Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Repackaging for tagged for dependent solutions

This commit is contained in:
v-rusraut 2024-02-08 10:17:36 +05:30
Родитель d80f930594
Коммит 95d6c0e7d5
15 изменённых файлов: 451 добавлений и 371 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

4
Solutions/Apache Log4j Vulnerability Detection/Data/Solution_Log4j.json
Просмотреть файл

@ -2,7 +2,7 @@
"Name": "Apache Log4j Vulnerability Detection",
"Author": "Microsoft - support@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Apache%20Log4j%20Vulnerability%20Detection/Workbooks/Images/Logos/Log4j.svg\" width=\"150px\" height=\"75px\">",
"Description": "Microsoft's security research teams have been tracking threats taking advantage of [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228), a remote code execution (RCE) vulnerability in [Apache Log4j 2](https://logging.apache.org/log4j/2.x/) referred to as “Log4Shell”. The vulnerability allows unauthenticated remote code execution, and it is triggered when a specially crafted string provided by the attacker through a variety of different input vectors is parsed and processed by the Log4j 2 vulnerable component. For more technical and mitigation information about the vulnerability, please read the [Microsoft Security Response Center blog](https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/). This solution provides content to monitor, detect and investigate signals related to exploitation of this vulnerability in Microsoft Sentinel.\n\n**Prerequisite :-**\n\n Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.\n 1. Azure Web Application Firewall (WAF) \n 2. Microsoft 365 \n 3. Windows Server DNS \n 4. CiscoASA \n 5. PaloAlto-PAN-OS \n 6. Microsoft Entra ID \n 7. Azure Activity \n 8. Amazon Web Services \n 9. Azure Firewall \n 10. SquidProxy \n 11. Zscaler Private Access (ZPA) \n 12. Syslog \n 13. Check Point \n 14. Microsoft Defender XDR",
"Description": "Microsoft's security research teams have been tracking threats taking advantage of [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228), a remote code execution (RCE) vulnerability in [Apache Log4j 2](https://logging.apache.org/log4j/2.x/) referred to as “Log4Shell”. The vulnerability allows unauthenticated remote code execution, and it is triggered when a specially crafted string provided by the attacker through a variety of different input vectors is parsed and processed by the Log4j 2 vulnerable component. For more technical and mitigation information about the vulnerability, please read the [Microsoft Security Response Center blog](https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/). This solution provides content to monitor, detect and investigate signals related to exploitation of this vulnerability in Microsoft Sentinel.\n\n**Prerequisite :-**\n\n This is a [domain solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Ckavishbakshi%40microsoft.com%7Cbe2a496082b24caa4b8c08da9cefacca%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637994850502413731%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OJegu%2B2EqD7rmYmK9pm9QniD6YWp5ooloZ6tHzcwVi0%3D&reserved=0) and does not include any data connectors. Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.\n 1. Azure Web Application Firewall (WAF) \n 2. Microsoft 365 \n 3. Windows Server DNS \n 4. CiscoASA \n 5. PaloAlto-PAN-OS \n 6. Microsoft Entra ID \n 7. Azure Activity \n 8. Amazon Web Services \n 9. Azure Firewall \n 10. SquidProxy \n 11. Zscaler Private Access (ZPA) \n 12. Syslog \n 13. Check Point \n 14. Microsoft Defender XDR",
"Workbooks": [
"Workbooks/Log4jPostCompromiseHunting.json",
"Workbooks/Log4jImpactAssessment.json"
@ -34,7 +34,7 @@
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Apache Log4j Vulnerability Detection",
"Metadata": "SolutionMetadata.json",
"Version": "2.0.5",
"Version": "3.0.2",
"TemplateSpec": true,
"Is1Pconnector": true
}

Двоичные данные
Solutions/Apache Log4j Vulnerability Detection/Package/3.0.2.zip Normal file
Просмотреть файл

Двоичный файл не отображается.

