Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Merge branch 'master' into v-sabiraj-iototpackageupdate

This commit is contained in:
v-sabiraj 2023-02-02 14:53:38 +05:30
Родитель 82e10a56ba 11eb2b02db
Коммит ae59f0de72
43 изменённых файлов: 244 добавлений и 224 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

3
.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
Просмотреть файл

@ -124,6 +124,7 @@
"PostgreSQL",
"ProofpointPOD",
"ProofpointTAP",
"ProofpointTAPNativePoller",
"PulseConnectSecure",
"QualysKB",
"QualysVulnerabilityManagement",
@ -182,4 +183,4 @@
"DynatraceAttacks",
"DynatraceAuditLogs",
"DynatraceProblems"
]
]

4
Solutions/Azure Active Directory Identity Protection/Data Connectors/template_AzureActiveDirectoryIdentityProtection.JSON
Просмотреть файл

@ -6,7 +6,7 @@
"type": 3,
"options": null
},
"descriptionMarkdown": "Azure Active Directory Identity Protection provides a consolidated view at risk users, risk events and vulnerabilities, with the ability to remediate risk immediately, and set policies to auto-remediate future events. The service is built on Microsofts experience protecting consumer identities and gains tremendous accuracy from the signal from over 13 billion logins a day. Integrate Microsoft Azure Active Directory Identity Protection alerts with Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation.\n\n[Get Azure Active Directory Premium P1/P2 >](https://aka.ms/asi-ipcconnectorgetlink)",
"descriptionMarkdown": "Azure Active Directory Identity Protection provides a consolidated view at risk users, risk events and vulnerabilities, with the ability to remediate risk immediately, and set policies to auto-remediate future events. The service is built on Microsofts experience protecting consumer identities and gains tremendous accuracy from the signal from over 13 billion logins a day. Integrate Microsoft Azure Active Directory Identity Protection alerts with Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation. For more information, see the [Microsoft Sentinel documentation >](https://go.microsoft.com/fwlink/p/?linkid=2220065&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).\n\n[Get Azure Active Directory Premium P1/P2 >](https://aka.ms/asi-ipcconnectorgetlink)",
"graphQueries": [
{
"metricName": "Total data received",
@ -103,4 +103,4 @@
]
}
]
}
}

4
Solutions/Azure Activity/Data Connectors/AzureActivity.JSON
Просмотреть файл

@ -2,7 +2,7 @@
"id": "AzureActivity",
"title": "Azure Activity",
"publisher": "Microsoft",
"descriptionMarkdown": "Azure Activity Log is a subscription log that provides insight into subscription-level events that occur in Azure, including events from Azure Resource Manager operational data, service health events, write operations taken on the resources in your subscription, and the status of activities performed in Azure.",
"descriptionMarkdown": "Azure Activity Log is a subscription log that provides insight into subscription-level events that occur in Azure, including events from Azure Resource Manager operational data, service health events, write operations taken on the resources in your subscription, and the status of activities performed in Azure. For more information, see the [Microsoft Sentinel documentation >](https://go.microsoft.com/fwlink/p/?linkid=2219695&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
"logo": "AzureActivity.svg",
"lastDataReceivedInfoBalloon": "If no new data has been received in the last 14 days, the connector will display as being \"not connected.\" When the connector will recive data , the \"connected\" status will return.",
"graphQueries": [
@ -126,4 +126,4 @@
"link":"https://github.com/Azure/Azure-Sentinel/issues"
}
}
}
}

4
Solutions/Azure DDoS Protection/Data Connectors/DDOS.JSON
Просмотреть файл

@ -2,7 +2,7 @@
"id": "DDOS",
"title": "Azure DDoS Protection",
"publisher": "Microsoft",
"descriptionMarkdown": "Connect to Azure DDoS Protection Standard logs via Public IP Address Diagnostic Logs. In addition to the core DDoS protection in the platform, Azure DDoS Protection Standard provides advanced DDoS mitigation capabilities against network attacks. It's automatically tuned to protect your specific Azure resources. Protection is simple to enable during the creation of new virtual networks. It can also be done after creation and requires no application or resource changes.",
"descriptionMarkdown": "Connect to Azure DDoS Protection Standard logs via Public IP Address Diagnostic Logs. In addition to the core DDoS protection in the platform, Azure DDoS Protection Standard provides advanced DDoS mitigation capabilities against network attacks. It's automatically tuned to protect your specific Azure resources. Protection is simple to enable during the creation of new virtual networks. It can also be done after creation and requires no application or resource changes. For more information, see the [Microsoft Sentinel documentation >](https://go.microsoft.com/fwlink/p/?linkid=2219760&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
"lastDataReceivedInfoBalloon": "If no new data has been received in the last 14 days, the connector will display as being \"not connected.\" When the connector will recive data , the \"connected\" status will return.",
"graphQueries": [
{
@ -93,4 +93,4 @@
"description": "Inside your Public IP Address resource:\n \n1. Select **+ Add diagnostic setting.**\n2. In the **Diagnostic setting** blade:\n - Type a **Name**, within the **Diagnostics settings** name field.\n - Select **Send to Log Analytics**.\n - Choose the log destination workspace.\n - Select the categories that you want to analyze (recommended: DDoSProtectionNotifications, DDoSMitigationFlowLogs, DDoSMitigationReports)\n - Click **Save**."
}
]
}
}

4
Solutions/Azure Firewall/Data Connectors/AzureFirewall.JSON
Просмотреть файл

@ -2,7 +2,7 @@
"id": "AzureFirewall",
"title": "Azure Firewall",
"publisher": "Microsoft",
"descriptionMarkdown": "Connect to Azure Firewall. Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.",
"descriptionMarkdown": "Connect to Azure Firewall. Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. For more information, see the [Microsoft Sentinel documentation >](https://go.microsoft.com/fwlink/p/?linkid=2220124&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
"lastDataReceivedInfoBalloon": "If no new data has been received in the last 14 days, the connector will display as being \"not connected.\" When the connector will recive data , the \"connected\" status will return.",
"logo": "AzureFirewall.svg",
"graphQueries": [
@ -76,4 +76,4 @@
"description": "Inside your Firewall resource:\n\n1. Select **Diagnostic logs.**\n2. Select **+ Add diagnostic setting.**\n3. In the **Diagnostic setting** blade:\n - Type a **Name**.\n - Select **Send to Log Analytics**.\n - Choose the log destination workspace.\n - Select the categories that you want to analyze (recommended: AzureFirewallApplicationRule, AzureFirewallNetworkRule)\n - Click **Save**."
}
]
}
}

4
Solutions/Azure Key Vault/Data Connectors/AzureKeyVault.JSON
Просмотреть файл

@ -12,7 +12,7 @@
"publisher": "Microsoft",
"logo": "AzureKeyVault.svg",
"lastDataReceivedInfoBalloon": "If no new data has been received in the last 14 days, the connector will display as being \"not connected.\" When the connector will recive data , the \"connected\" status will return.",
"descriptionMarkdown": "Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys. This connector lets you stream your Azure Key Vault diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances. ",
"descriptionMarkdown": "Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys. This connector lets you stream your Azure Key Vault diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances. For more information, see the [Microsoft Sentinel documentation >](https://go.microsoft.com/fwlink/p/?linkid=2220125&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
"graphQueries": [
{
"metricName": "Total data received",
@ -120,4 +120,4 @@
"assessmentDescriptions": "Microsoft Defender for Key-Vaults provides real-time protection for your Azure Key-Vaults Services. Enable Microsoft Defender for Key-Vaults,connect it into Sentinel, and use Key-Vaults diagnostic logs in order to investigate Microsoft Defender alerts into a root cause in Sentinel.",
"assessmentSectionTitleText": "Enable Microsoft Defender for Key-Vaults - Recommended!"
}
}
}

4
Solutions/Azure Storage/Data Connectors/AzureStorageAccount_CCP.JSON
Просмотреть файл

@ -2,7 +2,7 @@
"id": "AzureStorageAccount",
"title": "Azure Storage Account",
"publisher": "Microsoft",
"descriptionMarkdown": "Azure Storage account is a cloud solution for modern data storage scenarios. It contains all your data objects: blobs, files, queues, tables, and disks. This connector lets you stream Azure Storage accounts diagnostics logs into your Microsoft Sentinel workspace, allowing you to continuously monitor activity in all your instances, and detect malicious activity in your organization.",
"descriptionMarkdown": "Azure Storage account is a cloud solution for modern data storage scenarios. It contains all your data objects: blobs, files, queues, tables, and disks. This connector lets you stream Azure Storage accounts diagnostics logs into your Microsoft Sentinel workspace, allowing you to continuously monitor activity in all your instances, and detect malicious activity in your organization. For more information, see the [Microsoft Sentinel documentation >](https://go.microsoft.com/fwlink/p/?linkid=2220068&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
"graphQueries": [
{
"metricName": "Total data received",
@ -233,4 +233,4 @@
]
}
]
}
}

4
Solutions/Azure Web Application Firewall (WAF)/Data Connectors/template_WAF.JSON
Просмотреть файл

@ -2,7 +2,7 @@
"id": "WAF",
"title": "Azure Web Application Firewall (WAF)",
"publisher": "Microsoft",
"descriptionMarkdown": "Connect to the Azure Web Application Firewall (WAF) for Application Gateway, Front Door, or CDN. This WAF protects your applications from common web vulnerabilities such as SQL injection and cross-site scripting, and lets you customize rules to reduce false positives. Follow these instructions to stream your Microsoft Web application firewall logs into Microsoft Sentinel.",
"descriptionMarkdown": "Connect to the Azure Web Application Firewall (WAF) for Application Gateway, Front Door, or CDN. This WAF protects your applications from common web vulnerabilities such as SQL injection and cross-site scripting, and lets you customize rules to reduce false positives. Follow these instructions to stream your Microsoft Web application firewall logs into Microsoft Sentinel. For more information, see the [Microsoft Sentinel documentation >](https://go.microsoft.com/fwlink/p/?linkid=2223546&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
"logo": "MicrosoftWebApplication.svg",
"graphQueries": [
{
@ -103,4 +103,4 @@
"description": "Inside your WAF resource:\n\n1. Select **Diagnostic logs.**\n2. Select **+ Add diagnostic setting.**\n3. In the **Diagnostic setting** blade:\n - Type a **Name**.\n - Select **Send to Log Analytics**.\n - Choose the log destination workspace.\n - Select the categories that you want to analyze (recommended: ApplicationGatewayAccessLog, ApplicationGatewayFirewallLog, FrontdoorAccessLog, FrontdoorWebApplicationFirewallLog, WebApplicationFirewallLogs).\n - Click **Save**."
}
]
}
}

4
Solutions/Azure kubernetes Service/Data Connectors/AzureKubernetes.JSON
Просмотреть файл

@ -20,7 +20,7 @@
"publisher": "Microsoft",
"logo": "AzureKubernetes.svg",
"lastDataReceivedInfoBalloon": "If no new data has been received in the last 14 days, the connector will display as being \"not connected.\" When the connector will recive data , the \"connected\" status will return.",
"descriptionMarkdown": "Azure Kubernetes Service (AKS) is an open-source, fully-managed container orchestration service that allows you to deploy, scale, and manage Docker containers and container-based applications in a cluster environment. This connector lets you stream your Azure Kubernetes Service (AKS) diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances.",
"descriptionMarkdown": "Azure Kubernetes Service (AKS) is an open-source, fully-managed container orchestration service that allows you to deploy, scale, and manage Docker containers and container-based applications in a cluster environment. This connector lets you stream your Azure Kubernetes Service (AKS) diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances. For more information, see the [Microsoft Sentinel documentation >](https://go.microsoft.com/fwlink/p/?linkid=2219762&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
"graphQueries": [
{
"metricName": "Total data received",
@ -200,4 +200,4 @@
"link": "https://support.microsoft.com/"
}
}
}
}

