Awake Security - Azure Sentinel Solution
The Awake Security solution allows users to send detection model matches from the Awake Security Platform to Azure Sentinel. It helps remediate threats quickly with the power of network detection and response and speed up investigations with deep visibility especially into unmanaged entities including users, devices and applications on your network. The solution also offers network security-focused custom alerts, incidents and workbooks that align with Azure Sentinel workflows.
This commit is contained in:
adarshb20
Родитель
53f6d2bfed
Коммит
9dbddcb149
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
После Ширина: | Высота: | Размер: 4.9 KiB |
|
|
@ -0,0 +1,16 @@
|
|||
TenantId,SourceSystem,TimeGenerated [UTC],DeviceVendor,DeviceProduct,DeviceEventClassID,LogSeverity,Computer,DestinationIP,SourceIP,DeviceVersion,Activity,EventCount,DestinationHostName,SourceHostName,EventType,DeviceCustomNumber2,DeviceCustomNumber2Label,DeviceCustomString1,DeviceCustomString1Label,DeviceCustomString2,DeviceCustomString2Label,DeviceCustomString3,DeviceCustomString3Label,DeviceCustomString4,DeviceCustomString4Label,DeviceCustomDate1,DeviceCustomDate1Label,DeviceCustomDate2,DeviceCustomDate2Label,Type
|
||||
2ffa99bd-e154-4d04-bacc-20cffa687439,OpsManager,"9/9/2021, 2:09:17.084 PM",Arista Networks,Awake Security,2418947b-33a3-00a2-fdf8-5cd5d24fa1af,6,awakesecurity,178.62.72.123,192.168.122.142,4.1.1,C2: Beacons to Live Posh C2 Servers,14,advertyzing.co.uk,UnnamedDevice_7242dcd6,2,0,AdditionalDestinationCount,awake-dogfood,Customer,/app/workbench?view\=activity&endTime\=2021-09-09T13%3A00%3A00Z&startTime\=2021-09-09T12%3A00%3A00Z&sortBy\=activity.start_time%3Aasc&query\=%28activity.threat_behavior%282418947b-33a3-00a2-fdf8-5cd5d24fa1af%29+%26%26+device.guid+%3D%3D+af2ea299-1fce-b38f-2cdb-a0b97242dcd6%29,DeviceUrlPath,,,,,2021-09-09T12:00:00Z,StartTime,2021-09-09T13:00:00Z,EndTime,CommonSecurityLog
|
||||
2ffa99bd-e154-4d04-bacc-20cffa687439,OpsManager,"9/9/2021, 2:09:17.257 PM",Arista Networks,Awake Security,2418947b-33a3-00a2-fdf8-5cd5d24fa1af,6,awakesecurity,178.62.72.123,192.168.122.142,4.1.1,C2: Beacons to Live Posh C2 Servers,14,advertyzing.co.uk,UnnamedDevice_70e180c2,2,0,AdditionalDestinationCount,awake-dogfood,Customer,/app/workbench?view\=activity&endTime\=2021-09-09T13%3A00%3A00Z&startTime\=2021-09-09T12%3A00%3A00Z&sortBy\=activity.start_time%3Aasc&query\=%28activity.threat_behavior%282418947b-33a3-00a2-fdf8-5cd5d24fa1af%29+%26%26+device.guid+%3D%3D+d524960f-4da0-caeb-e34d-2e4c70e180c2%29,DeviceUrlPath,,,,,2021-09-09T12:00:00Z,StartTime,2021-09-09T13:00:00Z,EndTime,CommonSecurityLog
|
||||
2ffa99bd-e154-4d04-bacc-20cffa687439,OpsManager,"9/9/2021, 2:09:17.417 PM",Arista Networks,Awake Security,2418947b-33a3-00a2-fdf8-5cd5d24fa1af,6,awakesecurity,178.62.72.123,192.168.122.142,4.1.1,C2: Beacons to Live Posh C2 Servers,14,advertyzing.co.uk,UnnamedDevice_6871a55c,2,0,AdditionalDestinationCount,awake-dogfood,Customer,/app/workbench?view\=activity&endTime\=2021-09-09T13%3A00%3A00Z&startTime\=2021-09-09T12%3A00%3A00Z&sortBy\=activity.start_time%3Aasc&query\=%28activity.threat_behavior%282418947b-33a3-00a2-fdf8-5cd5d24fa1af%29+%26%26+device.guid+%3D%3D+4c85e765-e60b-26bd-4979-dd056871a55c%29,DeviceUrlPath,,,,,2021-09-09T12:00:00Z,StartTime,2021-09-09T13:00:00Z,EndTime,CommonSecurityLog
|
||||
2ffa99bd-e154-4d04-bacc-20cffa687439,OpsManager,"9/9/2021, 2:09:17.597 PM",Arista Networks,Awake Security,2418947b-33a3-00a2-fdf8-5cd5d24fa1af,6,awakesecurity,178.62.72.123,192.168.122.142,4.1.1,C2: Beacons to Live Posh C2 Servers,14,advertyzing.co.uk,UnnamedDevice_427567e5,2,0,AdditionalDestinationCount,awake-dogfood,Customer,/app/workbench?view\=activity&endTime\=2021-09-09T13%3A00%3A00Z&startTime\=2021-09-09T12%3A00%3A00Z&sortBy\=activity.start_time%3Aasc&query\=%28activity.threat_behavior%282418947b-33a3-00a2-fdf8-5cd5d24fa1af%29+%26%26+device.guid+%3D%3D+7b4353ce-5b4c-dc57-8326-e8e2427567e5%29,DeviceUrlPath,,,,,2021-09-09T12:00:00Z,StartTime,2021-09-09T13:00:00Z,EndTime,CommonSecurityLog
|
||||
2ffa99bd-e154-4d04-bacc-20cffa687439,OpsManager,"9/9/2021, 2:09:17.777 PM",Arista Networks,Awake Security,2418947b-33a3-00a2-fdf8-5cd5d24fa1af,6,awakesecurity,178.62.72.123,192.168.122.142,4.1.1,C2: Beacons to Live Posh C2 Servers,14,advertyzing.co.uk,UnnamedDevice_12a6a671,2,0,AdditionalDestinationCount,awake-dogfood,Customer,/app/workbench?view\=activity&endTime\=2021-09-09T13%3A00%3A00Z&startTime\=2021-09-09T12%3A00%3A00Z&sortBy\=activity.start_time%3Aasc&query\=%28activity.threat_behavior%282418947b-33a3-00a2-fdf8-5cd5d24fa1af%29+%26%26+device.guid+%3D%3D+40ad6773-170c-a34e-924e-5e8f12a6a671%29,DeviceUrlPath,,,,,2021-09-09T12:00:00Z,StartTime,2021-09-09T13:00:00Z,EndTime,CommonSecurityLog
|
||||
2ffa99bd-e154-4d04-bacc-20cffa687439,OpsManager,"9/9/2021, 2:09:17.957 PM",Arista Networks,Awake Security,2418947b-33a3-00a2-fdf8-5cd5d24fa1af,6,awakesecurity,178.62.72.123,192.168.122.142,4.1.1,C2: Beacons to Live Posh C2 Servers,14,advertyzing.co.uk,UnnamedDevice_b5568117,2,0,AdditionalDestinationCount,awake-dogfood,Customer,/app/workbench?view\=activity&endTime\=2021-09-09T13%3A00%3A00Z&startTime\=2021-09-09T12%3A00%3A00Z&sortBy\=activity.start_time%3Aasc&query\=%28activity.threat_behavior%282418947b-33a3-00a2-fdf8-5cd5d24fa1af%29+%26%26+device.guid+%3D%3D+10724290-7da1-d35c-c408-b637b5568117%29,DeviceUrlPath,,,,,2021-09-09T12:00:00Z,StartTime,2021-09-09T13:00:00Z,EndTime,CommonSecurityLog
|
||||
