Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Revert "Revert "Merge branch 'master' of https://github.com/rons4/Azure-Sentinel"" 

This reverts commit 7f21eb8ef5.
This commit is contained in:
rons4 2022-01-03 11:27:36 +01:00
Родитель 76c13e5795
Коммит 965de7409e
504 изменённых файлов: 78465 добавлений и 11467 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

39
.github/pull_request_template.md поставляемый
Просмотреть файл

@ -1,7 +1,36 @@
Fixes #
## Before submitting this PR please ensure that you have read the following sections and then completed the template below:
## Proposed Changes
Thank you for your contribution to the Microsoft Sentinel Github repo.
-
-
-
> The code should have been tested in a Microsoft Sentinel environment that does not have any custom parsers, functions or tables, so that you validate no incorrect syntax and execution functions properly.
> Details of the code changes in your submitted PR. Providing descriptions for pull requests ensures, there is context to changes being made and greatly enhances the code review process. Providing associated Issues that this resolves also easily connects the reason.
Change(s):
- Updated syntax for XYZ.yaml
Reason for Change(s):
- New schema used for XYZ.yaml
- Resolves ISSUE #1234
## After the submission has been made, please look at the Validation Checks:
> Check that the validations are passing and address any issues that are present. Let us know if you have tried fixing and need help.
> References:
> - [Guidance for Detection checks](https://github.com/Azure/Azure-Sentinel#pull-request-detection-template-structure-validation-check)
> - [General contribution guidance](https://github.com/Azure/Azure-Sentinel/wiki#what-can-you-contribute-and-how-can-you-create-contributions)
> - [PR validation troubleshooting](https://github.com/Azure/Azure-Sentinel#pull-request)
## PR Template
-----------------------------------------------------------------------------------------------------------
**Description for the PR:**
(Enter the description below)
**Testing Completed:**
Yes/ No :
-----------------------------------------------------------------------------------------------------------

69
.script/tests/KqlvalidationsTests/CustomTables/ApacheHTTPServer.json Normal file
Просмотреть файл

@ -0,0 +1,69 @@
{
"Name": "ApacheHTTPServer",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "ClientIdentity",
"Type": "String"
},
{
"Name": "EventMessage",
"Type": "String"
},
{
"Name": "EventProduct",
"Type": "String"
},
{
"Name": "EventSeverity",
"Type": "String"
},
{
"Name": "EventStartTime",
"Type": "DateTime"
},
{
"Name": "EventType",
"Type": "String"
},
{
"Name": "HttpReferrerOriginal",
"Type": "String"
},
{
"Name": "HttpRequestMethod",
"Type": "String"
},
{
"Name": "HttpResponseBodyBytes",
"Type": "Double"
},
{
"Name": "HttpStatusCode",
"Type": "String"
},
{
"Name": "HttpUserAgentOriginal",
"Type": "String"
},
{
"Name": "HttpVersion",
"Type": "String"
},
{
"Name": "SrcIpAddr",
"Type": "String"
},
{
"Name": "SrcUserName",
"Type": "String"
},
{
"Name": "UrlOriginal",
"Type": "String"
}
]
}

24
.script/tests/KqlvalidationsTests/CustomTables/AzurePurview_CustomTable.json
Просмотреть файл

@ -9,10 +9,6 @@
"Name": "PurviewTenantId",
"Type": "String"
},
{
"Name": "PurviewSubscriptionId",
"Type": "String"
},
{
"Name": "PurviewAccountName",
"Type": "String"
@ -46,7 +42,7 @@
"Type": "String"
},
{
"Name": "SourceOwner",
"Name": "SourceScanId",
"Type": "String"
},
{
@ -69,10 +65,6 @@
"Name": "AssetModifiedTime",
"Type": "DateTime"
},
{
"Name": "AssetOwner",
"Type": "String"
},
{
"Name": "AssetLastScanTime",
"Type": "DateTime"
@ -90,7 +82,7 @@
"Type": "String"
},
{
"Name": "ActivityTrigger",
"Name": "ClassificationTrigger",
"Type": "String"
},
{
@ -98,20 +90,20 @@
"Type": "Dynamic"
},
{
"Name": "ClassificationCount",
"Type": "Long"
"Name": "ClassificationDetails",
"Type": "Dynamic"
},
{
"Name": "SensitivityLabelGuid",
"Name": "SensitivityLabelTrigger",
"Type": "String"
},
{
"Name": "SensitivityLabelName",
"Name": "SensitivityLabel",
"Type": "String"
},
{
"Name": "UserId",
"Type": "String"
"Name": "SensitivityLabelDetails",
"Type": "Dynamic"
}
]
}

233
.script/tests/KqlvalidationsTests/CustomTables/CiscoSecureEndpoint.json Normal file
Просмотреть файл

@ -0,0 +1,233 @@
{
"name": "CiscoSecureEndpoint",
"Properties": [
{
"Name": "TenantId",
"Type": "String"
},
{
"Name": "SourceSystem",
"Type": "String"
},
{
"Name": "MG",
"Type": "String"
},
{
"Name": "ManagementGroupName",
"Type": "String"
},
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "Computer",
"Type": "String"
},
{
"Name": "RawData",
"Type": "String"
},
{
"Name": "DvcId",
"Type": "Double"
},
{
"Name": "timestamp_d",
"Type": "Double"
},
{
"Name": "timestamp_nanoseconds_d",
"Type": "Double"
},
{
"Name": "EventOriginalId",
"Type": "Double"
},
{
"Name": "ThreatName",
"Type": "String"
},
{
"Name": "ThreatId",
"Type": "String"
},
{
"Name": "ConnectorGuid",
"Type": "String"
},
{
"Name": "GroupGuid",
"Type": "String"
},
{
"Name": "ThreatSeverity",
"Type": "String"
},
{
"Name": "SrcDvcId",
"Type": "String"
},
{
"Name": "DstHostname",
"Type": "String"
},
{
"Name": "DstIpAddr",
"Type": "String"
},
{
"Name": "DstUsername",
"Type": "String"
},
{
"Name": "computer_active_b",
"Type": "Boolean"
},
{
"Name": "DstMacAddr",
"Type": "String"
},
{
"Name": "ComputerLinksComputer",
"Type": "String"
},
{
"Name": "ComputerLinksTrajectory",
"Type": "String"
},
{
"Name": "ComputerLinksGroup",
"Type": "String"
},
{
"Name": "IndicatorThreatType",
"Type": "String"
},
{
"Name": "SrcFileName",
"Type": "String"
},
{
"Name": "SrcFilePath",
"Type": "String"
},
{
"Name": "SrcFileSHA256",
"Type": "String"
},
{
"Name": "SrcFileSHA1",
"Type": "String"
},
{
"Name": "SrcFileMD5",
"Type": "String"
},
{
"Name": "ParentProcessId",
"Type": "Double"
},
{
"Name": "ParentProcessFileDescription",
"Type": "String"
},
{
"Name": "ParentProcessName",
"Type": "String"
},
{
"Name": "ParentProcessSHA256",
"Type": "String"
},
{
"Name": "ParentProcessSHA1",
"Type": "String"
},
{
"Name": "ParentProcessMD5",
"Type": "String"
},
{
"Name": "EventSubType",
"Type": "String"
},
{
"Name": "audit_log_id_g",
"Type": "String"
},
{
"Name": "SrcUserName",
"Type": "String"
},
{
"Name": "new_attributes_policy_id_d",
"Type": "Double"
},
{
"Name": "EventProductVersion",
"Type": "Double"
},
{
"Name": "audit_log_id_s",
"Type": "String"
},
{
"Name": "DstDvcHostname",
"Type": "String"
},
{
"Name": "new_attributes_desc_s",
"Type": "String"
},
{
"Name": "DvcHostname",
"Type": "String"
},
{
"Name": "DvcIpAddr",
"Type": "String"
},
{
"Name": "new_attributes_group_id_d",
"Type": "Double"
},
{
"Name": "DstDvcOsId",
"Type": "Double"
},
{
"Name": "Type",
"Type": "String"
},
{
"Name": "_ResourceId",
"Type": "String"
},
{
"Name": "EventVendor",
"Type": "String"
},
{
"Name": "EventProduct",
"Type": "String"
},
{
"Name": "EventEndTime",
"Type": "DateTime"
},
{
"Name": "EventMessage",
"Type": "String"
},
{
"Name": "Hostname",
"Type": "String"
},
{
"Name": "User",
"Type": "String"
}
]
}

157
.script/tests/KqlvalidationsTests/CustomTables/ImpervaWAFCloud.json Normal file
Просмотреть файл

@ -0,0 +1,157 @@
{
"name": "ImpervaWAFCloud",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "EventVendor",
"Type": "String"
},
{
"Name": "EventProduct",
"Type": "String"
},
{
"Name": "EventType",
"Type": "String"
},
{
"Name": "EventSeverity",
"Type": "String"
},
{
"Name": "DvcAction",
"Type": "String"
},
{
"Name": "NetworkApplicationProtocol",
"Type": "String"
},
{
"Name": "Country",
"Type": "String"
},
{
"Name": "City",
"Type": "String"
},
{
"Name": "HttpStatusCode",
"Type": "String"
},
{
"Name": "SrcPortNumber",
"Type": "String"
},
{
"Name": "AccountName",
"Type": "String"
},
{
"Name": "RequestId",
"Type": "String"
},
{
"Name": "PoPName",
"Type": "String"
},
{
"Name": "BrowserType",
"Type": "String"
},
{
"Name": "EventEndTime",
"Type": "String"
},
{
"Name": "NetworkSessionId",
"Type": "String"
},
{
"Name": "PostBody",
"Type": "String"
},
{
"Name": "QueryString",
"Type": "String"
},
{
"Name": "UrlOriginal",
"Type": "String"
},
{
"Name": "HttpUserAgentOriginal",
"Type": "String"
},
{
"Name": "HttpRequestMethod",
"Type": "String"
},
{
"Name": "DstIpAddr",
"Type": "String"
},
{
"Name": "SiteID",
"Type": "String"
},
{
"Name": "DstDomainHostname",
"Type": "String"
},
{
"Name": "DstPortNumber",
"Type": "String"
},
{
"Name": "SrcIpAddr",
"Type": "String"
},
{
"Name": "EventStartTime",
"Type": "String"
},
{
"Name": "AccountID",
"Type": "String"
},
{
"Name": "NetworkApplicationProtocoVersion",
"Type": "String"
},
{
"Name": "HttpRequestXff",
"Type": "String"
},
{
"Name": "CaptchaSupport",
"Type": "String"
},
{
"Name": "ClientApp",
"Type": "String"
},
{
"Name": "ClientAppSig",
"Type": "String"
},
{
"Name": "CookiesSupport",
"Type": "String"
},
{
"Name": "SrcGeoLatitude",
"Type": "String"
},
{
"Name": "SrcGeoLongitude",
"Type": "String"
},
{
"Name": "VisitorID",
"Type": "String"
}
]
}

37
.script/tests/KqlvalidationsTests/CustomTables/InfobloxCDC.json Normal file
Просмотреть файл

@ -0,0 +1,37 @@
{
"Name": "InfobloxCDC",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "DeviceEventClassID",
"Type": "String"
},
{
"Name": "ThreatLevel_Score",
"Type": "Int"
},
{
"Name": "InfobloxB1PolicyAction",
"Type": "String"
},
{
"Name": "SimplifiedDeviceAction",
"Type": "String"
},
{
"Name": "SourceIP",
"Type": "String"
},
{
"Name": "DeviceName",
"Type": "String"
},
{
"Name": "InfobloxDNSRCode",
"Type": "String"
}
]
}

53
.script/tests/KqlvalidationsTests/CustomTables/LastPass_BYOC_CL.json Normal file
Просмотреть файл

@ -0,0 +1,53 @@
{
"Name":"LastPass_BYOC_CL",
"Properties":[
{
"Name":"MG",
"Type":"String"
},
{
"Name":"ManagementGroupName",
"Type":"String"
},
{
"Name":"TimeGenerated",
"Type":"DateTime"
},
{
"Name":"Computer",
"Type":"String"
},
{
"Name":"RawData",
"Type":"String"
},
{
"Name":"Time_s",
"Type":"String"
},
{
"Name":"Username_s",
"Type":"String"
},
{
"Name":"IP_Address_s",
"Type":"String"
},
{
"Name":"Action_s",
"Type":"String"
},
{
"Name":"Data_s",
"Type":"String"
},
{
"Name":"Type",
"Type":"String"
},
{
"Name":"_ResourceId",
"Type":"String"
}
]
}

73
.script/tests/KqlvalidationsTests/CustomTables/NGINXHTTPServer.json Normal file
Просмотреть файл

@ -0,0 +1,73 @@
{
"Name": "NGINXHTTPServer",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "EventMessage",
"Type": "String"
},
{
"Name": "EventProduct",
"Type": "String"
},
{
"Name": "EventSeverity",
"Type": "String"
},
{
"Name": "EventStartTime",
"Type": "DateTime"
},
{
"Name": "EventType",
"Type": "String"
},
{
"Name": "HttpReferrerOriginal",
"Type": "String"
},
{
"Name": "HttpRequestMethod",
"Type": "String"
},
{
"Name": "HttpResponseBodyBytes",
"Type": "Double"
},
{
"Name": "HttpStatusCode",
"Type": "String"
},
{
"Name": "HttpUserAgentOriginal",
"Type": "String"
},
{
"Name": "HttpVersion",
"Type": "String"
},
{
"Name": "ProcessId",
"Type": "Double"
},
{
"Name": "SrcIpAddr",
"Type": "String"
},
{
"Name": "SrcUserName",
"Type": "String"
},
{
"Name": "ThreadId",
"Type": "Double"
},
{
"Name": "UrlOriginal",
"Type": "String"
}
]
}

81
.script/tests/KqlvalidationsTests/CustomTables/VMwareESXi.json Normal file
Просмотреть файл

@ -0,0 +1,81 @@
{
"name": "VMwareESXi",
"Properties": [
{
"Name": "TenantId",
"Type": "String"
},
{
"Name": "SourceSystem",
"Type": "String"
},
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "Computer",
"Type": "String"
},
{
"Name": "EventTime",
"Type": "DateTime"
},
{
"Name": "Facility",
"Type": "String"
},
{
"Name": "HostName",
"Type": "String"
},
{
"Name": "SeverityLevel",
"Type": "String"
},
{
"Name": "SyslogMessage",
"Type": "String"
},
{
"Name": "ProcessID",
"Type": "Int"
},
{
"Name": "HostIP",
"Type": "String"
},
{
"Name": "ProcessName",
"Type": "String"
},
{
"Name": "MG",
"Type": "String"
},
{
"Name": "Type",
"Type": "String"
},
{
"Name": "_ResourceId",
"Type": "String"
},
{
"Name": "Sub",
"Type": "String"
},
{
"Name": "OpId",
"Type": "String"
},
{
"Name": "UserName",
"Type": "String"
},
{
"Name": "Message",
"Type": "String"
}
]
}

895
.script/tests/KqlvalidationsTests/CustomTables/imNetworkSession.json
Просмотреть файл

