Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Merge pull request #3681 from socprime/digital_guardian_content 

add analytic content for Digital Guardian
This commit is contained in:
aprakash13 2021-12-30 13:30:55 -08:00 коммит произвёл GitHub
Родитель bb976ea44a 3b43a9ce0f
Коммит bea143b5ae
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
26 изменённых файлов: 1209 добавлений и 0 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

65
.script/tests/KqlvalidationsTests/CustomTables/DigitalGuardian.json Executable file
Просмотреть файл

@ -0,0 +1,65 @@
{
"Name": "Syslog (Digital Guardian)",
"Properties": [
{
"Name": "TenantId",
"Type": "String"
},
{
"Name": "SourceSystem",
"Type": "String"
},
{
"Name": "TimeGenerated [UTC]",
"Type": "DateTime"
},
{
"Name": "Computer",
"Type": "String"
},
{
"Name": "EventTime [UTC]",
"Type": "DateTime"
},
{
"Name": "Facility",
"Type": "String"
},
{
"Name": "HostName",
"Type": "String"
},
{
"Name": "SeverityLevel",
"Type": "String"
},
{
"Name": "SyslogMessage",
"Type": "String"
},
{
"Name": "ProcessID",
"Type": "String"
},
{
"Name": "HostIP",
"Type": "Int"
},
{
"Name": "ProcessName",
"Type": "String"
},
{
"Name": "MG",
"Type": "String"
},
{
"Name": "Type",
"Type": "String"
},
{
"Name": "_ResourceId",
"Type": "String"
}
]
}

149
.script/tests/KqlvalidationsTests/CustomTables/DigitalGuardianDLPEvent.json Normal file
Просмотреть файл

@ -0,0 +1,149 @@
{
"name": "DigitalGuardianDLPEvent",
"Properties": [
{
"Name": "TenantId",
"Type": "String"
},
{
"Name": "SourceSystem",
"Type": "String"
},
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "Computer",
"Type": "String"
},
{
"Name": "EventTime",
"Type": "DateTime"
},
{
"Name": "Facility",
"Type": "String"
},
{
"Name": "HostName",
"Type": "String"
},
{
"Name": "SeverityLevel",
"Type": "String"
},
{
"Name": "SyslogMessage",
"Type": "String"
},
{
"Name": "ProcessID",
"Type": "Int32"
},
{
"Name": "HostIP",
"Type": "String"
},
{
"Name": "ProcessName",
"Type": "String"
},
{
"Name": "MG",
"Type": "String"
},
{
"Name": "Type",
"Type": "String"
},
{
"Name": "_ResourceId",
"Type": "String"
},
{
"Name": "DvcAvtion",
"Type": "String"
},
{
"Name": "DstUserName",
"Type": "String"
},
{
"Name": "DstIpAddr",
"Type": "String"
},
{
"Name": "DstPortNumber",
"Type": "String"
},
{
"Name": "email_recipients",
"Type": "String"
},
{
"Name": "email_sender",
"Type": "String"
},
{
"Name": "email_subject",
"Type": "String"
},
{
"Name": "http_url",
"Type": "String"
},
{
"Name": "IncidentId",
"Type": "String"
},
{
"Name": "IncidentStatus",
"Type": "String"
},
{
"Name": "IncidentsUrl",
"Type": "String"
},
{
"Name": "inspected_document",
"Type": "String"
},
{
"Name": "managed_device_id",
"Type": "String"
},
{
"Name": "MatchedPolicies",
"Type": "String"
},
{
"Name": "matches",
"Type": "String"
},
{
"Name": "EventCount",
"Type": "String"
},
{
"Name": "NetworkApplicationProtocol",
"Type": "String"
},
{
"Name": "SrcUserName",
"Type": "String"
},
{
"Name": "SrcIpAddr",
"Type": "String"
},
{
"Name": "SrcPortNumber",
"Type": "String"
},
{
"Name": "EventEndTime",
"Type": "DateTime"
}
]
}

1
.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
Просмотреть файл

@ -53,6 +53,7 @@
"DDOS",
"DNS",
"Darktrace",
"DigitalGuardianDLP",
"Dynamics365",
"ESETEnterpriseInspector",
"ESETPROTECT",

34
Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianClassifiedDataInsecureTransfer.yaml Executable file
Просмотреть файл