13
Solutions/Box/Data Connectors/AzureFunctionBox/main.py
Просмотреть файл

@ -5,7 +5,7 @@ import time
from boxsdk.auth.jwt_auth import JWTAuth
from boxsdk import Client
from boxsdk.object.events import Events, EnterpriseEventsStreamType
from boxsdk.util.api_call_decorator import api_call
#from boxsdk.util.api_call_decorator import api_call
from .sentinel_connector import AzureSentinelConnector
from .state_manager import StateManager
from dateutil.parser import parse as parse_date
@ -36,6 +36,7 @@ AZURE_FUNC_MAX_EXECUTION_TIME_MINUTES = 9
def main(mytimer: func.TimerRequest):
logging.getLogger().setLevel(logging.INFO)
start_time = time.time()
config_json = os.environ['BOX_CONFIG_JSON']
config_dict = json.loads(config_json)
@ -53,10 +54,12 @@ def main(mytimer: func.TimerRequest):
sentinel = AzureSentinelConnector(workspace_id=WORKSPACE_ID, logAnalyticsUri = logAnalyticsUri, shared_key=SHARED_KEY, log_type=LOG_TYPE, queue_size=10000)
with sentinel:
logging.getLogger().setLevel(logging.INFO)
last_event_date = None
for events, stream_position in get_events(config_dict, created_after, stream_position=stream_position):
for event in events:
sentinel.send(event)
logging.getLogger().setLevel(logging.INFO)
last_event_date = events[-1]['created_at'] if events else last_event_date
if check_if_time_is_over(start_time, SCRIPT_EXECUTION_INTERVAL_MINUTES, AZURE_FUNC_MAX_EXECUTION_TIME_MINUTES):
logging.info('Stopping script because time for execution is over.')
@ -74,14 +77,17 @@ def main(mytimer: func.TimerRequest):
def get_stream_pos_and_date_from(marker, max_period_minutes, script_execution_interval_minutes):
logging.getLogger().setLevel(logging.INFO)
"""Returns last saved checkpoint. If last checkpoint is older than max_period_minutes - returns now - script_execution_interval_minutes."""
def get_default_date_from(script_execution_interval_minutes):
logging.getLogger().setLevel(logging.INFO)
date_from = datetime.datetime.utcnow() - datetime.timedelta(minutes=script_execution_interval_minutes)
date_from = date_from.replace(tzinfo=datetime.timezone.utc, second=0, microsecond=0).isoformat()
return date_from
def get_token_from_marker(marker, max_period_minutes):
logging.getLogger().setLevel(logging.INFO)
token = 0
try:
last_token, last_event_date = marker.split()
@ -103,6 +109,7 @@ def get_stream_pos_and_date_from(marker, max_period_minutes, script_execution_in
def save_marker(state_manager, stream_position, last_event_date):
logging.getLogger().setLevel(logging.INFO)
logging.info('Saving last stream_position {} and last_event_date {}'.format(stream_position, last_event_date))
state_manager.post(str(stream_position) + ' ' + last_event_date)
@ -110,6 +117,7 @@ def save_marker(state_manager, stream_position, last_event_date):
def check_if_time_is_over(start_time, interval_minutes, max_script_exec_time_minutes):
"""Returns True if function's execution time is less than interval between function executions and
less than max azure func lifetime. In other case returns False."""
logging.getLogger().setLevel(logging.INFO)
max_minutes = min(interval_minutes, max_script_exec_time_minutes)
if max_minutes > 1:
@ -124,7 +132,7 @@ def check_if_time_is_over(start_time, interval_minutes, max_script_exec_time_min
class ExtendedEvents(Events):
@api_call
#@api_call
def get_events(self, stream_position=0, stream_type=EnterpriseEventsStreamType.ADMIN_LOGS, created_after=None, created_before=None, limit=100):
url = self.get_url()
params = {
@ -140,6 +148,7 @@ class ExtendedEvents(Events):
def get_events(config_dict, created_after=None, stream_position=0):
logging.getLogger().setLevel(logging.WARNING)
limit = 500
config = JWTAuth.from_settings_dictionary(config_dict)
client = Client(config)

Двоичные данные
Solutions/Box/Data Connectors/BoxConn.zip
Просмотреть файл

Двоичный файл не отображается.

Двоичные данные
Solutions/Dynatrace/Package/2.0.0.zip
Просмотреть файл

Двоичный файл не отображается.

2
Solutions/Dynatrace/Package/mainTemplate.json
Просмотреть файл

@ -38,7 +38,7 @@
}
},
"variables": {
"solutionId": "dynatrace.",
"solutionId": "dynatrace.dynatrace_azure_sentinel",
"_solutionId": "[variables('solutionId')]",
"email": "microsoftalliances@dynatrace.com",
"_email": "[variables('email')]",

2
Solutions/Dynatrace/SolutionMetadata.json
Просмотреть файл

@ -1,6 +1,6 @@
{
"publisherId": "dynatrace",
"planId": "sentinel-connector",
"offerId": "dynatrace_azure_sentinel",
"firstPublishDate": "2022-10-18",
"providers": ["Dynatrace"],
"categories": {

4
Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Data Connector/template_IoT.JSON
Просмотреть файл

@ -2,7 +2,7 @@
"id": "IoT",
"title": "Microsoft Defender for IoT",
"publisher": "Microsoft",
"descriptionMarkdown": "Gain insights into your IoT security by connecting Microsoft Defender for IoT alerts to Microsoft Sentinel.\nYou can get out-of-the-box alert metrics and data, including alert trends, top alerts, and alert breakdown by severity.\nYou can also get information about the recommendations provided for your IoT hubs including top recommendations and recommendations by severity.",
"descriptionMarkdown": "Gain insights into your IoT security by connecting Microsoft Defender for IoT alerts to Microsoft Sentinel.\nYou can get out-of-the-box alert metrics and data, including alert trends, top alerts, and alert breakdown by severity.\nYou can also get information about the recommendations provided for your IoT hubs including top recommendations and recommendations by severity. For more information, see the [Microsoft Sentinel documentation >](https://go.microsoft.com/fwlink/p/?linkid=2224002&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
"logo": "IoTIcon.svg",
"graphQueries": [
{
@ -102,4 +102,4 @@
]
}
]
}
}

4
Solutions/MicrosoftPurviewInsiderRiskManagement/Data Connectors/template_OfficeIRM.JSON
Просмотреть файл

@ -6,7 +6,7 @@
"type": 258,
"options": null
},
"descriptionMarkdown": "Microsoft 365 Insider Risk Management is a compliance solution in Microsoft 365 that helps minimize internal risks by enabling you to detect, investigate, and act on malicious and inadvertent activities in your organization. Risk analysts in your organization can quickly take appropriate actions to make sure users are compliant with your organization's compliance standards.\n\nInsider risk policies allow you to:\n\n- define the types of risks you want to identify and detect in your organization.\n- decide on what actions to take in response, including escalating cases to Microsoft Advanced eDiscovery if needed.\n\nThis solution produces alerts that can be seen by Office customers in the Insider Risk Management solution in Microsoft 365 Compliance Center.\n[Learn More](https://aka.ms/OfficeIRMConnector) about Insider Risk Management.\n\nThese alerts can be imported into Microsoft Sentinel with this connector, allowing you to see, investigate, and respond to them in a broader organizational threat context.",
"descriptionMarkdown": "Microsoft 365 Insider Risk Management is a compliance solution in Microsoft 365 that helps minimize internal risks by enabling you to detect, investigate, and act on malicious and inadvertent activities in your organization. Risk analysts in your organization can quickly take appropriate actions to make sure users are compliant with your organization's compliance standards.\n\nInsider risk policies allow you to:\n\n- define the types of risks you want to identify and detect in your organization.\n- decide on what actions to take in response, including escalating cases to Microsoft Advanced eDiscovery if needed.\n\nThis solution produces alerts that can be seen by Office customers in the Insider Risk Management solution in Microsoft 365 Compliance Center.\n[Learn More](https://aka.ms/OfficeIRMConnector) about Insider Risk Management.\n\nThese alerts can be imported into Microsoft Sentinel with this connector, allowing you to see, investigate, and respond to them in a broader organizational threat context. For more information, see the [Microsoft Sentinel documentation >](https://go.microsoft.com/fwlink/p/?linkid=2223721&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
"graphQueries": [
{
"metricName": "Total data received",
@ -103,4 +103,4 @@
]
}
]
}
}

12
Solutions/Onapsis Platform/Data Connectors/OnapsisPlatform.json
Просмотреть файл

@ -6,7 +6,7 @@
"publisher": "Onapsis",
"descriptionMarkdown": "The Onapsis Connector allows you to export the alarms triggered in the Onapsis Platform into Azure Sentinel in real-time. This gives you the ability to monitor the activity on your SAP systems, identify incidents and respond to them quickly.",
"descriptionMarkdown": "The Onapsis Connector allows you to export the alarms triggered in the Onapsis Platform into Microsoft Sentinel in real-time. This gives you the ability to monitor the activity on your SAP systems, identify incidents and respond to them quickly.",
"graphQueries": [
@ -130,7 +130,7 @@
"title": "1. Linux Syslog agent configuration",
"description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Azure Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
"description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
"innerSteps": [
@ -138,7 +138,7 @@
"title": "1.1 Select or create a Linux machine",
"description": "Select or create a Linux machine that Azure Sentinel will use as the proxy between your Onapsis Console and Azure Sentinel. This machine can be on your on-prem environment, Azure or other clouds."
"description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your Onapsis Console and Microsoft Sentinel. This machine can be on your on-prem environment, Azure or other clouds."
},
@ -146,7 +146,7 @@
"title": "1.2 Install the CEF collector on the Linux machine",
"description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Azure Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
"description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
"instructions": [
@ -184,7 +184,7 @@
"title": "2. Forward Common Event Format (CEF) logs to Syslog agent",
"description": "Refer to the Onapsis in-product help to set up log forwarding to the Syslog agent.\n\n> 1. Go to Setup > Third-party integrations > Defend Alarms and follow the instructions for Azure Sentinel.\n\n> 2. Make sure your Onapsis Console can reach the proxy machine where the agent is installed - logs should be sent to port 514 using TCP."
"description": "Refer to the Onapsis in-product help to set up log forwarding to the Syslog agent.\n\n> 1. Go to Setup > Third-party integrations > Defend Alarms and follow the instructions for Microsoft Sentinel.\n\n> 2. Make sure your Onapsis Console can reach the proxy machine where the agent is installed - logs should be sent to port 514 using TCP."
},
@ -224,7 +224,7 @@
"title": "4. Create Onapsis lookup function for incident enrichment",
"description": "[Follow these steps to get this Kusto function](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/Onapsis/OnapsisLookup.txt)"
"description": "[Follow these steps to get this Kusto function](https://aka.ms/sentinel-Onapsis-parser)"
},

2
Solutions/Onapsis Platform/Data/Solution_Onapsis.json
Просмотреть файл

@ -13,7 +13,7 @@
"Solutions/Onapsis Platform/Parsers/OnapsisLookup.txt"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel",
"Version": "2.0.0",
"Version": "2.0.1",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": false

Двоичные данные
Solutions/Onapsis Platform/Package/2.0.1.zip Normal file
Просмотреть файл

Двоичный файл не отображается.

46
Solutions/Onapsis Platform/Package/mainTemplate.json
Просмотреть файл

@ -47,12 +47,12 @@
"_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
"dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"_dataConnectorId1": "[variables('dataConnectorId1')]",
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-DataConnector-',variables('_dataConnectorContentId1'))]",
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]",
"dataConnectorVersion1": "1.0.0",
"workbookVersion1": "1.0.0",
"workbookContentId1": "OnapsisAlarmsWorkbook",
"workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
"workbookTemplateSpecName1": "[concat(parameters('workspace'),'-Workbook-',variables('_workbookContentId1'))]",
"workbookTemplateSpecName1": "[concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1')))]",
"_workbookContentId1": "[variables('workbookContentId1')]",
"parserVersion1": "1.0.0",
"parserContentId1": "OnapsisLookup-Parser",
@ -61,7 +61,7 @@
"_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]",
"parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
"_parserId1": "[variables('parserId1')]",
"parserTemplateSpecName1": "[concat(parameters('workspace'),'-Parser-',variables('_parserContentId1'))]"
"parserTemplateSpecName1": "[concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1')))]"
},
"resources": [
{
@ -91,7 +91,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
],
"properties": {
"description": "Onapsis Platform data connector with template version 2.0.0",
"description": "Onapsis Platform data connector with template version 2.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@ -109,7 +109,7 @@
"id": "[variables('_uiConfigId1')]",
"title": "Onapsis Platform",
"publisher": "Onapsis",
"descriptionMarkdown": "The Onapsis Connector allows you to export the alarms triggered in the Onapsis Platform into Azure Sentinel in real-time. This gives you the ability to monitor the activity on your SAP systems, identify incidents and respond to them quickly.",
"descriptionMarkdown": "The Onapsis Connector allows you to export the alarms triggered in the Onapsis Platform into Microsoft Sentinel in real-time. This gives you the ability to monitor the activity on your SAP systems, identify incidents and respond to them quickly.",
"graphQueries": [
{
"metricName": "Total data received",
@ -171,15 +171,15 @@
},
"instructionSteps": [
{
"description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Azure Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
"description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
"innerSteps": [
{
"title": "1.1 Select or create a Linux machine",
"description": "Select or create a Linux machine that Azure Sentinel will use as the proxy between your Onapsis Console and Azure Sentinel. This machine can be on your on-prem environment, Azure or other clouds."
"description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your Onapsis Console and Microsoft Sentinel. This machine can be on your on-prem environment, Azure or other clouds."
},
{
"title": "1.2 Install the CEF collector on the Linux machine",
"description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Azure Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
"description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
"instructions": [
{
"parameters": {
@ -198,7 +198,7 @@
"title": "1. Linux Syslog agent configuration"
},
{
"description": "Refer to the Onapsis in-product help to set up log forwarding to the Syslog agent.\n\n> 1. Go to Setup > Third-party integrations > Defend Alarms and follow the instructions for Azure Sentinel.\n\n> 2. Make sure your Onapsis Console can reach the proxy machine where the agent is installed - logs should be sent to port 514 using TCP.",
"description": "Refer to the Onapsis in-product help to set up log forwarding to the Syslog agent.\n\n> 1. Go to Setup > Third-party integrations > Defend Alarms and follow the instructions for Microsoft Sentinel.\n\n> 2. Make sure your Onapsis Console can reach the proxy machine where the agent is installed - logs should be sent to port 514 using TCP.",
"title": "2. Forward Common Event Format (CEF) logs to Syslog agent"
},
{
@ -218,7 +218,7 @@
"title": "3. Validate connection"
},
{
"description": "[Follow these steps to get this Kusto function](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/Onapsis/OnapsisLookup.txt)",
"description": "[Follow these steps to get this Kusto function](https://aka.ms/sentinel-Onapsis-parser)",
"title": "4. Create Onapsis lookup function for incident enrichment"
},
{
@ -280,6 +280,7 @@
"dependsOn": [
"[variables('_dataConnectorId1')]"
],
"location": "[parameters('workspace-location')]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"contentId": "[variables('_dataConnectorContentId1')]",
@ -310,7 +311,7 @@
"connectorUiConfig": {
"title": "Onapsis Platform",
"publisher": "Onapsis",
"descriptionMarkdown": "The Onapsis Connector allows you to export the alarms triggered in the Onapsis Platform into Azure Sentinel in real-time. This gives you the ability to monitor the activity on your SAP systems, identify incidents and respond to them quickly.",
"descriptionMarkdown": "The Onapsis Connector allows you to export the alarms triggered in the Onapsis Platform into Microsoft Sentinel in real-time. This gives you the ability to monitor the activity on your SAP systems, identify incidents and respond to them quickly.",
"graphQueries": [
{
"metricName": "Total data received",
@ -372,15 +373,15 @@
},
"instructionSteps": [
{
"description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Azure Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
"description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
"innerSteps": [
{
"title": "1.1 Select or create a Linux machine",
"description": "Select or create a Linux machine that Azure Sentinel will use as the proxy between your Onapsis Console and Azure Sentinel. This machine can be on your on-prem environment, Azure or other clouds."
"description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your Onapsis Console and Microsoft Sentinel. This machine can be on your on-prem environment, Azure or other clouds."
},
{
"title": "1.2 Install the CEF collector on the Linux machine",
"description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Azure Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
"description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
"instructions": [
{
"parameters": {
@ -399,7 +400,7 @@
"title": "1. Linux Syslog agent configuration"
},
{
"description": "Refer to the Onapsis in-product help to set up log forwarding to the Syslog agent.\n\n> 1. Go to Setup > Third-party integrations > Defend Alarms and follow the instructions for Azure Sentinel.\n\n> 2. Make sure your Onapsis Console can reach the proxy machine where the agent is installed - logs should be sent to port 514 using TCP.",
"description": "Refer to the Onapsis in-product help to set up log forwarding to the Syslog agent.\n\n> 1. Go to Setup > Third-party integrations > Defend Alarms and follow the instructions for Microsoft Sentinel.\n\n> 2. Make sure your Onapsis Console can reach the proxy machine where the agent is installed - logs should be sent to port 514 using TCP.",
"title": "2. Forward Common Event Format (CEF) logs to Syslog agent"
},
{
@ -419,7 +420,7 @@
"title": "3. Validate connection"
},
{
"description": "[Follow these steps to get this Kusto function](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/Onapsis/OnapsisLookup.txt)",
"description": "[Follow these steps to get this Kusto function](https://aka.ms/sentinel-Onapsis-parser)",
"title": "4. Create Onapsis lookup function for incident enrichment"
},
{
@ -458,7 +459,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]"
],
"properties": {
"description": "OnapsisAlarmsOverviewWorkbook Workbook with template version 2.0.0",
"description": "OnapsisAlarmsOverviewWorkbook Workbook with template version 2.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@ -551,7 +552,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName1'))]"
],
"properties": {
"description": "OnapsisLookup Data Parser with template version 2.0.0",
"description": "OnapsisLookup Data Parser with template version 2.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserVersion1')]",
@ -613,6 +614,7 @@
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "2021-06-01",
"name": "[variables('_parserName1')]",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "OnapsisLookup",
@ -625,6 +627,7 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"location": "[parameters('workspace-location')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
"dependsOn": [
"[variables('_parserId1')]"
@ -652,8 +655,9 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "2.0.0",
"version": "2.0.1",
"kind": "Solution",
"contentSchemaVersion": "2.0.0",
"contentId": "[variables('_solutionId')]",
@ -697,7 +701,7 @@
],
"categories": {
"domains": [
"Security Vulnerability Management"
"Security - Vulnerability Management"
]
}
},
@ -705,4 +709,4 @@
}
],
"outputs": {}
}
}