@ -1,386 +1,513 @@
{
"Name": "imNetworkSession",
"Properties": [{
"Name": "TimeGenerated",
"Type": "datetime"
}, {
"Name": "_ResourceId",
"Type": "string"
}, {
"Name": "Type",
"Type": "string"
}, {
"Name": "EventMessage",
"Type": "string"
}, {
"Name": "EventCount",
"Type": "int"
}, {
"Name": "EventStartTime",
"Type": "datetime"
}, {
"Name": "EventEndTime",
"Type": "datetime"
}, {
"Name": "EventType",
"Type": "string"
}, {
"Name": "EventSubType",
"Type": "string"
}, {
"Name": "EventResult",
"Type": "string"
}, {
"Name": "EventResultDetails",
"Type": "string"
}, {
"Name": "EventOriginalResultDetails",
"Type": "string"
}, {
"Name": "EventSeverity",
"Type": "string"
}, {
"Name": "EventOriginalSeverity",
"Type": "string"
}, {
"Name": "EventOriginalUid",
"Type": "string"
}, {
"Name": "EventOriginalType",
"Type": "string"
}, {
"Name": "EventProduct",
"Type": "string"
}, {
"Name": "EventProductVersion",
"Type": "string"
}, {
"Name": "EventVendor",
"Type": "string"
}, {
"Name": "EventSchema",
"Type": "string"
}, {
"Name": "EventSchemaVersion",
"Type": "string"
}, {
"Name": "EventReportUrl",
"Type": "string"
}, {
"Name": "Dvc",
"Type": "string"
}, {
"Name": "DvcIpAddr",
"Type": "string"
}, {
"Name": "DvcHostname",
"Type": "string"
}, {
"Name": "DvcDomain",
"Type": "string"
}, {
"Name": "DvcDomainType",
"Type": "string"
}, {
"Name": "DvcFQDN",
"Type": "string"
}, {
"Name": "DvcId",
"Type": "string"
}, {
"Name": "DvcIdType",
"Type": "string"
}, {
"Name": "DvcMacAddr",
"Type": "string"
}, {
"Name": "DvcZone",
"Type": "string"
}, {
"Name": "Dst",
"Type": "string"
}, {
"Name": "DstIpAddr",
"Type": "string"
}, {
"Name": "DstPortNumber",
"Type": "int"
}, {
"Name": "DstHostname",
"Type": "string"
}, {
"Name": "Hostname",
"Type": "string"
}, {
"Name": "DstDomain",
"Type": "string"
}, {
"Name": "DstDomainType",
"Type": "string"
}, {
"Name": "DstFQDN",
"Type": "string"
}, {
"Name": "DstDvcId",
"Type": "string"
}, {
"Name": "DstDvcIdType",
"Type": "string"
}, {
"Name": "DstDeviceType",
"Type": "string"
}, {
"Name": "DstUserId",
"Type": "string"
}, {
"Name": "DstUserIdType",
"Type": "string"
}, {
"Name": "DstUsername",
"Type": "string"
}, {
"Name": "User",
"Type": "string"
}, {
"Name": "DstUsernameType",
"Type": "string"
}, {
"Name": "DstUserType",
"Type": "string"
}, {
"Name": "DstOriginalUserType",
"Type": "string"
}, {
"Name": "DstUserDomain",
"Type": "string"
}, {
"Name": "DstAppName",
"Type": "string"
}, {
"Name": "DstAppId",
"Type": "string"
}, {
"Name": "DstAppType",
"Type": "string"
}, {
"Name": "DstZone",
"Type": "string"
}, {
"Name": "DstInterfaceName",
"Type": "string"
}, {
"Name": "DstInterfaceGuid",
"Type": "string"
}, {
"Name": "DstMacAddr",
"Type": "string"
}, {
"Name": "DstGeoCountry",
"Type": "string"
}, {
"Name": "DstGeoCity",
"Type": "string"
}, {
"Name": "DstGeoLatitude",
"Type": "string"
}, {
"Name": "DstGeoLongitude",
"Type": "string"
}, {
"Name": "Src",
"Type": "string"
}, {
"Name": "SrcIpAddr",
"Type": "string"
}, {
"Name": "SrcPortNumber",
"Type": "int"
}, {
"Name": "SrcHostname",
"Type": "string"
}, {
"Name": "SrcDomain",
"Type": "string"
}, {
"Name": "SrcDomainType",
"Type": "string"
}, {
"Name": "SrcFQDN",
"Type": "string"
}, {
"Name": "SrcDvcId",
"Type": "string"
}, {
"Name": "SrcDvcIdType",
"Type": "string"
}, {
"Name": "SrcDeviceType",
"Type": "string"
}, {
"Name": "SrcUserId",
"Type": "string"
}, {
"Name": "SrcUserIdType",
"Type": "string"
}, {
"Name": "SrcUsername",
"Type": "string"
}, {
"Name": "SrcUsernameType",
"Type": "string"
}, {
"Name": "SrcUserType",
"Type": "string"
}, {
"Name": "SrcOriginalUserType",
"Type": "string"
}, {
"Name": "SrcUserDomain",
"Type": "string"
}, {
"Name": "SrcAppName",
"Type": "string"
}, {
"Name": "SrcAppId",
"Type": "string"
}, {
"Name": "IpAddr",
"Type": "string"
}, {
"Name": "SrcAppType",
"Type": "string"
}, {
"Name": "SrcZone",
"Type": "string"
}, {
"Name": "SrcInterfaceName",
"Type": "string"
}, {
"Name": "SrcInterfaceGuid",
"Type": "string"
}, {
"Name": "SrcMacAddr",
"Type": "string"
}, {
"Name": "SrcGeoCountry",
"Type": "string"
}, {
"Name": "SrcGeoCity",
"Type": "string"
}, {
"Name": "SrcGeoLatitude",
"Type": "string"
}, {
"Name": "SrcGeoLongitude",
"Type": "string"
}, {
"Name": "NetworkApplicationProtocol",
"Type": "string"
}, {
"Name": "NetworkProtocol",
"Type": "string"
}, {
"Name": "NetworkDirection",
"Type": "string"
}, {
"Name": "NetworkDuration",
"Type": "int"
}, {
"Name": "Duration",
"Type": "int"
}, {
"Name": "NetworkIcmpCode",
"Type": "int"
}, {
"Name": "NetworkIcmpType",
"Type": "string"
}, {
"Name": "DstBytes",
"Type": "int"
}, {
"Name": "SrcBytes",
"Type": "int"
}, {
"Name": "NetworkBytes",
"Type": "int"
}, {
"Name": "DstPackets",
"Type": "int"
}, {
"Name": "SrcPackets",
"Type": "int"
}, {
"Name": "NetworkPackets",
"Type": "int"
}, {
"Name": "NetworkSessionId",
"Type": "string"
}, {
"Name": "SessionId",
"Type": "string"
}, {
"Name": "NetworkConnectionHistory",
"Type": "string"
}, {
"Name": "SrcVlanId",
"Type": "string"
}, {
"Name": "DstVlanId",
"Type": "string"
}, {
"Name": "InnerVlanId",
"Type": "string"
}, {
"Name": "OuterVlanId",
"Type": " string"
}, {
"Name": "DstNatIpAddr",
"Type": "string"
}, {
"Name": "DstNatPortNumber",
"Type": "int"
}, {
"Name": "SrcNatIpAddr",
"Type": "string"
}, {
"Name": "SrcNatPortNumber",
"Type": "int"
}, {
"Name": "DvcInboundInterface",
"Type": "string"
}, {
"Name": "DvcOutboundInterface",
"Type": "string"
}, {
"Name": "NetworkRuleName",
"Type": "string"
}, {
"Name": "NetworkRuleNumber",
"Type": "int"
}, {
"Name": "Rule",
"Type": "string"
}, {
"Name": "DvcAction",
"Type": "string"
}, {
"Name": "DvcOriginalAction",
"Type": "string"
}, {
"Name": "ThreatId",
"Type": "string"
}, {
"Name": "ThreatName",
"Type": "string"
}, {
"Name": "ThreatCategory",
"Type": "string"
}, {
"Name": "ThreatRiskLevel",
"Type": "int"
}, {
"Name": "ThreatRiskLevelOriginal",
"Type": "string"
"Name": "imNetworkSession",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "_ResourceId",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "EventMessage",
"Type": "string"
},
{
"Name": "EventCount",
"Type": "int"
},
{
"Name": "EventStartTime",
"Type": "datetime"
},
{
"Name": "EventEndTime",
"Type": "datetime"
},
{
"Name": "EventType",
"Type": "string"
},
{
"Name": "EventSubType",
"Type": "string"
},
{
"Name": "EventResult",
"Type": "string"
},
{
"Name": "EventResultDetails",
"Type": "string"
},
{
"Name": "EventOriginalResultDetails",
"Type": "string"
},
{
"Name": "EventSeverity",
"Type": "string"
},
{
"Name": "EventOriginalSeverity",
"Type": "string"
},
{
"Name": "EventOriginalUid",
"Type": "string"
},
{
"Name": "EventOriginalType",
"Type": "string"
},
{
"Name": "EventProduct",
"Type": "string"
},
{
"Name": "EventProductVersion",
"Type": "string"
},
{
"Name": "EventVendor",
"Type": "string"
},
{
"Name": "EventSchema",
"Type": "string"
},
{
"Name": "EventSchemaVersion",
"Type": "string"
},
{
"Name": "EventReportUrl",
"Type": "string"
},
{
"Name": "Dvc",
"Type": "string"
},
{
"Name": "DvcIpAddr",
"Type": "string"
},
{
"Name": "DvcHostname",
"Type": "string"
},
{
"Name": "DvcDomain",
"Type": "string"
},
{
"Name": "DvcDomainType",
"Type": "string"
},
{
"Name": "DvcFQDN",
"Type": "string"
},
{
"Name": "DvcId",
"Type": "string"
},
{
"Name": "DvcIdType",
"Type": "string"
},
{
"Name": "DvcMacAddr",
"Type": "string"
},
{
"Name": "DvcZone",
"Type": "string"
},
{
"Name": "Dst",
"Type": "string"
},
{
"Name": "DstIpAddr",
"Type": "string"
},
{
"Name": "DstPortNumber",
"Type": "int"
},
{
"Name": "DstHostname",
"Type": "string"
},
{
"Name": "Hostname",
"Type": "string"
},
{
"Name": "DstDomain",
"Type": "string"
},
{
"Name": "DstDomainType",
"Type": "string"
},
{
"Name": "DstFQDN",
"Type": "string"
},
{
"Name": "DstDvcId",
"Type": "string"
},
{
"Name": "DstDvcIdType",
"Type": "string"
},
{
"Name": "DstDeviceType",
"Type": "string"
},
{
"Name": "DstUserId",
"Type": "string"
},
{
"Name": "DstUserIdType",
"Type": "string"
},
{
"Name": "DstUsername",
"Type": "string"
},
{
"Name": "User",
"Type": "string"
},
{
"Name": "DstUsernameType",
"Type": "string"
},
{
"Name": "DstUserType",
"Type": "string"
},
{
"Name": "DstOriginalUserType",
"Type": "string"
},
{
"Name": "DstUserDomain",
"Type": "string"
},
{
"Name": "DstAppName",
"Type": "string"
},
{
"Name": "DstAppId",
"Type": "string"
},
{
"Name": "DstAppType",
"Type": "string"
},
{
"Name": "DstZone",
"Type": "string"
},
{
"Name": "DstInterfaceName",
"Type": "string"
},
{
"Name": "DstInterfaceGuid",
"Type": "string"
},
{
"Name": "DstMacAddr",
"Type": "string"
},
{
"Name": "DstGeoCountry",
"Type": "string"
},
{
"Name": "DstGeoCity",
"Type": "string"
},
{
"Name": "DstGeoLatitude",
"Type": "string"
},
{
"Name": "DstGeoLongitude",
"Type": "string"
},
{
"Name": "Src",
"Type": "string"
},
{
"Name": "SrcIpAddr",
"Type": "string"
},
{
"Name": "SrcPortNumber",
"Type": "int"
},
{
"Name": "SrcHostname",
"Type": "string"
},
{
"Name": "SrcDomain",
"Type": "string"
},
{
"Name": "SrcDomainType",
"Type": "string"
},
{
"Name": "SrcFQDN",
"Type": "string"
},
{
"Name": "SrcDvcId",
"Type": "string"
},
{
"Name": "SrcDvcIdType",
"Type": "string"
},
{
"Name": "SrcDeviceType",
"Type": "string"
},
{
"Name": "SrcUserId",
"Type": "string"
},
{
"Name": "SrcUserIdType",
"Type": "string"
},
{
"Name": "SrcUsername",
"Type": "string"
},
{
"Name": "SrcUsernameType",
"Type": "string"
},
{
"Name": "SrcUserType",
"Type": "string"
},
{
"Name": "SrcOriginalUserType",
"Type": "string"
},
{
"Name": "SrcUserDomain",
"Type": "string"
},
{
"Name": "SrcAppName",
"Type": "string"
},
{
"Name": "SrcAppId",
"Type": "string"
},
{
"Name": "IpAddr",
"Type": "string"
},
{
"Name": "SrcAppType",
"Type": "string"
},
{
"Name": "SrcZone",
"Type": "string"
},
{
"Name": "SrcInterfaceName",
"Type": "string"
},
{
"Name": "SrcInterfaceGuid",
"Type": "string"
},
{
"Name": "SrcMacAddr",
"Type": "string"
},
{
"Name": "SrcGeoCountry",
"Type": "string"
},
{
"Name": "SrcGeoCity",
"Type": "string"
},
{
"Name": "SrcGeoLatitude",
"Type": "string"
},
{
"Name": "SrcGeoLongitude",
"Type": "string"
},
{
"Name": "NetworkApplicationProtocol",
"Type": "string"
},
{
"Name": "NetworkProtocol",
"Type": "string"
},
{
"Name": "NetworkDirection",
"Type": "string"
},
{
"Name": "NetworkDuration",
"Type": "int"
},
{
"Name": "Duration",
"Type": "int"
},
{
"Name": "NetworkIcmpCode",
"Type": "int"
},
{
"Name": "NetworkIcmpType",
"Type": "string"
},
{
"Name": "DstBytes",
"Type": "int"
},
{
"Name": "SrcBytes",
"Type": "int"
},
{
"Name": "NetworkBytes",
"Type": "int"
},
{
"Name": "DstPackets",
"Type": "int"
},
{
"Name": "SrcPackets",
"Type": "int"
},
{
"Name": "NetworkPackets",
"Type": "int"
},
{
"Name": "NetworkSessionId",
"Type": "string"
},
{
"Name": "SessionId",
"Type": "string"
},
{
"Name": "NetworkConnectionHistory",
"Type": "string"
},
{
"Name": "SrcVlanId",
"Type": "string"
},
{
"Name": "DstVlanId",
"Type": "string"
},
{
"Name": "InnerVlanId",
"Type": "string"
},
{
"Name": "OuterVlanId",
"Type": " string"
},
{
"Name": "DstNatIpAddr",
"Type": "string"
},
{
"Name": "DstNatPortNumber",
"Type": "int"
},
{
"Name": "SrcNatIpAddr",
"Type": "string"
},
{
"Name": "SrcNatPortNumber",
"Type": "int"
},
{
"Name": "DvcInboundInterface",
"Type": "string"
},
{
"Name": "DvcOutboundInterface",
"Type": "string"
},
{
"Name": "NetworkRuleName",
"Type": "string"
},
{
"Name": "NetworkRuleNumber",
"Type": "int"
},
{
"Name": "Rule",
"Type": "string"
},
{
"Name": "DvcAction",
"Type": "string"
},
{
"Name": "DvcOriginalAction",
"Type": "string"
},
{
"Name": "ThreatId",
"Type": "string"
},
{
"Name": "ThreatName",
"Type": "string"
},
{
"Name": "ThreatCategory",
"Type": "string"
},
{
"Name": "ThreatRiskLevel",
"Type": "int"
},
{
"Name": "ThreatRiskLevelOriginal",
"Type": "string"
}
]
}
]
}

2
.script/tests/KqlvalidationsTests/CustomTables/imWebSession.json
Просмотреть файл

@ -1,5 +1,5 @@
{
"Name": "imNetworkSession",
"Name": "imWebSession",
"Properties": [{
"Name": "TimeGenerated",
"Type": "datetime"

9
.script/tests/KqlvalidationsTests/CustomTablesSchemasLoader.cs
Просмотреть файл

@ -1,19 +1,22 @@
using Microsoft.Azure.Sentinel.KustoServices.Contract;
using Newtonsoft.Json;
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;
namespace Kqlvalidations.Tests
{
public class CustomTablesSchemasLoader : ITableSchemasLoader
{
private readonly List<TableSchema> _tableSchemas;
private const int TestFolderDepth = 3;
public CustomTablesSchemasLoader()
{
_tableSchemas = new List<TableSchema>();
var jsonFiles = Directory.GetFiles(DetectionsYamlFilesTestData.GetCustomTablesPath(), "*.json");
var jsonFilePath = Path.Combine(Utils.GetTestDirectory(TestFolderDepth), "CustomTables");
var jsonFiles = Directory.GetFiles(jsonFilePath, "*.json");
foreach (var jsonFile in jsonFiles)
{
var tableSchema = ReadTableSchema(jsonFile);

76
.script/tests/KqlvalidationsTests/DetectionsYamlFilesTestData.cs
Просмотреть файл

@ -1,76 +0,0 @@
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Reflection;
using System.Text;
namespace Kqlvalidations.Tests
{
public class DetectionsYamlFilesTestData : TheoryData<string>
{
public DetectionsYamlFilesTestData()
{
List<string> detectionPaths = GetDetectionPaths();
var files = GetDetectionFiles(detectionPaths);
files.ForEach(f => AddData(Path.GetFileName(f)));
}
public static List<string> GetDetectionPaths()
{
List<string> dirPaths = new List<string>() { "Detections", "Solutions"};
var rootDir = Directory.CreateDirectory(GetAssemblyDirectory());
var testFolderDepth = 6;
List<string> detectionPaths = new List<string>();
for (int i = 0; i < testFolderDepth; i++)
{
rootDir = rootDir.Parent;
}
foreach (var dirName in dirPaths)
{
detectionPaths.Add(Path.Combine(rootDir.FullName, dirName));
}
return detectionPaths;
}
public static string GetCustomTablesPath()
{
var rootDir = Directory.CreateDirectory(GetAssemblyDirectory());
var testFolderDepth = 3;
for (int i = 0; i < testFolderDepth; i++)
{
rootDir = rootDir.Parent;
}
var detectionPath = Path.Combine(rootDir.FullName, "CustomTables");
return detectionPath;
}
public static string GetSkipTemplatesPath()
{
var rootDir = Directory.CreateDirectory(GetAssemblyDirectory());
var testFolderDepth = 3;
for (int i = 0; i < testFolderDepth; i++)
{
rootDir = rootDir.Parent;
}
return rootDir.FullName;
}
private static string GetAssemblyDirectory()
{
string codeBase = Assembly.GetExecutingAssembly().CodeBase;
UriBuilder uri = new UriBuilder(codeBase);
string path = Uri.UnescapeDataString(uri.Path);
return Path.GetDirectoryName(path);
}
private static List<string> GetDetectionFiles(List<string> detectionPaths)
{
var files = Directory.GetFiles(detectionPaths[0], "*.yaml", SearchOption.AllDirectories).ToList();
files.AddRange(Directory.GetFiles(detectionPaths[1], "*.yaml", SearchOption.AllDirectories).ToList().Where(s => s.Contains("Analytic Rules")));
return files;
}
}
}

