This commit is contained in:
v-shukore 2024-06-10 18:02:14 +05:30
Родитель 402423899e
Коммит bbe63ad52f
6 изменённых файлов: 89 добавлений и 68 удалений

Просмотреть файл

@ -8,6 +8,9 @@ requiredDataConnectors:
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
- connectorId: WindowsSecurityEvents
dataTypes:
- SecurityEvent
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceFileEvents
@ -77,7 +80,7 @@ entityMappings:
columnName: HostName
- identifier: DnsDomain
columnName: HostNameDomain
version: 1.0.2
version: 1.0.3
kind: Scheduled
metadata:
source:

Просмотреть файл

@ -22,7 +22,7 @@
"azuresentinel.azure-sentinel-solution-azurewebapplicationfirewal"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\solutions\\Web Shells Threat Protection",
"Version": "3.0.3",
"Version": "3.0.4",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": true

Двоичные данные
Solutions/Web Shells Threat Protection/Package/3.0.4.zip Normal file

Двоичный файл не отображается.

Просмотреть файл

@ -100,7 +100,7 @@
"name": "analytic2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Takes Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts where web scripts are present in the evidence and correlates with requests made to those scripts\nin the WCSIISLog to surface new alerts for potentially malicious web request activity.\nThe lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions\nhas been provided in scriptExtensions that should be tailored to your environment."
"text": "Takes Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts where web scripts are present in the evidence and correlates with requests made to those scripts in the WCSIISLog to surface new alerts for potentially malicious web request activity.\nThe lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions has been provided in scriptExtensions that should be tailored to your environment."
}
}
]