4
Solutions/ProofPointTap/Analytic Rules/MalwareAttachmentDelivered.yaml
Просмотреть файл

@ -5,7 +5,7 @@ description: |
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: ProofpointTAP
- connectorId: ProofpointTAPNativePoller
dataTypes:
- ProofPointTAPMessagesDelivered_CL
queryFrequency: 1h
@ -34,5 +34,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.1
version: 1.0.2
kind: Scheduled

4
Solutions/ProofPointTap/Analytic Rules/MalwareLinkClicked.yaml
Просмотреть файл

@ -5,7 +5,7 @@ description: |
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: ProofpointTAP
- connectorId: ProofpointTAPNativePoller
dataTypes:
- ProofPointTAPClicksPermitted_CL
queryFrequency: 1h
@ -34,5 +34,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: URLCustomEntity
version: 1.0.1
version: 1.0.2
kind: Scheduled

8
Solutions/ProofPointTap/Data/Solution_ProofTap.json
Просмотреть файл

@ -14,10 +14,10 @@
"Solutions/ProofPointTap/Analytic Rules/MalwareLinkClicked.yaml"
],
"Playbooks": [
"Solutions/ProofPointTap/Playbooks/ProofpointTAPConnector/azuredeploy.json",
"Solutions/ProofPointTap/Playbooks/Get-ProofPointTapEvents/azuredeploy.json",
"Solutions/ProofPointTap/Playbooks/ProofpointTAP-AddForensicsInfoToIncident/azuredeploy.json",
"Solutions/ProofPointTap/Playbooks/ProofpointTAP-CheckAccountInVAP/azuredeploy.json"
"Solutions/ProofPointTap/Playbooks/ProofpointTAPConnector/azuredeploy.json",
"Solutions/ProofPointTap/Playbooks/Get-ProofPointTapEvents/azuredeploy.json",
"Solutions/ProofPointTap/Playbooks/ProofpointTAP-AddForensicsInfoToIncident/azuredeploy.json",
"Solutions/ProofPointTap/Playbooks/ProofpointTAP-CheckAccountInVAP/azuredeploy.json"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel",
"Version": "2.0.1",

Двоичные данные
Solutions/ProofPointTap/Package/2.0.1.zip
Просмотреть файл

Двоичный файл не отображается.

58
Solutions/ProofPointTap/Package/mainTemplate.json
Просмотреть файл

@ -53,12 +53,12 @@
"parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
"_parserId1": "[variables('parserId1')]",
"parserTemplateSpecName1": "[concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1')))]",
"analyticRuleVersion1": "1.0.1",
"analyticRuleVersion1": "1.0.2",
"analyticRulecontentId1": "0558155e-4556-447e-9a22-828f2a7de06b",
"_analyticRulecontentId1": "[variables('analyticRulecontentId1')]",
"analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]",
"analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1')))]",
"analyticRuleVersion2": "1.0.1",
"analyticRuleVersion2": "1.0.2",
"analyticRulecontentId2": "8675dd7a-795e-4d56-a79c-fc848c5ee61c",
"_analyticRulecontentId2": "[variables('analyticRulecontentId2')]",
"analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]",
@ -604,33 +604,36 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "ProofpointTAP",
"dataTypes": [
"ProofPointTAPMessagesDelivered_CL"
]
],
"connectorId": "ProofpointTAPNativePoller"
}
],
"tactics": [
"InitialAccess"
],
"techniques": [
"T1566.001"
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
]
],
"entityType": "Account"
},
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
"columnName": "IPCustomEntity",
"identifier": "Address"
}
]
],
"entityType": "IP"
}
]
}
@ -721,42 +724,45 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "ProofpointTAP",
"dataTypes": [
"ProofPointTAPClicksPermitted_CL"
]
],
"connectorId": "ProofpointTAPNativePoller"
}
],
"tactics": [
"InitialAccess"
],
"techniques": [
"T1566.002"
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
]
],
"entityType": "Account"
},
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
"columnName": "IPCustomEntity",
"identifier": "Address"
}
]
],
"entityType": "IP"
},
{
"entityType": "URL",
"fieldMappings": [
{
"identifier": "Url",
"columnName": "URLCustomEntity"
"columnName": "URLCustomEntity",
"identifier": "Url"
}
]
],
"entityType": "URL"
}
]
}