2ffa99bd-e154-4d04-bacc-20cffa687439,OpsManager,"9/9/2021, 2:09:18.137 PM",Arista Networks,Awake Security,2418947b-33a3-00a2-fdf8-5cd5d24fa1af,6,awakesecurity,178.62.72.123,192.168.122.142,4.1.1,C2: Beacons to Live Posh C2 Servers,14,advertyzing.co.uk,UnnamedDevice_9f9b8efb,2,0,AdditionalDestinationCount,awake-dogfood,Customer,/app/workbench?view\=activity&endTime\=2021-09-09T13%3A00%3A00Z&startTime\=2021-09-09T12%3A00%3A00Z&sortBy\=activity.start_time%3Aasc&query\=%28activity.threat_behavior%282418947b-33a3-00a2-fdf8-5cd5d24fa1af%29+%26%26+device.guid+%3D%3D+83ec5aa5-5c3a-d8dd-bb18-cb049f9b8efb%29,DeviceUrlPath,,,,,2021-09-09T12:00:00Z,StartTime,2021-09-09T13:00:00Z,EndTime,CommonSecurityLog
|
||||
2ffa99bd-e154-4d04-bacc-20cffa687439,OpsManager,"9/9/2021, 2:09:18.317 PM",Arista Networks,Awake Security,76cd4c89-1e12-2503-d6f3-cc0ee809b0b6,6,awakesecurity,10.199.100.101,10.199.100.105,4.1.1,Lateral Movement: Psexec Like Activity,20,,sys8414-w10,2,0,AdditionalDestinationCount,awake-dogfood,Customer,/app/workbench?view\=activity&endTime\=2021-09-09T13%3A00%3A00Z&startTime\=2021-09-09T12%3A00%3A00Z&sortBy\=activity.start_time%3Aasc&query\=%28activity.threat_behavior%2876cd4c89-1e12-2503-d6f3-cc0ee809b0b6%29+%26%26+device.guid+%3D%3D+9d21f0f5-3129-cc30-4f13-1afdfa43e2ba%29,DeviceUrlPath,,,Server,DeviceType,2021-09-09T12:00:00Z,StartTime,2021-09-09T13:00:00Z,EndTime,CommonSecurityLog
|
||||
2ffa99bd-e154-4d04-bacc-20cffa687439,OpsManager,"9/9/2021, 2:09:19.177 PM",Arista Networks,Awake Security,76cd4c89-1e12-2503-d6f3-cc0ee809b0b6,6,awakesecurity,10.199.100.101,10.199.100.105,4.1.1,Lateral Movement: Psexec Like Activity,20,,sys8414-w10,2,0,AdditionalDestinationCount,awake-dogfood,Customer,/app/workbench?view\=activity&endTime\=2021-09-09T13%3A00%3A00Z&startTime\=2021-09-09T12%3A00%3A00Z&sortBy\=activity.start_time%3Aasc&query\=%28activity.threat_behavior%2876cd4c89-1e12-2503-d6f3-cc0ee809b0b6%29+%26%26+device.guid+%3D%3D+cec9e413-6a8f-f225-c96a-06dc134d5a6a%29,DeviceUrlPath,,,Server,DeviceType,2021-09-09T12:00:00Z,StartTime,2021-09-09T13:00:00Z,EndTime,CommonSecurityLog
|
||||
2ffa99bd-e154-4d04-bacc-20cffa687439,OpsManager,"9/9/2021, 2:09:19.357 PM",Arista Networks,Awake Security,fdef48bb-87e7-d60d-9a9a-175980a74154,6,awakesecurity,10.199.100.101,10.199.100.105,4.1.1,Lateral Movement: Suspicious File Creation Attempt in Windows Directory,32,,sys8414-w10,2,0,AdditionalDestinationCount,awake-dogfood,Customer,/app/workbench?view\=activity&endTime\=2021-09-09T13%3A00%3A00Z&startTime\=2021-09-09T12%3A00%3A00Z&sortBy\=activity.start_time%3Aasc&query\=%28activity.threat_behavior%28fdef48bb-87e7-d60d-9a9a-175980a74154%29+%26%26+device.guid+%3D%3D+cec9e413-6a8f-f225-c96a-06dc134d5a6a%29,DeviceUrlPath,,,Server,DeviceType,2021-09-09T12:00:00Z,StartTime,2021-09-09T13:00:00Z,EndTime,CommonSecurityLog
|
||||
2ffa99bd-e154-4d04-bacc-20cffa687439,OpsManager,"9/9/2021, 2:09:19.537 PM",Arista Networks,Awake Security,fdef48bb-87e7-d60d-9a9a-175980a74154,6,awakesecurity,10.199.100.101,10.199.100.105,4.1.1,Lateral Movement: Suspicious File Creation Attempt in Windows Directory,32,,sys8414-w10,2,0,AdditionalDestinationCount,awake-dogfood,Customer,/app/workbench?view\=activity&endTime\=2021-09-09T13%3A00%3A00Z&startTime\=2021-09-09T12%3A00%3A00Z&sortBy\=activity.start_time%3Aasc&query\=%28activity.threat_behavior%28fdef48bb-87e7-d60d-9a9a-175980a74154%29+%26%26+device.guid+%3D%3D+9d21f0f5-3129-cc30-4f13-1afdfa43e2ba%29,DeviceUrlPath,,,Server,DeviceType,2021-09-09T12:00:00Z,StartTime,2021-09-09T13:00:00Z,EndTime,CommonSecurityLog
|
||||
2ffa99bd-e154-4d04-bacc-20cffa687439,OpsManager,"9/9/2021, 2:09:19.717 PM",Arista Networks,Awake Security,505d0927-3b9f-b028-d15b-4192a6676bb4,5,awakesecurity,104.236.16.69,10.1.12.103,4.1.1,Download: Exe Downloaded From Ip,68,,Windows Device_b76ff469,2,0,AdditionalDestinationCount,awake-dogfood,Customer,/app/workbench?view\=activity&endTime\=2021-09-09T13%3A00%3A00Z&startTime\=2021-09-09T12%3A00%3A00Z&sortBy\=activity.start_time%3Aasc&query\=%28activity.threat_behavior%28505d0927-3b9f-b028-d15b-4192a6676bb4%29+%26%26+device.guid+%3D%3D+0eb7a04f-cfcc-a8f2-2905-922ab76ff469%29,DeviceUrlPath,Windows,OperatingSystem,Windows Device,DeviceType,2021-09-09T12:00:00Z,StartTime,2021-09-09T13:00:00Z,EndTime,CommonSecurityLog
|
||||
2ffa99bd-e154-4d04-bacc-20cffa687439,OpsManager,"9/9/2021, 2:09:19.898 PM",Arista Networks,Awake Security,505d0927-3b9f-b028-d15b-4192a6676bb4,5,awakesecurity,93.79.152.158,192.168.122.126,4.1.1,Download: Exe Downloaded From Ip,68,,Windows Device_ad0e0147,2,1,AdditionalDestinationCount,awake-dogfood,Customer,/app/workbench?view\=activity&endTime\=2021-09-09T13%3A00%3A00Z&startTime\=2021-09-09T12%3A00%3A00Z&sortBy\=activity.start_time%3Aasc&query\=%28activity.threat_behavior%28505d0927-3b9f-b028-d15b-4192a6676bb4%29+%26%26+device.guid+%3D%3D+28f3134f-f0e9-6a30-c952-bc51ad0e0147%29,DeviceUrlPath,Windows,OperatingSystem,Windows Device,DeviceType,2021-09-09T12:00:00Z,StartTime,2021-09-09T13:00:00Z,EndTime,CommonSecurityLog
|
||||
2ffa99bd-e154-4d04-bacc-20cffa687439,OpsManager,"9/9/2021, 2:09:20.077 PM",Arista Networks,Awake Security,505d0927-3b9f-b028-d15b-4192a6676bb4,5,awakesecurity,196.0.10.19,192.168.10.37,4.1.1,Download: Exe Downloaded From Ip,68,,UnnamedDevice_2ac7fac2,2,0,AdditionalDestinationCount,awake-dogfood,Customer,/app/workbench?view\=activity&endTime\=2021-09-09T13%3A00%3A00Z&startTime\=2021-09-09T12%3A00%3A00Z&sortBy\=activity.start_time%3Aasc&query\=%28activity.threat_behavior%28505d0927-3b9f-b028-d15b-4192a6676bb4%29+%26%26+device.guid+%3D%3D+3b6edf71-c80e-b7e2-8d4c-7f0e2ac7fac2%29,DeviceUrlPath,,,,,2021-09-09T12:00:00Z,StartTime,2021-09-09T13:00:00Z,EndTime,CommonSecurityLog