104
.script/tests/KqlvalidationsTests/KqlValidationTests.cs
Просмотреть файл

@ -1,7 +1,5 @@
using Microsoft.Azure.Sentinel.KustoServices.Contract;
using Newtonsoft.Json;
using System;
using System.Collections.Generic;
using System.Collections.Generic;
using Microsoft.Azure.Sentinel.KustoServices.Contract;
using System.IO;
using System.Linq;
using System.Text.RegularExpressions;
@ -13,7 +11,6 @@ namespace Kqlvalidations.Tests
public class KqlValidationTests
{
private readonly IKqlQueryAnalyzer _queryValidator;
private static readonly List<string> DetectionPaths = DetectionsYamlFilesTestData.GetDetectionPaths();
public KqlValidationTests()
{
_queryValidator = new KqlQueryAnalyzerBuilder()
@ -22,16 +19,14 @@ namespace Kqlvalidations.Tests
.Build();
}
// We pass File name to test because in the result file we want to show an informative name for the test
[Theory]
[ClassData(typeof(DetectionsYamlFilesTestData))]
public void Validate_DetectionQueries_HaveValidKql(string detectionsYamlFileName)
public void Validate_DetectionQueries_HaveValidKql(string fileName, string encodedFilePath)
{
var detectionsYamlFile = getDetectionsYamlFile(detectionsYamlFileName);
var yaml = File.ReadAllText(detectionsYamlFile);
var deserializer = new DeserializerBuilder().Build();
var res = deserializer.Deserialize<dynamic>(yaml);
string queryStr = res["query"];
string id = res["id"];
var res = ReadAndDeserializeYaml(encodedFilePath);
var queryStr = (string) res["query"];
var id = (string) res["id"];
//we ignore known issues
if (ShouldSkipTemplateValidation(id))
@ -39,41 +34,61 @@ namespace Kqlvalidations.Tests
return;
}
ValidateKql(id, queryStr);
}
// We pass File name to test because in the result file we want to show an informative name for the test
[Theory]
[ClassData(typeof(DetectionsYamlFilesTestData))]
public void Validate_DetectionQueries_SkippedTemplatesDoNotHaveValidKql(string fileName, string encodedFilePath)
{
var res = ReadAndDeserializeYaml(encodedFilePath);
var queryStr = (string) res["query"];
var id = (string) res["id"];
//Templates that are in the skipped templates should not pass the validation (if they pass, why skip?)
if (ShouldSkipTemplateValidation(id))
{
var validationRes = _queryValidator.ValidateSyntax(queryStr);
Assert.False(validationRes.IsValid, $"Template Id:{id} is valid but it is in the skipped validation templates. Please remove it from the templates that are skipped since it is valid.");
}
}
// // We pass File name to test because in the result file we want to show an informative name for the test
// [Theory]
// [ClassData(typeof(InsightsYamlFilesTestData))]
// public void Validate_InsightsQueries_HaveValidKqlBaseQuery(string fileName, string encodedFilePath)
// {
// var res = ReadAndDeserializeYaml(encodedFilePath);
// var queryStr = (string) res["BaseQuery"];
//
// ValidateKql(fileProp.FileName, queryStr);
// }
private void ValidateKql(string id, string queryStr)
{
var validationRes = _queryValidator.ValidateSyntax(queryStr);
var firstErrorLocation = (Line: 0, Col: 0);
if (!validationRes.IsValid)
{
firstErrorLocation = GetLocationInQuery(queryStr, validationRes.Diagnostics.First(d => d.Severity == "Error").Start);
}
Assert.True(validationRes.IsValid, validationRes.IsValid ? string.Empty : $"Template Id:{id} is not valid in Line:{firstErrorLocation.Line} col:{firstErrorLocation.Col} Errors:{validationRes.Diagnostics.Select(d => d.ToString()).ToList().Aggregate((s1, s2) => s1 + "," + s2)}");
Assert.True(validationRes.IsValid,
validationRes.IsValid
? string.Empty
: @$"Template Id: {id} is not valid in Line: {firstErrorLocation.Line} col: {firstErrorLocation.Col}
Errors: {validationRes.Diagnostics.Select(d => d.ToString()).ToList().Aggregate((s1, s2) => s1 + "," + s2)}");
}
[Theory]
[ClassData(typeof(DetectionsYamlFilesTestData))]
public void Validate_DetectionQueries_SkippedTemplatesDoNotHaveValidKql(string detectionsYamlFileName)
private Dictionary<object, object> ReadAndDeserializeYaml(string encodedFilePath)
{
var detectionsYamlFile = getDetectionsYamlFile(detectionsYamlFileName);
var yaml = File.ReadAllText(detectionsYamlFile);
var yaml = File.ReadAllText(Utils.DecodeBase64(encodedFilePath));
var deserializer = new DeserializerBuilder().Build();
var res = deserializer.Deserialize<dynamic>(yaml);
string queryStr = res["query"];
string id = res["id"];
//Templates that are in the skipped templates should not pass the validateion (if they pass, why skip?)
if (ShouldSkipTemplateValidation(id))
{
var validationRes = _queryValidator.ValidateSyntax(queryStr);
Assert.False(validationRes.IsValid, $"Template Id:{id} is valid but it is in the skipped validation templates. Please remove it from the templates that are skipped since it is valid.");
}
else
{
return;
}
return deserializer.Deserialize<dynamic>(yaml);
}
private bool ShouldSkipTemplateValidation(string templateId)
{
return TemplatesToSkipValidationReader.WhiteListTemplates
@ -97,23 +112,6 @@ namespace Kqlvalidations.Tests
var col = (pos - curPos + 1);
return (curlineIndex + 1, col);
}
/// <summary>
///Get detection yaml file from Detection or solution analytics rule folder
/// </summary>
/// <param name="detectionsYamlFileName">Detections Yaml File Name</param>
/// <returns>detections yaml file path</returns>
private string getDetectionsYamlFile(string detectionsYamlFileName)
{
try
{
return Directory.GetFiles(DetectionPaths[0], detectionsYamlFileName, SearchOption.AllDirectories).Single();
}
catch
{
return Directory.GetFiles(DetectionPaths[1], detectionsYamlFileName, SearchOption.AllDirectories).Where(s => s.Contains("Analytic Rules")).Single();
}
}
}
}

24
.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json
Просмотреть файл

@ -112,11 +112,33 @@
{
"id": "4902eddb-34f7-44a8-ac94-8486366e9494",
"templateName": "ExcessiveDenyFromSource.yaml",
"validationFailReason": "The name 'imWebSession' does not refer to any known function"
"validationFailReason": "The name 'imNetworkSession' does not refer to any known function"
},
{
"id": "3f0c20d5-6228-48ef-92f3-9ff7822c1954",
"templateName": "UnusualUAHackTool.yaml",
"validationFailReason": "The name 'imWebSession' does not refer to any known function"
},
{
"id": "fcb9d75c-c3c1-4910-8697-f136bfef2363",
"templateName": "PossibleBeaconingActivity.yaml",
"validationFailReason": "The name 'imNetworkSession' does not refer to any known function."
},
// Commenting out for now as the imDNS has been commented out in the referenced query since it was causing customer query failures.
// Once ASIM is fully deployed to all customer environments, this will likely solve the overall issues.
//{
// "id": "6e575295-a7e6-464c-8192-3e1d8fd6a990",
// "templateName": "Log4J_IPIOC_Dec112021.yaml",
// "validationFailReason": "The name 'imDns' does not refer to any known function."
//},
{
"id": "b39e6482-ab7e-4817-813d-ec910b64b26e",
"templateName": "HighlySensitivePasswordAccessed.yaml",
"validationFailReason": "The name '_GetWatchlist' does not refer to any known function."
},
{
"id": "29283b22-a1c0-4d16-b0a9-3460b655a46a",
"templateName": "UserAgentSearch_log4j.yaml",
"validationFailReason": "The name 'imWebSession' does not refer to any known function"
}
]

3
.script/tests/KqlvalidationsTests/TemplatesToSkipValidationReader.cs
Просмотреть файл

@ -15,10 +15,11 @@ namespace Kqlvalidations.Tests
public static class TemplatesToSkipValidationReader
{
private const string SKipJsonFileName = "SkipValidationsTemplates.json";
private const int TestFolderDepth = 3;
static TemplatesToSkipValidationReader()
{
var jsonFilePath = Path.Combine(DetectionsYamlFilesTestData.GetSkipTemplatesPath(), SKipJsonFileName);
var jsonFilePath = Path.Combine(Utils.GetTestDirectory(TestFolderDepth), SKipJsonFileName);
using (StreamReader r = new StreamReader(jsonFilePath))
{
string json = r.ReadToEnd();

37
.script/tests/KqlvalidationsTests/Utils.cs Normal file
Просмотреть файл

@ -0,0 +1,37 @@
using System;
using System.IO;
using System.Reflection;
namespace Kqlvalidations.Tests
{
public static class Utils
{
public static string GetTestDirectory(int testFolderDepth)
{
var rootDir = Directory.CreateDirectory(GetAssemblyDirectory());
for (int i = 0; i < testFolderDepth; i++)
{
rootDir = rootDir.Parent;
}
return rootDir.FullName;
}
public static string EncodeToBase64(string plainText) {
var plainTextBytes = System.Text.Encoding.UTF8.GetBytes(plainText);
return Convert.ToBase64String(plainTextBytes);
}
public static string DecodeBase64(string base64EncodedData) {
var base64EncodedBytes = Convert.FromBase64String(base64EncodedData);
return System.Text.Encoding.UTF8.GetString(base64EncodedBytes);
}
private static string GetAssemblyDirectory()
{
string codeBase = Assembly.GetExecutingAssembly().CodeBase;
UriBuilder uri = new UriBuilder(codeBase);
string path = Uri.UnescapeDataString(uri.Path);
return Path.GetDirectoryName(path);
}
}
}

19
.script/tests/KqlvalidationsTests/YamlFilesTestData/DetectionsYamlFilesLoader.cs Normal file
Просмотреть файл

@ -0,0 +1,19 @@
using System.Collections.Generic;
using System.IO;
using System.Linq;
namespace Kqlvalidations.Tests
{
public class DetectionsYamlFilesLoader : YamlFilesLoader
{
protected override List<string> GetDirectoryPaths()
{
var basePath = Utils.GetTestDirectory(TestFolderDepth);
var detectionsDir = new List<string> { Path.Combine(basePath, "Detections")};
var solutionDirectories = Path.Combine(basePath, "Solutions");
var analyticsRulesDir = Directory.GetDirectories(solutionDirectories, "Analytic Rules", SearchOption.AllDirectories);
return analyticsRulesDir.Concat(detectionsDir).ToList();
}
}
}

9
.script/tests/KqlvalidationsTests/YamlFilesTestData/DetectionsYamlFilesTestData.cs Normal file
Просмотреть файл

@ -0,0 +1,9 @@
namespace Kqlvalidations.Tests
{
public class DetectionsYamlFilesTestData : YamlFilesTestData
{
public DetectionsYamlFilesTestData() : base(new DetectionsYamlFilesLoader())
{
}
}
}

13
.script/tests/KqlvalidationsTests/YamlFilesTestData/InsightsYamlFilesLoader.cs Normal file
Просмотреть файл

@ -0,0 +1,13 @@
using System.Collections.Generic;
using System.IO;
namespace Kqlvalidations.Tests
{
public class InsightsYamlFilesLoader : YamlFilesLoader
{
protected override List<string> GetDirectoryPaths()
{
return new List<string> { Path.Combine(Utils.GetTestDirectory(TestFolderDepth), "Insights")};
}
}
}

11
.script/tests/KqlvalidationsTests/YamlFilesTestData/InsightsYamlFilesTestData.cs Normal file
Просмотреть файл

@ -0,0 +1,11 @@
using System.IO;
namespace Kqlvalidations.Tests
{
public class InsightsYamlFilesTestData : YamlFilesTestData
{
public InsightsYamlFilesTestData() : base(new InsightsYamlFilesLoader())
{
}
}
}

23
.script/tests/KqlvalidationsTests/YamlFilesTestData/YamlFilesLoader.cs Normal file
Просмотреть файл

@ -0,0 +1,23 @@
using System.Collections.Generic;
using System.IO;
using System.Linq;
namespace Kqlvalidations.Tests
{
public abstract class YamlFilesLoader
{
protected const int TestFolderDepth = 6;
protected abstract List<string> GetDirectoryPaths();
public List<string> GetFilesNames()
{
var directoryPaths = GetDirectoryPaths();
return directoryPaths.Aggregate(new List<string>(), (accumulator, directoryPath) =>
{
var files = Directory.GetFiles(directoryPath, "*.yaml", SearchOption.AllDirectories).ToList();
return accumulator.Concat(files).ToList();
});
}
}
}

17
.script/tests/KqlvalidationsTests/YamlFilesTestData/YamlFilesTestData.cs Normal file
Просмотреть файл

@ -0,0 +1,17 @@
using System.IO;
namespace Kqlvalidations.Tests
{
public class YamlFilesTestData : TheoryData<string, string>
{
public YamlFilesTestData(YamlFilesLoader yamlFilesLoader)
{
var files = yamlFilesLoader.GetFilesNames();
files.ForEach(filePath =>
{
var fileName = Path.GetFileName(filePath);
Add(fileName, Utils.EncodeToBase64(filePath));
});
}
}
}

4
.script/tests/detectionTemplateSchemaValidation/Models/AttackTactic.cs
Просмотреть файл

@ -14,6 +14,10 @@
Exfiltration,
CommandAndControl,
Impact,
Reconnaissance,
ResourceDevelopment,
ImpairProcessControl,
InhibitResponseFunction,
PreAttack
}
}

5
.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
Просмотреть файл

@ -64,12 +64,14 @@
"ForgeRock",
"Fortinet",
"GWorkspaceRAPI",
"ImpervaWAFCloudAPI",
"ImpervaWAFGateway",
"ImportedConnector",
"InfobloxCloudDataConnector",
"InfobloxNIOS",
"IoT",
"JuniperSRX",
"LastPass",
"LookoutAPI",
"McAfeeePO",
"MicrosoftAzurePurview",
@ -132,5 +134,6 @@
"WindowsSecurityEvents",
"IronNetIronDefense",
"GCPIAMDataConnector",
"Illusive"
"Illusive",
"NGINXHTTPServer"
]

2
CODEOWNERS
Просмотреть файл

@ -7,7 +7,7 @@
# This is copied from here: https://help.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners
/Playbooks/ @dicolanl @Yaniv-Shasha @sarah-yo @sreedharande
/Playbooks/ @dicolanl @Yaniv-Shasha @sarah-yo @sreedharande @lior-tamir
/Workbooks/ @Liatlishams
/Solutions/HoneyTokens @haneuvir
/Solutions/SAP @udidekel @tamirkopitz

6
DataConnectors/CEF/cef_AMA_installer.py
Просмотреть файл

@ -260,7 +260,7 @@ def is_syslog_ng():
def set_syslog_ng_configuration():
'''
syslog ng has a default configuration, which enables the incoming ports and defines that
syslog-ng has a default configuration, which enables the incoming ports and defines that
the source pipe to the daemon will verify it is configured correctly.
'''
comment_line = False
@ -287,11 +287,11 @@ def set_syslog_ng_configuration():
o, e = write_new_content.communicate()
if e is not None:
handle_error(e,
error_response_str="Error: could not change Rsyslog.conf configuration in -" + syslog_ng_conf_path)
error_response_str="Error: could not change syslog-ng.conf configuration in -" + syslog_ng_conf_path)
return False
if not snet_found:
append_content_to_file(line=syslog_ng_source_content, file_path=syslog_ng_conf_path)
print_ok("Rsyslog.conf configuration was changed to fit required protocol - " + syslog_ng_conf_path)
print_ok("syslog-ng.conf configuration was changed to fit required protocol - " + syslog_ng_conf_path)
return True

4
DataConnectors/MCASActivityFunction/AzureFunctionMCASActivity/.funcignore
Просмотреть файл

@ -1,4 +0,0 @@
.git*
.vscode
local.settings.json
test

6
DataConnectors/MCASActivityFunction/AzureFunctionMCASActivity/.gitignore поставляемый
Просмотреть файл

@ -1,6 +0,0 @@
# Azure Functions artifacts
bin
obj
appsettings.json
local.settings.json

Двоичные данные
DataConnectors/MCASActivityFunction/AzureFunctionMCASActivity/MCASActivityTimerTrigger.zip
Просмотреть файл

Двоичный файл не отображается.

2
DataConnectors/MCASActivityFunction/AzureFunctionMCASActivity/MCASActivityTimerTrigger/function.json
Просмотреть файл

@ -4,7 +4,7 @@
"name": "Timer",
"type": "timerTrigger",
"direction": "in",
"schedule": "0 */5 * * * *"
"schedule": "%Schedule%"
}
]
}

11
DataConnectors/MCASActivityFunction/AzureFunctionMCASActivity/MCASActivityTimerTrigger/readme.md
Просмотреть файл

@ -1,11 +0,0 @@
# TimerTrigger - PowerShell
The `TimerTrigger` makes it incredibly easy to have your functions executed on a schedule. This sample demonstrates a simple use case of calling your function every 5 minutes.
## How it works
For a `TimerTrigger` to work, you provide a schedule in the form of a [cron expression](https://en.wikipedia.org/wiki/Cron#CRON_expression)(See the link for full details). A cron expression is a string with 6 separate expressions which represent a given schedule via patterns. The pattern we use to represent every 5 minutes is `0 */5 * * * *`. This, in plain text, means: "When seconds is equal to 0, minutes is divisible by 5, for any hour, day of the month, month, day of the week, or year".
## Learn more
<TODO> Documentation