12
Solutions/SonicWall Firewall/Data Connectors/SonicwallFirewall.JSON
Просмотреть файл

@ -7,34 +7,34 @@
{
"metricName": "Total data received",
"legend": "SonicWall",
"baseQuery": "CommonSecurityLog\n| where DeviceVendor == \"SonicWall\"\n| where DeviceProduct has_any (\"firewall\",\"TZ 670\",\"TZ 600\",\"TZ 600P\",\"NSv 270\",\"TZ 570\",\"TZ 570W\",\"TZ 570P\",\"TZ 500\",\"TZ 500W\",\"TZ 270\",\"TZ 270W\",\"TZ 370W\",\"TZ 470W\",\"TZ 350W\",\"TZ 350\",\"TZ 370\",\"TZ 470\",\"TZ 300W\",\"TZ 300P\",\"TZ 300\",\"TZ 400W\",\"TZ 400\",\"SOHO 250\",\"SOHO 250W\",\"NSa 2700\",\"NSv 470\",\"NSv 870\",\"NSa 3700\",\"NSa 2650\",\"NSa 3650\",\"NSa 4650\",\"NSa 5650\",\"NSa 6650\",\"NSa 9250\",\"NSa 9450\",\"NSa 9650\",\"NSsp 12400\",\"NSsp 12800\",\"NSsp 15700\",\"NSv 10\",\"NSv 25\",\"NSv 50\",\"NSv 100\",\"NSv 200\",\"NSv 300\",\"NSv 400\",\"NSv 800\",\"NSv 1600\")"
"baseQuery": "CommonSecurityLog\n| where DeviceVendor == \"SonicWall\"\n| where DeviceProduct has_any (\"firewall\",\"TZ 670\",\"TZ 600\",\"TZ 600P\",\"NSv 270\",\"TZ 570\",\"TZ 570W\",\"TZ 570P\",\"TZ 500\",\"TZ 500W\",\"TZ 270\",\"TZ 270W\",\"TZ 370W\",\"TZ 470W\",\"TZ 350W\",\"TZ 350\",\"TZ 370\",\"TZ 470\",\"TZ 300W\",\"TZ 300P\",\"TZ 300\",\"TZ 400W\",\"TZ 400\",\"SOHO 250\",\"SOHO 250W\",\"NSa 2700\",\"NSv 470\",\"NSv 870\",\"NSa 3700\",\"NSa 2600\",\"NSa 2650\",\"NSa 3600\",\"NSa 3650\",\"NSa 4650\",\"NSa 5650\",\"NSa 5700\",\"NSa 6650\",\"NSa 9250\",\"NSa 9450\",\"NSa 9650\",\"NSsp 12400\",\"NSsp 12800\",\"NSsp 15700\",\"NSv 10\",\"NSv 25\",\"NSv 50\",\"NSv 100\",\"NSv 200\",\"NSv 300\",\"NSv 400\",\"NSv 800\",\"NSv 1600\")"
}
],
"sampleQueries": [
{
"description" : "All logs",
"query": "\nCommonSecurityLog\n| where DeviceVendor == \"SonicWall\"\n| where DeviceProduct has_any (\"firewall\",\"TZ 670\",\"TZ 600\",\"TZ 600P\",\"NSv 270\",\"TZ 570\",\"TZ 570W\",\"TZ 570P\",\"TZ 500\",\"TZ 500W\",\"TZ 270\",\"TZ 270W\",\"TZ 370W\",\"TZ 470W\",\"TZ 350W\",\"TZ 350\",\"TZ 370\",\"TZ 470\",\"TZ 300W\",\"TZ 300P\",\"TZ 300\",\"TZ 400W\",\"TZ 400\",\"SOHO 250\",\"SOHO 250W\",\"NSa 2700\",\"NSv 470\",\"NSv 870\",\"NSa 3700\",\"NSa 2650\",\"NSa 3600\",\"NSa 3650\",\"NSa 4650\",\"NSa 5650\",\"NSa 6650\",\"NSa 9250\",\"NSa 9450\",\"NSa 9650\",\"NSsp 12400\",\"NSsp 12800\",\"NSsp 15700\",\"NSv 10\",\"NSv 25\",\"NSv 50\",\"NSv 100\",\"NSv 200\",\"NSv 300\",\"NSv 400\",\"NSv 800\",\"NSv 1600\") \n\n | sort by TimeGenerated"
"query": "\nCommonSecurityLog\n| where DeviceVendor == \"SonicWall\"\n| where DeviceProduct has_any (\"firewall\",\"TZ 670\",\"TZ 600\",\"TZ 600P\",\"NSv 270\",\"TZ 570\",\"TZ 570W\",\"TZ 570P\",\"TZ 500\",\"TZ 500W\",\"TZ 270\",\"TZ 270W\",\"TZ 370W\",\"TZ 470W\",\"TZ 350W\",\"TZ 350\",\"TZ 370\",\"TZ 470\",\"TZ 300W\",\"TZ 300P\",\"TZ 300\",\"TZ 400W\",\"TZ 400\",\"SOHO 250\",\"SOHO 250W\",\"NSa 2700\",\"NSv 470\",\"NSv 870\",\"NSa 3700\",\"NSa 2600\",\"NSa 2650\",\"NSa 3600\",\"NSa 3650\",\"NSa 4650\",\"NSa 5650\",\"NSa 5700\",\"NSa 6650\",\"NSa 9250\",\"NSa 9450\",\"NSa 9650\",\"NSsp 12400\",\"NSsp 12800\",\"NSsp 15700\",\"NSv 10\",\"NSv 25\",\"NSv 50\",\"NSv 100\",\"NSv 200\",\"NSv 300\",\"NSv 400\",\"NSv 800\",\"NSv 1600\") \n\n | sort by TimeGenerated"
},
{
"description" : "Summarize by destination IP and port",
"query": "\nCommonSecurityLog\n| where DeviceVendor == \"SonicWall\"\n| where DeviceProduct has_any (\"firewall\",\"TZ 670\",\"TZ 600\",\"TZ 600P\",\"NSv 270\",\"TZ 570\",\"TZ 570W\",\"TZ 570P\",\"TZ 500\",\"TZ 500W\",\"TZ 270\",\"TZ 270W\",\"TZ 370W\",\"TZ 470W\",\"TZ 350W\",\"TZ 350\",\"TZ 370\",\"TZ 470\",\"TZ 300W\",\"TZ 300P\",\"TZ 300\",\"TZ 400W\",\"TZ 400\",\"SOHO 250\",\"SOHO 250W\",\"NSa 2700\",\"NSv 470\",\"NSv 870\",\"NSa 3700\",\"NSa 2650\",\"NSa 3600\",\"NSa 3650\",\"NSa 4650\",\"NSa 5650\",\"NSa 6650\",\"NSa 9250\",\"NSa 9450\",\"NSa 9650\",\"NSsp 12400\",\"NSsp 12800\",\"NSsp 15700\",\"NSv 10\",\"NSv 25\",\"NSv 50\",\"NSv 100\",\"NSv 200\",\"NSv 300\",\"NSv 400\",\"NSv 800\",\"NSv 1600\") \n\n | summarize count() by DestinationIP, DestinationPort, TimeGenerated\n | sort by TimeGenerated"
"query": "\nCommonSecurityLog\n| where DeviceVendor == \"SonicWall\"\n| where DeviceProduct has_any (\"firewall\",\"TZ 670\",\"TZ 600\",\"TZ 600P\",\"NSv 270\",\"TZ 570\",\"TZ 570W\",\"TZ 570P\",\"TZ 500\",\"TZ 500W\",\"TZ 270\",\"TZ 270W\",\"TZ 370W\",\"TZ 470W\",\"TZ 350W\",\"TZ 350\",\"TZ 370\",\"TZ 470\",\"TZ 300W\",\"TZ 300P\",\"TZ 300\",\"TZ 400W\",\"TZ 400\",\"SOHO 250\",\"SOHO 250W\",\"NSa 2700\",\"NSv 470\",\"NSv 870\",\"NSa 3700\",\"NSa 2600\",\"NSa 2650\",\"NSa 3600\",\"NSa 3650\",\"NSa 4650\",\"NSa 5650\",\"NSa 5700\",\"NSa 6650\",\"NSa 9250\",\"NSa 9450\",\"NSa 9650\",\"NSsp 12400\",\"NSsp 12800\",\"NSsp 15700\",\"NSv 10\",\"NSv 25\",\"NSv 50\",\"NSv 100\",\"NSv 200\",\"NSv 300\",\"NSv 400\",\"NSv 800\",\"NSv 1600\") \n\n | summarize count() by DestinationIP, DestinationPort, TimeGenerated\n | sort by TimeGenerated"
},
{
"description": "Show all dropped traffic from the SonicWall Firewall",
"query": "\nCommonSecurityLog\n| where DeviceVendor == \"SonicWall\"\n| where DeviceProduct has_any (\"firewall\",\"TZ 670\",\"TZ 600\",\"TZ 600P\",\"NSv 270\",\"TZ 570\",\"TZ 570W\",\"TZ 570P\",\"TZ 500\",\"TZ 500W\",\"TZ 270\",\"TZ 270W\",\"TZ 370W\",\"TZ 470W\",\"TZ 350W\",\"TZ 350\",\"TZ 370\",\"TZ 470\",\"TZ 300W\",\"TZ 300P\",\"TZ 300\",\"TZ 400W\",\"TZ 400\",\"SOHO 250\",\"SOHO 250W\",\"NSa 2700\",\"NSv 470\",\"NSv 870\",\"NSa 3700\",\"NSa 2650\",\"NSa 3600\",\"NSa 3650\",\"NSa 4650\",\"NSa 5650\",\"NSa 6650\",\"NSa 9250\",\"NSa 9450\",\"NSa 9650\",\"NSsp 12400\",\"NSsp 12800\",\"NSsp 15700\",\"NSv 10\",\"NSv 25\",\"NSv 50\",\"NSv 100\",\"NSv 200\",\"NSv 300\",\"NSv 400\",\"NSv 800\",\"NSv 1600\") \n | where AdditionalExtensions contains \"fw_action='drop'\""
"query": "\nCommonSecurityLog\n| where DeviceVendor == \"SonicWall\"\n| where DeviceProduct has_any (\"firewall\",\"TZ 670\",\"TZ 600\",\"TZ 600P\",\"NSv 270\",\"TZ 570\",\"TZ 570W\",\"TZ 570P\",\"TZ 500\",\"TZ 500W\",\"TZ 270\",\"TZ 270W\",\"TZ 370W\",\"TZ 470W\",\"TZ 350W\",\"TZ 350\",\"TZ 370\",\"TZ 470\",\"TZ 300W\",\"TZ 300P\",\"TZ 300\",\"TZ 400W\",\"TZ 400\",\"SOHO 250\",\"SOHO 250W\",\"NSa 2700\",\"NSv 470\",\"NSv 870\",\"NSa 3700\",\"NSa 2600\",\"NSa 2650\",\"NSa 3600\",\"NSa 3650\",\"NSa 4650\",\"NSa 5650\",\"NSa 5700\",\"NSa 6650\",\"NSa 9250\",\"NSa 9450\",\"NSa 9650\",\"NSsp 12400\",\"NSsp 12800\",\"NSsp 15700\",\"NSv 10\",\"NSv 25\",\"NSv 50\",\"NSv 100\",\"NSv 200\",\"NSv 300\",\"NSv 400\",\"NSv 800\",\"NSv 1600\") \n | where AdditionalExtensions contains \"fw_action='drop'\""
}
],
"dataTypes": [
{
"name": "CommonSecurityLog (SonicWall)",
"lastDataReceivedQuery": "CommonSecurityLog\n| where DeviceVendor == \"SonicWall\"\n| where DeviceProduct has_any (\"firewall\",\"TZ 670\",\"TZ 600\",\"TZ 600P\",\"NSv 270\",\"TZ 570\",\"TZ 570W\",\"TZ 570P\",\"TZ 500\",\"TZ 500W\",\"TZ 270\",\"TZ 270W\",\"TZ 370W\",\"TZ 470W\",\"TZ 350W\",\"TZ 350\",\"TZ 370\",\"TZ 470\",\"TZ 300W\",\"TZ 300P\",\"TZ 300\",\"TZ 400W\",\"TZ 400\",\"SOHO 250\",\"SOHO 250W\",\"NSa 2700\",\"NSv 470\",\"NSv 870\",\"NSa 3700\",\"NSa 2650\",\"NSa 3600\",\"NSa 3650\",\"NSa 4650\",\"NSa 5650\",\"NSa 6650\",\"NSa 9250\",\"NSa 9450\",\"NSa 9650\",\"NSsp 12400\",\"NSsp 12800\",\"NSsp 15700\",\"NSv 10\",\"NSv 25\",\"NSv 50\",\"NSv 100\",\"NSv 200\",\"NSv 300\",\"NSv 400\",\"NSv 800\",\"NSv 1600\") \n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
"lastDataReceivedQuery": "CommonSecurityLog\n| where DeviceVendor == \"SonicWall\"\n| where DeviceProduct has_any (\"firewall\",\"TZ 670\",\"TZ 600\",\"TZ 600P\",\"NSv 270\",\"TZ 570\",\"TZ 570W\",\"TZ 570P\",\"TZ 500\",\"TZ 500W\",\"TZ 270\",\"TZ 270W\",\"TZ 370W\",\"TZ 470W\",\"TZ 350W\",\"TZ 350\",\"TZ 370\",\"TZ 470\",\"TZ 300W\",\"TZ 300P\",\"TZ 300\",\"TZ 400W\",\"TZ 400\",\"SOHO 250\",\"SOHO 250W\",\"NSa 2700\",\"NSv 470\",\"NSv 870\",\"NSa 3700\",\"NSa 2600\",\"NSa 2650\",\"NSa 3600\",\"NSa 3650\",\"NSa 4650\",\"NSa 5650\",\"NSa 5700\",\"NSa 6650\",\"NSa 9250\",\"NSa 9450\",\"NSa 9650\",\"NSsp 12400\",\"NSsp 12800\",\"NSsp 15700\",\"NSv 10\",\"NSv 25\",\"NSv 50\",\"NSv 100\",\"NSv 200\",\"NSv 300\",\"NSv 400\",\"NSv 800\",\"NSv 1600\") \n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"CommonSecurityLog\n| where DeviceVendor == \"SonicWall\"\n| where DeviceProduct has_any (\"firewall\",\"TZ 670\",\"TZ 600\",\"TZ 600P\",\"NSv 270\",\"TZ 570\",\"TZ 570W\",\"TZ 570P\",\"TZ 500\",\"TZ 500W\",\"TZ 270\",\"TZ 270W\",\"TZ 370W\",\"TZ 470W\",\"TZ 350W\",\"TZ 350\",\"TZ 370\",\"TZ 470\",\"TZ 300W\",\"TZ 300P\",\"TZ 300\",\"TZ 400W\",\"TZ 400\",\"SOHO 250\",\"SOHO 250W\",\"NSa 2700\",\"NSv 470\",\"NSv 870\",\"NSa 3700\",\"NSa 2650\",\"NSa 3600\",\"NSa 3650\",\"NSa 4650\",\"NSa 5650\",\"NSa 6650\",\"NSa 9250\",\"NSa 9450\",\"NSa 9650\",\"NSsp 12400\",\"NSsp 12800\",\"NSsp 15700\",\"NSv 10\",\"NSv 25\",\"NSv 50\",\"NSv 100\",\"NSv 200\",\"NSv 300\",\"NSv 400\",\"NSv 800\",\"NSv 1600\") \n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)"
"CommonSecurityLog\n| where DeviceVendor == \"SonicWall\"\n| where DeviceProduct has_any (\"firewall\",\"TZ 670\",\"TZ 600\",\"TZ 600P\",\"NSv 270\",\"TZ 570\",\"TZ 570W\",\"TZ 570P\",\"TZ 500\",\"TZ 500W\",\"TZ 270\",\"TZ 270W\",\"TZ 370W\",\"TZ 470W\",\"TZ 350W\",\"TZ 350\",\"TZ 370\",\"TZ 470\",\"TZ 300W\",\"TZ 300P\",\"TZ 300\",\"TZ 400W\",\"TZ 400\",\"SOHO 250\",\"SOHO 250W\",\"NSa 2700\",\"NSv 470\",\"NSv 870\",\"NSa 3700\",\"NSa 2600\",\"NSa 2650\",\"NSa 3600\",\"NSa 3650\",\"NSa 4650\",\"NSa 5650\",\"NSa 5700\",\"NSa 6650\",\"NSa 9250\",\"NSa 9450\",\"NSa 9650\",\"NSsp 12400\",\"NSsp 12800\",\"NSsp 15700\",\"NSv 10\",\"NSv 25\",\"NSv 50\",\"NSv 100\",\"NSv 200\",\"NSv 300\",\"NSv 400\",\"NSv 800\",\"NSv 1600\") \n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)"
]
}
],

4
Solutions/SonicWall Firewall/Data/Solution_ SonicWall Firewall.json
Просмотреть файл

@ -7,8 +7,8 @@
"Data Connectors/SonicwallFirewall.JSON"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\azure\\Solutions\\SonicWall Firewall",
"Version": "2.0.4",
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\SonicWall Firewall",
"Version": "2.0.5",
"TemplateSpec": true,
"Is1PConnector": false
}

Двоичные данные
Solutions/SonicWall Firewall/Package/2.0.5.zip Normal file
Просмотреть файл

Двоичный файл не отображается.