@ -0,0 +1,34 @@
id: b52cda18-c1af-40e5-91f3-1fcbf9fa267e
name: Digital Guardian - Sensitive data transfer over insecure channel
description: |
'Detects sensitive data transfer over insecure channel.'
severity: Medium
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where isnotempty(MatchedPolicies)
| where isnotempty(inspected_document)
| where NetworkApplicationProtocol =~ 'HTTP'
| extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled

28
Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianExfiltrationOverDNS.yaml Executable file
Просмотреть файл

@ -0,0 +1,28 @@
id: 39e25deb-49bb-4cdb-89c1-c466d596e2bd
name: Digital Guardian - Exfiltration using DNS protocol
description: |
'Detects exfiltration using DNS protocol.'
severity: High
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where DstPortNumber == 53
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
version: 1.0.0
kind: Scheduled

32
Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianExfiltrationToFileShareServices.yaml Executable file
Просмотреть файл

@ -0,0 +1,32 @@
id: f7b6ddef-c1e9-46f0-8539-dbba7fb8a5b8
name: Digital Guardian - Exfiltration to online fileshare
description: |
'Detects exfiltration to online fileshare.'
severity: High
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
let threshold = 10;
DigitalGuardianDLPEvent
| where isnotempty(inspected_document)
| where http_url contains 'dropbox' or http_url contains 'mega.nz'
| summarize f = dcount(inspected_document) by SrcUserName, bin(TimeGenerated, 30m)
| where f >= threshold
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
version: 1.0.0
kind: Scheduled

35
Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianFileSentToExternal.yaml Executable file
Просмотреть файл

@ -0,0 +1,35 @@
id: edead9b5-243a-466b-ae78-2dae32ab1117
name: Digital Guardian - Exfiltration to private email
description: |
'Detects exfiltration to private email.'
severity: High
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where NetworkApplicationProtocol =~ 'SMTP'
| where isnotempty(inspected_document)
| extend s_user = substring(SrcUserName, 0, indexof(SrcUserName, '@'))
| extend d_user = substring(DstUserName, 0, indexof(DstUserName, '@'))
| extend s_domain = extract(@'@(.*)', 1, SrcUserName)
| extend d_domain = extract(@'@(.*)', 1, DstUserName)
| where s_domain != d_domain
| where s_user == d_user
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
version: 1.0.0
kind: Scheduled

34
Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianFileSentToExternalDomain.yaml Executable file
Просмотреть файл

@ -0,0 +1,34 @@
id: a19885c8-1e44-47e3-81df-d1d109f5c92d
name: Digital Guardian - Exfiltration to external domain
description: |
'Detects exfiltration to external domain.'
severity: Medium
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
let corp_domain = dynamic(['example.com']); //add all corporate domains to this list
DigitalGuardianDLPEvent
| where NetworkApplicationProtocol =~ 'SMTP'
| where isnotempty(inspected_document)
| extend s_domain = extract(@'@(.*)', 1, SrcUserName)
| extend d_domain = extract(@'@(.*)', 1, DstUserName)
| where s_domain in~ (corp_domain)
| where d_domain !in (corp_domain)
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
version: 1.0.0
kind: Scheduled

37
Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianFilesSentToExternalDomain.yaml Executable file
Просмотреть файл

@ -0,0 +1,37 @@
id: 5f75a873-b524-4ba5-a3b8-2c20db517148
name: Digital Guardian - Bulk exfiltration to external domain
description: |
'Detects bulk exfiltration to external domain.'
severity: Medium
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
let threshold = 10;
let corp_domain = dynamic(['example.com']);
DigitalGuardianDLPEvent
| where NetworkApplicationProtocol =~ 'SMTP'
| where isnotempty(inspected_document)
| extend s_domain = extract(@'@(.*)', 1, SrcUserName)
| extend d_domain = extract(@'@(.*)', 1, DstUserName)
| where s_domain in~ (corp_domain)
| where d_domain !in (corp_domain)
| summarize f = dcount(inspected_document) by SrcUserName, DstUserName, bin(TimeGenerated, 30m)
| where f >= threshold
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
version: 1.0.0
kind: Scheduled

31
Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianMultipleIncidentsFromUser.yaml Executable file
Просмотреть файл

@ -0,0 +1,31 @@
id: e8901dac-2549-4948-b793-5197a5ed697a
name: Digital Guardian - Multiple incidents from user
description: |
'Detects multiple incidents from user.'
severity: High
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
let threshold = 2;
DigitalGuardianDLPEvent
| where isnotempty(MatchedPolicies)
| summarize count() by SrcUserName, bin(TimeGenerated, 30m)
| where count_ >= threshold
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
version: 1.0.0
kind: Scheduled