62
DataConnectors/MCASActivityFunction/AzureFunctionMCASActivity/MCASActivityTimerTrigger/run.ps1
Просмотреть файл

@ -3,13 +3,15 @@
Language: PowerShell
Version: 1.0
Author: Nicholas DiCola
Last Modified: 05/12/2021
Modified By: Sreedhar Ande
Last Modified: 12/16/2021
DESCRIPTION
This Function App calls the MCAS Activity REST API (https://docs.microsoft.com/cloud-app-security/api-activities) to pull the MCAS
Activity logs. The response from the MCAS API is recieved in JSON format. This function will build the signature and authorization header
needed to post the data to the Log Analytics workspace via the HTTP Data Connector API. The Function App will post the data to MCASActivity_CL.
#>
# Input bindings are passed in via param block.
param($Timer)
@ -29,8 +31,6 @@ if ($env:MSI_SECRET -and (Get-Module -ListAvailable Az.Accounts)){
Connect-AzAccount -Identity
}
#Wait-Debugger
$AzureWebJobsStorage = $env:AzureWebJobsStorage
$MCASAPIToken = $env:MCASAPIToken
$workspaceId = $env:WorkspaceId
@ -38,8 +38,8 @@ $workspaceKey = $env:WorkspaceKey
$Lookback = $env:Lookback
$MCASURL = $env:MCASURL
$LAURI = $env:LAURI
$storageAccountContainer = "mcasactivity-logs"
$fileName = "lastrun-MCAS.json"
$TblLastRunExecutions = "MCASLastRunLogs"
$StartTime = (get-date).ToUniversalTime()
$currentStartTime = $StartTime | get-date -Format yyyy-MM-ddTHH:mm:ss:ffffffZ
@ -202,33 +202,28 @@ $headers = @{
}
$EndEpoch = ([int64]((Get-Date -Date $StartTime) - (get-date "1/1/1970")).TotalMilliseconds)
#check for last run file
# Retrieve Timestamp from last executions
# Check if Table has already been created and if not create it to maintain state between executions of Function
$storageAccountContext = New-AzStorageContext -ConnectionString $AzureWebJobsStorage
$checkBlob = Get-AzStorageBlob -Blob $fileName -Container $storageAccountContainer -Context $storageAccountContext
if($checkBlob -ne $null){
#Blob found get data
Get-AzStorageBlobContent -Blob $fileName -Container $storageAccountContainer -Context $storageAccountContext -Destination "$env:temp\$fileName" -Force
$lastRunContext = Get-Content "$env:temp\$fileName" | ConvertFrom-Json
$StartEpoch = $lastRunContext.lastRunEpoch
$lastRunContext.lastRunEpoch = $EndEpoch
$lastRunContext | ConvertTo-Json | out-file "$env:temp\$fileName"
$LastExecutionsTable = Get-AzStorageTable -Name $TblLastRunExecutions -Context $storageAccountContext -ErrorAction Ignore
if($null -eq $LastExecutionsTable.Name) {
New-AzStorageTable -Name $TblLastRunExecutions -Context $storageAccountContext
$LastRunExecutionsTable = (Get-AzStorageTable -Name $TblLastRunExecutions -Context $storageAccountContext.Context).cloudTable
Add-AzTableRow -table $LastRunExecutionsTable -PartitionKey "MCASExecutions" -RowKey $workspaceId -property @{"lastRun"="$CurrentStartTime";"lastRunEpoch"="$EndEpoch"} -UpdateExisting
}
Else {
$LastRunExecutionsTable = (Get-AzStorageTable -Name $TblLastRunExecutions -Context $storageAccountContext.Context).cloudTable
}
# retrieve the row
$LastRunExecutionsTableRow = Get-AzTableRow -table $LastRunExecutionsTable -partitionKey "MCASExecutions" -RowKey $workspaceId -ErrorAction Ignore
if($null -ne $LastRunExecutionsTableRow.lastRunEpoch){
$StartEpoch = $LastRunExecutionsTableRow.lastRunEpoch
}
else {
#no blob create the context
#$StartEpoch = ([int64]((Get-Date -Date $StartTime).AddMinutes(-$Lookback) - (get-date "1/1/1970")).TotalMilliseconds)
$StartEpoch = ([int64]((Get-Date -Date $StartTime).AddDays(-$Lookback) - (get-date "1/1/1970")).TotalMilliseconds)
$lastRunContent = @"
{
"lastRun": "$CurrentStartTime",
"lastRunEpoch": $EndEpoch
}
"@
$lastRunContent | Out-File "$env:temp\$fileName"
$lastRunContext = $lastRunContent | ConvertFrom-Json
}
#Build query
$body = @"
@ -246,7 +241,6 @@ $body = @"
"@
#Get the Activities
Write-Host "Starting to process Tenant: $MCASURL"
$uri = $MCASURL+"/api/v1/activities/"
@ -275,7 +269,7 @@ do {
Write-Host "Got some results: "($results.data.Count)
$totalRecords += ($results.data.Count)
Write-Host $totalRecords
#SendToLogA -Data ($results.data) -customLogName "MCASActivity"
SendToLogA -Data ($results.data) -customLogName "MCASActivity"
}
else{
Write-Host "No new logs"
@ -285,7 +279,7 @@ do {
if($loopAgain -ne $false){
# if there is more data update the query
$newBody = $body | ConvertFrom-Json
If($newBody.filters.date.lte -eq $null){
If($null -eq $newBody.filters.date.lte){
$newBody.filters.date | Add-Member -Name lte -Value ($results.nextQueryFilters.date.lte) -MemberType NoteProperty
}
else {
@ -295,10 +289,6 @@ do {
Write-Host $body
}
else {
# no more data write last run to az storage
Set-AzStorageBlobContent -Blob $fileName -Container $storageAccountContainer -Context $storageAccountContext -File "$env:temp\$fileName" -Force
Add-AzTableRow -table $LastRunExecutionsTable -PartitionKey "MCASExecutions" -RowKey $workspaceId -property @{"lastRun"="$CurrentStartTime";"lastRunEpoch"="$EndEpoch"} -UpdateExisting
}
} until ($loopAgain -eq $false)
#clear the temp folder
Remove-Item $env:temp\* -Recurse -Force -ErrorAction SilentlyContinue
} until ($loopAgain -eq $false)

0
DataConnectors/MCASActivityFunction/AzureFunctionMCASActivity/MCASActivityTimerTrigger/sample.dat
Просмотреть файл

1
DataConnectors/MCASActivityFunction/AzureFunctionMCASActivity/host.json
Просмотреть файл

@ -1,5 +1,6 @@
{
"version": "2.0",
"functionTimeout": "00:10:00",
"logging": {
"applicationInsights": {
"samplingSettings": {

4
DataConnectors/MCASActivityFunction/AzureFunctionMCASActivity/proxies.json
Просмотреть файл

@ -1,4 +0,0 @@
{
"$schema": "http://json.schemastore.org/proxies",
"proxies": {}
}

9
DataConnectors/MCASActivityFunction/CHANGELOG.MD
Просмотреть файл

@ -1,3 +1,10 @@
## 1.0
- Converted MCAS Acitivyt Data connector from Logic Apps to Azure Function
- Splitting the data if it is more than 25MB
- Splitting the data if it is more than 25MB
## 2.0
- Function Schedule (CRON Expression) as parameter
- Updated StorageAccountName and KeyVaultName
- Updated Path for Function Package
- Deleted the usage of Storage Account to write last run executions
- Writing Last Run executions to Azure Storage Table

4
DataConnectors/MCASActivityFunction/Function Dependencies/lastrun-MCAS.json
Просмотреть файл

@ -1,4 +0,0 @@
{
"lastRun": "",
"lastRunEpoch": 0
}

6
DataConnectors/MCASActivityFunction/azuredeploy.json
Просмотреть файл

@ -50,8 +50,8 @@
},
"variables": {
"FunctionName": "[concat(toLower(parameters('FunctionName')),'-fn', uniqueString(resourceGroup().id, subscription().id))]",
"StorageAccountName": "[concat(substring(variables('FunctionName'), 0, 7), '-sa-', uniqueString(resourceGroup().id, subscription().id))]",
"KeyVaultName": "[concat(substring(variables('FunctionName'), 0, 7), '-kv-', uniqueString(resourceGroup().id, subscription().id))]",
"StorageAccountName": "[substring(concat(substring(variables('FunctionName'), 0, 7), 'sa', uniqueString(resourceGroup().id, subscription().id)), 0, 20)]",
"KeyVaultName": "[substring(concat(substring(variables('FunctionName'), 0, 7), 'kv', uniqueString(resourceGroup().id, subscription().id)), 0, 20)]",
"MCASAPIToken": "MCASAPIToken",
"LogAnalyticsWorkspaceKey": "LogAnalyticsWorkspaceKey",
"StorageContainerName": "mcasactivity-logs",
@ -207,7 +207,7 @@
"Lookback": "[parameters('Lookback')]",
"MCASURL": "[parameters('MCASURL')]",
"LAURI": "[variables('LogAnaltyicsUri')]",
"WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/mcasactivityazurefunctionzip"
"WEBSITE_RUN_FROM_PACKAGE": "https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/MCASActivityFunction/AzureFunctionMCASActivity/MCASActivityTimerTrigger.zip?raw=true"
}
}
]

8
DataConnectors/MCASActivityFunction/readme.md
Просмотреть файл

@ -32,9 +32,7 @@ A MCAS API Token is required. See the documentation to learn more about the [API
```
## Post Deployment Steps
1. There is a json file (lastrun-MCAS.json) in Function Dependencies folder
2. Upload the file to the storage account "mcasactivity-logs" container from
4. API Token and Workspace Key will be placed as "Secrets" in the Azure KeyVault `<<Function App Name>><<uniqueid>>` with only Azure Function access policy. If you want to see/update these secrets,
1. API Token and Workspace Key will be placed as "Secrets" in the Azure KeyVault `<<Function App Name>><<uniqueid>>` with only Azure Function access policy. If you want to see/update these secrets,
```
a. Go to Azure KeyVault `<<Function App Name>><<uniqueid>>`
@ -48,7 +46,7 @@ A MCAS API Token is required. See the documentation to learn more about the [API
```
6. The `TimerTrigger` makes it incredibly easy to have your functions executed on a schedule. This sample demonstrates a simple use case of calling your function based on your schedule provided while deploying. If you want to change
2. The `TimerTrigger` makes it incredibly easy to have your functions executed on a schedule. This sample demonstrates a simple use case of calling your function based on your schedule provided while deploying. If you want to change
the schedule
```
a. Click on Function App "Configuration" under Settings
@ -57,7 +55,7 @@ A MCAS API Token is required. See the documentation to learn more about the [API
```
**Note: For a `TimerTrigger` to work, you provide a schedule in the form of a [cron expression](https://en.wikipedia.org/wiki/Cron#CRON_expression)(See the link for full details). A cron expression is a string with 6 separate expressions which represent a given schedule via patterns. The pattern we use to represent every 5 minutes is `0 */5 * * * *`. This, in plain text, means: "When seconds is equal to 0, minutes is divisible by 5, for any hour, day of the month, month, day of the week, or year".**
7. If you change the TimerTigger you need to configure the Lookback setting to match the number of minutes between runs. If you want to change
3. If you change the TimerTigger you need to configure the Lookback setting to match the number of minutes between runs. If you want to change
the Lookback
```
a. Click on Function App "Configuration" under Settings

Двоичные данные
DataConnectors/Netskope/AzureFunctionNetskope.zip
Просмотреть файл

Двоичный файл не отображается.

35
DataConnectors/Netskope/AzureFunctionNetskope/run.ps1
Просмотреть файл

@ -129,6 +129,41 @@ function Netskope () {
Do {
$response = GetLogs -Uri $uri -ApiKey $apikey -StartTime $startTime -EndTime $endTime -LogType $logtype -Page $pageLimit -Skip $skip
$netskopeevents = $response.data
$netskopeevents | Add-Member -MemberType NoteProperty dlp_incidentid -Value ""
$netskopeevents | Add-Member -MemberType NoteProperty dlp_parentid -Value ""
$netskopeevents | Add-Member -MemberType NoteProperty connectionid -Value ""
$netskopeevents | Add-Member -MemberType NoteProperty app_sessionid -Value ""
$netskopeevents | Add-Member -MemberType NoteProperty transactionid -Value ""
$netskopeevents | Add-Member -MemberType NoteProperty browser_sessionid -Value ""
$netskopeevents | Add-Member -MemberType NoteProperty requestid -Value ""
if($null -ne $netskopeevents)
{
$netskopeevents | ForEach-Object{
if($_.dlp_incident_id -ne $NULL){
$_.dlp_incidentid = [string]$_.dlp_incident_id
}
if($_.dlp_parent_id -ne $NULL){
$_.dlp_parentid = [string]$_.dlp_parent_id
}
if($_.connection_id -ne $NULL){
$_.connectionid = [string]$_.connection_id
}
if($_.app_session_id -ne $NULL){
$_.app_sessionid = [string]$_.app_session_id
}
if($_.transaction_id -ne $NULL){
$_.transactionid = [string]$_.transaction_id
}
if($_.browser_session_id -ne $NULL){
$_.browser_sessionid = [string]$_.browser_session_id
}
if($_.request_id -ne $NULL){
$_.requestid = [string]$_.request_id
}
}
}
$dataLength = $response.data.Length
$alleventobjs += $netskopeevents

Двоичные данные
DataConnectors/O365 Data/O365APItoAS-Template.zip
Просмотреть файл

Двоичный файл не отображается.

Двоичные данные
DataConnectors/SalesforceServiceCloud/SalesforceSentinelConn.zip
Просмотреть файл

Двоичный файл не отображается.

1
DataConnectors/SalesforceServiceCloud/SalesforceSentinelConnector/__init__.py
Просмотреть файл

@ -123,6 +123,7 @@ def gen_chunks_to_object(file_in_tmp_path, chunksize=100):
field_names = [x if x != 'type' else 'type_' for x in field_names]
reader = csv.DictReader(open(file_in_tmp_path), fieldnames=field_names)
chunk = []
next(reader)
for index, line in enumerate(reader):
if (index % chunksize == 0 and index > 0):
yield chunk

16
DataConnectors/Templates/Data Connectors Template Guidance.md
Просмотреть файл

@ -2,7 +2,7 @@
To make it easy to build and validate data connectors user experience, we have data connector json templates available for partners to use, validate and submit. This guide provides information on how to fill out the json templates.
The underlying json structure of any of the data connector template is the same, hence this connector template guidance is generalized for CEF, REST or Syslog data connector types in Azure Sentinel. There will be specific recommendations provided for different types as needed.
The underlying json structure of any of the data connector template is the same, hence this connector template guidance is generalized for CEF, REST or Syslog data connector types in Microsoft Sentinel. There will be specific recommendations provided for different types as needed.
# How to use the json template?
@ -13,7 +13,7 @@ Download the json template based on the data connector type and rename it to as
The following nomenclatures appear in the json templates. Note these accordingly to represent your data connector and fill these values accordingly in the template.
1. **PROVIDER NAME** – The name of the vendor who is building the data connector. For e.g. Microsoft, Symantec, Barracuda, etc.
2. **APPLIANCE NAME** – The name of the specific product whose logs or data is being sent to Azure Sentinel via this data connector. For e.g. CloudGen Firewall (from Barracuda), Security Analytics (from Citrix), etc.
2. **APPLIANCE NAME** – The name of the specific product whose logs or data is being sent to Microsoft Sentinel via this data connector. For e.g. CloudGen Firewall (from Barracuda), Security Analytics (from Citrix), etc.
3. **DATATYPE\_NAME** – The name of the default table where the data / logs will be sent to. The location changes for each type of data connector. While naming these:
1. Do **not** have spaces in the data type names.
2. Represent both provider, appliance name and type of data [optionally] as a short name in the data type name. The goal is to be able to disambiguate different data types if there&#39;s going to be separate data types for different appliances from the same provider for different log types (like alerts, events, raw logs, network logs, etc.)
@ -89,7 +89,7 @@ A data connector can have multiple data types and these can be represented by co
3. **permissions** – Represents the required permissions needed for the data connector to be enabled or connected. For e.g. write permissions to the workspace is needed for connector to be enabled, etc. These appear in the connector UX in the prerequisites section. This property value need **not** be updated and can remain as-is.
4. **instructionSteps** – These are the specific instructions to connect to the data connector.
* For CEF and Syslog, leverage the existing text as-is and add anything custom as needed.
* For REST API, either provide a link to your website/documentation that outlines the onboarding guidance to send data to Azure Sentinel **or** provide detailed guidance for customers to send data to Azure Sentinel.
* For REST API, either provide a link to your website/documentation that outlines the onboarding guidance to send data to Microsoft Sentinel **or** provide detailed guidance for customers to send data to Microsoft Sentinel.
* If Connector is dependent on Kusto Function (Parser), **additionalRequirementBanner** and **instruction step** about Parser need to be added in Connector. <p>
# What is the format for redirection/Short links?
@ -100,3 +100,13 @@ A data connector can have multiple data types and these can be represented by co
Expand and add multiple instructions as needed by adding more title and description elements in this block.
## Next steps
Currently in preview, you can also publish your data connector as a Microsoft Sentinel solution.
Microsoft Sentinel solutions provide an in-product experience for central discoverability, single-step deployment, and enablement of end-to-end product and/or domain and/or vertical scenarios in Microsoft Sentinel. For example, use solutions to deliver your data connector packaged with related analytics rules, workbooks, playbooks, and more.
**Tip**: If your solution is being published to the content hub, also open a PR to have it listed in our [content hub catalog](https://docs.microsoft.com/azure/sentinel/sentinel-solutions-catalog). On the docs page, click Edit to open your PR.
For more information, see the [Microsoft Sentinel solution overview](https://docs.microsoft.com/azure/sentinel/sentinel-solutions) and our [Guide to Building Microsoft Sentinel Solutions](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions#readme).

32
DataConnectors/Templates/Doc_Template_CEF_Connector.md
Просмотреть файл

@ -1,21 +1,29 @@
# Connect your <<Partner Appliance Name>> to Azure Sentinel
# Connect your <<Partner Appliance Name>> to Microsoft Sentinel
This article explains how to connect your <<Partner Appliance Name>> appliance to Azure Sentinel. The <<Partner Appliance Name>> data connector allows you to easily connect your <<Partner Appliance Name>> logs with Azure Sentinel, to view dashboards, create custom alerts, and improve investigation. <<Add additional specific insights this data connectivity provides to customers>>
This article explains how to connect your <<Partner Appliance Name>> appliance to Microsoft Sentinel. The <<Partner Appliance Name>> data connector allows you to easily connect your <<Partner Appliance Name>> logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. <<Add additional specific insights this data connectivity provides to customers>>
> [!NOTE]
> Data will be stored in the geographic location of the workspace on which you are running Azure Sentinel.
**Note**: Data will be stored in the geographic location of the workspace on which you are running Microsoft Sentinel.
## Forward <<Partner Appliance Name>> logs to the Syslog agent
Configure <<Partner Appliance Name>> to forward Syslog messages in CEF format to your Azure workspace via the Syslog agent.
1. <Add specific steps on how customers can configure your appliance to send logs to Syslog - refer to 'https://docs.microsoft.com/azure/sentinel/connect-paloalto' as an example for this section. Adjust numbering below as needed for the last two steps that follows.>
1. <Add specific steps on how customers can configure your appliance to send logs to Syslog. For more information, see our generic [CEF data connector documentation](https://docs.microsoft.com/azure/sentinel/connect-common-event-format). Adjust numbering below as needed for the last two steps that follows.>
2. To use the relevant schema in Log Analytics for the <<Partner Appliance Name>>, search for CommonSecurityLog.
3. Continue to [STEP 3: Validate connectivity](connect-cef-verify.md).
3. Continue with [validating your CEF connectivity](https://docs.microsoft.com/azure/sentinel/troubleshooting-cef-syslog?tabs=rsyslog#validate-cef-connectivity).
## Next steps
In this document, you learned how to connect <<Partner Appliance Name>> to Azure Sentinel. To learn more about Azure Sentinel, see the following articles:
- Learn how to [get visibility into your data, and potential threats](quickstart-get-visibility.md).
- Get started [detecting threats with Azure Sentinel](tutorial-detect-threats-built-in.md).
- [Use workbooks](tutorial-monitor-your-data.md) to monitor your data.
In this document, you learned how to connect <<Partner Appliance Name>> to Microsoft Sentinel. To learn more about Microsoft Sentinel, see the following articles:
- Learn how to [get visibility into your data, and potential threats](https://docs.microsoft.com/azure/sentinel/get-visibility).
- Get started [detecting threats with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/detect-threats-built-in).
- [Use workbooks](https://docs.microsoft.com/azure/sentinel/monitor-your-data) to monitor your data.
<### Install as a solution (Preview)
Include this section if you are planning on publishing your data connector as a Microsoft Sentinel solution. Microsoft Sentinel solutions provide an in-product experience for central discoverability, single-step deployment, and enablement of end-to-end product and/or domain and/or vertical scenarios in Microsoft Sentinel. For example, use solutions to deliver your data connector packaged with related analytics rules, workbooks, playbooks, and more.
- When relevant, add instructions for installing your solution, either from the Azure Marketplace, or from the Microsoft Sentinel content hub.
- If your solution is being published to the content hub, also open a PR to have it listed in our [content hub catalog](https://docs.microsoft.com/azure/sentinel/sentinel-solutions-catalog). On the docs page, click Edit to open your PR.
For more information, see the [Microsoft Sentinel solution overview](https://docs.microsoft.com/azure/sentinel/sentinel-solutions) and our [Guide to Building Microsoft Sentinel Solutions](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions#readme).>