2
Solutions/Apache Log4j Vulnerability Detection/Package/createUiDefinition.json
Просмотреть файл

@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Apache%20Log4j%20Vulnerability%20Detection/Workbooks/Images/Logos/Log4j.svg\" width=\"150px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Apache%20Log4j%20Vulnerability%20Detection/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nMicrosoft's security research teams have been tracking threats taking advantage of [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228), a remote code execution (RCE) vulnerability in [Apache Log4j 2](https://logging.apache.org/log4j/2.x/) referred to as “Log4Shell”. The vulnerability allows unauthenticated remote code execution, and it is triggered when a specially crafted string provided by the attacker through a variety of different input vectors is parsed and processed by the Log4j 2 vulnerable component. For more technical and mitigation information about the vulnerability, please read the [Microsoft Security Response Center blog](https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/). This solution provides content to monitor, detect and investigate signals related to exploitation of this vulnerability in Microsoft Sentinel.\n\n**Prerequisite :-**\n\n Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.\n 1. Azure Web Application Firewall (WAF) \n 2. Microsoft 365 \n 3. Windows Server DNS \n 4. CiscoASA \n 5. PaloAlto-PAN-OS \n 6. Microsoft Entra ID \n 7. Azure Activity \n 8. Amazon Web Services \n 9. Azure Firewall \n 10. SquidProxy \n 11. Zscaler Private Access (ZPA) \n 12. Syslog \n 13. Check Point \n 14. Microsoft Defender XDR\n\n**Workbooks:** 2, **Analytic Rules:** 4, **Hunting Queries:** 10, **Watchlists:** 1, **Playbooks:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Apache%20Log4j%20Vulnerability%20Detection/Workbooks/Images/Logos/Log4j.svg\" width=\"150px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Apache%20Log4j%20Vulnerability%20Detection/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nMicrosoft's security research teams have been tracking threats taking advantage of [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228), a remote code execution (RCE) vulnerability in [Apache Log4j 2](https://logging.apache.org/log4j/2.x/) referred to as “Log4Shell”. The vulnerability allows unauthenticated remote code execution, and it is triggered when a specially crafted string provided by the attacker through a variety of different input vectors is parsed and processed by the Log4j 2 vulnerable component. For more technical and mitigation information about the vulnerability, please read the [Microsoft Security Response Center blog](https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/). This solution provides content to monitor, detect and investigate signals related to exploitation of this vulnerability in Microsoft Sentinel.\n\n**Prerequisite :-**\n\n This is a [domain solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Ckavishbakshi%40microsoft.com%7Cbe2a496082b24caa4b8c08da9cefacca%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637994850502413731%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OJegu%2B2EqD7rmYmK9pm9QniD6YWp5ooloZ6tHzcwVi0%3D&reserved=0) and does not include any data connectors. Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.\n 1. Azure Web Application Firewall (WAF) \n 2. Microsoft 365 \n 3. Windows Server DNS \n 4. CiscoASA \n 5. PaloAlto-PAN-OS \n 6. Microsoft Entra ID \n 7. Azure Activity \n 8. Amazon Web Services \n 9. Azure Firewall \n 10. SquidProxy \n 11. Zscaler Private Access (ZPA) \n 12. Syslog \n 13. Check Point \n 14. Microsoft Defender XDR\n\n**Workbooks:** 2, **Analytic Rules:** 4, **Hunting Queries:** 10, **Watchlists:** 1, **Playbooks:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",