|
||||
2ffa99bd-e154-4d04-bacc-20cffa687439,OpsManager,"9/9/2021, 2:09:20.257 PM",Arista Networks,Awake Security,505d0927-3b9f-b028-d15b-4192a6676bb4,5,awakesecurity,93.79.152.158,192.168.122.126,4.1.1,Download: Exe Downloaded From Ip,68,,Windows Device_42369b6b,2,1,AdditionalDestinationCount,awake-dogfood,Customer,/app/workbench?view\=activity&endTime\=2021-09-09T13%3A00%3A00Z&startTime\=2021-09-09T12%3A00%3A00Z&sortBy\=activity.start_time%3Aasc&query\=%28activity.threat_behavior%28505d0927-3b9f-b028-d15b-4192a6676bb4%29+%26%26+device.guid+%3D%3D+ba4daf96-490f-6ffb-be47-a37b42369b6b%29,DeviceUrlPath,Windows,OperatingSystem,Windows Device,DeviceType,2021-09-09T12:00:00Z,StartTime,2021-09-09T13:00:00Z,EndTime,CommonSecurityLog
|
||||
|
|
|
@ -0,0 +1,64 @@
|
|||
id: 90b7ac11-dd6c-4ba1-a99b-737061873859
|
||||
name: Awake Security - High Match Counts By Device
|
||||
description: This query searches for devices with unexpectedly large number of activity match.
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: AristaAwakeSecurity
|
||||
dataTypes:
|
||||
- AwakeSecurity
|
||||
query: |
|
||||
CommonSecurityLog
|
||||
| where DeviceVendor == "Arista Networks" and DeviceProduct == "Awake Security"
|
||||
| summarize Models=make_set(Activity), ASPMatchURLs=make_set(DeviceCustomString2), SourceIPs=make_set(SourceIP),
|
||||
DestinationIPs=make_set(DestinationIP), ModelMatchCount=sum(EventCount), MaxSeverity=max(toint(LogSeverity)) by SourceHostName
|
||||
| where ModelMatchCount > 1000 and MaxSeverity > 2
|
||||
| extend SeverityName=iff(MaxSeverity == 0, "Informational", iff(MaxSeverity < 5, "Low", iff(MaxSeverity < 8, "Medium", "High")))
|
||||
queryFrequency: 1h
|
||||
queryPeriod: 1h
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
tactics: []
|
||||
relevantTechniques: []
|
||||
eventGroupingSettings:
|
||||
aggregationKind: AlertPerResult
|
||||
alertDetailsOverride:
|
||||
alertDisplayNameFormat: Awake Security - High Model Match Counts On Device {{SourceHostName}}
|
||||
alertDescriptionFormat: |-
|
||||
The following Awake model(s):
|
||||
|
||||
{{Models}}
|
||||
|
||||
matched {{ModelMatchCount}} activities, an unexpectedly large number. The destination IPs associated with these matches were:
|
||||
|
||||
{{DestinationIPs}}
|
||||
alertTacticsColumnName: null
|
||||
alertSeverityColumnName: SeverityName
|
||||
customDetails:
|
||||
Matched_Models: Models
|
||||
Matches_ASP_URLs: ASPMatchURLs
|
||||
Device: SourceHostName
|
||||
Matches_Count: ModelMatchCount
|
||||
Matches_Max_Severity: MaxSeverity
|
||||
Matches_Dest_IPs: DestinationIPs
|
||||
entityMappings:
|
||||
- entityType: Host
|
||||
fieldMappings:
|
||||
- identifier: HostName
|
||||
columnName: SourceHostName
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: SourceIPs
|
||||
incidentConfiguration:
|
||||
createIncident: true
|
||||
groupingConfiguration:
|
||||
enabled: true
|
||||
reopenClosedIncident: true
|
||||
lookbackDuration: 3d
|
||||
matchingMethod: Selected
|
||||
groupByEntities:
|
||||
- Host
|
||||
groupByAlertDetails: []
|
||||
groupByCustomDetails:
|
||||
- Device
|
||||
version: 1.0.0
|
||||
|
|
@ -0,0 +1,62 @@
|
|||
id: d5e012c2-29ba-4a02-a813-37b928aafe2d
|
||||
name: Awake Security - High Severity Matches By Device
|
||||
description: This query searches for devices with high severity event(s).
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: AristaAwakeSecurity
|
||||
dataTypes:
|
||||
- AwakeSecurity
|
||||
query: |
|
||||
CommonSecurityLog
|
||||
| where DeviceVendor == "Arista Networks" and DeviceProduct == "Awake Security" and toint(LogSeverity) > 6
|
||||
| summarize Models=make_set(Activity), ASPMatchURLs=make_set(DeviceCustomString2), SourceIPs=make_set(SourceIP),
|
||||
DestinationIPs=make_set(DestinationIP), ModelMatchCount=sum(EventCount), MaxSeverity=max(todecimal (LogSeverity)) by SourceHostName
|
||||
queryFrequency: 1h
|
||||
queryPeriod: 1h
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
tactics: []
|
||||
relevantTechniques: []
|
||||
eventGroupingSettings:
|
||||
aggregationKind: AlertPerResult
|
||||
alertDetailsOverride:
|
||||
alertDisplayNameFormat: Awake Security - High Severity Matches On Device {{SourceHostName}}
|
||||
alertDescriptionFormat: |
|
||||
Device {{SourceHostName}} matched the following high-severity Awake model(s):
|
||||
|
||||
{{Models}}
|
||||
|
||||
The destination IPs associated with these matches were:
|
||||
|
||||
{{DestinationIPs}}
|
||||
alertTacticsColumnName: null
|
||||
alertSeverityColumnName: MaxSeverity
|
||||
customDetails:
|
||||
Matched_Models: Models
|
||||
Matches_ASP_URLs: ASPMatchURLs
|
||||
Device: SourceHostName
|
||||
Matches_Count: ModelMatchCount
|
||||
Matches_Max_Severity: MaxSeverity
|
||||
Matches_Dest_IPs: DestinationIPs
|
||||
entityMappings:
|
||||
- entityType: Host
|
||||
fieldMappings:
|
||||
- identifier: HostName
|
||||
columnName: SourceHostName
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: SourceIPs
|
||||
incidentConfiguration:
|
||||
createIncident: true
|
||||
groupingConfiguration:
|
||||
enabled: true
|
||||
reopenClosedIncident: true
|
||||
lookbackDuration: 3d
|
||||
matchingMethod: Selected
|
||||
groupByEntities:
|
||||
- Host
|
||||
groupByAlertDetails: []
|
||||
groupByCustomDetails:
|
||||
- Device
|
||||
version: 1.0.0
|
||||
|
|
@ -0,0 +1,62 @@
|
|||
id: dfa3ec92-bdae-410f-b675-fe1814e4d43e
|
||||
name: Awake Security - Model Matches With Multiple Destinations By Device
|
||||
description: This query searches for devices with multiple possibly malicious destinations.