29
Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianPossibleProtocolAbuse.yaml Executable file
Просмотреть файл

@ -0,0 +1,29 @@
id: a374a933-f6c4-4200-8682-70402a9054dd
name: Digital Guardian - Possible SMTP protocol abuse
description: |
'Detects possible SMTP protocol abuse.'
severity: High
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where NetworkApplicationProtocol =~ 'SMTP'
| where DstPortNumber != 25
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
version: 1.0.0
kind: Scheduled

28
Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianUnexpectedProtocol.yaml Executable file
Просмотреть файл

@ -0,0 +1,28 @@
id: a14f2f95-bbd2-4036-ad59-e3aff132b296
name: Digital Guardian - Unexpected protocol
description: |
'Detects RDP protocol usage for data transfer which is not common.'
severity: High
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where DstPortNumber == 3389
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
version: 1.0.0
kind: Scheduled

31
Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianViolationNotBlocked.yaml Executable file
Просмотреть файл

@ -0,0 +1,31 @@
id: 07bca129-e7d6-4421-b489-32abade0b6a7
name: Digital Guardian - Incident with not blocked action
description: |
'Detects when incident has not block action.'
severity: High
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where isnotempty(IncidentStatus)
| extend inc_act = split(IncidentStatus, ',')
| where inc_act has 'New'
| where inc_act !contains 'Block'
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
version: 1.0.0
kind: Scheduled

26
Solutions/DigitalGuardianDLP/Hunting Queries/DigitalGuardianDomains.yaml Executable file
Просмотреть файл

@ -0,0 +1,26 @@
id: 444c91d4-e4b8-4adc-9b05-61fe908441b8
name: Digital Guardian - Incident domains
description: |
'Query searches for incident domains.'
severity: Medium
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where TimeGenerated > ago(24h)
| where isnotempty(http_url)
| extend u = parse_url(http_url)
| extend domain=u.Host
| summarize count() by tostring(domain), SrcUserName
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity

24
Solutions/DigitalGuardianDLP/Hunting Queries/DigitalGuardianFilesSentByUsers.yaml Executable file
Просмотреть файл

@ -0,0 +1,24 @@
id: 66dd7ab7-bbc0-48b7-a3b9-4e71e610df48
name: Digital Guardian - Files sent by users
description: |
'Query searches for files sent by users.'
severity: Medium
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where TimeGenerated > ago(24h)
| where isnotempty(inspected_document)
| summarize Files = makeset(inspected_document) by SrcUserName
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity

25
Solutions/DigitalGuardianDLP/Hunting Queries/DigitalGuardianIncidentsByUser.yaml Executable file
Просмотреть файл

@ -0,0 +1,25 @@
id: 83d5652c-025c-4cee-9f33-3bc114648859
name: Digital Guardian - Users' incidents
description: |
'Query searches for users' incidents.'
severity: Medium
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where TimeGenerated > ago(24h)
| where isnotempty(IncidentStatus)
| where inc_act has 'New'
| summarize makeset(IncidentsUrl) by SrcUserName
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity

24
Solutions/DigitalGuardianDLP/Hunting Queries/DigitalGuardianInsecureProtocolSources.yaml Executable file
Просмотреть файл

@ -0,0 +1,24 @@
id: 196930a4-bd79-4800-b2bb-582a8f1c8dd4
name: Digital Guardian - Insecure file transfer sources
description: |
'Query searches for insecure file transfer sources.'
severity: Medium
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where TimeGenerated > ago(24h)
| where NetworkApplicationProtocol in~ ('HTTP', 'FTP')
| project SrcUserName, SrcIpAddr, DstIpAddr, DstPortNumber, File=inspected_document
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity

24
Solutions/DigitalGuardianDLP/Hunting Queries/DigitalGuardianInspectedFiles.yaml Executable file
Просмотреть файл

@ -0,0 +1,24 @@
id: e459b709-55f7-48b6-8afc-0ae1062d3584
name: Digital Guardian - Inspected files
description: |
'Query searches for inspected files.'
severity: Medium
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where TimeGenerated > ago(24h)
| where isnotempty(inspected_document)
| project SrcUserName, DstUserName, File=inspected_document, MatchedPolicies
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity

