diff --git a/Solutions/Web Shells Threat Protection/Analytic Rules/PotentialMercury_Webshell.yaml b/Solutions/Web Shells Threat Protection/Analytic Rules/PotentialMercury_Webshell.yaml
index b3861eeefa..f34937bc2d 100644
--- a/Solutions/Web Shells Threat Protection/Analytic Rules/PotentialMercury_Webshell.yaml
+++ b/Solutions/Web Shells Threat Protection/Analytic Rules/PotentialMercury_Webshell.yaml
@@ -8,6 +8,9 @@ requiredDataConnectors:
 - connectorId: SecurityEvents
 dataTypes:
 - SecurityEvent
+ - connectorId: WindowsSecurityEvents
+ dataTypes:
+ - SecurityEvent
 - connectorId: MicrosoftThreatProtection
 dataTypes:
 - DeviceFileEvents
@@ -77,7 +80,7 @@ entityMappings:
 columnName: HostName
 - identifier: DnsDomain
 columnName: HostNameDomain
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
 metadata:
 source:
diff --git a/Solutions/Web Shells Threat Protection/Data/Solution_WebShellsThreatProtection.json b/Solutions/Web Shells Threat Protection/Data/Solution_WebShellsThreatProtection.json
index a2141dd54e..a3a411e0f9 100644
--- a/Solutions/Web Shells Threat Protection/Data/Solution_WebShellsThreatProtection.json
+++ b/Solutions/Web Shells Threat Protection/Data/Solution_WebShellsThreatProtection.json
@@ -22,7 +22,7 @@
 "azuresentinel.azure-sentinel-solution-azurewebapplicationfirewal"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\solutions\\Web Shells Threat Protection",
- "Version": "3.0.3",
+ "Version": "3.0.4",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1PConnector": true
diff --git a/Solutions/Web Shells Threat Protection/Package/3.0.4.zip b/Solutions/Web Shells Threat Protection/Package/3.0.4.zip
new file mode 100644
index 0000000000..e1320b3f12
Binary files /dev/null and b/Solutions/Web Shells Threat Protection/Package/3.0.4.zip differ
diff --git a/Solutions/Web Shells Threat Protection/Package/createUiDefinition.json b/Solutions/Web Shells Threat Protection/Package/createUiDefinition.json
index 68aba494ea..9139771819 100644
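Review bot: The new `WindowsSecurityEvents` entry gives no hint why two connector ids now feed the same `SecurityEvent` data type, which only the release note (`Added missing AMA Data Connector reference`) explains; a one-line YAML comment above it, `# WindowsSecurityEvents is the AMA-based Security Events connector; SecurityEvents is the legacy-agent one`, would stop a later cleanup from dropping one as a duplicate. The release note speaks of `Analytic rules` in the plural, yet only PotentialMercury_Webshell.yaml is touched in the hunks visible here, so either the other rules in this solution that read SecurityEvent need the same entry or the note should say one rule. The packaged mainTemplate.json also bumps `analyticRuleVersion2` from 1.0.3 to 1.0.4, and no corresponding source change for that rule is visible in this diff; if it is not part of the commit, package and source will disagree. Separately, the description re-wrapped in createUiDefinition.json and mainTemplate.json still reads `WCSIISLog` where the table queried is `W3CIISLog`; as those files are regenerated, the fix presumably belongs in that rule's YAML description.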
--- a/Solutions/Web Shells Threat Protection/Package/createUiDefinition.json
+++ b/Solutions/Web Shells Threat Protection/Package/createUiDefinition.json
@@ -100,7 +100,7 @@
 "name": "analytic2-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Takes Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts where web scripts are present in the evidence and correlates with requests made to those scripts\nin the WCSIISLog to surface new alerts for potentially malicious web request activity.\nThe lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions\nhas been provided in scriptExtensions that should be tailored to your environment."
+ "text": "Takes Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts where web scripts are present in the evidence and correlates with requests made to those scripts in the WCSIISLog to surface new alerts for potentially malicious web request activity.\nThe lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions has been provided in scriptExtensions that should be tailored to your environment."
 }
 }
 ]
diff --git a/Solutions/Web Shells Threat Protection/Package/mainTemplate.json b/Solutions/Web Shells Threat Protection/Package/mainTemplate.json
index 73ed1ca51f..bed621e867 100644
--- a/Solutions/Web Shells Threat Protection/Package/mainTemplate.json
+++ b/Solutions/Web Shells Threat Protection/Package/mainTemplate.json
@@ -33,7 +33,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "Web Shells Threat Protection",
- "_solutionVersion": "3.0.3",
+ "_solutionVersion": "3.0.4",
 "solutionId": "azuresentinel.azure-sentinel-solution-webshellsthreatprotection",
 "_solutionId": "[variables('solutionId')]",
 "huntingQueryObject1": {
@@ -67,18 +67,18 @@
 "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('e0c947c3-fe83-46ff-bbda-a43224a785fd')))]"
 },
 "analyticRuleObject1": {
- "analyticRuleVersion1": "1.0.2",
+ "analyticRuleVersion1": "1.0.3",
 "_analyticRulecontentId1": "50eb4cbd-188f-44f4-b964-bab84dcdec10",
 "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '50eb4cbd-188f-44f4-b964-bab84dcdec10')]",
 "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('50eb4cbd-188f-44f4-b964-bab84dcdec10')))]",
- "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','50eb4cbd-188f-44f4-b964-bab84dcdec10','-', '1.0.2')))]"
+ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','50eb4cbd-188f-44f4-b964-bab84dcdec10','-', '1.0.3')))]"
 },
 "analyticRuleObject2": {
- "analyticRuleVersion2": "1.0.3",
+ "analyticRuleVersion2": "1.0.4",
 "_analyticRulecontentId2": "fbfbf530-506b-49a4-81ad-4030885a195c",
 "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'fbfbf530-506b-49a4-81ad-4030885a195c')]",
 "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('fbfbf530-506b-49a4-81ad-4030885a195c')))]",
- "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fbfbf530-506b-49a4-81ad-4030885a195c','-', '1.0.3')))]"
+ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fbfbf530-506b-49a4-81ad-4030885a195c','-', '1.0.4')))]"
 },
 "analyticRuleObject3": {
 "analyticRuleVersion3": "1.0.4",
@@ -99,7 +99,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Possible webshell drop_HuntingQueries Hunting Query with template version 3.0.3",
+ "description": "Possible webshell drop_HuntingQueries Hunting Query with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
@@ -180,7 +180,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "exchange-iis-worker-dropping-webshell_HuntingQueries Hunting Query with template version 3.0.3",
+ "description": "exchange-iis-worker-dropping-webshell_HuntingQueries Hunting Query with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
@@ -261,7 +261,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PotentialWebshell_HuntingQueries Hunting Query with template version 3.0.3",
+ "description": "PotentialWebshell_HuntingQueries Hunting Query with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
@@ -346,7 +346,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SpringshellWebshellUsage_HuntingQueries Hunting Query with template version 3.0.3",
+ "description": "SpringshellWebshellUsage_HuntingQueries Hunting Query with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
@@ -431,7 +431,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "umworkerprocess-creating-webshell_HuntingQueries Hunting Query with template version 3.0.3",
+ "description": "umworkerprocess-creating-webshell_HuntingQueries Hunting Query with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]",
@@ -512,7 +512,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "WebShellActivity_HuntingQueries Hunting Query with template version 3.0.3",
+ "description": "WebShellActivity_HuntingQueries Hunting Query with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]",
@@ -597,7 +597,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PotentialMercury_Webshell_AnalyticalRules Analytics Rule with template version 3.0.3",
+ "description": "PotentialMercury_Webshell_AnalyticalRules Analytics Rule with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -630,6 +630,12 @@
 "SecurityEvent"
 ]
 },
+ {
+ "connectorId": "WindowsSecurityEvents",
+ "dataTypes": [
+ "SecurityEvent"
+ ]
+ },
 {
 "connectorId": "MicrosoftThreatProtection",
 "dataTypes": [
@@ -645,38 +651,38 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "Account"
+ "columnName": "Account",
+ "identifier": "FullName"
 },
 {
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
 },
 {
- "identifier": "NTDomain",
- "columnName": "AccountNTDomain"
+ "columnName": "AccountNTDomain",
+ "identifier": "NTDomain"
 }
- ],
- "entityType": "Account"
+ ]
 },
 {
+ "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "Computer"
+ "columnName": "Computer",
+ "identifier": "FullName"
 },
 {
- "identifier": "HostName",
- "columnName": "HostName"
+ "columnName": "HostName",
+ "identifier": "HostName"
 },
 {
- "identifier": "DnsDomain",
- "columnName": "HostNameDomain"
+ "columnName": "HostNameDomain",
+ "identifier": "DnsDomain"
 }
- ],
- "entityType": "Host"
+ ]
 }
 ]
 }
@@ -732,7 +738,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "MaliciousAlertLinkedWebRequests_AnalyticalRules Analytics Rule with template version 3.0.3",
+ "description": "MaliciousAlertLinkedWebRequests_AnalyticalRules Analytics Rule with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -746,7 +752,7 @@
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "description": "Takes Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts where web scripts are present in the evidence and correlates with requests made to those scripts\nin the WCSIISLog to surface new alerts for potentially malicious web request activity.\nThe lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions\nhas been provided in scriptExtensions that should be tailored to your environment.",
+ "description": "Takes Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts where web scripts are present in the evidence and correlates with requests made to those scripts in the WCSIISLog to surface new alerts for potentially malicious web request activity.\nThe lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions has been provided in scriptExtensions that should be tailored to your environment.",
 "displayName": "Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts",
 "enabled": false,
 "query": "let alertTimeWindow = 1h;\nlet logTimeWindow = 7d;\n// Define script extensions that suit your web application environment - a sample are provided below\nlet scriptExtensions = dynamic([\".php\", \".jsp\", \".js\", \".aspx\", \".asmx\", \".asax\", \".cfm\", \".shtml\"]);\nlet alertData = materialize(SecurityAlert\n| where TimeGenerated > ago(alertTimeWindow)\n| where ProviderName == \"MDATP\"\n// Parse and expand the alert JSON\n| extend alertData = parse_json(Entities)\n| mvexpand alertData);\nlet fileData = alertData\n// Extract web script files from MDATP alerts - our malicious web scripts - candidate webshells\n| where alertData.Type =~ \"file\"\n| where alertData.Name has_any(scriptExtensions)\n| extend FileName = tostring(alertData.Name), Directory = tostring(alertData.Directory);\nlet hostData = alertData\n// Extract server details from alerts and map to alert id\n| where alertData.Type =~ \"host\"\n| project HostName = tostring(alertData.HostName), DnsDomain = tostring(alertData.DnsDomain), SystemAlertId\n| distinct HostName, DnsDomain, SystemAlertId;\n// Join the files on their impacted servers\nlet webshellData = fileData\n| join kind=inner (hostData) on SystemAlertId\n| project TimeGenerated, FileName, Directory, HostName, DnsDomain;\nwebshellData\n| join (\n// Find requests that were made to this file on the impacted server in the W3CIISLog table\nW3CIISLog\n| where TimeGenerated > ago(logTimeWindow)\n// Restrict to accesses to script extensions\n| where csUriStem has_any(scriptExtensions)\n| extend splitUriStem = split(csUriStem, \"/\")\n| extend FileName = splitUriStem[-1], HostName = sComputerName\n// Summarize potential attacker activity\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), RequestUserAgents=make_set(csUserAgent), ReqestMethods=make_set(csMethod), RequestStatusCodes=make_set(scStatus), RequestCookies=make_set(csCookie), RequestReferers=make_set(csReferer), RequestQueryStrings=make_set(csUriQuery) by AttackerIP=cIP, SiteName=sSiteName, ShellLocation=csUriStem, tostring(FileName), HostName\n) on FileName, HostName\n| project StartTime, EndTime, AttackerIP, RequestUserAgents, Computer = HostName, SiteName, ShellLocation, ReqestMethods, RequestStatusCodes, RequestCookies, RequestReferers, RequestQueryStrings, RequestCount = count_\n| extend HostName = tostring(split(Computer, \".\")[0]), DomainIndex = toint(indexof(Computer, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\n",
@@ -780,30 +786,30 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "Computer"
+ "columnName": "Computer",
+ "identifier": "FullName"
 },
 {
- "identifier": "HostName",
- "columnName": "HostName"
+ "columnName": "HostName",
+ "identifier": "HostName"
 },
 {
- "identifier": "DnsDomain",
- "columnName": "HostNameDomain"
+ "columnName": "HostNameDomain",
+ "identifier": "DnsDomain"
 }
- ],
- "entityType": "Host"
+ ]
 },
 {
+ "entityType": "IP",
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "AttackerIP"
+ "columnName": "AttackerIP",
+ "identifier": "Address"
 }
- ],
- "entityType": "IP"
+ ]
 }
 ]
 }
@@ -859,7 +865,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Supernovawebshell_AnalyticalRules Analytics Rule with template version 3.0.3",
+ "description": "Supernovawebshell_AnalyticalRules Analytics Rule with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@@ -903,47 +909,47 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "csUserName"
+ "columnName": "csUserName",
+ "identifier": "FullName"
 },
 {
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
 },
 {
- "identifier": "UPNSuffix",
- "columnName": "AccountUPNSuffix"
+ "columnName": "AccountUPNSuffix",
+ "identifier": "UPNSuffix"
 }
- ],
- "entityType": "Account"
+ ]
 },
 {
+ "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "Computer"
+ "columnName": "Computer",
+ "identifier": "FullName"
 },
 {
- "identifier": "HostName",
- "columnName": "HostName"
+ "columnName": "HostName",
+ "identifier": "HostName"
 },
 {
- "identifier": "DnsDomain",
- "columnName": "HostNameDomain"
+ "columnName": "HostNameDomain",
+ "identifier": "DnsDomain"
 }
- ],
- "entityType": "Host"
+ ]
 },
 {
+ "entityType": "IP",
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "cIP"
+ "columnName": "cIP",
+ "identifier": "Address"
 }
- ],
- "entityType": "IP"
+ ]
 }
 ]
 }
@@ -995,7 +1001,7 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.0.3",
+ "version": "3.0.4",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "Web Shells Threat Protection",
@@ -1023,7 +1029,6 @@
 "link": "https://support.microsoft.com/"
 },
 "dependencies": {
- "operator": "AND",
 "criteria": [
 {
 "kind": "HuntingQuery",
@@ -1069,6 +1074,18 @@
 "kind": "AnalyticsRule",
 "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
 "version": "[variables('analyticRuleObject3').analyticRuleVersion3]"
+ },
+ {
+ "kind": "Solution",
+ "contentId": "azuresentinel.azure-sentinel-solution-microsoft365defender"
+ },
+ {
+ "kind": "Solution",
+ "contentId": "azuresentinel.azure-sentinel-solution-securityevents"
+ },
+ {
+ "kind": "Solution",
+ "contentId": "azuresentinel.azure-sentinel-solution-azurewebapplicationfirewal"
 }
 ]
 },
diff --git a/Solutions/Web Shells Threat Protection/ReleaseNotes.md b/Solutions/Web Shells Threat Protection/ReleaseNotes.md
index 8ca0135435..0030ab7cea 100644
--- a/Solutions/Web Shells Threat Protection/ReleaseNotes.md
+++ b/Solutions/Web Shells Threat Protection/ReleaseNotes.md
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|-------------------------------------------------------------------------------|
+| 3.0.4 | 10-06-2024 | Added missing AMA **Data Connector** reference in **Analytic rules** |
 | 3.0.3 | 12-04-2024 | Updated Entity Mapping and Query of **Analytic Rule** Supernovawebshell.yaml and MaliciousAlertLinkedWebRequests.yaml |
 | 3.0.2 | 22-02-2024 | Tagged for dependent Solutions for deployment |
 | 3.0.1 | 25-10-2023 | Changes for rebranding from Microsoft 365 Defender to Microsoft Defender XDR |