Просмотреть файл

@ -33,7 +33,7 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "Web Shells Threat Protection",
"_solutionVersion": "3.0.3",
"_solutionVersion": "3.0.4",
"solutionId": "azuresentinel.azure-sentinel-solution-webshellsthreatprotection",
"_solutionId": "[variables('solutionId')]",
"huntingQueryObject1": {
@ -67,18 +67,18 @@
"huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('e0c947c3-fe83-46ff-bbda-a43224a785fd')))]"
},
"analyticRuleObject1": {
"analyticRuleVersion1": "1.0.2",
"analyticRuleVersion1": "1.0.3",
"_analyticRulecontentId1": "50eb4cbd-188f-44f4-b964-bab84dcdec10",
"analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '50eb4cbd-188f-44f4-b964-bab84dcdec10')]",
"analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('50eb4cbd-188f-44f4-b964-bab84dcdec10')))]",
"_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','50eb4cbd-188f-44f4-b964-bab84dcdec10','-', '1.0.2')))]"
"_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','50eb4cbd-188f-44f4-b964-bab84dcdec10','-', '1.0.3')))]"
},
"analyticRuleObject2": {
"analyticRuleVersion2": "1.0.3",
"analyticRuleVersion2": "1.0.4",
"_analyticRulecontentId2": "fbfbf530-506b-49a4-81ad-4030885a195c",
"analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'fbfbf530-506b-49a4-81ad-4030885a195c')]",
"analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('fbfbf530-506b-49a4-81ad-4030885a195c')))]",
"_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fbfbf530-506b-49a4-81ad-4030885a195c','-', '1.0.3')))]"
"_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fbfbf530-506b-49a4-81ad-4030885a195c','-', '1.0.4')))]"
},
"analyticRuleObject3": {
"analyticRuleVersion3": "1.0.4",
@ -99,7 +99,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Possible webshell drop_HuntingQueries Hunting Query with template version 3.0.3",
"description": "Possible webshell drop_HuntingQueries Hunting Query with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
@ -180,7 +180,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "exchange-iis-worker-dropping-webshell_HuntingQueries Hunting Query with template version 3.0.3",
"description": "exchange-iis-worker-dropping-webshell_HuntingQueries Hunting Query with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
@ -261,7 +261,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "PotentialWebshell_HuntingQueries Hunting Query with template version 3.0.3",
"description": "PotentialWebshell_HuntingQueries Hunting Query with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
@ -346,7 +346,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "SpringshellWebshellUsage_HuntingQueries Hunting Query with template version 3.0.3",
"description": "SpringshellWebshellUsage_HuntingQueries Hunting Query with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
@ -431,7 +431,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "umworkerprocess-creating-webshell_HuntingQueries Hunting Query with template version 3.0.3",
"description": "umworkerprocess-creating-webshell_HuntingQueries Hunting Query with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]",
@ -512,7 +512,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "WebShellActivity_HuntingQueries Hunting Query with template version 3.0.3",
"description": "WebShellActivity_HuntingQueries Hunting Query with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]",
@ -597,7 +597,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "PotentialMercury_Webshell_AnalyticalRules Analytics Rule with template version 3.0.3",
"description": "PotentialMercury_Webshell_AnalyticalRules Analytics Rule with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@ -630,6 +630,12 @@
"SecurityEvent"
]
},
{
"connectorId": "WindowsSecurityEvents",
"dataTypes": [
"SecurityEvent"
]
},
{
"connectorId": "MicrosoftThreatProtection",
"dataTypes": [
@ -645,38 +651,38 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "Account"
"columnName": "Account",
"identifier": "FullName"
},
{
"identifier": "Name",
"columnName": "AccountName"
"columnName": "AccountName",
"identifier": "Name"
},
{
"identifier": "NTDomain",
"columnName": "AccountNTDomain"
"columnName": "AccountNTDomain",
"identifier": "NTDomain"
}
],
"entityType": "Account"
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "Computer"
"columnName": "Computer",
"identifier": "FullName"
},
{
"identifier": "HostName",
"columnName": "HostName"
"columnName": "HostName",
"identifier": "HostName"
},
{
"identifier": "DnsDomain",
"columnName": "HostNameDomain"
"columnName": "HostNameDomain",
"identifier": "DnsDomain"
}
],
"entityType": "Host"
]
}
]
}
@ -732,7 +738,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "MaliciousAlertLinkedWebRequests_AnalyticalRules Analytics Rule with template version 3.0.3",
"description": "MaliciousAlertLinkedWebRequests_AnalyticalRules Analytics Rule with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@ -746,7 +752,7 @@
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "Takes Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts where web scripts are present in the evidence and correlates with requests made to those scripts\nin the WCSIISLog to surface new alerts for potentially malicious web request activity.\nThe lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions\nhas been provided in scriptExtensions that should be tailored to your environment.",
"description": "Takes Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts where web scripts are present in the evidence and correlates with requests made to those scripts in the WCSIISLog to surface new alerts for potentially malicious web request activity.\nThe lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions has been provided in scriptExtensions that should be tailored to your environment.",