28
Solutions/SonicWall Firewall/Package/mainTemplate.json
Просмотреть файл

@ -70,7 +70,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
],
"properties": {
"description": "SonicWall Firewall data connector with template version 2.0.4",
"description": "SonicWall Firewall data connector with template version 2.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@ -93,34 +93,34 @@
{
"metricName": "Total data received",
"legend": "SonicWall",
"baseQuery": "CommonSecurityLog\n| where DeviceVendor == \"SonicWall\"\n| where DeviceProduct has_any (\"firewall\",\"TZ 670\",\"TZ 600\",\"TZ 600P\",\"NSv 270\",\"TZ 570\",\"TZ 570W\",\"TZ 570P\",\"TZ 500\",\"TZ 500W\",\"TZ 270\",\"TZ 270W\",\"TZ 370W\",\"TZ 470W\",\"TZ 350W\",\"TZ 350\",\"TZ 370\",\"TZ 470\",\"TZ 300W\",\"TZ 300P\",\"TZ 300\",\"TZ 400W\",\"TZ 400\",\"SOHO 250\",\"SOHO 250W\",\"NSa 2700\",\"NSv 470\",\"NSv 870\",\"NSa 3700\",\"NSa 2650\",\"NSa 3650\",\"NSa 4650\",\"NSa 5650\",\"NSa 6650\",\"NSa 9250\",\"NSa 9450\",\"NSa 9650\",\"NSsp 12400\",\"NSsp 12800\",\"NSsp 15700\",\"NSv 10\",\"NSv 25\",\"NSv 50\",\"NSv 100\",\"NSv 200\",\"NSv 300\",\"NSv 400\",\"NSv 800\",\"NSv 1600\")"
"baseQuery": "CommonSecurityLog\n| where DeviceVendor == \"SonicWall\"\n| where DeviceProduct has_any (\"firewall\",\"TZ 670\",\"TZ 600\",\"TZ 600P\",\"NSv 270\",\"TZ 570\",\"TZ 570W\",\"TZ 570P\",\"TZ 500\",\"TZ 500W\",\"TZ 270\",\"TZ 270W\",\"TZ 370W\",\"TZ 470W\",\"TZ 350W\",\"TZ 350\",\"TZ 370\",\"TZ 470\",\"TZ 300W\",\"TZ 300P\",\"TZ 300\",\"TZ 400W\",\"TZ 400\",\"SOHO 250\",\"SOHO 250W\",\"NSa 2700\",\"NSv 470\",\"NSv 870\",\"NSa 3700\",\"NSa 2600\",\"NSa 2650\",\"NSa 3600\",\"NSa 3650\",\"NSa 4650\",\"NSa 5650\",\"NSa 5700\",\"NSa 6650\",\"NSa 9250\",\"NSa 9450\",\"NSa 9650\",\"NSsp 12400\",\"NSsp 12800\",\"NSsp 15700\",\"NSv 10\",\"NSv 25\",\"NSv 50\",\"NSv 100\",\"NSv 200\",\"NSv 300\",\"NSv 400\",\"NSv 800\",\"NSv 1600\")"
}
],
"sampleQueries": [
{
"description": "All logs",
"query": "\nCommonSecurityLog\n| where DeviceVendor == \"SonicWall\"\n| where DeviceProduct has_any (\"firewall\",\"TZ 670\",\"TZ 600\",\"TZ 600P\",\"NSv 270\",\"TZ 570\",\"TZ 570W\",\"TZ 570P\",\"TZ 500\",\"TZ 500W\",\"TZ 270\",\"TZ 270W\",\"TZ 370W\",\"TZ 470W\",\"TZ 350W\",\"TZ 350\",\"TZ 370\",\"TZ 470\",\"TZ 300W\",\"TZ 300P\",\"TZ 300\",\"TZ 400W\",\"TZ 400\",\"SOHO 250\",\"SOHO 250W\",\"NSa 2700\",\"NSv 470\",\"NSv 870\",\"NSa 3700\",\"NSa 2650\",\"NSa 3600\",\"NSa 3650\",\"NSa 4650\",\"NSa 5650\",\"NSa 6650\",\"NSa 9250\",\"NSa 9450\",\"NSa 9650\",\"NSsp 12400\",\"NSsp 12800\",\"NSsp 15700\",\"NSv 10\",\"NSv 25\",\"NSv 50\",\"NSv 100\",\"NSv 200\",\"NSv 300\",\"NSv 400\",\"NSv 800\",\"NSv 1600\") \n\n | sort by TimeGenerated"
"query": "\nCommonSecurityLog\n| where DeviceVendor == \"SonicWall\"\n| where DeviceProduct has_any (\"firewall\",\"TZ 670\",\"TZ 600\",\"TZ 600P\",\"NSv 270\",\"TZ 570\",\"TZ 570W\",\"TZ 570P\",\"TZ 500\",\"TZ 500W\",\"TZ 270\",\"TZ 270W\",\"TZ 370W\",\"TZ 470W\",\"TZ 350W\",\"TZ 350\",\"TZ 370\",\"TZ 470\",\"TZ 300W\",\"TZ 300P\",\"TZ 300\",\"TZ 400W\",\"TZ 400\",\"SOHO 250\",\"SOHO 250W\",\"NSa 2700\",\"NSv 470\",\"NSv 870\",\"NSa 3700\",\"NSa 2600\",\"NSa 2650\",\"NSa 3600\",\"NSa 3650\",\"NSa 4650\",\"NSa 5650\",\"NSa 5700\",\"NSa 6650\",\"NSa 9250\",\"NSa 9450\",\"NSa 9650\",\"NSsp 12400\",\"NSsp 12800\",\"NSsp 15700\",\"NSv 10\",\"NSv 25\",\"NSv 50\",\"NSv 100\",\"NSv 200\",\"NSv 300\",\"NSv 400\",\"NSv 800\",\"NSv 1600\") \n\n | sort by TimeGenerated"
},
{
"description": "Summarize by destination IP and port",
"query": "\nCommonSecurityLog\n| where DeviceVendor == \"SonicWall\"\n| where DeviceProduct has_any (\"firewall\",\"TZ 670\",\"TZ 600\",\"TZ 600P\",\"NSv 270\",\"TZ 570\",\"TZ 570W\",\"TZ 570P\",\"TZ 500\",\"TZ 500W\",\"TZ 270\",\"TZ 270W\",\"TZ 370W\",\"TZ 470W\",\"TZ 350W\",\"TZ 350\",\"TZ 370\",\"TZ 470\",\"TZ 300W\",\"TZ 300P\",\"TZ 300\",\"TZ 400W\",\"TZ 400\",\"SOHO 250\",\"SOHO 250W\",\"NSa 2700\",\"NSv 470\",\"NSv 870\",\"NSa 3700\",\"NSa 2650\",\"NSa 3600\",\"NSa 3650\",\"NSa 4650\",\"NSa 5650\",\"NSa 6650\",\"NSa 9250\",\"NSa 9450\",\"NSa 9650\",\"NSsp 12400\",\"NSsp 12800\",\"NSsp 15700\",\"NSv 10\",\"NSv 25\",\"NSv 50\",\"NSv 100\",\"NSv 200\",\"NSv 300\",\"NSv 400\",\"NSv 800\",\"NSv 1600\") \n\n | summarize count() by DestinationIP, DestinationPort, TimeGenerated\n | sort by TimeGenerated"
"query": "\nCommonSecurityLog\n| where DeviceVendor == \"SonicWall\"\n| where DeviceProduct has_any (\"firewall\",\"TZ 670\",\"TZ 600\",\"TZ 600P\",\"NSv 270\",\"TZ 570\",\"TZ 570W\",\"TZ 570P\",\"TZ 500\",\"TZ 500W\",\"TZ 270\",\"TZ 270W\",\"TZ 370W\",\"TZ 470W\",\"TZ 350W\",\"TZ 350\",\"TZ 370\",\"TZ 470\",\"TZ 300W\",\"TZ 300P\",\"TZ 300\",\"TZ 400W\",\"TZ 400\",\"SOHO 250\",\"SOHO 250W\",\"NSa 2700\",\"NSv 470\",\"NSv 870\",\"NSa 3700\",\"NSa 2600\",\"NSa 2650\",\"NSa 3600\",\"NSa 3650\",\"NSa 4650\",\"NSa 5650\",\"NSa 5700\",\"NSa 6650\",\"NSa 9250\",\"NSa 9450\",\"NSa 9650\",\"NSsp 12400\",\"NSsp 12800\",\"NSsp 15700\",\"NSv 10\",\"NSv 25\",\"NSv 50\",\"NSv 100\",\"NSv 200\",\"NSv 300\",\"NSv 400\",\"NSv 800\",\"NSv 1600\") \n\n | summarize count() by DestinationIP, DestinationPort, TimeGenerated\n | sort by TimeGenerated"
},
{
"description": "Show all dropped traffic from the SonicWall Firewall",
"query": "\nCommonSecurityLog\n| where DeviceVendor == \"SonicWall\"\n| where DeviceProduct has_any (\"firewall\",\"TZ 670\",\"TZ 600\",\"TZ 600P\",\"NSv 270\",\"TZ 570\",\"TZ 570W\",\"TZ 570P\",\"TZ 500\",\"TZ 500W\",\"TZ 270\",\"TZ 270W\",\"TZ 370W\",\"TZ 470W\",\"TZ 350W\",\"TZ 350\",\"TZ 370\",\"TZ 470\",\"TZ 300W\",\"TZ 300P\",\"TZ 300\",\"TZ 400W\",\"TZ 400\",\"SOHO 250\",\"SOHO 250W\",\"NSa 2700\",\"NSv 470\",\"NSv 870\",\"NSa 3700\",\"NSa 2650\",\"NSa 3600\",\"NSa 3650\",\"NSa 4650\",\"NSa 5650\",\"NSa 6650\",\"NSa 9250\",\"NSa 9450\",\"NSa 9650\",\"NSsp 12400\",\"NSsp 12800\",\"NSsp 15700\",\"NSv 10\",\"NSv 25\",\"NSv 50\",\"NSv 100\",\"NSv 200\",\"NSv 300\",\"NSv 400\",\"NSv 800\",\"NSv 1600\") \n | where AdditionalExtensions contains \"fw_action='drop'\""
"query": "\nCommonSecurityLog\n| where DeviceVendor == \"SonicWall\"\n| where DeviceProduct has_any (\"firewall\",\"TZ 670\",\"TZ 600\",\"TZ 600P\",\"NSv 270\",\"TZ 570\",\"TZ 570W\",\"TZ 570P\",\"TZ 500\",\"TZ 500W\",\"TZ 270\",\"TZ 270W\",\"TZ 370W\",\"TZ 470W\",\"TZ 350W\",\"TZ 350\",\"TZ 370\",\"TZ 470\",\"TZ 300W\",\"TZ 300P\",\"TZ 300\",\"TZ 400W\",\"TZ 400\",\"SOHO 250\",\"SOHO 250W\",\"NSa 2700\",\"NSv 470\",\"NSv 870\",\"NSa 3700\",\"NSa 2600\",\"NSa 2650\",\"NSa 3600\",\"NSa 3650\",\"NSa 4650\",\"NSa 5650\",\"NSa 5700\",\"NSa 6650\",\"NSa 9250\",\"NSa 9450\",\"NSa 9650\",\"NSsp 12400\",\"NSsp 12800\",\"NSsp 15700\",\"NSv 10\",\"NSv 25\",\"NSv 50\",\"NSv 100\",\"NSv 200\",\"NSv 300\",\"NSv 400\",\"NSv 800\",\"NSv 1600\") \n | where AdditionalExtensions contains \"fw_action='drop'\""
}
],
"dataTypes": [
{
"name": "CommonSecurityLog (SonicWall)",
"lastDataReceivedQuery": "CommonSecurityLog\n| where DeviceVendor == \"SonicWall\"\n| where DeviceProduct has_any (\"firewall\",\"TZ 670\",\"TZ 600\",\"TZ 600P\",\"NSv 270\",\"TZ 570\",\"TZ 570W\",\"TZ 570P\",\"TZ 500\",\"TZ 500W\",\"TZ 270\",\"TZ 270W\",\"TZ 370W\",\"TZ 470W\",\"TZ 350W\",\"TZ 350\",\"TZ 370\",\"TZ 470\",\"TZ 300W\",\"TZ 300P\",\"TZ 300\",\"TZ 400W\",\"TZ 400\",\"SOHO 250\",\"SOHO 250W\",\"NSa 2700\",\"NSv 470\",\"NSv 870\",\"NSa 3700\",\"NSa 2650\",\"NSa 3600\",\"NSa 3650\",\"NSa 4650\",\"NSa 5650\",\"NSa 6650\",\"NSa 9250\",\"NSa 9450\",\"NSa 9650\",\"NSsp 12400\",\"NSsp 12800\",\"NSsp 15700\",\"NSv 10\",\"NSv 25\",\"NSv 50\",\"NSv 100\",\"NSv 200\",\"NSv 300\",\"NSv 400\",\"NSv 800\",\"NSv 1600\") \n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
"lastDataReceivedQuery": "CommonSecurityLog\n| where DeviceVendor == \"SonicWall\"\n| where DeviceProduct has_any (\"firewall\",\"TZ 670\",\"TZ 600\",\"TZ 600P\",\"NSv 270\",\"TZ 570\",\"TZ 570W\",\"TZ 570P\",\"TZ 500\",\"TZ 500W\",\"TZ 270\",\"TZ 270W\",\"TZ 370W\",\"TZ 470W\",\"TZ 350W\",\"TZ 350\",\"TZ 370\",\"TZ 470\",\"TZ 300W\",\"TZ 300P\",\"TZ 300\",\"TZ 400W\",\"TZ 400\",\"SOHO 250\",\"SOHO 250W\",\"NSa 2700\",\"NSv 470\",\"NSv 870\",\"NSa 3700\",\"NSa 2600\",\"NSa 2650\",\"NSa 3600\",\"NSa 3650\",\"NSa 4650\",\"NSa 5650\",\"NSa 5700\",\"NSa 6650\",\"NSa 9250\",\"NSa 9450\",\"NSa 9650\",\"NSsp 12400\",\"NSsp 12800\",\"NSsp 15700\",\"NSv 10\",\"NSv 25\",\"NSv 50\",\"NSv 100\",\"NSv 200\",\"NSv 300\",\"NSv 400\",\"NSv 800\",\"NSv 1600\") \n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"CommonSecurityLog\n| where DeviceVendor == \"SonicWall\"\n| where DeviceProduct has_any (\"firewall\",\"TZ 670\",\"TZ 600\",\"TZ 600P\",\"NSv 270\",\"TZ 570\",\"TZ 570W\",\"TZ 570P\",\"TZ 500\",\"TZ 500W\",\"TZ 270\",\"TZ 270W\",\"TZ 370W\",\"TZ 470W\",\"TZ 350W\",\"TZ 350\",\"TZ 370\",\"TZ 470\",\"TZ 300W\",\"TZ 300P\",\"TZ 300\",\"TZ 400W\",\"TZ 400\",\"SOHO 250\",\"SOHO 250W\",\"NSa 2700\",\"NSv 470\",\"NSv 870\",\"NSa 3700\",\"NSa 2650\",\"NSa 3600\",\"NSa 3650\",\"NSa 4650\",\"NSa 5650\",\"NSa 6650\",\"NSa 9250\",\"NSa 9450\",\"NSa 9650\",\"NSsp 12400\",\"NSsp 12800\",\"NSsp 15700\",\"NSv 10\",\"NSv 25\",\"NSv 50\",\"NSv 100\",\"NSv 200\",\"NSv 300\",\"NSv 400\",\"NSv 800\",\"NSv 1600\") \n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)"
"CommonSecurityLog\n| where DeviceVendor == \"SonicWall\"\n| where DeviceProduct has_any (\"firewall\",\"TZ 670\",\"TZ 600\",\"TZ 600P\",\"NSv 270\",\"TZ 570\",\"TZ 570W\",\"TZ 570P\",\"TZ 500\",\"TZ 500W\",\"TZ 270\",\"TZ 270W\",\"TZ 370W\",\"TZ 470W\",\"TZ 350W\",\"TZ 350\",\"TZ 370\",\"TZ 470\",\"TZ 300W\",\"TZ 300P\",\"TZ 300\",\"TZ 400W\",\"TZ 400\",\"SOHO 250\",\"SOHO 250W\",\"NSa 2700\",\"NSv 470\",\"NSv 870\",\"NSa 3700\",\"NSa 2600\",\"NSa 2650\",\"NSa 3600\",\"NSa 3650\",\"NSa 4650\",\"NSa 5650\",\"NSa 5700\",\"NSa 6650\",\"NSa 9250\",\"NSa 9450\",\"NSa 9650\",\"NSsp 12400\",\"NSsp 12800\",\"NSsp 15700\",\"NSv 10\",\"NSv 25\",\"NSv 50\",\"NSv 100\",\"NSv 200\",\"NSv 300\",\"NSv 400\",\"NSv 800\",\"NSv 1600\") \n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)"