117
Solutions/Apache Log4j Vulnerability Detection/Package/mainTemplate.json
Просмотреть файл

@ -57,7 +57,7 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "Apache Log4j Vulnerability Detection",
"_solutionVersion": "3.0.1",
"_solutionVersion": "3.0.2",
"solutionId": "azuresentinel.azure-sentinel-solution-apachelog4jvulnerability",
"_solutionId": "[variables('solutionId')]",
"workbookVersion1": "1.0.0",
@ -182,7 +182,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Log4jPostCompromiseHunting Workbook with template version 3.0.1",
"description": "Log4jPostCompromiseHunting Workbook with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@ -298,7 +298,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Log4jImpactAssessment Workbook with template version 3.0.1",
"description": "Log4jImpactAssessment Workbook with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion2')]",
@ -406,7 +406,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Log4jVulnerableMachines_AnalyticalRules Analytics Rule with template version 3.0.1",
"description": "Log4jVulnerableMachines_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@ -443,13 +443,13 @@
],
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"identifier": "HostName",
"columnName": "VirtualMachine"
"columnName": "VirtualMachine",
"identifier": "HostName"
}
],
"entityType": "Host"
]
}
]
}
@ -505,7 +505,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "AzureWAFmatching_log4j_vuln_AnalyticalRules Analytics Rule with template version 3.0.1",
"description": "AzureWAFmatching_log4j_vuln_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@ -547,13 +547,13 @@
],
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "MaliciousHost"
"columnName": "MaliciousHost",
"identifier": "Address"
}
],
"entityType": "IP"
]
}
]
}
@ -609,7 +609,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Log4J_IPIOC_Dec112021_AnalyticalRules Analytics Rule with template version 3.0.1",
"description": "Log4J_IPIOC_Dec112021_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@ -726,39 +726,39 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "Name",
"columnName": "Name"
"columnName": "Name",
"identifier": "Name"
},
{
"identifier": "UPNSuffix",
"columnName": "UPNSuffix"
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
}
],
"entityType": "Account"
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"identifier": "HostName",
"columnName": "HostName"
"columnName": "HostName",
"identifier": "HostName"
},
{
"identifier": "DnsDomain",
"columnName": "DnsDomain"
"columnName": "DnsDomain",
"identifier": "DnsDomain"
}
],
"entityType": "Host"
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPEntity"
"columnName": "IPEntity",
"identifier": "Address"
}
],
"entityType": "IP"
]
}
]
}
@ -814,7 +814,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "UserAgentSearch_log4j_AnalyticalRules Analytics Rule with template version 3.0.1",
"description": "UserAgentSearch_log4j_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@ -898,31 +898,31 @@
],
"entityMappings": [
{
"entityType": "URL",
"fieldMappings": [
{
"identifier": "Url",
"columnName": "Url"
"columnName": "Url",
"identifier": "Url"
}
],
"entityType": "URL"
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "SourceIP"
"columnName": "SourceIP",
"identifier": "Address"
}
],
"entityType": "IP"
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "Name",
"columnName": "Account"
"columnName": "Account",
"identifier": "Name"
}
],
"entityType": "Account"
]
}
]
}
@ -978,7 +978,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "WAF_log4j_vulnerability_HuntingQueries Hunting Query with template version 3.0.1",
"description": "WAF_log4j_vulnerability_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
@ -1063,7 +1063,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "NetworkConnectionldap_log4j_HuntingQueries Hunting Query with template version 3.0.1",
"description": "NetworkConnectionldap_log4j_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
@ -1148,7 +1148,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Firewall_Disable_Activity_HuntingQueries Hunting Query with template version 3.0.1",
"description": "Firewall_Disable_Activity_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
@ -1233,7 +1233,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Apache_log4j_Vulnerability_HuntingQueries Hunting Query with template version 3.0.1",
"description": "Apache_log4j_Vulnerability_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
@ -1318,7 +1318,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Process_Termination_Activity_HuntingQueries Hunting Query with template version 3.0.1",
"description": "Process_Termination_Activity_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]",
@ -1403,7 +1403,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Suspicious_ShellScript_Activity_HuntingQueries Hunting Query with template version 3.0.1",
"description": "Suspicious_ShellScript_Activity_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]",
@ -1488,7 +1488,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Base64_Download_Activity_HuntingQueries Hunting Query with template version 3.0.1",
"description": "Base64_Download_Activity_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]",
@ -1573,7 +1573,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Container_Miner_Activity_HuntingQueries Hunting Query with template version 3.0.1",
"description": "Container_Miner_Activity_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]",
@ -1658,7 +1658,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Linux_Toolkit_Detected_HuntingQueries Hunting Query with template version 3.0.1",
"description": "Linux_Toolkit_Detected_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]",
@ -1743,7 +1743,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "NetworkConnectionToNewExternalLDAPServer_HuntingQueries Hunting Query with template version 3.0.1",
"description": "NetworkConnectionToNewExternalLDAPServer_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]",
@ -1828,7 +1828,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "BatchImportToSentinel Playbook with template version 3.0.1",
"description": "BatchImportToSentinel Playbook with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion1')]",
@ -2047,7 +2047,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Log4jIndicatorProcessor Playbook with template version 3.0.1",
"description": "Log4jIndicatorProcessor Playbook with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion2')]",
@ -2346,12 +2346,12 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "3.0.1",
"version": "3.0.2",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Apache Log4j Vulnerability Detection",
"publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
"descriptionHtml": "<p><strong>Note:</strong> <em>There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</em></p>\n<p>Microsoft's security research teams have been tracking threats taking advantage of <a href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228\">CVE-2021-44228</a>, a remote code execution (RCE) vulnerability in <a href=\"https://logging.apache.org/log4j/2.x/\">Apache Log4j 2</a> referred to as “Log4Shell”. The vulnerability allows unauthenticated remote code execution, and it is triggered when a specially crafted string provided by the attacker through a variety of different input vectors is parsed and processed by the Log4j 2 vulnerable component. For more technical and mitigation information about the vulnerability, please read the <a href=\"https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\">Microsoft Security Response Center blog</a>. This solution provides content to monitor, detect and investigate signals related to exploitation of this vulnerability in Microsoft Sentinel.</p>\n<p><strong>Prerequisite :-</strong></p>\n<p>Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.</p>\n<ol>\n<li>Azure Web Application Firewall (WAF)</li>\n<li>Microsoft 365</li>\n<li>Windows Server DNS</li>\n<li>CiscoASA</li>\n<li>PaloAlto-PAN-OS</li>\n<li>Microsoft Entra ID</li>\n<li>Azure Activity</li>\n<li>Amazon Web Services</li>\n<li>Azure Firewall</li>\n<li>SquidProxy</li>\n<li>Zscaler Private Access (ZPA)</li>\n<li>Syslog</li>\n<li>Check Point</li>\n<li>Microsoft Defender XDR</li>\n</ol>\n<p><strong>Workbooks:</strong> 2, <strong>Analytic Rules:</strong> 4, <strong>Hunting Queries:</strong> 10, <strong>Watchlists:</strong> 1, <strong>Playbooks:</strong> 2</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
"descriptionHtml": "<p><strong>Note:</strong> <em>There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</em></p>\n<p>Microsoft's security research teams have been tracking threats taking advantage of <a href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228\">CVE-2021-44228</a>, a remote code execution (RCE) vulnerability in <a href=\"https://logging.apache.org/log4j/2.x/\">Apache Log4j 2</a> referred to as “Log4Shell”. The vulnerability allows unauthenticated remote code execution, and it is triggered when a specially crafted string provided by the attacker through a variety of different input vectors is parsed and processed by the Log4j 2 vulnerable component. For more technical and mitigation information about the vulnerability, please read the <a href=\"https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\">Microsoft Security Response Center blog</a>. This solution provides content to monitor, detect and investigate signals related to exploitation of this vulnerability in Microsoft Sentinel.</p>\n<p><strong>Prerequisite :-</strong></p>\n<p>This is a <a href=\"https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&amp;data=05%7C01%7Ckavishbakshi%40microsoft.com%7Cbe2a496082b24caa4b8c08da9cefacca%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637994850502413731%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=OJegu%2B2EqD7rmYmK9pm9QniD6YWp5ooloZ6tHzcwVi0%3D&amp;reserved=0\">domain solution</a> and does not include any data connectors. Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.</p>\n<ol>\n<li>Azure Web Application Firewall (WAF)</li>\n<li>Microsoft 365</li>\n<li>Windows Server DNS</li>\n<li>CiscoASA</li>\n<li>PaloAlto-PAN-OS</li>\n<li>Microsoft Entra ID</li>\n<li>Azure Activity</li>\n<li>Amazon Web Services</li>\n<li>Azure Firewall</li>\n<li>SquidProxy</li>\n<li>Zscaler Private Access (ZPA)</li>\n<li>Syslog</li>\n<li>Check Point</li>\n<li>Microsoft Defender XDR</li>\n</ol>\n<p><strong>Workbooks:</strong> 2, <strong>Analytic Rules:</strong> 4, <strong>Hunting Queries:</strong> 10, <strong>Watchlists:</strong> 1, <strong>Playbooks:</strong> 2</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
@ -2374,7 +2374,6 @@
"link": "https://support.microsoft.com/"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"kind": "Workbook",
@ -2469,7 +2468,7 @@
{
"kind": "Watchlist",
"contentId": "[variables('_Campaign')]",
"version": "3.0.1"
"version": "3.0.2"
},
{
"kind": "Solution",