34
DataConnectors/Templates/Doc_Template_REST_API_Connector.md
Просмотреть файл

@ -1,24 +1,19 @@
# Connect your <<Partner Appliance Name>> to Azure Sentinel
# Connect your <<Partner Appliance Name>> to Microsoft Sentinel
<<Partner Appliance Name>> connector allows you to easily connect all your <<Partner Appliance Name>> security solution logs with your Azure Sentinel, to view dashboards, create custom alerts, and improve investigation. <<Add additional specific insights this data connectivity provides to customers>>. Integration between <<Partner Appliance Name>> and Azure Sentinel makes use of REST API.
<<Partner Appliance Name>> connector allows you to easily connect all your <<Partner Appliance Name>> security solution logs with your Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. <<Add additional specific insights this data connectivity provides to customers>>. Integration between <<Partner Appliance Name>> and Microsoft Sentinel makes use of REST API.
> [!NOTE]
> Data will be stored in the geographic location of the workspace on which you are running Azure Sentinel.
> Data will be stored in the geographic location of the workspace on which you are running Microsoft Sentinel.
## Configure and connect <<Partner Appliance Name>>
<<Partner Appliance Name>> can integrate and export logs directly to Azure Sentinel.
1. In the Azure Sentinel portal, click Data connectors and select <<Partner Appliance Name>> and then Open connector page.
2. <If you have documentation to connect on your side link to that - refer to 'https://docs.microsoft.com/azure/sentinel/connect-f5-big-ip' as an example for this section>
ELSE
2. <Provide detailed steps to discover the connection in your product with screenshots - refer to 'https://docs.microsoft.com/azure/sentinel/connect-symantec' as an example for this section>
<<Partner Appliance Name>> can integrate and export logs directly to Microsoft Sentinel.
1. In the Microsoft Sentinel portal, click Data connectors and select <<Partner Appliance Name>> and then Open connector page.
2. <If you have documentation to connect on your side link to that. If you don't, provide detailed steps to discover the connection in your product. For more information, see our [generic REST API-based data connector documentation](https://docs.microsoft.com/azure/sentinel/connect-rest-api-template).>
## Find your data
@ -30,8 +25,17 @@ It may take up to 20 minutes until your logs start to appear in Log Analytics.
## Next steps
In this document, you learned how to connect <<Partner Appliance Name>> to Azure Sentinel. To learn more about Azure Sentinel, see the following articles:
- Learn how to [get visibility into your data, and potential threats](quickstart-get-visibility.md).
- Get started [detecting threats with Azure Sentinel](tutorial-detect-threats-built-in.md).
- [Use workbooks](tutorial-monitor-your-data.md) to monitor your data.
In this document, you learned how to connect <<Partner Appliance Name>> to Microsoft Sentinel. To learn more about Microsoft Sentinel, see the following articles:
- Learn how to [get visibility into your data, and potential threats](https://docs.microsoft.com/azure/sentinel/get-visibility).
- Get started [detecting threats with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/detect-threats-built-in).
- [Use workbooks](https://docs.microsoft.com/azure/sentinel/monitor-your-data) to monitor your data.
<### Install as a solution (Preview)
Include this section if you are planning on publishing your data connector as a Microsoft Sentinel solution. Microsoft Sentinel solutions provide an in-product experience for central discoverability, single-step deployment, and enablement of end-to-end product and/or domain and/or vertical scenarios in Microsoft Sentinel. For example, use solutions to deliver your data connector packaged with related analytics rules, workbooks, playbooks, and more.
- When relevant, add instructions for installing your solution, either from the Azure Marketplace, or from the Microsoft Sentinel content hub.
- If your solution is being published to the content hub, also open a PR to have it listed in our [content hub catalog](https://docs.microsoft.com/azure/sentinel/sentinel-solutions-catalog). On the docs page, click Edit to open your PR.
For more information, see the [Microsoft Sentinel solution overview](https://docs.microsoft.com/azure/sentinel/sentinel-solutions) and our [Guide to Building Microsoft Sentinel Solutions](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions#readme).>

23
DataConnectors/Templates/Doc_Template_Syslog_Connector.md
Просмотреть файл

@ -1,6 +1,6 @@
# Connect your <<Partner Appliance Name>> to Azure Sentinel
# Connect your <<Partner Appliance Name>> to Microsoft Sentinel
This article explains how to connect your <<Partner Appliance Name>> appliance to Azure Sentinel. The <<Partner Appliance Name>> data connector allows you to easily connect your <<Partner Appliance Name>> logs with Azure Sentinel, to view dashboards, create custom alerts, and improve investigation. <<Add additional specific insights this data connectivity provides to customers>>. Integration between <<Partner Appliance Name>> and Azure Sentinel makes use of Syslog.
This article explains how to connect your <<Partner Appliance Name>> appliance to Microsoft Sentinel. The <<Partner Appliance Name>> data connector allows you to easily connect your <<Partner Appliance Name>> logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. <<Add additional specific insights this data connectivity provides to customers>>. Integration between <<Partner Appliance Name>> and Microsoft Sentinel makes use of Syslog.
> [!NOTE]
@ -10,7 +10,7 @@ This article explains how to connect your <<Partner Appliance Name>> appliance t
Configure <<Partner Appliance Name>> to forward Syslog messages to your Azure workspace via the Syslog agent.
1. <Add specific steps on how customers can configure your appliance to send logs to Syslog. Adjust numbering below as needed for the last steps that follows.>
2. In the Azure portal, navigate to Azure Sentinel > Data connectors and then select the <<Partner Appliance Name>> connector.
2. In the Azure portal, navigate to Azure Microsoft > Data connectors and then select the <<Partner Appliance Name>> connector.
3. Select Open connector page.
4. Follow the instructions on the <<Partner Appliance Name>> page.
@ -22,7 +22,16 @@ After a successful connection is established, the data appears in Log Analytics
It may take upwards of 20 minutes until your logs start to appear in Log Analytics.
## Next steps
In this document, you learned how to connect <<Partner Appliance Name>> to Azure Sentinel. To learn more about Azure Sentinel, see the following articles:
- Learn how to [get visibility into your data, and potential threats](quickstart-get-visibility.md).
- Get started [detecting threats with Azure Sentinel](tutorial-detect-threats-built-in.md).
- [Use workbooks](tutorial-monitor-your-data.md) to monitor your data.
In this document, you learned how to connect <<Partner Appliance Name>> to Microsoft Sentinel. To learn more about Microsoft Sentinel, see the following articles:
- Learn how to [get visibility into your data, and potential threats](https://docs.microsoft.com/azure/sentinel/get-visibility).
- Get started [detecting threats with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/detect-threats-built-in).
- [Use workbooks](https://docs.microsoft.com/azure/sentinel/monitor-your-data) to monitor your data.
<### Install as a solution (Preview)
Include this section if you are planning on publishing your data connector as a Microsoft Sentinel solution. Microsoft Sentinel solutions provide an in-product experience for central discoverability, single-step deployment, and enablement of end-to-end product and/or domain and/or vertical scenarios in Microsoft Sentinel. For example, use solutions to deliver your data connector packaged with related analytics rules, workbooks, playbooks, and more.
- When relevant, add instructions for installing your solution, either from the Azure Marketplace, or from the Microsoft Sentinel content hub.
- If your solution is being published to the content hub, also open a PR to have it listed in our [content hub catalog](https://docs.microsoft.com/azure/sentinel/sentinel-solutions-catalog). On the docs page, click Edit to open your PR.
For more information, see the [Microsoft Sentinel solution overview](https://docs.microsoft.com/azure/sentinel/sentinel-solutions) and our [Guide to Building Microsoft Sentinel Solutions](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions#readme).>

2
DataConnectors/ZPA/README.md
Просмотреть файл

@ -2,4 +2,4 @@
The [Zscaler Private Access (ZPA)](https://help.zscaler.com/zpa/what-zscaler-private-access) data connector provides the capability to ingest [Zscaler Private Access events](https://help.zscaler.com/zpa/log-streaming-service) into Azure Sentinel. Refer to [Zscaler Private Access documentation](https://help.zscaler.com/zpa) for more information.
# Requirements
1. ZPA device log forwarding configuration uses the port "**22033**" by default. Ensure this port is not being used by any other source on your server.
2. If you would like to change the default port for ZPA configuartion(**zpa.conf**) make sure that it should not get conflict with default AMA agent ports i;e (For example CEF uses "**25226**" or "**25224**")
2. If you would like to change the default port for ZPA configuartion(**zpa.conf**) make sure that it should not get conflict with default AMA agent ports i.e. (For example CEF uses "**25226**" or "**25224**")

75
Detections/ASimNetworkSession/PossibleBeaconingActivity.yaml Normal file
Просмотреть файл

@ -0,0 +1,75 @@
id: fcb9d75c-c3c1-4910-8697-f136bfef2363
name: Potential beaconing activity (ASIM Network Session schema)
description: |
This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\<br><br>This rule uses the [Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any network session source that compiles with ASIM. To use this Analytics Rule, [deploy the Advanced SIEM information Model (ASIM)](https://aka.ms/DeployASIM).''
severity: Low
requiredDataConnectors: []
queryFrequency: 1d
queryPeriod: 2d
triggerOperator: gt
triggerThreshold: 0
tactics:
- CommandAndControl
relevantTechniques:
- T1071
- T1571
tags:
- ParentAlert: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-NetworkBeaconing.yaml
ParentVersion: 1.0.0
- Schema: ASIMNetworkSession
SchemaVersion: 0.2.1
query: |
let querystarttime = 2d;
let queryendtime = 1d;
let TimeDeltaThreshold = 10;
let TotalEventsThreshold = 15;
let PercentBeaconThreshold = 80;
imNetworkSession(starttime=querystarttime, endtime=queryendtime)
| where not(ipv4_is_private(DstIpAddr))
| project TimeGenerated, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes
| sort by SrcIpAddr asc,TimeGenerated asc, DstIpAddr asc, DstPortNumber asc
| serialize
| extend nextTimeGenerated = next(TimeGenerated, 1), nextSrcIpAddr = next(SrcIpAddr, 1)
| extend TimeDeltainSeconds = datetime_diff('second',nextTimeGenerated,TimeGenerated)
| where SrcIpAddr == nextSrcIpAddr
//Whitelisting criteria/ threshold criteria
| where TimeDeltainSeconds > TimeDeltaThreshold
| project TimeGenerated, TimeDeltainSeconds, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes
| summarize count(), sum(DstBytes), sum(SrcBytes), make_list(TimeDeltainSeconds)
by TimeDeltainSeconds, bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber
| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSrcBytes = sum(sum_SrcBytes), TotalDstBytes = sum(sum_DstBytes)
by bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber
| where TotalEvents > TotalEventsThreshold
| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100
| where BeaconPercent > PercentBeaconThreshold
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: HostCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SrcIpAddr
- entityType: IP
fieldMappings:
- identifier: Address
columnName: DstIpAddr
alertDetailsOverride:
alertDisplayNameFormat: Potential beaconing from {{SrcIpAddr}} to {{DstIpAddr}} over port {{DstPortNumber}}
alertDescriptionFormat: Potential beaconing pattern from a client at address {{SrcIpAddr}} to a server at address {{DstIpAddr}} over port {{DstPortNumber}} identified. The recurring frequency is {{MostFrequentTimeDeltaCount}} and the total transferred volume is {{TotalSrcBytes}} bytes. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/)
customDetails:
DstPortNumber: DstPortNumber
FrequenceCount: TotalSrcBytes
FrequencyTime: MostFrequentTimeDeltaCount
TotalDstBytes: TotalDstBytes
version: 1.0.0
kind: Scheduled

107
Detections/ASimWebSession/PossibleDGAContacts.yaml Normal file
Просмотреть файл

@ -0,0 +1,107 @@
id: 9176b18f-a946-42c6-a2f6-0f6d17cd6a8a
name: Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Network Session schema)
description: |
'This rule identifies communication with hosts that have a domain name that might have been generated by a Domain Generation Algorithm (DGA). DGAs are used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the top 1 million domain names to build a model of what normal domains look like nad uses the model to identify domains that may have been randomly generated by an algorithm. You can modify the triThreshold and dgaLengthThreshold query parameters to change Analytic Rule sensitivity. The higher the numbers, the less noisy the rule is. <br>This rule uses the [Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any network session source that compiles with ASIM. To use this Analytics Rule, [deploy the Advanced SIEM information Model (ASIM)](https://aka.ms/DeployASIM).'
severity: Medium
requiredDataConnectors: []
queryFrequency: 6h
queryPeriod: 6h
triggerOperator: gt
triggerThreshold: 0
tactics:
- CommandAndControl
tags:
- ParentAlert: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml
version: 1.0.0
- Schema: ASIMWebSession
SchemaVersion: 0.2.0
relevantTechniques:
- T1568
query: |
let triThreshold = 500;
let querystarttime = 6h;
let dgaLengthThreshold = 8;
// fetch the cisco umbrella top 1M domains
let top1M = (externaldata (Position:int, Domain:string) [@"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip"] with (format="csv", zipPattern="*.csv"));
// extract tri grams that are above our threshold - i.e. are common
let triBaseline = top1M
| extend Domain = tolower(extract("([^.]*).{0,7}$", 1, Domain))
| extend AllTriGrams = array_concat(extract_all("(...)", Domain), extract_all("(...)", substring(Domain, 1)), extract_all("(...)", substring(Domain, 2)))
| mvexpand Trigram=AllTriGrams to typeof(string)
| summarize triCount=count() by Trigram
| sort by triCount desc
| where triCount > triThreshold
| distinct Trigram;
// collect domain information from common security log, filter and extract the DGA candidate and its trigrams
let allDataSummarized = imWebSession
| where isnotempty(Url)
| extend Name = tolower(tostring(parse_url(Url)["Host"]))
| summarize NameCount=count() by Name
| where Name has "."
| where Name !endswith ".home" and Name !endswith ".lan"
// extract DGA candidate
| extend DGADomain = extract("([^.]*).{0,7}$", 1, Name)
| where strlen(DGADomain) > dgaLengthThreshold
// throw out domains with number in them
| where DGADomain matches regex "^[A-Za-z]{0,}$"
// extract the tri grams from summarized data
| extend AllTriGrams = array_concat(extract_all("(...)", DGADomain), extract_all("(...)", substring(DGADomain, 1)), extract_all("(...)", substring(DGADomain, 2)));
// throw out domains that have repeating tri's and/or >=3 repeating letters
let nonRepeatingTris = allDataSummarized
| join kind=leftanti
(
allDataSummarized
| mvexpand AllTriGrams
| summarize count() by tostring(AllTriGrams), DGADomain
| where count_ > 1
| distinct DGADomain
)
on DGADomain;
// find domains that do not have a common tri in the baseline
let dataWithRareTris = nonRepeatingTris
| join kind=leftanti
(
nonRepeatingTris
| mvexpand AllTriGrams
| extend Trigram = tostring(AllTriGrams)
| distinct Trigram, DGADomain
| join kind=inner
(
triBaseline
)
on Trigram
| distinct DGADomain
)
on DGADomain;
dataWithRareTris
// join DGAs back on connection data
| join kind=inner
(
imWebSession
| where isnotempty(Url)
| extend Url = tolower(Url)
| summarize arg_max(TimeGenerated, EventVendor, SrcIpAddr) by Url
| extend Name=tostring(parse_url(Url)["Host"])
| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SrcIpAddr, Url
)
on Name
| project StartTime, EndTime, Name, DGADomain, SrcIpAddr, Url, NameCount
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
- entityType: Url
fieldMappings:
- identifier: Url
columnName: Url
alertDetailsOverride:
alertDisplayNameFormat: Potential communication from {{SrcIpAddr} with a Domain Generation Algorithm (DGA) based host {{Name}}
alertDescriptionFormat: A client with address {{SrcIpAddr}} communicated with host {{Name}} that have a domain name that might have been generated by a Domain Generation Algorithm (DGA), identified by the pattern {{DGADomain}}. DGAs are used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the top 1 million domain names to build a model of what normal domains look like and uses the model to identify domains that may have been randomly generated by an algorithm.
customDetails:
DGAPattern: DGADomain
NameCount: NameCount
version: 1.0.0
kind: Scheduled

4
Detections/ASimWebSession/UnusualUACryptoMiners.yaml
Просмотреть файл

@ -22,7 +22,7 @@ query: |
with(format="csv", ignoreFirstRecord=True));
let knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));
let customUserAgents=toscalar(_GetWatchlist("UnusualUserAgents") | where SearchKey==threatCategory | extend UserAgent=column_ifexists("UserAgent","") | where isnotempty(UserAgent) | summarize make_list(UserAgent));
let fullUAList = array_concat(knownUserAgents,customUserAgents)
let fullUAList = array_concat(knownUserAgents,customUserAgents);
imWebSession(httpuseragent_has_any=fullUAList)
| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername
@ -50,5 +50,5 @@ customDetails:
eventGroupingSettings:
aggregationKind: AlertPerResult
version: 1.0.1
version: 1.0.2
kind: Scheduled

4
Detections/ASimWebSession/UnusualUAHackTool.yaml
Просмотреть файл

@ -22,7 +22,7 @@ query: |
with(format="csv", ignoreFirstRecord=True));
let knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));
let customUserAgents=toscalar(_GetWatchlist("UnusualUserAgents") | where SearchKey==threatCategory | extend UserAgent=column_ifexists("UserAgent","") | where isnotempty(UserAgent) | summarize make_list(UserAgent));
let fullUAList = array_concat(knownUserAgents,customUserAgents)
let fullUAList = array_concat(knownUserAgents,customUserAgents);
imWebSession(httpuseragent_has_any=fullUAList)
| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername
entityMappings:
@ -48,5 +48,5 @@ customDetails:
eventGroupingSettings:
aggregationKind: AlertPerResult
version: 1.0.1
version: 1.0.2
kind: Scheduled