25
Solutions/DigitalGuardianDLP/Hunting Queries/DigitalGuardianNewIncidents.yaml Executable file
Просмотреть файл

@ -0,0 +1,25 @@
id: ae482a2c-b4e7-46fc-aeb7-744f7aad27ea
name: Digital Guardian - New incidents
description: |
'Query searches for new incidents.'
severity: Medium
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where TimeGenerated > ago(24h)
| where isnotempty(IncidentStatus)
| extend inc_act = split(IncidentStatus, ',')
| where inc_act has 'New'
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity

25
Solutions/DigitalGuardianDLP/Hunting Queries/DigitalGuardianRareDestinationPorts.yaml Executable file
Просмотреть файл

@ -0,0 +1,25 @@
id: 82cba92e-fe2f-4bba-9b46-647040b24090
name: Digital Guardian - Rare destination ports
description: |
'Query searches for rare destination ports.'
severity: Medium
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where TimeGenerated > ago(24h)
| summarize count() by DstIpAddr, DstPortNumber
| order by count_ asc
| top 10 by count_
| extend IPCustomEntity = DstIpAddr
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity

30
Solutions/DigitalGuardianDLP/Hunting Queries/DigitalGuardianRareNetworkProtocols.yaml Executable file
Просмотреть файл

@ -0,0 +1,30 @@
id: 8ab2f0db-baa1-495c-a8dd-718b81d0b8c7
name: Digital Guardian - Rare network protocols
description: |
'Query searches rare network protocols.'
severity: Medium
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where TimeGenerated > ago(24h)
| where isnotempty(NetworkApplicationProtocol)
| summarize count() by SrcIpAddr, SrcUserName
| order by count_ asc
| top 10 by count_
| extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity

26
Solutions/DigitalGuardianDLP/Hunting Queries/DigitalGuardianRareUrls.yaml Executable file
Просмотреть файл

@ -0,0 +1,26 @@
id: b9a69da9-1ca0-4e09-a24f-5d88d57e0402
name: Digital Guardian - Rare Urls
description: |
'Query searches for rare Urls.'
severity: Medium
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where TimeGenerated > ago(24h)
| where isnotempty(http_url)
| summarize count() by SrcUserName, http_url
| order by count_ asc
| top 10 by count_
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity

24
Solutions/DigitalGuardianDLP/Hunting Queries/DigitalGuardianUrlByUser.yaml Executable file
Просмотреть файл

@ -0,0 +1,24 @@
id: 310433ca-67aa-406d-bbdf-c167a474b0a0
name: Digital Guardian - Urls used
description: |
'Query searches for URLs used.'
severity: Medium
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
dataTypes:
- DigitalGuardianDLPEvent
tactics:
- Exfiltration
relevantTechniques:
- T1048
query: |
DigitalGuardianDLPEvent
| where TimeGenerated > ago(24h)
| where isnotempty(http_url)
| project SrcUserName, DstUserName, URL=http_url, MatchedPolicies
| extend AccountCustomEntity = SrcUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity