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: AristaAwakeSecurity
|
||||
dataTypes:
|
||||
- AwakeSecurity
|
||||
query: |
|
||||
CommonSecurityLog | where DeviceVendor == "Arista Networks" and DeviceProduct == "Awake Security"
|
||||
| summarize Models=make_set(Activity), ASPMatchURLs=make_set(DeviceCustomString2), SourceIPs=make_set(SourceIP),
|
||||
DestinationIPs=make_set(DestinationIP), ModelMatchCount=sum(EventCount), MaxSeverity=max(toint(LogSeverity)) by SourceHostName
|
||||
| where array_length(DestinationIPs) > 1
|
||||
queryFrequency: 1h
|
||||
queryPeriod: 1h
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
tactics: []
|
||||
relevantTechniques: []
|
||||
eventGroupingSettings:
|
||||
aggregationKind: AlertPerResult
|
||||
alertDetailsOverride:
|
||||
alertDisplayNameFormat: Awake Security - Model Matches With Multiple Destinations On Device {{SourceHostName}}
|
||||
alertDescriptionFormat: |
|
||||
Device {{SourceHostName}} communicated with multiple possibly malicious destinations. The destination IPs were:
|
||||
|
||||
{{DestinationIPs}}
|
||||
|
||||
The associated with Awake model(s) were:
|
||||
|
||||
{{Models}}
|
||||
alertTacticsColumnName: null
|
||||
alertSeverityColumnName: null
|
||||
customDetails:
|
||||
Matched_Models: Models
|
||||
Matches_ASP_URLs: ASPMatchURLs
|
||||
Device: SourceHostName
|
||||
Matches_Count: ModelMatchCount
|
||||
Matches_Max_Severity: MaxSeverity
|
||||
Matches_Dest_IPs: DestinationIPs
|
||||
entityMappings:
|
||||
- entityType: Host
|
||||
fieldMappings:
|
||||
- identifier: HostName
|
||||
columnName: SourceHostName
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: SourceIPs
|
||||
incidentConfiguration:
|
||||
createIncident: true
|
||||
groupingConfiguration:
|
||||
enabled: true
|
||||
reopenClosedIncident: true
|
||||
lookbackDuration: 3d
|
||||
matchingMethod: Selected
|
||||
groupByEntities:
|
||||
- Host
|
||||
groupByAlertDetails: []
|
||||
groupByCustomDetails:
|
||||
- Device
|
||||
version: 1.0.0
|
||||
|
|
@ -0,0 +1,137 @@
|
|||
{
|
||||
"id": "AristaAwakeSecurity",
|
||||
"title": "Awake Security",
|
||||
"publisher": "Arista Networks",
|
||||
"descriptionMarkdown": "The Awake Security CEF connector allows users to send detection model matches from the Awake Security Platform to Azure Sentinel. Remediate threats quickly with the power of network detection and response and speed up investigations with deep visibility especially into unmanaged entities including users, devices and applications on your network. The connector also enables the creation of network security-focused custom alerts, incidents, workbooks and notebooks that align with your existing security operations workflows. ",
|
||||
"graphQueries": [
|
||||
{
|
||||
"metricName": "Total data received",
|
||||
"legend": "AwakeSecurity",
|
||||
"baseQuery": "CommonSecurityLog\n| where DeviceVendor == \"Arista Networks\"\n| where DeviceProduct == \"Awake Security\""
|
||||
}
|
||||
],
|
||||
"sampleQueries": [
|
||||
{
|
||||
"description" : "Top 5 Adversarial Model Matches by Severity",
|
||||
"query": "union CommonSecurityLog\n| where DeviceVendor == \"Arista Networks\" and DeviceProduct == \"Awake Security\"\n| summarize TotalActivities=sum(EventCount) by Activity,LogSeverity\n| top 5 by LogSeverity desc"
|
||||
},
|
||||
{
|
||||
"description" : "Top 5 Devices by Device Risk Score",
|
||||
"query": "union CommonSecurityLog\n| where DeviceVendor == \"Arista Networks\" and DeviceProduct == \"Awake Security\"\n| summarize MaxDeviceRiskScore=max(DeviceCustomNumber1),TimesAlerted=count() by SourceHostName=coalesce(SourceHostName,\"Unknown\")\n| top 5 by MaxDeviceRiskScore desc"
|
||||
}
|
||||
],
|
||||
"dataTypes": [
|
||||
{
|
||||
"name": "CommonSecurityLog (AwakeSecurity)",
|
||||
"lastDataReceivedQuery": "CommonSecurityLog\n| where DeviceVendor == \"Arista Networks\"\n| where DeviceProduct == \"Awake Security\"\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
|
||||
}
|
||||
],
|
||||
"connectivityCriterias": [
|
||||
{
|
||||
"type": "IsConnectedQuery",
|
||||
"value": [
|
||||
"CommonSecurityLog\n| where DeviceVendor == \"Arista Networks\"\n| where DeviceProduct == \"Awake Security\"\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)"
|
||||
]
|
||||
}
|
||||
],
|
||||
"availability": {
|
||||
"status": 1,
|
||||
"isPreview": true
|
||||
},
|
||||
"permissions": {
|
||||
"resourceProvider": [
|
||||
{
|
||||
"provider": "Microsoft.OperationalInsights/workspaces",
|
||||
"permissionsDisplayText": "read and write permissions are required.",
|
||||
"providerDisplayName": "Workspace",
|
||||
"scope": "Workspace",
|
||||
"requiredPermissions": {
|
||||
"read": true,
|
||||
"write": true,
|
||||
"delete": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
|
||||
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
|
||||
"providerDisplayName": "Keys",
|
||||
"scope": "Workspace",
|
||||
"requiredPermissions": {
|
||||
"action": true
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"instructionSteps": [
|
||||
{
|
||||
"title": "1. Linux Syslog agent configuration",
|
||||
"description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Azure Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
|
||||
"innerSteps": [
|
||||
{
|
||||
"title": "1.1 Select or create a Linux machine",
|
||||
"description": "Select or create a Linux machine that Azure Sentinel will use as the proxy between your security solution and Azure Sentinel this machine can be on your on-prem environment, Azure or other clouds."