12
Detections/AzureActivity/RareRunCommandPowerShellScript.yaml
Просмотреть файл

@ -15,7 +15,7 @@ requiredDataConnectors:
- DeviceFileEvents
- DeviceEvents
queryFrequency: 1d
queryPeriod: 7d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
@ -79,12 +79,12 @@ query: |
| join kind=leftouter (
hashTotals
) on ScriptFingerprintHash
// Calculate prevelance, while we don't need this, it may be useful for responders to know how rare this script is in relation to normal activity
| extend Prevelance = toreal(HashCount) / toreal(totals) * 100
// Calculate prevalence, while we don't need this, it may be useful for responders to know how rare this script is in relation to normal activity
| extend Prevalence = toreal(HashCount) / toreal(totals) * 100
// Where the hash was only ever seen once.
| where HashCount == 1
| extend timestamp = StartTime, IPCustomEntity=CallerIpAddress, AccountCustomEntity=Caller, HostCustomEntity=VirtualMachineName
| project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, IPCustomEntity, AccountCustomEntity, HostCustomEntity
| project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, Prevalence, IPCustomEntity, AccountCustomEntity, HostCustomEntity
entityMappings:
- entityType: Account
fieldMappings:
@ -98,5 +98,5 @@ entityMappings:
fieldMappings:
- identifier: HostName
columnName: HostCustomEntity
version: 1.0.0
kind: scheduled
version: 1.0.1
kind: Scheduled

40
Detections/AzureDiagnostics/AzureWAFmatching_log4j_vuln.yaml Normal file
Просмотреть файл

@ -0,0 +1,40 @@
id: 2de8abd6-a613-450e-95ed-08e503369fb3
name: Azure WAF matching for Log4j vuln(CVE-2021-44228)
description: |
'This query will alert on a positive pattern match by Azure WAF for CVE-2021-44228 log4j vulnerability exploitation attempt. If possible, it then decodes the malicious command for further analysis.
Refrence: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/'
severity: High
requiredDataConnectors:
- connectorId: WAF
dataTypes:
- AzureDiagnostics
queryFrequency: 6h
queryPeriod: 6h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1190
tags:
- CVE-2021-44228
- log4j
- log4shell
query: |
AzureDiagnostics
| where details_data_s has "jndi:"
| parse details_data_s with * '${' MaliciousCommand '}' *
| extend EncodeCmd = iff(MaliciousCommand has 'Base64/', split(split(MaliciousCommand, "Base64/",1)[0], "}", 0)[0], "")
| extend EncodeCmd1 = iff(MaliciousCommand has 'base64/', split(split(MaliciousCommand, "base64/",1)[0], "}", 0)[0], "")
| extend CmdLine = iff( isnotempty(EncodeCmd), EncodeCmd, EncodeCmd1)
| extend DecodedCmdLine = base64_decode_tostring(tostring(CmdLine))
| extend DecodedCmdLine = iff( isnotempty(DecodedCmdLine), DecodedCmdLine, "Unable to decode")
| project TimeGenerated, Target=hostname_s, MaliciousHost = clientIp_s, MaliciousCommand, details_data_s, DecodedCmdLine, Message, ruleSetType_s, OperationName, SubscriptionId, details_message_s, details_file_s
| extend IPCustomEntity = MaliciousHost, timestamp = TimeGenerated
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.1
kind: Scheduled

2
Detections/AzureDiagnostics/KeyVaultSensitiveOperations.yaml
Просмотреть файл

@ -7,7 +7,7 @@ severity: Low
requiredDataConnectors:
- connectorId: AzureKeyVault
dataTypes:
- AzureDiagnostics
- KeyVaultData
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt

2
Detections/AzureDiagnostics/KeyvaultMassSecretRetrieval.yaml
Просмотреть файл

@ -9,7 +9,7 @@ severity: Low
requiredDataConnectors:
- connectorId: AzureKeyVault
dataTypes:
- AzureDiagnostics
- KeyVaultData
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt

2
Detections/AzureDiagnostics/TimeSeriesKeyvaultAccessAnomaly.yaml
Просмотреть файл

@ -9,7 +9,7 @@ severity: Low
requiredDataConnectors:
- connectorId: AzureKeyVault
dataTypes:
- AzureDiagnostics
- KeyVaultData
queryFrequency: 1d
queryPeriod: 14d
triggerOperator: gt

75
Detections/CiscoUmbrella/CiscoUmbrellaConnectionNon-CorporatePrivateNetwork.yaml
Просмотреть файл

@ -1,37 +1,38 @@
id: c9b6d281-b96b-4763-b728-9a04b9fe1246
name: Cisco Umbrella - Connection to non-corporate private network
description: |
'IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home computer.'
severity: Medium
requiredDataConnectors:
- connectorId: CiscoUmbrellaDataConnector
dataTypes:
- Cisco_Umbrella_proxy_CL
queryFrequency: 10m
queryPeriod: 10m
triggerOperator: gt
triggerThreshold: 0
tactics:
- CommandandControl
- Exfiltration
query: |
let lbtime = 10m;
Cisco_Umbrella
| where TimeGenerated > ago(lbtime)
| where EventType == 'proxylogs'
| where DvcAction =~ 'Allowed'
| where UrlCategory has_any ('Dynamic and Residential', 'Personal VPN')
| project TimeGenerated, SrcIpAddr, Identities
| extend IPCustomEntity = SrcIpAddr
| extend AccountCustomEntity = Identities
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled
id: c9b6d281-b96b-4763-b728-9a04b9fe1246
name: Cisco Umbrella - Connection to non-corporate private network
description: |
'IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home computer.'
severity: Medium
requiredDataConnectors:
- connectorId: CiscoUmbrellaDataConnector
dataTypes:
- Cisco_Umbrella_proxy_CL
queryFrequency: 10m
queryPeriod: 10m
triggerOperator: gt
triggerThreshold: 0
tactics:
- CommandAndControl
- Exfiltration
query: |
let lbtime = 10m;
Cisco_Umbrella
| where TimeGenerated > ago(lbtime)
| where EventType == 'proxylogs'
| where DvcAction =~ 'Allowed'
| where UrlCategory has_any ('Dynamic and Residential', 'Personal VPN')
| project TimeGenerated, SrcIpAddr, Identities
| extend IPCustomEntity = SrcIpAddr
| extend AccountCustomEntity = Identities
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.1.0
kind: Scheduled

6
Detections/CiscoUmbrella/CiscoUmbrellaConnectionToUnpopularWebsiteDetected.yaml
Просмотреть файл

@ -12,7 +12,7 @@ queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
- CommandandControl
- CommandAndControl
query: |
let domain_lookBack= 14d;
let timeframe = 1d;
@ -40,5 +40,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled
version: 1.1.0
kind: Scheduled

6
Detections/CiscoUmbrella/CiscoUmbrellaCryptoMinerUserAgentDetected.yaml
Просмотреть файл

@ -12,7 +12,7 @@ queryPeriod: 15m
triggerOperator: gt
triggerThreshold: 0
tactics:
- CommandandControl
- CommandAndControl
query: |
let timeframe = 15m;
Cisco_Umbrella
@ -31,5 +31,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled
version: 1.1.0
kind: Scheduled

6
Detections/CiscoUmbrella/CiscoUmbrellaEmptyUserAgentDetected.yaml
Просмотреть файл

@ -12,7 +12,7 @@ queryPeriod: 15m
triggerOperator: gt
triggerThreshold: 0
tactics:
- CommandandControl
- CommandAndControl
query: |
let timeframe = 15m;
Cisco_Umbrella
@ -31,5 +31,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled
version: 1.1.0
kind: Scheduled

6
Detections/CiscoUmbrella/CiscoUmbrellaHackToolUserAgentDetected.yaml
Просмотреть файл

@ -12,7 +12,7 @@ queryPeriod: 15m
triggerOperator: gt
triggerThreshold: 0
tactics:
- CommandandControl
- CommandAndControl
query: |
let timeframe = 15m;
let user_agents=dynamic([
@ -79,5 +79,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled
version: 1.1.0
kind: Scheduled

6
Detections/CiscoUmbrella/CiscoUmbrellaPowershellUserAgentDetected.yaml
Просмотреть файл

@ -12,7 +12,7 @@ queryPeriod: 15m
triggerOperator: gt
triggerThreshold: 0
tactics:
- CommandandControl
- CommandAndControl
- DefenseEvasion
query: |
let timeframe = 15m;
@ -32,5 +32,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled
version: 1.1.0
kind: Scheduled

6
Detections/CiscoUmbrella/CiscoUmbrellaRareUserAgentDetected.yaml
Просмотреть файл

@ -12,7 +12,7 @@ queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
- CommandandControl
- CommandAndControl
query: |
let lookBack = 14d;
let timeframe = 1d;
@ -37,5 +37,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled
version: 1.1.0
kind: Scheduled

6
Detections/CiscoUmbrella/CiscoUmbrellaRequestAllowedHarmfulMaliciousURICategory.yaml
Просмотреть файл

@ -12,7 +12,7 @@ queryPeriod: 10m
triggerOperator: gt
triggerThreshold: 0
tactics:
- CommandandControl
- CommandAndControl
- InitialAccess
query: |
let lbtime = 10m;
@ -50,5 +50,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled
version: 1.1.0
kind: Scheduled

6
Detections/CiscoUmbrella/CiscoUmbrellaURIContainsIPAddress.yaml
Просмотреть файл

@ -12,7 +12,7 @@ queryPeriod: 10m
triggerOperator: gt
triggerThreshold: 0
tactics:
- CommandandControl
- CommandAndControl
query: |
let lbtime = 10m;
Cisco_Umbrella
@ -32,5 +32,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled
version: 1.1.0
kind: Scheduled

8
Detections/MultipleDataSources/AWSConsoleAADCorrelation.yaml
Просмотреть файл

@ -34,10 +34,10 @@ query: |
| where SourceIpAddress != "127.0.0.1"
| summarize count() by SourceIpAddress
| where count_ > signin_threshold
| summarize make_list(SourceIpAddress);
| summarize make_set(SourceIpAddress);
//See if any of those IPs have sucessfully logged into Azure AD.
SigninLogs
| where ResultType !in ("0", "50125", "50140")
| where ResultType in ("0", "50125", "50140")
| where IPAddress in (aws_fails)
| extend Reason = "Multiple failed AWS Console logins from IP address"
| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress
@ -50,5 +50,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled
version: 1.0.1
kind: Scheduled

207
Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml Normal file
Просмотреть файл

@ -0,0 +1,207 @@
id: 6e575295-a7e6-464c-8192-3e1d8fd6a990
name: Log4j vulnerability exploit aka Log4Shell IP IOC
description: |
'Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228.
References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228'
severity: High
tags:
- Log4j
- Log4Shell
- CVE-2021-44228
- Schema: ASIMDns
SchemaVersion: 0.1.1
- Schema: ASIMNetworkSession
SchemaVersion: 0.2.0
requiredDataConnectors:
- connectorId: Office365
dataTypes:
- OfficeActivity
- connectorId: DNS
dataTypes:
- DnsEvents
- connectorId: AzureMonitor(VMInsights)
dataTypes:
- VMConnection
- connectorId: CiscoASA
dataTypes:
- CommonSecurityLog
- connectorId: PaloAltoNetworks
dataTypes:
- CommonSecurityLog
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
- connectorId: AzureActiveDirectory
dataTypes:
- SigninLogs
- connectorId: AzureActiveDirectory
dataTypes:
- AADNonInteractiveUserSignInLogs
- connectorId: AzureMonitor(WireData)
dataTypes:
- WireData
- connectorId: AzureMonitor(IIS)
dataTypes:
- W3CIISLog
- connectorId: AzureActivity
dataTypes:
- AzureActivity
- connectorId: AWS
dataTypes:
- AWSCloudTrail
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceNetworkEvents
- connectorId: AzureFirewall
dataTypes:
- AzureDiagnostics
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- CommandAndControl
query: |
let IPList = externaldata(IPAddress:string)[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv"] with (format="csv", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
//Network logs
let CSlogSourceIP = CommonSecurityLog | summarize by IPAddress = SourceIP, Type;
let CSlogDestIP = CommonSecurityLog | summarize by IPAddress = DestinationIP, Type;
let CSlogMsgIP = CommonSecurityLog | extend MessageIP = extract(IPRegex, 0, Message) | summarize by IPAddress = MessageIP, Type;
let DnsIP = DnsEvents | summarize by IPAddress = IPAddresses, Type;
// If you have enabled the imDNS and/or imNetworkSession normalization in your workspace, you can uncomment one or both below. Reference - https://docs.microsoft.com/azure/sentinel/normalization
//let imDnsIP = imDns (response_has_any_prefix=IPList) | summarize by IPAddress = ResponseName, Type;
//let imNetSessIP = imNetworkSession (dstipaddr_has_any_prefix=IPList) | summarize by IPAddress = DstIpAddr, Type;
//Cloud service logs
let officeIP = OfficeActivity | summarize by IPAddress = ClientIP, Type;
let signinIP = SigninLogs | summarize by IPAddress, Type;
let nonintSigninIP = AADNonInteractiveUserSignInLogs | summarize by IPAddress, Type;
let azureActIP = AzureActivity | summarize by IPAddress = CallerIpAddress, Type;
let awsCtIP = AWSCloudTrail | summarize by IPAddress = SourceIpAddress, Type;
//Device logs
let vmConnSourceIP = VMConnection | summarize by IPAddress = SourceIp, Type;
let vmConnDestIP = VMConnection | summarize by IPAddress = DestinationIp, Type;
let iisLogIP = W3CIISLog | summarize by IPAddress = cIP, Type;
let devNetIP = DeviceNetworkEvents | summarize by IPAddress = RemoteIP, Type;
//need to parse to get IP
let azureDiagIP = AzureDiagnostics | where ResourceType == "AZUREFIREWALLS" | where Category in ("AzureFirewallApplicationRule", "AzureFirewallNetworkRule")
| where msg_s has_any (IPList) | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action | summarize by IPAddress = DestinationHost, Type;
let sysEvtIP = Event | where Source == "Microsoft-Windows-Sysmon" | where EventID == 3 | where EventData has_any (IPList) | extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| extend SourceIP = tostring(EventDetail.[9].["#text"]), DestinationIP = tostring(EventDetail.[14].["#text"])
| where SourceIP in (IPList) or DestinationIP in (IPList) | extend IPAddress = iff(SourceIP in (IPList), SourceIP, DestinationIP) | summarize by IPAddress, Type;
// If you have enabled the imDNS and/or imNetworkSession normalization in your workdspace, you can uncomment below and include. Reference - https://docs.microsoft.com/azure/sentinel/normalization
//let ipsort = union isfuzzy=true CSlogDestIP, CSlogMsgIP, CSlogSourceIP, DnsIP, officeIP, signinIP, nonintSigninIP, azureActIP, awsCtIP, vmConnDestIP, vmConnSourceIP, azureDiagIP, sysEvtIP, imDnsIP, imNetSessIP
// If you uncomment above, then comment out the line below
let ipsort = union isfuzzy=true CSlogDestIP, CSlogMsgIP, CSlogSourceIP, DnsIP, officeIP, signinIP, nonintSigninIP, azureActIP, awsCtIP, vmConnDestIP, vmConnSourceIP, azureDiagIP, sysEvtIP
| summarize by IPAddress
| where isnotempty(IPAddress) | where not(ipv4_is_private(IPAddress)) and IPAddress !in ('0.0.0.0','127.0.0.1');
let ipMatch = ipsort | where IPAddress in (IPList);
(union isfuzzy=true
(CommonSecurityLog
| where SourceIP in (ipMatch) or DestinationIP in (ipMatch) or Message has_any (ipMatch)
| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type
| extend MessageIP = extract(IPRegex, 0, Message)
| extend IPMatch = case(SourceIP in (ipMatch), "SourceIP", DestinationIP in (ipMatch), "DestinationIP", MessageIP in (ipMatch), "Message", "No Match")
| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, IPMatch == "Message", MessageIP, "No Match")
),
(OfficeActivity
| where ClientIP in (ipMatch)
| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, Type
| extend SourceIPAddress = ClientIP, Account = UserId
| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account
),
(DnsEvents
| where IPAddresses has_any (ipMatch)
| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type
| extend DestinationIPAddress = IPAddresses, Host = Computer
| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host
),
(VMConnection
| where SourceIp in (ipMatch) or DestinationIp in (ipMatch)
| project TimeGenerated, Computer, SourceIp, DestinationIp, Type
| extend IPMatch = case( SourceIp in (ipMatch), "SourceIP", DestinationIp in (ipMatch), "DestinationIP", "None")
| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == "SourceIP", SourceIp, IPMatch == "DestinationIP", DestinationIp, "None"), Host = Computer
),
(Event
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == 3
| where EventData has_any (ipMatch)
| project TimeGenerated, EventData, UserName, Computer, Type
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| extend SourceIP = tostring(EventDetail.[9].["#text"]), DestinationIP = tostring(EventDetail.[14].["#text"])
| where SourceIP in (ipMatch) or DestinationIP in (ipMatch)
| extend IPMatch = case( SourceIP in (ipMatch), "SourceIP", DestinationIP in (ipMatch), "DestinationIP", "None")
| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "None")
),
(SigninLogs
| where IPAddress in (ipMatch)
| project TimeGenerated, UserPrincipalName, IPAddress, Type
| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress
),
(AADNonInteractiveUserSignInLogs
| where IPAddress in (ipMatch)
| project TimeGenerated, UserPrincipalName, IPAddress, Type
| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress
),
(W3CIISLog
| where cIP in (ipMatch)
| project TimeGenerated, Computer, cIP, csUserName, Type
| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName
),
(AzureActivity
| where CallerIpAddress in (ipMatch)
| project TimeGenerated, CallerIpAddress, Caller, Type
| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller
),
(
AWSCloudTrail
| where SourceIpAddress in (ipMatch)
| project TimeGenerated, SourceIpAddress, UserIdentityUserName, Type
| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName
),
(
DeviceNetworkEvents
| where RemoteIP in (ipMatch)
| project TimeGenerated, RemoteIP, DeviceName, Type
| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName
),
(
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category in ("AzureFirewallApplicationRule", "AzureFirewallNetworkRule")
| where msg_s has_any (ipMatch)
| project TimeGenerated, msg_s, Type
| parse msg_s with Protocol 'request from ' SourceIP ':' SourcePort 'to ' DestinationIP ':' DestinationPort '. Action:' Action
| where DestinationIP has_any (ipMatch)
| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP
)
// If you have enabled the imDNS and/or imNetworkSession normalization in your workdspace, you can uncomment below and include. Reference - https://docs.microsoft.com/azure/sentinel/normalization
//,
//(imDns (response_has_any_prefix=IPList)
//| project TimeGenerated, ResponseName, SrcIpAddr, Type
//| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr
//| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host
//),
//(imNetworkSession (dstipaddr_has_any_prefix=IPList)
//| project TimeGenerated, DstIpAddr, SrcIpAddr, Type
//| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr
//)
)
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: HostCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 2.0.0
kind: Scheduled