]
}
],
@ -295,35 +295,35 @@
{
"metricName": "Total data received",
"legend": "SonicWall",
"baseQuery": "CommonSecurityLog\n| where DeviceVendor == \"SonicWall\"\n| where DeviceProduct has_any (\"firewall\",\"TZ 670\",\"TZ 600\",\"TZ 600P\",\"NSv 270\",\"TZ 570\",\"TZ 570W\",\"TZ 570P\",\"TZ 500\",\"TZ 500W\",\"TZ 270\",\"TZ 270W\",\"TZ 370W\",\"TZ 470W\",\"TZ 350W\",\"TZ 350\",\"TZ 370\",\"TZ 470\",\"TZ 300W\",\"TZ 300P\",\"TZ 300\",\"TZ 400W\",\"TZ 400\",\"SOHO 250\",\"SOHO 250W\",\"NSa 2700\",\"NSv 470\",\"NSv 870\",\"NSa 3700\",\"NSa 2650\",\"NSa 3650\",\"NSa 4650\",\"NSa 5650\",\"NSa 6650\",\"NSa 9250\",\"NSa 9450\",\"NSa 9650\",\"NSsp 12400\",\"NSsp 12800\",\"NSsp 15700\",\"NSv 10\",\"NSv 25\",\"NSv 50\",\"NSv 100\",\"NSv 200\",\"NSv 300\",\"NSv 400\",\"NSv 800\",\"NSv 1600\")"
"baseQuery": "CommonSecurityLog\n| where DeviceVendor == \"SonicWall\"\n| where DeviceProduct has_any (\"firewall\",\"TZ 670\",\"TZ 600\",\"TZ 600P\",\"NSv 270\",\"TZ 570\",\"TZ 570W\",\"TZ 570P\",\"TZ 500\",\"TZ 500W\",\"TZ 270\",\"TZ 270W\",\"TZ 370W\",\"TZ 470W\",\"TZ 350W\",\"TZ 350\",\"TZ 370\",\"TZ 470\",\"TZ 300W\",\"TZ 300P\",\"TZ 300\",\"TZ 400W\",\"TZ 400\",\"SOHO 250\",\"SOHO 250W\",\"NSa 2700\",\"NSv 470\",\"NSv 870\",\"NSa 3700\",\"NSa 2600\",\"NSa 2650\",\"NSa 3600\",\"NSa 3650\",\"NSa 4650\",\"NSa 5650\",\"NSa 5700\",\"NSa 6650\",\"NSa 9250\",\"NSa 9450\",\"NSa 9650\",\"NSsp 12400\",\"NSsp 12800\",\"NSsp 15700\",\"NSv 10\",\"NSv 25\",\"NSv 50\",\"NSv 100\",\"NSv 200\",\"NSv 300\",\"NSv 400\",\"NSv 800\",\"NSv 1600\")"
}
],
"dataTypes": [
{
"name": "CommonSecurityLog (SonicWall)",
"lastDataReceivedQuery": "CommonSecurityLog\n| where DeviceVendor == \"SonicWall\"\n| where DeviceProduct has_any (\"firewall\",\"TZ 670\",\"TZ 600\",\"TZ 600P\",\"NSv 270\",\"TZ 570\",\"TZ 570W\",\"TZ 570P\",\"TZ 500\",\"TZ 500W\",\"TZ 270\",\"TZ 270W\",\"TZ 370W\",\"TZ 470W\",\"TZ 350W\",\"TZ 350\",\"TZ 370\",\"TZ 470\",\"TZ 300W\",\"TZ 300P\",\"TZ 300\",\"TZ 400W\",\"TZ 400\",\"SOHO 250\",\"SOHO 250W\",\"NSa 2700\",\"NSv 470\",\"NSv 870\",\"NSa 3700\",\"NSa 2650\",\"NSa 3600\",\"NSa 3650\",\"NSa 4650\",\"NSa 5650\",\"NSa 6650\",\"NSa 9250\",\"NSa 9450\",\"NSa 9650\",\"NSsp 12400\",\"NSsp 12800\",\"NSsp 15700\",\"NSv 10\",\"NSv 25\",\"NSv 50\",\"NSv 100\",\"NSv 200\",\"NSv 300\",\"NSv 400\",\"NSv 800\",\"NSv 1600\") \n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
"lastDataReceivedQuery": "CommonSecurityLog\n| where DeviceVendor == \"SonicWall\"\n| where DeviceProduct has_any (\"firewall\",\"TZ 670\",\"TZ 600\",\"TZ 600P\",\"NSv 270\",\"TZ 570\",\"TZ 570W\",\"TZ 570P\",\"TZ 500\",\"TZ 500W\",\"TZ 270\",\"TZ 270W\",\"TZ 370W\",\"TZ 470W\",\"TZ 350W\",\"TZ 350\",\"TZ 370\",\"TZ 470\",\"TZ 300W\",\"TZ 300P\",\"TZ 300\",\"TZ 400W\",\"TZ 400\",\"SOHO 250\",\"SOHO 250W\",\"NSa 2700\",\"NSv 470\",\"NSv 870\",\"NSa 3700\",\"NSa 2600\",\"NSa 2650\",\"NSa 3600\",\"NSa 3650\",\"NSa 4650\",\"NSa 5650\",\"NSa 5700\",\"NSa 6650\",\"NSa 9250\",\"NSa 9450\",\"NSa 9650\",\"NSsp 12400\",\"NSsp 12800\",\"NSsp 15700\",\"NSv 10\",\"NSv 25\",\"NSv 50\",\"NSv 100\",\"NSv 200\",\"NSv 300\",\"NSv 400\",\"NSv 800\",\"NSv 1600\") \n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"CommonSecurityLog\n| where DeviceVendor == \"SonicWall\"\n| where DeviceProduct has_any (\"firewall\",\"TZ 670\",\"TZ 600\",\"TZ 600P\",\"NSv 270\",\"TZ 570\",\"TZ 570W\",\"TZ 570P\",\"TZ 500\",\"TZ 500W\",\"TZ 270\",\"TZ 270W\",\"TZ 370W\",\"TZ 470W\",\"TZ 350W\",\"TZ 350\",\"TZ 370\",\"TZ 470\",\"TZ 300W\",\"TZ 300P\",\"TZ 300\",\"TZ 400W\",\"TZ 400\",\"SOHO 250\",\"SOHO 250W\",\"NSa 2700\",\"NSv 470\",\"NSv 870\",\"NSa 3700\",\"NSa 2650\",\"NSa 3600\",\"NSa 3650\",\"NSa 4650\",\"NSa 5650\",\"NSa 6650\",\"NSa 9250\",\"NSa 9450\",\"NSa 9650\",\"NSsp 12400\",\"NSsp 12800\",\"NSsp 15700\",\"NSv 10\",\"NSv 25\",\"NSv 50\",\"NSv 100\",\"NSv 200\",\"NSv 300\",\"NSv 400\",\"NSv 800\",\"NSv 1600\") \n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)"
"CommonSecurityLog\n| where DeviceVendor == \"SonicWall\"\n| where DeviceProduct has_any (\"firewall\",\"TZ 670\",\"TZ 600\",\"TZ 600P\",\"NSv 270\",\"TZ 570\",\"TZ 570W\",\"TZ 570P\",\"TZ 500\",\"TZ 500W\",\"TZ 270\",\"TZ 270W\",\"TZ 370W\",\"TZ 470W\",\"TZ 350W\",\"TZ 350\",\"TZ 370\",\"TZ 470\",\"TZ 300W\",\"TZ 300P\",\"TZ 300\",\"TZ 400W\",\"TZ 400\",\"SOHO 250\",\"SOHO 250W\",\"NSa 2700\",\"NSv 470\",\"NSv 870\",\"NSa 3700\",\"NSa 2600\",\"NSa 2650\",\"NSa 3600\",\"NSa 3650\",\"NSa 4650\",\"NSa 5650\",\"NSa 5700\",\"NSa 6650\",\"NSa 9250\",\"NSa 9450\",\"NSa 9650\",\"NSsp 12400\",\"NSsp 12800\",\"NSsp 15700\",\"NSv 10\",\"NSv 25\",\"NSv 50\",\"NSv 100\",\"NSv 200\",\"NSv 300\",\"NSv 400\",\"NSv 800\",\"NSv 1600\") \n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"sampleQueries": [
{
"description": "All logs",
"query": "\nCommonSecurityLog\n| where DeviceVendor == \"SonicWall\"\n| where DeviceProduct has_any (\"firewall\",\"TZ 670\",\"TZ 600\",\"TZ 600P\",\"NSv 270\",\"TZ 570\",\"TZ 570W\",\"TZ 570P\",\"TZ 500\",\"TZ 500W\",\"TZ 270\",\"TZ 270W\",\"TZ 370W\",\"TZ 470W\",\"TZ 350W\",\"TZ 350\",\"TZ 370\",\"TZ 470\",\"TZ 300W\",\"TZ 300P\",\"TZ 300\",\"TZ 400W\",\"TZ 400\",\"SOHO 250\",\"SOHO 250W\",\"NSa 2700\",\"NSv 470\",\"NSv 870\",\"NSa 3700\",\"NSa 2650\",\"NSa 3600\",\"NSa 3650\",\"NSa 4650\",\"NSa 5650\",\"NSa 6650\",\"NSa 9250\",\"NSa 9450\",\"NSa 9650\",\"NSsp 12400\",\"NSsp 12800\",\"NSsp 15700\",\"NSv 10\",\"NSv 25\",\"NSv 50\",\"NSv 100\",\"NSv 200\",\"NSv 300\",\"NSv 400\",\"NSv 800\",\"NSv 1600\") \n\n | sort by TimeGenerated"
"query": "\nCommonSecurityLog\n| where DeviceVendor == \"SonicWall\"\n| where DeviceProduct has_any (\"firewall\",\"TZ 670\",\"TZ 600\",\"TZ 600P\",\"NSv 270\",\"TZ 570\",\"TZ 570W\",\"TZ 570P\",\"TZ 500\",\"TZ 500W\",\"TZ 270\",\"TZ 270W\",\"TZ 370W\",\"TZ 470W\",\"TZ 350W\",\"TZ 350\",\"TZ 370\",\"TZ 470\",\"TZ 300W\",\"TZ 300P\",\"TZ 300\",\"TZ 400W\",\"TZ 400\",\"SOHO 250\",\"SOHO 250W\",\"NSa 2700\",\"NSv 470\",\"NSv 870\",\"NSa 3700\",\"NSa 2600\",\"NSa 2650\",\"NSa 3600\",\"NSa 3650\",\"NSa 4650\",\"NSa 5650\",\"NSa 5700\",\"NSa 6650\",\"NSa 9250\",\"NSa 9450\",\"NSa 9650\",\"NSsp 12400\",\"NSsp 12800\",\"NSsp 15700\",\"NSv 10\",\"NSv 25\",\"NSv 50\",\"NSv 100\",\"NSv 200\",\"NSv 300\",\"NSv 400\",\"NSv 800\",\"NSv 1600\") \n\n | sort by TimeGenerated"
},
{
"description": "Summarize by destination IP and port",
"query": "\nCommonSecurityLog\n| where DeviceVendor == \"SonicWall\"\n| where DeviceProduct has_any (\"firewall\",\"TZ 670\",\"TZ 600\",\"TZ 600P\",\"NSv 270\",\"TZ 570\",\"TZ 570W\",\"TZ 570P\",\"TZ 500\",\"TZ 500W\",\"TZ 270\",\"TZ 270W\",\"TZ 370W\",\"TZ 470W\",\"TZ 350W\",\"TZ 350\",\"TZ 370\",\"TZ 470\",\"TZ 300W\",\"TZ 300P\",\"TZ 300\",\"TZ 400W\",\"TZ 400\",\"SOHO 250\",\"SOHO 250W\",\"NSa 2700\",\"NSv 470\",\"NSv 870\",\"NSa 3700\",\"NSa 2650\",\"NSa 3600\",\"NSa 3650\",\"NSa 4650\",\"NSa 5650\",\"NSa 6650\",\"NSa 9250\",\"NSa 9450\",\"NSa 9650\",\"NSsp 12400\",\"NSsp 12800\",\"NSsp 15700\",\"NSv 10\",\"NSv 25\",\"NSv 50\",\"NSv 100\",\"NSv 200\",\"NSv 300\",\"NSv 400\",\"NSv 800\",\"NSv 1600\") \n\n | summarize count() by DestinationIP, DestinationPort, TimeGenerated\n | sort by TimeGenerated"
"query": "\nCommonSecurityLog\n| where DeviceVendor == \"SonicWall\"\n| where DeviceProduct has_any (\"firewall\",\"TZ 670\",\"TZ 600\",\"TZ 600P\",\"NSv 270\",\"TZ 570\",\"TZ 570W\",\"TZ 570P\",\"TZ 500\",\"TZ 500W\",\"TZ 270\",\"TZ 270W\",\"TZ 370W\",\"TZ 470W\",\"TZ 350W\",\"TZ 350\",\"TZ 370\",\"TZ 470\",\"TZ 300W\",\"TZ 300P\",\"TZ 300\",\"TZ 400W\",\"TZ 400\",\"SOHO 250\",\"SOHO 250W\",\"NSa 2700\",\"NSv 470\",\"NSv 870\",\"NSa 3700\",\"NSa 2600\",\"NSa 2650\",\"NSa 3600\",\"NSa 3650\",\"NSa 4650\",\"NSa 5650\",\"NSa 5700\",\"NSa 6650\",\"NSa 9250\",\"NSa 9450\",\"NSa 9650\",\"NSsp 12400\",\"NSsp 12800\",\"NSsp 15700\",\"NSv 10\",\"NSv 25\",\"NSv 50\",\"NSv 100\",\"NSv 200\",\"NSv 300\",\"NSv 400\",\"NSv 800\",\"NSv 1600\") \n\n | summarize count() by DestinationIP, DestinationPort, TimeGenerated\n | sort by TimeGenerated"
},
{
"description": "Show all dropped traffic from the SonicWall Firewall",
"query": "\nCommonSecurityLog\n| where DeviceVendor == \"SonicWall\"\n| where DeviceProduct has_any (\"firewall\",\"TZ 670\",\"TZ 600\",\"TZ 600P\",\"NSv 270\",\"TZ 570\",\"TZ 570W\",\"TZ 570P\",\"TZ 500\",\"TZ 500W\",\"TZ 270\",\"TZ 270W\",\"TZ 370W\",\"TZ 470W\",\"TZ 350W\",\"TZ 350\",\"TZ 370\",\"TZ 470\",\"TZ 300W\",\"TZ 300P\",\"TZ 300\",\"TZ 400W\",\"TZ 400\",\"SOHO 250\",\"SOHO 250W\",\"NSa 2700\",\"NSv 470\",\"NSv 870\",\"NSa 3700\",\"NSa 2650\",\"NSa 3600\",\"NSa 3650\",\"NSa 4650\",\"NSa 5650\",\"NSa 6650\",\"NSa 9250\",\"NSa 9450\",\"NSa 9650\",\"NSsp 12400\",\"NSsp 12800\",\"NSsp 15700\",\"NSv 10\",\"NSv 25\",\"NSv 50\",\"NSv 100\",\"NSv 200\",\"NSv 300\",\"NSv 400\",\"NSv 800\",\"NSv 1600\") \n | where AdditionalExtensions contains \"fw_action='drop'\""
"query": "\nCommonSecurityLog\n| where DeviceVendor == \"SonicWall\"\n| where DeviceProduct has_any (\"firewall\",\"TZ 670\",\"TZ 600\",\"TZ 600P\",\"NSv 270\",\"TZ 570\",\"TZ 570W\",\"TZ 570P\",\"TZ 500\",\"TZ 500W\",\"TZ 270\",\"TZ 270W\",\"TZ 370W\",\"TZ 470W\",\"TZ 350W\",\"TZ 350\",\"TZ 370\",\"TZ 470\",\"TZ 300W\",\"TZ 300P\",\"TZ 300\",\"TZ 400W\",\"TZ 400\",\"SOHO 250\",\"SOHO 250W\",\"NSa 2700\",\"NSv 470\",\"NSv 870\",\"NSa 3700\",\"NSa 2600\",\"NSa 2650\",\"NSa 3600\",\"NSa 3650\",\"NSa 4650\",\"NSa 5650\",\"NSa 5700\",\"NSa 6650\",\"NSa 9250\",\"NSa 9450\",\"NSa 9650\",\"NSsp 12400\",\"NSsp 12800\",\"NSsp 15700\",\"NSv 10\",\"NSv 25\",\"NSv 50\",\"NSv 100\",\"NSv 200\",\"NSv 300\",\"NSv 400\",\"NSv 800\",\"NSv 1600\") \n | where AdditionalExtensions contains \"fw_action='drop'\""
}
],
"availability": {
@ -416,7 +416,7 @@
"apiVersion": "2022-01-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "2.0.4",
"version": "2.0.5",
"kind": "Solution",
"contentSchemaVersion": "2.0.0",
"contentId": "[variables('_solutionId')]",