|
||||
},
|
||||
{
|
||||
"title": "1.2 Install the CEF collector on the Linux machine",
|
||||
"description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Azure Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
|
||||
"instructions": [
|
||||
{
|
||||
"parameters": {
|
||||
"fillWith": [
|
||||
"WorkspaceId",
|
||||
"PrimaryKey"
|
||||
],
|
||||
"label": "Run the following command to install and apply the CEF collector:",
|
||||
"value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
|
||||
},
|
||||
"type": "CopyableLabel"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"title": "2. Forward Awake Adversarial Model match results to a CEF collector.",
|
||||
"description": "Perform the following steps to forward Awake Adversarial Model match results to a CEF collector listening on TCP port **514** at IP **192.168.0.1**:\n- Navigate to the Detection Management Skills page in the Awake UI.\n- Click + Add New Skill.\n- Set the Expression field to,\n>integrations.cef.tcp { destination: \"192.168.0.1\", port: 514, secure: false, severity: Warning }\n- Set the Title field to a descriptive name like,\n>Forward Awake Adversarial Model match result to Azure Sentinel.\n- Set the Reference Identifier to something easily discoverable like,\n>integrations.cef.sentinel-forwarder\n- Click Save.\n\nNote: Within a few minutes of saving the definition and other fields the system will begin sending new model match results to the CEF events collector as they are detected.\n\nFor more information, refer to the **Adding a Security Information and Event Management Push Integration** page from the Help Documentation in the Awake UI."
|
||||
},
|
||||
{
|
||||
"title": "3. Validate connection",
|
||||
"description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
|
||||
"instructions": [
|
||||
{
|
||||
"parameters": {
|
||||
"fillWith": [
|
||||
"WorkspaceId"
|
||||
],
|
||||
"label": "Run the following command to validate your connectivity:",
|
||||
"value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
|
||||
},
|
||||
"type": "CopyableLabel"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"title": "4. Secure your machine ",
|
||||
"description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)"
|
||||
}
|
||||
],
|
||||
"metadata": {
|
||||
"id": "69203ebb-3834-43bf-9cdd-2936c4e6ae79",
|
||||
"version": "1.0.0",
|
||||
"kind": "dataConnector",
|
||||
"source": {
|
||||
"kind": "solution",
|
||||
"name": "Awake Security"
|
||||
},
|
||||
"author": {
|
||||
"name": "Awake Security"
|
||||
},
|
||||
"support": {
|
||||
"tier": "developer",
|
||||
"name": "Arista - Awake Security",
|
||||
"email": "support-security@arista.com",
|
||||
"link": "https://awakesecurity.com/"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -0,0 +1,667 @@
|
|||
{
|
||||
"version": "Notebook/1.0",
|
||||
"items": [
|
||||
{
|
||||
"type": 9,
|
||||
"content": {
|
||||
"version": "KqlParameterItem/1.0",
|
||||
"parameters": [
|
||||
{
|
||||
"id": "96834e0b-c240-4603-b8ce-ab5c8e051a8c",
|
||||
"version": "KqlParameterItem/1.0",
|
||||
"name": "TimeRange",
|
||||
"label": "Time Range",
|
||||
"type": 4,
|
||||
"isRequired": true,
|
||||
"value": {
|
||||
"durationMs": 172800000
|
||||
},
|
||||
"typeSettings": {
|
||||
"selectableValues": [
|
||||
{
|
||||
"durationMs": 3600000
|
||||
},
|
||||
{
|
||||
"durationMs": 43200000
|
||||
},
|
||||
{
|
||||
"durationMs": 86400000
|
||||
},
|
||||
{
|
||||
"durationMs": 172800000
|
||||
},
|
||||
{
|
||||
"durationMs": 604800000
|
||||
},
|
||||
{
|
||||
"durationMs": 2592000000
|
||||
},
|
||||
{
|
||||
"durationMs": 5184000000
|
||||
}
|
||||
],
|
||||
"allowCustom": true
|
||||
},
|
||||
"timeContext": {
|
||||
"durationMs": 86400000
|
||||
}
|
||||
},
|
||||
{
|
||||
"id": "66925847-0d36-4795-bdfe-1ad0e6fa92a8",
|
||||
"version": "KqlParameterItem/1.0",
|
||||
"name": "SortBy",
|
||||
"label": "Sort By",
|
||||
"type": 2,
|
||||
"isRequired": true,
|
||||
"typeSettings": {
|
||||
"additionalResourceOptions": [],
|
||||
"showDefault": false
|
||||
},
|
||||
"jsonData": "[\n\n { \"value\":\"Count\", \"label\":\"Count\"},\n { \"value\":\"Severity\", \"label\":\"Severity\", \"selected\":true}\n]"
|
||||
},
|
||||
{
|
||||
"id": "39594a16-ba63-4c67-8be3-00b4e415bb19",
|
||||
"version": "KqlParameterItem/1.0",
|
||||
"name": "HostName",
|
||||
"label": "Host Name",
|
||||
"type": 1,
|
||||
"isRequired": true,
|
||||
"value": "dogfood-rc.mv.awakenetworks.net"
|
||||
}
|
||||
],
|
||||
"style": "pills",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces"
|
||||
},
|
||||
"name": "parameters - 8"
|
||||
},
|
||||
{
|
||||
"type": 11,
|
||||
"content": {
|
||||
"version": "LinkItem/1.0",
|
||||
"style": "tabs",
|
||||
"links": [
|
||||
{
|
||||
"id": "bc6350d6-4f87-4575-9057-6e80072afdc1",
|
||||
"cellValue": "Tab",
|
||||
"linkTarget": "parameter",
|
||||
"linkLabel": "Overview",
|
||||
"subTarget": "Overview",
|
||||
"style": "link"
|
||||
},
|
||||
{
|
||||
"id": "b90a2ef4-07db-4f55-b8f1-fcafa493ab16",
|
||||
"cellValue": "Tab",
|
||||
"linkTarget": "parameter",
|
||||
"linkLabel": "Models",
|
||||
"subTarget": "Models",
|
||||
"style": "link"
|
||||
},
|
||||
{
|
||||
"id": "e097203d-20ea-48de-af3d-d367e704dd61",
|
||||
"cellValue": "Tab",
|
||||
"linkTarget": "parameter",
|
||||
"linkLabel": "Devices",
|
||||
"subTarget": "Devices",
|
||||
"style": "link"
|
||||
}
|
||||
]
|
||||
},
|
||||
"name": "links - 11"
|
||||
},
|
||||
{
|
||||
"type": 12,
|
||||
"content": {
|
||||
"version": "NotebookGroup/1.0",
|
||||
"groupType": "editable",
|
||||
"items": [
|
||||
{
|
||||
"type": 1,
|
||||
"content": {
|
||||
"json": "---\n### Adversarial Model Matches by Severity Level for {TimeRange}"
|
||||
},
|
||||
"customWidth": "30",
|
||||
"name": "Overview_Pie_Label"
|
||||
},
|
||||
{
|
||||
"type": 1,
|
||||
"content": {
|
||||
"json": "\n\n\n---\n### Adversarial Models Matches for {TimeRange}"
|
||||
},
|
||||
"customWidth": "70",
|
||||