422
Solutions/DigitalGuardianDLP/Workbooks/DigitalGuardian.json Normal file
Просмотреть файл

@ -0,0 +1,422 @@
{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "**NOTE**: This data connector depends on a parser based on Kusto Function **DigitalGuardianDLPEvent** to work as expected. [Follow steps to get this Kusto Function](https://aka.ms/sentinel-DigitalGuardian-parser)"
},
"name": "text - 8"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "cd8447d9-b096-4673-92d8-2a1e8291a125",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"description": "Sets the time name for analysis",
"value": {
"durationMs": 7776000000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 86400000
},
{
"durationMs": 604800000
},
{
"durationMs": 2592000000
},
{
"durationMs": 7776000000
}
]
},
"timeContext": {
"durationMs": 86400000
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 11"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "DigitalGuardianDLPEvent\r\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};",
"size": 0,
"title": "Events Over Time",
"color": "green",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart",
"graphSettings": {
"type": 0
}
},
"customWidth": "45",
"name": "query - 12",
"styleSettings": {
"maxWidth": "55"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "DigitalGuardianDLPEvent\n| summarize count() by NetworkApplicationProtocol",
"size": 3,
"title": "Network Protocols",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "30",
"name": "query - 10"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Data Connector Statistics",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "DigitalGuardianDLPEvent\r\n| where isnotempty(SrcIpAddr)\r\n| summarize dcount(SrcIpAddr)",
"size": 3,
"title": "IP Addresses",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "card",
"textSettings": {
"style": "bignumber"
}
},
"customWidth": "50",
"name": "query - 3",
"styleSettings": {
"margin": "10",
"padding": "10"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "DigitalGuardianDLPEvent\n| where isnotempty(SrcUserName)\n| summarize dcount(SrcUserName)",
"size": 3,
"title": "Users",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "card",
"textSettings": {
"style": "bignumber"
}
},
"customWidth": "50",
"name": "query - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "DigitalGuardianDLPEvent\n| where isnotempty(SrcIpAddr)\n| summarize dcount(SrcIpAddr)",
"size": 3,
"title": "Hosts",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "card",
"textSettings": {
"style": "bignumber"
}
},
"customWidth": "50",
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "DigitalGuardianDLPEvent\n| where isnotempty(IncidentId)\n| summarize dcount(IncidentId)",
"size": 3,
"title": "Total Incidents",
"noDataMessage": "0",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "card",
"textSettings": {
"style": "bignumber"
}
},
"customWidth": "50",
"name": "query - 3"
}
]
},
"customWidth": "20",
"name": "group - 11"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "DigitalGuardianDLPEvent\r\n| where isnotempty(SrcIpAddr)\r\n| summarize count() by SrcIpAddr\r\n| top 10 by count_",
"size": 3,
"title": "Top Source Addresses",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"tileSettings": {
"titleContent": {
"columnMatch": "cat",
"formatter": 1
},
"leftContent": {
"columnMatch": "count_",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"maximumFractionDigits": 2,
"maximumSignificantDigits": 3
}
}
},
"secondaryContent": {
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"palette": "purple"
}
},
"showBorder": false
}
},
"customWidth": "35",
"name": "query - 0",
"styleSettings": {
"maxWidth": "30"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "DigitalGuardianDLPEvent\n| where isnotempty(SrcUserName)\n| summarize count() by SrcUserName\n| top 10 by count_",
"size": 3,
"title": "Top Users",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "35",
"name": "query - 11"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "DigitalGuardianDLPEvent\n| where isnotempty(http_url)\n| extend u = parse_url(http_url)\n| extend Domain = tostring(u.Host)\n| summarize count() by Domain\n| project Domain, EventCount=count_",
"size": 3,
"title": "Top domains",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"rowLimit": 10
}
},
"customWidth": "30",
"name": "query - 9"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "DigitalGuardianDLPEvent\n| where isnotempty(DstUserName)\n| summarize f = makeset(inspected_document) by DstUserName\n| project Email = DstUserName, Files = f, FileCount = array_length(f)",
"size": 0,
"title": "Top Recipients",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"rowLimit": 10
},
"tileSettings": {
"titleContent": {
"columnMatch": "User",
"formatter": 1
},
"leftContent": {
"columnMatch": "TotalMailsReceived",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"secondaryContent": {
"columnMatch": "Trend",
"formatter": 10,
"formatOptions": {
"palette": "magenta"
}
},
"showBorder": false
}
},
"customWidth": "40",
"name": "query - 10"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "DigitalGuardianDLPEvent\r\n| where isnotempty(inspected_document)\r\n| order by TimeGenerated\r\n| project File=inspected_document, User=SrcUserName, Policy=MatchedPolicies",
"size": 0,
"title": "Inspected files",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Total Bytes (KB)",
"formatter": 8,
"formatOptions": {
"palette": "greenRed"
}
}
],
"filter": true
},
"sortBy": [],
"tileSettings": {
"titleContent": {
"columnMatch": "User",
"formatter": 1
},
"leftContent": {
"columnMatch": "TrafficVolume(MB)",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"secondaryContent": {
"columnMatch": "Trend",
"formatter": 21,
"formatOptions": {
"palette": "blue"
}
},
"showBorder": false
}
},
"customWidth": "55",
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "DigitalGuardianDLPEvent\r\n| where isnotempty(IncidentStatus)\r\n| extend inc_act = split(IncidentStatus, ',')\r\n| where inc_act has 'New'\r\n| order by TimeGenerated\r\n| project TimeGenerated, User=SrcUserName, File=inspected_document, MatchedPolicies\r\n",
"size": 0,
"title": "New Incidents",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"filter": true
}
},
"name": "query - 1"
}
],
"fromTemplateId": "sentinel-DigitalGuardianWorkbook",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}

Двоичные данные
Solutions/DigitalGuardianDLP/Workbooks/Images/DigitalGuardianBlack.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 194 KiB

Двоичные данные
Solutions/DigitalGuardianDLP/Workbooks/Images/DigitalGuardianWhite.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 204 KiB