2
Solutions/Syslog/Data Connectors/template_Syslog.json
Просмотреть файл

@ -2,7 +2,7 @@
"id": "Syslog",
"title": "Syslog",
"publisher": "Microsoft",
"descriptionMarkdown": "Syslog is an event logging protocol that is common to Linux. Applications will send messages that may be stored on the local machine or delivered to a Syslog collector. When the Agent for Linux is installed, it configures the local Syslog daemon to forward messages to the agent. The agent then sends the message to the workspace.",
"descriptionMarkdown": "Syslog is an event logging protocol that is common to Linux. Applications will send messages that may be stored on the local machine or delivered to a Syslog collector. When the Agent for Linux is installed, it configures the local Syslog daemon to forward messages to the agent. The agent then sends the message to the workspace. For more information, see the [Microsoft Sentinel documentation >](https://go.microsoft.com/fwlink/p/?linkid=2223807&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
"additionalRequirementBanner": "[Learn more >](https://aka.ms/sysLogInfo)",
"graphQueries": [
{

Двоичные данные
Solutions/VirusTotal/Package/2.0.3.zip
Просмотреть файл

Двоичный файл не отображается.

66
Solutions/VirusTotal/Package/mainTemplate.json
Просмотреть файл

@ -103,8 +103,8 @@
"hidden-sentinelContentType": "Playbook"
},
"properties": {
"description": "Get-VirusTotalDomainReport playbook",
"displayName": "Get-VirusTotalDomainReport playbook"
"description": "Get-VirusTotalDomainReport-AlertTriggered playbook",
"displayName": "Get-VirusTotalDomainReport-AlertTriggered playbook"
}
},
{
@ -120,13 +120,13 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName1'))]"
],
"properties": {
"description": "Get-VirusTotalDomainReport Playbook with template version 2.0.3",
"description": "Get-VirusTotalDomainReport-AlertTriggered Playbook with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion1')]",
"parameters": {
"PlaybookName": {
"defaultValue": "Get-VirusTotalDomainReport",
"defaultValue": "Get-VirusTotalDomainReport-AlertTriggered",
"type": "string"
},
"VirusTotalAPIKey": {
@ -495,8 +495,8 @@
"hidden-sentinelContentType": "Playbook"
},
"properties": {
"description": "Get-VirusTotalDomainReport playbook",
"displayName": "Get-VirusTotalDomainReport playbook"
"description": "Get-VirusTotalDomainReport-IncidentTriggered playbook",
"displayName": "Get-VirusTotalDomainReport-IncidentTriggered playbook"
}
},
{
@ -512,13 +512,13 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName2'))]"
],
"properties": {
"description": "Get-VirusTotalDomainReport Playbook with template version 2.0.3",
"description": "Get-VirusTotalDomainReport-IncidentTriggered Playbook with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion2')]",
"parameters": {
"PlaybookName": {
"defaultValue": "Get-VirusTotalDomainReport",
"defaultValue": "Get-VirusTotalDomainReport-IncidentTriggered",
"type": "string"
}
},
@ -852,8 +852,8 @@
"hidden-sentinelContentType": "Playbook"
},
"properties": {
"description": "Get-VirusTotalFileInfo playbook",
"displayName": "Get-VirusTotalFileInfo playbook"
"description": "Get-VirusTotalFileInfo-AlertTriggered playbook",
"displayName": "Get-VirusTotalFileInfo-AlertTriggered playbook"
}
},
{
@ -869,13 +869,13 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName3'))]"
],
"properties": {
"description": "Get-VirusTotalFileInfo Playbook with template version 2.0.3",
"description": "Get-VirusTotalFileInfo-AlertTriggered Playbook with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion3')]",
"parameters": {
"PlaybookName": {
"defaultValue": "Get-VirusTotalFileInfo",
"defaultValue": "Get-VirusTotalFileInfo-AlertTriggered",
"type": "string"
},
"VirusTotalAPIKey": {
@ -1244,8 +1244,8 @@
"hidden-sentinelContentType": "Playbook"
},
"properties": {
"description": "Get-VirusTotalFileInfo playbook",
"displayName": "Get-VirusTotalFileInfo playbook"
"description": "Get-VirusTotalFileInfo-IncidentTriggered playbook",
"displayName": "Get-VirusTotalFileInfo-IncidentTriggered playbook"
}
},
{
@ -1261,13 +1261,13 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName4'))]"
],
"properties": {
"description": "Get-VirusTotalFileInfo Playbook with template version 2.0.3",
"description": "Get-VirusTotalFileInfo-IncidentTriggered Playbook with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion4')]",
"parameters": {
"PlaybookName": {
"defaultValue": "Get-VirusTotalFileInfo",
"defaultValue": "Get-VirusTotalFileInfo-IncidentTriggered",
"type": "string"
}
},
@ -1601,8 +1601,8 @@
"hidden-sentinelContentType": "Playbook"
},
"properties": {
"description": "Get-VirusTotalIPReport playbook",
"displayName": "Get-VirusTotalIPReport playbook"
"description": "Get-VirusTotalIPReport-AlertTriggered playbook",
"displayName": "Get-VirusTotalIPReport-AlertTriggered playbook"
}
},
{
@ -1618,13 +1618,13 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName5'))]"
],
"properties": {
"description": "Get-VirusTotalIPReport Playbook with template version 2.0.3",
"description": "Get-VirusTotalIPReport-AlertTriggered Playbook with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion5')]",
"parameters": {
"PlaybookName": {
"defaultValue": "Get-VirusTotalIPReport",
"defaultValue": "Get-VirusTotalIPReport-AlertTriggered",
"type": "string"
},
"VirusTotalAPIKey": {
@ -1993,8 +1993,8 @@
"hidden-sentinelContentType": "Playbook"
},
"properties": {
"description": "Get-VirusTotalIPReport playbook",
"displayName": "Get-VirusTotalIPReport playbook"
"description": "Get-VirusTotalIPReport-IncidentTriggered playbook",
"displayName": "Get-VirusTotalIPReport-IncidentTriggered playbook"
}
},
{
@ -2010,13 +2010,13 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName6'))]"
],
"properties": {
"description": "Get-VirusTotalIPReport Playbook with template version 2.0.3",
"description": "Get-VirusTotalIPReport-IncidentTriggered Playbook with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion6')]",
"parameters": {
"PlaybookName": {
"defaultValue": "Get-VirusTotalIPReport",
"defaultValue": "Get-VirusTotalIPReport-IncidentTriggered",
"type": "string"
}
},
@ -2312,7 +2312,7 @@
}
],
"metadata": {
"title": "IP Enrichment - Virus Total report - Incident Trigger",
"title": "IP Enrichment - Virus Total report - Incident Triggered",
"description": "This playbook will take each IP entity and query VirusTotal for IP Address Report (https://developers.virustotal.com/v3.0/reference#ip-info). It will write the results to Log Analytics and add a comment to the incident.",
"prerequisites": [
"- You will need to register to Virus Total community for an API key"
@ -2350,8 +2350,8 @@
"hidden-sentinelContentType": "Playbook"
},
"properties": {
"description": "Get-VirusTotalURLReport_Alert playbook",
"displayName": "Get-VirusTotalURLReport_Alert playbook"
"description": "Get-VirusTotalURLReport-AlertTriggered playbook",
"displayName": "Get-VirusTotalURLReport-AlertTriggered playbook"
}
},
{
@ -2367,13 +2367,13 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName7'))]"
],
"properties": {
"description": "Get-VirusTotalURLReport_Alert Playbook with template version 2.0.3",
"description": "Get-VirusTotalURLReport-AlertTriggered Playbook with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion7')]",
"parameters": {
"PlaybookName": {
"defaultValue": "Get-VirusTotalURLReport_Alert",
"defaultValue": "Get-VirusTotalURLReport-AlertTriggered",
"type": "string"
},
"VirusTotalAPIKey": {
@ -2801,8 +2801,8 @@
"hidden-sentinelContentType": "Playbook"
},
"properties": {
"description": "Get-VirusTotalURLReport playbook",
"displayName": "Get-VirusTotalURLReport playbook"
"description": "Get-VirusTotalURLReport-IncidentTriggered playbook",
"displayName": "Get-VirusTotalURLReport-IncidentTriggered playbook"
}
},
{
@ -2818,13 +2818,13 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName8'))]"
],
"properties": {
"description": "Get-VirusTotalURLReport Playbook with template version 2.0.3",
"description": "Get-VirusTotalURLReport-IncidentTriggered Playbook with template version 2.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion8')]",
"parameters": {
"PlaybookName": {
"defaultValue": "Get-VirusTotalURLReport",
"defaultValue": "Get-VirusTotalURLReport-IncidentTriggered",
"type": "string"
}
},