105
Detections/MultipleDataSources/UserAgentSearch_log4j.yaml Normal file
Просмотреть файл

@ -0,0 +1,105 @@
id: 29283b22-a1c0-4d16-b0a9-3460b655a46a
name: User agent search for log4j exploitation attempt
description: |
'This query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempt based on user agent pattern. Log4j is an open-source Apache logging library that is used in
many Java-based applications. The regex and the string matching look for the most common attacks. This might not be comprehensive to detect every possible user agent variation.
Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/'
severity: High
requiredDataConnectors:
- connectorId: WAF
dataTypes:
- AzureDiagnostics
- connectorId: Office365
dataTypes:
- OfficeActivity
- connectorId: AzureActiveDirectory
dataTypes:
- SigninLogs
- connectorId: AzureActiveDirectory
dataTypes:
- AADNonInteractiveUserSignInLogs
- connectorId: AWS
dataTypes:
- AWSCloudTrail
- connectorId: AzureMonitor(IIS)
dataTypes:
- W3CIISLog
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1190
tags:
- log4j
- log4shell
- CVE2021-44228
- Schema: ASimWebSession
- SchemaVersion: 0.2.1
- Schema: ASimNetworkSessions
- SchemaVersion: 0.2.1
query: |
let UserAgentString = dynamic (["${jndi:ldap:/", "${jndi:rmi:/", "${jndi:ldaps:/", "${jndi:dns:/", "${jndi:iiop:/","${jndi:","${jndi:nds:/","${jndi:corba/"]);
let UARegex = @'(\\$|%24)(\\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\\$|%24|}|%7D)';
(union isfuzzy=true
(OfficeActivity
| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, Operation
| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP
),
(AzureDiagnostics
| where Category in ("FrontdoorWebApplicationFirewallLog", "FrontdoorAccessLog", "ApplicationGatewayFirewallLog", "ApplicationGatewayAccessLog")
| where userAgent_s has_any (UserAgentString) or userAgent_s matches regex UARegex
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = userAgent_s, SourceIP = clientIP_s, Type, host_s, requestUri_s, httpStatus_d
| extend timestamp = StartTime, IPCustomEntity = SourceIP, UrlCustomEntity = requestUri_s
),
(
W3CIISLog
| where csUserAgent has_any (UserAgentString) or csUserAgent matches regex UARegex
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem
| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = csUriStem
),
(
AWSCloudTrail
| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventName
| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP
),
(SigninLogs
| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed
| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP
),
(AADNonInteractiveUserSignInLogs
| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed
| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP
),
(imWebSessions
| where HttpUserAgent has_any (UserAgentString) or HttpUserAgent matches regex UARegex
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by HttpUserAgent, SourceIP = SrcIpAddr, DstIpAddr, Account = SrcUsername, URL, Type
| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = URL
),
(imNetworkSession
| where HttpUserAgent has_any (UserAgentString) or HttpUserAgent matches regex UARegex
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by HttpUserAgent, SourceIP = SrcIpAddr, DstIpAddr, Account = SrcUsername, Type, Url
| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = Url
)
)
entityMappings:
- entityType: URL
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
version: 1.0.1
kind: Scheduled

20
Detections/SecurityEvent/AADHealthMonAgentRegKeyAccess.yaml
Просмотреть файл

@ -35,35 +35,37 @@ query: |
(
SecurityEvent
| where EventID == '4656'
| where EventData has aadHealthMonAgentRegKey
| extend EventData = parse_xml(EventData).EventData.Data
| mv-expand bagexpansion=array EventData
| evaluate bag_unpack(EventData)
| extend Key = tostring(column_ifexists('@Name', "")), Value = column_ifexists('#text', "")
| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)
| extend ObjectName = column_ifexists("ObjectName", ""),
ObjectType = column_ifexists("ObjectType", "")
| where ObjectType == 'Key'
| where ObjectName == aadHealthMonAgentRegKey
| extend SubjectUserName = column_ifexists("SubjectUserName", ""),
SubjectDomainName = column_ifexists("SubjectDomainName", ""),
ObjectName = column_ifexists("ObjectName", ""),
ObjectType = column_ifexists("ObjectType", ""),
ProcessName = column_ifexists("ProcessName", "")
| extend Process = split(ProcessName, '\\', -1)[-1],
Account = strcat(SubjectDomainName, "\\", SubjectUserName)
| where ObjectType == 'Key'
| where ObjectName == aadHealthMonAgentRegKey
| where Process !in (aadConnectHealthProcs)
| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName
),
(
SecurityEvent
| where EventID == '4663'
| extend Process = split(ProcessName, '\\', -1)[-1]
| where ObjectType == 'Key'
| where ObjectName == aadHealthMonAgentRegKey
| extend Process = tostring(split(ProcessName, '\\', -1)[-1])
| where Process !in (aadConnectHealthProcs)
| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName
)
)
// You can filter out potential machine accounts
//| where AccountType != 'Machine'
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
| summarize count() by ProcessName
| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer
entityMappings:
- entityType: Account
fieldMappings:
@ -73,5 +75,5 @@ entityMappings:
fieldMappings:
- identifier: FullName
columnName: HostCustomEntity
version: 1.0.0
kind: Scheduled
version: 1.0.1
kind: Scheduled

6
Detections/SecurityEvent/SecurityEventLogCleared.yaml
Просмотреть файл

@ -18,7 +18,7 @@ triggerThreshold: 0
tactics:
- DefenseEvasion
relevantTechniques:
- T1107
- T1070
query: |
SecurityEvent
@ -34,5 +34,5 @@ entityMappings:
fieldMappings:
- identifier: FullName
columnName: HostCustomEntity
version: 1.0.0
kind: Scheduled
version: 1.0.1
kind: Scheduled

37
Detections/SecurityNestedRecommendation/Log4jVulnerableMachines.yaml Normal file
Просмотреть файл

@ -0,0 +1,37 @@
id: 3d71fc38-f249-454e-8479-0a358382ef9a
name: Vulnerable Machines related to log4j CVE-2021-44228
description: |
'This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to log4j CVE-2021-44228. Log4j is an open-source Apache logging library that is used in
many Java-based applications. Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).
Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/
Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal
Reference: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-defender-for-cloud-displays-machines-affected-by-log4j/ba-p/3037271'
severity: High
requiredDataConnectors: []
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
- Execution
relevantTechniques:
- T1190
- T1203
tags:
- Log4j
- CVE-2021-44228
- Log4shell
query: |
SecurityNestedRecommendation
| where RemediationDescription has 'CVE-2021-44228'
| parse ResourceDetails with * 'virtualMachines/' VirtualMAchine '"' *
| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId
| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine
entityMappings:
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: HostCustomEntity
version: 1.0.0
kind: Scheduled

6
Detections/ThreatIntelligenceIndicator/IPEntity_AppServiceHTTPLogs.yaml
Просмотреть файл

@ -44,7 +44,7 @@ query: |
| summarize AppService_TimeGenerated = arg_max(AppService_TimeGenerated, *) by IndicatorId, CIp
| project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername,
WebApp = split(_ResourceId, '/')[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId
| extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = CsHost
| extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = Url, HostCustomEntity = CsHost
entityMappings:
- entityType: Host
fieldMappings:
@ -66,5 +66,5 @@ entityMappings:
fieldMappings:
- identifier: ResourceId
columnName: _ResourceId
version: 1.2.1
kind: Scheduled
version: 1.2.2
kind: Scheduled

18
Detections/ThreatIntelligenceIndicator/IPEntity_AzureFirewall.yaml
Просмотреть файл

@ -38,16 +38,18 @@ query: |
| join kind=innerunique (
AzureDiagnostics
| where TimeGenerated >= ago(dt_lookBack)
| where OperationName in ("AzureFirewallApplicationRuleLog","AzureFirewallNetworkRuleLog")
| parse kind=regex flags=U msg_s with Protocol 'request from ' SourceHost 'to ' DestinationHost @'\.? Action:' Action
| extend SourceAddress = extract(@'([\.0-9]+)(:[\.0-9]+)?',1,SourceHost)
| extend DestinationAddress = extract(@'([\.0-9]+)(:[\.0-9]+)?',1,DestinationHost)
| where not(ipv4_is_private(DestinationAddress))
| where OperationName in ("AzureFirewallApplicationRuleLog", "AzureFirewallNetworkRuleLog")
| parse kind=regex flags=U msg_s with Protocol 'request from ' SourceHost 'to ' DestinationHost @'\.? Action: ' Action @'\.' Rest_msg
| extend SourceAddress = extract(@'([\.0-9]+)(:[\.0-9]+)?', 1, SourceHost)
| extend DestinationAddress = extract(@'([\.0-9]+)(:[\.0-9]+)?', 1, DestinationHost)
| extend RemoteIP = case(not(ipv4_is_private(DestinationAddress)), DestinationAddress, not(ipv4_is_private(SourceAddress)), SourceAddress, "")
// Traffic that involves a public address, and in case this is the source address then the traffic was not denied
| where isnotempty(RemoteIP)
| project-rename AzureFirewall_TimeGenerated = TimeGenerated
)
on $left.TI_ipEntity == $right.DestinationAddress
on $left.TI_ipEntity == $right.RemoteIP
| where AzureFirewall_TimeGenerated < ExpirationDateTime
| summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, *) by IndicatorId, DestinationAddress
| summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, *) by IndicatorId, RemoteIP
| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated,
TI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress
| extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url
@ -60,5 +62,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: URLCustomEntity
version: 1.1.0
version: 1.1.1
kind: Scheduled

2
Detections/ThreatIntelligenceIndicator/IPEntity_AzureKeyVault.yaml
Просмотреть файл

@ -12,7 +12,7 @@ requiredDataConnectors:
- ThreatIntelligenceIndicator
- connectorId: AzureKeyVault
dataTypes:
- AzureDiagnostics
- KeyVaultData
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt

54
Detections/ThreatIntelligenceIndicator/IPEntity_CustomSecurityLog.yaml Normal file
Просмотреть файл

@ -0,0 +1,54 @@
id: 66c81ae2-1f89-4433-be00-2fbbd9ba5ebe
name: TI map IP entity to CommonSecurityLog
description: |
'Identifies a match in CommonSecurityLog from any IP IOC from TI'
severity: Medium
requiredDataConnectors:
- connectorId: ThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- connectorId: ThreatIntelligenceTaxii
dataTypes:
- ThreatIntelligenceIndicator
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Impact
query: |
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true
// Picking up only IOC's that contain the entities we want
| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.
// Taking the first non-empty value based on potential IOC match availability
| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
| join kind=innerunique (
CommonSecurityLog
| where TimeGenerated >= ago(dt_lookBack)
| extend MessageIP = extract(IPRegex, 0, Message)
| extend CS_ipEntity = iff(isnotempty(SourceIP), SourceIP, DestinationIP)
| extend CS_ipEntity = iff(isempty(CS_ipEntity) and isnotempty(MessageIP), MessageIP, CS_ipEntity)
| extend CommonSecurityLog_TimeGenerated = TimeGenerated
)
on $left.TI_ipEntity == $right.CS_ipEntity
| where CommonSecurityLog_TimeGenerated < ExpirationDateTime
| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity
| project CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction
| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = CS_ipEntity
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled

5
Exploration Queries/InputEntity_IP/LeastPrevClientIP-DNSNameQueryToIP.yaml
Просмотреть файл

@ -38,7 +38,10 @@ query: |
) on exists
| project-away exists*
};
union isfuzzy=true GetAllIPByClientIP(@'<Address>'), imGetAllIPByClientIP(@'<Address>')
let BCExpansion=(ipaddress:string){
union isfuzzy=true GetAllIPByClientIP(ipaddress), imGetAllIPByClientIP(ipaddress)
};
BCExpansion('<Address>')

5
Exploration Queries/InputEntity_IP/MostPrevClientIP-DNSNameQueryToIP.yaml
Просмотреть файл

@ -38,4 +38,7 @@ query: |
) on exists
| project-away exists*
};
union isfuzzy=true GetAllIPByClientIP(@'<Address>'), imGetAllIPByClientIP(@'<Address>')
let BCExpansion=(ipaddress:string){
union isfuzzy=true GetAllIPByClientIP(ipaddress), imGetAllIPByClientIP(ipaddress)
};
BCExpansion('<Address>')

5
Hunting Queries/ASimProcess/imProcess_Certutil-LOLBins.yaml
Просмотреть файл

@ -4,9 +4,8 @@ description: |
'This detection uses Normalized Process Events to hunt Certutil activities'
requiredDataConnectors: []
tactics:
- Command And Control
- CommandAndControl
relevantTechniques:
- T1105
@ -25,4 +24,4 @@ entityMappings:
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: HostCustomEntity
columnName: HostCustomEntity

12
Hunting Queries/ASimProcess/imProcess_ExchangePowerShellSnapin.yaml
Просмотреть файл

@ -11,11 +11,11 @@ tactics:
relevantTechniques:
- T1119
query: |
imProcessCreate
| where Process has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe")
| where CommandLine has "Add-PSSnapin Microsoft.Exchange.Management.Powershell.Snapin"
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Dvc, User, CommandLine, EventVendor, EventProduct
| extend timestamp = FirstSeen, AccountCustomEntity = User, HostCustomEntity = Dvc
imProcessCreate
| where Process has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe")
| where CommandLine has "Add-PSSnapin Microsoft.Exchange.Management.Powershell.Snapin"
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Dvc, User, CommandLine, EventVendor, EventProduct
| extend timestamp = FirstSeen, AccountCustomEntity = User, HostCustomEntity = Dvc
entityMappings:
- entityType: Account
fieldMappings:
@ -24,4 +24,4 @@ entityMappings:
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: HostCustomEntity
columnName: HostCustomEntity

26
Hunting Queries/ASimProcess/imProcess_HostExportingMailboxAndRemovingExport.yaml
Просмотреть файл

@ -16,19 +16,19 @@ tags:
- NOBELIUM
query: |
// Adjust the timeframe to change the window events need to occur within to alert
let timeframe = 1h;
imProcessCreate
| where Process has_any ("powershell.exe", "cmd.exe")
| where CommandLine has 'New-MailboxExportRequest'
| summarize by Dvc, timekey = bin(TimeGenerated, timeframe), CommandLine, ActorUsername, EventVendor, EventProduct
| join kind=inner (imProcessCreate
| where Process has_any ("powershell.exe", "cmd.exe")
| where CommandLine has 'Remove-MailboxExportRequest'
| summarize by Dvc, EventProduct, EventVendor, timekey = bin(TimeGenerated, timeframe), CommandLine, ActorUsername) on Dvc, timekey, ActorUsername
| summarize by timekey, Dvc, CommandLine, ActorUsername
| project-reorder timekey, Dvc, ActorUsername, CommandLine
| extend HostCustomEntity = Dvc, AccountCustomEntity = ActorUsername
// Adjust the timeframe to change the window events need to occur within to alert
let timeframe = 1h;
imProcessCreate
| where Process has_any ("powershell.exe", "cmd.exe")
| where CommandLine has 'New-MailboxExportRequest'
| summarize by Dvc, timekey = bin(TimeGenerated, timeframe), CommandLine, ActorUsername, EventVendor, EventProduct
| join kind=inner (imProcessCreate
| where Process has_any ("powershell.exe", "cmd.exe")
| where CommandLine has 'Remove-MailboxExportRequest'
| summarize by Dvc, EventProduct, EventVendor, timekey = bin(TimeGenerated, timeframe), CommandLine, ActorUsername) on Dvc, timekey, ActorUsername
| summarize by timekey, Dvc, CommandLine, ActorUsername
| project-reorder timekey, Dvc, ActorUsername, CommandLine
| extend HostCustomEntity = Dvc, AccountCustomEntity = ActorUsername
entityMappings:
- entityType: Account

10
Hunting Queries/ASimProcess/imProcess_Invoke-PowerShellTcpOneLine.yaml
Просмотреть файл

@ -8,10 +8,10 @@ tactics:
relevantTechniques:
- T1011
query: |
imProcessCreate
| where Process has_any ("powershell.exe", "PowerShell_ISE.exe", "cmd.exe")
| where CommandLine has "$client = New-Object System.Net.Sockets.TCPClient"
| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Dvc, IPCustomEntity = DvcIpAddr
imProcessCreate
| where Process has_any ("powershell.exe", "PowerShell_ISE.exe", "cmd.exe")
| where CommandLine has "$client = New-Object System.Net.Sockets.TCPClient"
| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Dvc, IPCustomEntity = DvcIpAddr
entityMappings:
- entityType: Account
fieldMappings:
@ -24,4 +24,4 @@ entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
columnName: IPCustomEntity

2
Hunting Queries/ASimProcess/imProcess_NishangReverseTCPShellBase64.yaml
Просмотреть файл

@ -26,4 +26,4 @@ entityMappings:
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: HostCustomEntity
columnName: HostCustomEntity

5
Hunting Queries/ASimProcess/imProcess_ProcessEntropy.yaml
Просмотреть файл

@ -8,8 +8,7 @@ description: |
In general, this should identify processes on a Host that are rare and rare for the environment.
References: https://medium.com/udacity/shannon-entropy-information-gain-and-picking-balls-from-buckets-5810d35d54b4
https://en.wiktionary.org/wiki/Shannon_entropy'
requiredDataConnectors:
- connectorId: []
requiredDataConnectors: []
tactics:
- Execution
query: |
@ -123,5 +122,3 @@ query: |
| project-reorder StartTime, EndTime, ResultCount, EventID, EventVendor, EventProduct, DvcHostname, ActorUserId, Account, AccountType, Weight, ProcessEntropy,TargetProcessFileName, TargetProcessFilePath, TargetProcessCommandLine, ActingProcessFileName, AllHostsProcessCount, ProcessCountOnHost, DistinctHostsProcessCount, _ResourceId, DvcId
| sort by Weight asc, ProcessEntropy asc, TargetProcessFilePath asc
| extend timestamp = StartTime, HostCustomEntity = DvcHostname, AccountCustomEntity = Account