1
Solutions/Apache Log4j Vulnerability Detection/ReleaseNotes.md
Просмотреть файл

@ -1,5 +1,6 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|----------------------------------------------------------------------------|
| 3.0.2 | 07-02-0024 | Updated solution description |
| 3.0.1 | 02-01-2024 | Tagged for dependent solutions for deployment |
| 3.0.0 | 06-11-2023 | Changes for rebranding from Azure Active Directory to Microsoft Entra ID |

4
Solutions/Attacker Tools Threat Protection Essentials/Data/Solution_AttackersToolsThreatProtectionEssentials.json
Просмотреть файл

@ -2,7 +2,7 @@
"Name": "Attacker Tools Threat Protection Essentials",
"Author": "Microsoft - support@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
"Description": "The **Attacker Tools Threat Protection Essentials** solution contains security content that is relevant for detection of tools commonly used by attackers in various campaigns. These tools can be commercial, open-source, built-in or publicly available and have historically been seen used by adversaries in different phases of the ATTACK kill chain. \r\n \r\n **Pre-requisites:** \r\n \r\n This is a [domain solution](https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog#domain-solutions) and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution. \r\n \r\n 1. [Windows Security Events](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-securityeventsazure-sentinel-solution-securityevents) \n\n 2. [ Windows Server DNS ](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-dnsazure-sentinel-solution-dns) \n\n 3. [Windows Forwarded Events](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-windowsforwardedeventsazure-sentinel-solution-windowsforwardedevents) \n\n 4. [Microsoft Entra ID ](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-azureactivedirectoryazure-sentinel-solution-azureactivedirectory) \n\n**Keywords:** attack tools, penetration testing, Impacket, Powercat, Nishang, Cobalt Strike, ADFind, Credential Dumping, PowerShell Empire ",
"Description": "The **Attacker Tools Threat Protection Essentials** solution contains security content that is relevant for detection of tools commonly used by attackers in various campaigns. These tools can be commercial, open-source, built-in or publicly available and have historically been seen used by adversaries in different phases of the ATTACK kill chain. \r\n \r\n **Pre-requisites:** \r\n \r\n This is a [domain solution](https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog#domain-solutions) and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution. \r\n \r\n 1. Windows Security Events \n 2. Windows Server DNS \n 3. Windows Forwarded Events \n 4. Microsoft Entra ID \n\n**Keywords:** attack tools, penetration testing, Impacket, Powercat, Nishang, Cobalt Strike, ADFind, Credential Dumping, PowerShell Empire ",
"Hunting Queries": [
"Hunting Queries/CobaltDNSBeacon.yaml",
"Hunting Queries/PotentialImpacketExecution.yaml"
@ -14,7 +14,7 @@
"Analytic Rules/powershell_empire.yaml"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Attacker Tools Threat Protection Essentials",
"Version": "3.0.1",
"Version": "3.0.2",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": true

Двоичные данные
Solutions/Attacker Tools Threat Protection Essentials/Package/3.0.2.zip Normal file
Просмотреть файл

Двоичный файл не отображается.

