This commit is contained in:
NikTripathi 2021-10-26 14:33:07 +05:30
Родитель ba91ceff84
Коммит bce85a84c7
26 изменённых файлов: 7390 добавлений и 0 удалений

Двоичный файл не отображается.


@ -0,0 +1,272 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe Cybersecurity Maturity Model Certification (CMMC) model consists of maturity processes and cybersecurity best practices from multiple cybersecurity standards, frameworks, and other references, as well as inputs from the Defense Industrial Base (DIB) and Department of Defense (DoD stakeholders. The CMMC model specifies 5 levels of maturity measurement from Maturity Level 1 (Basic Cyber Hygiene) to Maturity Level 5 (Proactive & Advanced Cyber Practice). For more information, see the Office of the Under Secretary of Defense for Acquisition & Sustainment 💡[CMMC Model](https://www.acq.osd.mil/cmmc/draft.html).\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Workbooks:** 1, **Analytic Rules:** 10\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "workbooks",
"label": "Workbooks",
"subLabel": {
"preValidation": "Configure the workbooks",
"postValidation": "Done"
},
"bladeTitle": "Workbooks",
"elements": [
{
"name": "workbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Azure Sentinel and combine them into unified interactive experiences.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
}
}
},
{
"name": "workbook1",
"type": "Microsoft.Common.Section",
"label": "CybersecurityMaturityModelCertification(CMMC)",
"elements": [
{
"name": "workbook1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Gain insights into ZeroTrust logs."
}
},
{
"name": "workbook1-name",
"type": "Microsoft.Common.TextBox",
"label": "Display Name",
"defaultValue": "CybersecurityMaturityModelCertification(CMMC)",
"toolTip": "Display name for the workbook.",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a workbook name"
}
}
]
}
]
},
{
"name": "analytics",
"label": "Analytics",
"subLabel": {
"preValidation": "Configure the analytics",
"postValidation": "Done"
},
"bladeTitle": "Analytics",
"elements": [
{
"name": "analytics-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs analytic rules for CybersecurityMaturityModelCertification(CMMC) that you can enable for custom alert generation in Azure Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Azure Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
}
}
},
{
"name": "analytic1",
"type": "Microsoft.Common.Section",
"label": "(Preview) CMMC Access Control Control Family Monitoring",
"elements": [
{
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "CMMC Control Assessments have Deviated from Configured Threshold Baselines"
}
}
]
},
{
"name": "analytic2",
"type": "Microsoft.Common.Section",
"label": "(Preview) CMMC Audit & Accountability Control Family Monitoring",
"elements": [
{
"name": "analytic2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "CMMC Control Assessments have Deviated from Configured Threshold Baselines"
}
}
]
},
{
"name": "analytic3",
"type": "Microsoft.Common.Section",
"label": "(Preview) CMMC Configuration Management Control Family Monitoring",
"elements": [
{
"name": "analytic3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "CMMC Control Assessments have Deviated from Configured Threshold Baselines"
}
}
]
},
{
"name": "analytic4",
"type": "Microsoft.Common.Section",
"label": "(Preview) CMMC Identification & Authentication Control Family Monitoring",
"elements": [
{
"name": "analytic4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "CMMC Control Assessments have Deviated from Configured Threshold Baselines"
}
}
]
},
{
"name": "analytic5",
"type": "Microsoft.Common.Section",
"label": "(Preview) CMMC Incident Response Control Family Monitoring",
"elements": [
{
"name": "analytic5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "CMMC Control Assessments have Deviated from Configured Threshold Baselines"
}
}
]
},
{
"name": "analytic6",
"type": "Microsoft.Common.Section",
"label": "(Preview) CMMC Recovery Control Family Monitoring",
"elements": [
{
"name": "analytic6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "CMMC Control Assessments have Deviated from Configured Threshold Baselines"
}
}
]
},
{
"name": "analytic7",
"type": "Microsoft.Common.Section",
"label": "(Preview) CMMC Risk Management Control Family Monitoring",
"elements": [
{
"name": "analytic7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "CMMC Control Assessments have Deviated from Configured Threshold Baselines"
}
}
]
},
{
"name": "analytic8",
"type": "Microsoft.Common.Section",
"label": "(Preview) CMMC Security Assessment Control Family Monitoring",
"elements": [
{
"name": "analytic8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "CMMC Control Assessments have Deviated from Configured Threshold Baselines"
}
}
]
},
{
"name": "analytic9",
"type": "Microsoft.Common.Section",
"label": "(Preview) CMMC System & Communications Protection Control Family Monitoring",
"elements": [
{
"name": "analytic9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "CMMC Control Assessments have Deviated from Configured Threshold Baselines"
}
}
]
},
{
"name": "analytic10",
"type": "Microsoft.Common.Section",
"label": "(Preview) CMMC System & Information Integrity Control Family Monitoring",
"elements": [
{
"name": "analytic10-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "CMMC Control Assessments have Deviated from Configured Threshold Baselines"
}
}
]
}
]
}
],
"outputs": {
"workspace-location": "[resourceGroup().location]",
"location": "[location()]",
"workspace": "[basics('workspace')]",
"workbook1-name": "[steps('workbooks').workbook1.workbook1-name]"
}
}
}
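Review bot: The display-name constraint on L105, `"regex": "[a-z0-9A-Z]{1,256}$"`, is anchored only at the end, so any value that merely ends in 1–256 letters or digits passes regardless of what precedes them; anchoring both ends, `"regex": "^[a-z0-9A-Z]{1,256}$"`, makes the pattern enforce what the field implies, and the message on L106 can then state the rule, `"validationMessage": "Please enter a workbook name of 1-256 letters or digits."`. The same end-only pattern recurs in the IronNet createUiDefinition on L517, L543, L761, L807 and L832. Separately, the `allowedValues` expression on L58 builds each option's JSON by string-concatenating `item.name` into `parse(...)`; Log Analytics workspace names are, as far as I recall, limited to letters, digits and hyphens, so this is presumably safe, but the construction breaks on any name containing a quote and is worth keeping in mind if the filter is ever widened.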

Различия файлов скрыты, потому что одна или несколько строк слишком длинны


@ -0,0 +1,15 @@
{
"publisherId": "azuresentinel",
"planId": "azure-sentinel-solution-cybersecuritymaturitymodel",
"firstPublishDate": "2021-10-20",
"providers": ["Microsoft"],
"categories": {
"domains" : ["Compliance"]
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
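Review bot: The key on L296 is written `"domains" : ["Compliance"]` with a space before the colon, unlike every other key in this file. The sibling IronNet metadata (L343-L346) also carries an explicit `"verticals": []` beside `domains`, which this file omits; if the catalog consumer expects both keys, adding `"verticals": []` here keeps the two metadata files in one shape.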


@ -0,0 +1,26 @@
{
"Name": "CybersecurityMaturityModelCertification(CMMC)",
"Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
"Description": "The Cybersecurity Maturity Model Certification (CMMC) model consists of maturity processes and cybersecurity best practices from multiple cybersecurity standards, frameworks, and other references, as well as inputs from the Defense Industrial Base (DIB) and Department of Defense (DoD stakeholders. The CMMC model specifies 5 levels of maturity measurement from Maturity Level 1 (Basic Cyber Hygiene) to Maturity Level 5 (Proactive & Advanced Cyber Practice). For more information, see the Office of the Under Secretary of Defense for Acquisition & Sustainment 💡[CMMC Model](https://www.acq.osd.mil/cmmc/draft.html).",
"WorkbookDescription": "Gain insights into ZeroTrust logs.",
"Workbooks": [
"Workbooks/CybersecurityMaturityModelCertification(CMMC).json"
],
"Analytic Rules": [
"Analytic Rules/AccessControlControlFamilyMonitoring.yaml",
"Analytic Rules/Audit&AccountabilityControlFamilyMonitoring.yaml",
"Analytic Rules/ConfigurationManagementControlFamilyMonitoring.yaml",
"Analytic Rules/Identification&AuthenticationControlFamilyMonitoring.yaml",
"Analytic Rules/IncidentResponseControlFamilyMonitoring.yaml",
"Analytic Rules/RecoveryControlFamilyMonitoring.yaml",
"Analytic Rules/RiskManagementControlFamilyMonitoring.yaml",
"Analytic Rules/SecurityAssessmentControlFamilyMonitoring.yaml",
"Analytic Rules/System&CommunicationsProtectionControlFamilyMonitoring.yaml",
"Analytic Rules/System&InformationIntegrityControlFamilyMonitoring.yaml"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\azure\\Solutions\\CybersecurityMaturityModelCertification(CMMC)",
"Version": "1.0.0"
}
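Review bot: `WorkbookDescription` on L314, `"Gain insights into ZeroTrust logs."`, does not describe the CMMC workbook this manifest packages and looks carried over from another solution; it is also the text shown to installers at L94 of the generated createUiDefinition. Something grounded in the workbook's content, e.g. `"WorkbookDescription": "Gain insights into CMMC control assessment logs."`, would be accurate, with the exact wording confirmed by the workbook author. The description on L313 also drops the closing parenthesis after `Department of Defense (DoD`, an error repeated verbatim on L20. `BasePath` on L331 is an absolute path on one contributor's machine (`C:\\GitHub\\azure\\...`); if the packaging tool requires it, a relative path or a note that the value is machine-specific would make the manifest reproducible for others.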


@ -0,0 +1,16 @@
{
"publisherId": "ironnetcybersecurity1585849518753",
"planId": "irondefense-for-sentinel",
"firstPublishDate": "2021-10-18",
"providers": ["IronNet"],
"categories": {
"domains" : ["Security – Network"],
"verticals": []
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
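Review bot: The `domains` value on L344, `"Security – Network"`, uses an en dash (U+2013) while the rest of the file is ASCII; if the catalog matches domain names literally, this should be checked against the expected spelling, `"domains": ["Security - Network"]` being the ASCII form. The spacing `"domains" :` on L344 also differs from every other key in the file. This file appears byte-for-byte again at L866-L881; if the second copy is not regenerated from the first at packaging time, the two can drift.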


@ -0,0 +1,23 @@
{
"Name": "IronNet IronDefense",
"Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/IronNet%20IronDefense/Workbooks/Images/Logos/IronNet.svg\"width=\"75px\"height=\"75px\">",
"Description": "[IronDefense](https://www.ironnet.com/products/irondefense) is the industrys most advanced network detection and response (NDR) platform built to stop the most sophisticated cyber threats. As an advanced NDR tool, IronDefense improves visibility across the threat landscape while amplifying detection efficacy within your network environment. As a result, your SOC team can be more efficient and effective with existing cyber defense tools, resources, and analyst capacity.",
"Data Connectors": [
"DataConnectors/IronNetIronDefense.json"
],
"Analytic Rules": [
"Analytic Rules/IronDefense_Detection_Query.yaml"
],
"Workbooks": [
"Workbooks/IronDefenseAlertDashboard.json",
"Workbooks/IronDefenseAlertDetails.json"
],
"Playbooks": [
"Playbooks/IronNet_UpdateIronDefenseAlerts/azuredeploy.json",
"Playbooks/IronNet_UpdateSentinelIncidents/azuredeploy.json"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\azure\\Solutions\\IronNet IronDefense",
"Version": "1.0.0"
}
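Review bot: The `Logo` markup on L361 runs its attributes together, `IronNet.svg\"width=\"75px\"height=\"75px\"`, with no space before `width` or `height`, so the tag is malformed HTML; compare L312, which separates them, and write `...IronNet.svg\" width=\"75px\" height=\"75px\">`. The description on L362 reads `the industrys most advanced` and wants the apostrophe (`industry's`), which the generated installer text on L398 repeats. `BasePath` on L378 is an absolute path on one contributor's machine (`C:\\GitHub\\azure\\Solutions\\IronNet IronDefense`, as on L331); if the packaging tool needs it, a relative path or a note that it is machine-specific would make the manifest usable by other contributors.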

Двоичные данные
Solutions/IronNet IronDefense/Package/1.0.0.zip Normal file

Двоичный файл не отображается.


@ -0,0 +1,470 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/IronNet%20IronDefense/Workbooks/Images/Logos/IronNet.svg\" width=\"75px\" height=\"75px\">\n\n**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\n[IronDefense](https://www.ironnet.com/products/irondefense) is the industrys most advanced network detection and response (NDR) platform built to stop the most sophisticated cyber threats. As an advanced NDR tool, IronDefense improves visibility across the threat landscape while amplifying detection efficacy within your network environment. As a result, your SOC team can be more efficient and effective with existing cyber defense tools, resources, and analyst capacity.\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1, **Workbooks:** 2, **Analytic Rules:** 1, **Playbooks:** 2\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "dataconnectors",
"label": "Data Connectors",
"bladeTitle": "Data Connectors",
"elements": [
{
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Solution installs the data connector for IronNet IronDefense. You can get IronNet IronDefense CommonSecurityLog data in your Azure Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. The logs will be received in the CommonSecurityLog table in your Azure Sentinel / Azure Log Analytics workspace."
}
},
{
"name": "dataconnectors-link1",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about normalized format",
"uri": "https://docs.microsoft.com/azure/sentinel/normalization-schema"
}
}
},
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about connecting data sources",
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
}
}
}
]
},
{
"name": "workbooks",
"label": "Workbooks",
"subLabel": {
"preValidation": "Configure the workbooks",
"postValidation": "Done"
},
"bladeTitle": "Workbooks",
"elements": [
{
"name": "workbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Azure Sentinel and combine them into unified interactive experiences.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
}
}
},
{
"name": "workbook2",
"type": "Microsoft.Common.Section",
"label": "IronDefense Alert Dashboard",
"elements": [
{
"name": "workbook2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Dashboard to view IronDefense alerts."
}
},
{
"name": "workbook2-name",
"type": "Microsoft.Common.TextBox",
"label": "Display Name",
"defaultValue": "IronDefenseAlertDashboard",
"toolTip": "Display name for the workbook.",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a workbook name"
}
}
]
},
{
"name": "workbook1",
"type": "Microsoft.Common.Section",
"label": "IronDefense Alert Details",
"elements": [
{
"name": "workbook1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "View IronDefense alert details from the IronDefense Alerts dashboard."
}
},
{
"name": "workbook1-name",
"type": "Microsoft.Common.TextBox",
"label": "Display Name",
"defaultValue": "IronDefenseAlertDetails",
"toolTip": "Display name for the workbook.",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a workbook name"
}
}
]
}
]
},
{
"name": "analytics",
"label": "Analytics",
"subLabel": {
"preValidation": "Configure the analytics",
"postValidation": "Done"
},
"bladeTitle": "Analytics",
"elements": [
{
"name": "analytics-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs analytic rules for IronNet IronDefense that you can enable for custom alert generation in Azure Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Azure Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
}
}
},
{
"name": "analytic1",
"type": "Microsoft.Common.Section",
"label": "Create Incidents from IronDefense",
"elements": [
{
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Creates incidents based on behavioral detections from IronDefense."
}
}
]
}
]
},
{
"name": "appregistration",
"label": "App Registration",
"subLabel": {
"preValidation": "Configure the App registration",
"postValidation": "Done"
},
"bladeTitle": "App Registration",
"elements": [
{
"name": "appregistration-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution requires an app registration in the Microsoft identity platform in order to make API requests to Azure Sentinel. Please consult the IronDefense Integration for Azure Sentinel document provided in the IronNet Knowledge Base for detailed setup instructions."
}
},
{
"name": "appregistration-link1",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "IronNet Knowledge Base",
"uri": "https://kb.ironnet.com/knowledge"
}
}
},
{
"name": "appregistration-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Microsoft Identity Platform Overview",
"uri": "https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-overview"
}
}
}
]
},
{
"name": "playbooks",
"label": "Playbooks",
"subLabel": {
"preValidation": "Configure the playbooks",
"postValidation": "Done"
},
"bladeTitle": "Playbooks",
"elements": [
{
"name": "playbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs playbook resources. A security playbook is a collection of procedures that can be run from Azure Sentinel in response to an alert. A security playbook can help automate and orchestrate your response, and can be run manually or set to run automatically when specific alerts are triggered. Security playbooks in Azure Sentinel are based on Azure Logic Apps, which means that you get all the power, customizability, and built-in templates of Logic Apps. Each playbook is created for the specific subscription you choose, but when you look at the Playbooks page, you will see all the playbooks across any selected subscriptions.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
}
}
},
{
"name": "playbookIronAPI",
"type": "Microsoft.Common.Section",
"elements": [
{
"name": "playbookIronAPI-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "IronAPI Configuration"
}
},
{
"name": "playbook-IronApiUsername",
"type": "Microsoft.Common.TextBox",
"label": "IronDefense Username",
"defaultValue": "",
"toolTip": "IronVue username to connect to IronDefense API",
"constraints": {
"required": true,
"regex": "^.{1,256}$",
"validationMessage": "Please enter the full URL with http or https."
}
},
{
"name": "playbook-IronApiPassword",
"type": "Microsoft.Common.PasswordBox",
"label": {
"password": "IronDefense Password"
},
"toolTip": "Password to connect to IronDefense API",
"constraints": {
"required": true
},
"options": {
"hideConfirmation": false
}
},
{
"name": "playbook-IronDefenseUrl",
"type": "Microsoft.Common.TextBox",
"label": "IronDefense URL",
"defaultValue": "",
"toolTip": "Please enter the URL to the IronDefense deployment. E.g. \"https://example.ironnetcybercloud.com\"",
"constraints": {
"required": true,
"regex": "^https?://.{1,256}$",
"validationMessage": "Please enter the full URL with http or https."
}
}
]
},
{
"name": "playbookAppRegistration",
"type": "Microsoft.Common.Section",
"elements": [
{
"name": "playbookAppRegistration-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "App registration for access to the Sentinel API"
}
},
{
"name": "playbook-ClientId",
"type": "Microsoft.Common.TextBox",
"label": "Client ID",
"defaultValue": "",
"toolTip": "Please enter application (client} ID for Azure Sentinel API access.",
"constraints": {
"required": true,
"regex": "^[a-z0-9A-Z]{8}-[a-z0-9A-Z]{4}-[a-z0-9A-Z]{4}-[a-z0-9A-Z]{4}-[a-z0-9A-Z]{12}$",
"validationMessage": "Please enter a valid UUID"
}
},
{
"name": "playbook-ClientSecret",
"type": "Microsoft.Common.PasswordBox",
"label": {
"password": "Client Secret",
"confirmPassword": "Confirm Client Secret"
},
"toolTip": "Please enter application (client} secret for Azure Sentinel API access.",
"constraints": {
"required": true
},
"options": {
"hideConfirmation": false
}
}
]
},
{
"name": "playbook1",
"type": "Microsoft.Common.Section",
"elements": [
{
"name": "playbook1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Updates IronDefense alert workflow status and rating via IronAPI when the corresponding Sentinel Incident is updated."
}
},
{
"name": "playbook1-ShareCommentWithIrondome",
"type": "Microsoft.Common.CheckBox",
"label": "Share Comments With Irondome (Recommended)",
"toolTip": "Share incident comments with IronDome to contribute to collective defense"
},
{
"name": "playbook1-param_recurrence_interval",
"type": "Microsoft.Common.TextBox",
"label": "Playbook Recurrence Interval",
"defaultValue": "15",
"toolTip": "Please enter the time interval to check for incident updates",
"constraints": {
"required": true,
"regex": "[0-9]{1,256}$",
"validationMessage": "Please enter a valid number"
}
},
{
"name": "playbook1-param_recurrence_frequency",
"type": "Microsoft.Common.DropDown",
"label": "Playbook Recurrence Frequency",
"placeholder": "Minute",
"defaultValue": "Minute",
"toolTip": "Please select a unit of time for the playbook recurrence interval",
"constraints": {
"allowedValues": [
{
"label": "Day",
"value": "Day"
},
{
"label": "Hour",
"value": "Hour"
},
{
"label": "Minute",
"value": "Minute"
},
{
"label": "Month",
"value": "Month"
},
{
"label": "Second",
"value": "Second"
}
],
"required": true
},
"visible": true
},
{
"name": "playbook1-PlaybookName",
"type": "Microsoft.Common.TextBox",
"label": "Playbook Name",
"defaultValue": "UpdateIronDefenseAlerts",
"toolTip": "Please enter Playbook Name",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter the Playbook Name"
}
}
]
},
{
"name": "playbook2",
"type": "Microsoft.Common.Section",
"elements": [
{
"name": "playbook2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Updates Azure Sentinel incidents when the corresponding IronDefense alert is updated in IronVue."
}
},
{
"name": "playbook2-PlaybookName",
"type": "Microsoft.Common.TextBox",
"label": "Playbook Name",
"defaultValue": "UpdateAzureSentinelIncidents",
"toolTip": "Please enter Playbook Name",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter the Playbook Name"
}
}
]
}
]
}
],
"outputs": {
"workspace-location": "[resourceGroup().location]",
"location": "[location()]",
"workspace": "[basics('workspace')]",
"workbook1-name": "[steps('workbooks').workbook1.workbook1-name]",
"workbook2-name": "[steps('workbooks').workbook2.workbook2-name]",
"playbook-IronApiUsername": "[steps('playbooks').playbookIronAPI.playbook-IronApiUsername]",
"playbook-IronApiPassword": "[steps('playbooks').playbookIronAPI.playbook-IronApiPassword]",
"playbook-IronDefenseUrl": "[steps('playbooks').playbookIronAPI.playbook-IronDefenseUrl]",
"playbook-ClientId": "[steps('playbooks').playbookAppRegistration.playbook-ClientId]",
"playbook-ClientSecret": "[steps('playbooks').playbookAppRegistration.playbook-ClientSecret]",
"playbook1-ShareCommentWithIrondome": "[steps('playbooks').playbook1.playbook1-ShareCommentWithIrondome]",
"playbook1-param_recurrence_interval": "[steps('playbooks').playbook1.playbook1-param_recurrence_interval]",
"playbook1-param_recurrence_frequency": "[steps('playbooks').playbook1.playbook1-param_recurrence_frequency]",
"playbook1-PlaybookName": "[steps('playbooks').playbook1.playbook1-PlaybookName]",
"playbook2-PlaybookName": "[steps('playbooks').playbook2.playbook2-PlaybookName]"
}
}
}
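Review bot: The IronDefense URL constraint on L690, `"regex": "^https?://.{1,256}$"`, accepts a plain `http://` endpoint, yet the username and password collected on L657-L681 are sent to that endpoint by the playbook, so a typo or a deliberate downgrade would transmit the credentials in clear text; the tooltip on L687 already gives an https example, so tightening to `"regex": "^https://.{1,256}$"` and `"validationMessage": "Please enter the full URL beginning with https."` on L691 matches the documented intent. The username field's message on L665, `"Please enter the full URL with http or https."`, is copied from the URL field and should read something like `"validationMessage": "Please enter the IronDefense username."`. The tooltips on L712 and L726 contain `(client}` where `(client)` is meant. The client-ID pattern on L715 accepts any letters, not just hex digits, so `"Please enter a valid UUID"` overstates what it checks; `^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$` would validate the format it names.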

Различия файлов скрыты, потому что одна или несколько строк слишком длинны


@ -0,0 +1,16 @@
{
"publisherId": "ironnetcybersecurity1585849518753",
"planId": "irondefense-for-sentinel",
"firstPublishDate": "2021-10-18",
"providers": ["IronNet"],
"categories": {
"domains" : ["Security – Network"],
"verticals": []
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}

Двоичные данные
Solutions/MicrosoftInsiderRiskManagement/Package/1.0.2.zip Normal file

Двоичный файл не отображается.


@ -0,0 +1,290 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe Azure Sentinel: Insider Risk Management Solution (https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/InsiderRiskManagement/readme.md) demonstrates the “better together” story between Microsoft 365 Insider Risk Management and Azure Sentinel. This workbook integrates telemetry from 25+ Microsoft security products to provide actionable insights into insider risk management. Reporting tools provide “Go to Alert” links to provide deeper integration between products and a simplified user experience for exploring alerts. A filter set provides custom reporting for Guide, Subscription, Workspace, and Time. The workbook can be exported as a PDF or print report via the Print Workbooks feature. Content sections include Overviews, Insider Risk Management, Watchlist, and User Forensics. The Overview tab provides recommendations for building insider risk program architectures. The Insider Risk tab provides alert reporting by both insider risk scenarios such as Sensitive Data Leaks, Security Violations, and MITRE ATT&CK tactics. The Watchlist tab provides filtering by Azure Sentinel Watchlists and the User Forensics tab collects logging telemetry by user. 
The user experience includes designing insider risk management architectures and streamlining telemetry from all users > watchlist > specific users while transitioning to M365 Insider Risk Management to investigate/resolve activity of interest.\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Workbooks:** 1, **Analytic Rules:** 5, **Hunting Queries:** 5\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "workbooks",
"label": "Workbooks",
"subLabel": {
"preValidation": "Configure the workbooks",
"postValidation": "Done"
},
"bladeTitle": "Workbooks",
"elements": [
{
"name": "workbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Azure Sentinel and combine them into unified interactive experiences.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
}
}
},
{
"name": "workbook1",
"type": "Microsoft.Common.Section",
"label": "InsiderRiskManagement",
"elements": [
{
"name": "workbook1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Insider risk management helps minimize internal risks by enabling you to detect, investigate, and act on malicious and inadvertent activities in your organization."
}
},
{
"name": "workbook1-name",
"type": "Microsoft.Common.TextBox",
"label": "Display Name",
"defaultValue": "InsiderRiskManagement",
"toolTip": "Display name for the workbook.",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a workbook name"
}
}
]
}
]
},
{
"name": "analytics",
"label": "Analytics",
"subLabel": {
"preValidation": "Configure the analytics",
"postValidation": "Done"
},
"bladeTitle": "Analytics",
"elements": [
{
"name": "analytics-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs analytic rules for InsiderRiskManagement that you can enable for custom alert generation in Azure Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Azure Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
}
}
},
{
"name": "analytic1",
"type": "Microsoft.Common.Section",
"label": "(Preview) Insider Risk - High User Security Alert Correlations",
"elements": [
{
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This alert joins SecurityAlerts from Microsoft Products with SecurityIncidents from Azure Sentinel and Microsoft 365 Defender. This join allows for identifying patterns in user principal names associated with respective security alerts. A machine learning function (Basket) is leveraged with a .001 threshold. Baset finds all frequent patterns of discrete attributes (dimensions) in the data. It returns the frequent patterns passed the frequency threshold. This query evaluates UserPrincipalName for patterns in SecurityAlerts and Reporting Security Tools. This query can be further tuned/configured for higher confidence percentages, security products, or alert severities pending the needs of the organization. There is an option for configuration of correlations against Azure Sentinel watchlists. For more information on the basket plugin, see [basket plugin](https://docs.microsoft.com/azure/data-explorer/kusto/query/basketplugin)"
}
}
]
},
{
"name": "analytic2",
"type": "Microsoft.Common.Section",
"label": "(Preview) Insider Risk - High User Security Incidents Correlation",
"elements": [
{
"name": "analytic2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This alert joins SecurityAlerts to SecurityIncidents to associate Security Alerts and Incidents with user accounts. This aligns all Microsoft Alerting Products (MCAS, MDE, ASC, etc.) with Microsoft Incident Generating Products (Azure Sentinel, M365 Defender) for a count of user security incidents over time. The default threshold is 5 security incidents, and this is customizable per the organization's requirements. Results include UserPrincipalName (UPN), SecurityIncident, LastIncident, ProductName, LastObservedTime, and Previous Incidents. There is an option for configuration of correlations against Azure Sentinel watchlists. For more information, see [Investigate incidents with Azure Sentinel]( https://docs.microsoft.com/azure/sentinel/investigate-cases)."
}
}
]
},
{
"name": "analytic3",
"type": "Microsoft.Common.Section",
"label": "(Preview) Insider Risk - Microsoft 365 Insider Risk Management Alert Observed",
"elements": [
{
"name": "analytic3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This alert is triggered when a Microsoft 365 Insider Risk Management alert is recieved in Azure Sentinel via the Microsoft 365 Insider Risk Management Connector. The alert extracts usernames from security alerts to provide UserPrincipalName, Alert Name, Reporting Product Name, Status, Alert Link, Previous Alerts Links, Time Generated. There is an option for configuration of correlations against Azure Sentinel watchlists. For more information, see [Learn about insider risk management in Microsoft 365](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management)"
}
}
]
},
{
"name": "analytic4",
"type": "Microsoft.Common.Section",
"label": "(Preview) Insider Risk - Sensitive Data Access Outside Organziational Geolocations",
"elements": [
{
"name": "analytic4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This alert joins Azure Information Protection Logs (InformationProtectionLogs_CL) with Azure Active Directory Sign in Logs (SigninLogs) to provide a correlation of sensitive data access by geolocation. Results include User Principal Name, Label Name, Activity, City, State, Country/Region, and Time Generated. Recommended configuration is to include (or exclude) Sign in geolocations (City, State, Country and/or Region) for trusted organizational locations. There is an option for configuration of correlations against Azure Sentinel watchlists. Accessing sensitive data from a new or unauthorized geolocation warrants further review. For more information see [Sign-in logs in Azure Active Directory: Location Filtering](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins)"
}
}
]
},
{
"name": "analytic5",
"type": "Microsoft.Common.Section",
"label": "(Preview) Insider Risk - Risky User Access By Application",
"elements": [
{
"name": "analytic5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This alert evaluates Azure Active Directory Sign in risk via Machine Learning correlations in the basket operator. The basket threshold is adjustable, and the default is set to .01. There is an optional configuration to configure the percentage rates. The correlations are designed to leverage machine learning to identify patterns of risky user application access. There is an option for configuration of correlations against Azure Sentinel watchlists. For more information, see [Tutorial: Use risk detections for user sign-ins to trigger Azure AD Multi-Factor Authentication or password changes](https://docs.microsoft.com/azure/active-directory/authentication/tutorial-risk-based-sspr-mfa)"
}
}
]
}
]
},
{
"name": "huntingqueries",
"label": "Hunting Queries",
"bladeTitle": "Hunting Queries",
"elements": [
{
"name": "huntingqueries-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs hunting queries for InsiderRiskManagement that you can run in Azure Sentinel. These hunting queries will be deployed in the Hunting gallery of your Azure Sentinel workspace. Run these hunting queries to hunt for threats in the Hunting gallery after this Solution deploys.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/hunting"
}
}
},
{
"name": "huntingquery1",
"type": "Microsoft.Common.Section",
"label": "Insider Risk - Entity Anomaly Followed by IRM Alert",
"elements": [
{
"name": "huntingquery1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This alert joins Azure Sentinel UEBA (Behavior Analytics) with Microsoft 365 Insider Risk Management Alerts (SecurityAlerts) for correlation of an M365 IRM Alert to Behavioral Anomalies. Resuls include UserPrincipalName, Entity Anomalies, Start/End Time, Alert Link, and Previous Alert Links. There is an option for configuration of correlations against Azure Sentinel watchlists. For more information, see [Use Azure Sentinel watchlists](https://docs.microsoft.com/azure/sentinel/watchlists) It depends on the BehaviorAnalytics OfficeATP data connector and BehaviorAnalytics SecurityAlert (Office 365) data type and BehaviorAnalytics OfficeATP parser."
}
}
]
},
{
"name": "huntingquery2",
"type": "Microsoft.Common.Section",
"label": "Insider Risk - ISP Anomaly to Exfil",
"elements": [
{
"name": "huntingquery2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This alert joins Azure Sentinel UEBA (BehaviorAnalytics) to Security Alerts from Microsoft products for a correlation of Internet Service Provider anomalies to data exfiltration. Data exfiltration is categorized by the MITRE ATT&CK Tactic in the SecurityAlerts table. Results include UserPrincipalName, ISPAnomalies, AlertName, Previous Alert Links, and Time Generated. There is an option for configuration of correlations against Azure Sentinel watchlists. For more information, see [Use Azure Sentinel watchlists](https://docs.microsoft.com/azure/sentinel/watchlists) It depends on the BehaviorAnalytics MicrosoftDefenderAdvancedThreatProtection AzureActiveDirectoryIdentityProtection AzureSecurityCenter IoT MicrosoftCloudAppSecurity IoT OfficeATP data connector and BehaviorAnalytics SecurityAlert (MDATP) SecurityAlert (IPC) SecurityAlert (ASC) SecurityAlert (ASC for IoT) SecurityAlert (ASC for IoT) SecurityAlert (MCAS) SecurityAlert (Office 365) data type and BehaviorAnalytics MicrosoftDefenderAdvancedThreatProtection AzureActiveDirectoryIdentityProtection AzureSecurityCenter IoT MicrosoftCloudAppSecurity IoT OfficeATP parser."
}
}
]
},
{
"name": "huntingquery3",
"type": "Microsoft.Common.Section",
"label": "Insider Risk - Multiple Entity-Based Anomalies",
"elements": [
{
"name": "huntingquery3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This alert leverages Azure Sentinel User Entity Behavior Analytics (UEBA) via the BehaviorAnalytics table. Entity insights including uncommon action, uncommon action volume, first time device logon, and first time user action are summarized by entity. The alert returns entity counts by anomaly and user principal name including ranges for start/end time observed. There is an option for configuration of correlations against Azure Sentinel watchlists. For more information, see [Use Azure Sentinel watchlists](https://docs.microsoft.com/azure/sentinel/watchlists) It depends on the BehaviorAnalytics AzureActiveDirectory data connector and BehaviorAnalytics SigninLogs data type and BehaviorAnalytics AzureActiveDirectory parser."
}
}
]
},
{
"name": "huntingquery4",
"type": "Microsoft.Common.Section",
"label": "Insider Risk - Possible Sabotage",
"elements": [
{
"name": "huntingquery4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This alert joins Azure Sentinel UEBA (BehaviorAnalytics) to Security Alerts to Azure Activity. This alert is designed to correlate users with entity anomalies, security alerts, and delete/remove actions for identification of possible sabotage activities. Results include User Principal Name, Alert Name, Previous Security Alert Links, Anomalies, and Time Generated. There is an option for configuration of correlations against Azure Sentinel watchlists. For more information, see [Use Azure Sentinel watchlists](https://docs.microsoft.com/azure/sentinel/watchlists) It depends on the BehaviorAnalytics MicrosoftDefenderAdvancedThreatProtection AzureActiveDirectoryIdentityProtection AzureSecurityCenter IoT MicrosoftCloudAppSecurity IoT OfficeATP AzureActivity data connector and BehaviorAnalytics SecurityAlert (MDATP) SecurityAlert (IPC) SecurityAlert (ASC) SecurityAlert (ASC for IoT) SecurityAlert (ASC for IoT) SecurityAlert (MCAS) SecurityAlert (Office 365) AzureActivity data type and BehaviorAnalytics MicrosoftDefenderAdvancedThreatProtection AzureActiveDirectoryIdentityProtection AzureSecurityCenter IoT MicrosoftCloudAppSecurity IoT OfficeATP AzureActivity parser."
}
}
]
},
{
"name": "huntingquery5",
"type": "Microsoft.Common.Section",
"label": "Insider Risk - Sign In Risk Followed By Sensitive Data Access",
"elements": [
{
"name": "huntingquery5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This alert joins Azure Active Directory Sign In Risk (SigninLogs) with Azure Information Protection (InformationProtectionLogs_CL) to correlate a risky user sign in (high or medium) with access to sensitive data classified by data loss prevention capabilities. There are optional configurations for correlations against geolocations and Azure Sentinel watchlists. For more information, see [Use Azure Sentinel watchlists](https://docs.microsoft.com/azure/sentinel/watchlists) It depends on the AzureInformationProtection AzureActiveDirectory data connector and InformationProtectionLogs_CL SigninLogs data type and AzureInformationProtection AzureActiveDirectory parser."
}
}
]
}
]
}
],
"outputs": {
"workspace-location": "[resourceGroup().location]",
"location": "[location()]",
"workspace": "[basics('workspace')]",
"workbook1-name": "[steps('workbooks').workbook1.workbook1-name]"
}
}
}
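Review bot: The display-name validation on L985, `"regex": "[a-z0-9A-Z]{1,256}$"`, is anchored only at the end, so any input that ends in one alphanumeric character passes regardless of what precedes it, and the intended alphanumeric-only, 256-character limit is not enforced; the same pattern appears on L1336 and L1362 (and on L832 in the section above). Anchor the start as well: `"regex": "^[a-z0-9A-Z]{1,256}$"`. The workspace filter on L938 selects by `contains(filter.id, toLower(resourceGroup().name))`, which is a substring match on the whole resource id, so a resource group whose name contains the selected one as a substring would presumably also list its workspaces — worth confirming against the intended behaviour. The user-facing strings also carry typos that will ship in the portal UI: `Baset` (L1022), `recieved` (L1050), `Organziational` (L1058) and `Resuls` (L1110).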


@ -0,0 +1,15 @@
{
"publisherId": "azuresentinel",
"planId": "azure-sentinel-solution-insiderriskmanagement",
"firstPublishDate": "2021-10-20",
"providers": ["Microsoft"],
"categories": {
"domains" : ["Security – Insider Threat"]
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}


@ -0,0 +1,27 @@
{
"Name": "InsiderRiskManagement",
"Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
"Description": "The Azure Sentinel: Insider Risk Management Solution (https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/InsiderRiskManagement/readme.md) demonstrates the “better together” story between Microsoft 365 Insider Risk Management and Azure Sentinel. This workbook integrates telemetry from 25+ Microsoft security products to provide actionable insights into insider risk management. Reporting tools provide “Go to Alert” links to provide deeper integration between products and a simplified user experience for exploring alerts. A filter set provides custom reporting for Guide, Subscription, Workspace, and Time. The workbook can be exported as a PDF or print report via the Print Workbooks feature. Content sections include Overviews, Insider Risk Management, Watchlist, and User Forensics. The Overview tab provides recommendations for building insider risk program architectures. The Insider Risk tab provides alert reporting by both insider risk scenarios such as Sensitive Data Leaks, Security Violations, and MITRE ATT&CK tactics. The Watchlist tab provides filtering by Azure Sentinel Watchlists and the User Forensics tab collects logging telemetry by user. The user experience includes designing insider risk management architectures and streamlining telemetry from all users > watchlist > specific users while transitioning to M365 Insider Risk Management to investigate/resolve activity of interest.",
"WorkbookDescription": "Insider risk management helps minimize internal risks by enabling you to detect, investigate, and act on malicious and inadvertent activities in your organization.",
"Workbooks": [
"Workbooks/InsiderRiskManagement.json"
],
"Analytic Rules": [
"Analytic Rules/InsiderRiskHighUserAlertsCorrelation.yaml",
"Analytic Rules/InsiderRiskHighUserIncidentsCorrelation.yaml",
"Analytic Rules/InsiderRiskM365IRMAlertObserved.yaml",
"Analytic Rules/InsiderRiskSensitiveDataAccessOutsideOrgGeo.yaml",
"Analytic Rules/InsiderRiskyAccessByApplication.yaml"
],
"Hunting Queries": [
"Hunting Queries/InsiderEntityAnomalyFollowedByIRMAlert.yaml",
"Hunting Queries/InsiderISPAnomalyCorrelatedToExfiltrationAlert.yaml",
"Hunting Queries/InsiderMultipleEntityAnomalies.yaml",
"Hunting Queries/InsiderPossibleSabotage.yaml",
"Hunting Queries/InsiderSignInRiskFollowedBySensitiveDataAccessyaml.yaml"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\azure\\Solutions\\MicrosoftInsiderRiskManagement",
"Version": "1.0.2"
}
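Review bot: `BasePath` on L1231 is an absolute path on one developer's Windows machine (`C:\\GitHub\\azure\\...`), and L1416 commits the same kind of value, so anyone else running the packaging step has to edit the file first; if the packaging tool accepts a repository-relative path, prefer that, e.g. `"BasePath": "Solutions/MicrosoftInsiderRiskManagement"`. The hunting-query filename on L1228, `InsiderSignInRiskFollowedBySensitiveDataAccessyaml.yaml`, looks like a typo for `...DataAccess.yaml`; if the file in the repository does not carry the extra `yaml`, packaging will presumably fail to find it — worth checking. Both concerns are inferred from the values alone, since the packaging tool is not visible in this commit.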

Solutions/ThreatAnalysis&ResponsewithMITREATT&CK/Package/1.0.3.zip Normal file


@ -0,0 +1,137 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nMITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. The MITRE ATT&CK Cloud Matrix provides tactics and techniques representing the MITRE ATT&CK® Matrix for Enterprise covering cloud-based techniques. The Matrix contains information for the following platforms: Azure AD, Office 365, SaaS, IaaS. For more information, see the 💡 [MITRE ATT&CK: Cloud Matrix](https://attack.mitre.org/matrices/enterprise/cloud/)\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Workbooks:** 2\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "workbooks",
"label": "Workbooks",
"subLabel": {
"preValidation": "Configure the workbooks",
"postValidation": "Done"
},
"bladeTitle": "Workbooks",
"elements": [
{
"name": "workbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Azure Sentinel and combine them into unified interactive experiences.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
}
}
},
{
"name": "workbook1",
"type": "Microsoft.Common.Section",
"label": "MITREATT&CK",
"elements": [
{
"name": "workbook1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Workbook to showcase MITRE ATT&CK Coverage for Azure Sentinel"
}
},
{
"name": "workbook1-name",
"type": "Microsoft.Common.TextBox",
"label": "Display Name",
"defaultValue": "MITREATT&CK",
"toolTip": "Display name for the workbook.",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a workbook name"
}
}
]
},
{
"name": "workbook2",
"type": "Microsoft.Common.Section",
"label": "MITREATT&CK",
"elements": [
{
"name": "workbook2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Workbook to showcase MITRE ATT&CK Coverage for Azure Sentinel"
}
},
{
"name": "workbook2-name",
"type": "Microsoft.Common.TextBox",
"label": "Display Name",
"defaultValue": "MITREATT&CK",
"toolTip": "Display name for the workbook.",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a workbook name"
}
}
]
}
]
}
],
"outputs": {
"workspace-location": "[resourceGroup().location]",
"location": "[location()]",
"workspace": "[basics('workspace')]",
"workbook1-name": "[steps('workbooks').workbook1.workbook1-name]",
"workbook2-name": "[steps('workbooks').workbook2.workbook2-name]"
}
}
}
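Review bot: The `workbook1` and `workbook2` sections (L1316-L1367) carry the same label, the same description text and the same `defaultValue` `"MITREATT&CK"` (L1319/L1345, L1325/L1351, L1332/L1358), so a deployment that keeps the defaults creates two workbooks that cannot be told apart by name, even though the input file on L1412-L1413 shows one of them is the Cloud Matrix workbook; give the second section its own label and default, e.g. `"label": "MITREATT&CK_CloudMatrix"` and `"defaultValue": "MITREATT&CK_CloudMatrix"`. Note also that `&` is not in the character class of the `regex` on L1336 and L1362, so the default only passes validation because the pattern lacks a `^` anchor; once the pattern is anchored, these defaults (and L1406) need an allowed character instead of `&`, or the class needs extending.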


@ -0,0 +1,15 @@
{
"publisherId": "azuresentinel",
"planId": "azure-sentinel-solution-mitreattck",
"firstPublishDate": "2021-10-20",
"providers": ["Microsoft"],
"categories": {
"domains" : ["Security - Threat Protection", "Security - Others"]
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}


@ -0,0 +1,14 @@
{
"Name": "MITREATT&CK",
"Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
"Description": "MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. The MITRE ATT&CK Cloud Matrix provides tactics and techniques representing the MITRE ATT&CK® Matrix for Enterprise covering cloud-based techniques. The Matrix contains information for the following platforms: Azure AD, Office 365, SaaS, IaaS. For more information, see the 💡 [MITRE ATT&CK: Cloud Matrix](https://attack.mitre.org/matrices/enterprise/cloud/)",
"WorkbookDescription": "Workbook to showcase MITRE ATT&CK Coverage for Azure Sentinel",
"Workbooks": [
"Workbooks/MITREATT&CK_CloudMatrix.json",
"Workbooks/MITREATT&CK.json"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\azure\\Solutions\\ThreatAnalysis&ResponsewithMITREATT&CK",
"Version": "1.0.3"
}
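Review bot: The solution name on L1406, the workbook paths on L1412-L1413 and the directory in `BasePath` on L1416 all contain `&`, which is a shell metacharacter and must be percent-encoded in URLs; any packaging or CI script that passes these paths through an unquoted shell command or builds a raw link from them will presumably break on it. If renaming is an option, an ampersand-free directory and file name such as `MITREATTACK` avoids the class of problem entirely; otherwise the scripts that consume these values should quote them. This is inferred from the values alone — the consuming tooling is not part of this commit.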

Solutions/ZeroTrust(TIC3.0)/Package/1.0.5.zip Normal file


@ -0,0 +1,286 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe Azure Sentinel: Zero Trust (TIC3.0) Workbook provides an automated visualization of Zero Trust principles cross walked to the Trusted Internet Connections framework. Compliance isnt just an annual requirement, and organizations must monitor configurations over time like a muscle. This workbook leverages the full breadth of Microsoft security offerings across Azure, Office 365, Teams, Intune, Windows Virtual Desktop, and many more. This workbook enables Implementers, SecOps Analysts, Assessors, Security & Compliance Decision Makers, and MSSPs to gain situational awareness for cloud workloads' security posture. The workbook features 76+ control cards aligned to the TIC 3.0 security capabilities with selectable GUI buttons for navigation. 
This workbook is designed to augment staffing through automation, artificial intelligence, machine learning, query/alerting generation, visualizations, tailored recommendations, and respective documentation references.\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Workbooks:** 1, **Analytic Rules:** 11\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "workbooks",
"label": "Workbooks",
"subLabel": {
"preValidation": "Configure the workbooks",
"postValidation": "Done"
},
"bladeTitle": "Workbooks",
"elements": [
{
"name": "workbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Azure Sentinel and combine them into unified interactive experiences.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
}
}
},
{
"name": "workbook1",
"type": "Microsoft.Common.Section",
"label": "ZeroTrust(TIC3.0)",
"elements": [
{
"name": "workbook1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Gain insights into ZeroTrust logs."
}
},
{
"name": "workbook1-name",
"type": "Microsoft.Common.TextBox",
"label": "Display Name",
"defaultValue": "ZeroTrust(TIC3.0)",
"toolTip": "Display name for the workbook.",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a workbook name"
}
}
]
}
]
},
{
"name": "analytics",
"label": "Analytics",
"subLabel": {
"preValidation": "Configure the analytics",
"postValidation": "Done"
},
"bladeTitle": "Analytics",
"elements": [
{
"name": "analytics-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs analytic rules for ZeroTrust(TIC3.0) that you can enable for custom alert generation in Azure Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Azure Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
}
}
},
{
"name": "analytic1",
"type": "Microsoft.Common.Section",
"label": "(Preview) ZeroTrust(TIC3.0) DNS Control Family Monitoring",
"elements": [
{
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines"
}
}
]
},
{
"name": "analytic2",
"type": "Microsoft.Common.Section",
"label": "(Preview) ZeroTrust(TIC3.0) Data Protection Control Family Monitoring",
"elements": [
{
"name": "analytic2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines"
}
}
]
},
{
"name": "analytic3",
"type": "Microsoft.Common.Section",
"label": "(Preview) ZeroTrust(TIC3.0) Email Control Family Monitoring",
"elements": [
{
"name": "analytic3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines"
}
}
]
},
{
"name": "analytic4",
"type": "Microsoft.Common.Section",
"label": "(Preview) ZeroTrust(TIC3.0) Enterprise Control Family Monitoring",
"elements": [
{
"name": "analytic4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines"
}
}
]
},
{
"name": "analytic5",
"type": "Microsoft.Common.Section",
"label": "(Preview) ZeroTrust(TIC3.0) Files Control Family Monitoring",
"elements": [
{
"name": "analytic5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines"
}
}
]
},
{
"name": "analytic6",
"type": "Microsoft.Common.Section",
"label": "(Preview) ZeroTrust(TIC3.0) Intrusion Detection Control Family Monitoring",
"elements": [
{
"name": "analytic6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines"
}
}
]
},
{
"name": "analytic7",
"type": "Microsoft.Common.Section",
"label": "(Preview) ZeroTrust(TIC3.0) Networking Control Family Monitoring",
"elements": [
{
"name": "analytic7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines"
}
}
]
},
{
"name": "analytic8",
"type": "Microsoft.Common.Section",
"label": "(Preview) ZeroTrust(TIC3.0) Resiliency Control Family Monitoring",
"elements": [
{
"name": "analytic8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines"
}
}
]
},
{
"name": "analytic9",
"type": "Microsoft.Common.Section",
"label": "(Preview) ZeroTrust(TIC3.0) UCC Control Family Monitoring",
"elements": [
{
"name": "analytic9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines"
}
}
]
},
{
"name": "analytic10",
"type": "Microsoft.Common.Section",
"label": "(Preview) ZeroTrust(TIC3.0) Universal Security Capabilities Control Family Monitoring",
"elements": [
{
"name": "analytic10-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines"
}
}
]
},
{
"name": "analytic11",
"type": "Microsoft.Common.Section",
"label": "(Preview) ZeroTrust(TIC3.0) Web Control Family Monitoring",
"elements": [
{
"name": "analytic11-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines"
}
}
]
}
]
}
],
"outputs": {
"workspace-location": "[resourceGroup().location]",
"location": "[location()]",
"workspace": "[basics('workspace')]",
"workbook1-name": "[steps('workbooks').workbook1.workbook1-name]"
}
}
}
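Review bot: The workbook display-name default at L1518, `ZeroTrust(TIC3.0)`, cannot pass its own validation at L1522, because `[a-z0-9A-Z]{1,256}$` requires the last character to be alphanumeric and the default ends in `)`, so a user must retype the name before the step validates. The pattern is also unanchored at the start and therefore constrains only the tail of the input; anchoring it and admitting the characters the default uses, `"regex": "^[a-zA-Z0-9 ()._-]{1,256}$"`, fixes both. Separately, the `description` value at L1436 appears to continue on L1437 after a literal line break; if that is a real newline inside the string rather than a rendering wrap, the file is not valid JSON (RFC 8259 forbids unescaped control characters in strings), and since the same text at L1744 in SolutionMetadata is on one line, an `\n` escape or a joined line is presumably what was intended. The workspace filter at L1475 matches the resource-group name as a substring of the workspace id, so workspaces from any resource group whose name contains the selected one (for instance `rg` versus `rg-prod`, constructed example) would also be listed; matching the exact `/resourceGroups/<name>/` segment would be safer if that is not intended.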



@ -0,0 +1,15 @@
{
"publisherId": "azuresentinel",
"planId": "azure-sentinel-solution-zerotrust",
"firstPublishDate": "2021-10-20",
"providers": ["Microsoft"],
"categories": {
"domains" : ["Identity", "Security - Others"]
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}


@ -0,0 +1,27 @@
{
"Name": "ZeroTrust(TIC3.0)",
"Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
"Description": "The Azure Sentinel: Zero Trust (TIC3.0) Workbook provides an automated visualization of Zero Trust principles cross walked to the Trusted Internet Connections framework. Compliance isnt just an annual requirement, and organizations must monitor configurations over time like a muscle. This workbook leverages the full breadth of Microsoft security offerings across Azure, Office 365, Teams, Intune, Windows Virtual Desktop, and many more. This workbook enables Implementers, SecOps Analysts, Assessors, Security & Compliance Decision Makers, and MSSPs to gain situational awareness for cloud workloads' security posture. The workbook features 76+ control cards aligned to the TIC 3.0 security capabilities with selectable GUI buttons for navigation. This workbook is designed to augment staffing through automation, artificial intelligence, machine learning, query/alerting generation, visualizations, tailored recommendations, and respective documentation references.",
"WorkbookDescription": "Gain insights into ZeroTrust logs.",
"Workbooks": [
"Workbooks/ZeroTrust(TIC3.0).json"
],
"Analytic Rules": [
"Analytic Rules/ZeroTrustDNSFamilyControlsMonitoring.yaml",
"Analytic Rules/ZeroTrustDataProtectionFamilyControlsMonitoring.yaml",
"Analytic Rules/ZeroTrustEmailFamilyControlsMonitoring.yaml",
"Analytic Rules/ZeroTrustEnterpriseFamilyControlsMonitoring.yaml",
"Analytic Rules/ZeroTrustFilesFamilyControlsMonitoring.yaml",
"Analytic Rules/ZeroTrustIntrusionDetectionFamilyControlsMonitoring.yaml",
"Analytic Rules/ZeroTrustNetworkingFamilyControlsMonitoring.yaml",
"Analytic Rules/ZeroTrustResiliencyFamilyControlsMonitoring.yaml",
"Analytic Rules/ZeroTrustUCCFamilyControlsMonitoring.yaml",
"Analytic Rules/ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring.yaml",
"Analytic Rules/ZeroTrustWebFamilyControlsMonitoring.yaml"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\azure\\Solutions\\ZeroTrust(TIC3.0)",
"Version": "1.0.5"
}