4
Hunting Queries/ASimProcess/imProcess_SolarWindsInventory.yaml
Просмотреть файл

@ -1,4 +1,4 @@
id: c3f1606e-48eb-464e-a60c-d53af5a5796e
id: c3f1606e-48eb-464e-a60c-d53af5a5796e
name: SolarWinds Inventory (Normalized Process Events)
description: |
'Beyond your internal software management systems, it is possible you may not have visibility into your entire footprint of SolarWinds installations. This is intended to help use process exection information to discovery any systems that have SolarWinds processes'
@ -15,4 +15,4 @@ query: |
| where Process has 'solarwinds'
| extend MachineName = DvcHostname , Process = TargetProcessFilePath
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), MachineCount = dcount(Dvc), AccountCount = dcount(User), MachineNames = make_set(Dvc),
Accounts = make_set(User) by Process, EventVendor, EventProduct
Accounts = make_set(User) by Process, EventVendor, EventProduct

4
Hunting Queries/ASimProcess/imProcess_Windows System Shutdown-Reboot(T1529).yaml
Просмотреть файл

@ -4,7 +4,7 @@ description: |
'This detection uses Normalized Process Events to detect System Shutdown/Reboot (MITRE Technique: T1529)'
requiredDataConnectors: []
tactics:
- Impact
relevantTechniques:
@ -24,4 +24,4 @@ entityMappings:
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: HostCustomEntity
columnName: HostCustomEntity

32
Hunting Queries/ASimProcess/imProcess_cscript_summary.yaml
Просмотреть файл

@ -6,19 +6,19 @@ requiredDataConnectors: []
tactics:
- Execution
query: |
imProcessCreate
| where Process has "cscript.exe"
| extend FileName=tostring(split(Process, '\\')[-1])
| where FileName =~ "cscript.exe"
| extend removeSwitches = replace(@"/+[a-zA-Z0-9:]+", "", CommandLine)
| extend CommandLine = trim(@"[a-zA-Z0-9\\:""]*cscript(.exe)?("")?(\s)+", removeSwitches)
// handle case where script name is enclosed in " characters or is not enclosed in quotes
| extend ScriptName= iff(CommandLine startswith @"""",
extract(@"([:\\a-zA-Z_\-\s0-9\.()]+)(""?)", 0, CommandLine),
extract(@"([:\\a-zA-Z_\-0-9\.()]+)(""?)", 0, CommandLine))
| extend ScriptName=trim(@"""", ScriptName) , ScriptNameLength=strlen(ScriptName)
// extract remainder of commandline as script parameters:
| extend ScriptParams = iff(ScriptNameLength < strlen(CommandLine), substring(CommandLine, ScriptNameLength +1), "")
| summarize min(TimeGenerated), count() by Dvc, User, ScriptName, ScriptParams, EventVendor, EventProduct
| order by count_ asc nulls last
| extend timestamp = min_TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = User
imProcessCreate
| where Process has "cscript.exe"
| extend FileName=tostring(split(Process, '\\')[-1])
| where FileName =~ "cscript.exe"
| extend removeSwitches = replace(@"/+[a-zA-Z0-9:]+", "", CommandLine)
| extend CommandLine = trim(@"[a-zA-Z0-9\\:""]*cscript(.exe)?("")?(\s)+", removeSwitches)
// handle case where script name is enclosed in " characters or is not enclosed in quotes
| extend ScriptName= iff(CommandLine startswith @"""",
extract(@"([:\\a-zA-Z_\-\s0-9\.()]+)(""?)", 0, CommandLine),
extract(@"([:\\a-zA-Z_\-0-9\.()]+)(""?)", 0, CommandLine))
| extend ScriptName=trim(@"""", ScriptName) , ScriptNameLength=strlen(ScriptName)
// extract remainder of commandline as script parameters:
| extend ScriptParams = iff(ScriptNameLength < strlen(CommandLine), substring(CommandLine, ScriptNameLength +1), "")
| summarize min(TimeGenerated), count() by Dvc, User, ScriptName, ScriptParams, EventVendor, EventProduct
| order by count_ asc nulls last
| extend timestamp = min_TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = User

21
Hunting Queries/ASimProcess/imProcess_enumeration_user_and_group.yaml
Просмотреть файл

@ -7,14 +7,13 @@ tactics:
- Discovery
query: |
imProcessCreate
| where (CommandLine has ' user ' or CommandLine has ' group ') and (CommandLine hassuffix ' /do' or CommandLine hassuffix ' /domain')
| where Process has 'net.exe' // performance pre-filtering
| extend FileName=tostring(split(Process, '\\')[-1])
| where FileName == 'net.exe' and ActorUsername != "" and CommandLine !contains '\\' and CommandLine !contains '/add'
| extend Target = extract("(?i)[user|group] (\"*[a-zA-Z0-9-_ ]+\"*)", 1, CommandLine)
| where Target != ''
| summarize minTimeGenerated=min(TimeGenerated), maxTimeGenerated=max(TimeGenerated), count() by ActorUsername, Target, CommandLine, Dvc, EventVendor, EventProduct
| sort by ActorUsername, Target
| extend timestamp = minTimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc
imProcessCreate
| where (CommandLine has ' user ' or CommandLine has ' group ') and (CommandLine hassuffix ' /do' or CommandLine hassuffix ' /domain')
| where Process has 'net.exe' // performance pre-filtering
| extend FileName=tostring(split(Process, '\\')[-1])
| where FileName == 'net.exe' and ActorUsername != "" and CommandLine !contains '\\' and CommandLine !contains '/add'
| extend Target = extract("(?i)[user|group] (\"*[a-zA-Z0-9-_ ]+\"*)", 1, CommandLine)
| where Target != ''
| summarize minTimeGenerated=min(TimeGenerated), maxTimeGenerated=max(TimeGenerated), count() by ActorUsername, Target, CommandLine, Dvc, EventVendor, EventProduct
| sort by ActorUsername, Target
| extend timestamp = minTimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc

23
Hunting Queries/ASimProcess/imProcess_persistence_create_account.yaml
Просмотреть файл

@ -14,15 +14,14 @@ tactics:
relevantTechniques:
- T1110
query: |
imProcessCreate
| where Process has_any ("net.exe", "net1.exe") // preformance pre-filtering
| extend FileName = tostring(split(Process, '\\')[-1])
| extend ActingProcessFileName= tostring(split(ActingProcessName, '\\')[-1])
| where FileName in~ ("net.exe", "net1.exe")
| parse kind=regex flags=iU CommandLine with * "user " CreatedUser " " * "/ad"
| where not(FileName =~ "net1.exe" and ActingProcessFileName =~ "net.exe" and replace("net", "net1", ActingProcessCommandLine) =~ CommandLine)
| extend CreatedOnLocalMachine=(CommandLine !has "/do")
| where CommandLine has "/add" or (CreatedOnLocalMachine == 0 and CommandLine !has "/domain")
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), MachineCount=dcount(Dvc) by CreatedUser, CreatedOnLocalMachine, ActingProcessFileName, FileName, CommandLine, ActingProcessCommandLine, EventVendor, EventProduct
| extend timestamp = StartTimeUtc, AccountCustomEntity = CreatedUser
imProcessCreate
| where Process has_any ("net.exe", "net1.exe") // preformance pre-filtering
| extend FileName = tostring(split(Process, '\\')[-1])
| extend ActingProcessFileName= tostring(split(ActingProcessName, '\\')[-1])
| where FileName in~ ("net.exe", "net1.exe")
| parse kind=regex flags=iU CommandLine with * "user " CreatedUser " " * "/ad"
| where not(FileName =~ "net1.exe" and ActingProcessFileName =~ "net.exe" and replace("net", "net1", ActingProcessCommandLine) =~ CommandLine)
| extend CreatedOnLocalMachine=(CommandLine !has "/do")
| where CommandLine has "/add" or (CreatedOnLocalMachine == 0 and CommandLine !has "/domain")
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), MachineCount=dcount(Dvc) by CreatedUser, CreatedOnLocalMachine, ActingProcessFileName, FileName, CommandLine, ActingProcessCommandLine, EventVendor, EventProduct
| extend timestamp = StartTimeUtc, AccountCustomEntity = CreatedUser

2
Hunting Queries/ASimProcess/imProcess_powershell_downloads.yaml
Просмотреть файл

@ -14,4 +14,4 @@ query: |
| where CommandLine has_any ("Net.WebClient", "DownloadFile", "Invoke-WebRequest", "Invoke-Shellcode", "http:")
| project TimeGenerated, Dvc, User, InitiatingProcessFileName, FileName, CommandLine, EventVendor, EventProduct
| top 100 by TimeGenerated
| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = User
| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = User

5
Hunting Queries/ASimProcess/imProcess_uncommon_processes.yaml
Просмотреть файл

@ -5,8 +5,7 @@ description: |
These new processes could be benign new programs installed on hosts;
However, especially in normally stable environments, these new processes could provide an indication of an unauthorized/malicious binary that has been installed and run.
Reviewing the wider context of the logon sessions in which these binaries ran can provide a good starting point for identifying possible attacks.'
requiredDataConnectors:
- connectorId: []
requiredDataConnectors: []
tactics:
- Execution
query: |
@ -26,4 +25,4 @@ query: |
| project FileName, frequency, precentile_5, Since, LastSeen , EventVendor, EventProduct
// restrict results to unusual processes seen in last day
| where LastSeen >= ago(1d)
| extend timestamp = LastSeen
| extend timestamp = LastSeen

4
Hunting Queries/ASimProcess/inProcess_SignedBinaryProxyExecutionRundll32.yaml
Просмотреть файл

@ -6,7 +6,7 @@ description: |
requiredDataConnectors: []
tactics:
- Defense Evasion
- DefenseEvasion
relevantTechniques:
- T1218.011
query: |
@ -24,4 +24,4 @@ entityMappings:
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: HostCustomEntity
columnName: HostCustomEntity

2
Hunting Queries/AzureDevOpsAuditing/ADONewPackageFeedCreated.yaml
Просмотреть файл

@ -4,7 +4,7 @@ description: |
'An attacker could look to introduce upstream compromised software packages by creating a new package feed within Azure DevOps. This query looks for new Feeds and includes details on any Azure AD Identity Protection alerts related to the user account creating the feed to assist in triage.'
requiredDataConnectors: []
tactics:
- Initial Access
- InitialAccess
relevantTechniques:
- T1195
query: |

35
Hunting Queries/AzureDiagnostics/WAF_log4j_vulnerability.yaml Normal file
Просмотреть файл

@ -0,0 +1,35 @@
id: 1d4d383e-0ca6-4d3a-a861-8f37aeef18cb
name: Azure WAF Log4j CVE-2021-44228 hunting
description: |
'This hunting query looks in Azure Web Application Firewall data to find possible exploitation attempts for CVE-2021-44228 involving log4j vulnerability.
Refrence: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/'
requiredDataConnectors:
- connectorId: WAF
dataTypes:
- AzureDiagnostics
tactics:
- InitialAccess
relevantTechniques:
- T1190
tags:
- CVE-2021-44228
- log4j
- log4shell
query: |
let log4jcmdstring = dynamic(["${jndi:ldap","${jndi:dns","${jndi:rmi","${jndi:corba","${jndi:iiop","${jndi:nis","${jndi:nds"]);
let log4jRegex = @'(\\$|%24)(\\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\\$|%24|}|%7D)';
AzureDiagnostics
| where Category in ("FrontdoorWebApplicationFirewallLog", "FrontdoorAccessLog", "ApplicationGatewayFirewallLog", "ApplicationGatewayAccessLog")
//The regex and the string matching look for the most common attacks. This is not supposed to be comprehensive.
| where originalRequestUriWithArgs_s has_any (log4jcmdstring) or originalRequestUriWithArgs_s matches regex log4jRegex or userAgent_s has_any (log4jcmdstring) or userAgent_s matches regex log4jRegex
| extend CmdLine = iff(originalRequestUriWithArgs_s has 'Base64/', split(split(originalRequestUriWithArgs_s, "Base64/",1)[0], "}", 0)[0], split(split(userAgent_s, "Base64/",1)[0], "}", 0)[0])
| extend CmdLine = base64_decode_tostring(tostring(CmdLine))
| where CmdLine has_any ("wget","curl")
| summarize Total = count() by originalRequestUriWithArgs_s, userAgent_s, clientIP_s,clientPort_d, TimeGenerated, host_s, requestUri_s, httpStatus_d,listenerName_s, CmdLine, httpMethod_s, Category
| extend IPCustomEntity = clientIP_s, timestamp = TimeGenerated
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.1

58
Hunting Queries/CommonSecurityLog/NetworkConnectionToNewExternalLDAPServer.yaml Normal file
Просмотреть файл

@ -0,0 +1,58 @@
id: bf094505-fd2e-484f-b72a-acd79ee00ce8
name: Network Connection to New External LDAP Server
description: |
'This hunting query looks for outbound network connections using the LDAP protocol to external IP addresses, where that IP address has not had an LDAP network connection to it in the 14 days preceding the query timeframe. This could indicate someone exploiting a vulnerability such as CVE-2021-44228 to trigger the connection to a malicious LDAP server.
For more details on Apache Log4j Remote Code Execution Vulnerability - https://community.riskiq.com/article/505098fc/description
Find more details on collecting EXECVE data into Microsoft Sentinel - https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431'
requiredDataConnectors:
- connectorId: CheckPoint
dataTypes:
- CommonSecurityLog (CheckPoint)
- connectorId: CiscoASA
dataTypes:
- CommonSecurityLog (Cisco)
- connectorId: PaloAltoNetworks
dataTypes:
- CommonSecurityLog (PaloAlto)
tactics:
- InitialAccess
relevantTechniques:
- T1190
tags:
- CVE-2021-44228
- Log4j
- Log4Shell
query: |
let starttime = todatetime('{{StartTimeISO}}');
let endtime = todatetime('{{EndTimeISO}}');
let lookback = starttime - 14d;
let legacy_ldap = (
CommonSecurityLog
| where TimeGenerated between(lookback..starttime)
// Filter to LDAP connections only
| where ApplicationProtocol =~ "ldap"
// Check LDAP server is external
| extend private = ipv4_is_private(DestinationIP)
| where private == false
// Filter out events where network connection was blocked - change this to expand hunt
| where DeviceAction has_any ("allow", "accept", "allowed")
| summarize by DestinationIP);
CommonSecurityLog
| where TimeGenerated between(starttime..endtime)
| where ApplicationProtocol =~ "ldap"
| extend private = ipv4_is_private(DestinationIP)
| where private == false
| where DestinationIP !in (legacy_ldap)
| where DeviceAction has_any ("allow", "accept", "allowed")
| extend timestamp = TimeGenerated
| project-reorder TimeGenerated, SourceIP, DestinationIP, ApplicationProtocol, DestinationPort, SentBytes, ReceivedBytes, DeviceAction
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SourceIP
- entityType: IP
fieldMappings:
- identifier: Address
columnName: DestinationIP
version: 1.0.0

53
Hunting Queries/MultipleDataSources/NetworkConnectionldap_log4j.yaml Normal file
Просмотреть файл

@ -0,0 +1,53 @@
id: 19abc034-139e-4e64-a05d-cb07ce8b003b
name: Malicious Connection to LDAP port for CVE-2021-44228 vulnerability
description: |
'This hunting query looks for connection to LDAP port to find possible exploitation attempts for CVE-2021-44228 involving log4j vulnerability.
Log4j is an open-source Apache logging library that is used in many Java-based applications. Awarness of normal baseline traffic of an enviornment for java.exe
while using this query will help detrmine normal from anaomalous.
Refrence: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/'
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceNetworkEvents
- connectorId: AzureMonitor(VMInsights)
dataTypes:
- VMConnection
tactics:
- CommandAndControl
relevantTechniques:
- T1071
tags:
- CVE-2021-44228
- log4j
- log4shell
query: |
let PrivateIPregex = @'^127\.|^10\.|^172\.1[6-9]\.|^172\.2[0-9]\.|^172\.3[0-1]\.|^192\.168\.';
let Port = dynamic(['389', '1389']);
(union isfuzzy=true
(DeviceNetworkEvents
| where InitiatingProcessFileName has_any ("javaw.exe","java.exe")
| where ActionType has "ConnectionSuccess"
| where RemotePort in ('389', '1389')
| where InitiatingProcessCommandLine has_any ('curl', 'wget')
| where RemoteIPType =~ 'Public'
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by ActionType, DestinationIP = RemoteIP, RemoteUrl, DestinationPort = RemotePort, SourceIP = LocalIP, Type, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessParentFileName, ProcessName = InitiatingProcessFileName, Computer = DeviceName
| extend timestamp = StartTime, IPCustomEntity = DestinationIP, HostCustomEntity = Computer
),
(VMConnection
| where ProcessName has_any ("javaw","java")
| where DestinationPort in ('389', '1389')
| extend DestinationIpType = iff(DestinationIp matches regex PrivateIPregex,"private" ,"public" )
| where DestinationIpType == "public"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by TimeGenerated, SourceIP = SourceIp , DestinationIP = DestinationIp, DestinationPort, BytesReceived, BytesSent, ProcessName, Computer
| extend timestamp = StartTime, IPCustomEntity = DestinationIP, HostCustomEntity = Computer
)
)
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: HostCustomEntity

2
Hunting Queries/MultipleDataSources/UnicodeObfuscationInCommandLine.yaml
Просмотреть файл

@ -12,7 +12,7 @@ requiredDataConnectors:
dataTypes:
- DeviceProcessEvents
tactics:
- DefenceEvasion
- DefenseEvasion
relevantTechniques:
- T1027
query: |

2
Hunting Queries/SecurityEvent/Certutil-LOLBins.yaml
Просмотреть файл

@ -8,7 +8,7 @@ requiredDataConnectors:
dataTypes:
- SecurityEvent
tactics:
- Command And Control
- CommandAndControl
relevantTechniques:
- T1105

Некоторые файлы не были показаны из-за слишком большого количества измененных файлов Показать больше