2
Solutions/Attacker Tools Threat Protection Essentials/Package/createUiDefinition.json
Просмотреть файл

@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Attacker%20Tools%20Threat%20Protection%20Essentials/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe **Attacker Tools Threat Protection Essentials** solution contains security content that is relevant for detection of tools commonly used by attackers in various campaigns. These tools can be commercial, open-source, built-in or publicly available and have historically been seen used by adversaries in different phases of the ATTACK kill chain. \r\n \r\n **Pre-requisites:** \r\n \r\n This is a [domain solution](https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog#domain-solutions) and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution. \r\n \r\n 1. [Windows Security Events](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-securityeventsazure-sentinel-solution-securityevents) \n\n 2. [ Windows Server DNS ](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-dnsazure-sentinel-solution-dns) \n\n 3. [Windows Forwarded Events](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-windowsforwardedeventsazure-sentinel-solution-windowsforwardedevents) \n\n 4. [Microsoft Entra ID ](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-azureactivedirectoryazure-sentinel-solution-azureactivedirectory) \n\n**Keywords:** attack tools, penetration testing, Impacket, Powercat, Nishang, Cobalt Strike, ADFind, Credential Dumping, PowerShell Empire \n\n**Analytic Rules:** 4, **Hunting Queries:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Attacker%20Tools%20Threat%20Protection%20Essentials/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe **Attacker Tools Threat Protection Essentials** solution contains security content that is relevant for detection of tools commonly used by attackers in various campaigns. These tools can be commercial, open-source, built-in or publicly available and have historically been seen used by adversaries in different phases of the ATTACK kill chain. \r\n \r\n **Pre-requisites:** \r\n \r\n This is a [domain solution](https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog#domain-solutions) and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution. \r\n \r\n 1. Windows Security Events \n 2. Windows Server DNS \n 3. Windows Forwarded Events \n 4. Microsoft Entra ID \n\n**Keywords:** attack tools, penetration testing, Impacket, Powercat, Nishang, Cobalt Strike, ADFind, Credential Dumping, PowerShell Empire \n\n**Analytic Rules:** 4, **Hunting Queries:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",

