Revert "Revert "Merge branch 'master' into pr/8145""

This reverts commit f8bcc71ce1.
v-rbajaj 2023-06-26 18:55:20 +05:30
Родитель f8bcc71ce1
Коммит ac940af956
245 изменённых файлов: 19279 добавлений и 8593 удалений


@ -0,0 +1,76 @@
{ "Name": "ABNORMAL_CASES_CL",
"Properties":[
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "caseId",
"Type": "real"
},
{
"Name": "affectedEmployee",
"Type": "string"
},
{
"Name": "severity",
"Type": "string"
},
{
"Name": "description",
"Type": "string"
},
{
"Name": "firstObserved",
"Type": "datetime"
},
{
"Name": "threatIds",
"Type": "string"
},
{
"Name": "analysis",
"Type": "string"
},
{
"Name": "case_status",
"Type": "string"
},
{
"Name": "remediation_status",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}
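Review bot: `caseId` is declared as `real`, which stores an identifier in an IEEE-754 double; if case ids grow past 2^53 or are compared for exact equality in KQL, `"Type": "string"` is the safer declaration for an identifier. None of the custom columns in this table carry the `_s`/`_d`/`_t`/`_g` suffixes that the sibling `ABNORMAL_THREAT_MESSAGES_CL` schema in this commit uses (`threatId_g`, `abxMessageId_d`), so please confirm these names against the ingested table. A validation schema listing names the table does not have will accept queries that then fail at runtime.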


@ -0,0 +1,156 @@
{ "Name": "ABNORMAL_THREAT_MESSAGES_CL",
"Properties":[
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "threatId_g",
"Type": "string"
},
{
"Name": "abxMessageId_d",
"Type": "real"
},
{
"Name": "abxPortalUrl_s",
"Type": "string"
},
{
"Name": "subject_s",
"Type": "string"
},
{
"Name": "senderDomain_s",
"Type": "string"
},
{
"Name": "fromAddress_s",
"Type": "string"
},
{
"Name": "fromName_s",
"Type": "string"
},
{
"Name": "toAddresses_s",
"Type": "string"
},
{
"Name": "recipientAddress_s",
"Type": "string"
},
{
"Name": "receivedTime_t",
"Type": "datetime"
},
{
"Name": "sentTime_t",
"Type": "datetime"
},
{
"Name": "internetMessageId_s",
"Type": "string"
},
{
"Name": "autoRemediated_b",
"Type": "bool"
},
{
"Name": "postRemediated_b",
"Type": "bool"
},
{
"Name": "attackType_s",
"Type": "string"
},
{
"Name": "attackStrategy_s",
"Type": "string"
},
{
"Name": "returnPath_s",
"Type": "string"
},
{
"Name": "replyToEmails_s",
"Type": "string"
},
{
"Name": "ccEmails_s",
"Type": "string"
},
{
"Name": "senderIpAddress_s",
"Type": "string"
},
{
"Name": "impersonatedParty_s",
"Type": "string"
},
{
"Name": "attackVector_s",
"Type": "string"
},
{
"Name": "attachmentNames_s",
"Type": "string"
},
{
"Name": "attachmentCount_d",
"Type": "real"
},
{
"Name": "urls_s",
"Type": "string"
},
{
"Name": "urlCount_d",
"Type": "real"
},
{
"Name": "summaryInsights_s",
"Type": "string"
},
{
"Name": "attackedParty_s",
"Type": "string"
},
{
"Name": "remediationTimestamp_t",
"Type": "datetime"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}


@ -0,0 +1,52 @@
{ "Name": "F5Telemetry_ASM_CL",
"Properties":[
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "probability",
"Type": "real"
},
{
"Name": "RawMessage",
"Type": "string"
},
{
"Name": "geo_location_s",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}
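Review bot: The custom columns in this table mix unsuffixed names (`probability`, `RawMessage`) with Data-Collector-style suffixed ones (`geo_location_s`), and the same mix appears in `F5Telemetry_LTM_CL`, `F5Telemetry_system_CL`, `ForcepointDLPEvents_CL` and `TrendMicro_XDR_Health_Check_CL` later in this commit. If these tables are populated through the HTTP Data Collector API, every custom column carries a type suffix and the unsuffixed entries would never match a real column, so queries validated against this file could still fail (or bad queries pass) at runtime. Please confirm each unsuffixed name against the live table schema, or add the suffix the table actually uses (e.g. `"Name": "probability_d"`).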


@ -0,0 +1,52 @@
{ "Name": "F5Telemetry_LTM_CL",
"Properties":[
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "probability",
"Type": "real"
},
{
"Name": "RawMessage",
"Type": "string"
},
{
"Name": "client_ip_s",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}


@ -0,0 +1,60 @@
{ "Name": "F5Telemetry_system_CL",
"Properties":[
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "probability",
"Type": "real"
},
{
"Name": "RawMessage",
"Type": "string"
},
{
"Name": "client_ip_s",
"Type": "string"
},
{
"Name": "hostname_s",
"Type": "string"
},
{
"Name": "geo_location_s",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}


@ -0,0 +1,121 @@
{
"Name":"ForcepointDLPEvents_CL",
"Properties":[
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
},
{
"Name": "DestinationDomain",
"Type": "string"
},
{
"Name": "CreatedAt_t",
"Type": "datetime"
},
{
"Name": "Protocol",
"Type": "string"
},
{
"Name": "PolicyCategoryId",
"Type": "string"
},
{
"Name": "GeneratorId",
"Type": "string"
},
{
"Name": "Id",
"Type": "string"
},
{
"Name": "RuleName_1_s",
"Type": "string"
},
{
"Name": "Severity_s",
"Type": "string"
},
{
"Name": "UpdatedAt",
"Type": "string"
},
{
"Name": "DestinationHostname",
"Type": "string"
},
{
"Name": "ExternalId",
"Type": "string"
},
{
"Name": "SourceIpV4_s",
"Type": "string"
},
{
"Name": "Text",
"Type": "real"
},
{
"Name": "DestinationCommonName",
"Type": "real"
},
{
"Name": "DestinationIpV4",
"Type": "real"
},
{
"Name": "SourceDomain",
"Type": "string"
},
{
"Name": "Title",
"Type": "string"
},
{
"Name": "ForcepointDLPSourceIP",
"Type": "string"
},
{
"Name": "UpdatedBy",
"Type": "string"
},
{
"Name": "Description",
"Type": "real"
}
]
}
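Review bot: `Text`, `DestinationCommonName`, `DestinationIpV4` and `Description` are declared `real`, yet their names describe free text, a certificate/host common name and a dotted IPv4 address; a numeric type for these would make string functions and the `ipv4_*` KQL operators fail validation on columns that are almost certainly strings. Unless the ingested table really stores them as doubles, change each of them to `"Type": "string"`. This is inferred from the column names only; the source table is not visible here.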


@ -40,6 +40,6 @@
{
"Name": "UserImpersonated",
"Type": "Int"
},
}
]
}
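Review bot: Only one of the two closing lines (`},` or `}`) after the `UserImpersonated` entry is on the new side, and the rendered page does not show which. If the `},` variant is what remains, the last element of `Properties` ends with a trailing comma, which strict RFC 8259 parsers reject; please make sure the new side reads `}` followed by `]`. `UserImpersonated` is also typed `Int` while the new schema files in this commit use lowercase `real`/`string`, so confirm the validator accepts both spellings. The enclosing `Properties` array starts outside the hunk.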



@ -0,0 +1,293 @@
{
"Name":"Perimeter81_CL",
"Properties":[
{
"Name": "TenantId",
"Type": ""
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "emails_s",
"Type": "string"
},
{
"Name": "enabled_b",
"Type": "string"
},
{
"Name": "installation_installationId_g",
"Type": "string"
},
{
"Name": "releasedBy_roleName_s",
"Type": "string"
},
{
"Name": "role_displayName_s",
"Type": "string"
},
{
"Name": "oldRole_displayName_s",
"Type": "string"
},
{
"Name": "planName_s",
"Type": "string"
},
{
"Name": "planId_s",
"Type": "string"
},
{
"Name": "error_message_s",
"Type": "string"
},
{
"Name": "amount_d",
"Type": "real"
},
{
"Name": "vpnLocation_name_s",
"Type": "string"
},
{
"Name": "account_tenantId_s",
"Type": "string"
},
{
"Name": "account_name_s",
"Type": "string"
},
{
"Name": "account_company_s",
"Type": "string"
},
{
"Name": "installation_installationId_s",
"Type": "string"
},
{
"Name": "oldPlan_planWeight_d",
"Type": "real"
},
{
"Name": "oldPlan_name_s",
"Type": "string"
},
{
"Name": "newPlan_planWeight_d",
"Type": "string"
},
{
"Name": "newPlan_name_s",
"Type": "string"
},
{
"Name": "user_tenantId_s",
"Type": "string"
},
{
"Name": "user_email_s",
"Type": "string"
},
{
"Name": "user_lastName_s",
"Type": "string"
},
{
"Name": "user_firstName_s",
"Type": "string"
},
{
"Name": "policy_name_s",
"Type": "string"
},
{
"Name": "regions_s",
"Type": "string"
},
{
"Name": "group_name_s",
"Type": "string"
},
{
"Name": "networkName_s",
"Type": "string"
},
{
"Name": "applicationName_s",
"Type": "string"
},
{
"Name": "paymentInfo_s",
"Type": "string"
},
{
"Name": "application_name_s",
"Type": "string"
},
{
"Name": "application_type_s",
"Type": "string"
},
{
"Name": "application_endpoint_s",
"Type": "string"
},
{
"Name": "application_alias_cname_s",
"Type": "string"
},
{
"Name": "idpName_s",
"Type": "string"
},
{
"Name": "network_name_s",
"Type": "string"
},
{
"Name": "network_dns_s",
"Type": "string"
},
{
"Name": "geoPoint_accuracy_radius_d",
"Type": "real"
},
{
"Name": "geoPoint_latitude_d",
"Type": "real"
},
{
"Name": "geoPoint_longitude_d",
"Type": "real"
},
{
"Name": "geoPoint_metro_code_d",
"Type": "real"
},
{
"Name": "geoPoint_time_zone_s",
"Type": "string"
},
{
"Name": "addressCountry_s",
"Type": "string"
},
{
"Name": "event_eventName_s",
"Type": "string"
},
{
"Name": "event_tenantId_s",
"Type": "string"
},
{
"Name": "event_originalTenantId_s",
"Type": "string"
},
{
"Name": "event_releasedFrom_tenantId_s",
"Type": "string"
},
{
"Name": "event_releasedBy_email_s",
"Type": "string"
},
{
"Name": "event_ip_s",
"Type": "string"
},
{
"Name": "event_integrationIdentifier_s",
"Type": "string"
},
{
"Name": "event_eventVersion_s",
"Type": "string"
},
{
"Name": "releasedFrom_name_s",
"Type": "string"
},
{
"Name": "releasedFrom_company_s",
"Type": "string"
},
{
"Name": "releasedBy_tenantId_s",
"Type": "string"
},
{
"Name": "releasedBy_lastName_s",
"Type": "string"
},
{
"Name": "releasedBy_firstName_s",
"Type": "string"
},
{
"Name": "integrationName_s",
"Type": "string"
},
{
"Name": "eventName_s",
"Type": "string"
},
{
"Name": "originalTenantId_s",
"Type": "string"
},
{
"Name": "releasedFrom_tenantId_s",
"Type": "string"
},
{
"Name": "releasedBy_email_s",
"Type": "string"
},
{
"Name": "ip_s",
"Type": "string"
},
{
"Name": "integrationIdentifier_s",
"Type": "string"
},
{
"Name": "eventVersion_s",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}
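Review bot: `TenantId` is declared with `"Type": ""` at the top of the `Properties` array; every other schema in this commit types it as `string`, and an empty type will either be rejected by the validator or match nothing. Two further entries disagree with their own suffixes: `enabled_b` is typed `string` (the `_b` suffix denotes bool, as `autoRemediated_b` is typed elsewhere in this commit) and `newPlan_planWeight_d` is typed `string` while `oldPlan_planWeight_d` is `real`. `installation_installationId_g` and `installation_installationId_s` both appear, which may be intentional if the ingested value has been seen both as a GUID and as a string, but is worth confirming. Suggested fix: `"Type": "string"` for `TenantId`, `"Type": "bool"` for `enabled_b`, `"Type": "real"` for `newPlan_planWeight_d`.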


@ -132,6 +132,10 @@
{
"Name":"objectType_s",
"Type":"String"
},
{
"Name":"TimeGenerated",
"Type":"Datetime"
}
]
}
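Review bot: The added `TimeGenerated` entry spells its type `Datetime`, whereas other hunks in this commit use `datetime` (the new F5 and TrendMicro schemas), `DateTime` (the `TimeGenerated` entries added next to `RegistryValueName_s`, `workbenchId_s` and `severity_s`) and `Datetime` again for `alertTriggerTimestamp_t`. If the KQL validation compares type names case-sensitively these will not be treated as the same type; if it lowercases them the inconsistency is harmless but still confusing. Pick one spelling (the new schema files use `"Type": "datetime"`) and apply it in all the hunks named above. This file's `Properties` array starts outside the hunk.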


@ -0,0 +1,62 @@
{
"Name": "TrendMicro_XDR_Health_Check_CL",
"Properties":[
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "clpId",
"Type": "string"
},
{
"Name": "queryStartTime",
"Type": "datetime"
},
{
"Name": "queryEndTime",
"Type": "datetime"
},
{
"Name": "newWorkbenchCount",
"Type": "real"
},
{
"Name": "error_s",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}


@ -0,0 +1,490 @@
{
"Name": "TrendMicro_XDR_OAT_CL",
"Properties":[
{
"Name": "_ResourceId",
"Type": "string"
},
{
"Name": "authId_s",
"Type": "string"
},
{
"Name": "bitwiseFilterRiskLevel_d",
"Type": "real"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "detectionTime_t",
"Type": "datetime"
},
{
"Name": "deviceType_d",
"Type": "real"
},
{
"Name": "endpoint_guid_g",
"Type": "string"
},
{
"Name": "endpoint_name_s",
"Type": "string"
},
{
"Name": "endpointHostName_s",
"Type": "string"
},
{
"Name": "endpointIp_s",
"Type": "string"
},
{
"Name": "endpointMacAddress_s",
"Type": "string"
},
{
"Name": "entityName_s",
"Type": "string"
},
{
"Name": "entityType_s",
"Type": "string"
},
{
"Name": "eventHashId_s",
"Type": "string"
},
{
"Name": "eventId_s",
"Type": "string"
},
{
"Name": "eventSourceType_d",
"Type": "real"
},
{
"Name": "eventSubId_d",
"Type": "real"
},
{
"Name": "eventTime_d",
"Type": "real"
},
{
"Name": "filterRiskLevel_s",
"Type": "string"
},
{
"Name": "filters_s",
"Type": "string"
},
{
"Name": "firstSeen_s",
"Type": "string"
},
{
"Name": "ingestionTime_t",
"Type": "datetime"
},
{
"Name": "integrityLevel_d",
"Type": "real"
},
{
"Name": "lastSeen_s",
"Type": "string"
},
{
"Name": "logonUser_s",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "nativeDeviceCharacteristics_d",
"Type": "real"
},
{
"Name": "nativeDeviceType_d",
"Type": "real"
},
{
"Name": "nativeStorageDeviceBusType_d",
"Type": "real"
},
{
"Name": "objectAppName_s",
"Type": "string"
},
{
"Name": "objectAuthId_s",
"Type": "string"
},
{
"Name": "objectCmd_s",
"Type": "string"
},
{
"Name": "objectContentName_s",
"Type": "string"
},
{
"Name": "objectFileCreation_s",
"Type": "string"
},
{
"Name": "objectFileDaclString_s",
"Type": "string"
},
{
"Name": "objectFileHashId_s",
"Type": "string"
},
{
"Name": "objectFileHashMd5_g",
"Type": "string"
},
{
"Name": "objectFileHashSha1_s",
"Type": "string"
},
{
"Name": "objectFileHashSha256_s",
"Type": "string"
},
{
"Name": "objectFileModifiedTime_s",
"Type": "string"
},
{
"Name": "objectFilePath_s",
"Type": "string"
},
{
"Name": "objectFileSize_s",
"Type": "string"
},
{
"Name": "objectFirstSeen_s",
"Type": "string"
},
{
"Name": "objectHashId_s",
"Type": "string"
},
{
"Name": "objectIntegrityLevel_d",
"Type": "real"
},
{
"Name": "objectLastSeen_s",
"Type": "string"
},
{
"Name": "objectLaunchTime_s",
"Type": "string"
},
{
"Name": "objectName_s",
"Type": "string"
},
{
"Name": "objectPid_d",
"Type": "real"
},
{
"Name": "objectRawDataSize_s",
"Type": "string"
},
{
"Name": "objectRawDataStr_s",
"Type": "string"
},
{
"Name": "objectRegistryData_s",
"Type": "string"
},
{
"Name": "objectRegistryKeyHandle_s",
"Type": "string"
},
{
"Name": "objectRegistryRoot_d",
"Type": "real"
},
{
"Name": "objectRegistryValue_s",
"Type": "string"
},
{
"Name": "objectRegType_d",
"Type": "real"
},
{
"Name": "objectRunAsLocalAccount_b",
"Type": "bool"
},
{
"Name": "objectSessionId_s",
"Type": "string"
},
{
"Name": "objectSigner_s",
"Type": "string"
},
{
"Name": "objectSignerValid_s",
"Type": "string"
},
{
"Name": "objectSubTrueType_d",
"Type": "real"
},
{
"Name": "objectTrueType_d",
"Type": "real"
},
{
"Name": "objectUser_s",
"Type": "string"
},
{
"Name": "objectUserDomain_s",
"Type": "string"
},
{
"Name": "os_s",
"Type": "string"
},
{
"Name": "osDescription_s",
"Type": "string"
},
{
"Name": "osType_s",
"Type": "string"
},
{
"Name": "osVer_s",
"Type": "string"
},
{
"Name": "packageTraceId_g",
"Type": "string"
},
{
"Name": "parentAuthId_s",
"Type": "string"
},
{
"Name": "parentCmd_s",
"Type": "string"
},
{
"Name": "parentFileCreation_s",
"Type": "string"
},
{
"Name": "parentFileHashId_s",
"Type": "string"
},
{
"Name": "parentFileHashMd5_g",
"Type": "string"
},
{
"Name": "parentFileHashSha1_s",
"Type": "string"
},
{
"Name": "parentFileHashSha256_s",
"Type": "string"
},
{
"Name": "parentFileModifiedTime_s",
"Type": "string"
},
{
"Name": "parentFilePath_s",
"Type": "string"
},
{
"Name": "parentFileSize_s",
"Type": "string"
},
{
"Name": "parentHashId_s",
"Type": "string"
},
{
"Name": "parentIntegrityLevel_d",
"Type": "real"
},
{
"Name": "parentLaunchTime_s",
"Type": "string"
},
{
"Name": "parentName_s",
"Type": "string"
},
{
"Name": "parentPid_d",
"Type": "real"
},
{
"Name": "parentSessionId_d",
"Type": "real"
},
{
"Name": "parentSigner_s",
"Type": "string"
},
{
"Name": "parentSignerValid_s",
"Type": "string"
},
{
"Name": "parentTrueType_d",
"Type": "real"
},
{
"Name": "parentUser_s",
"Type": "string"
},
{
"Name": "parentUserDomain_s",
"Type": "string"
},
{
"Name": "pname_s",
"Type": "string"
},
{
"Name": "processCmd_s",
"Type": "string"
},
{
"Name": "processFileCreation_s",
"Type": "string"
},
{
"Name": "processFileModifiedTime_s",
"Type": "string"
},
{
"Name": "processFilePath_s",
"Type": "string"
},
{
"Name": "processFileSize_s",
"Type": "string"
},
{
"Name": "processHashId_s",
"Type": "string"
},
{
"Name": "processLaunchTime_s",
"Type": "string"
},
{
"Name": "processName_s",
"Type": "string"
},
{
"Name": "processPid_d",
"Type": "string"
},
{
"Name": "processSigner_s",
"Type": "real"
},
{
"Name": "processSignerValid_s",
"Type": "string"
},
{
"Name": "processTrueType_s",
"Type": "string"
},
{
"Name": "processUser_s",
"Type": "string"
},
{
"Name": "processUserDomain_s",
"Type": "string"
},
{
"Name": "productCode_s",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "searchDL_s",
"Type": "string"
},
{
"Name": "sessionId_d",
"Type": "string"
},
{
"Name": "source_s",
"Type": "real"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "tags_s",
"Type": "string"
},
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "string"
},
{
"Name": "timezone_s",
"Type": "datetime"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "userDomain_s",
"Type": "string"
},
{
"Name": "uuid_g",
"Type": "string"
},
{
"Name": "version_s",
"Type": "string"
},
{
"Name": "xdrCustomerId_g",
"Type": "string"
}
]
}
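Review bot: Several adjacent entries look like their types were shifted by one row: `TimeGenerated` is typed `string` while the following `timezone_s` is `datetime`, `processPid_d` is `string` while `processSigner_s` is `real`, and `sessionId_d` is `string` while `source_s` is `real`. Each pair reads correctly once swapped back (`TimeGenerated` → `datetime`, `timezone_s` → `string`, `processPid_d` → `real`, `processSigner_s` → `string`, `sessionId_d` → `real`, `source_s` → `string`). A `TimeGenerated` that validates as `string` would let time-window filters and `ago()` comparisons in analytic rules fail validation against this table, so this one is worth fixing before the `TrendMicroXDR` skip-list entry removed later in this commit is relied on.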


@ -0,0 +1,109 @@
{
"Name": "TrendMicro_XDR_RCA_Result_CL",
"Properties":[
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "agentEntity_host_s",
"Type": "string"
},
{
"Name": "xdrCustomerID_g",
"Type": "string"
},
{
"Name": "taskId_g",
"Type": "string"
},
{
"Name": "taskName_s",
"Type": "string"
},
{
"Name": "agentEntity_hostname_s",
"Type": "string"
},
{
"Name": "agentEntity_guid_g",
"Type": "string"
},
{
"Name": "agentEntity_ip_s",
"Type": "string"
},
{
"Name": "workbenchId_s",
"Type": "string"
},
{
"Name": "objectHashId_s",
"Type": "string"
},
{
"Name": "eventId_d",
"Type": "real"
},
{
"Name": "objectName_s",
"Type": "string"
},
{
"Name": "isMatched_b",
"Type": "bool"
},
{
"Name": "parentObjectId_s",
"Type": "string"
},
{
"Name": "objectMeta_s",
"Type": "string"
},
{
"Name": "objectEvent_s",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
},
{
"Name": "workbenchId_s",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "DateTime"
}
]
}
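Review bot: `workbenchId_s` and `TimeGenerated` each appear twice in `Properties`, and the two `TimeGenerated` entries disagree on type (`datetime` vs `DateTime`). Duplicate column names in a schema are at best redundant and at worst make the validator's behaviour depend on whether the first or last entry wins; drop the trailing `workbenchId_s`/`TimeGenerated` pair at the end of the array. The same duplication appears in `TrendMicro_XDR_RCA_Task_CL`, where `TimeGenerated` is also listed twice and `id`/`id_g`, `name`/`name_s`, `workbenchId`/`workbenchId_s`, `targets`/`targets_s` and `xdrCustomerID`/`xdrCustomerID_g` coexist.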


@ -0,0 +1,113 @@
{
"Name": "TrendMicro_XDR_RCA_Task_CL",
"Properties":[
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "xdrCustomerID",
"Type": "string"
},
{
"Name": "id",
"Type": "string"
},
{
"Name": "name",
"Type": "string"
},
{
"Name": "workbenchId",
"Type": "string"
},
{
"Name": "description",
"Type": "string"
},
{
"Name": "status",
"Type": "string"
},
{
"Name": "criteria_operator",
"Type": "string"
},
{
"Name": "criteria_conditions",
"Type": "string"
},
{
"Name": "createdTimestamp",
"Type": "real"
},
{
"Name": "lastUpdateTimestamp",
"Type": "real"
},
{
"Name": "completedTimestamp",
"Type": "real"
},
{
"Name": "targets",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
},
{
"Name": "workbenchId_s",
"Type": "string"
},
{
"Name": "id_g",
"Type": "string"
},
{
"Name": "name_s",
"Type": "string"
},
{
"Name": "xdrCustomerID_g",
"Type": "string"
},
{
"Name": "targets_s",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "DateTime"
}
]
}


@ -68,6 +68,19 @@
{
"Name":"RegistryValueName_s",
"Type":"String"
},
{
"Name": "alertTriggerTimestamp_t",
"Type": "Datetime"
},
{
"Name": "model_s",
"Type": "String"
},
{
"Name": "TimeGenerated",
"Type": "DateTime"
}
]
}


@ -37,6 +37,10 @@
"Name": "UserName",
"Type": "String"
},
{
"Name": "UserAgent",
"Type": "String"
},
{
"Name": "SourceIP",
"Type": "Int"
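Review bot: `SourceIP` is typed `Int` at the end of the hunk, a numeric type for what the name says is an IP address; if the column holds dotted-quad strings, KQL `ipv4_is_in_range`/`parse_ipv4` and string comparisons on it would be rejected by a validator trusting this schema. The entry is context rather than added by this commit, but since the commit touches the neighbouring `UserAgent` entry it is a cheap moment to change it to `"Type": "String"`. The enclosing `Properties` array starts and ends outside the hunk.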


@ -498,7 +498,7 @@
"Type": "String"
},
{
"Name": "answers_s",
"Name": "answers",
"Type": "String"
},
{
@ -518,7 +518,7 @@
"Type": "Double"
},
{
"Name": "qtype_name_s",
"Name": "qtype_name",
"Type": "String"
},
{
@ -778,7 +778,7 @@
"Type": "String"
},
{
"Name": "cipher_s",
"Name": "cipher",
"Type": "String"
},
{
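Review bot: Three columns change between suffixed and unsuffixed spellings (`answers_s`/`answers`, `qtype_name_s`/`qtype_name`, `cipher_s`/`cipher`), and the rendered page does not show which spelling is the new side. Because this file exists to validate column references in KQL, a rename here silently changes which queries pass; please confirm the chosen spelling against the live table and check the parsers and analytic rules that reference the other one. All three hunks sit inside a `Properties` array that starts and ends outside the view.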


@ -1,5 +1,5 @@
{
"Name":"Workplace_Facebook",
"Name":"Workplace_Facebook_CL",
"Properties":[
{
"Name":"EventVendor",


@ -1,5 +1,5 @@
{
"Name":"Zoom",
"Name":"Zoom_CL",
"Properties":[
{
"Name":"EventVendor",


@ -6,8 +6,12 @@
"Type": "String"
},
{
"Name": "severity",
"Name": "severity_s",
"Type": "String"
},
{
"Name": "TimeGenerated",
"Type": "DateTime"
}
]
}


@ -6,8 +6,12 @@
"Type": "String"
},
{
"Name": "severity",
"Name": "severity_s",
"Type": "String"
},
{
"Name": "TimeGenerated",
"Type": "DateTime"
}
]
}


@ -5,7 +5,7 @@
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="16.6.1" />
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="16.11.0" />
<PackageReference Include="Newtonsoft.Json.Schema" Version="3.0.14" />
<PackageReference Include="xunit" Version="2.4.1" />
<PackageReference Include="xunit.runner.visualstudio" Version="2.4.3">


@ -2586,12 +2586,8 @@
"templateName": "imDns_IPEntity_DnsEvents.yaml",
"validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
},
// Temporarily adding Data connector template id's for KQL Validations - Start
{
"id": "AbnormalSecurity",
"templateName": "AbnormalSecurity_API_FunctionApp.json",
"validationFailReason": "Temporarily Added for Data Connector KQL Queries validation"
},
{
"id": "Agari",
"templateName": "Agari_API_FunctionApp.json",
@ -2737,11 +2733,6 @@
"templateName": "Connector_KasperskySC_CEF.json",
"validationFailReason": "Temporarily Added for Data Connector KQL Queries validation"
},
{
"id": "MongoDB",
"templateName": "Connector_MongoDBAudit.json",
"validationFailReason": "Temporarily Added for Data Connector KQL Queries validation"
},
{
"id": "PostgreSQL",
"templateName": "Connector_PostgreSQL.json",
@ -2782,11 +2773,6 @@
"templateName": "Connector_Syslog_CiscoUCS.json",
"validationFailReason": "Temporarily Added for Data Connector KQL Queries validation"
},
{
"id": "GitLab",
"templateName": "Connector_Syslog_GitLab.json",
"validationFailReason": "Temporarily Added for Data Connector KQL Queries validation"
},
{
"id": "InfobloxNIOS",
"templateName": "Connector_Syslog_Infoblox.json",
@ -2822,31 +2808,16 @@
"templateName": "Connector_Syslog_SymantecVIP.json",
"validationFailReason": "Temporarily Added for Data Connector KQL Queries validation"
},
{
"id": "VMwarevCenter",
"templateName": "Connector_Syslog_vcenter.json",
"validationFailReason": "Temporarily Added for Data Connector KQL Queries validation"
},
{
"id": "WatchguardFirebox",
"templateName": "Connector_syslog_WatchGuardFirebox.json",
"validationFailReason": "Temporarily Added for Data Connector KQL Queries validation"
},
{
"id": "AIVectraStream",
"templateName": "Connector_VectraAI_Stream.json",
"validationFailReason": "Temporarily Added for Data Connector KQL Queries validation"
},
{
"id": "CrowdstrikeReplicator",
"templateName": "CrowdstrikeReplicator_API_FunctionApp.json",
"validationFailReason": "Temporarily Added for Data Connector KQL Queries validation"
},
{
"id": "CybersixgillActionableAlerts",
"templateName": "Cybersixgill_FunctionApp.json",
"validationFailReason": "Temporarily Added for Data Connector KQL Queries validation"
},
{
"id": "DarktraceRESTConnector",
"templateName": "DarktraceConnectorRESTAPI.json",
@ -2877,16 +2848,6 @@
"templateName": "ESI-ExchangeOnPremisesCollector.json",
"validationFailReason": "Temporarily Added for Data Connector KQL Queries validation"
},
{
"id": "F5BigIp",
"templateName": "F5BigIp.json",
"validationFailReason": "Temporarily Added for Data Connector KQL Queries validation"
},
{
"id": "Forcepoint_DLP",
"templateName": "Forcepoint DLP.json",
"validationFailReason": "Temporarily Added for Data Connector KQL Queries validation"
},
{
"id": "Forescout",
"templateName": "Forescout_syslog.json",
@ -2897,11 +2858,6 @@
"templateName": "ForescoutHostPropertyMonitor.json",
"validationFailReason": "Temporarily Added for Data Connector KQL Queries validation"
},
{
"id": "Fortinet",
"templateName": "Fortinet-FortiGate.json",
"validationFailReason": "Temporarily Added for Data Connector KQL Queries validation"
},
{
"id": "GCPIAMDataConnector",
"templateName": "GCP_IAM_API_FunctionApp.json",
@ -2922,11 +2878,6 @@
"templateName": "GWorkspaceReports_API_FunctionApp.json",
"validationFailReason": "Temporarily Added for Data Connector KQL Queries validation"
},
{
"id": "HolmSecurityAssets",
"templateName": "HolmSecurityAssets_API_FunctionApp.json",
"validationFailReason": "Temporarily Added for Data Connector KQL Queries validation"
},
{
"id": "iboss",
"templateName": "iboss_cef.json",
@ -2982,11 +2933,6 @@
"templateName": "Morphisec.json",
"validationFailReason": "Temporarily Added for Data Connector KQL Queries validation"
},
{
"id": "Netskope",
"templateName": "Netskope_API_FunctionApp.json",
"validationFailReason": "Temporarily Added for Data Connector KQL Queries validation"
},
{
"id": "NucleusCyberNCProtect",
"templateName": "NucleusCyberNCProtect.json",
@ -3017,11 +2963,6 @@
"templateName": "OCI_logs_API_FunctionApp.json",
"validationFailReason": "Temporarily Added for Data Connector KQL Queries validation"
},
{
"id": "OneIdentity",
"templateName": "OneIdentity.JSON",
"validationFailReason": "Temporarily Added for Data Connector KQL Queries validation"
},
{
"id": "OneLogin",
"templateName": "OneLogin_Webhooks_FunctionApp.json",
@ -3032,11 +2973,6 @@
"templateName": "OrcaSecurityAlerts.json",
"validationFailReason": "Temporarily Added for Data Connector KQL Queries validation"
},
{
"id": "Perimeter81ActivityLogs",
"templateName": "Perimeter81ActivityLogs.json",
"validationFailReason": "Temporarily Added for Data Connector KQL Queries validation"
},
{
"id": "PaloAltoPrismaCloud",
"templateName": "PrismaCloud_API_FunctionApp.json",
@ -3182,11 +3118,6 @@
"templateName": "TerndMicroCAS_API_FunctionApp.json",
"validationFailReason": "Temporarily Added for Data Connector KQL Queries validation"
},
{
"id": "TheHiveProjectTheHive",
"templateName": "TheHive_Webhooks_FunctionApp.json",
"validationFailReason": "Temporarily Added for Data Connector KQL Queries validation"
},
{
"id": "Theom",
"templateName": "Theom.json",
@ -3202,38 +3133,23 @@
"templateName": "TrendMicroTippingPoint.json",
"validationFailReason": "Temporarily Added for Data Connector KQL Queries validation"
},
{
"id": "TrendMicroXDR",
"templateName": "TrendMicroXDR.json",
"validationFailReason": "Temporarily Added for Data Connector KQL Queries validation"
},
{
"id": "VMwareCarbonBlack",
"templateName": "VMwareCarbonBlack_API_FunctionApp.json",
"validationFailReason": "Temporarily Added for Data Connector KQL Queries validation"
},
{
"id": "WorkplaceFacebook",
"templateName": "WorkplaceFacebook_Webhooks_FunctionApp.json",
"validationFailReason": "Temporarily Added for Data Connector KQL Queries validation"
},
{
"id": "ZimperiumMtdAlerts",
"templateName": "Zimperium MTD Alerts.json",
"validationFailReason": "Temporarily Added for Data Connector KQL Queries validation"
},
{
"id": "Zoom",
"templateName": "ZoomReports_API_FunctionApp.json",
"validationFailReason": "Temporarily Added for Data Connector KQL Queries validation"
},
{
"id": "CofenseTriage",
"templateName": "CofenseTriage_API_FunctionApp.json",
"validationFailReason": "Temporarily Added for Data Connector KQL Queries validation"
},
// Temporarily adding Data connector template id's for KQL Validations - End
// Temporarily adding Analytic rules and hunting queries id's for TI KQL Validations - Start


@ -515,5 +515,6 @@
"a2b67846-d66b-4047-bc84-78bfc993d5f3",
"9699e4c9-dca9-404b-be0b-6e342dd31aff",
"6084abc3-c4be-47d0-86f5-3c20fea63cea",
"cd8faa84-4464-4b4e-96dc-b22f50c27541"
"cd8faa84-4464-4b4e-96dc-b22f50c27541",
"5533fe80-905e-49d5-889a-df27d2c3976d"
]


@ -1,16 +1,16 @@
# Deletes saved functions from a Log Analytics workspace
This PowerShell script deletes saved functions from a Log Analytics workspace. It supports wildcards and enable batch cleaning the workspace from unneeded functions, especially when deploying a new function ARM tempalte such as those used by Microsoft Sentinel ASIM.
This PowerShell script deletes saved functions from a Log Analytics workspace. It supports wildcards and enables batch cleaning of the workspace from unneeded functions, especially when deploying a new function ARM template such as those used by Microsoft Sentinel ASIM.
The script accepts the following parameters:
| Parameter | Description |
| --------- | ----------- |
| FunctionName | A comma delimited list of names or wildcard patterns of the function to be delete. The list can also be specified without a parameter name. |
| FunctionName | A comma-delimited list of names or wildcard patterns of the function to be deleted. The list can also be specified without a parameter name. |
| WorkspaceName | The workspace the functions should be deleted from. |
| ResourceGroup | The resource group of the workspace. |
| Force | If specified, the user is not prompted for confirmation, enabling using the script as part of an automation (Optional). |
| Category | Delete functions only if they belong to this category (Optional). For example, currently all ASIM functions use the category ASIM, which enables ensuring that the script delete only ASIM functions even when using wildcards. |
| Force | If specified, the user is not prompted for confirmation, enabling using the script as part of automation (Optional). |
| Category | Delete functions only if they belong to this category (Optional). For example, currently, all ASIM functions use the category ASIM, which enables ensuring that the script deletes only ASIM functions even when using wildcards. |
| Emulate | If specified, the script will run without actually deleting, enabling you to list the functions about to be deleted first. |
|||
@ -32,4 +32,4 @@ List of functions in a workspace
``` PowerShell
PS> Delete-SentinelFunction * -Emulate -Subscription "Contoso Production" -Workspace contosoc_ws -ResourceGroup soc_rg
```
```



@ -4,7 +4,7 @@
azure-functions==1.8.0
boto3==1.9.180
requests==2.22.0
requests==2.31.0
adal==1.2.2
aiohttp==3.6.2
asn1crypto==0.24.0


@ -10,7 +10,7 @@ PY3 = sys.version_info.major == 3
# GENERAL SCRIPT CONSTANTS
DEFAULT_MACHINE_ENV = "Prod"
LOG_OUTPUT_FILE = "/tmp/cef_troubleshooter_output_file.log"
LOG_OUTPUT_FILE = "/tmp/troubleshooter_output_file.log"
PATH_FOR_CSS_TICKET = {
"Prod": "https://ms.portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview",
"MK": "https://portal.azure.cn/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview",
@ -827,7 +827,7 @@ def print_scenario(args):
"""
if list(vars(args).values()).count(True) > 1:
print_error("More than 1 stream provided. Please run the script again with only one scenario.\n"
"For more information run 'python cef_AMA_troubleshoot.py -h'. Exiting.")
"For more information run 'python Sentinel_AMA_troubleshoot.py -h'. Exiting.")
sys.exit(1)
else:
print_notice("The scenario chosen is: {}".format(STREAM_SCENARIO.upper()))
@ -879,7 +879,7 @@ def main():
if not args.collect:
print_notice(
"\nIf you would like to open a support case please run this script with the \'collect\' feature flag in order to collect additional system data for troubleshooting."
"\'python cef_AMA_troubleshoot.py [STREAM_OPTION] collect\'")
"\'python Sentinel_AMA_troubleshoot.py [STREAM_OPTION] collect\'")
if __name__ == '__main__':
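Review bot: The renamed `LOG_OUTPUT_FILE` still points at a fixed, predictable path under `/tmp` (`/tmp/troubleshooter_output_file.log`); in a shared temp directory another local user can pre-create that name or a symlink to it, and troubleshooting scripts of this kind are commonly run with elevated privileges, so the log could be written to a file the user did not choose. How the path is opened is outside the hunk, so this is inferred; if it is opened for writing without an exclusive-create flag, prefer `tempfile.mkstemp(prefix="troubleshooter_", suffix=".log")` (or a per-user directory) and print the generated name for the user. Separately, the user-facing messages now name `Sentinel_AMA_troubleshoot.py`, so check that any documentation still citing `cef_AMA_troubleshoot.py` is updated in the same change.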


@ -1,45 +0,0 @@
id: b185ac23-dc27-4573-8192-1134c7a95f4f
name: Dynamics Encryption Settings Changed
description: |
'This query looks for changes to the Data Encryption settings for Dynamics 365.
Reference: https://docs.microsoft.com/microsoft-365/compliance/office-365-encryption-in-microsoft-dynamics-365'
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: Dynamics365
dataTypes:
- Dynamics365Activity
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- DefenseEvasion
relevantTechniques:
- T1600
query: |
Dynamics365Activity
| extend Message = tostring(split(OriginalObjectId, ' ')[0])
| where Message =~ 'IsDataEncryptionActive'
| project-reorder TimeGenerated, Message, UserId, ClientIP, InstanceUrl, UserAgent
| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.1
kind: Scheduled
metadata:
source:
kind: Community
author:
name: Microsoft
support:
tier: Microsoft
categories:
domains: ["Cloud Provider","IT Operations","Storage"]


@ -1,64 +0,0 @@
id: 05eca115-c4b5-48e4-ba6e-07db57695be2
name: Mass Export of Dynamics 365 Records to Excel
description: |
'The query detects user exporting a large amount of records from Dynamics 365 to Excel, significantly more records exported than any other recent activity by that user.'
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: Dynamics365
dataTypes:
- Dynamics365Activity
queryFrequency: 1d
queryPeriod: 7d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Collection
relevantTechniques:
- T1530
query: |
let baseline_time = 7d;
let detection_time = 1d;
Dynamics365Activity
| where TimeGenerated between(ago(baseline_time)..ago(detection_time-1d))
| where OriginalObjectId contains 'ExportToExcel'
| extend numQueryCount = todouble(QueryResults)
| extend QueryCount = iif(QueryResults contains ",", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)
| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))
| summarize sum(QueryCount) by UserId
| extend HistoricalBaseline = sum_QueryCount
| join (Dynamics365Activity
| where TimeGenerated > ago(detection_time)
| where OriginalObjectId contains 'ExportToExcel'
| extend numQueryCount = todouble(QueryResults)
| extend QueryCount = iif(QueryResults contains ",", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)
| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))
| summarize sum(QueryCount) by UserId
| extend CurrentExportRate = sum_QueryCount) on UserId
| where CurrentExportRate > HistoricalBaseline
| project UserId, HistoricalBaseline, CurrentExportRate
| join kind=inner(Dynamics365Activity
| where TimeGenerated > ago(detection_time)
| where OriginalObjectId contains 'ExportToExcel'
| extend numQueryCount = todouble(QueryResults)
| extend QueryCount = iif(QueryResults contains ",", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)
| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))) on UserId
| project TimeGenerated, UserId, QueryCount, UserAgent, OriginalObjectId, ClientIP, HistoricalBaseline, CurrentExportRate, CorrelationId, CrmOrganizationUniqueName
| summarize QuerySizes = make_set(QueryCount), MostRecentQuery = max(TimeGenerated), IPs = make_set(ClientIP), UserAgents = make_set(UserAgent) by UserId, CrmOrganizationUniqueName, HistoricalBaseline, CurrentExportRate
| extend timestamp = MostRecentQuery, AccountCustomEntity = UserId
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
version: 1.0.1
kind: Scheduled
metadata:
source:
kind: Community
author:
name: Microsoft
support:
tier: Microsoft
categories:
domains: ["Cloud Provider","IT Operations","Storage"]


@ -1,49 +0,0 @@
id: e147e4dc-849c-49e9-9e8b-db4581951ff4
name: New Dynamics 365 Admin Activity
description: |
'Detects users conducting administrative activity in Dynamics 365 where they have not had admin rights before.'
severity: Low
status: Available
requiredDataConnectors:
- connectorId: Dynamics365
dataTypes:
- Dynamics365Activity
queryFrequency: 1d
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1078
query: |
let baseline_time = 14d;
let detection_time = 1h;
Dynamics365Activity
| where TimeGenerated between(ago(baseline_time)..ago(detection_time))
| where UserType =~ 'admin'
| extend Message = tostring(split(OriginalObjectId, ' ')[0])
| summarize by UserId
| join kind=rightanti
(Dynamics365Activity
| where TimeGenerated > ago(detection_time)
| where UserType =~ 'admin')
on UserId
| summarize Actions = make_set(Message), MostRecentAction = max(TimeGenerated), IPs=make_set(ClientIP), UserAgents = make_set(UserAgent) by UserId
| extend timestamp = MostRecentAction, AccountCustomEntity = UserId
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
version: 1.0.1
kind: Scheduled
metadata:
source:
kind: Community
author:
name: Microsoft
support:
tier: Microsoft
categories:
domains: ["Cloud Provider","IT Operations","Storage"]


@ -1,57 +0,0 @@
id: 8ec3a7f9-9f55-4be3-aeb6-9188f91b278e
name: New Dynamics 365 User Agent
description: |
'Detects users accessing Dynamics from a User Agent that has not been seen the 14 days. Has configurable filter for known good user agents such as PowerApps. Also includes optional section to exclude User Agents to indicate a browser being used.'
severity: Low
status: Available
requiredDataConnectors:
- connectorId: Dynamics365
dataTypes:
- Dynamics365Activity
queryFrequency: 1d
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1078
query: |
let lookback = 14d;
let timeframe = 1d;
let user_accounts = "(([a-zA-Z]{1,})\\.([a-zA-Z]{1,}))@.*";
let known_useragents = dynamic([]);
Dynamics365Activity
| where TimeGenerated between(ago(lookback)..ago(timeframe))
| where isnotempty(UserAgent)
| summarize by UserAgent, UserId
| join kind = rightanti (Dynamics365Activity
| where TimeGenerated > ago(timeframe)
| where isnotempty(UserAgent)
| where UserAgent !in~ (known_useragents)
| where UserAgent !hasprefix "azure-logic-apps" and UserAgent !hasprefix "PowerApps"
| where UserId matches regex user_accounts)
on UserAgent, UserId
// Uncomment this section to exclude user agents with a rendering engine, indicating browsers.
//| join kind = leftanti(
//Dynamics365Activity
//| where TimeGenerated between(ago(lookback)..ago(timeframe))
//| where UserAgent has_any ("Gecko", "WebKit", "Presto", "Trident", "EdgeHTML", "Blink")) on UserAgent
| summarize FirstSeen = min(TimeGenerated), IPs = make_set(ClientIP) by UserAgent, UserId
| extend timestamp = FirstSeen, AccountCustomEntity = UserId
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
version: 1.0.1
kind: Scheduled
metadata:
source:
kind: Community
author:
name: Microsoft
support:
tier: Microsoft
categories:
domains: ["Cloud Provider","IT Operations","Storage"]


@ -1,48 +0,0 @@
id: 572f3951-5fa3-4e42-9640-fe194d859419
name: New Office User Agent in Dynamics 365
description: |
'Detects users accessing Dynamics from a User Agent that has not been seen in any Office 365 workloads in the last 7 days. Has configurable filter for known good user agents such as PowerApps.'
severity: Low
status: Available
requiredDataConnectors:
- connectorId: Dynamics365
dataTypes:
- Dynamics365Activity
queryFrequency: 1d
queryPeriod: 7d
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1078
query: |
let timeframe = 1h;
let lookback = 7d;
let known_useragents = dynamic([]);
Dynamics365Activity
| where TimeGenerated > ago(timeframe)
| extend Message = tostring(split(OriginalObjectId, ' ')[0])
| where Message =~ "UserSignIn"
| extend IPAddress = tostring(split(ClientIP, ":")[0])
| where isnotempty(UserAgent)
// Exclude user agents with a render agent to reduce noise
| where UserAgent has_any ("Gecko", "WebKit", "Presto", "Trident", "EdgeHTML", "Blink")
| join kind=leftanti(
OfficeActivity
| where TimeGenerated > ago(lookback)
| where UserAgent !in~ (known_useragents))
on UserAgent
| summarize MostRecentActivity=max(TimeGenerated), IPs=make_set(IPAddress), Users=make_set(UserId), Actions=make_set(OriginalObjectId) by UserAgent
| extend timestamp = MostRecentActivity
version: 1.0.1
kind: Scheduled
metadata:
source:
kind: Community
author:
name: Microsoft
support:
tier: Microsoft
categories:
domains: ["Cloud Provider","IT Operations","Storage"]


@ -1,67 +0,0 @@
id: 93a25f10-593d-4c57-a752-a8a75f031425
name: Dynamics 365 - User Bulk Retrieval Outside Normal Activity
description: |
'This query detects users retrieving significantly more records from Dynamics 365 than they have in the past 2 weeks. This could indicate potentially unauthorized access to data within Dynamics 365.'
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: Dynamics365
dataTypes:
- Dynamics365Activity
queryFrequency: 1d
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Collection
relevantTechniques:
- T1530
query: |
let baseline_time = 14d;
let detection_time = 1d;
Dynamics365Activity
| where TimeGenerated between(ago(baseline_time)..ago(detection_time-1d))
| extend Message = tostring(split(OriginalObjectId, ' ')[0])
| where Message =~ "RetrieveMultiple"
| extend numQueryCount = todouble(QueryResults)
| extend QueryCount = iif(QueryResults contains ",", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)
| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))
| summarize sum(QueryCount) by UserId
| extend HistoricalBaseline = sum_QueryCount
| join (Dynamics365Activity
| where TimeGenerated > ago(detection_time)
| extend Message = tostring(split(OriginalObjectId, ' ')[0])
| where Message =~ "RetrieveMultiple"
| extend numQueryCount = todouble(QueryResults)
| extend QueryCount = iif(QueryResults contains ",", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)
| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))
| summarize sum(QueryCount) by UserId
| extend CurrentExportRate = sum_QueryCount) on UserId
| where CurrentExportRate > HistoricalBaseline
| project UserId, HistoricalBaseline, CurrentExportRate
| join kind=inner(Dynamics365Activity
| where TimeGenerated > ago(detection_time)
| extend Message = tostring(split(OriginalObjectId, ' ')[0])
| where Message =~ "RetrieveMultiple"
| extend numQueryCount = todouble(QueryResults)
| extend QueryCount = iif(QueryResults contains ",", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)
| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))) on UserId
| project TimeGenerated, UserId, QueryCount, UserAgent, Message, ClientIP, HistoricalBaseline, CurrentExportRate, CorrelationId, CrmOrganizationUniqueName, Query
| summarize QuerySizes = make_set(QueryCount), MostRecentQuery = max(TimeGenerated), IPs = make_set(ClientIP), UserAgents = make_set(UserAgent), make_set(Query) by UserId, CrmOrganizationUniqueName, HistoricalBaseline, CurrentExportRate
| extend timestamp = MostRecentQuery, AccountCustomEntity = UserId
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
version: 1.0.1
kind: Scheduled
metadata:
source:
kind: Community
author:
name: Microsoft
support:
tier: Microsoft
categories:
domains: ["Cloud Provider","IT Operations","Storage"]


@ -1,6 +1,8 @@
id: b09d6e57-c48b-491d-9c2b-ab73018e6534
name: Consent to Application discovery
description: |
'This query looks at the last 14 days for "Consent to application" operation by a user/app which could potentially mean unauthorized access. Additional context is added from AuditLogs based on CorrleationId from the same account that performed the action.'
description_detailed: |
'This query looks at the last 14 days for any "Consent to application" operation
occurs by a user or app. This could indicate that permissions to access the listed AzureApp
was provided to a malicious actor. Consent to appliction, Add service principal and
@ -96,4 +98,4 @@ metadata:
support:
tier: Community
categories:
domains: [ "Security - Threat Protection" ]
domains: [ "Security - Threat Protection" ]
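Review bot: The new one-line `description` at the top of the first hunk misspells the column it refers to as "CorrleationId"; it should read `CorrelationId`, since analysts see this text and will look for that column in AuditLogs. The text retained under the new `description_detailed` key also carries the pre-existing typo "appliction" for "application", worth fixing while the block is being touched. The `description_detailed` block continues outside the hunk, and the second hunk changes only the final `domains` line.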


@ -1,48 +0,0 @@
id: 7498594f-e3a7-4e02-9280-a07be9cfd38a
name: Dynamics 365 Activity After Azure AD Alerts
description: |
'This hunting query looks for users conducting Dynamics 365 activity shortly after Azn Azure AD Identity Protection alert for that user. The query only looks for users not seen before or conducting Dynamics activity not previously seen.'
requiredDataConnectors:
- connectorId: Dynamics365
dataTypes:
- Dynamics365Activity
tactics:
- InitialAccess
relevantTechniques:
- T1078
query: |
let match_window = 1h;
let analysis_window = 1d;
let lookback_window = 7d;
SecurityAlert
| where TimeGenerated > ago(analysis_window)
| where ProviderName == 'IPC'
| extend UserName = tostring(parse_json(ExtendedProperties).["User Account"])
| extend UserName = tolower(UserName)
| extend TimeKey = bin(TimeGenerated, match_window)
| join kind=inner(Dynamics365Activity
| where TimeGenerated > ago(analysis_window)
| extend UserName = tolower(UserId)
| extend TimeKey = bin(TimeGenerated, match_window))
on UserName, TimeKey
| join kind=leftanti(Dynamics365Activity
| where TimeGenerated between(ago(lookback_window)..ago(analysis_window))
| extend UserName = tolower(UserId))
on UserName, OriginalObjectId
| summarize Actions = make_set(OriginalObjectId), MostRecentAction = max(TimeGenerated1), IPs = make_set(split(tostring(ClientIP), ':')[0]), AADAlerts=make_set(Description), MostRecentAlert = max(TimeGenerated) by UserName
| extend timestamp = MostRecentAction, AccountCustomEntity = UserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
version: 1.0.2
metadata:
source:
kind: Community
author:
name: Microsoft
support:
tier: Microsoft
categories:
domains: ["Cloud Provider","IT Operations","Storage"]


@ -1,42 +0,0 @@
id: 0ea22925-998d-42ea-9ff6-0c32af4ff835
name: Dynamics 365 Activity After Failed Logons
description: |
'This hunting query looks for users conducting Dynamics 365 activity shortly after a number of failed logons. Use this to look for potential post brute force activity. Adjust the threshold figure based on false positive rate.'
requiredDataConnectors:
- connectorId: Dynamics365
dataTypes:
- Dynamics365Activity
tactics:
- InitialAccess
relevantTechniques:
- T1078
query: |
let threshold = 10;
SigninLogs
| where ResultType in ("50125", "50140", "70043", "70044")
| summarize count() by IPAddress
| where count_ >= threshold
| join (Dynamics365Activity
| extend IPAddress = tostring(split(ClientIP, ":")[0]))
on IPAddress
| project-rename FailedLogonCount = count_
| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = IPAddress
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.2
metadata:
source:
kind: Community
author:
name: Microsoft
support:
tier: Microsoft
categories:
domains: ["Cloud Provider","IT Operations","Storage"]


@ -0,0 +1,74 @@
id: 0576750e-6b61-4545-845f-f5b8f29a0cc4
name: Email Forwarding Configuration with SAP download
description: |
'This query could help detect any external email forwarding configuration activity with SAP download for sensitive financial transaction related keywords. Attackers may perform such operation for financial gain, Intellectual Property theft or to cause disruption of operation to an organization.'
requiredDataConnectors:
- connectorId: SAP
dataTypes:
- SAPAuditLog
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- connectorId: Office365
dataTypes:
- OfficeActivity
tactics:
- InitialAccess
- Collection
- Exfiltration
relevantTechniques:
- T1078
- T1114
- T1020
query: |
let Keywords = dynamic(["payroll", "invoice", "payment", "statement", "confidential", "bank account", "wire", "wire transfer"]);
EmailEvents
| extend Account = tostring(split(SenderFromAddress, '@', 0)[0]), UPNSuffix = tostring(split(SenderFromAddress, '@', 1)[0])
| project NetworkMessageId, Account, RecipientEmailAddress, SenderIPv4, Subject, EmailAction, DeliveryLocation, TenantId
| join kind=innerunique
(OfficeActivity
| where OfficeWorkload =~ "Exchange"
| where Operation in~ ("Set-Mailbox", "New-InboxRule", "Set-InboxRule")
| where Parameters has_any ("ForwardTo", "RedirectTo", "ForwardingSmtpAddress")
| extend Events=todynamic(Parameters)
| where UserId has "@"
| extend Account = tostring(split(UserId, '@', 0)[0]), UPNSuffix = tostring(split(UserId, '@', 1)[0])
| parse Events with * "SubjectContainsWords" SubjectContainsWords '}'*
| parse Events with * "BodyContainsWords" BodyContainsWords '}'*
| parse Events with * "SubjectOrBodyContainsWords" SubjectOrBodyContainsWords '}'*
| where SubjectContainsWords has_any (Keywords) or BodyContainsWords has_any (Keywords) or SubjectOrBodyContainsWords has_any (Keywords)
| extend ClientIPAddress = case( ClientIP has ".", tostring(split(ClientIP,":")[0]), ClientIP has "[", tostring(trim_start(@'[[]',tostring(split(ClientIP,"]")[0]))), ClientIP )
| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))
| extend RuleDetail = case(OfficeObjectId contains '/' , tostring(split(OfficeObjectId, '/')[-1]) , tostring(split(OfficeObjectId, '\\')[-1]))
| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail,Account)
on Account
| join kind=inner
(
SAPAuditLog
| where MessageID == "AUY" //AUY= Download bytes
| extend ByteCount= toint(replace_string(replace_string(Variable1, ".",""), ",","")), Code=Variable2, Path= Variable3
| summarize DownloadsByUser = count(), Paths= make_set(Variable3, 10), ByteCount=sum(ByteCount) by SystemID, ClientID, User, TerminalIPv6, Email, Host, TransactionCode, Instance
| where Paths has_any (Keywords)
) on $left.Account == $right.User, $left.RecipientEmailAddress == $right. Email
| project StartTimeUtc, Account, SenderIPv4, Email, Host, Keyword, NetworkMessageId, OfficeObjectId, Paths, Subject, SystemID, TenantId, ClientID, DeliveryLocation, TransactionCode
| extend UserName = tostring(split(Account, '@', 0)[0]), UPNSuffix = tostring(split(Account, '@', 1)[0])
| extend Account_0_Name = UserName
| extend Account_0_UPNSuffix = UPNSuffix
| extend IP_0_Address = SenderIPv4
| extend Host_0_HostName = Host
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: UserName
- identifier: UPNSuffix
columnName: UPNSuffix
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: Host
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SenderIPv4
version: 1.0.0
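Review bot: `| extend UserName = tostring(split(Account, '@', 0)[0]), UPNSuffix = tostring(split(Account, '@', 1)[0])` near the end of the query re-derives both values from `Account`, but `Account` was already reduced to the part before '@' at the top of the query and the original `UPNSuffix` is dropped by the `project` right after `EmailEvents` and again by the `project` after the SAP join, so the `UPNSuffix` entity mapping is left empty for every result. Carry the suffix through instead: add it to both project lists, `| project NetworkMessageId, Account, UPNSuffix, RecipientEmailAddress, SenderIPv4, Subject, EmailAction, DeliveryLocation, TenantId` and `| project StartTimeUtc, Account, UPNSuffix, SenderIPv4, Email, Host, Keyword, NetworkMessageId, OfficeObjectId, Paths, Subject, SystemID, TenantId, ClientID, DeliveryLocation, TransactionCode`, and replace the re-split with `| extend UserName = Account`. The SAP join predicate `$left.RecipientEmailAddress == $right. Email` has a stray space after `$right.`; remove it rather than rely on the parser tolerating it. `ByteCount` is converted with `toint` before being summed, which cannot represent download totals beyond the 32-bit range; `tolong` is the safer choice there.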

47
Logos/Dynamics365.svg Normal file

@ -0,0 +1,47 @@
<svg width="96" height="96" viewBox="0 0 96 96" fill="none" xmlns="http://www.w3.org/2000/svg">
<g clip-path="url(#5c4323e9-bccf-4173-9a63-230b0a6cbf31)">
<defs>
<filter id="98748e04-354a-4bbe-88fe-925f9d83cf56">
<feFlood flood-opacity="0" result="BackgroundImageFix"/>
<feBlend mode="normal" in="SourceGraphic" in2="BackgroundImageFix" result="shape"/>
<feGaussianBlur stdDeviation="0.4" result="effect1_foregroundBlur"/>
</filter>
<filter id="2ef9ea67-0b28-4d5f-9ab0-d87228903584">
<feFlood flood-opacity="0" result="BackgroundImageFix"/>
<feBlend mode="normal" in="SourceGraphic" in2="BackgroundImageFix" result="shape"/>
<feGaussianBlur stdDeviation="4" result="effect1_foregroundBlur"/>
</filter>
<linearGradient id="9cbdce2e-c186-46c1-bd94-e0f83979478b" x1="38.0451" y1="-1" x2="56.6585" y2="47.7233" gradientUnits="userSpaceOnUse">
<stop stop-color="#0B53CE"/>
<stop offset="1" stop-color="#7252AA"/>
</linearGradient>
<linearGradient id="3bba1c32-c017-45d2-936b-c64e5c618f2a" x1="64.1377" y1="93.4922" x2="64.1377" y2="35.4151" gradientUnits="userSpaceOnUse">
<stop stop-color="#2266E3"/>
<stop offset="1" stop-color="#AE7FE2"/>
</linearGradient>
<linearGradient id="b67040e7-9361-49b1-93d4-5145ed213c69" x1="82" y1="56.7858" x2="62.0764" y2="56.7858" gradientUnits="userSpaceOnUse">
<stop stop-color="#94B9FF"/>
<stop offset="0.287843" stop-color="#94B9FF" stop-opacity="0.523646"/>
<stop offset="1" stop-color="#538FFF" stop-opacity="0"/>
</linearGradient>
<clipPath id="5c4323e9-bccf-4173-9a63-230b0a6cbf31">
<rect width="96" height="96" fill="white"/>
</clipPath>
</defs>
<mask id="db4783d4-1ae9-4409-98dd-c4591e00df94" mask-type="alpha" maskUnits="userSpaceOnUse" x="12" y="0" width="70" height="96">
<path d="M82.0001 31.047C82.0001 26.8209 79.3434 23.051 75.3634 21.6296L17.3453 0.90903C14.7404 -0.0213096 12 1.90988 12 4.676V36.1811C12 37.8715 13.0627 39.3795 14.6547 39.9481L40.6547 49.2338C43.2596 50.1641 46 48.2329 46 45.4668V27.3768C46 25.9794 47.3966 25.0127 48.7044 25.5049L55.5222 28.0707C59.4195 29.5374 62 33.2657 62 37.4299V45.3076L32.6272 56.0399C31.0495 56.6164 30 58.1172 30 59.797V91.2797C30 94.0582 32.7631 95.9903 35.3728 95.0367L75.432 80.3996C79.3763 78.9584 82 75.2064 82 71.007L82.0001 31.047Z" fill="white"/>
</mask>
<g mask="url(#db4783d4-1ae9-4409-98dd-c4591e00df94)">
<path d="M12 -1L82.0001 23.9998V58.3245C82.0001 61.0905 79.2601 63.0217 76.6551 62.0917L62 56.8593V37.4241C62 33.258 59.4171 29.5283 55.5172 28.063L48.7034 25.5029C47.3957 25.0116 46 25.9782 46 27.3751V51.1428L12 39V-1Z" fill="url(#9cbdce2e-c186-46c1-bd94-e0f83979478b)"/>
<g filter="url(#98748e04-354a-4bbe-88fe-925f9d83cf56)">
<path d="M82 31.3998V31.3998C82 35.5992 79.3763 39.3586 75.4319 40.7998L30 57.3999V97.3999L82 78.3998V31.3998Z" fill="black" fill-opacity="0.24"/>
</g>
<g filter="url(#2ef9ea67-0b28-4d5f-9ab0-d87228903584)">
<path d="M82 32.9998V32.9998C82 37.1992 79.3763 40.9585 75.4319 42.3997L30 58.9999V98.9999L82 79.9998V32.9998Z" fill="black" fill-opacity="0.32"/>
</g>
<path d="M82 30.9998V30.9998C82 35.1992 79.3763 38.9585 75.4319 40.3997L30 56.9999V96.9999L82 77.9998V30.9998Z" fill="url(#3bba1c32-c017-45d2-936b-c64e5c618f2a)"/>
<path opacity="0.5" d="M82 30.9998V30.9998C82 35.1992 79.3763 38.9585 75.4319 40.3997L30 56.9999V96.9999L82 77.9998V30.9998Z" fill="url(#b67040e7-9361-49b1-93d4-5145ed213c69)"/>
<path opacity="0.5" d="M62.0013 45.3202L45.9922 51.1768L45.9923 74.6349C45.9923 76.0323 47.389 76.9989 48.6968 76.5066L55.5241 73.9368C59.4211 72.4699 62.0013 68.7418 62.0013 64.5779V45.3202Z" fill="#B0ADFF"/>
</g>
</g>
</svg>



@ -36,10 +36,9 @@ let FailedLogon = SQlData
| where EventLevelName has "error"
| where RenderedDescription startswith "Login"
| parse kind=regex RenderedDescription with "Login" LogonResult:string
"for user '" CurrentUser:string
"'. Reason:" Reason:string
"provided" *
| parse kind=regex RenderedDescription with * "CLIENT" * ":" ClientIP:string
"for user '" CurrentUser:string
"'. Reason:" Reason:string " \\[" *
| parse kind=regex RenderedDescription with * "CLIENT" * ":" ClientIP:string
"]" *
;
let dbfailedLogon = SQlData
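Review bot: In `parse kind=regex` the string constants are regular expressions, so the unescaped `.` in the new `"'. Reason:" Reason:string " \\[" *` matches any character rather than the literal period; writing it as `"'\\. Reason:" Reason:string " \\[" *` keeps the pattern as strict as the `\\[` escape on the same line already intends. If the source message reads `[CLIENT: <address>]`, the unchanged `* "CLIENT" * ":" ClientIP:string "]" *` capture keeps the leading space before the address, which would break later equality joins on `ClientIP`; confirm against a sample event. The `let FailedLogon` statement starts outside the hunk and its consumers are not visible here.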

Playbooks/Get-SOCTasks/images/tasks.png Normal file



@ -0,0 +1,27 @@
# Get-SOCTasks
## Overview
This playbook is an updated version of Get-SOCActions found in the Sentinel Solution: [SOC Process Framework][https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-s-new-soc-process-framework-is-now-live-in-content-hub/ba-p/3590349]. The playbook uses the SOCRA Watchlist to automatically enrich incidents generated by Microsoft Sentinel with Tasks to review and take. Tasks will be evaluated per Customer Organization and edited/modified per their standards of conduct.
## Prerequisites
This playbook does a watchlist lookup using an API connection created with in the LogicApp of this playbook to the SOCRA Watchlist and writes the recommended actions as tasks to the working incident. Ensure you have deployed the SOCRA Watchlist prior to deploying this playbook.
## Deployment
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FGet-SOCTasks%2Fazuredeploy.json" target="_blank">
<img src="https://aka.ms/deploytoazurebutton"/>
</a>
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2Get-SOCTasks%2Fazuredeploy.json" target="_blank">
<img src="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png"/>
</a>
### Post-Deployment Instructions
After deploying the playbook, you must authorize the connections leveraged.
1. Visit the playbook resource.
2. Under "Development Tools" (located on the left), click "API Connections".
3. Ensure each connection has been authorized.
**Note: Each A# column contains a action, this logic app will use '-' dash as a delimter between the title and description of the task to be added**
![tasks](../Get-SOCTasks/images/tasks.png)


@ -1,33 +0,0 @@
# Isolate-MDE-Machine-entityTrigger
author: Benji Kovacevic
This playbook will isolate Microsoft Defender for Endpoint (MDE) device using entity trigger.
# Prerequisites
None.
# Quick Deployment
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FIsolate-MDE-Machine-entityTrigger%2Fazuredeploy.json)
[![Deploy to Azure Gov](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FIsolate-MDE-Machine-entityTrigger%2Fazuredeploy.json)
<br><br>
# Post-deployment
1. Assign Microsoft Sentinel Responder role to the managed identity. To do so, choose Identity blade under Settings of the Logic App.
2. Assign User.ReadWrite.All and Directory.ReadWrite.All API permissions to the managed identity.<br>
```powershell
$MIGuid = "<Enter your managed identity guid here>"
$MI = Get-AzureADServicePrincipal -ObjectId $MIGuid
$GraphAppId = "fc780465-2017-40d4-a0c5-307022471b92"
$PermissionName1 = "Machine.Isolate"
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
$AppRole1 = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName1 -and $_.AllowedMemberTypes -contains "Application"}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
-ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole1.Id
```
# Screenshots
**Playbook** <br>
![playbook screenshot](./images/playbookDark.jpg)<br>


@ -1,38 +0,0 @@
# Revoke-AADSignIn-Session-entityTrigger
author: Benji Kovacevic
This playbook will revoke user's sign-in sessions and user will have to perform authentication again. It invalidates all the refresh tokens issued to applications for a user (as well as session cookies in a user's browser), by resetting the signInSessionsValidFromDateTime user property to the current date-time.
# Prerequisites
None.
# Quick Deployment
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FRevoke-AADSignIn-Session-entityTrigger%2Fazuredeploy.json)
[![Deploy to Azure Gov](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FRevoke-AADSignIn-Session-entityTrigger%2Fazuredeploy.json)
<br><br>
# Post-deployment
1. Assign Microsoft Sentinel Responder role to the managed identity. To do so, choose Identity blade under Settings of the Logic App.
2. Assign User.ReadWrite.All and Directory.ReadWrite.All API permissions to the managed identity.<br>
```powershell
$MIGuid = "<Enter your managed identity guid here>"
$MI = Get-AzureADServicePrincipal -ObjectId $MIGuid
$GraphAppId = "00000003-0000-0000-c000-000000000000"
$PermissionName1 = "User.ReadWrite.All"
$PermissionName2 = "Directory.ReadWrite.All"
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
$AppRole1 = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName1 -and $_.AllowedMemberTypes -contains "Application"}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
-ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole1.Id
$AppRole2 = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName2 -and $_.AllowedMemberTypes -contains "Application"}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
-ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole2.Id
```
# Screenshots
**Playbook** <br>
![playbook screenshot](./images/playbookDark.jpg)<br>


@ -1,58 +0,0 @@
# Revoke-AADSignInSessions
author: Nicholas DiCola
This playbook will revoke all signin sessions for the user using Graph API. It will send and email to the user's manager.
## Quick Deployment
**Deploy with incident trigger** (recommended)
After deployment, attach this playbook to an **automation rule** so it runs when the incident is created.
[Learn more about automation rules](https://docs.microsoft.com/azure/sentinel/automate-incident-handling-with-automation-rules#creating-and-managing-automation-rules)
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FRevoke-AADSignInSessions%2Fincident-trigger%2Fazuredeploy.json" target="_blank">
<img src="https://aka.ms/deploytoazurebutton""/>
</a>
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FRevoke-AADSignInSessions%2Fincident-trigger%2Fazuredeploy.json" target="_blank">
<img src="https://aka.ms/deploytoazuregovbutton"/>
</a>
**Deploy with alert trigger**
After deployment, you can run this playbook manually on an alert or attach it to an **analytics rule** so it will rune when an alert is created.
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FRevoke-AADSignInSessions%2Falert-trigger%2Fazuredeploy.json" target="_blank">
<img src="https://aka.ms/deploytoazurebutton""/>
</a>
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FRevoke-AADSignInSessions%2Falert-trigger%2Fazuredeploy.json" target="_blank">
<img src="https://aka.ms/deploytoazuregovbutton"/>
</a>
## Prerequisites
- You will need to grant User.ReadWrite.All permissions to the managed identity. Run the following code replacing the managed identity object id. You find the managed identity object id on the Identity blade under Settings for the Logic App.
```powershell
$MIGuid = "<Enter your managed identity guid here>"
$MI = Get-AzureADServicePrincipal -ObjectId $MIGuid
$GraphAppId = "00000003-0000-0000-c000-000000000000"
$PermissionName = "User.ReadWrite.All"
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
$AppRole = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application"}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
-ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id
```
## Screenshots
**Incident Trigger**<br>
![Incident Trigger](./incident-trigger/images/Revoke-AADSignInSessions_incident.png)<br>
**Alert Trigger**<br>
![Alert Trigger](./alert-trigger/images/Revoke-AADSignInSessions_alert.png)<br>


@ -1,528 +0,0 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"title": "Incident tasks - Microsoft 365 Defender Phishing Playbook for SecOps",
"description": "This playbook add Incident Tasks based on Microsoft 365 Defender Phishing Playbook for SecOps. This playbook will walk the analyst through four stages of responding to a phishing incident: containment, investigation, remediation and prevention. The step-by-step instructions will help you take the required remedial action to protect information and minimize further risks.",
"prerequisites": "",
"postDeployment": ["1. Add Microsoft Sentinel Responder role to the managed identity.", "2. Assign playbook to the automation rule."],
"prerequisitesDeployTemplateFile": "",
"lastUpdateTime": "2022-12-20T00:00:00.000Z",
"entities": [],
"tags": ["Tasks"],
"support": {
"tier": "community",
"armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
},
"author": {
"name": "Benji Kovacevic"
}
},
"parameters": {
"PlaybookName": {
"defaultValue": "M365D_Phishing_Playbook_for_SecOps-Tasks",
"type": "string"
}
},
"variables": {
"MicrosoftsentinelConnectionName": "[concat('Microsoftsentinel-', parameters('PlaybookName'))]"
},
"resources": [
{
"properties": {
"provisioningState": "Succeeded",
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"Microsoft_Sentinel_incident": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
}
},
"path": "/incident-creation"
}
}
},
"actions": {
"Condition": {
"actions": {
"Scope_-_Contain": {
"actions": {
"Add_task_to_incident_-_Contain": {
"runAfter": {
"Compose_-_Contain": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"taskDescription": "<p>@{outputs('Compose_-_Contain')}</p>",
"taskTitle": "Contain"
},
"host": {
"connection": {
"name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/CreateTask"
}
},
"Compose_-_Contain": {
"runAfter": {},
"type": "Compose",
"inputs": "<b>•Which assets are involved?</b>\n<dd>•If an endpoint performed any suspicious activity, consider <a target='_blank' href=\"https://docs.microsoft.com/microsoft-365/security/defender-endpoint/respond-machine-alerts#isolate-devices-from-the-network\">isolating the device</a> in M365D or <a target='_blank' href=\"https://learn.microsoft.com/azure/sentinel/respond-threats-during-investigation\">from Microsoft Sentinel</a>.</dd><br>\n<b>•Which user accounts are involved and what are their privileges?</b>\n<dd>•To assess the risk, first determine whether the user accounts are priority, management, or administrator accounts.</dd>\n<b>•What containments actions were already taken by automated response?</b>\n<dd>•What is the evidence remediation status?</dd>\n<dd>•Check evidence & response tab in M365D portal for <a target='_blank' href=\"https://docs.microsoft.com/microsoft-365/security/office-365-security/air-review-approve-pending-completed-actions\">pending approval actions</a>.</dd>"
}
},
"runAfter": {
"Scope_-_Introduction": [
"Succeeded"
]
},
"type": "Scope"
},
"Scope_-_Introduction": {
"actions": {
"Add_task_to_incident_-_Introduction": {
"runAfter": {
"Compose_-_Introduction": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"taskDescription": "<p>@{outputs('Compose_-_Introduction')}</p>",
"taskTitle": "Introduction"
},
"host": {
"connection": {
"name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/CreateTask"
}
},
"Compose_-_Introduction": {
"runAfter": {},
"type": "Compose",
"inputs": "<p>To report phishing messages, <a target='_blank' href=\"https://go.microsoft.com/fwlink/?linkid=2167511\">submit</a> them on Microsoft 365 Defender for analysis. Select \"Should have been blocked\" when prompted. Results are shown in the submissions detail flyout. Follow our <a target='_blank' href=\"https://go.microsoft.com/fwlink/?linkid=2201181\">step-by-step guide</a> for details.</p>\n<p><b>This playbook for Security Operations (SecOps/SOC) teams will walk you through four stages of responding to a phishing incident: containment, investigation, remediation and prevention. The step-by-step instructions will help you take the required remedial action to protect information and minimize further risks.</b></p>\nClick on \"Contain\" task when you're ready to start."
},
"Mark_a_task_as_completed_-_Introduction": {
"runAfter": {
"Add_task_to_incident_-_Introduction": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"taskArmId": "@body('Add_task_to_incident_-_Introduction')?['id']"
},
"host": {
"connection": {
"name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/CompleteTask"
}
}
},
"runAfter": {},
"type": "Scope"
},
"Scope_-_Investigate": {
"actions": {
"Add_task_to_incident_-_Investigate_-_Part_1": {
"runAfter": {
"Compose_-_Investigate_-_Part_1": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"taskDescription": "<p>@{outputs('Compose_-_Investigate_-_Part_1')}</p>",
"taskTitle": "Investigate - Part 1"
},
"host": {
"connection": {
"name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/CreateTask"
}
},
"Add_task_to_incident_-_Investigate_-_Part_2": {
"runAfter": {
"Compose_-_Investigate_-_Part_2": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"taskDescription": "<p>@{outputs('Compose_-_Investigate_-_Part_2')}</p>",
"taskTitle": "Investigate - Part 2"
},
"host": {
"connection": {
"name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/CreateTask"
}
},
"Compose_-_Investigate_-_Part_1": {
"runAfter": {},
"type": "Compose",
"inputs": "<b>•\tReview the initial phishing email.</b>\n<dd>•\tFrom the incident in the M365D incidents queue, select the Evidence and Response tab.</dd>\n<dd>•\tFind the relevant email and open the email page. </dd>\n<dd>•\tCheck the email header for the true source of the sender.</dd>\n<dd>•\tInvestigate the source IP address of the email. Is the IP address used by attackers or campaigns?</dd>\n<dd>&nbsp;&nbsp;&nbsp;&nbsp;- <a target='_blank' href=\"https://security.microsoft.com/threatanalytics3\">Threat analytics</a></dd>\n<dd>&nbsp;&nbsp;&nbsp;&nbsp;- <a target='_blank' href=\"https://security.microsoft.com/campaigns\">Campaigns</a></dd><br>\n<b>•\tDid the email contain a URL?</b>\n<dd>•\tGo to the URL page to get the URL reputation.</dd>\n<p>Continue to Investigate - Part 2<p>"
},
"Compose_-_Investigate_-_Part_2": {
"runAfter": {
"Add_task_to_incident_-_Investigate_-_Part_1": [
"Succeeded"
]
},
"type": "Compose",
"inputs": "<b>•\tDid the email contain an attachment?</b>\n<dd>•\tLook for potential malicious content in the attachment, for example, PDF files, obfuscated PowerShell, or other script codes.</dd>\n<dd>•\tCheck the device timeline to understand if the payload executed on the endpoint. If so, consider isolating the device. </dd><br>\n<b>•\tIs there a risk that the user opened the email?</b>\n<dd>•\tIf yes, perform remediation.</dd><br>\n<b>•\tGet the list of users who got the phishing email.</b>"
}
},
"runAfter": {
"Scope_-_Contain": [
"Succeeded"
]
},
"type": "Scope"
},
"Scope_-_Investigate_involved_users": {
"actions": {
"Add_task_to_incident_-_Investigate_involved_users_-_Part_1": {
"runAfter": {
"Compose_-_Investigate_involved_users_-_Part_1": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"taskDescription": "<p>@{outputs('Compose_-_Investigate_involved_users_-_Part_1')}</p>",
"taskTitle": "Investigate involved users - Part 1"
},
"host": {
"connection": {
"name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/CreateTask"
}
},
"Add_task_to_incident_-_Investigate_involved_users_-_Part_2": {
"runAfter": {
"Compose_-_Investigate_involved_users_-_Part_2": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"taskDescription": "<p>@{outputs('Compose_-_Investigate_involved_users_-_Part_2')}</p>",
"taskTitle": "Investigate involved users - Part 2"
},
"host": {
"connection": {
"name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/CreateTask"
}
},
"Compose_-_Investigate_involved_users_-_Part_1": {
"runAfter": {},
"type": "Compose",
"inputs": "<p>For each user that is involved in the incident:</p>\n<b>•\tInvestigate the user account for suspicious actions.</b>\n<dd>•\t<a target='_blank' href=\"https://docs.microsoft.com/microsoft-365/security/defender/investigate-users?view=o365-worldwide\">Investigate users in Microsoft 365 Defender</a>.</dd>\n<dd>•\t<a target='_blank' href=\"https://learn.microsoft.com/azure/sentinel/investigate-with-ueba\">Investigate users with Microsoft Sentinel UEBA</a>.</dd><br>\n<b>•\tWhat is the investigation priority score of the user account?</b>\n<dd>•\tIf the user performed suspicious activity, consider these steps:</dd>\n<dd>&nbsp;&nbsp;&nbsp;&nbsp;- Contact the user assigned the user account.</dd>\n<dd>&nbsp;&nbsp;&nbsp;&nbsp;- Reset the user accounts password.</dd>\n<dd>&nbsp;&nbsp;&nbsp;&nbsp;- Require the user to sign in again.</dd>\n<p>Continue to Investigate involved users - Part 2<p>"
},
"Compose_-_Investigate_involved_users_-_Part_2": {
"runAfter": {
"Add_task_to_incident_-_Investigate_involved_users_-_Part_1": [
"Succeeded"
]
},
"type": "Compose",
"inputs": "<b>•\tInvestigate the user accounts mailbox.</b>\n<dd>•\tGet the latest dates when the user account had access to the mailbox.</dd>\n<dd>•\tIs delegated access configured on the mailbox and did it change recently?</dd>\n<dd>&nbsp;&nbsp;&nbsp;&nbsp;- Activity names: 'Add-MailboxPermission', 'Add-MailboxFolderPermission', 'Set-MailboxFolderPermission'</dd>\n<dd>•\tIs there a forwarding rule configured for the mailbox and was it added recently?</dd>\n<dd>&nbsp;&nbsp;&nbsp;&nbsp;- Activity names: \"New-InboxRule\", \"Set-InboxRule\", \"Set-Mailbox\", \"Set-TransportRule\", \"New-TransportRule\".</dd><br>\n<b>•\tIf the email contained a malicious URL, did the user click the link in the email?</b>\n<dd>•\tGet more details on the user click from the advanced hunting user clicks table</dd><br>\n<b>•\tIf the email contained an attachment, was the attachment payload executed? Was malicious code executed?</b>\n<dd>•\tIf yes, quarantine the file on the device, and consider to isolating the device.</dd>"
}
},
"runAfter": {
"Scope_-_Investigate": [
"Succeeded"
]
},
"type": "Scope"
},
"Scope_-_Prevent": {
"actions": {
"Add_task_to_incident_-_Prevent_-_Part_1": {
"runAfter": {
"Compose_-_Prevent_-_Part_1": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"taskDescription": "<p>@{outputs('Compose_-_Prevent_-_Part_1')}</p>",
"taskTitle": "Prevent - Part 1"
},
"host": {
"connection": {
"name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/CreateTask"
}
},
"Add_task_to_incident_-_Prevent_-_Part_2": {
"runAfter": {
"Compose_-_Prevent_-_Part_2": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"taskDescription": "<p>@{outputs('Compose_-_Prevent_-_Part_2')}</p>",
"taskTitle": "Prevent - Part 2"
},
"host": {
"connection": {
"name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/CreateTask"
}
},
"Compose_-_Prevent_-_Part_1": {
"runAfter": {},
"type": "Compose",
"inputs": "<p>If the phishing email was received because of a policy override, consider removing the override from the related allow list (Exchange Transport Rule/IP Allow List), and/or enabling ZAP.</p>\n<b>•\tAlerts generated due to policy overrides:</b>\n<dd>•\tPhish delivered due to an ETR override.</dd>\n<dd>•\tPhish delivered due to an IP allow policy.</dd>\n<dd>•\tPhish not zapped because ZAP is disabled.</dd>\n<p>Continue to Prevent - Part 2<p>"
},
"Compose_-_Prevent_-_Part_2": {
"runAfter": {
"Add_task_to_incident_-_Prevent_-_Part_1": [
"Succeeded"
]
},
"type": "Compose",
"inputs": "<p>For more information, see <a target='_blank' href=\"https://learn.microsoft.com/security/compass/incident-response-playbook-phishing\">Phishing investigation IR playbook</a>.</p>\n<p>If you received a forwarding alert as part of the incident, use outbound spam policies to <a target='_blank' href=\"https://docs.microsoft.com/microsoft-365/security/office-365-security/external-email-forwarding\">prevent forwarding to external recipients</a>.</p>\n<p>Use <a target='_blank' href=\"https://docs.microsoft.com/microsoft-365/security/office-365-security/attack-simulation-training-get-started\">Attack simulation training</a> in the Microsoft 365 Defender portal to run realistic attack scenarios in your organization. These simulated attacks can help you identify vulnerable users.</p>"
}
},
"runAfter": {
"Scope_-_Remediate": [
"Succeeded"
]
},
"type": "Scope"
},
"Scope_-_Remediate": {
"actions": {
"Add_task_to_incident_-_Remediate": {
"runAfter": {
"Compose_-_Remediate": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"taskDescription": "<p>@{outputs('Compose_-_Remediate')}</p>",
"taskTitle": "Remediate"
},
"host": {
"connection": {
"name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/CreateTask"
}
},
"Compose_-_Remediate": {
"runAfter": {},
"type": "Compose",
"inputs": "<b>•\tMark the incident as a True Positive.</b><br><br>\n<b>•\tUse Threat Explorer to remove the malicious emails from all of your inboxes and report the message as phishing to Microsoft.</b>\n<dd>•\t<a target='_blank' href=\"https://security.microsoft.com/threatexplorer\">Threat Explorer</a>.</dd><br>\n<dt><b>•\tIf during this incident a forwarding rule is created, remove the forwarding rule and block the forwarding address.</b></dt><br>\n<dt><b>•\t<a target='_blank' href=\"https://docs.microsoft.com/microsoft-365/security/office-365-security/admin-submission\">Submit</a> the incident evidence to Microsoft.</b></dt>\n<dd>•\tEmails</dd>\n<dd>•\tAttachments</dd>\n<dd>•\tURLs</dd>\n<dd>•\tFiles</dd>"
}
},
"runAfter": {
"Scope_-_Investigate_involved_users": [
"Succeeded"
]
},
"type": "Scope"
}
},
"runAfter": {
"For_each_-_alert_check_the_keywod": [
"Succeeded"
]
},
"expression": {
"and": [
{
"greater": [
"@length(variables('Alert title'))",
0
]
}
]
},
"type": "If"
},
"For_each_-_alert_check_the_keywod": {
"foreach": "@triggerBody()?['object']?['properties']?['Alerts']",
"actions": {
"Condition_-_if_alerts_contain_keywords": {
"actions": {
"Append_to_array_variable": {
"runAfter": {},
"type": "AppendToArrayVariable",
"inputs": {
"name": "Alert title",
"value": "@items('For_each_-_alert_check_the_keywod')?['properties']?['alertDisplayName']"
}
}
},
"runAfter": {},
"expression": {
"or": [
{
"contains": [
"@items('For_each_-_alert_check_the_keywod')?['properties']?['alertDisplayName']",
"Phish"
]
},
{
"contains": [
"@items('For_each_-_alert_check_the_keywod')?['properties']?['alertDisplayName']",
"ZAP"
]
},
{
"contains": [
"@items('For_each_-_alert_check_the_keywod')?['properties']?['alertDisplayName']",
"removed after delivery"
]
},
{
"contains": [
"@items('For_each_-_alert_check_the_keywod')?['properties']?['alertDisplayName']",
"URL click was detected"
]
}
]
},
"type": "If"
}
},
"runAfter": {
"Initialize_variable": [
"Succeeded"
]
},
"type": "Foreach"
},
"Initialize_variable": {
"runAfter": {},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "Alert title",
"type": "array"
}
]
}
}
},
"outputs": {}
},
"parameters": {
"$connections": {
"value": {
"microsoftsentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftsentinelConnectionName'))]",
"connectionName": "[variables('MicrosoftsentinelConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
}
}
}
}
},
"name": "[parameters('PlaybookName')]",
"type": "Microsoft.Logic/workflows",
"location": "[resourceGroup().location]",
"tags": {
"hidden-SentinelTemplateName": "M365D_Phishing_Playbook_for_SecOps-Tasks",
"hidden-SentinelTemplateVersion": "1.0"
},
"identity": {
"type": "SystemAssigned"
},
"apiVersion": "2017-07-01",
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('MicrosoftsentinelConnectionName'))]"
]
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('MicrosoftsentinelConnectionName')]",
"location": "[resourceGroup().location]",
"kind": "V1",
"properties": {
"displayName": "[variables('MicrosoftsentinelConnectionName')]",
"customParameterValues": {},
"parameterValueType": "Alternative",
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
}
]
}



@ -1,33 +0,0 @@
# Unisolate-MDE-Machine-entityTrigger
author: Benji Kovacevic
This playbook will unisolate Microsoft Defender for Endpoint (MDE) device using entity trigger.
# Prerequisites
None.
# Quick Deployment
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FUnisolate-MDE-Machine-entityTrigger%2Fazuredeploy.json)
[![Deploy to Azure Gov](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FUnisolate-MDE-Machine-entityTrigger%2Fazuredeploy.json)
<br><br>
# Post-deployment
1. Assign Microsoft Sentinel Responder role to the managed identity. To do so, choose Identity blade under Settings of the Logic App.
2. Assign User.ReadWrite.All and Directory.ReadWrite.All API permissions to the managed identity.<br>
```powershell
$MIGuid = "<Enter your managed identity guid here>"
$MI = Get-AzureADServicePrincipal -ObjectId $MIGuid
$GraphAppId = "fc780465-2017-40d4-a0c5-307022471b92"
$PermissionName1 = "Machine.Isolate"
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
$AppRole1 = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName1 -and $_.AllowedMemberTypes -contains "Application"}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
-ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole1.Id
```
# Screenshots
**Playbook** <br>
![playbook screenshot](./images/playbookDark.jpg)<br>


@ -45,7 +45,7 @@
{
"type": "IsConnectedQuery",
"value": [
"ABNORMAL_THREAT_LOG_C\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
"ABNORMAL_THREAT_MESSAGES_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],


@ -1,4 +1,4 @@
id: 5170c3c4-b8c9-485c-910d-a21d965ee181
id: 5533fe80-905e-49d5-889a-df27d2c3976d
name: Password spray attack against ADFSSignInLogs
description: |
'Identifies evidence of password spray activity against Connect Health for AD FS sign-in events by looking for failures from multiple accounts from the same IP address within a time window.
@ -40,5 +40,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPAddress
version: 1.0.0
version: 1.0.1
kind: Scheduled


@ -79,7 +79,10 @@
"Solutions/Azure Active Directory/Playbooks/Reset-AADUserPassword/alert-trigger/azuredeploy.json",
"Solutions/Azure Active Directory/Playbooks/Reset-AADUserPassword/incident-trigger/azuredeploy.json",
"Solutions/Azure Active Directory/Playbooks/Block-AADUser/entity-trigger/azuredeploy.json",
"Solutions/Azure Active Directory/Playbooks/Reset-AADUserPassword/entity-trigger/azuredeploy.json"
"Solutions/Azure Active Directory/Playbooks/Reset-AADUserPassword/entity-trigger/azuredeploy.json",
"Solutions/Azure Active Directory/Playbooks/Revoke-AADSignInSessions/alert-trigger/azuredeploy.json",
"Solutions/Azure Active Directory/Playbooks/Revoke-AADSignInSessions/incident-trigger/azuredeploy.json",
"Solutions/Azure Active Directory/Playbooks/Revoke-AADSignInSessions/entity-trigger/azuredeploy.json"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel",
"Version": "2.0.12",
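Review bot: Three Revoke-AADSignInSessions templates are added to the Playbooks list while the solution's `"Version": "2.0.12"` on the last context line of this hunk stays as it was. The Cisco ISE section later in this same commit bumps its `Version` from 2.0.2 to 2.0.3 and ships a new `Package/2.0.3.zip` next to a content change, which suggests the packaging flow keys the regenerated package on this field; unless the Azure Active Directory package is rebuilt elsewhere in the commit, the new playbook templates will not reach customers through the solution. Consider `"Version": "2.0.13"` here and regenerating the package in the same change.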


@ -2,7 +2,10 @@
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"comments": "This playbook will revoke all signin sessions for the user using Graph API using a Beta API. It will send and email to the user's manager. NOTE: You must create an app registration for graph api with appropriate permissions. NOTE: You will need to add the managed identity that is created by the logic app to the Password Administrator role in Azure AD.",
"title": "Revoke-AADSignInSessions alert trigger",
"description": "This playbook will revoke all signin sessions for the user using Graph API. It will send an email to the user's manager.",
"prerequisites": ["1. You must create an app registration for graph api with appropriate permissions.", "2. You will need to add the managed identity that is created by the logic app to the Password Administrator role in Azure AD."],
"comments": "This playbook will revoke all signin sessions for the user using Graph API using a Beta API. It will send and email to the user's manager.",
"author": "Nicholas DiCola"
},
"parameters": {
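Review bot: The new `prerequisites` array tells the deployer to create a Graph app registration and to put the Logic App's managed identity in the Password Administrator directory role, but the same playbook's incident-trigger template in this commit says `"prerequisites": "1. You will need to grant User.ReadWrite.All permissions to the managed identity."` and the README script assigns exactly that application permission to the managed identity with no app registration at all. Password Administrator is a tenant-wide directory role that is far broader than session revocation needs, so a deployer following this text would over-privilege the identity; the two items read as carried over from the old `comments` string rather than from what the template does. Suggest replacing the array with the incident-trigger wording, and note the two templates now also disagree on the field's type (array here, plain string there), which a consumer expecting one shape will trip over. The retained `comments` line still says "using a Beta API" and "send and email" while the new `description` says Graph API; worth checking the HTTP action outside this hunk and dropping the beta remark if it now targets v1.0.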





@ -2,7 +2,7 @@
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"title": "Revoke-AADSignInSessions",
"title": "Revoke AAD SignIn Sessions - incident trigger",
"description": "This playbook will revoke all signin sessions for the user using Graph API. It will send an email to the user's manager.",
"prerequisites": "1. You will need to grant User.ReadWrite.All permissions to the managed identity.",
"lastUpdateTime": "2021-07-14T00:00:00.000Z",





@ -0,0 +1,57 @@
# Revoke-AADSignInSessions
author: Nicholas DiCola
This playbook will revoke all signin sessions for the user using Graph API. It will send and email to the user's manager.
## Quick Deployment
**Deploy with entity trigger** (recommended)
After deployment, you can run this playbook manually on an entity.
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FAzure%2520Active%2520Directory%2FPlaybooks%2FRevoke-AADSignInSessions%2Fentity-trigger%2Fazuredeploy.json)
[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FAzure%2520Active%2520Directory%2FPlaybooks%2FRevoke-AADSignInSessions%2Fentity-trigger%2Fazuredeploy.json)
**Deploy with incident trigger**
After deployment, you can run this playbook manually on an incident or attach this playbook to an **automation rule** so it runs when the incident is created.
[Learn more about automation rules](https://docs.microsoft.com/azure/sentinel/automate-incident-handling-with-automation-rules#creating-and-managing-automation-rules)
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FAzure%2520Active%2520Directory%2FPlaybooks%2FRevoke-AADSignInSessions%2Fincident-trigger%2Fazuredeploy.json)
[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FAzure%2520Active%2520Directory%2FPlaybooks%2FRevoke-AADSignInSessions%2Fincident-trigger%2Fazuredeploy.json)
**Deploy with alert trigger**
After deployment, you can run this playbook manually on an alert or attach it to an **automation rule** so it will rune when an alert is created.
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FAzure%2520Active%2520Directory%2FPlaybooks%2FRevoke-AADSignInSessions%2Falert-trigger%2Fazuredeploy.json)
[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FAzure%2520Active%2520Directory%2FPlaybooks%2FRevoke-AADSignInSessions%2Falert-trigger%2Fazuredeploy.json)
## Prerequisites
1. Assign Microsoft Sentinel Responder role to the managed identity. To do so, choose Identity blade under Settings of the Logic App.
2. You will need to grant User.ReadWrite.All permissions to the managed identity. Run the following code replacing the managed identity object id. You find the managed identity object id on the Identity blade under Settings for the Logic App.
```powershell
$MIGuid = "<Enter your managed identity guid here>"
$MI = Get-AzureADServicePrincipal -ObjectId $MIGuid
$GraphAppId = "00000003-0000-0000-c000-000000000000"
$PermissionName = "User.ReadWrite.All"
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
$AppRole = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application"}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
-ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id
```
## Screenshots
**Incident Trigger**<br>
![Incident Trigger](./incident-trigger/images/Revoke-AADSignInSessions_incident.png)<br>
**Alert Trigger**<br>
![Alert Trigger](./alert-trigger/images/Revoke-AADSignInSessions_alert.png)<br>
**Enityt Trigger**<br>
![Entity Trigger](./entity-trigger/images/playbookDark.png)<br>

Solutions/Box/Data Connectors/BoxConn.zip



@ -5,7 +5,7 @@
azure-functions
pyjwt==2.4.0
cryptography==39.0.1
cryptography==41.0.0
boxsdk==3.3.0
azure-storage-file-share==12.7.0
python-dateutil==2.8.2


@ -19,7 +19,7 @@ tactics:
- DefenseEvasion
- Execution
query: |
let lbperiod = 60d;
let lbperiod = 14d;
let lbtime = 15m;
let knownAdminIpList =
CiscoISEEvent
@ -43,5 +43,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
version: 1.0.1
kind: Scheduled
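Review bot: Shrinking `lbperiod` from 60d to 14d cuts the baseline of known admin IPs to a quarter of what it was, so an admin whose last ISE login from a given address was 15 to 60 days ago will now be reported as coming from a new IP, and a false-positive bump should be expected right after the update. If the motivation is the 14-day maximum lookback that scheduled analytics rules enforce (the previous value would not have been accepted), record that in the rule's description or on the line itself, e.g. `let lbperiod = 14d; // maximum lookback allowed for scheduled rules`, because the description lives outside this hunk and the only other change here is the version bump. The same edit appears in the next file section for known privileged users and deserves the same note.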


@ -19,7 +19,7 @@ tactics:
- DefenseEvasion
- Execution
query: |
let lbperiod = 60d;
let lbperiod = 14d;
let lbtime = 15m;
let knownPrivUsers =
CiscoISEEvent
@ -43,5 +43,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
version: 1.0.1
kind: Scheduled


@ -43,7 +43,7 @@
"Hunting Queries/CiscoISESuspendLogCollector.yaml"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Cisco ISE",
"Version": "2.0.2",
"Version": "2.0.3",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1Pconnector": false

Solutions/Cisco ISE/Package/2.0.3.zip Normal file



@ -68,12 +68,12 @@
"_analyticRulecontentId4": "[variables('analyticRulecontentId4')]",
"analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]",
"analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4')))]",
"analyticRuleVersion5": "1.0.0",
"analyticRuleVersion5": "1.0.1",
"analyticRulecontentId5": "1fa0da3e-ec99-484f-aadb-93f59764e158",
"_analyticRulecontentId5": "[variables('analyticRulecontentId5')]",
"analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]",
"analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5')))]",
"analyticRuleVersion6": "1.0.0",
"analyticRuleVersion6": "1.0.1",
"analyticRulecontentId6": "e71890a2-5f61-4790-b1ed-cf1d92d3e398",
"_analyticRulecontentId6": "[variables('analyticRulecontentId6')]",
"analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]",
@ -222,7 +222,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]"
],
"properties": {
"description": "CiscoISEWorkbook with template version 2.0.2",
"description": "CiscoISEWorkbook with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@ -317,7 +317,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName1'))]"
],
"properties": {
"description": "CiscoISEAdminPasswordReset_AnalyticalRules Analytics Rule with template version 2.0.2",
"description": "CiscoISEAdminPasswordReset_AnalyticalRules Analytics Rule with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion1')]",
@ -361,8 +361,8 @@
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
],
"entityType": "Account"
@ -370,8 +370,8 @@
{
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
"columnName": "IPCustomEntity",
"identifier": "Address"
}
],
"entityType": "IP"
@ -437,7 +437,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName2'))]"
],
"properties": {
"description": "CiscoISEAttempDeleteLocalStoreLogs_AnalyticalRules Analytics Rule with template version 2.0.2",
"description": "CiscoISEAttempDeleteLocalStoreLogs_AnalyticalRules Analytics Rule with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion2')]",
@ -478,8 +478,8 @@
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
],
"entityType": "Account"
@ -487,8 +487,8 @@
{
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
"columnName": "IPCustomEntity",
"identifier": "Address"
}
],
"entityType": "IP"
@ -496,8 +496,8 @@
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "HostCustomEntity"
"columnName": "HostCustomEntity",
"identifier": "FullName"
}
],
"entityType": "Host"
@ -563,7 +563,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName3'))]"
],
"properties": {
"description": "CiscoISEBackupFailed_AnalyticalRules Analytics Rule with template version 2.0.2",
"description": "CiscoISEBackupFailed_AnalyticalRules Analytics Rule with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion3')]",
@ -601,8 +601,8 @@
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "HostCustomEntity"
"columnName": "HostCustomEntity",
"identifier": "FullName"
}
],
"entityType": "Host"
@ -610,8 +610,8 @@
{
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
"columnName": "IPCustomEntity",
"identifier": "Address"
}
],
"entityType": "IP"
@ -677,7 +677,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName4'))]"
],
"properties": {
"description": "CiscoISECertExpired_AnalyticalRules Analytics Rule with template version 2.0.2",
"description": "CiscoISECertExpired_AnalyticalRules Analytics Rule with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion4')]",
@ -718,8 +718,8 @@
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
],
"entityType": "Account"
@ -727,8 +727,8 @@
{
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
"columnName": "IPCustomEntity",
"identifier": "Address"
}
],
"entityType": "IP"
@ -736,8 +736,8 @@
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "HostCustomEntity"
"columnName": "HostCustomEntity",
"identifier": "FullName"
}
],
"entityType": "Host"
@ -803,7 +803,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName5'))]"
],
"properties": {
"description": "CiscoISECmdExecutionWithHighestPrivilegesNewIP_AnalyticalRules Analytics Rule with template version 2.0.2",
"description": "CiscoISECmdExecutionWithHighestPrivilegesNewIP_AnalyticalRules Analytics Rule with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion5')]",
@ -820,7 +820,7 @@
"description": "Detects command execution with PrivilegeLevel - 15 from new source.",
"displayName": "CiscoISE - Command executed with the highest privileges from new IP",
"enabled": false,
"query": "let lbperiod = 60d;\nlet lbtime = 15m;\nlet knownAdminIpList =\nCiscoISEEvent\n| where TimeGenerated between (ago(lbperiod) .. ago(lbtime))\n| where PrivilegeLevel == '15'\n| summarize makelist(SrcIpAddr)\n;\nCiscoISEEvent\n| where TimeGenerated > ago(lbtime)\n| where PrivilegeLevel == '15'\n| where SrcIpAddr !in (knownAdminIpList)\n| project TimeGenerated, SrcIpAddr, DstIpAddr, DstUserName, CmdSet\n| extend AccountCustomEntity = DstUserName\n| extend IPCustomEntity = SrcIpAddr\n",
"query": "let lbperiod = 14d;\nlet lbtime = 15m;\nlet knownAdminIpList =\nCiscoISEEvent\n| where TimeGenerated between (ago(lbperiod) .. ago(lbtime))\n| where PrivilegeLevel == '15'\n| summarize makelist(SrcIpAddr)\n;\nCiscoISEEvent\n| where TimeGenerated > ago(lbtime)\n| where PrivilegeLevel == '15'\n| where SrcIpAddr !in (knownAdminIpList)\n| project TimeGenerated, SrcIpAddr, DstIpAddr, DstUserName, CmdSet\n| extend AccountCustomEntity = DstUserName\n| extend IPCustomEntity = SrcIpAddr\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Medium",
@ -848,8 +848,8 @@
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
],
"entityType": "Account"
@ -857,8 +857,8 @@
{
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
"columnName": "IPCustomEntity",
"identifier": "Address"
}
],
"entityType": "IP"
@ -924,7 +924,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName6'))]"
],
"properties": {
"description": "CiscoISECmdExecutionWithHighestPrivilegesNewUser_AnalyticalRules Analytics Rule with template version 2.0.2",
"description": "CiscoISECmdExecutionWithHighestPrivilegesNewUser_AnalyticalRules Analytics Rule with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion6')]",
@ -941,7 +941,7 @@
"description": "Detects command execution with PrivilegeLevel - 15 by user for wich there was no such activity detected earlier.",
"displayName": "CiscoISE - Command executed with the highest privileges by new user",
"enabled": false,
"query": "let lbperiod = 60d;\nlet lbtime = 15m;\nlet knownPrivUsers =\nCiscoISEEvent\n| where TimeGenerated between (ago(lbperiod) .. ago(lbtime))\n| where PrivilegeLevel == '15'\n| summarize makelist(DstUserName)\n;\nCiscoISEEvent\n| where TimeGenerated > ago(lbtime)\n| where PrivilegeLevel == '15'\n| where DstUserName !in (knownPrivUsers)\n| project TimeGenerated, SrcIpAddr, DstIpAddr, DstUserName, CmdSet\n| extend AccountCustomEntity = DstUserName\n| extend IPCustomEntity = SrcIpAddr\n",
"query": "let lbperiod = 14d;\nlet lbtime = 15m;\nlet knownPrivUsers =\nCiscoISEEvent\n| where TimeGenerated between (ago(lbperiod) .. ago(lbtime))\n| where PrivilegeLevel == '15'\n| summarize makelist(DstUserName)\n;\nCiscoISEEvent\n| where TimeGenerated > ago(lbtime)\n| where PrivilegeLevel == '15'\n| where DstUserName !in (knownPrivUsers)\n| project TimeGenerated, SrcIpAddr, DstIpAddr, DstUserName, CmdSet\n| extend AccountCustomEntity = DstUserName\n| extend IPCustomEntity = SrcIpAddr\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Medium",
@ -969,8 +969,8 @@
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
],
"entityType": "Account"
@ -978,8 +978,8 @@
{
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
"columnName": "IPCustomEntity",
"identifier": "Address"
}
],
"entityType": "IP"
@ -1045,7 +1045,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName7'))]"
],
"properties": {
"description": "CiscoISEDeviceChangedIP_AnalyticalRules Analytics Rule with template version 2.0.2",
"description": "CiscoISEDeviceChangedIP_AnalyticalRules Analytics Rule with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion7')]",
@ -1083,8 +1083,8 @@
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "HostCustomEntity"
"columnName": "HostCustomEntity",
"identifier": "FullName"
}
],
"entityType": "Host"
@ -1092,8 +1092,8 @@
{
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
"columnName": "IPCustomEntity",
"identifier": "Address"
}
],
"entityType": "IP"
@ -1159,7 +1159,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName8'))]"
],
"properties": {
"description": "CiscoISEDevicePostureStatusChanged_AnalyticalRules Analytics Rule with template version 2.0.2",
"description": "CiscoISEDevicePostureStatusChanged_AnalyticalRules Analytics Rule with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion8')]",
@ -1200,8 +1200,8 @@
{
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
"columnName": "IPCustomEntity",
"identifier": "Address"
}
],
"entityType": "IP"
@ -1267,7 +1267,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName9'))]"
],
"properties": {
"description": "CiscoISELogCollectorSuspended_AnalyticalRules Analytics Rule with template version 2.0.2",
"description": "CiscoISELogCollectorSuspended_AnalyticalRules Analytics Rule with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion9')]",
@ -1308,8 +1308,8 @@
{
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
"columnName": "IPCustomEntity",
"identifier": "Address"
}
],
"entityType": "IP"
@ -1375,7 +1375,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName10'))]"
],
"properties": {
"description": "CiscoISELogsDeleted_AnalyticalRules Analytics Rule with template version 2.0.2",
"description": "CiscoISELogsDeleted_AnalyticalRules Analytics Rule with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion10')]",
@ -1416,8 +1416,8 @@
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
],
"entityType": "Account"
@ -1425,8 +1425,8 @@
{
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
"columnName": "IPCustomEntity",
"identifier": "Address"
}
],
"entityType": "IP"
@ -1434,8 +1434,8 @@
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "HostCustomEntity"
"columnName": "HostCustomEntity",
"identifier": "FullName"
}
],
"entityType": "Host"
@ -1501,7 +1501,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName1'))]"
],
"properties": {
"description": "CiscoISEConnector Playbook with template version 2.0.2",
"description": "CiscoISEConnector Playbook with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion1')]",
@ -2522,7 +2522,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName2'))]"
],
"properties": {
"description": "CiscoISE-FalsePositivesClearPolicies Playbook with template version 2.0.2",
"description": "CiscoISE-FalsePositivesClearPolicies Playbook with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion2')]",
@ -3108,7 +3108,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName3'))]"
],
"properties": {
"description": "CiscoISE-SuspendGuestUser Playbook with template version 2.0.2",
"description": "CiscoISE-SuspendGuestUser Playbook with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion3')]",
@ -3487,7 +3487,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName4'))]"
],
"properties": {
"description": "CiscoISE-TakeEndpointActionFromTeams Playbook with template version 2.0.2",
"description": "CiscoISE-TakeEndpointActionFromTeams Playbook with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion4')]",
@ -4602,7 +4602,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
],
"properties": {
"description": "Cisco ISE data connector with template version 2.0.2",
"description": "Cisco ISE data connector with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@ -4936,7 +4936,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName1'))]"
],
"properties": {
"description": "CiscoISEEvent Data Parser with template version 2.0.2",
"description": "CiscoISEEvent Data Parser with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserVersion1')]",
@ -4998,7 +4998,7 @@
},
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "2021-06-01",
"apiVersion": "2022-10-01",
"name": "[variables('_parserName1')]",
"location": "[parameters('workspace-location')]",
"properties": {
@ -5067,7 +5067,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName1'))]"
],
"properties": {
"description": "CiscoISEAuthenticationToSuspendedAccount_HuntingQueries Hunting Query with template version 2.0.2",
"description": "CiscoISEAuthenticationToSuspendedAccount_HuntingQueries Hunting Query with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion1')]",
@ -5155,7 +5155,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName2'))]"
],
"properties": {
"description": "CiscoISEDynamicAuthorizationFailed_HuntingQueries Hunting Query with template version 2.0.2",
"description": "CiscoISEDynamicAuthorizationFailed_HuntingQueries Hunting Query with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion2')]",
@ -5243,7 +5243,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName3'))]"
],
"properties": {
"description": "CiscoISEExpiredCertInClientCertChain_HuntingQueries Hunting Query with template version 2.0.2",
"description": "CiscoISEExpiredCertInClientCertChain_HuntingQueries Hunting Query with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion3')]",
@ -5327,7 +5327,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName4'))]"
],
"properties": {
"description": "CiscoISEFailedAuthentication_HuntingQueries Hunting Query with template version 2.0.2",
"description": "CiscoISEFailedAuthentication_HuntingQueries Hunting Query with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion4')]",
@ -5415,7 +5415,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName5'))]"
],
"properties": {
"description": "CiscoISEFailedLoginsSSHCLI_HuntingQueries Hunting Query with template version 2.0.2",
"description": "CiscoISEFailedLoginsSSHCLI_HuntingQueries Hunting Query with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion5')]",
@ -5503,7 +5503,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName6'))]"
],
"properties": {
"description": "CiscoISEGuestAuthenticationFailed_HuntingQueries Hunting Query with template version 2.0.2",
"description": "CiscoISEGuestAuthenticationFailed_HuntingQueries Hunting Query with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion6')]",
@ -5591,7 +5591,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName7'))]"
],
"properties": {
"description": "CiscoISEGuestAuthenticationSuccess_HuntingQueries Hunting Query with template version 2.0.2",
"description": "CiscoISEGuestAuthenticationSuccess_HuntingQueries Hunting Query with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion7')]",
@ -5679,7 +5679,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName8'))]"
],
"properties": {
"description": "CiscoISERareUserAgent_HuntingQueries Hunting Query with template version 2.0.2",
"description": "CiscoISERareUserAgent_HuntingQueries Hunting Query with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion8')]",
@ -5767,7 +5767,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName9'))]"
],
"properties": {
"description": "CiscoISESourceHighNumberAuthenticationErrors_HuntingQueries Hunting Query with template version 2.0.2",
"description": "CiscoISESourceHighNumberAuthenticationErrors_HuntingQueries Hunting Query with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion9')]",
@ -5855,7 +5855,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName10'))]"
],
"properties": {
"description": "CiscoISESuspendLogCollector_HuntingQueries Hunting Query with template version 2.0.2",
"description": "CiscoISESuspendLogCollector_HuntingQueries Hunting Query with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion10')]",
@ -5921,7 +5921,7 @@
"apiVersion": "2022-01-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "2.0.2",
"version": "2.0.3",
"kind": "Solution",
"contentSchemaVersion": "2.0.0",
"contentId": "[variables('_solutionId')]",



@ -2,9 +2,26 @@
# The Python Worker is managed by Azure Functions platform
# Manually managing azure-functions-worker may cause unexpected issues
azure-core==1.22.1
azure-functions==1.6.0
boto3==1.9.180
requests==2.31.0
python-dateutil==2.8.2
azure-storage-file-share==12.5.0
typing-extensions==4.0.0
boto3==1.9.180
botocore==1.12.253
certifi==2022.12.7
cffi==1.15.1
charset-normalizer==3.1.0
cryptography==36.0.0
docutils==0.15.2
idna==2.8
isodate==0.6.1
jmespath==0.10.0
msrest==0.6.21
oauthlib==3.2.2
pycparser==2.21
python-dateutil==2.8.2
requests==2.31.0
requests-oauthlib==1.3.1
s3transfer==0.2.1
six==1.16.0
typing_extensions==4.0.0
urllib3==1.25.11
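Review bot: The expanded freeze pins `cryptography==36.0.0`, `urllib3==1.25.11` and `certifi==2022.12.7`, which to my knowledge all sit well behind releases carrying published security fixes, while `requests==2.31.0` on the same list is current; the transitive pins look copied from an old environment rather than re-resolved. Since this function talks to external services, those three are worth refreshing to the newest release compatible with the `boto3==1.9.180`/`botocore==1.12.253` pair, and if the full freeze is meant to act as a lock, adding `--hash=` lines gives pip something to verify at install time. `typing-extensions==4.0.0` and `typing_extensions==4.0.0` name the same distribution after PEP 503 normalization, so that rename is cosmetic.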


@ -13,7 +13,7 @@
"sampleQueries": [
{
"description": "All Alerts",
"query": "CyberSixgill_Alerts"
"query": "CyberSixgill_Alerts_CL"
}
],
"dataTypes": [


@ -23,7 +23,7 @@ entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: srcUserName
columnName: SrcUserName
- entityType: Host
fieldMappings:
- identifier: FullName
@ -38,5 +38,5 @@ entityMappings:
columnName: FileHashAlgo
- identifier: Value
columnName: FileHashSha1
version: 1.0.1
version: 1.0.2
kind: Scheduled


@ -17,8 +17,8 @@
"Workbooks/ESETPROTECT.json"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\ESETPROTECT",
"Version": "2.0.1",
"BasePath": "C:\\Sentinel-Repos\\19.05.22\\Azure-Sentinel\\Solutions\\ESETPROTECT",
"Version": "2.0.2",
"TemplateSpec": true,
"Is1PConnector": false
}
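Review bot: `BasePath` now points at a developer workstation layout, `C:\\Sentinel-Repos\\19.05.22\\Azure-Sentinel\\Solutions\\ESETPROTECT`, which nobody else can reproduce and which leaks a local path into the repository; the other packaging input in this commit keeps the repo convention (the Forescout file uses `C:\\GitHub\\Azure-Sentinel\\Solutions\\Forescout`). Suggest keeping only the `Version` bump and restoring `"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\ESETPROTECT",` so the packaging tool runs the same way for every contributor.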

Solutions/ESETPROTECT/Package/2.0.2.zip Normal file



@ -51,7 +51,7 @@
"_dataConnectorId1": "[variables('dataConnectorId1')]",
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]",
"dataConnectorVersion1": "1.0.0",
"analyticRuleVersion1": "1.0.1",
"analyticRuleVersion1": "1.0.2",
"analyticRulecontentId1": "64badfab-1dd8-4491-927b-3ca206fa9a17",
"_analyticRulecontentId1": "[variables('analyticRulecontentId1')]",
"analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]",
@ -103,7 +103,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
],
"properties": {
"description": "ESETPROTECT data connector with template version 2.0.1",
"description": "ESETPROTECT data connector with template version 2.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@ -531,7 +531,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName1'))]"
],
"properties": {
"description": "ESETThreatDetected_AnalyticalRules Analytics Rule with template version 2.0.1",
"description": "ESETThreatDetected_AnalyticalRules Analytics Rule with template version 2.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion1')]",
@ -559,10 +559,10 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "ESETPROTECT",
"dataTypes": [
"ESETPROTECT"
]
],
"connectorId": "ESETPROTECT"
}
],
"tactics": [
@ -573,33 +573,34 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "srcUserName"
"columnName": "SrcUserName"
}
],
"entityType": "Account"
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "DvcHostname"
}
],
"entityType": "Host"
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "DvcIpAddr"
}
],
"entityType": "IP"
]
},
{
"entityType": "FileHash",
"fieldMappings": [
{
"identifier": "Algorithm",
@ -609,8 +610,7 @@
"identifier": "Value",
"columnName": "FileHashSha1"
}
],
"entityType": "FileHash"
]
}
]
}
@ -672,7 +672,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName2'))]"
],
"properties": {
"description": "ESETWebsiteBlocked_AnalyticalRules Analytics Rule with template version 2.0.1",
"description": "ESETWebsiteBlocked_AnalyticalRules Analytics Rule with template version 2.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion2')]",
@ -700,10 +700,10 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "ESETPROTECT",
"dataTypes": [
"ESETPROTECT"
]
],
"connectorId": "ESETPROTECT"
}
],
"tactics": [
@ -719,40 +719,40 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "SrcUserName"
}
],
"entityType": "Account"
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "DvcHostname"
}
],
"entityType": "Host"
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "DvcIpAddr"
}
],
"entityType": "IP"
]
},
{
"entityType": "URL",
"fieldMappings": [
{
"identifier": "Url",
"columnName": "FilePath"
}
],
"entityType": "URL"
]
}
]
}
@ -814,7 +814,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName1'))]"
],
"properties": {
"description": "ESETPROTECT Data Parser with template version 2.0.1",
"description": "ESETPROTECT Data Parser with template version 2.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserVersion1')]",
@ -875,7 +875,7 @@
},
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "2021-06-01",
"apiVersion": "2022-10-01",
"name": "[variables('_parserName1')]",
"location": "[parameters('workspace-location')]",
"properties": {
@ -943,7 +943,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]"
],
"properties": {
"description": "ESETPROTECTWorkbook with template version 2.0.1",
"description": "ESETPROTECTWorkbook with template version 2.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@ -1015,7 +1015,7 @@
"apiVersion": "2022-01-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "2.0.1",
"version": "2.0.2",
"kind": "Solution",
"contentSchemaVersion": "2.0.0",
"contentId": "[variables('_solutionId')]",


@ -4,7 +4,7 @@
"firstPublishDate": "2021-10-20",
"providers": ["Cyber Defense Group B.V."],
"categories": {
"domains" : ["Security-ThreatProtection"]
"domains": [ "Security - Threat Protection" ]
},
"support": {
"name": "ESET Netherlands",


@ -28,7 +28,7 @@
},
{
"description": "Present the System Telemetry host names",
"query": "F5Telemetry_system_CL\n | project hostname_s\n | sort by TimeGenerated"
"query": "F5Telemetry_system_CL\n | project hostname_s, TimeGenerated\n | sort by TimeGenerated"
},
{
"description": "Count how many ASM logs have been generated from different locations",


@ -13,15 +13,15 @@
"sampleQueries": [
{
"description" : "Rules triggered in the last three days",
"query": "ForcepointDLPEvents_CL\n | where TimeGenerated > ago(3d)\n | summarize count(RuleName_1_s) by RuleName_1_s, SourceIpV4_s\n | render barchart"
"query": "ForcepointDLPEvents_CL\n | where TimeGenerated > ago(3d)\n | summarize count() by RuleName_1_s, SourceIpV4_s\n | render barchart"
},
{
"description" : "Rules triggered over time (90 days)",
"query": "ForcepointDLPEvents_CL\n | where TimeGenerated > ago(90d)\n | sort by CreatedAt_t asc nulls last\n | summarize count(RuleName_1_s) by CreatedAt_t, RuleName_1_s\n | render linechart"
"query": "ForcepointDLPEvents_CL\n | where TimeGenerated > ago(90d)\n | sort by CreatedAt_t asc nulls last\n | summarize count() by CreatedAt_t, RuleName_1_s\n | render linechart"
},
{
"description" : "Count of High, Medium and Low rules triggered over 90 days",
"query": "ForcepointDLPEvents_CL\n | where TimeGenerated > ago(90d)\n | sort by CreatedAt_t asc nulls last\n | summarize count(Severity_s) by CreatedAt_t, Severity_s\n | render barchart"
"query": "ForcepointDLPEvents_CL\n | where TimeGenerated > ago(90d)\n | sort by CreatedAt_t asc nulls last\n | summarize count() by CreatedAt_t, Severity_s\n | render barchart"
}
],
"dataTypes": [


@ -110,8 +110,20 @@
"type": "InstructionStepsGroup"
}]
},
{
"title": "2. Configure the logs to be collected",
"description": "Configure the facilities you want to collect and their severities.\n 1. Under workspace advanced settings **Configuration**, select **Data** and then **Syslog**.\n 2. Select **Apply below configuration to my machines** and select the facilities and severities.\n 3. Click **Save**.",
"instructions": [
{
"parameters": {
"linkType": "OpenSyslogSettings"
},
"type": "InstallAgent"
}
]
},
{
"title": "2. Configure Forescout event forwarding",
"title": "3. Configure Forescout event forwarding",
"description": "Follow the configuration steps below to get Forescout logs into Microsoft Sentinel.\n1. [Select an Appliance to Configure.](https://docs.forescout.com/bundle/syslog-3-6-1-h/page/syslog-3-6-1-h.Select-an-Appliance-to-Configure.html)\n2. [Follow these instructions](https://docs.forescout.com/bundle/syslog-3-6-1-h/page/syslog-3-6-1-h.Send-Events-To-Tab.html#pID0E0CE0HA) to forward alerts from the Forescout platform to a syslog server.\n3. [Configure](https://docs.forescout.com/bundle/syslog-3-6-1-h/page/syslog-3-6-1-h.Syslog-Triggers.html) the settings in the Syslog Triggers tab."
}
]
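Review bot: The new step 2 tells the user to pick facilities and severities but never says which facility Forescout's syslog plug-in emits on, which is the one setting the user must get right for the `ForescoutEvent` parser to see any events; if the parser keys on a facility or device hostname, naming it here, or at least adding `Make sure the facility you select matches the one configured in the Syslog Triggers tab.`, would avoid a silent no-data outcome. The numbered list in this description is written `\n 1.` while step 3's list uses `\n1.`, which is inconsistent within the same connector. The same step appears verbatim twice in the Forescout mainTemplate section below; that copy looks generated, so edits belong here with the package regenerated rather than patched in both places.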


@ -10,7 +10,7 @@
"Parsers/ForescoutEvent.txt"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Forescout",
"Version": "2.0.2",
"Version": "2.0.3",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1Pconnector": false

Solutions/Forescout/Package/2.0.3.zip Normal file



@ -80,7 +80,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
],
"properties": {
"description": "Forescout data connector with template version 2.0.2",
"description": "Forescout data connector with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@ -226,9 +226,21 @@
}
]
},
{
"description": "Configure the facilities you want to collect and their severities.\n 1. Under workspace advanced settings **Configuration**, select **Data** and then **Syslog**.\n 2. Select **Apply below configuration to my machines** and select the facilities and severities.\n 3. Click **Save**.",
"instructions": [
{
"parameters": {
"linkType": "OpenSyslogSettings"
},
"type": "InstallAgent"
}
],
"title": "2. Configure the logs to be collected"
},
{
"description": "Follow the configuration steps below to get Forescout logs into Microsoft Sentinel.\n1. [Select an Appliance to Configure.](https://docs.forescout.com/bundle/syslog-3-6-1-h/page/syslog-3-6-1-h.Select-an-Appliance-to-Configure.html)\n2. [Follow these instructions](https://docs.forescout.com/bundle/syslog-3-6-1-h/page/syslog-3-6-1-h.Send-Events-To-Tab.html#pID0E0CE0HA) to forward alerts from the Forescout platform to a syslog server.\n3. [Configure](https://docs.forescout.com/bundle/syslog-3-6-1-h/page/syslog-3-6-1-h.Syslog-Triggers.html) the settings in the Syslog Triggers tab.",
"title": "2. Configure Forescout event forwarding"
"title": "3. Configure Forescout event forwarding"
}
]
}
@ -431,9 +443,21 @@
}
]
},
{
"description": "Configure the facilities you want to collect and their severities.\n 1. Under workspace advanced settings **Configuration**, select **Data** and then **Syslog**.\n 2. Select **Apply below configuration to my machines** and select the facilities and severities.\n 3. Click **Save**.",
"instructions": [
{
"parameters": {
"linkType": "OpenSyslogSettings"
},
"type": "InstallAgent"
}
],
"title": "2. Configure the logs to be collected"
},
{
"description": "Follow the configuration steps below to get Forescout logs into Microsoft Sentinel.\n1. [Select an Appliance to Configure.](https://docs.forescout.com/bundle/syslog-3-6-1-h/page/syslog-3-6-1-h.Select-an-Appliance-to-Configure.html)\n2. [Follow these instructions](https://docs.forescout.com/bundle/syslog-3-6-1-h/page/syslog-3-6-1-h.Send-Events-To-Tab.html#pID0E0CE0HA) to forward alerts from the Forescout platform to a syslog server.\n3. [Configure](https://docs.forescout.com/bundle/syslog-3-6-1-h/page/syslog-3-6-1-h.Syslog-Triggers.html) the settings in the Syslog Triggers tab.",
"title": "2. Configure Forescout event forwarding"
"title": "3. Configure Forescout event forwarding"
}
],
"id": "[variables('_uiConfigId1')]",
@ -468,7 +492,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName1'))]"
],
"properties": {
"description": "ForescoutEvent Data Parser with template version 2.0.2",
"description": "ForescoutEvent Data Parser with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserVersion1')]",
@ -530,7 +554,7 @@
},
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "2021-06-01",
"apiVersion": "2022-10-01",
"name": "[variables('_parserName1')]",
"location": "[parameters('workspace-location')]",
"properties": {
@ -577,7 +601,7 @@
"apiVersion": "2022-01-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "2.0.2",
"version": "2.0.3",
"kind": "Solution",
"contentSchemaVersion": "2.0.0",
"contentId": "[variables('_solutionId')]",


@ -18,7 +18,7 @@
},
{
"description": "Summarize by destination IP and port",
"query": "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n\n | summarize count() by DestinationIP, DestinationPort\n | sort by TimeGenerated"
"query": "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n\n | summarize count() by DestinationIP, DestinationPort, TimeGenerated\n | sort by TimeGenerated"
}
],
"connectivityCriterias": [
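Review bot: Grouping by the raw `TimeGenerated` column in the changed `summarize` line (the second of the two `query` lines, which reads as the new side) makes the "Summarize by destination IP and port" sample query stop summarizing, since ingestion timestamps are effectively unique per event and the result becomes roughly one row with `count_ == 1` per log line. If the goal was only to make the trailing `sort by TimeGenerated` valid after the aggregation, bucket the time instead: `| summarize count() by DestinationIP, DestinationPort, bin(TimeGenerated, 1h)`, or keep the original grouping and `| sort by count_ desc`. Whichever is chosen, the `description` above the query should state the time granularity the counts cover so an analyst does not read per-event rows as a traffic summary.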


@ -7,8 +7,18 @@
"graphQueries": [
{
"metricName": "Total data received",
"legend": "GitLab",
"baseQuery": "GitLab"
"legend": "GitLabApp",
"baseQuery": "GitLabApp"
},
{
"metricName": "Total data received",
"legend": "GitLabAudit",
"baseQuery": "GitLabAudit"
},
{
"metricName": "Total data received",
"legend": "GitLabAccess",
"baseQuery": "GitLabAccess"
}
],
"sampleQueries": [
@ -43,7 +53,9 @@
{
"type": "IsConnectedQuery",
"value": [
"GitLabAudit\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
"GitLabApp\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)",
"GitLabAudit\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)",
"GitLabAccess\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
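Review bot: The three `IsConnectedQuery` values added in the second hunk each declare the connector connected when their own table has any row in the last 30 days, so if Sentinel evaluates the list as any-of (I cannot confirm the evaluation rule from this file) the tile stays green while `GitLabAudit`, the stream detections depend on most, has silently stopped, as long as application or access logs keep flowing. If any-stream is the intended meaning, say so in the connector description; if the audit stream is the one that matters, keep only the `GitLabAudit` query as the gating check, or shorten its window well below 30 days so a stalled audit feed is noticed. The `baseQuery` values `GitLabApp`, `GitLabAudit` and `GitLabAccess` are parser functions rather than tables, so the graph tiles error until those parsers are deployed; the solution manifest should list them as dependencies, which I cannot verify here.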


@ -0,0 +1,14 @@
{
"Name": "Google Cloud Platform Audit Logs",
"Author": "Microsoft - support@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Google%20Cloud%20Platform%20Audit%20Logs/logo/Google-Cloud-Branding.png\" width=\"75px\" height=\"75px\">",
"Description": "The Google Cloud Platform (GCP) audit logs, ingested from Sentinel's connector, enable you to capture and track all activity that occurs in your GCP environment. These audit logs provide valuable insights for monitoring user activity, troubleshooting issues, and ensuring compliance with security regulations. They serve as a record of events that practitioners can utilize to monitor access and identify potential threats across GCP resources.",
"Data Connectors": [
"Data Connectors/GCPAuditLogs.json"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Google Cloud Platform Audit Logs",
"Version": "2.0.0",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1Pconnector": false
}
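Review bot: The new file's `"Is1Pconnector": false` key is cased differently from the `"Is1PConnector"` key the GoogleCloudPlatformDNS solution file uses later in this commit; if the packaging tool looks the key up case-sensitively, which a typical JSON deserializer does (not confirmable from here), the flag is silently ignored and whatever default the tool applies wins. Rename it to `"Is1PConnector": false` to match. The committed `BasePath` is a developer's local Windows path (`C:\\GitHub\\Azure-Sentinel\\...`), consistent with the other solution files in the repo, but it means the package build is not reproducible from another checkout; a relative path, if the tool accepts one, would remove that dependency.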


@ -0,0 +1,16 @@
{
"publisherId": "azuresentinel",
"offerId": "azure-sentinel-solution-gcpauditlogs-api",
"firstPublishDate": "2023-03-29",
"providers": ["Google"],
"categories": {
"domains" : ["DevOps"],
"verticals": []
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
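Review bot: `"domains": ["DevOps"]` is an odd marketplace classification for a data source whose own solution description in this commit positions GCP audit logs as a record for monitoring access and identifying threats across cloud resources. A cloud-security or identity domain would route it to the filter a SOC looks under; consider `"domains": ["Security - Cloud Security"]` if that value is in the publisher's allowed list, which I cannot confirm from this file.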


@ -7,7 +7,7 @@
"GoogleCloudPlatformDNS/Data Connectors/GCP_DNS_API_FunctionApp.json"
],
"Parsers": [
"GoogleCloudPlatformDNS/Parsers/imDNSGCPCloudDNS.txt"
"GoogleCloudPlatformDNS/Parsers/GCPCloudDNS.txt"
],
"WorkBooks": [
"GoogleCloudPlatformDNS/WorkBooks/GCPDNS.json"
@ -38,7 +38,7 @@
"GoogleCloudPlatformDNS/Hunting Queries/GCPDNSUnusualTLD.yaml"
],
"BasePath": "C:\\Github\\Azure-Sentinel\\Solutions",
"Version": "2.0.2",
"Version": "2.0.3",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": false

Solutions/GoogleCloudPlatformDNS/Package/2.0.3.zip Normal file



@ -52,9 +52,9 @@
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]",
"dataConnectorVersion1": "1.0.0",
"parserVersion1": "1.0.0",
"parserContentId1": "imDNSGCPCloudDNS-Parser",
"parserContentId1": "GCPCloudDNS-Parser",
"_parserContentId1": "[variables('parserContentId1')]",
"parserName1": "GoogleCloudPlatformDNS Data Parser",
"parserName1": "GCPCloudDNS",
"_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]",
"parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
"_parserId1": "[variables('parserId1')]",
@ -199,7 +199,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
],
"properties": {
"description": "GoogleCloudPlatformDNS data connector with template version 2.0.2",
"description": "GoogleCloudPlatformDNS data connector with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@ -208,7 +208,7 @@
"resources": [
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
"apiVersion": "2021-03-01-preview",
"apiVersion": "2022-10-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GenericUI",
@ -400,7 +400,7 @@
},
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
"apiVersion": "2021-03-01-preview",
"apiVersion": "2022-10-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GenericUI",
@ -540,8 +540,8 @@
"hidden-sentinelContentType": "Parser"
},
"properties": {
"description": "imDNSGCPCloudDNS Data Parser with template",
"displayName": "imDNSGCPCloudDNS Data Parser template"
"description": "GCPCloudDNS Data Parser with template",
"displayName": "GCPCloudDNS Data Parser template"
}
},
{
@ -557,7 +557,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName1'))]"
],
"properties": {
"description": "imDNSGCPCloudDNS Data Parser with template version 2.0.2",
"description": "GCPCloudDNS Data Parser with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserVersion1')]",
@ -571,15 +571,15 @@
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "GoogleCloudPlatformDNS Data Parser",
"displayName": "GCPCloudDNS",
"category": "Samples",
"functionAlias": "imDNSGCPCloudDNS",
"functionAlias": "GCPCloudDNS",
"query": "\nlet DNSQuery_GcpDns=()\r\n{\r\n GCP_DNS_CL\r\n | project-rename\r\n Query=payload_queryName_s, \r\n QueryTypeName=payload_queryType_s,\r\n ResponseName=payload_rdata_s, \r\n EventResultDetails=payload_responseCode_s,\r\n NetworkProtocol=payload_protocol_s, \r\n SrcIpAddr=payload_sourceIP_s,\r\n EventOriginalUid=insert_id_s,\r\n EventSeverity=severity_s \r\n | extend\r\n EventCount=int(1),\r\n EventProduct='Cloud DNS',\r\n EventVendor='GCP',\r\n EventSchemaVersion=\"0.1.0\",\r\n Dvc=\"GCPDNS\",\r\n EventType = iif (resource_type_s == \"dns_query\", \"lookup\", resource_type_s),\r\n EventResult=iff(EventResultDetails =~ 'NOERROR', 'Success', 'Failure'),\r\n EventSubType='response',\r\n EventEndTime=todatetime(timestamp_t) \r\n // -- Aliases\r\n | extend \r\n ResponseCodeName=EventResultDetails, \r\n Domain=Query,\r\n IpAddr=SrcIpAddr,\r\n EventStartTime = EventEndTime\r\n};\r\nDNSQuery_GcpDns",
"version": 1,
"tags": [
{
"name": "description",
"value": "GoogleCloudPlatformDNS Data Parser"
"value": "GCPCloudDNS"
}
]
}
@ -619,14 +619,14 @@
},
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "2021-06-01",
"apiVersion": "2022-10-01",
"name": "[variables('_parserName1')]",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "GoogleCloudPlatformDNS Data Parser",
"displayName": "GCPCloudDNS",
"category": "Samples",
"functionAlias": "imDNSGCPCloudDNS",
"functionAlias": "GCPCloudDNS",
"query": "\nlet DNSQuery_GcpDns=()\r\n{\r\n GCP_DNS_CL\r\n | project-rename\r\n Query=payload_queryName_s, \r\n QueryTypeName=payload_queryType_s,\r\n ResponseName=payload_rdata_s, \r\n EventResultDetails=payload_responseCode_s,\r\n NetworkProtocol=payload_protocol_s, \r\n SrcIpAddr=payload_sourceIP_s,\r\n EventOriginalUid=insert_id_s,\r\n EventSeverity=severity_s \r\n | extend\r\n EventCount=int(1),\r\n EventProduct='Cloud DNS',\r\n EventVendor='GCP',\r\n EventSchemaVersion=\"0.1.0\",\r\n Dvc=\"GCPDNS\",\r\n EventType = iif (resource_type_s == \"dns_query\", \"lookup\", resource_type_s),\r\n EventResult=iff(EventResultDetails =~ 'NOERROR', 'Success', 'Failure'),\r\n EventSubType='response',\r\n EventEndTime=todatetime(timestamp_t) \r\n // -- Aliases\r\n | extend \r\n ResponseCodeName=EventResultDetails, \r\n Domain=Query,\r\n IpAddr=SrcIpAddr,\r\n EventStartTime = EventEndTime\r\n};\r\nDNSQuery_GcpDns",
"version": 1
}
@ -688,7 +688,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]"
],
"properties": {
"description": "GCPDNSWorkbook with template version 2.0.2",
"description": "GCPDNSWorkbook with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@ -783,7 +783,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName1'))]"
],
"properties": {
"description": "GCPDNSDataExfiltration_AnalyticalRules Analytics Rule with template version 2.0.2",
"description": "GCPDNSDataExfiltration_AnalyticalRules Analytics Rule with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion1')]",
@ -811,10 +811,10 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "GCPDNSDataConnector",
"dataTypes": [
"GCPCloudDNS"
],
"connectorId": "GCPDNSDataConnector"
]
}
],
"tactics": [
@ -825,22 +825,22 @@
],
"entityMappings": [
{
"entityType": "DNS",
"fieldMappings": [
{
"columnName": "DNSCustomEntity",
"identifier": "DomainName"
"identifier": "DomainName",
"columnName": "DNSCustomEntity"
}
],
"entityType": "DNS"
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPCustomEntity",
"identifier": "Address"
"identifier": "Address",
"columnName": "IPCustomEntity"
}
],
"entityType": "IP"
]
}
]
}
@ -903,7 +903,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName2'))]"
],
"properties": {
"description": "GCPDNSExchangeAutodiscoverAbuse_AnalyticalRules Analytics Rule with template version 2.0.2",
"description": "GCPDNSExchangeAutodiscoverAbuse_AnalyticalRules Analytics Rule with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion2')]",
@ -931,10 +931,10 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "GCPDNSDataConnector",
"dataTypes": [
"GCPCloudDNS"
],
"connectorId": "GCPDNSDataConnector"
]
}
],
"tactics": [
@ -947,29 +947,29 @@
],
"entityMappings": [
{
"entityType": "DNS",
"fieldMappings": [
{
"columnName": "DNSCustomEntity",
"identifier": "DomainName"
"identifier": "DomainName",
"columnName": "DNSCustomEntity"
}
],
"entityType": "DNS"
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPCustomEntity",
"identifier": "Address"
"identifier": "Address",
"columnName": "IPCustomEntity"
}
],
"entityType": "IP"
]
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"apiVersion": "2022-10-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]",
"properties": {
"description": "GoogleCloudPlatformDNS Analytics Rule 2",
@ -1025,7 +1025,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName3'))]"
],
"properties": {
"description": "GCPDNSCVE-2021-40444_AnalyticalRules Analytics Rule with template version 2.0.2",
"description": "GCPDNSCVE-2021-40444_AnalyticalRules Analytics Rule with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion3')]",
@ -1053,10 +1053,10 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "GCPDNSDataConnector",
"dataTypes": [
"GCPCloudDNS"
],
"connectorId": "GCPDNSDataConnector"
]
}
],
"tactics": [
@ -1067,29 +1067,29 @@
],
"entityMappings": [
{
"entityType": "DNS",
"fieldMappings": [
{
"columnName": "DNSCustomEntity",
"identifier": "DomainName"
"identifier": "DomainName",
"columnName": "DNSCustomEntity"
}
],
"entityType": "DNS"
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPCustomEntity",
"identifier": "Address"
"identifier": "Address",
"columnName": "IPCustomEntity"
}
],
"entityType": "IP"
]
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"apiVersion": "2022-10-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]",
"properties": {
"description": "GoogleCloudPlatformDNS Analytics Rule 3",
@ -1145,7 +1145,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName4'))]"
],
"properties": {
"description": "GCPDNSIpCheck_AnalyticalRules Analytics Rule with template version 2.0.2",
"description": "GCPDNSIpCheck_AnalyticalRules Analytics Rule with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion4')]",
@ -1173,10 +1173,10 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "GCPDNSDataConnector",
"dataTypes": [
"GCPCloudDNS"
],
"connectorId": "GCPDNSDataConnector"
]
}
],
"tactics": [
@ -1187,29 +1187,29 @@
],
"entityMappings": [
{
"entityType": "DNS",
"fieldMappings": [
{
"columnName": "DNSCustomEntity",
"identifier": "DomainName"
"identifier": "DomainName",
"columnName": "DNSCustomEntity"
}
],
"entityType": "DNS"
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPCustomEntity",
"identifier": "Address"
"identifier": "Address",
"columnName": "IPCustomEntity"
}
],
"entityType": "IP"
]
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"apiVersion": "2022-10-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]",
"properties": {
"description": "GoogleCloudPlatformDNS Analytics Rule 4",
@ -1265,7 +1265,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName5'))]"
],
"properties": {
"description": "GCPDNSIpDynDns_AnalyticalRules Analytics Rule with template version 2.0.2",
"description": "GCPDNSIpDynDns_AnalyticalRules Analytics Rule with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion5')]",
@ -1293,10 +1293,10 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "GCPDNSDataConnector",
"dataTypes": [
"GCPCloudDNS"
],
"connectorId": "GCPDNSDataConnector"
]
}
],
"tactics": [
@ -1307,29 +1307,29 @@
],
"entityMappings": [
{
"entityType": "DNS",
"fieldMappings": [
{
"columnName": "DNSCustomEntity",
"identifier": "DomainName"
"identifier": "DomainName",
"columnName": "DNSCustomEntity"
}
],
"entityType": "DNS"
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPCustomEntity",
"identifier": "Address"
"identifier": "Address",
"columnName": "IPCustomEntity"
}
],
"entityType": "IP"
]
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"apiVersion": "2022-10-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]",
"properties": {
"description": "GoogleCloudPlatformDNS Analytics Rule 5",
@ -1385,7 +1385,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName6'))]"
],
"properties": {
"description": "GCPDNSMaliciousPythonPackages_AnalyticalRules Analytics Rule with template version 2.0.2",
"description": "GCPDNSMaliciousPythonPackages_AnalyticalRules Analytics Rule with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion6')]",
@ -1413,10 +1413,10 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "GCPDNSDataConnector",
"dataTypes": [
"GCPCloudDNS"
],
"connectorId": "GCPDNSDataConnector"
]
}
],
"tactics": [
@ -1427,29 +1427,29 @@
],
"entityMappings": [
{
"entityType": "DNS",
"fieldMappings": [
{
"columnName": "DNSCustomEntity",
"identifier": "DomainName"
"identifier": "DomainName",
"columnName": "DNSCustomEntity"
}
],
"entityType": "DNS"
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPCustomEntity",
"identifier": "Address"
"identifier": "Address",
"columnName": "IPCustomEntity"
}
],
"entityType": "IP"
]
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"apiVersion": "2022-10-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]",
"properties": {
"description": "GoogleCloudPlatformDNS Analytics Rule 6",
@ -1505,7 +1505,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName7'))]"
],
"properties": {
"description": "GCPDNSMultipleErrorsFromIp_AnalyticalRules Analytics Rule with template version 2.0.2",
"description": "GCPDNSMultipleErrorsFromIp_AnalyticalRules Analytics Rule with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion7')]",
@ -1533,10 +1533,10 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "GCPDNSDataConnector",
"dataTypes": [
"GCPCloudDNS"
],
"connectorId": "GCPDNSDataConnector"
]
}
],
"tactics": [
@ -1547,20 +1547,20 @@
],
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPCustomEntity",
"identifier": "Address"
"identifier": "Address",
"columnName": "IPCustomEntity"
}
],
"entityType": "IP"
]
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"apiVersion": "2022-10-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]",
"properties": {
"description": "GoogleCloudPlatformDNS Analytics Rule 7",
@ -1616,7 +1616,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName8'))]"
],
"properties": {
"description": "GCPDNSMultipleErrorsQuery_AnalyticalRules Analytics Rule with template version 2.0.2",
"description": "GCPDNSMultipleErrorsQuery_AnalyticalRules Analytics Rule with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion8')]",
@ -1644,10 +1644,10 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "GCPDNSDataConnector",
"dataTypes": [
"GCPCloudDNS"
],
"connectorId": "GCPDNSDataConnector"
]
}
],
"tactics": [
@ -1658,29 +1658,29 @@
],
"entityMappings": [
{
"entityType": "DNS",
"fieldMappings": [
{
"columnName": "DNSCustomEntity",
"identifier": "DomainName"
"identifier": "DomainName",
"columnName": "DNSCustomEntity"
}
],
"entityType": "DNS"
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPCustomEntity",
"identifier": "Address"
"identifier": "Address",
"columnName": "IPCustomEntity"
}
],
"entityType": "IP"
]
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"apiVersion": "2022-10-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]",
"properties": {
"description": "GoogleCloudPlatformDNS Analytics Rule 8",
@ -1736,7 +1736,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName9'))]"
],
"properties": {
"description": "GCPDNSPrintNightmare_AnalyticalRules Analytics Rule with template version 2.0.2",
"description": "GCPDNSPrintNightmare_AnalyticalRules Analytics Rule with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion9')]",
@ -1764,10 +1764,10 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "GCPDNSDataConnector",
"dataTypes": [
"GCPCloudDNS"
],
"connectorId": "GCPDNSDataConnector"
]
}
],
"tactics": [
@ -1778,29 +1778,29 @@
],
"entityMappings": [
{
"entityType": "DNS",
"fieldMappings": [
{
"columnName": "DNSCustomEntity",
"identifier": "DomainName"
"identifier": "DomainName",
"columnName": "DNSCustomEntity"
}
],
"entityType": "DNS"
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPCustomEntity",
"identifier": "Address"
"identifier": "Address",
"columnName": "IPCustomEntity"
}
],
"entityType": "IP"
]
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"apiVersion": "2022-10-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]",
"properties": {
"description": "GoogleCloudPlatformDNS Analytics Rule 9",
@ -1856,7 +1856,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName10'))]"
],
"properties": {
"description": "GCPDNSSIGREDPattern_AnalyticalRules Analytics Rule with template version 2.0.2",
"description": "GCPDNSSIGREDPattern_AnalyticalRules Analytics Rule with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion10')]",
@ -1884,10 +1884,10 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "GCPDNSDataConnector",
"dataTypes": [
"GCPCloudDNS"
],
"connectorId": "GCPDNSDataConnector"
]
}
],
"tactics": [
@ -1898,20 +1898,20 @@
],
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPCustomEntity",
"identifier": "Address"
"identifier": "Address",
"columnName": "IPCustomEntity"
}
],
"entityType": "IP"
]
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"apiVersion": "2022-10-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId10'),'/'))))]",
"properties": {
"description": "GoogleCloudPlatformDNS Analytics Rule 10",
@ -1967,7 +1967,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName11'))]"
],
"properties": {
"description": "GCPDNSUNC2452AptActivity_AnalyticalRules Analytics Rule with template version 2.0.2",
"description": "GCPDNSUNC2452AptActivity_AnalyticalRules Analytics Rule with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion11')]",
@ -1995,10 +1995,10 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "GCPDNSDataConnector",
"dataTypes": [
"GCPCloudDNS"
],
"connectorId": "GCPDNSDataConnector"
]
}
],
"tactics": [
@ -2009,29 +2009,29 @@
],
"entityMappings": [
{
"entityType": "DNS",
"fieldMappings": [
{
"columnName": "DNSCustomEntity",
"identifier": "DomainName"
"identifier": "DomainName",
"columnName": "DNSCustomEntity"
}
],
"entityType": "DNS"
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPCustomEntity",
"identifier": "Address"
"identifier": "Address",
"columnName": "IPCustomEntity"
}
],
"entityType": "IP"
]
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"apiVersion": "2022-10-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId11'),'/'))))]",
"properties": {
"description": "GoogleCloudPlatformDNS Analytics Rule 11",
@ -2087,7 +2087,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName1'))]"
],
"properties": {
"description": "GCPDNSErrors_HuntingQueries Hunting Query with template version 2.0.2",
"description": "GCPDNSErrors_HuntingQueries Hunting Query with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion1')]",
@ -2096,7 +2096,7 @@
"resources": [
{
"type": "Microsoft.OperationalInsights/savedSearches",
"apiVersion": "2020-08-01",
"apiVersion": "2022-10-01-preview",
"name": "GoogleCloudPlatformDNS_Hunting_Query_1",
"location": "[parameters('workspace-location')]",
"properties": {
@ -2123,7 +2123,7 @@
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"apiVersion": "2022-10-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId1'),'/'))))]",
"properties": {
"description": "GoogleCloudPlatformDNS Hunting Query 1",
@ -2179,7 +2179,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName2'))]"
],
"properties": {
"description": "GCPDNSIpLookup_HuntingQueries Hunting Query with template version 2.0.2",
"description": "GCPDNSIpLookup_HuntingQueries Hunting Query with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion2')]",
@ -2188,7 +2188,7 @@
"resources": [
{
"type": "Microsoft.OperationalInsights/savedSearches",
"apiVersion": "2020-08-01",
"apiVersion": "2022-10-01-preview",
"name": "GoogleCloudPlatformDNS_Hunting_Query_2",
"location": "[parameters('workspace-location')]",
"properties": {
@ -2215,7 +2215,7 @@
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"apiVersion": "2022-10-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId2'),'/'))))]",
"properties": {
"description": "GoogleCloudPlatformDNS Hunting Query 2",
@ -2271,7 +2271,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName3'))]"
],
"properties": {
"description": "GCPDNSOnlineShares_HuntingQueries Hunting Query with template version 2.0.2",
"description": "GCPDNSOnlineShares_HuntingQueries Hunting Query with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion3')]",
@ -2280,7 +2280,7 @@
"resources": [
{
"type": "Microsoft.OperationalInsights/savedSearches",
"apiVersion": "2020-08-01",
"apiVersion": "2022-10-01-preview",
"name": "GoogleCloudPlatformDNS_Hunting_Query_3",
"location": "[parameters('workspace-location')]",
"properties": {
@ -2307,7 +2307,7 @@
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"apiVersion": "2022-10-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId3'),'/'))))]",
"properties": {
"description": "GoogleCloudPlatformDNS Hunting Query 3",
@ -2363,7 +2363,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName4'))]"
],
"properties": {
"description": "GCPDNSRareDomains_HuntingQueries Hunting Query with template version 2.0.2",
"description": "GCPDNSRareDomains_HuntingQueries Hunting Query with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion4')]",
@ -2372,7 +2372,7 @@
"resources": [
{
"type": "Microsoft.OperationalInsights/savedSearches",
"apiVersion": "2020-08-01",
"apiVersion": "2022-10-01-preview",
"name": "GoogleCloudPlatformDNS_Hunting_Query_4",
"location": "[parameters('workspace-location')]",
"properties": {
@ -2399,7 +2399,7 @@
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"apiVersion": "2022-10-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId4'),'/'))))]",
"properties": {
"description": "GoogleCloudPlatformDNS Hunting Query 4",
@ -2455,7 +2455,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName5'))]"
],
"properties": {
"description": "GCPDNSRareErrors_HuntingQueries Hunting Query with template version 2.0.2",
"description": "GCPDNSRareErrors_HuntingQueries Hunting Query with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion5')]",
@ -2464,7 +2464,7 @@
"resources": [
{
"type": "Microsoft.OperationalInsights/savedSearches",
"apiVersion": "2020-08-01",
"apiVersion": "2022-10-01-preview",
"name": "GoogleCloudPlatformDNS_Hunting_Query_5",
"location": "[parameters('workspace-location')]",
"properties": {
@ -2491,7 +2491,7 @@
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"apiVersion": "2022-10-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId5'),'/'))))]",
"properties": {
"description": "GoogleCloudPlatformDNS Hunting Query 5",
@ -2547,7 +2547,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName6'))]"
],
"properties": {
"description": "GCPDNSRequestToTOR_HuntingQueries Hunting Query with template version 2.0.2",
"description": "GCPDNSRequestToTOR_HuntingQueries Hunting Query with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion6')]",
@ -2556,7 +2556,7 @@
"resources": [
{
"type": "Microsoft.OperationalInsights/savedSearches",
"apiVersion": "2020-08-01",
"apiVersion": "2022-10-01-preview",
"name": "GoogleCloudPlatformDNS_Hunting_Query_6",
"location": "[parameters('workspace-location')]",
"properties": {
@ -2583,7 +2583,7 @@
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"apiVersion": "2022-10-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId6'),'/'))))]",
"properties": {
"description": "GoogleCloudPlatformDNS Hunting Query 6",
@ -2639,7 +2639,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName7'))]"
],
"properties": {
"description": "GCPDNSServerLatency_HuntingQueries Hunting Query with template version 2.0.2",
"description": "GCPDNSServerLatency_HuntingQueries Hunting Query with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion7')]",
@ -2648,7 +2648,7 @@
"resources": [
{
"type": "Microsoft.OperationalInsights/savedSearches",
"apiVersion": "2020-08-01",
"apiVersion": "2022-10-01-preview",
"name": "GoogleCloudPlatformDNS_Hunting_Query_7",
"location": "[parameters('workspace-location')]",
"properties": {
@ -2675,7 +2675,7 @@
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"apiVersion": "2022-10-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId7'),'/'))))]",
"properties": {
"description": "GoogleCloudPlatformDNS Hunting Query 7",
@ -2731,7 +2731,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName8'))]"
],
"properties": {
"description": "GCPDNSSourceHighErrors_HuntingQueries Hunting Query with template version 2.0.2",
"description": "GCPDNSSourceHighErrors_HuntingQueries Hunting Query with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion8')]",
@ -2740,7 +2740,7 @@
"resources": [
{
"type": "Microsoft.OperationalInsights/savedSearches",
"apiVersion": "2020-08-01",
"apiVersion": "2022-10-01-preview",
"name": "GoogleCloudPlatformDNS_Hunting_Query_8",
"location": "[parameters('workspace-location')]",
"properties": {
@ -2767,7 +2767,7 @@
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"apiVersion": "2022-10-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId8'),'/'))))]",
"properties": {
"description": "GoogleCloudPlatformDNS Hunting Query 8",
@ -2823,7 +2823,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName9'))]"
],
"properties": {
"description": "GCPDNSUnexpectedTLD_HuntingQueries Hunting Query with template version 2.0.2",
"description": "GCPDNSUnexpectedTLD_HuntingQueries Hunting Query with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion9')]",
@ -2832,7 +2832,7 @@
"resources": [
{
"type": "Microsoft.OperationalInsights/savedSearches",
"apiVersion": "2020-08-01",
"apiVersion": "2022-10-01-preview",
"name": "GoogleCloudPlatformDNS_Hunting_Query_9",
"location": "[parameters('workspace-location')]",
"properties": {
@ -2859,7 +2859,7 @@
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"apiVersion": "2022-10-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId9'),'/'))))]",
"properties": {
"description": "GoogleCloudPlatformDNS Hunting Query 9",
@ -2915,7 +2915,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName10'))]"
],
"properties": {
"description": "GCPDNSUnusualTLD_HuntingQueries Hunting Query with template version 2.0.2",
"description": "GCPDNSUnusualTLD_HuntingQueries Hunting Query with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion10')]",
@ -2924,7 +2924,7 @@
"resources": [
{
"type": "Microsoft.OperationalInsights/savedSearches",
"apiVersion": "2020-08-01",
"apiVersion": "2022-10-01-preview",
"name": "GoogleCloudPlatformDNS_Hunting_Query_10",
"location": "[parameters('workspace-location')]",
"properties": {
@ -2951,7 +2951,7 @@
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"apiVersion": "2022-10-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId10'),'/'))))]",
"properties": {
"description": "GoogleCloudPlatformDNS Hunting Query 10",
@ -2982,10 +2982,10 @@
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"apiVersion": "2022-10-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "2.0.2",
"version": "2.0.3",
"kind": "Solution",
"contentSchemaVersion": "2.0.0",
"contentId": "[variables('_solutionId')]",


@ -39,7 +39,7 @@
"Hunting Queries/GWorkspaceUserWithSeveralDevices.yaml"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\GoogleWorkspaceReports",
"Version": "2.0.5",
"Version": "2.0.6",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1Pconnector": false

Solutions/GoogleWorkspaceReports/Package/2.0.6.zip Normal file



@ -67,7 +67,7 @@
"name": "dataconnectors-parser-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The solution installs a parser that transforms ingested data. The transformed logs can be accessed using the GWorkspace Kusto Function alias. "
"text": "The solution installs a parser that transforms ingested data. The transformed logs can be accessed using the GWorkspace Kusto Function alias."
}
},
{


@ -203,7 +203,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]"
],
"properties": {
"description": "GoogleWorkspaceWorkbook with template version 2.0.5",
"description": "GoogleWorkspaceWorkbook with template version 2.0.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@ -215,7 +215,7 @@
"name": "[variables('workbookContentId1')]",
"location": "[parameters('workspace-location')]",
"kind": "shared",
"apiVersion": "2022-02-01",
"apiVersion": "2021-08-01",
"metadata": {
"description": "Sets the time name for analysis"
},
@ -318,7 +318,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName1'))]"
],
"properties": {
"description": "GWorkspaceActivityReports Data Parser with template version 2.0.5",
"description": "GWorkspaceActivityReports Data Parser with template version 2.0.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserVersion1')]",
@ -327,7 +327,7 @@
"resources": [
{
"name": "[variables('_parserName1')]",
"apiVersion": "2022-10-01",
"apiVersion": "2020-08-01",
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"location": "[parameters('workspace-location')]",
"properties": {
@ -449,7 +449,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName1'))]"
],
"properties": {
"description": "GWorkspaceAdminPermissionsGranted_AnalyticalRules Analytics Rule with template version 2.0.5",
"description": "GWorkspaceAdminPermissionsGranted_AnalyticalRules Analytics Rule with template version 2.0.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion1')]",
@ -491,13 +491,13 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "Name"
"identifier": "Name",
"columnName": "AccountCustomEntity"
}
]
],
"entityType": "Account"
}
]
}
@ -560,7 +560,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName2'))]"
],
"properties": {
"description": "GWorkspaceAlertEvents_AnalyticalRules Analytics Rule with template version 2.0.5",
"description": "GWorkspaceAlertEvents_AnalyticalRules Analytics Rule with template version 2.0.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion2')]",
@ -603,13 +603,13 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "Name"
"identifier": "Name",
"columnName": "AccountCustomEntity"
}
]
],
"entityType": "Account"
}
]
}
@ -672,7 +672,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName3'))]"
],
"properties": {
"description": "GWorkspaceApiAccessToNewClient_AnalyticalRules Analytics Rule with template version 2.0.5",
"description": "GWorkspaceApiAccessToNewClient_AnalyticalRules Analytics Rule with template version 2.0.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion3')]",
@ -715,13 +715,13 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "Name"
"identifier": "Name",
"columnName": "AccountCustomEntity"
}
]
],
"entityType": "Account"
}
]
}
@ -784,7 +784,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName4'))]"
],
"properties": {
"description": "GWorkspaceChangedUserAccess_AnalyticalRules Analytics Rule with template version 2.0.5",
"description": "GWorkspaceChangedUserAccess_AnalyticalRules Analytics Rule with template version 2.0.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion4')]",
@ -826,13 +826,13 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "Name"
"identifier": "Name",
"columnName": "AccountCustomEntity"
}
]
],
"entityType": "Account"
}
]
}
@ -895,7 +895,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName5'))]"
],
"properties": {
"description": "GWorkspaceDifferentUAsFromSingleIP_AnalyticalRules Analytics Rule with template version 2.0.5",
"description": "GWorkspaceDifferentUAsFromSingleIP_AnalyticalRules Analytics Rule with template version 2.0.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion5')]",
@ -939,13 +939,13 @@
],
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPCustomEntity",
"identifier": "Address"
"identifier": "Address",
"columnName": "IPCustomEntity"
}
]
],
"entityType": "IP"
}
]
}
@ -1008,7 +1008,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName6'))]"
],
"properties": {
"description": "GWorkspaceOutboundRelayAddedToSuiteDomain_AnalyticalRules Analytics Rule with template version 2.0.5",
"description": "GWorkspaceOutboundRelayAddedToSuiteDomain_AnalyticalRules Analytics Rule with template version 2.0.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion6')]",
@ -1050,13 +1050,13 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "Name"
"identifier": "Name",
"columnName": "AccountCustomEntity"
}
]
],
"entityType": "Account"
}
]
}
@ -1119,7 +1119,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName7'))]"
],
"properties": {
"description": "GWorkspacePossibleBruteForce_AnalyticalRules Analytics Rule with template version 2.0.5",
"description": "GWorkspacePossibleBruteForce_AnalyticalRules Analytics Rule with template version 2.0.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion7')]",
@ -1161,13 +1161,13 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "Name"
"identifier": "Name",
"columnName": "AccountCustomEntity"
}
]
],
"entityType": "Account"
}
]
}
@ -1230,7 +1230,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName8'))]"
],
"properties": {
"description": "GWorkspacePossibleMaldocFileNamesInGDRIVE_AnalyticalRules Analytics Rule with template version 2.0.5",
"description": "GWorkspacePossibleMaldocFileNamesInGDRIVE_AnalyticalRules Analytics Rule with template version 2.0.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion8')]",
@ -1272,22 +1272,22 @@
],
"entityMappings": [
{
"entityType": "File",
"fieldMappings": [
{
"columnName": "FileCustomEntity",
"identifier": "Name"
"identifier": "Name",
"columnName": "FileCustomEntity"
}
]
],
"entityType": "File"
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "Name"
"identifier": "Name",
"columnName": "AccountCustomEntity"
}
]
],
"entityType": "Account"
}
]
}
@ -1350,7 +1350,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName9'))]"
],
"properties": {
"description": "GWorkspaceTwoStepAuthenticationDisabledForUser_AnalyticalRules Analytics Rule with template version 2.0.5",
"description": "GWorkspaceTwoStepAuthenticationDisabledForUser_AnalyticalRules Analytics Rule with template version 2.0.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion9')]",
@ -1392,13 +1392,13 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "Name"
"identifier": "Name",
"columnName": "AccountCustomEntity"
}
]
],
"entityType": "Account"
}
]
}
@ -1461,7 +1461,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName10'))]"
],
"properties": {
"description": "GWorkspaceUnexpectedOSUpdate_AnalyticalRules Analytics Rule with template version 2.0.5",
"description": "GWorkspaceUnexpectedOSUpdate_AnalyticalRules Analytics Rule with template version 2.0.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion10')]",
@ -1500,13 +1500,13 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "Name"
"identifier": "Name",
"columnName": "AccountCustomEntity"
}
]
],
"entityType": "Account"
}
]
}
@ -1569,7 +1569,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
],
"properties": {
"description": "GoogleWorkspaceReports data connector with template version 2.0.5",
"description": "GoogleWorkspaceReports data connector with template version 2.0.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@ -1796,7 +1796,7 @@
"description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-GWorkspaceReportsAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. GWorkspaceXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration."
},
{
"description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select ** New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tGooglePickleString\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://<CustomerId>.ods.opinsights.azure.us`. \n4. Once all application settings have been entered, click **Save**."
"description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select ** New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tGooglePickleString\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n4. (Optional) Change the default delays if required. \n\n\t> **NOTE:** The following default values for ingestion delays have been added for different set of logs from Google Workspace based on Google [documentation](https://support.google.com/a/answer/7061566). These can be modified based on environmental requirements. \n\t\t Fetch Delay - 10 minutes \n\t\t Calendar Fetch Delay - 6 hours \n\t\t Chat Fetch Delay - 1 day \n\t\t User Accounts Fetch Delay - 3 hours \n\t\t Login Fetch Delay - 6 hours \n\n5. Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://<CustomerId>.ods.opinsights.azure.us`. \n6. Once all application settings have been entered, click **Save**."
}
]
}
@ -2080,7 +2080,7 @@
"description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-GWorkspaceReportsAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. GWorkspaceXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration."
},
{
"description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select ** New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tGooglePickleString\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://<CustomerId>.ods.opinsights.azure.us`. \n4. Once all application settings have been entered, click **Save**."
"description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select ** New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tGooglePickleString\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n4. (Optional) Change the default delays if required. \n\n\t> **NOTE:** The following default values for ingestion delays have been added for different set of logs from Google Workspace based on Google [documentation](https://support.google.com/a/answer/7061566). These can be modified based on environmental requirements. \n\t\t Fetch Delay - 10 minutes \n\t\t Calendar Fetch Delay - 6 hours \n\t\t Chat Fetch Delay - 1 day \n\t\t User Accounts Fetch Delay - 3 hours \n\t\t Login Fetch Delay - 6 hours \n\n5. Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://<CustomerId>.ods.opinsights.azure.us`. \n6. Once all application settings have been entered, click **Save**."
}
],
"id": "[variables('_uiConfigId1')]",
@ -2115,7 +2115,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName1'))]"
],
"properties": {
"description": "GWorkspaceDocumentSharedExternally_HuntingQueries Hunting Query with template version 2.0.5",
"description": "GWorkspaceDocumentSharedExternally_HuntingQueries Hunting Query with template version 2.0.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion1')]",
@ -2207,7 +2207,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName2'))]"
],
"properties": {
"description": "GWorkspaceDocumentSharedPublicily_HuntingQueries Hunting Query with template version 2.0.5",
"description": "GWorkspaceDocumentSharedPublicily_HuntingQueries Hunting Query with template version 2.0.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion2')]",
@ -2299,7 +2299,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName3'))]"
],
"properties": {
"description": "GWorkspaceDocumentSharedPublicilyWithLink_HuntingQueries Hunting Query with template version 2.0.5",
"description": "GWorkspaceDocumentSharedPublicilyWithLink_HuntingQueries Hunting Query with template version 2.0.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion3')]",
@ -2391,7 +2391,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName4'))]"
],
"properties": {
"description": "GWorkspaceMultiIPAddresses_HuntingQueries Hunting Query with template version 2.0.5",
"description": "GWorkspaceMultiIPAddresses_HuntingQueries Hunting Query with template version 2.0.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion4')]",
@ -2483,7 +2483,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName5'))]"
],
"properties": {
"description": "GWorkspacePossibleSCAMSPAMorPhishingCalendar_HuntingQueries Hunting Query with template version 2.0.5",
"description": "GWorkspacePossibleSCAMSPAMorPhishingCalendar_HuntingQueries Hunting Query with template version 2.0.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion5')]",
@ -2575,7 +2575,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName6'))]"
],
"properties": {
"description": "GWorkspaceRareDocType_HuntingQueries Hunting Query with template version 2.0.5",
"description": "GWorkspaceRareDocType_HuntingQueries Hunting Query with template version 2.0.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion6')]",
@ -2667,7 +2667,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName7'))]"
],
"properties": {
"description": "GWorkspaceSharedPrivateDocument_HuntingQueries Hunting Query with template version 2.0.5",
"description": "GWorkspaceSharedPrivateDocument_HuntingQueries Hunting Query with template version 2.0.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion7')]",
@ -2759,7 +2759,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName8'))]"
],
"properties": {
"description": "GWorkspaceSuspendedUsers_HuntingQueries Hunting Query with template version 2.0.5",
"description": "GWorkspaceSuspendedUsers_HuntingQueries Hunting Query with template version 2.0.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion8')]",
@ -2851,7 +2851,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName9'))]"
],
"properties": {
"description": "GWorkspaceUncommonUAsString_HuntingQueries Hunting Query with template version 2.0.5",
"description": "GWorkspaceUncommonUAsString_HuntingQueries Hunting Query with template version 2.0.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion9')]",
@ -2943,7 +2943,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName10'))]"
],
"properties": {
"description": "GWorkspaceUnknownLoginType_HuntingQueries Hunting Query with template version 2.0.5",
"description": "GWorkspaceUnknownLoginType_HuntingQueries Hunting Query with template version 2.0.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion10')]",
@ -3035,7 +3035,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName11'))]"
],
"properties": {
"description": "GWorkspaceUserReportedCalendarInviteAsSpam_HuntingQueries Hunting Query with template version 2.0.5",
"description": "GWorkspaceUserReportedCalendarInviteAsSpam_HuntingQueries Hunting Query with template version 2.0.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion11')]",
@ -3127,7 +3127,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName12'))]"
],
"properties": {
"description": "GWorkspaceUserWithSeveralDevices_HuntingQueries Hunting Query with template version 2.0.5",
"description": "GWorkspaceUserWithSeveralDevices_HuntingQueries Hunting Query with template version 2.0.6",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion12')]",
@ -3197,7 +3197,7 @@
"apiVersion": "2022-01-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "2.0.5",
"version": "2.0.6",
"kind": "Solution",
"contentSchemaVersion": "2.0.0",
"contentId": "[variables('_solutionId')]",
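Review bot: The rewritten `**2. Configure the Function App**` instructions still direct users to store `GooglePickleString` and `WorkspaceKey` (presumably a serialized Google credential and the Log Analytics shared key) as plain Function App application settings, and the new text adds fetch-delay guidance without any secret-handling guidance; a line such as `> **NOTE:** Store GooglePickleString and WorkspaceKey as Key Vault references (@Microsoft.KeyVault(SecretUri=...)) rather than plain application settings.` belongs in that step. The same step has a stray space in `** New application setting**`, which breaks the Markdown bold and should read `**New application setting**`. Separately, the workbook and parser `apiVersion` pairs in this section (`2022-02-01` next to `2021-08-01`, `2022-10-01` next to `2020-08-01`) move in the opposite direction from the `2022-10-01-preview` bumps in the GoogleCloudPlatformDNS template earlier in this commit; if the second printed line of each pair is the new side, that is a downgrade of generator-emitted values and worth confirming against the packaging tool's current defaults.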


@ -18,11 +18,11 @@
"sampleQueries": [
{
"description" : "All low net assets",
"query": "net_assets_Cl\n | where severity_s == 'low'"
"query": "net_assets_CL\n | where severity_s == 'low'"
},
{
"description" : "All low web assets",
"query": "web_assets_Cl\n | where severity_s == 'low'"
"query": "web_assets_CL\n | where severity_s == 'low'"
}
],
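Review bot: The `dataTypes` array that begins on the hunk's last line runs past the visible lines and is the other place these table names appear; since KQL table names are case-sensitive, its `name` entries should be checked for the same `_Cl` vs `_CL` spelling that the two sample queries here correct. The enclosing connector object starts before this hunk.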
"dataTypes": [


@ -9,8 +9,8 @@
"Parsers": [
"Parsers/JuniperSRX.txt"
],
"BasePath": "C:\\One\\Azure\\Azure-Sentinel\\Solutions\\Juniper SRX",
"Version": "2.0.2",
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Juniper SRX",
"Version": "2.0.3",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1Pconnector": false

Solutions/Juniper SRX/Package/2.0.3.zip Normal file