"displayName": "Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts",
"enabled": false,
"query": "let alertTimeWindow = 1h;\nlet logTimeWindow = 7d;\n// Define script extensions that suit your web application environment - a sample are provided below\nlet scriptExtensions = dynamic([\".php\", \".jsp\", \".js\", \".aspx\", \".asmx\", \".asax\", \".cfm\", \".shtml\"]);\nlet alertData = materialize(SecurityAlert\n| where TimeGenerated > ago(alertTimeWindow)\n| where ProviderName == \"MDATP\"\n// Parse and expand the alert JSON\n| extend alertData = parse_json(Entities)\n| mvexpand alertData);\nlet fileData = alertData\n// Extract web script files from MDATP alerts - our malicious web scripts - candidate webshells\n| where alertData.Type =~ \"file\"\n| where alertData.Name has_any(scriptExtensions)\n| extend FileName = tostring(alertData.Name), Directory = tostring(alertData.Directory);\nlet hostData = alertData\n// Extract server details from alerts and map to alert id\n| where alertData.Type =~ \"host\"\n| project HostName = tostring(alertData.HostName), DnsDomain = tostring(alertData.DnsDomain), SystemAlertId\n| distinct HostName, DnsDomain, SystemAlertId;\n// Join the files on their impacted servers\nlet webshellData = fileData\n| join kind=inner (hostData) on SystemAlertId\n| project TimeGenerated, FileName, Directory, HostName, DnsDomain;\nwebshellData\n| join (\n// Find requests that were made to this file on the impacted server in the W3CIISLog table\nW3CIISLog\n| where TimeGenerated > ago(logTimeWindow)\n// Restrict to accesses to script extensions\n| where csUriStem has_any(scriptExtensions)\n| extend splitUriStem = split(csUriStem, \"/\")\n| extend FileName = splitUriStem[-1], HostName = sComputerName\n// Summarize potential attacker activity\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), RequestUserAgents=make_set(csUserAgent), ReqestMethods=make_set(csMethod), RequestStatusCodes=make_set(scStatus), RequestCookies=make_set(csCookie), RequestReferers=make_set(csReferer), RequestQueryStrings=make_set(csUriQuery) by AttackerIP=cIP, SiteName=sSiteName, ShellLocation=csUriStem, tostring(FileName), HostName\n) on FileName, HostName\n| project StartTime, EndTime, AttackerIP, RequestUserAgents, Computer = HostName, SiteName, ShellLocation, ReqestMethods, RequestStatusCodes, RequestCookies, RequestReferers, RequestQueryStrings, RequestCount = count_\n| extend HostName = tostring(split(Computer, \".\")[0]), DomainIndex = toint(indexof(Computer, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\n",
@ -780,30 +786,30 @@
],
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "Computer"
"columnName": "Computer",
"identifier": "FullName"
},
{
"identifier": "HostName",
"columnName": "HostName"
"columnName": "HostName",
"identifier": "HostName"
},
{
"identifier": "DnsDomain",
"columnName": "HostNameDomain"
"columnName": "HostNameDomain",
"identifier": "DnsDomain"
}
],
"entityType": "Host"
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "AttackerIP"
"columnName": "AttackerIP",
"identifier": "Address"
}
],
"entityType": "IP"
]
}
]
}
@ -859,7 +865,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Supernovawebshell_AnalyticalRules Analytics Rule with template version 3.0.3",
"description": "Supernovawebshell_AnalyticalRules Analytics Rule with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@ -903,47 +909,47 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "csUserName"
"columnName": "csUserName",
"identifier": "FullName"
},
{
"identifier": "Name",
"columnName": "AccountName"
"columnName": "AccountName",
"identifier": "Name"
},
{
"identifier": "UPNSuffix",
"columnName": "AccountUPNSuffix"
"columnName": "AccountUPNSuffix",
"identifier": "UPNSuffix"
}
],
"entityType": "Account"
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "Computer"
"columnName": "Computer",
"identifier": "FullName"
},
{
"identifier": "HostName",
"columnName": "HostName"
"columnName": "HostName",
"identifier": "HostName"
},
{
"identifier": "DnsDomain",
"columnName": "HostNameDomain"
"columnName": "HostNameDomain",
"identifier": "DnsDomain"
}
],
"entityType": "Host"
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "cIP"
"columnName": "cIP",
"identifier": "Address"
}
],
"entityType": "IP"
]
}
]
}
@ -995,7 +1001,7 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "3.0.3",
"version": "3.0.4",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Web Shells Threat Protection",
@ -1023,7 +1029,6 @@
"link": "https://support.microsoft.com/"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"kind": "HuntingQuery",
@ -1069,6 +1074,18 @@
"kind": "AnalyticsRule",
"contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
"version": "[variables('analyticRuleObject3').analyticRuleVersion3]"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-microsoft365defender"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-securityevents"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-azurewebapplicationfirewal"
}
]
},

Просмотреть файл

@ -1,5 +1,6 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|-------------------------------------------------------------------------------|
| 3.0.4 | 10-06-2024 | Added missing AMA **Data Connector** reference in **Analytic rules** |
| 3.0.3 | 12-04-2024 | Updated Entity Mapping and Query of **Analytic Rule** Supernovawebshell.yaml and MaliciousAlertLinkedWebRequests.yaml |
| 3.0.2 | 22-02-2024 | Tagged for dependent Solutions for deployment |
| 3.0.1 | 25-10-2023 | Changes for rebranding from Microsoft 365 Defender to Microsoft Defender XDR |