115
Solutions/Attacker Tools Threat Protection Essentials/Package/mainTemplate.json
Просмотреть файл

@ -33,7 +33,7 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "Attacker Tools Threat Protection Essentials",
"_solutionVersion": "3.0.1",
"_solutionVersion": "3.0.2",
"solutionId": "azuresentinel.azure-sentinel-solution-attackertools",
"_solutionId": "[variables('solutionId')]",
"huntingQueryObject1": {
@ -86,7 +86,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "CobaltDNSBeacon_HuntingQueries Hunting Query with template version 3.0.1",
"description": "CobaltDNSBeacon_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
@ -171,7 +171,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "PotentialImpacketExecution_HuntingQueries Hunting Query with template version 3.0.1",
"description": "PotentialImpacketExecution_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
@ -256,7 +256,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "AdFind_Usage_AnalyticalRules Analytics Rule with template version 3.0.1",
"description": "AdFind_Usage_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@ -309,12 +309,12 @@
"entityType": "Account",
"fieldMappings": [
{
"identifier": "Name",
"columnName": "AccountName"
"columnName": "AccountName",
"identifier": "Name"
},
{
"identifier": "UPNSuffix",
"columnName": "AccountDomain"
"columnName": "AccountDomain",
"identifier": "UPNSuffix"
}
]
},
@ -322,12 +322,12 @@
"entityType": "Host",
"fieldMappings": [
{
"identifier": "HostName",
"columnName": "HostName"
"columnName": "HostName",
"identifier": "HostName"
},
{
"identifier": "DnsDomain",
"columnName": "DnsDomain"
"columnName": "DnsDomain",
"identifier": "DnsDomain"
}
]
},
@ -335,12 +335,12 @@
"entityType": "Process",
"fieldMappings": [
{
"identifier": "ProcessId",
"columnName": "InitiatingProcessFileName"
"columnName": "InitiatingProcessFileName",
"identifier": "ProcessId"
},
{
"identifier": "CommandLine",
"columnName": "ProcessCommandLine"
"columnName": "ProcessCommandLine",
"identifier": "CommandLine"
}
]
},
@ -348,12 +348,12 @@
"entityType": "FileHash",
"fieldMappings": [
{
"identifier": "Algorithm",
"columnName": "FileHashAlgorithm"
"columnName": "FileHashAlgorithm",
"identifier": "Algorithm"
},
{
"identifier": "Value",
"columnName": "SHA256"
"columnName": "SHA256",
"identifier": "Value"
}
]
}
@ -411,7 +411,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "CredentialDumpingServiceInstallation_AnalyticalRules Analytics Rule with template version 3.0.1",
"description": "CredentialDumpingServiceInstallation_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@ -459,8 +459,8 @@
"entityType": "Account",
"fieldMappings": [
{
"identifier": "Name",
"columnName": "AccountName"
"columnName": "AccountName",
"identifier": "Name"
}
]
},
@ -468,8 +468,8 @@
"entityType": "File",
"fieldMappings": [
{
"identifier": "Name",
"columnName": "ImagePath"
"columnName": "ImagePath",
"identifier": "Name"
}
]
},
@ -477,12 +477,12 @@
"entityType": "Host",
"fieldMappings": [
{
"identifier": "HostName",
"columnName": "HostName"
"columnName": "HostName",
"identifier": "HostName"
},
{
"identifier": "DnsDomain",
"columnName": "DnsDomain"
"columnName": "DnsDomain",
"identifier": "DnsDomain"
}
]
}
@ -540,7 +540,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "CredentialDumpingToolsFileArtifacts_AnalyticalRules Analytics Rule with template version 3.0.1",
"description": "CredentialDumpingToolsFileArtifacts_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@ -588,8 +588,8 @@
"entityType": "File",
"fieldMappings": [
{
"identifier": "Name",
"columnName": "TargetFilename"
"columnName": "TargetFilename",
"identifier": "Name"
}
]
},
@ -597,12 +597,12 @@
"entityType": "Host",
"fieldMappings": [
{
"identifier": "HostName",
"columnName": "HostName"
"columnName": "HostName",
"identifier": "HostName"
},
{
"identifier": "DnsDomain",
"columnName": "DnsDomain"
"columnName": "DnsDomain",
"identifier": "DnsDomain"
}
]
},
@ -610,8 +610,8 @@
"entityType": "Process",
"fieldMappings": [
{
"identifier": "CommandLine",
"columnName": "Image"
"columnName": "Image",
"identifier": "CommandLine"
}
]
}
@ -669,7 +669,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "powershell_empire_AnalyticalRules Analytics Rule with template version 3.0.1",
"description": "powershell_empire_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@ -853,12 +853,12 @@
"entityType": "Account",
"fieldMappings": [
{
"identifier": "Name",
"columnName": "SubjectUserName"
"columnName": "SubjectUserName",
"identifier": "Name"
},
{
"identifier": "NTDomain",
"columnName": "SubjectDomainName"
"columnName": "SubjectDomainName",
"identifier": "NTDomain"
}
]
},
@ -866,12 +866,12 @@
"entityType": "Host",
"fieldMappings": [
{
"identifier": "HostName",
"columnName": "HostName"
"columnName": "HostName",
"identifier": "HostName"
},
{
"identifier": "DnsDomain",
"columnName": "DnsDomain"
"columnName": "DnsDomain",
"identifier": "DnsDomain"
}
]
}
@ -925,12 +925,12 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "3.0.1",
"version": "3.0.2",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Attacker Tools Threat Protection Essentials",
"publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
"descriptionHtml": "<p><strong>Note:</strong> <em>There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</em></p>\n<p>The <strong>Attacker Tools Threat Protection Essentials</strong> solution contains security content that is relevant for detection of tools commonly used by attackers in various campaigns. These tools can be commercial, open-source, built-in or publicly available and have historically been seen used by adversaries in different phases of the ATTACK kill chain.</p>\n<p><strong>Pre-requisites:</strong></p>\n<p>This is a <a href=\"https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog#domain-solutions\">domain solution</a> and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution.</p>\n<ol>\n<li><p><a href=\"https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-securityeventsazure-sentinel-solution-securityevents\">Windows Security Events</a></p>\n</li>\n<li><p><a href=\"https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-dnsazure-sentinel-solution-dns\"> Windows Server DNS </a></p>\n</li>\n<li><p><a href=\"https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-windowsforwardedeventsazure-sentinel-solution-windowsforwardedevents\">Windows Forwarded Events</a></p>\n</li>\n<li><p><a href=\"https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-azureactivedirectoryazure-sentinel-solution-azureactivedirectory\">Microsoft Entra ID </a></p>\n</li>\n</ol>\n<p><strong>Keywords:</strong> attack tools, penetration testing, Impacket, Powercat, Nishang, Cobalt Strike, ADFind, Credential Dumping, PowerShell Empire</p>\n<p><strong>Analytic Rules:</strong> 4, <strong>Hunting Queries:</strong> 2</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
"descriptionHtml": "<p><strong>Note:</strong> <em>There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</em></p>\n<p>The <strong>Attacker Tools Threat Protection Essentials</strong> solution contains security content that is relevant for detection of tools commonly used by attackers in various campaigns. These tools can be commercial, open-source, built-in or publicly available and have historically been seen used by adversaries in different phases of the ATTACK kill chain.</p>\n<p><strong>Pre-requisites:</strong></p>\n<p>This is a <a href=\"https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog#domain-solutions\">domain solution</a> and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution.</p>\n<ol>\n<li>Windows Security Events</li>\n<li>Windows Server DNS</li>\n<li>Windows Forwarded Events</li>\n<li>Microsoft Entra ID</li>\n</ol>\n<p><strong>Keywords:</strong> attack tools, penetration testing, Impacket, Powercat, Nishang, Cobalt Strike, ADFind, Credential Dumping, PowerShell Empire</p>\n<p><strong>Analytic Rules:</strong> 4, <strong>Hunting Queries:</strong> 2</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
@ -953,7 +953,6 @@
"link": "https://support.microsoft.com"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"kind": "HuntingQuery",
@ -984,6 +983,22 @@
"kind": "AnalyticsRule",
"contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
"version": "[variables('analyticRuleObject4').analyticRuleVersion4]"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-securityevents"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-dns"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-windowsforwardedevents"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-azureactivedirectory"
}
]
},

1
Solutions/Attacker Tools Threat Protection Essentials/ReleaseNotes.md
Просмотреть файл

@ -1,5 +1,6 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|---------------------------------------------------------------------------|
| 3.0.2 | 07-02-2024 | Tagged for dependent solutions for deployment |
| 3.0.1 | 23-01-2024 | Added subTechniques in Template |
| 3.0.0 | 06-11-2023 | Changes for rebranding from Azure Active Directory to Microsoft Entra ID |