"name": "Overview_Chart_Label"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "union CommonSecurityLog\n| where DeviceVendor == \"Arista Networks\" and DeviceProduct == \"Awake Security\"\n//| summarize by bin(TimeGenerated,3h),Activity,LogSeverity\n//| summarize by bin(TimeGenerated,case(datetime_diff('day',{TimeRange:end},{TimeRange:start})>1,3h,case(datetime_diff('hour',{TimeRange:end},{TimeRange:start})>3,1h,10m))),Activity,LogSeverity\n| summarize by bin(TimeGenerated,floor(({TimeRange:end}-{TimeRange:start})/30,1m)),Activity,LogSeverity\n| summarize Count=count() by Severity=iif(toint(LogSeverity) between (0 .. 3),\"1\",iif(toint(LogSeverity) between (4 .. 6),\"2\",iif(toint(LogSeverity) between (7 .. 8),\"3\",iif(toint(LogSeverity) between (9 .. 10),\"4\",\"5\")))) \n| where toint(Severity)<5\n| order by toint(Severity) desc",
|
||||
"size": 2,
|
||||
"timeContext": {
|
||||
"durationMs": 172800000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "piechart",
|
||||
"sortBy": [],
|
||||
"tileSettings": {
|
||||
"titleContent": {
|
||||
"columnMatch": "Severity",
|
||||
"formatter": 18,
|
||||
"formatOptions": {
|
||||
"thresholdsOptions": "colors",
|
||||
"thresholdsGrid": [
|
||||
{
|
||||
"operator": "==",
|
||||
"thresholdValue": "4",
|
||||
"representation": "redBright",
|
||||
"text": "Critical"
|
||||
},
|
||||
{
|
||||
"operator": "==",
|
||||
"thresholdValue": "3",
|
||||
"representation": "orange",
|
||||
"text": "High"
|
||||
},
|
||||
{
|
||||
"operator": "==",
|
||||
"thresholdValue": "2",
|
||||
"representation": "yellow",
|
||||
"text": "Medium"
|
||||
},
|
||||
{
|
||||
"operator": "==",
|
||||
"thresholdValue": "1",
|
||||
"representation": "green",
|
||||
"text": "Low"
|
||||
},
|
||||
{
|
||||
"operator": "Default",
|
||||
"thresholdValue": null,
|
||||
"representation": null,
|
||||
"text": "{0}{1}"
|
||||
}
|
||||
],
|
||||
"compositeBarSettings": {
|
||||
"labelText": "",
|
||||
"columnSettings": [
|
||||
{
|
||||
"columnName": "status",
|
||||
"color": "green"
|
||||
},
|
||||
{
|
||||
"columnName": "status_count",
|
||||
"color": "lightBlue"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
},
|
||||
"leftContent": {
|
||||
"columnMatch": "Count",
|
||||
"formatter": 12,
|
||||
"formatOptions": {
|
||||
"palette": "none"
|
||||
}
|
||||
},
|
||||
"showBorder": true,
|
||||
"sortOrderField": 1,
|
||||
"size": "auto"
|
||||
},
|
||||
"graphSettings": {
|
||||
"type": 0
|
||||
},
|
||||
"chartSettings": {
|
||||
"yAxis": [
|
||||
"Count"
|
||||
],
|
||||
"createOtherGroup": null,
|
||||
"seriesLabelSettings": [
|
||||
{
|
||||
"seriesName": "1",
|
||||
"label": "Low",
|
||||
"color": "green"
|
||||
},
|
||||
{
|
||||
"seriesName": "2",
|
||||
"label": "Medium",
|
||||
"color": "yellow"
|
||||
},
|
||||
{
|
||||
"seriesName": "4",
|
||||
"label": "Critical",
|
||||
"color": "redBright"
|
||||
},
|
||||
{
|
||||
"seriesName": "3",
|
||||
"label": "High",
|
||||
"color": "orange"
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"customWidth": "30",
|
||||
"name": "Adversarial Model Matches by Severity"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "//union CommonSecurityLog\n//| summarize Requests = dcount(Activity) by bin(TimeGenerated, 3h)\n\nunion CommonSecurityLog\n| where DeviceVendor == \"Arista Networks\" and DeviceProduct == \"Awake Security\"\n//| summarize by bin(TimeGenerated,case(datetime_diff('day',{TimeRange:end},{TimeRange:start})>1,3h,case(datetime_diff('hour',{TimeRange:end},{TimeRange:start})>3,1h,10m))),Activity,LogSeverity\n| summarize by bin(TimeGenerated,floor(({TimeRange:end}-{TimeRange:start})/30,1m)),Activity,LogSeverity\n//| summarize by bin(TimeGenerated,3h),Activity,LogSeverity\n| summarize Critical=countif(toint(LogSeverity) between (9 .. 10)),High=countif(toint(LogSeverity) between (7 .. 8)),Medium=countif(toint(LogSeverity) between (4 .. 6)),Low=countif(toint(LogSeverity) between (0 .. 3)) by TimeGenerated,LogSeverity\n\n",
|
||||
"size": 2,
|
||||
"timeContext": {
|
||||
"durationMs": 172800000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "categoricalbar",
|
||||
"graphSettings": {
|
||||
"type": 0
|
||||
},
|
||||
"chartSettings": {
|
||||
"xAxis": "TimeGenerated",
|
||||
"seriesLabelSettings": [
|
||||
{
|
||||
"seriesName": "High",
|
||||
"color": "orange"
|
||||
},
|
||||
{
|
||||
"seriesName": "Critical",
|
||||
"color": "redBright"
|
||||
},
|
||||
{
|
||||
"seriesName": "Medium",
|
||||
"color": "yellow"
|
||||
},
|
||||
{
|
||||
"seriesName": "Low",
|
||||
"color": "green"
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"customWidth": "70",
|
||||
"name": "Overview_Chart"
|
||||
},
|
||||
{
|
||||
"type": 1,
|
||||
"content": {
|
||||
"json": "\n\n\n---\n###### Links"
|
||||
},
|
||||
"name": "Overview_Links_Label"
|
||||
},
|
||||
{
|
||||
"type": 11,
|
||||
"content": {
|
||||
"version": "LinkItem/1.0",
|
||||
"style": "bullets",
|
||||
"links": [
|
||||
{
|
||||
"id": "49514376-7f9d-40d5-9e71-be047648b095",
|
||||
"cellValue": "https://awakesecurity.com/",
|
||||
"linkTarget": "Url",
|
||||
"linkLabel": "Awake-Security",
|
||||
"preText": "",
|
||||
"postText": "",
|
||||
"style": "link"
|
||||
},
|
||||
{
|
||||
"id": "5f591858-9562-423f-b082-c8946fd74727",
|
||||
"cellValue": "https://{HostName}/",
|
||||
"linkTarget": "Url",
|
||||
"linkLabel": "Awake-Platform",
|
||||
"style": "link"
|
||||
}
|
||||
]
|
||||
},
|
||||
"name": "Overview_Links"
|
||||
}
|
||||
]
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "Tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "Overview"
|
||||
},
|
||||
"name": "Overview_Group"
|
||||
},
|
||||
{
|
||||
"type": 12,
|
||||
"content": {
|
||||
"version": "NotebookGroup/1.0",
|
||||
"groupType": "editable",
|
||||
"items": [
|
||||
{
|
||||
"type": 1,
|
||||
"content": {
|
||||
"json": "---\n### Top 5 Adversarial Models Activities for {TimeRange}"
|
||||
},
|
||||
"name": "Models_Chart_Label"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "\nunion CommonSecurityLog\n| where DeviceVendor == \"Arista Networks\" and DeviceProduct == \"Awake Security\"\n| summarize d=arg_max(DeviceEventClassID,LogSeverity),TriggeredCount=sum(EventCount) by Activity\n| top 5 by case(\"{SortBy}\"==\"Count\",TriggeredCount,toint(LogSeverity))\n\n\n//union CommonSecurityLog\n//| summarize TriggeredCount=sum(EventCount) by Activity\n// ,SeverityInt=iif(toint(LogSeverity) between (0 .. 3),1,iif(toint(LogSeverity) between (4 .. 6),2,iif(toint(LogSeverity) between (7 .. 8),3,4)))\n//| top 5 by case(\"{SortBy}\"==\"Count\",TriggeredCount,SeverityInt)\n\n//union CommonSecurityLog\n//| summarize TriggeredCount=dcount(Activity) by Activity,DeviceEventClassID,toint(LogSeverity)\n// ,SeverityInt=iif(toint(LogSeverity) between (0 .. 3),1,iif(toint(LogSeverity) between (4 .. 6),2,iif(toint(LogSeverity) between (7 .. 8),3,4)))\n| top 5 by case(\"{SortBy}\"==\"Count\",TriggeredCount,toint(LogSeverity))\n",