22
Solutions/VirusTotal/Playbooks/Get-VirusTotalDomainReport/alert-trigger/azuredeploy.json
Просмотреть файл

@ -5,11 +5,11 @@
"comments": "This playbook will take each URL entity and query VirusTotal for domain info (https://developers.virustotal.com/v3.0/reference#domain-info).",
"title": "URL Enrichment - Virus Total domain report - Alert Triggered",
"description": "This playbook will take each URL entity and query VirusTotal for Domain info (https://developers.virustotal.com/v3.0/reference#domain-info).",
"prerequisites": ["- You will need to register to Virus Total community for an API key"],
"prerequisites": [ "- You will need to register to Virus Total community for an API key" ],
"postDeployment": [ "After deployment, you can run this playbook manually on an alert or attach it to an **analytics rule** so it will run when an alert is created." ],
"lastUpdateTime": "2022-07-20T00:00:00.000Z",
"entities": ["URL"],
"tags": ["Enrichment"],
"entities": [ "URL" ],
"tags": [ "Enrichment" ],
"support": {
"tier": "Community"
},
@ -17,18 +17,18 @@
"name": "Nicholas DiCola"
},
"releaseNotes": [
{
"version": "1.0.0",
"title": "URL Enrichment - Virus Total domain report",
"notes": [
"Initial version"
]
}
{
"version": "1.0.0",
"title": "URL Enrichment - Virus Total domain report",
"notes": [
"Initial version"
]
}
]
},
"parameters": {
"PlaybookName": {
"defaultValue": "Get-VirusTotalDomainReport",
"defaultValue": "Get-VirusTotalDomainReport-AlertTriggered",
"type": "string"
},
"VirusTotalAPIKey": {

18
Solutions/VirusTotal/Playbooks/Get-VirusTotalDomainReport/incident-trigger/azuredeploy.json
Просмотреть файл

@ -4,7 +4,7 @@
"metadata": {
"title": "URL Enrichment - Virus Total domain report - Incident Triggered",
"description": "This playbook will take each URL entity and query VirusTotal for Domain Report (https://developers.virustotal.com/v3.0/reference#domain-info). It will write the results to Log Analytics and add a comment to the incident.",
"prerequisites": ["Register to Virus Total community for an API key."],
"prerequisites": [ "Register to Virus Total community for an API key." ],
"postDeployment": [ "After deployment, attach this playbook to an **automation rule** so it runs when the incident is created." ],
"lastUpdateTime": "2022-07-20T00:00:00.000Z",
"entities": [ "URL" ],
@ -16,18 +16,18 @@
"name": "Nicholas DiCola"
},
"releaseNotes": [
{
"version": "1.0.0",
"title": "URL Enrichment - Virus Total domain report",
"notes": [
"Initial version"
]
}
{
"version": "1.0.0",
"title": "URL Enrichment - Virus Total domain report",
"notes": [
"Initial version"
]
}
]
},
"parameters": {
"PlaybookName": {
"defaultValue": "Get-VirusTotalDomainReport",
"defaultValue": "Get-VirusTotalDomainReport-IncidentTriggered",
"type": "string"
}
},

22
Solutions/VirusTotal/Playbooks/Get-VirusTotalFileInfo/alert-trigger/azuredeploy.json
Просмотреть файл

@ -4,11 +4,11 @@
"metadata": {
"title": "FileHash Enrichment - Virus Total report - Alert Triggered",
"description": "This playbook will take each File Hash entity and query VirusTotal for file report (https://developers.virustotal.com/v3.0/reference#file-info).",
"prerequisites": ["- You will need to register to Virus Total community for an API key"],
"prerequisites": [ "- You will need to register to Virus Total community for an API key" ],
"postDeployment": [ "After deployment, you can run this playbook manually on an alert or attach it to an **analytics rule** so it will rune when an alert is created." ],
"lastUpdateTime": "2022-07-20T00:00:00.000Z",
"entities": ["FileHash"],
"tags": ["Enrichment"],
"entities": [ "FileHash" ],
"tags": [ "Enrichment" ],
"comments": "This playbook will take each File Hash entity and query VirusTotal for file report (https://developers.virustotal.com/v3.0/reference#file-info).",
"support": {
"tier": "Community"
@ -17,18 +17,18 @@
"name": "Nicholas DiCola"
},
"releaseNotes": [
{
"version": "1.0.0",
"title": "FileHash Enrichment - Virus Total report",
"notes": [
"Initial version"
]
}
{
"version": "1.0.0",
"title": "FileHash Enrichment - Virus Total report",
"notes": [
"Initial version"
]
}
]
},
"parameters": {
"PlaybookName": {
"defaultValue": "Get-VirusTotalFileInfo",
"defaultValue": "Get-VirusTotalFileInfo-AlertTriggered",
"type": "string"
},
"VirusTotalAPIKey": {

18
Solutions/VirusTotal/Playbooks/Get-VirusTotalFileInfo/incident-trigger/azuredeploy.json
Просмотреть файл

@ -4,7 +4,7 @@
"metadata": {
"title": "FileHash Enrichment - Virus Total report - Incident Triggered",
"description": "This playbook will take each File Hash entity and query VirusTotal for file report (https://developers.virustotal.com/v3.0/reference#file-info).",
"prerequisites": ["- You will need to register to Virus Total community for an API key"],
"prerequisites": [ "- You will need to register to Virus Total community for an API key" ],
"postDeployment": [ "After deployment, attach this playbook to an **automation rule** so it runs when the incident is created." ],
"lastUpdateTime": "2022-07-20T00:00:00.000Z",
"entities": [ "FileHash" ],
@ -16,18 +16,18 @@
"name": "Nicholas DiCola"
},
"releaseNotes": [
{
"version": "1.0.0",
"title": "FileHash Enrichment - Virus Total report",
"notes": [
"Initial version"
]
}
{
"version": "1.0.0",
"title": "FileHash Enrichment - Virus Total report",
"notes": [
"Initial version"
]
}
]
},
"parameters": {
"PlaybookName": {
"defaultValue": "Get-VirusTotalFileInfo",
"defaultValue": "Get-VirusTotalFileInfo-IncidentTriggered",
"type": "string"
}
},

22
Solutions/VirusTotal/Playbooks/Get-VirusTotalIPReport/alert-trigger/azuredeploy.json
Просмотреть файл

@ -4,11 +4,11 @@
"metadata": {
"title": "IP Enrichment - Virus Total report - Alert Triggered",
"description": "This playbook will take each IP entity and query VirusTotal for IP Address Report (https://developers.virustotal.com/v3.0/reference#ip-info). It will write the results to Log Analytics and add a comment to the incident.",
"prerequisites": ["- You will need to register to Virus Total community for an API key"],
"prerequisites": [ "- You will need to register to Virus Total community for an API key" ],
"postDeployment": [ "After deployment, you can run this playbook manually on an alert or attach it to an **analytics rule** so it will run when an alert is created." ],
"lastUpdateTime": "2022-07-20T00:00:00.000Z",
"entities": ["IP"],
"tags": ["Enrichment"],
"entities": [ "IP" ],
"tags": [ "Enrichment" ],
"comments": "This playbook will take each IP entity and query VirusTotal for IP Address Report (https://developers.virustotal.com/v3.0/reference#ip-info). It will write the results to Log Analytics and add a comment to the incident. You will need to register to their community for an API key.",
"support": {
"tier": "Community"
@ -17,18 +17,18 @@
"name": "Nicholas DiCola"
},
"releaseNotes": [
{
"version": "1.0.0",
"title": "IP Enrichment - Virus Total report",
"notes": [
"Initial version"
]
}
{
"version": "1.0.0",
"title": "IP Enrichment - Virus Total report",
"notes": [
"Initial version"
]
}
]
},
"parameters": {
"PlaybookName": {
"defaultValue": "Get-VirusTotalIPReport",
"defaultValue": "Get-VirusTotalIPReport-AlertTriggered",
"type": "string"
},
"VirusTotalAPIKey": {

26
Solutions/VirusTotal/Playbooks/Get-VirusTotalIPReport/incident-trigger/azuredeploy.json
Просмотреть файл

@ -2,32 +2,32 @@
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"title": "IP Enrichment - Virus Total report - Incident Trigger",
"title": "IP Enrichment - Virus Total report - Incident Triggered",
"description": "This playbook will take each IP entity and query VirusTotal for IP Address Report (https://developers.virustotal.com/v3.0/reference#ip-info). It will write the results to Log Analytics and add a comment to the incident.",
"prerequisites": ["- You will need to register to Virus Total community for an API key"],
"prerequisites": [ "- You will need to register to Virus Total community for an API key" ],
"postDeployment": [ "After deployment, attach this playbook to an **automation rule** so it runs when the incident is created." ],
"lastUpdateTime": "2022-07-20T00:00:00.000Z",
"entities": ["IP"],
"tags": ["Enrichment"],
"entities": [ "IP" ],
"tags": [ "Enrichment" ],
"support": {
"tier": "community"
"tier": "community"
},
"author": {
"name": "Nicholas DiCola"
},
"releaseNotes": [
{
"version": "1.0.0",
"title": "IP Enrichment - Virus Total report",
"notes": [
"Initial version"
]
}
{
"version": "1.0.0",
"title": "IP Enrichment - Virus Total report",
"notes": [
"Initial version"
]
}
]
},
"parameters": {
"PlaybookName": {
"defaultValue": "Get-VirusTotalIPReport",
"defaultValue": "Get-VirusTotalIPReport-IncidentTriggered",
"type": "string"
}
},

18
Solutions/VirusTotal/Playbooks/Get-VirusTotalURLReport/alert-trigger/azuredeploy.json
Просмотреть файл

@ -4,7 +4,7 @@
"metadata": {
"title": "URL Enrichment - Virus Total report - Alert Triggered",
"description": "This playbook will take each URL entity and query VirusTotal for info (https://developers.virustotal.com/v3.0/reference#url-info).",
"prerequisites": ["- You will need to register to Virus Total community for an API key"],
"prerequisites": [ "- You will need to register to Virus Total community for an API key" ],
"postDeployment": [ "After deployment, you can run this playbook manually on an alert or attach it to an **analytics rule** so it will run when an alert is created." ],
"lastUpdateTime": "2022-07-20T00:00:00.000Z",
"entities": [ "URL" ],
@ -17,18 +17,18 @@
"name": "Nicholas DiCola"
},
"releaseNotes": [
{
"version": "1.0.0",
"title": "URL Enrichment - Virus Total report",
"notes": [
"Initial version"
]
}
{
"version": "1.0.0",
"title": "URL Enrichment - Virus Total report",
"notes": [
"Initial version"
]
}
]
},
"parameters": {
"PlaybookName": {
"defaultValue": "Get-VirusTotalURLReport_Alert",
"defaultValue": "Get-VirusTotalURLReport-AlertTriggered",
"type": "string"
},
"VirusTotalAPIKey": {

6
Solutions/VirusTotal/Playbooks/Get-VirusTotalURLReport/incident-trigger/azuredeploy.json
Просмотреть файл

@ -4,7 +4,7 @@
"metadata": {
"title": "URL Enrichment - Virus Total report - Incident Triggered",
"description": "This playbook will take each URL entity and query VirusTotal for info (https://developers.virustotal.com/v3.0/reference#url-info).",
"prerequisites": ["- You will need to register to Virus Total community for an API key"],
"prerequisites": [ "- You will need to register to Virus Total community for an API key" ],
"postDeployment": [ "After deployment, attach this playbook to an **automation rule** so it runs when the incident is created." ],
"lastUpdateTime": "2022-07-20T00:00:00.000Z",
"entities": [ "URL" ],
@ -19,13 +19,13 @@
{
"version": "1.0.0",
"title": "Handle MDE device Id missing case",
"notes":["- Added steps to handle if the entity from sentinel incident doesn't provide the MDE device ID."]
"notes": [ "- Added steps to handle if the entity from sentinel incident doesn't provide the MDE device ID." ]
}
]
},
"parameters": {
"PlaybookName": {
"defaultValue": "Get-VirusTotalURLReport",
"defaultValue": "Get-VirusTotalURLReport-IncidentTriggered",
"type": "string"
}
},

4
Solutions/Windows Security Events/Data Connectors/template_SecurityEvents.JSON
Просмотреть файл

@ -2,7 +2,7 @@
"id": "SecurityEvents",
"title": "Security Events via Legacy Agent",
"publisher": "Microsoft",
"descriptionMarkdown": "You can stream all security events from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organizations network and improves your security operation capabilities.",
"descriptionMarkdown": "You can stream all security events from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organizations network and improves your security operation capabilities. For more information, see the [Microsoft Sentinel documentation >](https://go.microsoft.com/fwlink/p/?linkid=2220093&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
"graphQueries": [
{
"metricName": "Total data received",
@ -106,4 +106,4 @@
]
}
]
}
}

4
Solutions/Windows Security Events/Data Connectors/template_WindowsSecurityEvents.JSON
Просмотреть файл

@ -2,7 +2,7 @@
"id": "WindowsSecurityEvents",
"title": "Windows Security Events via AMA",
"publisher": "Microsoft",
"descriptionMarkdown": "You can stream all security events from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organizations network and improves your security operation capabilities.",
"descriptionMarkdown": "You can stream all security events from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organizations network and improves your security operation capabilities. For more information, see the [Microsoft Sentinel documentation >](https://go.microsoft.com/fwlink/p/?linkid=2220225&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
"graphQueries": [
{
"metricName": "Total data received",
@ -84,4 +84,4 @@
]
}
]
}
}

2
Tools/stats/stats.md
Просмотреть файл

Различия файлов скрыты, потому что одна или несколько строк слишком длинны