4
Solutions/Network Session Essentials/Data/Solution_NetworkSessionEssentials.json
Просмотреть файл

@ -2,7 +2,7 @@
"Name": "Network Session Essentials",
"Author": "Microsoft - support@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
"Description": "[Network Session Essentials](https://aka.ms/NetworkSessionEssential) is a [domain solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Ckavishbakshi%40microsoft.com%7Cbe2a496082b24caa4b8c08da9cefacca%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637994850502413731%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OJegu%2B2EqD7rmYmK9pm9QniD6YWp5ooloZ6tHzcwVi0%3D&reserved=0) and does not include any data connectors. The content in this solution requires one of the product solutions below , as well as any other connector or data source normalized to the [ASIM](https://aka.ms/AboutASIM).\n\n**Prerequisite :-**\n\n Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.\n 1. [Amazon Web Services](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-amazonwebservicesazure-sentinel-solution-amazonwebservices) \n 2. [Azure Firewall](https://portal.azure.com/#create/sentinel4azurefirewall.sentinel4azurefirewallsentinel4azurefirewall) \n 3. [Azure Network Security Groups](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-networksecuritygroupazure-sentinel-solution-networksecuritygroup) \n 4. [Check Point](https://portal.azure.com/#create/checkpoint.checkpoint-sentinel-solutionssentinel-1) \n 5. [Cisco ASA](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-ciscoasaazure-sentinel-solution-ciscoasa) \n 6. [Cisco Meraki Security Events](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-ciscomerakiazure-sentinel-solution-ciscomeraki) \n 7. [Corelight](https://portal.azure.com/#create/corelightinc1584998267292.corelight-for-azure-sentinelcorelight-for-azure-sentinel-solution-template) \n 8. [Fortinet FortiGate](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-fortinetfortigateazure-sentinel-solution-fortinetfortigate) \n 9. [Microsoft Defender for IoT](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-unifiedmicrosoftsocforotazure-sentinel-solution-unifiedmicrosoftsocforot) \n 10. [Microsoft Defender for Cloud](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoftdefenderforcloudazure-sentinel-solution-microsoftdefenderforcloud) \n 11. [Microsoft Sysmon For Linux](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-sysmonforlinuxazure-sentinel-solution-sysmonforlinux) \n 12. [Windows Firewall](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-windowsfirewallazure-sentinel-solution-windowsfirewall) \n 13. [Palo Alto PANOS](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-paloaltopanosazure-sentinel-solution-paloaltopanos) \n 14. [Vectra AI Stream](https://portal.azure.com/#create/vectraaiinc.vectra_sentinel_solutionvectra_sentinel_solutions) \n 15. [WatchGuard Firebox](https://portal.azure.com/#create/watchguard-technologies.watchguard_firebox_msswatchguard-sentinel-solution-plan) \n 16. [Zscaler Internet Access](https://portal.azure.com/#create/zscaler1579058425289.zscaler_internet_access_msszia_msentinel_v1) \n\n**Underlying Microsoft Technologies used:** \n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: \n 1. Product solutions as described above \n 2. Logic app for data summarization\n\n**Recommendation :-**\n\nIt is highly recommended to use the **Summarize data** logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.",
"Description": "[Network Session Essentials](https://aka.ms/NetworkSessionEssential) is a [domain solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Ckavishbakshi%40microsoft.com%7Cbe2a496082b24caa4b8c08da9cefacca%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637994850502413731%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OJegu%2B2EqD7rmYmK9pm9QniD6YWp5ooloZ6tHzcwVi0%3D&reserved=0) and does not include any data connectors. The content in this solution requires one of the product solutions below , as well as any other connector or data source normalized to the [ASIM](https://aka.ms/AboutASIM).\n\n**Prerequisite :-**\n\n Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.\n 1. Amazon Web Services \n 2. Azure Firewall \n 3. Azure Network Security Groups \n 4. Check Point \n 5. Cisco ASA \n 6. Cisco Meraki Security Events \n 7. Corelight \n 8. Fortinet FortiGate \n 9. Microsoft Defender for IoT \n 10. Microsoft Defender for Cloud \n 11. Microsoft Sysmon For Linux \n 12. Windows Firewall \n 13. Palo Alto PANOS \n 14. Vectra AI Stream \n 15. WatchGuard Firebox \n 16. Zscaler Internet Access \n\n**Underlying Microsoft Technologies used:** \n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: \n 1. Product solutions as described above \n 2. Logic app for data summarization\n\n**Recommendation :-**\n\nIt is highly recommended to use the **Summarize data** logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.",
"Workbooks": [
"Workbooks/NetworkSessionEssentials.json"
],
@ -30,7 +30,7 @@
],
"WatchlistDescription": "Monitor Network Session Essentials Solution's' configurable conditions here. Choose between Detection or Hunting for Type and set Threshold type to Static or Anomaly to tune monitoring as needed",
"BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\Network Session Essentials",
"Version": "3.0.1",
"Version": "3.0.3",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": false

Двоичные данные
Solutions/Network Session Essentials/Package/3.0.2.zip
Просмотреть файл

Двоичный файл не отображается.