|
||||
"size": 0,
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "barchart",
|
||||
"sortBy": [],
|
||||
"chartSettings": {
|
||||
"xAxis": "Activity",
|
||||
"yAxis": [
|
||||
"TriggeredCount"
|
||||
]
|
||||
}
|
||||
},
|
||||
"name": "Models_Chart"
|
||||
},
|
||||
{
|
||||
"type": 1,
|
||||
"content": {
|
||||
"json": "---\n\n### Detailed: Top 50 Adversarial Model Matches for {TimeRange}"
|
||||
},
|
||||
"name": "Models_Grid_Label"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "union CommonSecurityLog\n| where DeviceVendor == \"Arista Networks\" and DeviceProduct == \"Awake Security\"\n| summarize arg_max(TimeGenerated,Severity=toint(LogSeverity),DeviceCustomDate2,DeviceEventClassID),arg_min(TimeGenerated, DeviceCustomDate1),\nUniqueDevices= dcount(coalesce(SourceHostName,'Unknown')),TotalActivities=sum(EventCount) by Activity\n| extend ModelPath= strcat(\"https://{HostName}/app/workbench/?startTime=\",DeviceCustomDate1,\"&endTime=\",DeviceCustomDate2,\"&query=(dataset.threat_behavior%20\",DeviceEventClassID,\")%20%26%26%20(device.threat_behavior%20\",DeviceEventClassID,\")&view=device\")\n| project Activity,ModelPath,Severity,UniqueDevices,TotalActivities\n| top 50 by case(\"{SortBy}\"==\"Count\",TotalActivities,Severity)",
|
||||
"size": 2,
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"showExportToExcel": true,
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "table",
|
||||
"gridSettings": {
|
||||
"formatters": [
|
||||
{
|
||||
"columnMatch": "Activity",
|
||||
"formatter": 1
|
||||
},
|
||||
{
|
||||
"columnMatch": "ModelPath",
|
||||
"formatter": 7,
|
||||
"formatOptions": {
|
||||
"linkTarget": "Url",
|
||||
"linkLabel": "Awake-Platform: Model Detail"
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "Severity",
|
||||
"formatter": 18,
|
||||
"formatOptions": {
|
||||
"thresholdsOptions": "colors",
|
||||
"thresholdsGrid": [
|
||||
{
|
||||
"operator": "<=",
|
||||
"thresholdValue": "3",
|
||||
"representation": "green",
|
||||
"text": "Low"
|
||||
},
|
||||
{
|
||||
"operator": "<=",
|
||||
"thresholdValue": "6",
|
||||
"representation": "yellow",
|
||||
"text": "Medium"
|
||||
},
|
||||
{
|
||||
"operator": "<=",
|
||||
"thresholdValue": "8",
|
||||
"representation": "orange",
|
||||
"text": "High"
|
||||
},
|
||||
{
|
||||
"operator": "Default",
|
||||
"thresholdValue": null,
|
||||
"representation": "redBright",
|
||||
"text": "Critical"
|
||||
}
|
||||
],
|
||||
"compositeBarSettings": {
|
||||
"labelText": "",
|
||||
"columnSettings": [
|
||||
{
|
||||
"columnName": "SeverityInt",
|
||||
"color": "redBright"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "TimeGenerated",
|
||||
"formatter": 5
|
||||
},
|
||||
{
|
||||
"columnMatch": "SeverityInt",
|
||||
"formatter": 5
|
||||
},
|
||||
{
|
||||
"columnMatch": "DeviceEventClassID",
|
||||
"formatter": 5
|
||||
},
|
||||
{
|
||||
"columnMatch": "mints",
|
||||
"formatter": 5
|
||||
},
|
||||
{
|
||||
"columnMatch": "maxts",
|
||||
"formatter": 5
|
||||
}
|
||||
],
|
||||
"labelSettings": [
|
||||
{
|
||||
"columnId": "Activity"
|
||||
},
|
||||
{
|
||||
"columnId": "ModelPath",
|
||||
"label": "Model Path"
|
||||
},
|
||||
{
|
||||
"columnId": "Severity"
|
||||
},
|
||||
{
|
||||
"columnId": "UniqueDevices",
|
||||
"label": "Unique Devices"
|
||||
},
|
||||
{
|
||||
"columnId": "TotalActivities",
|
||||
"label": "Total Activities"
|
||||
}
|
||||
]
|
||||
},
|
||||
"sortBy": []
|
||||
},
|
||||
"name": "Models_Grid"
|
||||
}
|
||||
]
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "Tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "Models"
|
||||
},
|
||||
"name": "Models_Group"
|
||||
},
|
||||
{
|
||||
"type": 12,
|
||||
"content": {
|
||||
"version": "NotebookGroup/1.0",
|
||||
"groupType": "editable",
|
||||
"items": [
|
||||
{
|
||||
"type": 1,
|
||||
"content": {
|
||||
"json": "---\n### Top 10 Devices by Model Matches for {TimeRange}"
|
||||
},
|
||||
"name": "Devices_Chart_Label"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "//union CommonSecurityLog\n//| extend Source = strcat(Sour.ceHostName,\" \", \"(\" ,SourceIP, \")\"),Destination= strcat(DestinationHostName,\" \", \"(\" ,DestinationIP, \")\")\n//| summarize TimesAlerted=count() by SourceHostName //, //avg(DeviceCustomNumber1) by SourceHostName\n//| top 10 by TimesAlerted\n//| sort by TimesAlerted desc\n\nunion CommonSecurityLog\n| where DeviceVendor == \"Arista Networks\" and DeviceProduct == \"Awake Security\"\n| summarize \n MaxDeviceRiskScore=max(DeviceCustomNumber1),UniqueDeviceTypeCount=dcount(DeviceCustomString4),\n TimesAlerted=count() by SourceHostName=coalesce(SourceHostName,\"Unknown\")\n//| where UniqueDeviceTypeCount<2\n| top 10 by case(\"{SortBy}\"==\"Count\",TimesAlerted,MaxDeviceRiskScore)\n",
|
||||
"size": 0,
|
||||
"timeContext": {
|
||||
"durationMs": 172800000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "barchart",
|
||||
"chartSettings": {
|
||||
"xAxis": "SourceHostName",
|
||||
"yAxis": [
|
||||
"TimesAlerted"
|
||||
]
|
||||
}
|
||||
},
|
||||
"name": "Devices_Chart"
|
||||
},
|
||||
{
|
||||
"type": 1,
|
||||
"content": {
|
||||
"json": "---\n### Detailed: Top 50 Devices by Model Matches for {TimeRange}"
|
||||
},
|
||||
"name": "Devices_Grid_Label"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "union CommonSecurityLog\n| where DeviceVendor == \"Arista Networks\" and DeviceProduct == \"Awake Security\"\n| summarize DevicePath=take_anyif(strcat(\"https://{HostName}/app/workbench/device/\",substring(DeviceCustomString2,-39,36)),DeviceCustomString2!=\"\"),\n DeviceType=strcat_array(make_set_if(DeviceCustomString4, strlen(DeviceCustomString4) > 0),\", \"),UniqueDeviceTypeCount=dcount(DeviceCustomString4),\n OperatingSystem=strcat_array(make_set_if(DeviceCustomString3, strlen(DeviceCustomString3) > 0),\", \"),\n IPsFound= dcount(SourceIP),//strcat_array(make_set(SourceIP),\", \"),\n// AverageDeviceRiskScore=round(avgif(DeviceCustomNumber1,DeviceCustomNumber1>0)),\n MaxDeviceRiskScore=max(DeviceCustomNumber1),\n TimesAlerted=count() by SourceHostName=coalesce(SourceHostName,\"Unknown\")//,DevicePath\n//| where UniqueDeviceTypeCount<2\n| top 50 by case(\"{SortBy}\"==\"Count\",TimesAlerted,MaxDeviceRiskScore)\n//| order by MaxDeviceRiskScore desc\n",
