would allow those security principals to have the same privileges as those privileged accounts, but in a way that is not obvious to monitor (e.g. through group membership)."
}
}
]
},
{
"name": "analytic5",
"type": "Microsoft.Common.Section",
"label": "Semperis DSP Zerologon vulnerability",
"elements": [
{
"name": "analytic5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This indicator looks for security vulnerability to CVE-2020-1472, which was patched by Microsoft in August 2020. Without this patch, an unauthenticated attacker can exploit CVE-2020-1472 to elevate their privileges and get administrative access on the domain."
}
}
]
}
]
}
],
"outputs": {
"workspace-location": "[resourceGroup().location]",
"location": "[location()]",
"workspace": "[basics('workspace')]",
"workbook1-name": "[steps('workbooks').workbook1.workbook1-name]"
}
}
}
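Review bot: The workbook-name regex on the `workbook1-name` control, `"regex": "[a-z0-9A-Z]{1,256}$"`, is only end-anchored, so any value whose last 1–256 characters are alphanumeric passes and neither the character set nor the 256-character limit is enforced on the whole string; change it to `"regex": "^[a-zA-Z0-9]{1,256}$"`. The same pattern appears on the `workbook1-name` control of the Sonrai createUiDefinition section further down. The `resourceProviders` list also registers `Microsoft.Logic/workflows` although this solution declares no playbooks (its Input file lists only a connector, rules, a workbook and a parser), so that entry could presumably be dropped unless the packaging tool requires a fixed list — confirm. The `description` string is shown across two physical lines in this view; the section's line count suggests rendering wrap, but if the file really contains a raw newline inside the string it is invalid JSON, so validate the file with a strict parser before publishing.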



@ -0,0 +1,16 @@
{
"publisherId": "semperis",
"planId": "directory-services-protector-solution",
"firstPublishDate": "2021-10-18",
"providers": ["Semperis"],
"categories": {
"domains" : ["Security - Threat Protection", "Identity"],
"verticals": []
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
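Review bot: The `support` block names Microsoft (`"tier": "Microsoft"`, `support@microsoft.com`) for a solution whose `providers` is `["Semperis"]`; if the partner owns support for this content, `name`, `email`, `tier` and `link` should point at them — confirm against the publishing agreement. Formatting is also inconsistent with the rest of the commit: `"domains" : [...]` has a space before the colon and the arrays are inline, while the Input and createUiDefinition files use `"key": value` with one element per line; `"domains": ["Security - Threat Protection", "Identity"],` is the consistent form.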


@ -0,0 +1,26 @@
{
"Name": "SonraiSecurity",
"Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SonraiSecurity/Workbooks/Images/Logo/Sonrai.svg\"width=\"75px\"height=\"75px\">",
"Description": "The Sonrai Dig Platform runs on a patented graphing technology that continually collects data, applies ML techniques, and finds identity and data risks - and then provides automated (or semi-automated) remediations.",
"Data Connectors": [
"Data Connectors/Connector_REST_API_Sonrai.json"
],
"Analytic Rules": [
"Analytic Rules/SonraiNewTicket.yaml",
"Analytic Rules/SonraiTicketAssigned.yaml",
"Analytic Rules/SonraiTicketClosed.yaml",
"Analytic Rules/SonraiTicketCommentAdded.yaml",
"Analytic Rules/SonraiTicketEscalationExecuted.yaml",
"Analytic Rules/SonraiTicketReopened.yaml",
"Analytic Rules/SonraiTicketRiskAccepted.yaml",
"Analytic Rules/SonraiTicketSnoozed.yaml",
"Analytic Rules/SonraiTicketUpdated.yaml"
],
"Workbooks": [
"Workbooks/Sonrai.json"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\azure\\Solutions\\SonraiSecurity",
"Version": "1.1.0"
}
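Review bot: `"BasePath": "C:\\GitHub\\azure\\Solutions\\SonraiSecurity"` is an absolute path from the author's workstation, so this file only drives the packaging tool on a machine with that exact directory layout; the Semperis Input file above carries the same kind of value. If the tool accepts it, a repository-relative path such as `"BasePath": "Solutions/SonraiSecurity"` (constructed from the package path shown below) would let any contributor regenerate the package — confirm what the tool expects. The content lists otherwise agree with the generated UI definition (nine analytic rules, one workbook, one connector).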

Solutions/SonraiSecurity/Package/1.1.0.zip Normal file



@ -0,0 +1,289 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SonraiSecurity/Workbooks/Images/Logo/Sonrai.svg\"width=\"75px\"height=\"75px\">\n\n**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe Sonrai Dig Platform runs on a patented graphing technology that continually collects data, applies ML techniques, and finds identity and data risks - and then provides automated (or semi-automated) remediations.\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 9\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "dataconnectors",
"label": "Data Connectors",
"bladeTitle": "Data Connectors",
"elements": [
{
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Solution installs the data connector for SonraiSecurity. You can get SonraiSecurity custom log data in your Azure Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. This data connector creates custom log table(s) Sonrai_Tickets_CL in your Azure Sentinel / Azure Log Analytics workspace."
}
},
{
"name": "dataconnectors-link1",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about normalized format",
"uri": "https://docs.microsoft.com/azure/sentinel/normalization-schema"
}
}
},
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about connecting data sources",
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
}
}
}
]
},
{
"name": "workbooks",
"label": "Workbooks",
"subLabel": {
"preValidation": "Configure the workbooks",
"postValidation": "Done"
},
"bladeTitle": "Workbooks",
"elements": [
{
"name": "workbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Azure Sentinel and combine them into unified interactive experiences.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
}
}
},
{
"name": "workbook1",
"type": "Microsoft.Common.Section",
"label": "SonraiSecurity",
"elements": [
{
"name": "workbook1-text",
"type": "Microsoft.Common.TextBlock"
},
{
"name": "workbook1-name",
"type": "Microsoft.Common.TextBox",
"label": "Display Name",
"defaultValue": "SonraiSecurity",
"toolTip": "Display name for the workbook.",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a workbook name"
}
}
]
}
]
},
{
"name": "analytics",
"label": "Analytics",
"subLabel": {
"preValidation": "Configure the analytics",
"postValidation": "Done"
},
"bladeTitle": "Analytics",
"elements": [
{
"name": "analytics-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs analytic rules for SonraiSecurity that you can enable for custom alert generation in Azure Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Azure Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
}
}
},
{
"name": "analytic1",
"type": "Microsoft.Common.Section",
"label": "New Sonrai Ticket",
"elements": [
{
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Checks for new Sonrai tickets. \nIt uses the action type to check if a ticket has been created"
}
}
]
},
{
"name": "analytic2",
"type": "Microsoft.Common.Section",
"label": "Sonrai Ticket Assigned",
"elements": [
{
"name": "analytic2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Checks if Sonrai tickets have been assigned. \nIt uses the action type to check if a ticket has been assigned"
}
}
]
},
{
"name": "analytic3",
"type": "Microsoft.Common.Section",
"label": "Sonrai Ticket Closed",
"elements": [
{
"name": "analytic3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Checks if Sonrai tickets have been closed. \nIt uses the action type to check if a ticket has been closed"
}
}
]
},
{
"name": "analytic4",
"type": "Microsoft.Common.Section",
"label": "Sonrai Ticket Escalation Executed",
"elements": [
{
"name": "analytic4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Checks if Sonrai tickets have had a comment added. \nIt uses the action type to check if a ticket has had a comment added"
}
}
]
},
{
"name": "analytic5",
"type": "Microsoft.Common.Section",
"label": "Sonrai Ticket Escalation Executed",
"elements": [
{
"name": "analytic5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Checks if Sonrai tickets have had an escalation executed. \nIt uses the action type to check if a ticket has had an escalation executed"
}
}
]
},
{
"name": "analytic6",
"type": "Microsoft.Common.Section",
"label": "Sonrai Ticket Reopened",
"elements": [
{
"name": "analytic6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Checks if Sonrai tickets have been reopened. \nIt uses the action type to check if a ticket has been reopened"
}
}
]
},
{
"name": "analytic7",
"type": "Microsoft.Common.Section",
"label": "Sonrai Ticket Risk Accepted",
"elements": [
{
"name": "analytic7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Checks if Sonrai tickets have had their risk accepted. \nIt uses the action type to check if a ticket has had it's risk accepted"
}
}
]
},
{
"name": "analytic8",
"type": "Microsoft.Common.Section",
"label": "Sonrai Ticket Snoozed",
"elements": [
{
"name": "analytic8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Checks if Sonrai tickets have been snoozed. \nIt uses the action type to check if a ticket has been snoozed"
}
}
]
},
{
"name": "analytic9",
"type": "Microsoft.Common.Section",
"label": "Sonrai Ticket Updated",
"elements": [
{
"name": "analytic9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Checks if Sonrai tickets have been updated. \nIt uses the action type to check if a ticket has been updated"
}
}
]
}
]
}
],
"outputs": {
"workspace-location": "[resourceGroup().location]",
"location": "[location()]",
"workspace": "[basics('workspace')]",
"workbook1-name": "[steps('workbooks').workbook1.workbook1-name]"
}
}
}
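Review bot: The `analytic4` section is mislabelled: its `label` is `"Sonrai Ticket Escalation Executed"` while its text describes the comment-added rule, and `analytic5` carries the identical label, so the deployment wizard shows two sections with the same name and none for comment added; change it to `"label": "Sonrai Ticket Comment Added",`. The same copy-paste carries into the main template section below, where the scheduled rule for `action_d == 9` has `"displayName": "Sonrai Ticket Escalation Executed"` next to the genuine escalation rule for `action_d == 8`, leaving two rules indistinguishable by name in the analytics gallery. The `analytic7-text` string reads `it's risk accepted` where `its risk accepted` is meant. The `resourceProviders` list registers `Microsoft.Logic/workflows` although the Input file for this solution declares no playbooks — presumably droppable unless the packaging tool requires it; confirm.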


@ -0,0 +1,550 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
"comments": "Solution template for SonraiSecurity"
},
"parameters": {
"location": {
"type": "string",
"minLength": 1,
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
}
},
"workspace-location": {
"type": "string",
"minLength": 1,
"defaultValue": "[parameters('location')]",
"metadata": {
"description": "Region to deploy solution resources"
}
},
"workspace": {
"defaultValue": "",
"type": "string",
"metadata": {
"description": "Workspace name for Log Analytics where Sentinel is setup"
}
},
"connector1-name": {
"type": "string",
"defaultValue": "c0ee11a5-7378-4353-acb0-1546d2995770"
},
"analytic1-id": {
"type": "string",
"defaultValue": "[newGuid()]",
"minLength": 1,
"metadata": {
"description": "Unique id for the scheduled alert rule"
}
},
"analytic2-id": {
"type": "string",
"defaultValue": "[newGuid()]",
"minLength": 1,
"metadata": {
"description": "Unique id for the scheduled alert rule"
}
},
"analytic3-id": {
"type": "string",
"defaultValue": "[newGuid()]",
"minLength": 1,
"metadata": {
"description": "Unique id for the scheduled alert rule"
}
},
"analytic4-id": {
"type": "string",
"defaultValue": "[newGuid()]",
"minLength": 1,
"metadata": {
"description": "Unique id for the scheduled alert rule"
}
},
"analytic5-id": {
"type": "string",
"defaultValue": "[newGuid()]",
"minLength": 1,
"metadata": {
"description": "Unique id for the scheduled alert rule"
}
},
"analytic6-id": {
"type": "string",
"defaultValue": "[newGuid()]",
"minLength": 1,
"metadata": {
"description": "Unique id for the scheduled alert rule"
}
},
"analytic7-id": {
"type": "string",
"defaultValue": "[newGuid()]",
"minLength": 1,
"metadata": {
"description": "Unique id for the scheduled alert rule"
}
},
"analytic8-id": {
"type": "string",
"defaultValue": "[newGuid()]",
"minLength": 1,
"metadata": {
"description": "Unique id for the scheduled alert rule"
}
},
"analytic9-id": {
"type": "string",
"defaultValue": "[newGuid()]",
"minLength": 1,
"metadata": {
"description": "Unique id for the scheduled alert rule"
}
},
"formattedTimeNow": {
"type": "string",
"defaultValue": "[utcNow('g')]",
"metadata": {
"description": "Appended to workbook displayNames to make them unique"
}
},
"workbook1-id": {
"type": "string",
"defaultValue": "[newGuid()]",
"minLength": 1,
"metadata": {
"description": "Unique id for the workbook"
}
},
"workbook1-name": {
"type": "string",
"defaultValue": "SonraiSecurity",
"minLength": 1,
"metadata": {
"description": "Name for the workbook"
}
}
},
"variables": {
"connector1-source": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.OperationalInsights/workspaces/',parameters('workspace'),'/providers/Microsoft.SecurityInsights/dataConnectors/',parameters('connector1-name'))]",
"_connector1-source": "[variables('connector1-source')]",
"SonraiDataConnectorConnector": "SonraiDataConnectorConnector",
"_SonraiDataConnectorConnector": "[variables('SonraiDataConnectorConnector')]",
"SonraiNewTicket_AnalyticalRules": "SonraiNewTicket_AnalyticalRules",
"_SonraiNewTicket_AnalyticalRules": "[variables('SonraiNewTicket_AnalyticalRules')]",
"SonraiTicketAssigned_AnalyticalRules": "SonraiTicketAssigned_AnalyticalRules",
"_SonraiTicketAssigned_AnalyticalRules": "[variables('SonraiTicketAssigned_AnalyticalRules')]",
"SonraiTicketClosed_AnalyticalRules": "SonraiTicketClosed_AnalyticalRules",
"_SonraiTicketClosed_AnalyticalRules": "[variables('SonraiTicketClosed_AnalyticalRules')]",
"SonraiTicketCommentAdded_AnalyticalRules": "SonraiTicketCommentAdded_AnalyticalRules",
"_SonraiTicketCommentAdded_AnalyticalRules": "[variables('SonraiTicketCommentAdded_AnalyticalRules')]",
"SonraiTicketEscalationExecuted_AnalyticalRules": "SonraiTicketEscalationExecuted_AnalyticalRules",
"_SonraiTicketEscalationExecuted_AnalyticalRules": "[variables('SonraiTicketEscalationExecuted_AnalyticalRules')]",
"SonraiTicketReopened_AnalyticalRules": "SonraiTicketReopened_AnalyticalRules",
"_SonraiTicketReopened_AnalyticalRules": "[variables('SonraiTicketReopened_AnalyticalRules')]",
"SonraiTicketRiskAccepted_AnalyticalRules": "SonraiTicketRiskAccepted_AnalyticalRules",
"_SonraiTicketRiskAccepted_AnalyticalRules": "[variables('SonraiTicketRiskAccepted_AnalyticalRules')]",
"SonraiTicketSnoozed_AnalyticalRules": "SonraiTicketSnoozed_AnalyticalRules",
"_SonraiTicketSnoozed_AnalyticalRules": "[variables('SonraiTicketSnoozed_AnalyticalRules')]",
"SonraiTicketUpdated_AnalyticalRules": "SonraiTicketUpdated_AnalyticalRules",
"_SonraiTicketUpdated_AnalyticalRules": "[variables('SonraiTicketUpdated_AnalyticalRules')]",
"Sonrai_workbook": "Sonrai_workbook",
"_Sonrai_workbook": "[variables('Sonrai_workbook')]",
"workbook-source": "[concat(resourceGroup().id, '/providers/Microsoft.OperationalInsights/workspaces/',parameters('workspace'))]",
"_workbook-source": "[variables('workbook-source')]",
"sourceId": "sonraisecurityllc1584373214489.sonrai_sentinel_offer",
"_sourceId": "[variables('sourceId')]"
},
"resources": [
{
"id": "[variables('_connector1-source')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('connector1-name'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"title": "Sonrai Data Connector",
"publisher": "Sonrai",
"descriptionMarkdown": "Use this data connector to integrate with Sonrai Security and get Sonrai tickets sent directly to Azure Sentinel.",
"graphQueries": [
{
"metricName": "Sonrai Tickets",
"legend": "Sonrai_Tickets_CL",
"baseQuery": "Sonrai_Tickets_CL"
}
],
"sampleQueries": [
{
"description": "Query for tickets with AWSS3ObjectFingerprint resource type.",
"query": "Sonrai_Tickets_CL \n| where digest_resourceType_s == \"AWSS3ObjectFingerprint\"\n| limit 10"
}
],
"dataTypes": [
{
"name": "Sonrai_Tickets_CL",
"lastDataReceivedQuery": "Sonrai_Tickets_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"Sonrai_Tickets_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
]
},
"instructionSteps": [
{
"description": "1. Navigate to Sonrai Security dashboard.\n2. On the bottom left panel, click on integrations.\n3. Select Azure Sentinel from the list of available Integrations.\n4. Fill in the form using the information provided below.",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID"
},
"type": "CopyableLabel"
},
{
"parameters": {
"fillWith": [
"PrimaryKey"
],
"label": "Primary Key"
},
"type": "CopyableLabel"
}
],
"title": "Sonrai Security Data Connector"
}
]
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic1-id'))]",
"apiVersion": "2020-01-01",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "Checks for new Sonrai tickets. \nIt uses the action type to check if a ticket has been created",
"displayName": "New Sonrai Ticket",
"enabled": false,
"query": "Sonrai_Tickets_CL\n| where action_d == 1\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Medium",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic2-id'))]",
"apiVersion": "2020-01-01",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "Checks if Sonrai tickets have been assigned. \nIt uses the action type to check if a ticket has been assigned",
"displayName": "Sonrai Ticket Assigned",
"enabled": false,
"query": "Sonrai_Tickets_CL\n| where action_d == 4\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Medium",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic3-id'))]",
"apiVersion": "2020-01-01",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "Checks if Sonrai tickets have been closed. \nIt uses the action type to check if a ticket has been closed",
"displayName": "Sonrai Ticket Closed",
"enabled": false,
"query": "Sonrai_Tickets_CL\n| where action_d == 2\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Low",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic4-id'))]",
"apiVersion": "2020-01-01",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "Checks if Sonrai tickets have had a comment added. \nIt uses the action type to check if a ticket has had a comment added",
"displayName": "Sonrai Ticket Escalation Executed",
"enabled": false,
"query": "Sonrai_Tickets_CL\n| where action_d == 9\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Medium",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic5-id'))]",
"apiVersion": "2020-01-01",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "Checks if Sonrai tickets have had an escalation executed. \nIt uses the action type to check if a ticket has had an escalation executed",
"displayName": "Sonrai Ticket Escalation Executed",
"enabled": false,
"query": "Sonrai_Tickets_CL\n| where action_d == 8\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Medium",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic6-id'))]",
"apiVersion": "2020-01-01",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "Checks if Sonrai tickets have been reopened. \nIt uses the action type to check if a ticket has been reopened",
"displayName": "Sonrai Ticket Reopened",
"enabled": false,
"query": "Sonrai_Tickets_CL\n| where action_d == 3\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Medium",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic7-id'))]",
"apiVersion": "2020-01-01",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "Checks if Sonrai tickets have had their risk accepted. \nIt uses the action type to check if a ticket has had it's risk accepted",
"displayName": "Sonrai Ticket Risk Accepted",
"enabled": false,
"query": "Sonrai_Tickets_CL\n| where action_d == 7\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Medium",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic8-id'))]",
"apiVersion": "2020-01-01",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "Checks if Sonrai tickets have been snoozed. \nIt uses the action type to check if a ticket has been snoozed",
"displayName": "Sonrai Ticket Snoozed",
"enabled": false,
"query": "Sonrai_Tickets_CL\n| where action_d == 6\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Medium",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic9-id'))]",
"apiVersion": "2020-01-01",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "Checks if Sonrai tickets have been updated. \nIt uses the action type to check if a ticket has been updated",
"displayName": "Sonrai Ticket Updated",
"enabled": false,
"query": "Sonrai_Tickets_CL\n| where action_d == 5\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Medium",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
}
},
{
"type": "Microsoft.Insights/workbooks",
"name": "[parameters('workbook1-id')]",
"location": "[parameters('workspace-location')]",
"kind": "shared",
"apiVersion": "2020-02-12",
"properties": {
"displayName": "[concat(parameters('workbook1-name'), ' - ', parameters('formattedTimeNow'))]",
"serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Sonrai_Tickets_CL\\n| summarize count() by digest_criticalResourceName_s\",\"size\":0,\"title\":\"Tickets per Resource (last 30 days)\",\"noDataMessage\":\"No tickets found\",\"noDataMessageStyle\":3,\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"30%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Sonrai_Tickets_CL\\n| where digest_status_s == \\\"NEW\\\"\\n| summarize count() by digest_ticketKeyName_s\",\"size\":0,\"title\":\"Ticket Key Name (last 30 days)\",\"noDataMessage\":\"No tickets found\",\"noDataMessageStyle\":3,\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"30%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Sonrai_Tickets_CL\\n| summarize Count=count() by Date = startofweek(TimeGenerated)\\n| render timechart\",\"size\":1,\"title\":\"Logs over time\",\"noDataMessage\":\"No Tickets Found\",\"noDataMessageStyle\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"50%\"}}],\"fromTemplateId\":\"sentinel-SonraiSecurityWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
"version": "1.0",
"sourceId": "[variables('_workbook-source')]",
"category": "sentinel"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2021-03-01-preview",
"properties": {
"version": "1.1.0",
"kind": "Solution",
"contentId": "[variables('_sourceId')]",
"parentId": "[variables('_sourceId')]",
"source": {
"kind": "Solution",
"name": "SonraiSecurity",
"sourceId": "[variables('_sourceId')]"
},
"author": {
"name": "Nikhil Tripathi",
"email": "v-ntripathi@microsoft.com"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"kind": "DataConnector",
"contentId": "[variables('_SonraiDataConnectorConnector')]",
"version": "1.1.0"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('_SonraiNewTicket_AnalyticalRules')]",
"version": "1.1.0"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('_SonraiTicketAssigned_AnalyticalRules')]",
"version": "1.1.0"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('_SonraiTicketClosed_AnalyticalRules')]",
"version": "1.1.0"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('_SonraiTicketCommentAdded_AnalyticalRules')]",
"version": "1.1.0"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('_SonraiTicketEscalationExecuted_AnalyticalRules')]",
"version": "1.1.0"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('_SonraiTicketReopened_AnalyticalRules')]",
"version": "1.1.0"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('_SonraiTicketRiskAccepted_AnalyticalRules')]",
"version": "1.1.0"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('_SonraiTicketSnoozed_AnalyticalRules')]",
"version": "1.1.0"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('_SonraiTicketUpdated_AnalyticalRules')]",
"version": "1.1.0"
},
{
"kind": "Workbook",
"contentId": "[variables('_Sonrai_workbook')]",
"version": "1.1.0"
}
]
},
"firstPublishDate": "2021-10-18",
"providers": [
"Sonrai"
],
"categories": {
"domains": [
"Compliance"
]
}
},
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_sourceId'))]"
}
],
"outputs": {}
}


@ -0,0 +1,16 @@
{
"publisherId": "sonraisecurityllc1584373214489",
"planId": "sonrai_sentinel_offer",
"firstPublishDate": "2021-10-18",
"providers": ["Sonrai"],
"categories": {
"domains" : ["Compliance"],
"verticals": []
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
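Review bot: The categories entry is written `"domains" : ["Compliance"],` with a space before the colon, while every other key in the file follows the `"key": value` form; the TenableIO and Vectra SolutionMetadata.json files in this commit carry the same mismatch. Strict parsers accept it, but the files otherwise look serializer-generated, so the stray space reads as a hand edit and will be churned by the next formatter pass. Change the line to `"domains": ["Compliance"],` in all three files.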


@ -0,0 +1,16 @@
{
"Name": "TenableIO",
"Author": "Tenable - support@tenable.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/tenableio_logo.svg\"width=\"75px\"height=\"75px\">",
"Description": "[Tenable.io](https://www.tenable.com/products/tenable-io) offers a comprehensive portfolio that helps prevent attacks by identifying the vulnerabilities, configuration issues, and malware that hackers could use to penetrate your environment. Use this solution to export data about your Assets and Vulnerabilities to Azure Sentinel.",
"Data Connectors": [
"Data Connectors/TenableIO.json"
],
"Parsers": [
"Parsers/TenableIOAssets.txt",
"Parsers/TenableIOVulnerabilities.txt"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\azure\\Solutions\\TenableIO",
"Version": "1.1.0"
}
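Review bot: `"BasePath": "C:\\GitHub\\azure\\Solutions\\TenableIO"` is an absolute path on one developer's workstation, so the packaging input cannot be consumed from another checkout or a build agent without editing; the Vectra solution data file in this commit has the same problem. If the packaging tool accepts a path relative to the repository root, `"BasePath": "Solutions/TenableIO"` would make the file portable; if it does not, the field should at least be documented as a per-machine override. Separately, the `Logo` markup runs its attributes together (`...svg"width="75px"height="75px"`), which HTML5 parsers report as a parse error before recovering; insert the spaces so the markup is well-formed.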

Solutions/TenableIO/Package/1.1.0.zip Normal file



@ -0,0 +1,102 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/tenableio_logo.svg\"width=\"75px\"height=\"75px\">\n\n**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\n[Tenable.io](https://www.tenable.com/products/tenable-io) offers a comprehensive portfolio that helps prevent attacks by identifying the vulnerabilities, configuration issues, and malware that hackers could use to penetrate your environment. Use this solution to export data about your Assets and Vulnerabilities to Azure Sentinel.\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1, **Parsers:** 2\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "dataconnectors",
"label": "Data Connectors",
"bladeTitle": "Data Connectors",
"elements": [
{
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Solution installs the data connector for TenableIO. You can get TenableIO custom log data in your Azure Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. This data connector creates custom log table(s) Tenable_IO_Assets_CL Tenable_IO_Vulns_CL in your Azure Sentinel / Azure Log Analytics workspace."
}
},
{
"name": "dataconnectors-parser-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The Solution installs a parser that transforms the ingested data into Azure Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Azure Sentinel."
}
},
{
"name": "dataconnectors-link1",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about normalized format",
"uri": "https://docs.microsoft.com/azure/sentinel/normalization-schema"
}
}
},
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about connecting data sources",
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
}
}
}
]
}
],
"outputs": {
"workspace-location": "[resourceGroup().location]",
"location": "[location()]",
"workspace": "[basics('workspace')]"
}
}
}
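Review bot: The workspace dropdown filter `contains(filter.id, toLower(resourceGroup().name))` is a substring test on the whole resource id rather than a match on the workspace's resource group, so a workspace in any group whose name merely contains the selected name (for example `sec` versus `security-rg`) is listed too, contradicting the tooltip "only workspace that exists in the Resource Group selected"; the Vectra createUiDefinition in this commit uses the same expression. Matching the `/resourcegroups/<name>/` path segment, with both sides lowercased, would close that gap, and since only the right-hand side is lowercased here, a resource group containing uppercase letters may currently fail to match at all if `contains` is case-sensitive. The `allowedValues` entries are also built by string-concatenating JSON (`parse(concat('{\"label\":\"', item.name, ...))`); workspace names are restricted to letters, digits and hyphens so this is safe today, but a note recording that assumption would help the next maintainer. Finally, `resourceProviders` registers `Microsoft.Insights/workbooks` and `Microsoft.Logic/workflows` although this solution ships only a data connector and parsers; drop the entries the deployment does not need.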



@ -0,0 +1,16 @@
{
"publisherId": "azuresentinel",
"planId": "azure-sentinel-solution-tenablenessus",
"firstPublishDate": "2021-10-18",
"providers": ["Tenable"],
"categories": {
"domains" : ["Security – Vulnerability Management"],
"verticals": []
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
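Review bot: `"planId": "azure-sentinel-solution-tenablenessus"` names Nessus, while the solution name, description and data connector in this commit are all Tenable.io; presumably the id was copied from another Tenable offer. A planId ties the package to a marketplace plan, so verify it against the plan this solution is actually published under and, if Tenable.io is the intended product, replace it with that plan's id.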


@ -0,0 +1,15 @@
{
"Name": "Vectra",
"Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/AIVectraDetect.svg\"width=\"75px\"height=\"75px\">",
"Description": "[Vectra Cognito](https://www.vectra.ai/) is a threat detection and response platform that uses artificial intelligence to detect attacker behavior and protect both hosts and users from being compromised. Vectra Cognito provides high fidelity alerts and does not decrypt data so you can be secure and maintain privacy whether thats in the cloud, data center, enterprise networks, or IoT devices.",
"Data Connectors": [
"Data Connectors/Connector_VectraAI_Stream.json"
],
"Parsers": [
"Parsers/VectraStream_function.kql"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\azure\\Solutions\\Vectra",
"Version": "1.1.0"
}
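Review bot: The `Description` text contains the typo "whether thats in the cloud" (should be "that's"), and the same sentence is reused verbatim in the Vectra createUiDefinition description in this commit. Since the package generator presumably copies this field into the generated UI and listing text, correct it here at the source as well as in the generated file.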

Solutions/Vectra/Package/1.1.0.zip Normal file



@ -0,0 +1,102 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/AIVectraDetect.svg\"width=\"75px\"height=\"75px\">\n\n**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\n[Vectra Cognito](https://www.vectra.ai/) is a threat detection and response platform that uses artificial intelligence to detect attacker behavior and protect both hosts and users from being compromised. Vectra Cognito provides high fidelity alerts and does not decrypt data so you can be secure and maintain privacy whether thats in the cloud, data center, enterprise networks, or IoT devices.\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1, **Parsers:** 1\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "dataconnectors",
"label": "Data Connectors",
"bladeTitle": "Data Connectors",
"elements": [
{
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Solution installs the data connector for Vectra. You can get Vectra custom log data in your Azure Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. This data connector creates custom log table(s) VectraStream_CL in your Azure Sentinel / Azure Log Analytics workspace."
}
},
{
"name": "dataconnectors-parser-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The Solution installs a parser that transforms the ingested data into Azure Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Azure Sentinel."
}
},
{
"name": "dataconnectors-link1",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about normalized format",
"uri": "https://docs.microsoft.com/azure/sentinel/normalization-schema"
}
}
},
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about connecting data sources",
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
}
}
}
]
}
],
"outputs": {
"workspace-location": "[resourceGroup().location]",
"location": "[location()]",
"workspace": "[basics('workspace')]"
}
}
}



@ -0,0 +1,16 @@
{
"publisherId": "Vectraiinc",
"planId": "vectra_sentinel_solution",
"firstPublishDate": "2021-10-18",
"providers": ["Vectra AI"],
"categories": {
"domains" : ["Security – Network"],
"verticals": []
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
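Review bot: `"publisherId": "Vectraiinc"` is mixed-case, whereas the other publisher ids in this commit (`azuresentinel`, `sonraisecurityllc1584373214489`) are lowercase; marketplace publisher ids are typically lowercase, so confirm this is the exact registered id rather than a display name. `"providers": ["Vectra AI"]` also differs from the solution `Name` of `Vectra` in the Vectra solution data file — fine if the provider catalog uses "Vectra AI", but worth confirming so the two do not drift.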