2
Solutions/Network Session Essentials/Package/createUiDefinition.json
Просмотреть файл

@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network%20Session%20Essentials/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Network Session Essentials](https://aka.ms/NetworkSessionEssential) is a [domain solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Ckavishbakshi%40microsoft.com%7Cbe2a496082b24caa4b8c08da9cefacca%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637994850502413731%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OJegu%2B2EqD7rmYmK9pm9QniD6YWp5ooloZ6tHzcwVi0%3D&reserved=0) and does not include any data connectors. The content in this solution requires one of the product solutions below , as well as any other connector or data source normalized to the [ASIM](https://aka.ms/AboutASIM).\n\n**Prerequisite :-**\n\n Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.\n 1. [Amazon Web Services](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-amazonwebservicesazure-sentinel-solution-amazonwebservices) \n 2. [Azure Firewall](https://portal.azure.com/#create/sentinel4azurefirewall.sentinel4azurefirewallsentinel4azurefirewall) \n 3. [Azure Network Security Groups](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-networksecuritygroupazure-sentinel-solution-networksecuritygroup) \n 4. [Check Point](https://portal.azure.com/#create/checkpoint.checkpoint-sentinel-solutionssentinel-1) \n 5. [Cisco ASA](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-ciscoasaazure-sentinel-solution-ciscoasa) \n 6. [Cisco Meraki Security Events](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-ciscomerakiazure-sentinel-solution-ciscomeraki) \n 7. [Corelight](https://portal.azure.com/#create/corelightinc1584998267292.corelight-for-azure-sentinelcorelight-for-azure-sentinel-solution-template) \n 8. [Fortinet FortiGate](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-fortinetfortigateazure-sentinel-solution-fortinetfortigate) \n 9. [Microsoft Defender for IoT](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-unifiedmicrosoftsocforotazure-sentinel-solution-unifiedmicrosoftsocforot) \n 10. [Microsoft Defender for Cloud](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoftdefenderforcloudazure-sentinel-solution-microsoftdefenderforcloud) \n 11. [Microsoft Sysmon For Linux](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-sysmonforlinuxazure-sentinel-solution-sysmonforlinux) \n 12. [Windows Firewall](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-windowsfirewallazure-sentinel-solution-windowsfirewall) \n 13. [Palo Alto PANOS](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-paloaltopanosazure-sentinel-solution-paloaltopanos) \n 14. [Vectra AI Stream](https://portal.azure.com/#create/vectraaiinc.vectra_sentinel_solutionvectra_sentinel_solutions) \n 15. [WatchGuard Firebox](https://portal.azure.com/#create/watchguard-technologies.watchguard_firebox_msswatchguard-sentinel-solution-plan) \n 16. [Zscaler Internet Access](https://portal.azure.com/#create/zscaler1579058425289.zscaler_internet_access_msszia_msentinel_v1) \n\n**Underlying Microsoft Technologies used:** \n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: \n 1. Product solutions as described above \n 2. Logic app for data summarization\n\n**Recommendation :-**\n\nIt is highly recommended to use the **Summarize data** logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.\n\n**Workbooks:** 1, **Analytic Rules:** 7, **Hunting Queries:** 4, **Watchlists:** 1, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network%20Session%20Essentials/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Network Session Essentials](https://aka.ms/NetworkSessionEssential) is a [domain solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Ckavishbakshi%40microsoft.com%7Cbe2a496082b24caa4b8c08da9cefacca%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637994850502413731%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OJegu%2B2EqD7rmYmK9pm9QniD6YWp5ooloZ6tHzcwVi0%3D&reserved=0) and does not include any data connectors. The content in this solution requires one of the product solutions below , as well as any other connector or data source normalized to the [ASIM](https://aka.ms/AboutASIM).\n\n**Prerequisite :-**\n\n Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.\n 1. Amazon Web Services \n 2. Azure Firewall \n 3. Azure Network Security Groups \n 4. Check Point \n 5. Cisco ASA \n 6. Cisco Meraki Security Events \n 7. Corelight \n 8. Fortinet FortiGate \n 9. Microsoft Defender for IoT \n 10. Microsoft Defender for Cloud \n 11. Microsoft Sysmon For Linux \n 12. Windows Firewall \n 13. Palo Alto PANOS \n 14. Vectra AI Stream \n 15. WatchGuard Firebox \n 16. Zscaler Internet Access \n\n**Underlying Microsoft Technologies used:** \n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: \n 1. Product solutions as described above \n 2. Logic app for data summarization\n\n**Recommendation :-**\n\nIt is highly recommended to use the **Summarize data** logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.\n\n**Workbooks:** 1, **Analytic Rules:** 7, **Hunting Queries:** 4, **Watchlists:** 1, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",

559
Solutions/Network Session Essentials/Package/mainTemplate.json
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

11
Solutions/Network Session Essentials/ReleaseNotes.md
Просмотреть файл

@ -1,5 +1,6 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|------------------------------------------------|
| 3.0.2 | 24-01-2024 |Updated **Analytic Rule** (DetectPortMisuseByAnomalyBasedDetection) |
| 3.0.1 | 02-01-2024 |Tagged for dependent solutions for deployment |
| 3.0.0 | 24-07-2023 |Updated ApiVersion for **Watchlist** |
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|-----------------------------------------------------------------------|
| 3.0.2 | 07-02-2024 |Updated **Analytic Rule** (DetectPortMisuseByAnomalyBasedDetection) |
| | |Updated solution description |
| 3.0.1 | 02-01-2024 |Tagged for dependent solutions for deployment |
| 3.0.0 | 24-07-2023 |Updated ApiVersion for **Watchlist** |