|
||||
"size": 2,
|
||||
"timeContext": {
|
||||
"durationMs": 172800000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"showExportToExcel": true,
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "table",
|
||||
"gridSettings": {
|
||||
"formatters": [
|
||||
{
|
||||
"columnMatch": "DevicePath",
|
||||
"formatter": 7,
|
||||
"formatOptions": {
|
||||
"linkTarget": "Url",
|
||||
"linkLabel": "Awake-Platform: Device Detail"
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "UniqueDeviceTypeCount",
|
||||
"formatter": 5
|
||||
},
|
||||
{
|
||||
"columnMatch": "MaxDeviceRiskScore",
|
||||
"formatter": 18,
|
||||
"formatOptions": {
|
||||
"thresholdsOptions": "colors",
|
||||
"thresholdsGrid": [
|
||||
{
|
||||
"operator": "<",
|
||||
"thresholdValue": "33",
|
||||
"representation": "green",
|
||||
"text": "Low"
|
||||
},
|
||||
{
|
||||
"operator": ">=",
|
||||
"thresholdValue": "75",
|
||||
"representation": "redBright",
|
||||
"text": "High"
|
||||
},
|
||||
{
|
||||
"operator": ">=",
|
||||
"thresholdValue": "33",
|
||||
"representation": "orange",
|
||||
"text": "Medium"
|
||||
},
|
||||
{
|
||||
"operator": "Default",
|
||||
"thresholdValue": null,
|
||||
"text": "{0}{1}"
|
||||
}
|
||||
],
|
||||
"compositeBarSettings": {
|
||||
"labelText": "",
|
||||
"columnSettings": [
|
||||
{
|
||||
"columnName": "IPsFound",
|
||||
"color": "blue"
|
||||
},
|
||||
{
|
||||
"columnName": "MaxDeviceRiskScore",
|
||||
"color": "brown"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
],
|
||||
"labelSettings": [
|
||||
{
|
||||
"columnId": "SourceHostName",
|
||||
"label": "Source HostName"
|
||||
},
|
||||
{
|
||||
"columnId": "DevicePath",
|
||||
"label": "Device Path"
|
||||
},
|
||||
{
|
||||
"columnId": "DeviceType",
|
||||
"label": "Device Type"
|
||||
},
|
||||
{
|
||||
"columnId": "UniqueDeviceTypeCount"
|
||||
},
|
||||
{
|
||||
"columnId": "OperatingSystem",
|
||||
"label": "Operating System"
|
||||
},
|
||||
{
|
||||
"columnId": "IPsFound",
|
||||
"label": "Distinct IPs"
|
||||
},
|
||||
{
|
||||
"columnId": "MaxDeviceRiskScore",
|
||||
"label": "Device Risk Score (Max)"
|
||||
},
|
||||
{
|
||||
"columnId": "TimesAlerted",
|
||||
"label": "Total Activities"
|
||||
}
|
||||
]
|
||||
},
|
||||
"sortBy": []
|
||||
},
|
||||
"name": "Devices_Grid"
|
||||
}
|
||||
]
|
||||
},
|
||||
"conditionalVisibility": {
|
||||
"parameterName": "Tab",
|
||||
"comparison": "isEqualTo",
|
||||
"value": "Devices"
|
||||
},
|
||||
"name": "Devices_Group"
|
||||
}
|
||||
],
|
||||
"fallbackResourceIds": [
|
||||
"/subscriptions/afbdd4c0-3adf-45e3-85b9-f755a63ac85d/resourcegroups/awake-sentinel-integration/providers/microsoft.operationalinsights/workspaces/awake-sentinel-integration"
|
||||
],
|
||||
"fromTemplateId": "sentinel-UserWorkbook",
|
||||
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
||||
}
|
||||
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
После Ширина: | Высота: | Размер: 4.9 KiB |
Двоичные данные
Solutions/AristaAwakeSecurity/Workbooks/Images/Preview/AristaAwakeSecurityDevicesBlack.png
Normal file
Двоичные данные
Solutions/AristaAwakeSecurity/Workbooks/Images/Preview/AristaAwakeSecurityDevicesBlack.png
Normal file
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 323 KiB |
Двоичные данные
Solutions/AristaAwakeSecurity/Workbooks/Images/Preview/AristaAwakeSecurityDevicesWhite.png
Normal file
Двоичные данные
Solutions/AristaAwakeSecurity/Workbooks/Images/Preview/AristaAwakeSecurityDevicesWhite.png
Normal file
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 298 KiB |
Двоичные данные
Solutions/AristaAwakeSecurity/Workbooks/Images/Preview/AristaAwakeSecurityModelsBlack.png
Normal file
Двоичные данные
Solutions/AristaAwakeSecurity/Workbooks/Images/Preview/AristaAwakeSecurityModelsBlack.png
Normal file
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 297 KiB |
Двоичные данные
Solutions/AristaAwakeSecurity/Workbooks/Images/Preview/AristaAwakeSecurityModelsWhite.png
Normal file
Двоичные данные
Solutions/AristaAwakeSecurity/Workbooks/Images/Preview/AristaAwakeSecurityModelsWhite.png
Normal file
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 294 KiB |
Двоичные данные
Solutions/AristaAwakeSecurity/Workbooks/Images/Preview/AristaAwakeSecurityOverviewBlack.png
Normal file
Двоичные данные
Solutions/AristaAwakeSecurity/Workbooks/Images/Preview/AristaAwakeSecurityOverviewBlack.png
Normal file
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 223 KiB |
Двоичные данные
Solutions/AristaAwakeSecurity/Workbooks/Images/Preview/AristaAwakeSecurityOverviewWhite.png
Normal file
Двоичные данные
Solutions/AristaAwakeSecurity/Workbooks/Images/Preview/AristaAwakeSecurityOverviewWhite.png
Normal file
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 249 KiB |
|
|
@ -0,0 +1,15 @@
|
|||
[
|
||||
{
|
||||
"workbookKey": "AristaAwakeSecurityWorkbook",
|
||||
"logoFileName": "AristaAwakeSecurity.svg",
|
||||
"description": "Provides an overview of the detections that have occurred over a selected period, with views of overall detection counts, the detection breakdown by model, and the detection breakdown by device. These views provide rich starting points for further investigation of potential threats.\n\nNOTE: Please fill in the Awake hostname or IP address on the top of the workbook for the link to work.",
|
||||
"dataTypesDependencies": ["CommonSecurityLog"],
|
||||
"dataConnectorsDependencies": ["AristaAwakeSecurity"],
|
||||
"previewImagesFileNames": ["AristaAwakeSecurityOverviewBlack.png", "AristaAwakeSecurityModelsBlack.png","AristaAwakeSecurityDevicesBlack.png", "AristaAwakeSecurityOverviewWhite.png", "AristaAwakeSecurityModelsWhite.png","AristaAwakeSecurityDevicesWhite.png"],
|
||||
"version": "1.0",
|
||||
"title": "Awake Security",
|
||||
"templateRelativePath": "AristaAwakeSecurityWorkbook.json",
|
||||
"subtitle": "",
|
||||
"provider": "Arista Networks"
|
||||
}
|
||||
]
|
||||
Загрузка…
Ссылка в новой задаче