Merge branch 'master' into v-sabiraj-contrastprotecttemplateSpec

This commit is contained in:
v-sabiraj 2022-06-21 18:03:28 +05:30
Родитель 706271797c 1876208be1
Коммит c05dd120fd
502 изменённых файлов: 64153 добавлений и 6646 удалений


@ -44,7 +44,9 @@ jobs:
exit 1
fi
- name: Run kqlFuncYaml2Arm script
run: bash .script/kqlFuncYaml2Arm.sh
run: |
.script/kqlFuncYaml2Arm.ps1
shell: pwsh
- name: Commit changes
run: |
# Stage the files and commit

56
.github/workflows/runAsimTesters.yaml поставляемый Normal file

@ -0,0 +1,56 @@
name: Run ASIM testers on "eco-connector-test" workspace
on:
pull_request_target:
types: [opened, edited, reopened, synchronize, labeled]
paths:
- 'Parsers/ASimDns/Parsers/**'
- 'Parsers/ASimNetworkSession/Parsers/**'
- 'Parsers/ASimWebSession/Parsers/**'
- 'Parsers/ASimProcessEvent/Parsers/**'
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
permissions:
id-token: write
contents: read
jobs:
runAsimTesters:
runs-on: ubuntu-latest
steps:
- name: Checkout pull request branch
uses: actions/checkout@v3
with:
ref: ${{github.event.pull_request.head.ref}}
repository: ${{github.event.pull_request.head.repo.full_name}}
persist-credentials: false # otherwise, the token used is the GITHUB_TOKEN, instead of your personal access token.
fetch-depth: 0 # otherwise, there would be errors pushing refs to the destination repository.
- name: Login to Azure Public Cloud with AzPowershell
uses: azure/login@v1
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
enable-AzPSSession: true
- name: Setup git config
run: |
git config --local user.name "github-actions[bot]"
git config --local user.email "<>"
- name: Merge master into pull request branch
run: |
git merge origin/master
Conflicts=$(git ls-files -u | wc -l)
if [ "$Conflicts" -gt 0 ] ; then
echo "There is a merge conflict. Aborting"
git merge --abort
exit 1
fi
- name: Run Asim testers
uses: azure/powershell@v1
with:
inlineScript: |
& ".script/tests/asimParsersTest/runAsimTesters.ps1"
azPSVersion: "latest"
errorActionPreference : continue
failOnStandardError: false
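Review bot: This workflow executes pull-request-head code under privileged credentials: `pull_request_target` (L30) makes secrets and `id-token: write` (L40) available, the checkout at L46-L50 takes `ref` and `repository` from the PR head (the fork), and the step at L73-L77 then runs `.script/tests/asimParsersTest/runAsimTesters.ps1` from that checkout after `azure/login` (L53-L59) has opened the Azure session, so any contributor change to that script or to the `getModifiedASimSchemas.ps1`/`convertYamlToObject.ps1` it invokes runs with the workflow's Azure identity. The `labeled` trigger type is listed but nothing gates on a label, so this happens for every opened or synchronized PR. Gate the job on a maintainer-applied label, e.g. `if: contains(github.event.pull_request.labels.*.name, 'safe-to-test')`, and take the scripts from the base ref (a second `actions/checkout` of `github.repository` into a separate `path`), treating the PR checkout purely as YAML input; alternatively place the login step behind a GitHub `environment` with required reviewers. Separately, the "Merge master into pull request branch" step merges `origin/master` (L66), which with this checkout is the fork's master rather than this repository's; if the intent is to test against upstream, fetch it explicitly (`git fetch https://github.com/${{ github.repository }} master` and merge `FETCH_HEAD`). The comments at L51-L52 about personal access tokens and pushing refs describe a different workflow and no longer apply here.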

1
.gitignore поставляемый

@ -105,7 +105,6 @@ ipch/
*.psess
*.vsp
*.vspx
*.sap
# Visual Studio Trace Files
*.e2e


@ -74,7 +74,7 @@ function getConnectorCategory(dataTypes : any, instructionSteps:[])
{
return ConnectorCategory.AzureFunction;
}
else if(dataTypes[0].name.includes("meraki") && JSON.stringify(instructionSteps).includes("\"type\":\"InstallAgent\""))
else if((dataTypes[0].name.includes("meraki") || dataTypes[0].name.includes("vcenter")) && JSON.stringify(instructionSteps).includes("\"type\":\"InstallAgent\""))
{
return ConnectorCategory.SysLog;
}
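Review bot: The new condition at L101 grows the syslog detection by another hard-coded substring; as a matter of style, keep the vendor list in one place rather than extending the boolean each time, e.g. `const syslogAgentVendors = ["meraki", "vcenter"];` and `else if (syslogAgentVendors.some(v => dataTypes[0].name.includes(v)) && JSON.stringify(instructionSteps).includes("\"type\":\"InstallAgent\""))`. The `dataTypes[0]` access is unguarded on both the old and the new line, so an empty `dataTypes` array throws here; that predates this commit but deserves a guard if callers can pass an empty list. getConnectorCategory starts outside the hunk.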


@ -0,0 +1,19 @@
function getModifiedAsimSchemas() {
$schemas = ("ASimDns", "ASimWebSession", "ASimNetworkSession", "ASimProcessEvent")
$midifiedSchemas = @()
foreach ($schema in $schemas) {
$filesThatWereChanged= Invoke-Expression "git diff origin/master --name-only -- $($PSScriptRoot)/../Parsers/$($schema)/Parsers"
if ($filesThatWereChanged) {
Write-Host Files that were changed under Azure-Sentinel/Parsers/$schema/ARM:
Write-Host - $filesThatWereChanged
$midifiedSchemas += $schema
}
else {
Write-Host "No files were changed under Azure-Sentinel/Parsers/$schema/"
}
}
return $midifiedSchemas
}
getModifiedAsimSchemas
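Review bot: `Invoke-Expression` at L113 is unnecessary and fragile: the string it evaluates embeds `$PSScriptRoot`, so a checkout path containing spaces, quotes or `$` is re-parsed as PowerShell instead of being passed to git; call git directly: `$filesThatWereChanged = git diff origin/master --name-only -- "$PSScriptRoot/../Parsers/$schema/Parsers"`. git's exit status is also ignored, so a missing `origin/master` ref (the workflow checks out the fork, where that ref may be absent or stale) silently reads as "no files changed"; check `$LASTEXITCODE` after the call and fail loudly. Minor: `$midifiedSchemas` (L111, L117, L123) is a typo for `$modifiedSchemas`, and the `Write-Host` calls at L115-L116 should quote their message.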


@ -0,0 +1,10 @@
$failed=0
# The KqlFuncYaml2Arm script generates deployable ARM templates from KQL function YAML files.
# Currently, the script only runs on the Schemas listed below.
$modifiedSchemas = & "$($PSScriptRoot)/getModifiedASimSchemas.ps1"
foreach($schema in $modifiedSchemas) {
Remove-Item "$($PSScriptRoot)/../Parsers/$schema/ARM" -Recurse
python ASIM/dev/ASimYaml2ARM/KqlFuncYaml2Arm.py -m asim -d Parsers/$schema/ARM Parsers/$schema/Parsers
}
exit $failed
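Review bot: `$failed` is initialised at L130 and never assigned afterwards, so `exit $failed` at L138 returns 0 even when the python generator at L136 fails, and the workflow's following "Commit changes" step would then publish partially regenerated ARM templates; capture the native exit code after the python line: `if ($LASTEXITCODE -ne 0) { $failed = 1 }`. The loop also mixes path bases — `Remove-Item` uses `$PSScriptRoot/../Parsers/...` while python receives `Parsers/$schema/...` relative to the current directory — so the script only works when launched from the repository root; use the `$PSScriptRoot`-relative form for both. `Remove-Item -Recurse` without `-Force` can stop on read-only files, and without `-ErrorAction SilentlyContinue` a schema whose ARM directory does not yet exist terminates the script under the `Stop` error preference the GitHub `pwsh` shell applies.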


@ -1,21 +0,0 @@
#!/bin/bash
failed=0
# The KqlFuncYaml2Arm script generates deployable ARM templates from KQL function YAML files.
# Currently, the script only runs on the Schemas listed below.
parsersSchemas=(ASimDns ASimNetworkSession ASimWebSession ASimProcessEvent)
for schema in ${parsersSchemas[@]}
do
filesThatWereChanged=$(echo $(git diff origin/master --name-only -- Parsers/$schema/))
if [ "$filesThatWereChanged" = "" ]; then
echo No files were changed under Azure-Sentinel/Parsers/$schema/
else
echo Regenerate ARM templates under Azure-Sentinel/Parsers/$schema/ARM
echo $filesThatWereChanged
rm -rf Parsers//$schema/ARM
python ASIM/dev/ASimYaml2ARM/KqlFuncYaml2Arm.py -m asim -d Parsers//$schema/ARM Parsers//$schema/Parsers
fi
done
exit $failed


@ -0,0 +1,16 @@
{
"FunctionName": "_ASIM_GetSourceBySourceType",
"FunctionParameters": [
{
"Name": "SourceType",
"Type": "string",
"IsRequired": true
}
],
"FunctionResultColumns": [
{
"Name": "print_0",
"Type": "dynamic"
}
]
}


@ -0,0 +1,89 @@
{
"name": "NetwrixAuditor",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "EventVendor",
"Type": "String"
},
{
"Name": "EventProduct",
"Type": "String"
},
{
"Name": "EventSchemaVersion",
"Type": "String"
},
{
"Name": "EventCount",
"Type": "Double"
},
{
"Name": "EventProductVersion",
"Type": "String"
},
{
"Name": "EventSubType",
"Type": "String"
},
{
"Name": "EventOriginalType",
"Type": "String"
},
{
"Name": "EventSeverity",
"Type": "String"
},
{
"Name": "EventMessage",
"Type": "String"
},
{
"Name": "SrcHostname",
"Type": "String"
},
{
"Name": "EventResult",
"Type": "String"
},
{
"Name": "Object",
"Type": "String"
},
{
"Name": "ActorUsername",
"Type": "String"
},
{
"Name": "AdditionalFields",
"Type": "String"
},
{
"Name": "EventEndTime",
"Type": "DateTime"
},
{
"Name": "EventOriginalResultDetails",
"Type": "String"
},
{
"Name": "Computer",
"Type": "String"
},
{
"Name": "Type",
"Type": "String"
},
{
"Name": "TenanId",
"Type": "String"
},
{
"Name": "SourseSystem",
"Type": "String"
}
]
}
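Review bot: The last two column names look like typos: `"TenanId"` at L265 and `"SourseSystem"` at L269 should be `"TenantId"` and `"SourceSystem"`, the standard Log Analytics columns spelled that way in the sibling schema at L286 and L290; if this file drives the KQL validation tests, a parser referencing the real column names would be reported as using unknown columns. This file also keys the table name as lowercase `"name"` (L186) while the TrendMicro files use `"Name"` (L279, L376); whether the loader is case-insensitive is not visible here, so confirm against it before merging.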


@ -1,93 +0,0 @@
{
"Name": "TrendMicro_XDR_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "TenantId",
"Type": "String"
},
{
"Name": "SourceSystem",
"Type": "String"
},
{
"Name": "impactScope_hostGuid_g",
"Type": "String"
},
{
"Name": "impactScope_hostname_s",
"Type": "String"
},
{
"Name": "impactScope_account_s",
"Type": "String"
},
{
"Name": "impactScope_accounts_s",
"Type": "String"
},
{
"Name": "alertProvider_s",
"Type": "String"
},
{
"Name": "alertTriggerTimestamp_t",
"Type": "DateTime"
},
{
"Name": "description_s",
"Type": "String"
},
{
"Name": "impactScope_s",
"Type": "Dynamic"
},
{
"Name": "impactScope_host_s",
"Type": "String"
},
{
"Name": "impactScope_hosts_s",
"Type": "String"
},
{
"Name": "model_s",
"Type": "String"
},
{
"Name": "indicators_s",
"Type": "Dynamic"
},
{
"Name": "matchedRules_s",
"Type": "Dynamic"
},
{
"Name": "modelSeverity_s",
"Type": "String"
},
{
"Name": "score_s",
"Type": "String"
},
{
"Name": "workbenchCompleteTimestamp_t",
"Type": "DateTime"
},
{
"Name": "workbenchId_s",
"Type": "String"
},
{
"Name": "workbenchLink_s",
"Type": "String"
},
{
"Name": "Type",
"Type": "String"
}
]
}


@ -0,0 +1,73 @@
{
"Name":"TrendMicro_XDR_WORKBENCH_CL",
"Properties":[
{
"Name":"workbenchName_s",
"Type":"String"
},
{
"Name":"description_s",
"Type":"String"
},
{
"Name":"workbenchId_s",
"Type":"String"
},
{
"Name":"workbenchLink_s",
"Type":"String"
},
{
"Name":"priorityScore_d",
"Type":"Int"
},
{
"Name":"createdTime_t",
"Type":"DateTime"
},
{
"Name":"severity_s",
"Type":"String"
},
{
"Name":"impactScope_Summary_s",
"Type":"String"
},
{
"Name":"alertProvider_s",
"Type":"String"
},
{
"Name":"UserAccountName_s",
"Type":"String"
},
{
"Name":"UserAccountNTDomain_s",
"Type":"String"
},
{
"Name":"FileName_s",
"Type":"String"
},
{
"Name":"FileDirectory_s",
"Type":"String"
},
{
"Name":"ProcessCommandLine_s",
"Type":"String"
},
{
"Name":"RegistryKey_s",
"Type":"String"
},
{
"Name":"RegistryValue_s",
"Type":"String"
},
{
"Name":"RegistryValueName_s",
"Type":"String"
}
]
}
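Review bot: `priorityScore_d` is declared `"Type":"Int"` at L395-L396, but the `_d` suffix denotes a double in custom-log column naming, and the other new schemas in this commit map `_d` columns to `real` (L456-L457); unless the loader treats `Int` and `real` alike, validation of parsers that handle this column as a real will diverge from the live table. The file also omits `TimeGenerated`, `TenantId`, `SourceSystem` and `Type`, which the deleted `TrendMicro_XDR_CL` schema carried (L282-L291, L366-L367) and which every Log Analytics table exposes; the `ZNAccessOrchestrator` schemas at L452-L500 and L505-L553 (identical to each other apart from the table name) omit them as well, so parsers that project `TimeGenerated` may be flagged against these schemas. If the validator requires every referenced column to be declared, add `{"Name":"TimeGenerated","Type":"DateTime"}` (and the other three) to each.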


@ -0,0 +1,49 @@
{
"name": "ZNAccessOrchestratorAuditNativePoller_CL",
"Properties": [
{
"Name": "timestamp_d",
"Type": "real"
},
{
"Name": "auditType_d",
"Type": "real"
},
{
"Name": "enforcementSource_d",
"Type": "real"
},
{
"Name": "userRole_d",
"Type": "real"
},
{
"Name": "destinationEntitiesList_s",
"Type": "string"
},
{
"Name": "details_s",
"Type": "string"
},
{
"Name": "reportedObjectId_g",
"Type": "string"
},
{
"Name": "performedBy_id_s",
"Type": "string"
},
{
"Name": "performedBy_name_s",
"Type": "string"
},
{
"Name": "performedBy_id_g",
"Type": "string"
},
{
"Name": "reportedObjectId_s",
"Type": "string"
}
]
}


@ -0,0 +1,49 @@
{
"name": "ZNAccessOrchestratorAudit_CL",
"Properties": [
{
"Name": "timestamp_d",
"Type": "real"
},
{
"Name": "auditType_d",
"Type": "real"
},
{
"Name": "enforcementSource_d",
"Type": "real"
},
{
"Name": "userRole_d",
"Type": "real"
},
{
"Name": "destinationEntitiesList_s",
"Type": "string"
},
{
"Name": "details_s",
"Type": "string"
},
{
"Name": "reportedObjectId_g",
"Type": "string"
},
{
"Name": "performedBy_id_s",
"Type": "string"
},
{
"Name": "performedBy_name_s",
"Type": "string"
},
{
"Name": "performedBy_id_g",
"Type": "string"
},
{
"Name": "reportedObjectId_s",
"Type": "string"
}
]
}


@ -32,7 +32,8 @@ namespace Kqlvalidations.Tests.FunctionSchemasLoaders
private Dictionary<string, List<Column>> GetSchemaToResultColumnsMapping(IEnumerable<FunctionSchema> sampleFunctions)
{
Dictionary<string, string> sampleFunctionToSchemaMapping = ParsersDatabase.Parsers.ToDictionary(keySelector: parser => parser.SampleFunctionName, elementSelector: parser => parser.Schema);
return sampleFunctions.ToDictionary(keySelector: sampleFunction => sampleFunctionToSchemaMapping[sampleFunction.FunctionName], elementSelector: sampleFunction => sampleFunction.FunctionResultColumns);
var sampleSchemaFunctions = sampleFunctions.Where(function => sampleFunctionToSchemaMapping.ContainsKey(function.FunctionName));
return sampleSchemaFunctions.ToDictionary(keySelector: sampleFunction => sampleFunctionToSchemaMapping[sampleFunction.FunctionName], elementSelector: sampleFunction => sampleFunction.FunctionResultColumns);
}
/// <summary>
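Review bot: The added `Where` at L562 turns a loud failure into a silent skip: previously a sample function with no entry in `ParsersDatabase.Parsers` threw `KeyNotFoundException` from the indexer, which surfaced a parser added without a database entry, whereas now such functions are dropped and that schema simply goes untested. If tolerating non-schema functions in the input is the intent, keep the dropped ones visible, e.g. `var unmapped = sampleFunctions.Where(f => !sampleFunctionToSchemaMapping.ContainsKey(f.FunctionName)).Select(f => f.FunctionName).ToList();` and write them to the test output or assert on the list. `ToDictionary` at L563 still throws when two sample functions map to the same schema; that predates this commit. The enclosing class continues outside the hunk.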


@ -0,0 +1,40 @@
Param([string]$Path)
function convertYamlToObject([System.IO.FileInfo] $Path) {
if (Get-Module -ListAvailable -Name powershell-yaml) {
Write-Verbose "Module already installed"
}
else {
Write-Verbose "Installing PowerShell-YAML module"
try {
Install-Module powershell-yaml -AllowClobber -Force -ErrorAction Stop
Import-Module powershell-yaml
}
catch {
Write-Error $_.Exception.Message
break
}
}
try {
$content = Get-ChildItem -Path $Path -Filter *.yaml -Recurse -ErrorAction Stop
}
catch {
Write-Error $_.Exception.Message
}
if ($content) {
Write-Host "'$($content.count)' templates found to convert"
$data = @()
$content | ForEach-Object {
$convert = $_ | Get-Content -Raw | ConvertFrom-Yaml -ErrorAction Stop
$data += $convert
}
}
else {
Write-Error "No YAML templates found"
break
}
return $data
}
convertYamlToObject $Path
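Review bot: `Install-Module powershell-yaml -AllowClobber -Force` at L578 pulls whatever version is newest on the PowerShell Gallery at run time, and this script runs inside the CI job that holds an Azure session, so the test's dependency is an unpinned supply-chain input; pin it, e.g. `Install-Module powershell-yaml -RequiredVersion <pinned-version> -AllowClobber -Force -ErrorAction Stop` (placeholder for the version you validated), and import the module in both branches rather than only after a fresh install (L579). `break` at L583 and L602 is not inside a loop, so it does not leave the function — it unwinds until a loop is found and otherwise ends the calling script with no error record; use `throw` so `runAsimTesters.ps1` can catch the failure or fail explicitly. The script parameter `$Path` at L570 and the function parameter `[System.IO.FileInfo] $Path` at L571 shadow each other, which works but is confusing; rename one of them.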


@ -0,0 +1,92 @@
$global:failed=0
$global:subscriptionId="419581d6-4853-49bd-83b6-d94bb8a77887"
$global:workspaceId="059f037c-1b3b-42b1-bb90-e340e8c3142c"
$global:schemas = ("DNS", "WebSession", "NetworkSession", "ProcessEvent")
Class Parser {
[string] $Name;
[string] $OriginalQuery;
[string] $Schema;
[System.Collections.Generic.List`1[System.Object]] $Parameters
Parser([string] $Name, [string] $OriginalQuery, [string] $Schema, [System.Collections.Generic.List`1[System.Object]] $Parameters) {
$this.Name = $Name;
$this.OriginalQuery = $OriginalQuery;
$this.Schema = $Schema;
$this.Parameters = $Parameters;
}
}
function run {
$subscription = Select-AzSubscription -SubscriptionId $global:subscriptionId
$modifiedSchemas = & "$($PSScriptRoot)/../../getModifiedASimSchemas.ps1"
$modifiedSchemas | ForEach-Object { testSchema($_) }
}
function testSchema([string] $schema) {
$parsersAsObjects = & "$($PSScriptRoot)/convertYamlToObject.ps1" -Path "$($PSScriptRoot)/../../../Parsers/$($schema)/Parsers"
Write-Host "Testing $($schema) schema, $($parsersAsObjects.count) parsers were found"
$parsersAsObjects | ForEach-Object {
$functionName = "$($_.EquivalentBuiltInParser)V$($_.Parser.Version.Replace('.',''))"
if ($_.Parsers) {
Write-Host "The parser '$($functionName)' is a main parser, ignoring it"
}
else {
testParser([Parser]::new($functionName, $_.ParserQuery, $schema.replace("ASim", ""), $_.ParserParams))
}
}
}
function testParser([Parser] $parser) {
Write-Host "Testing parser- '$($parser.Name)'"
$letStatementName = "generated$($parser.Name)"
$parserAsletStatement = "let $($letStatementName)= ($(getParameters($parser.Parameters))) { $($parser.OriginalQuery) };"
Write-Host "-- Running schema test for '$($parser.Name)'"
$schemaTest = "$($parserAsletStatement)`r`n$($letStatementName) | getschema | invoke ASimSchemaTester('$($parser.Schema)')"
invokeAsimTester $schemaTest $parser.Name "schema"
Write-Host "-- Running data test for '$($parser.Name)'"
$dataTest = "$($parserAsletStatement)`r`n$($letStatementName) | invoke ASimDataTester('$($parser.Schema)')"
invokeAsimTester $dataTest $parser.Name "data"
}
function invokeAsimTester([string] $test, [string] $name, [string] $kind) {
$query = $test + " | where Result startswith '(0) Error:'"
try {
$rawResults = Invoke-AzOperationalInsightsQuery -WorkspaceId $global:workspaceId -Query $query -ErrorAction Stop
if ($rawResults.Results) {
$resultsArray = [System.Linq.Enumerable]::ToArray($rawResults.Results)
if ($resultsArray.count) {
$errorMessage = "`r`n$($name) $($kind)- test failed with $($resultsArray.count) errors:`r`n"
$resultsArray | ForEach-Object { $errorMessage += "$($_.Result)`r`n" }
Write-Host $errorMessage
$global:failed = 1
}
else {
Write-Host " -- $($name) $($kind) test done successfully"
}
}
}
catch {
Write-Host $_
$global:failed = 1
}
}
function getParameters([System.Collections.Generic.List`1[System.Object]] $parserParams) {
$paramsArray = @()
if ($parserParams) {
$parserParams | ForEach-Object {
if ($_.Type -eq "string") {
$_.Default = "'$($_.Default)'"
}
$paramsArray += "$($_.Name):$($_.Type)= $($_.Default)"
}
return $paramsArray -join ','
}
return $paramsString
}
run
exit $global:failed
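Review bot: `getParameters` returns `$paramsString` at L689, a variable that is never assigned, so a parser without parameters yields `$null` and the let statement at L648 becomes `let generatedX= () { ... };` by accident rather than by design; return the empty string explicitly: `return ''`. The string defaults wrapped in quotes at L683 are not escaped, so a default containing `'` breaks the generated KQL, and the entire test query is assembled by concatenating PR-supplied YAML (L648, L650, L653) before it is run at L659 — acceptable only because this is a query-only call against a dedicated test workspace, which deserves a comment stating that assumption. The subscription and workspace IDs hard-coded as globals at L612-L613 should come from the workflow (`env:` or secrets) so the script is reusable across workspaces and the IDs are not baked into source. `$global:schemas` at L614 is never read, and `$_.Default` is mutated in place at L683, which matters if the same parser object is reused.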


@ -25,14 +25,14 @@
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/FullDeploymentAuthentication.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"workspaceName": {
"workspace": {
"value": "[parameters('Workspace')]"
},
"location": {
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
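Review bot: The parameter keys passed to the nested deployment change from `workspaceName`/`location` to `workspace`/`WorkspaceRegion` (L706, L710); the nested template at the new `ARM/FullDeploymentAuthentication.json` URI (L701) must declare exactly those parameter names or the deployment fails at validation, and that file is not in this hunk, so confirm it. `templateLink.uri` resolves against `master` at deployment time, so what gets deployed is whatever that branch holds then rather than the revision this commit was tested with; if reproducible deployments matter, reference a tag or commit instead of `master`.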


@ -7,23 +7,18 @@ References:
Link: https://aka.ms/AboutASIM
Description: |
This ASIM function reads the ASimDisabledParsers watchlist and determined based on it if the the parser provided as parameter is disabled.
FunctionName: ASIM_IsDisabledParser
EquivalentBuiltInFunction: _ASIM_IsDisabledParser
FunctionName: ASIM_GetDisabledParsers
EquivalentBuiltInFunction: _ASIM_GetDisabledParsers
FunctionParams:
- Name: CallerContext
Type: string
- Name: SourceSpecificParser
Type: string
FunctionQuery: |
let function = (CallerContext:string, SourceSpecificParser:string) {
let DisabledParsers = materialize (
ASIM_GetWatchlistRaw (watchlist='ASimDisabledParsers', pack_array('Any',CallerContext))
| extend SourceSpecificParser = tostring(WatchlistItem.SourceSpecificParser)
| distinct SourceSpecificParser
| where isnotempty(SourceSpecificParser)
);
toscalar(SourceSpecificParser in (DisabledParsers) or 'Any' in (DisabledParsers))
let function = (CallerContext:string) {
ASIM_GetWatchlistRaw ('ASimDisabledParsers', pack_array('Any',CallerContext))
| extend SourceSpecificParser = tostring(WatchlistItem.SourceSpecificParser)
| where isnotempty(SourceSpecificParser)
| distinct SourceSpecificParser
};
function (CallerContext, SourceSpecificParser)
function (CallerContext)
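Review bot: The `Description` at L720 still describes the old contract ("determined ... if the the parser provided as parameter is disabled") while the renamed `ASIM_GetDisabledParsers` (L723) now returns the distinct set of disabled `SourceSpecificParser` values for a caller context and takes no parser parameter (L739-L746); update it, e.g. `This ASIM function reads the ASimDisabledParsers watchlist and returns the list of source-specific parsers that are disabled for the provided caller context (or for 'Any').`, which also removes the "the the" typo. If the `SourceSpecificParser` entry in `FunctionParams` (L728-L729) survives on the new side — the rendering does not show which side those two lines belong to — it no longer matches the single-parameter signature at L739 and should be removed.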


@ -1,5 +1,5 @@
Function:
Title: An ASIM Function to get the DNS query type name (resource record type) based on a numerical query type
Title: An ASIM Function to returns the DNS query type name (resource record type) based on a numerical query type
Version: '0.1'
LastUpdated: Apr 28th 2022
References:
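Review bot: The new `Title` at L753 reads "An ASIM Function to returns the DNS query type name", a grammatical regression from the removed "to get"; the same edit at L763 has the same problem. Use the infinitive in both: `Title: An ASIM Function to return the DNS query type name (resource record type) based on a numerical query type` and `Title: An ASIM Function to return the DNS response code name based on a numerical response code`.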


@ -1,5 +1,5 @@
Function:
Title: An ASIM Function to get the DNS response code name based on a numerical response code
Title: An ASIM Function to returns the DNS response code name based on a numerical response code
Version: '0.1'
LastUpdated: Apr 27th 2022
References:


@ -341,7 +341,7 @@ SrcGeoLongitude,real,Optional,WebSession,,,
NetworkApplicationProtocol,string,Optional,WebSession,Enumerated,,
NetworkProtocol,string,Optional,WebSession,NetworkProtocol,,
NetworkProtocolVersion,string,Optional,WebSession,Enumerated,IPv4|IPv6,
NetworkDirection,string,Optional,WebSession,Enumerated,Inbound|Outbound|Listen|Unknown,
NetworkDirection,string,Optional,WebSession,Enumerated,Inbound|Outbound|Listen|Unknown|Local|External|NA,
NetworkDuration,int,Optional,WebSession,,,
Duration,int,Alias,WebSession,,,NetworkDuration
NetworkIcmpCode,int,Optional,WebSession,,,

1 ColumnName ColumnType Class Schema LogicalType ListOfValues Aliased
341 NetworkApplicationProtocol string Optional WebSession Enumerated
342 NetworkProtocol string Optional WebSession NetworkProtocol
343 NetworkProtocolVersion string Optional WebSession Enumerated IPv4|IPv6
344 NetworkDirection string Optional WebSession Enumerated Inbound|Outbound|Listen|Unknown Inbound|Outbound|Listen|Unknown|Local|External|NA
345 NetworkDuration int Optional WebSession
346 Duration int Alias WebSession NetworkDuration
347 NetworkIcmpCode int Optional WebSession


@ -9,6 +9,8 @@ To use:
- Download all the files in this directory to a folder.
- Download and install the latest Python 3 for your platform, for example from [here](https://www.python.org/downloads/). This script was tested on Windows.
- Optionally enable the script to run as a command. This document assumes you performed this. On Windows do the following:
- Install the requirements.
- python -m pip install -r requirements.txt
- Add the folder to downloaded the files to to your system path.
- Add `.py` to your system PATHEXT system variable
- Run the following commands:


@ -0,0 +1 @@
yamale
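Review bot: `yamale` is added without a version constraint, so every `pip install -r requirements.txt` resolves to whatever is newest on PyPI at that moment; for a validation tool whose output is committed back into the repository that is an unpinned dependency. Pin it, e.g. `yamale==<pinned-version>` (placeholder for the version you tested against), and consider hash-pinned requirements if the tool is ever run in CI.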


@ -0,0 +1,76 @@
Function:
Title: An ASIM Function to return the ICMP type name
Version: '0.1'
LastUpdated: Jun 7th 2022
References:
- Title: ASIM
Link: https://aka.ms/AboutASIM
- Title: IANA Protocol Numbers
Link: https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml#icmp-parameters-types
Description: |
This ASIM function returns ICMP Type name associated with the numerical value provided as a parameter. For example, for 8, the function returns "Echo" (which is the type used by the ping command).
FunctionName: ASIM_LookupICMPType
EquivalentBuiltInFunction: _ASIM_LookupICMPType
FunctionParams:
- Name: NetworkIcmpCode
Type: int
FunctionQuery: |
let function = (NetworkIcmpCode:int) {
let ICMPTypeTable=dynamic
({
"0":"Echo Reply",
"1":"Unassigned",
"2":"Unassigned",
"3":"Destination Unreachable",
"4":"Source Quench (Deprecated)",
"5":"Redirect",
"6":"Alternate Host Address (Deprecated)",
"7":"Unassigned",
"8":"Echo",
"9":"Router Advertisement",
"10":"Router Solicitation",
"11":"Time Exceeded",
"12":"Parameter Problem",
"13":"Timestamp",
"14":"Timestamp Reply",
"15":"Information Request (Deprecated)",
"16":"Information Reply (Deprecated)",
"17":"Address Mask Request (Deprecated)",
"18":"Address Mask Reply (Deprecated)",
"19":"Reserved (for Security)",
"20":"Reserved (for Robustness Experiment)",
"21":"Reserved (for Robustness Experiment)",
"22":"Reserved (for Robustness Experiment)",
"23":"Reserved (for Robustness Experiment)",
"24":"Reserved (for Robustness Experiment)",
"25":"Reserved (for Robustness Experiment)",
"26":"Reserved (for Robustness Experiment)",
"27":"Reserved (for Robustness Experiment)",
"28":"Reserved (for Robustness Experiment)",
"29":"Reserved (for Robustness Experiment)",
"30":"Traceroute (Deprecated)",
"31":"Datagram Conversion Error (Deprecated)",
"32":"Mobile Host Redirect (Deprecated)",
"33":"IPv6 Where-Are-You (Deprecated)",
"34":"IPv6 I-Am-Here (Deprecated)",
"35":"Mobile Registration Request (Deprecated)",
"36":"Mobile Registration Reply (Deprecated)",
"37":"Domain Name Request (Deprecated)",
"38":"Domain Name Reply (Deprecated)",
"39":"SKIP (Deprecated)",
"40":"Photuris",
"41":"ICMP messages utilized by experimental mobility protocols such as Seamoby",
"42":"Extended Echo Request",
"43":"Extended Echo Reply",
"253":"RFC3692-style Experiment 1",
"254":"RFC3692-style Experiment 2",
"255":"Reserved"
});
let NetworkIcmpTypeLookup = ICMPTypeTable[tostring(NetworkIcmpCode)];
case (
NetworkIcmpTypeLookup != "", NetworkIcmpTypeLookup,
'Unassigned'
)
};
function(NetworkIcmpCode)
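Review bot: The reference at L816-L817 is titled "IANA Protocol Numbers" but links to the ICMP parameters registry; the title should read `- Title: IANA ICMP Parameters`. The same copy-paste problem appears in the two `Resolve*` functions, where L1077 and L1159 title the IANA links "DNS resource record codes"; those should be `IANA ICMP Parameters` and `IANA Protocol Numbers` respectively. The lookup itself is sound as far as the hunk shows: a key missing from the dynamic literal yields a null from the indexer, so the `!= ""` test at L879 falls through to 'Unassigned' as intended.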


@ -0,0 +1,177 @@
Function:
Title: An ASIM Function to return the IP network protocol name
Version: '0.1'
LastUpdated: Jun 7th 2022
References:
- Title: ASIM
Link: https://aka.ms/AboutASIM
- Title: IANA Protocol Numbers
Link: https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
Description: |
This ASIM function returns IP network protocol name associated with the numerical value provided as a parameter. For example, for 6, the function returns "TCP".
FunctionName: ASIM_LookupNetworkProtocol
EquivalentBuiltInFunction: _ASIM_LookupNetworkProtocol
FunctionParams:
- Name: NetworkProtocol
Type: int
FunctionQuery: |
let function = (NetworkProtocol:int) {
let NetworkProtocolTable=dynamic
({
"0":"HOPOPT",
"1":"ICMP",
"2":"IGMP",
"3":"GGP",
"4":"IPv4",
"5":"ST",
"6":"TCP",
"7":"CBT",
"8":"EGP",
"9":"IGP",
"10":"BBN-RCC-MON",
"11":"NVP-II",
"12":"PUP",
"13":"ARGUS (deprecated)",
"14":"EMCON",
"15":"XNET",
"16":"CHAOS",
"17":"UDP",
"18":"MUX",
"19":"DCN-MEAS",
"20":"HMP",
"21":"PRM",
"22":"XNS-IDP",
"23":"TRUNK-1",
"24":"TRUNK-2",
"25":"LEAF-1",
"26":"LEAF-2",
"27":"RDP",
"28":"IRTP",
"29":"ISO-TP4",
"30":"NETBLT",
"31":"MFE-NSP",
"32":"MERIT-INP",
"33":"DCCP",
"34":"3PC",
"35":"IDPR",
"36":"XTP",
"37":"DDP",
"38":"IDPR-CMTP",
"39":"TP++",
"40":"IL",
"41":"IPv6",
"42":"SDRP",
"43":"IPv6-Route",
"44":"IPv6-Frag",
"45":"IDRP",
"46":"RSVP",
"47":"GRE",
"48":"DSR",
"49":"BNA",
"50":"ESP",
"51":"AH",
"52":"I-NLSP",
"53":"SWIPE (deprecated)",
"54":"NARP",
"55":"MOBILE",
"56":"TLSP",
"57":"SKIP",
"58":"IPv6-ICMP",
"59":"IPv6-NoNxt",
"60":"IPv6-Opts",
"61":"",
"62":"CFTP",
"63":"",
"64":"SAT-EXPAK",
"65":"KRYPTOLAN",
"66":"RVD",
"67":"IPPC",
"68":"",
"69":"SAT-MON",
"70":"VISA",
"71":"IPCV",
"72":"CPNX",
"73":"CPHB",
"74":"WSN",
"75":"PVP",
"76":"BR-SAT-MON",
"77":"SUN-ND",
"78":"WB-MON",
"79":"WB-EXPAK",
"80":"ISO-IP",
"81":"VMTP",
"82":"SECURE-VMTP",
"83":"VINES",
"84":"TTP",
// "84":"IPTM",
"85":"NSFNET-IGP",
"86":"DGP",
"87":"TCF",
"88":"EIGRP",
"89":"OSPFIGP",
"90":"Sprite-RPC",
"91":"LARP",
"92":"MTP",
"93":"AX.25",
"94":"IPIP",
"95":"MICP (deprecated)",
"96":"SCC-SP",
"97":"ETHERIP",
"98":"ENCAP",
"99":"",
"100":"GMTP",
"101":"IFMP",
"102":"PNNI",
"103":"PIM",
"104":"ARIS",
"105":"SCPS",
"106":"QNX",
"107":"A/N",
"108":"IPComp",
"109":"SNP",
"110":"Compaq-Peer",
"111":"IPX-in-IP",
"112":"VRRP",
"113":"PGM",
"114":"",
"115":"L2TP",
"116":"DDX",
"117":"IATP",
"118":"STP",
"119":"SRP",
"120":"UTI",
"121":"SMP",
"122":"SM (deprecated)",
"123":"PTP",
"124":"ISIS over IPv4",
"125":"FIRE",
"126":"CRTP",
"127":"CRUDP",
"128":"SSCOPMCE",
"129":"IPLT",
"130":"SPS",
"131":"PIPE",
"132":"SCTP",
"133":"FC",
"134":"RSVP-E2E-IGNORE",
"135":"Mobility Header",
"136":"UDPLite",
"137":"MPLS-in-IP",
"138":"manet",
"139":"HIP",
"140":"Shim6",
"141":"WESP",
"142":"ROHC",
"143":"Ethernet",
"253":"",
"254":"",
"255":"Reserved"
});
let NetworkProtocolLookup = NetworkProtocolTable[tostring(NetworkProtocol)];
case (
NetworkProtocolLookup != "", NetworkProtocolLookup,
'Unassigned'
)
};
function(NetworkProtocol)
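Review bot: L993 places a KQL line comment (`// "84":"IPTM",`) inside the `dynamic({...})` literal; whether the literal parser tolerates a comment at that position is not something the hunk shows, so confirm the function compiles, and either way the entry should be resolved rather than commented out — the IANA registry currently lists 84 as IPTM with TTP as the former name, so `"84":"IPTM",` is the value to keep. The sibling datatable at L1256-L1257 carries both rows for 84, where the consequence is worse (row duplication on lookup).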


@ -0,0 +1,80 @@
Function:
Title: An ASIM Function to set the NetworkIcmpType field
Version: '0.1'
LastUpdated: Jun 7th 2022
References:
- Title: ASIM
Link: https://aka.ms/AboutASIM
- Title: KQL Invoke operator
Link: https://docs.microsoft.com/azure/data-explorer/kusto/query/invokeoperator
- Title: DNS resource record codes
Link: https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml#icmp-parameters-types
Description: |
This ASIM tabular function is intended for use in ASIM Network related parsers and sets the NetworkIcmpCode and NetworkIcmpType fields based on a numerical protocol number provided as a parameter. For example, for the 8 as an input, the function sets NetworkIcmpCode to 8, and NetworkIcmpType to "Echo" . The function is invoked using the [invoke operator](https://docs.microsoft.com/azure/data-explorer/kusto/query/invokeoperator) and requires the source table to have a TimeGenerated field.
FunctionName: ASIM_ResolveICMPType
EquivalentBuiltInFunction: _ASIM_ResolveICMPType
FunctionParams:
- Name: T:(TimeGenerated:datetime)
Type: table
- Name: field
Type: string
FunctionQuery: |
let NetworkIcmpTypeLookup = datatable(NetworkIcmpCode:int, NetworkIcmpType:string) [
0,"Echo Reply",
1,"Unassigned",
2,"Unassigned",
3,"Destination Unreachable",
4,"Source Quench (Deprecated)",
5,"Redirect",
6,"Alternate Host Address (Deprecated)",
7,"Unassigned",
8,"Echo",
9,"Router Advertisement",
10,"Router Solicitation",
11,"Time Exceeded",
12,"Parameter Problem",
13,"Timestamp",
14,"Timestamp Reply",
15,"Information Request (Deprecated)",
16,"Information Reply (Deprecated)",
17,"Address Mask Request (Deprecated)",
18,"Address Mask Reply (Deprecated)",
19,"Reserved (for Security)",
20,"Reserved (for Robustness Experiment)",
21,"Reserved (for Robustness Experiment)",
22,"Reserved (for Robustness Experiment)",
23,"Reserved (for Robustness Experiment)",
24,"Reserved (for Robustness Experiment)",
25,"Reserved (for Robustness Experiment)",
26,"Reserved (for Robustness Experiment)",
27,"Reserved (for Robustness Experiment)",
28,"Reserved (for Robustness Experiment)",
29,"Reserved (for Robustness Experiment)",
30,"Traceroute (Deprecated)",
31,"Datagram Conversion Error (Deprecated)",
32,"Mobile Host Redirect (Deprecated)",
33,"IPv6 Where-Are-You (Deprecated)",
34,"IPv6 I-Am-Here (Deprecated)",
35,"Mobile Registration Request (Deprecated)",
36,"Mobile Registration Reply (Deprecated)",
37,"Domain Name Request (Deprecated)",
38,"Domain Name Reply (Deprecated)",
39,"SKIP (Deprecated)",
40,"Photuris",
41,"ICMP messages utilized by experimental mobility protocols such as Seamoby",
42,"Extended Echo Request",
43,"Extended Echo Reply",
253,"RFC3692-style Experiment 1",
254,"RFC3692-style Experiment 2",
255,"Reserved"
];
T
| extend NetworkIcmpCode = toint(column_ifexists(field,0))
| lookup NetworkIcmpTypeLookup on NetworkIcmpCode
| extend NetworkIcmpType =
case (
NetworkIcmpType != "", NetworkIcmpType,
'Unassigned'
)
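Review bot: `column_ifexists(field, 0)` at L1139 substitutes 0 when the named source column is absent, and 0 maps to "Echo Reply" in the table, so a parser that passes a wrong field name silently labels every row as an Echo Reply instead of leaving the ICMP fields empty; default to a null instead: `| extend NetworkIcmpCode = toint(column_ifexists(field, int(null)))`. The same pattern at L1322 maps a missing column to protocol 0 = "HOPOPT" and needs the same change. With a null code the `lookup` matches nothing and the `case` at L1142-L1145 yields 'Unassigned'; if an empty string is preferred for a missing field, wrap the case in `iff(isnull(NetworkIcmpCode), '', ...)`.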


@ -0,0 +1,181 @@
Function:
Title: An ASIM Function to set the NetworkProtocol field
Version: '0.1'
LastUpdated: Jun 7th 2022
References:
- Title: ASIM
Link: https://aka.ms/AboutASIM
- Title: KQL Invoke operator
Link: https://docs.microsoft.com/azure/data-explorer/kusto/query/invokeoperator
- Title: DNS resource record codes
Link: https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
Description: |
This ASIM tabular function is intended for use in ASIM Network related parsers and sets the NetworkProtocol based on a numerical protocol number provided as a parameter. For example, for the protocol number 6 the function sets NetworkProtocol to TCP. The function also sets the auxiliary field NetworkProtocolNumber. The function is invoked using the [invoke operator](https://docs.microsoft.com/azure/data-explorer/kusto/query/invokeoperator) and requires the source table to have a TimeGenerated field.
FunctionName: ASIM_ResolveNetworkProtocol
EquivalentBuiltInFunction: _ASIM_ResolveNetworkProtocol
FunctionParams:
- Name: T:(TimeGenerated:datetime)
Type: table
- Name: field
Type: string
FunctionQuery: |
let NetworkProtocolLookup = datatable(NetworkProtocolNumber:int, NetworkProtocol:string) [
0,"HOPOPT",
1,"ICMP",
2,"IGMP",
3,"GGP",
4,"IPv4",
5,"ST",
6,"TCP",
7,"CBT",
8,"EGP",
9,"IGP",
10,"BBN-RCC-MON",
11,"NVP-II",
12,"PUP",
13,"ARGUS (deprecated)",
14,"EMCON",
15,"XNET",
16,"CHAOS",
17,"UDP",
18,"MUX",
19,"DCN-MEAS",
20,"HMP",
21,"PRM",
22,"XNS-IDP",
23,"TRUNK-1",
24,"TRUNK-2",
25,"LEAF-1",
26,"LEAF-2",
27,"RDP",
28,"IRTP",
29,"ISO-TP4",
30,"NETBLT",
31,"MFE-NSP",
32,"MERIT-INP",
33,"DCCP",
34,"3PC",
35,"IDPR",
36,"XTP",
37,"DDP",
38,"IDPR-CMTP",
39,"TP++",
40,"IL",
41,"IPv6",
42,"SDRP",
43,"IPv6-Route",
44,"IPv6-Frag",
45,"IDRP",
46,"RSVP",
47,"GRE",
48,"DSR",
49,"BNA",
50,"ESP",
51,"AH",
52,"I-NLSP",
53,"SWIPE (deprecated)",
54,"NARP",
55,"MOBILE",
56,"TLSP",
57,"SKIP",
58,"IPv6-ICMP",
59,"IPv6-NoNxt",
60,"IPv6-Opts",
61,"",
62,"CFTP",
63,"",
64,"SAT-EXPAK",
65,"KRYPTOLAN",
66,"RVD",
67,"IPPC",
68,"",
69,"SAT-MON",
70,"VISA",
71,"IPCV",
72,"CPNX",
73,"CPHB",
74,"WSN",
75,"PVP",
76,"BR-SAT-MON",
77,"SUN-ND",
78,"WB-MON",
79,"WB-EXPAK",
80,"ISO-IP",
81,"VMTP",
82,"SECURE-VMTP",
83,"VINES",
84,"TTP",
84,"IPTM",
85,"NSFNET-IGP",
86,"DGP",
87,"TCF",
88,"EIGRP",
89,"OSPFIGP",
90,"Sprite-RPC",
91,"LARP",
92,"MTP",
93,"AX.25",
94,"IPIP",
95,"MICP (deprecated)",
96,"SCC-SP",
97,"ETHERIP",
98,"ENCAP",
99,"",
100,"GMTP",
101,"IFMP",
102,"PNNI",
103,"PIM",
104,"ARIS",
105,"SCPS",
106,"QNX",
107,"A/N",
108,"IPComp",
109,"SNP",
110,"Compaq-Peer",
111,"IPX-in-IP",
112,"VRRP",
113,"PGM",
114,"",
115,"L2TP",
116,"DDX",
117,"IATP",
118,"STP",
119,"SRP",
120,"UTI",
121,"SMP",
122,"SM (deprecated)",
123,"PTP",
124,"ISIS over IPv4",
125,"FIRE",
126,"CRTP",
127,"CRUDP",
128,"SSCOPMCE",
129,"IPLT",
130,"SPS",
131,"PIPE",
132,"SCTP",
133,"FC",
134,"RSVP-E2E-IGNORE",
135,"Mobility Header",
136,"UDPLite",
137,"MPLS-in-IP",
138,"manet",
139,"HIP",
140,"Shim6",
141,"WESP",
142,"ROHC",
143,"Ethernet",
253,"",
254,"",
255,"Reserved"
];
T
| extend NetworkProtocolNumber = toint(column_ifexists(field,0))
| lookup NetworkProtocolLookup on NetworkProtocolNumber
| extend NetworkProtocol =
case (
NetworkProtocol != "", NetworkProtocol,
'Unassigned'
)
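Review bot: The datatable at L1171 has two rows keyed 84 (`84,"TTP"` at L1256 and `84,"IPTM"` at L1257); `lookup` at L1323 returns every matching right-side row, so any input row with protocol 84 comes out twice, once per name, which inflates event counts downstream. Keep a single row — the IANA registry assigns 84 to IPTM, with TTP as the former name — i.e. drop L1256, or if the alias matters fold it into one string such as `84,"IPTM (TTP)",`.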


@ -74,7 +74,7 @@ These policies are required for all S3 connectors, regardless of AWS service.
"AWS": "${roleArn}"
},
"Action": [
"s3:GetObject",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::${bucketName}/*"
}
@ -116,7 +116,7 @@ Apply the following additional policies if you are ingesting GuardDuty findings.
]
},
"Action": [
"kms:Decrypt",
"kms:Decrypt"
],
"Resource": "*"
}


@ -0,0 +1,146 @@
# This template creates SQS Queue and IAM Role for Sentinel
# S3 bucket where logs are fetched by Sentinel should be updated to send notifications to SQS as following
# This configuration is done in Control Tower managed stackset AWSControlTowerLoggingResources
# {
# 'QueueConfigurations': [
# {
# 'Id':'${eventNotificationName}',
# 'QueueArn': '${sqsArn}',
# 'Events': ['s3:ObjectCreated:*'],
# 'Filter': {
# 'Key': {
# 'FilterRules': [
# {
# 'Name': 'prefix',
# 'Value': '${eventNotificationPrefix}'
# }
# ]
# }
# }
# }
# ]
# }
AWSTemplateFormatVersion: 2010-09-09
Description: >-
Azure Sentinel integration. Stack creates an Assume Role with minimal permissions to grant
Azure Sentinel access to your logs in a designated S3 bucket & SQS of your choice,
enable VPC Flow logs to VPCs of your choice, S3 bucket, SQS Queue, and S3 notifications,
in addition to some mandatory IAM policies.
Parameters:
SentinelSQSQueueName:
Default: "AzureSentinelNotifications"
Type: String
Description: >-
Prefix name for the Sentinel SQS Queue
LogBucketName:
Type: String
Description: >-
Log bucket name which will send SQS notifications for Azure Sentinel and from where Sentinel will fetch logs from.
SentinelAWSAccount:
Type: String
Description: >-
AWS Account ID from Azure Sentinel Workspace
SentinelWorkspaceID:
Type: String
Description: >-
Azure Sentinel Workspace ID
Outputs:
SentinelSQSQueueURL:
Description: >-
AWS SQS Queue URL that is inserted into Amazon Web Service S3 Connector in the Sentinel Data Connectors portal.
Value: !Ref SentinelSQSQueue
SentinelSQSQueueArn:
Description: >-
Log destination ARN to be used when setting up other accounts to exports
logs
Value: !GetAtt
- SentinelSQSQueue
- Arn
SentinelSQSQueueName:
Description: >-
Log destination ARN to be used when setting up other accounts to exports
logs
Value: !GetAtt
- SentinelSQSQueue
- QueueName
SentinelIAMRoleArn:
Description: >-
IAM Role ARN that is inserted into Amazon Web Service S3 Connector in the Sentinel Data Connectors portal.
Value: !GetAtt
- SentinelIAMRole
- Arn
Resources:
# SQS Queue notifies Sentinel for new S3 objects
SentinelSQSQueue:
Type: AWS::SQS::Queue
Properties:
QueueName: !Sub '${SentinelSQSQueueName}-${LogBucketName}'
Tags:
- Key: Bucket
Value: !Ref LogBucketName
# SQS Queue Policy that allows S3 to send notifications and Azure Sentinel to fetch them
SentinelSQSQueuePolicy:
Type: AWS::SQS::QueuePolicy
Properties:
PolicyDocument:
Statement:
- Sid: 'allow s3 to send notification messages to SQS queue'
Action:
- "SQS:SendMessage"
Effect: "Allow"
Resource:
- !GetAtt
- SentinelSQSQueue
- Arn
Principal:
Service:
- "s3.amazonaws.com"
Condition:
ArnLike:
'aws:SourceArn': !Sub 'arn:aws:s3:*:*:${LogBucketName}'
- Sid: 'allow specific role to read/delete/change visibility of SQS messages and get queue url'
Action:
- "SQS:ChangeMessageVisibility"
- "SQS:DeleteMessage"
- "SQS:ReceiveMessage"
- "SQS:GetQueueUrl"
Effect: "Allow"
Resource:
- !GetAtt
- SentinelSQSQueue
- Arn
Principal:
AWS:
- !GetAtt
- SentinelIAMRole
- Arn
Queues:
- !Ref SentinelSQSQueue
SentinelIAMRole:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Action:
- 'sts:AssumeRole'
Effect: Allow
Principal:
AWS: !Sub "arn:${AWS::Partition}:iam::${SentinelAWSAccount}:root"
Condition:
StringEquals:
'sts:ExternalId': !Ref SentinelWorkspaceID
Policies:
- PolicyName: !Sub Sentinel-${LogBucketName}-${AWS::AccountId}
PolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: SentinelS3Access
Action:
- 's3:Get*'
- 's3:List*'
Effect: Allow
Resource:
- !Sub arn:aws:s3:::${LogBucketName}/*
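Review bot: The inline role policy at the end of the template (SentinelS3Access) grants `s3:Get*` and `s3:List*` on `arn:aws:s3:::${LogBucketName}/*`, which is wider than the single `s3:GetObject` that the S3 connector policy documentation elsewhere in this commit lists as required and does not match the stack Description's "minimal permissions" claim; on an object ARN, `s3:Get*` also covers GetObjectAcl, GetObjectTagging and GetObjectVersion. Narrowing the action list to `- 's3:GetObject'` keeps the role to what the connector needs, and if listing is genuinely required it belongs in a separate statement granting `s3:ListBucket` on the bucket ARN `arn:aws:s3:::${LogBucketName}`, because `List*` actions do not apply to object ARNs and the current grant will not work for them anyway. Separately, the SentinelSQSQueuePolicy PolicyDocument has no `Version: '2012-10-17'` line, unlike the AssumeRolePolicyDocument and the inline policy below it; adding it keeps the queue policy on the current policy language instead of the legacy default, and quoting the role's `Version: 2012-10-17` the same way as the inline policy avoids YAML parsers treating it as a date. The template is otherwise sound in pinning the role trust with `sts:ExternalId` to the workspace ID.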


@ -4,11 +4,21 @@ import select
import sys
import re
# GENERAL SCRIPT CONSTANTS
LOG_OUTPUT_FILE = "/tmp/cef_troubleshooter_output_file.log"
COLLECT_OUTPUT_FILE = "/tmp/cef_troubleshooter_collection_output.log"
PATH_FOR_CSS_TICKET = "https://ms.portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview"
FAILED_TESTS_COUNT = 0
NOT_RUN_TESTS_COUNT = 0
SCRIPT_VERSION = 1.0
SCRIPT_HELP_MESSAGE = "Usage: python cef_AMA_troubleshoot.py [OPTION]\n" \
"Runs CEF validation tests on the collector machine and generates a log file here- /tmp/cef_troubleshooter_output_file.log\n\n" \
" collect, runs the script in collect mode. Useful in case you want to open a ticket. Generates an output file here- /tmp/cef_troubleshooter_collection_output.log\n" \
" -h, --help display the help and exit\n\n" \
"Example:\n" \
" python cef_AMA_troubleshoot.py\n" \
" python cef_AMA_troubleshoot.py collect\n\n" \
"This script verifies the installation of the CEF connector on the collector machine. It returns a status for each test and action items to fix detected issues."
class ColorfulPrint:
@ -45,7 +55,117 @@ class ColorfulPrint:
print("\033[0;30;47m" + input_str + "\033[0m")
class BasicCommand(ColorfulPrint):
class ShellExecute(ColorfulPrint):
'''
This class is for executing all the shell related commands in the terminal for each test.
'''
def run_command(self):
'''
Running the bash commands using the subprocess library
'''
try:
self.command_result, self.command_result_err = subprocess.Popen(self.command_to_run, shell=True,
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT).communicate()
except Exception:
self.command_result_err = "Error processing command"
if "not found" in str(self.command_result):
self.command_result_err = "Error running command: {}. Command does not exist. Please install it and run again.".format(
self.command_to_run)
def print_result_to_prompt(self):
'''
Printing the test's name and success status to the customer's prompt
'''
max_length = 47
if self.is_successful == "Warn":
self.print_warning(self.command_name + "-" * (max_length - len(self.command_name)) + "> Failed to check")
elif self.is_successful:
self.print_ok(self.command_name + "-" * (max_length - len(self.command_name)) + "> Success")
else:
self.print_error(self.command_name + "-" * (max_length - len(self.command_name)) + "> Failure")
def document_result(self):
'''
A simple way to only document the response to prompt and to the log file
Can be used in case some special commands that don't require a verification to be ran
'''
self.print_result_to_prompt()
self.log_result_to_file()
def log_result_to_file(self):
'''
Logging each test to a log file that can be used for troubleshooting. Is done by the use of the object repr function
'''
output = self.__repr__()
output_file = open(LOG_OUTPUT_FILE, 'a')
try:
output_file.write(output)
except Exception:
print(str(self.command_name.command) + "was not documented successfully")
output_file.close()
def run_full_test(self, exclude=False):
'''
A simple way to run a full test- executing the command, validating it's result, printing it to the prompt and logging it to a file
:param exclude: A parameter given to the is_command_successful function.
'''
self.run_command()
self.is_command_successful(exclude)
self.print_result_to_prompt()
self.log_result_to_file()
class FullVerification(ShellExecute):
'''
This class is running all the necessary verifications for the running test.
'''
def is_command_successful(self, exclude=False, should_fail=False):
'''
Verifying the command output indicates success. It's done by searching for key words in the result
:param exclude: If true, will verify the key words do not exist in the command result
:param should_fail: If true, will just return false and not run any further verification
:return: True if successful otherwise False.
'''
global FAILED_TESTS_COUNT, NOT_RUN_TESTS_COUNT
if "not found" in str(self.command_result):
self.is_successful = "Warn"
NOT_RUN_TESTS_COUNT += 1
return True
if self.command_result_err is None and self.command_result is not None and should_fail is not True:
self.command_result = str(self.command_result)
for key_word in self.result_keywords_array:
key_word = str(key_word)
if exclude:
if key_word in self.command_result:
self.fault_keyword = key_word
self.is_successful = False
FAILED_TESTS_COUNT += 1
return False
elif key_word not in self.command_result:
self.fault_keyword = key_word
self.is_successful = False
FAILED_TESTS_COUNT += 1
return False
self.is_successful = True
return True
self.is_successful = False
FAILED_TESTS_COUNT += 1
return False
def run_full_verification(self, exclude=False, should_fail=False):
'''
A simple way to run only the verification on documentation steps of the test.
Can be used in case some special commands are not run using the run_command function
:param exclude: A parameter given to the is_command_successful function.
:param should_fail: A parameter given to the is_command_successful function.
'''
self.is_command_successful(exclude, should_fail)
self.print_result_to_prompt()
self.log_result_to_file()
class BasicCommand(FullVerification):
'''
This class is for creating a command object. The object has execution, validation and documentation functions
'''
@ -78,108 +198,24 @@ class BasicCommand(ColorfulPrint):
delimiter).replace(
'%', '%%').replace('\\n', '\n')
def run_command(self):
'''
Running the bash commands using the subprocess library
:return:
'''
try:
self.command_result, self.command_result_err = subprocess.Popen(self.command_to_run, shell=True,
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT).communicate()
except Exception:
self.command_result_err = "Error processing command"
if "not found" in str(self.command_result):
self.command_result_err = "Error running command: {}. Command does not exist. Please install it and run again".format(
self.command_to_run)
def is_command_successful(self, exclude=False, should_fail=False):
'''
Verifying the command output indicates success. It's done by searching for key words in the result
:param exclude: If true, will verify the key words do not exist in the command result
:param should_fail: If true, will just return false and not run any further verification
:return: True if successful otherwise False.
'''
global FAILED_TESTS_COUNT
if self.command_result_err is None and self.command_result is not None and should_fail is not True:
self.command_result = str(self.command_result)
for key_word in self.result_keywords_array:
key_word = str(key_word)
if exclude:
if key_word in self.command_result:
self.fault_keyword = key_word
self.is_successful = False
FAILED_TESTS_COUNT += 1
return False
elif key_word not in self.command_result:
self.fault_keyword = key_word
self.is_successful = False
FAILED_TESTS_COUNT += 1
return False
self.is_successful = True
return True
self.is_successful = False
FAILED_TESTS_COUNT += 1
return False
def print_result_to_prompt(self):
'''
Printing the test's name and success status to the customer's prompt
'''
max_length = 47
if self.is_successful:
self.print_ok(self.command_name + "-" * (max_length - len(self.command_name)) + "> Success")
else:
self.print_error(self.command_name + "-" * (max_length - len(self.command_name)) + "> Failure")
def log_result_to_file(self):
'''
Logging each test to a log file that can be used for troubleshooting. Is done by the use of the object repr function
:return:
'''
output = self.__repr__()
output_file = open(LOG_OUTPUT_FILE, 'a')
try:
output_file.write(output)
except Exception:
print(str(self.command_name.command) + "was not documented successfully")
output_file.close()
def run_full_test(self, exclude=False):
'''
A simple way to run a full test- executing the command, validating it's result, printing it to the prompt and logging it to a file
:param exclude: A parameter given to the is_command_successful function.
'''
self.run_command()
self.is_command_successful(exclude)
self.print_result_to_prompt()
self.log_result_to_file()
def run_full_verification(self, exclude=False, should_fail=False):
'''
A simple way to run only the verification on documentation steps of the test.
Can be used in case some special commands are not run using the run_command function
:param exclude: A parameter given to the is_command_successful function.
:param should_fail: A parameter given to the is_command_successful function.
'''
self.is_command_successful(exclude, should_fail)
self.print_result_to_prompt()
self.log_result_to_file()
def document_result(self):
'''
A simple way to only document the response to prompt and to the log file
Can be used in case some special commands that don't require a verification to be ran
'''
self.print_result_to_prompt()
self.log_result_to_file()
class AgentInstallationVerifications:
'''
This class is for agent related verifications
'''
# CONSTANTS
Agent_installation_doc = "https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage"
agent_not_installed_error_message = "Could not detect an AMA service running and listening on the machine." \
" Please follow this documentation in order to install it and verify your" \
" machine's operating system is in the supported list- {}".format(
Agent_installation_doc)
agent_not_running_error_message = "Detected AMA is installed on the machine but not running. Please start the agent by running " \
"\'service azuremonitoragent start\' \nif the agent service fails to start," \
" please run the following command to review the agent error log file here- " \
"\'cat /var/opt/microsoft/azuremonitoragent/log/mdsd.err | tail -n 15\'".format(
Agent_installation_doc)
oms_running_error_message = "Detected the OMS Agent running on your machine. If not necessary please remove it to avoid duplicated data in the workspace, which can result in an increase in costs"
def verify_agent_is_running(self):
'''
@ -193,20 +229,15 @@ class AgentInstallationVerifications:
if not command_object.is_successful:
if ("could not be found" or "no such service") in command_object.command_result:
command_object.is_successful = False
if not command_object.is_successful:
command_object.print_error(
"Could not detect an AMA service running and listening on the machine. Please follow this "
"documentation in order to install it and verify your machine's operating system is in the supported list- {}".format(
self.Agent_installation_doc))
command_object.print_error(self.agent_not_installed_error_message)
return False
command_object.print_error(
"Detected AMA is installed on the machine but not running. Please start the agent by running \'service azuremonitoragent start\' \nif the agent service fails to start, "
"please run the following command to review the agent error log file here- \'cat /var/opt/microsoft/azuremonitoragent/log/mdsd.err | tail -n 15\'".format(
self.Agent_installation_doc))
command_object.command_to_run = "sudo /opt/microsoft/azuremonitoragent/bin/mdsd -V"
command_object.run_command()
command_object.print_ok(
"Detected AMA running version- {}".format(command_object.command_result.decode('UTF-8').strip('\n')))
else:
command_object.print_error(self.agent_not_running_error_message)
else:
command_object.command_to_run = "sudo /opt/microsoft/azuremonitoragent/bin/mdsd -V"
command_object.run_command()
command_object.print_ok(
"Detected AMA running version- {}".format(command_object.command_result.decode('UTF-8').strip('\n')))
def print_arc_version(self):
'''
@ -230,11 +261,12 @@ class AgentInstallationVerifications:
result_keywords_array = ["25226", "LISTEN", "tcp"]
command_object = BasicCommand(command_name, command_to_run, result_keywords_array)
command_object.run_full_test(exclude=True)
if not command_object.is_successful:
command_object.print_warning(
"Detected the OMS Agent running on your machine. If not necessary please remove it to avoid duplicated data in the workspace, which can result in an increase in costs")
if command_object.is_successful == "Warn":
command_object.print_warning(command_object.command_result_err)
elif not command_object.is_successful:
command_object.print_warning(self.oms_running_error_message)
def run_all_agent_verifications(self):
def run_all_verifications(self):
'''
This function is only called by main and runs all the tests in this class
'''
@ -247,9 +279,18 @@ class DCRConfigurationVerifications:
'''
This class is for data collection rules verifications
'''
# CONSTANTS
DCR_doc = "https://docs.microsoft.com/azure/azure-monitor/agents/data-collection-rule-overview"
DCRA_doc = "https://docs.microsoft.com/rest/api/monitor/data-collection-rule-associations"
CEF_stream_name = "SECURITY_CEF_BLOB"
DCR_missing_error_messgae = "Could not detect any data collection rule on the machine. The data reaching this server will not be forwarded to any workspace." \
" For explanation on how to install a Data collection rule please browse- {} \n " \
"In order to read about how to associate a DCR to a machine please review- {}".format(
DCR_doc, DCRA_doc)
DCR_missing_CEF_stream_error_message = "Could not detect any data collection rule for CEF data. No CEF events will " \
"be collected from this machine to any workspace. Please create a CEF DCR using the following documentation- " \
"{} and run again".format(DCR_doc)
CEF_multi_homing_message = "Detected multiple collection rules sending the CEF stream. This scenario is called multi-homing and might have effect on the agent's performance"
def verify_DCR_exists(self):
'''
@ -261,10 +302,7 @@ class DCRConfigurationVerifications:
command_object = BasicCommand(command_name, command_to_run, result_keywords_array)
command_object.run_full_test()
if not command_object.is_successful:
command_object.print_error(
"Could not detect any data collection rule on the machine. The data reaching this server will not be forwarded to any workspace. For explanation on how to install a Data collection rule please browse- {} \n"
"In order to read about how to associate a DCR to a machine please review- {}".format(
self.DCR_doc, self.DCRA_doc))
command_object.print_error(self.DCR_missing_error_messgae)
return False
return True
@ -279,9 +317,7 @@ class DCRConfigurationVerifications:
command_object = BasicCommand(command_name, command_to_run, result_keywords_array)
command_object.run_full_test()
if not command_object.is_successful:
command_object.print_error(
"Could not detect any data collection rule for CEF data. No CEF events will be collected from this machine to any workspace. Please create a CEF DCR using the following documentation- {} and run again".format(
self.DCR_doc))
command_object.print_error(self.DCR_missing_CEF_stream_error_message)
return False
return True
@ -323,8 +359,7 @@ class DCRConfigurationVerifications:
try:
if int(command_object.command_result) > 1:
command_object.run_full_verification(should_fail=True)
command_object.print_warning(
"Detected multiple collection rules sending the CEF stream. This scenario is called multi-homing and might have effect on the agent's performance")
command_object.print_warning(self.CEF_multi_homing_message)
else:
command_object.is_successful = True
command_object.document_result()
@ -332,7 +367,7 @@ class DCRConfigurationVerifications:
command_object.run_full_verification(should_fail=True)
command_object.print_warning("Failed to run this test since no DCRs were found")
def run_all_dcr_verifications(self):
def run_all_verifications(self):
'''
This function is only called by main and runs all the tests in this class
'''
@ -348,7 +383,15 @@ class SyslogDaemonVerifications(ColorfulPrint):
'''
This class is for Syslog daemon related verifications
'''
SYSLOG_DAEMON = ""
# CONSTANTS
SYSLOG_DAEMON = "rsyslog"
syslog_daemon_forwarding_path = {"rsyslog": "/etc/rsyslog.d/10-azuremonitoragent.conf",
"syslog-ng": "/etc/syslog-ng/conf.d/azuremonitoragent.conf"}
No_Syslog_daemon_error_message = "Could not detect any running Syslog daemon on the machine. The supported Syslog daemons are Rsyslog and Syslog-ng. Please install one of them and run this script again."
Syslog_daemon_not_listening_warning = "Warning: the Syslog daemon- {} is running but not listening on the machine or is listening to a non-default port".format(
SYSLOG_DAEMON)
Syslog_daemon_not_forwarding_error = "{} configuration was found invalid in this file {}. The forwarding of the syslog daemon to the agent might not work. Please install the agent in order to get the updated Syslog daemon forwarding configuration file, and try again.".format(
SYSLOG_DAEMON, syslog_daemon_forwarding_path[SYSLOG_DAEMON])
def determine_Syslog_daemon(self):
'''
@ -367,8 +410,7 @@ class SyslogDaemonVerifications(ColorfulPrint):
return True
is_Rsyslog_running.log_result_to_file()
is_Syslog_ng_running.log_result_to_file()
self.print_error(
"Could not detect any running Syslog daemon on the machine. The supported Syslog daemons are Rsyslog and Syslog-ng. Please install one of them and run this script again.")
self.print_error(self.No_Syslog_daemon_error_message)
return False
def verify_Syslog_daemon_listening(self):
@ -380,33 +422,29 @@ class SyslogDaemonVerifications(ColorfulPrint):
result_keywords_array = [self.SYSLOG_DAEMON, "LISTEN", ":514 "]
command_object = BasicCommand(command_name, command_to_run, result_keywords_array)
command_object.run_full_test()
if not command_object.is_successful:
command_object.print_warning(
"Warning: the Syslog daemon- {} is running but not listening on the machine or it is listening to a non-default port".format(
self.SYSLOG_DAEMON))
if command_object.is_successful == "Warn":
command_object.print_warning(command_object.command_result_err)
elif not command_object.is_successful:
command_object.print_warning(self.Syslog_daemon_not_listening_warning)
def verify_Syslog_daemon_forwarding_configuration(self):
'''
Verify the syslog daemon forwarding configuration file has the correct forwarding configuration to the Unix domain socket.
'''
if self.SYSLOG_DAEMON != "":
syslog_daemon_forwarding_path = {"rsyslog": "/etc/rsyslog.d/10-azuremonitoragent.conf",
"syslog-ng": "/etc/syslog-ng/conf.d/azuremonitoragent.conf"}
syslog_daemon_forwarding_keywords = {
"rsyslog": ['omuxsock', 'azuremonitoragent', 'OMUxSockSocket', 'OMUxSockDefaultTemplate'],
"syslog-ng": ['destination', 'd_azure_mdsd', 'unix-dgram', 'azuremonitoragent', 'syslog', 'socket',
's_src']}
command_name = "verify_Syslog_daemon_forwarding_configuration"
command_to_run = "sudo cat " + syslog_daemon_forwarding_path[self.SYSLOG_DAEMON]
command_to_run = "sudo cat " + self.syslog_daemon_forwarding_path[self.SYSLOG_DAEMON]
result_keywords_array = syslog_daemon_forwarding_keywords[self.SYSLOG_DAEMON]
command_object = BasicCommand(command_name, command_to_run, result_keywords_array)
command_object.run_full_test()
if not command_object.is_successful:
command_object.print_error(
"{} configuration was found invalid in this file {}. The forwarding of the syslog daemon to the agent might not work. Please install the agent in order to get the updated Syslog daemon forwarding configuration file, and try again.".format(
self.SYSLOG_DAEMON, syslog_daemon_forwarding_path[self.SYSLOG_DAEMON]))
command_object.print_error(self.Syslog_daemon_not_forwarding_error)
def run_all_syslog_daemon_verifications(self):
def run_all_verifications(self):
'''
This function is only called by main and runs all the tests in this class
'''
@ -419,7 +457,17 @@ class OperatingSystemVerifications:
'''
This class is for general operating system verifications
'''
# CONSTANTS
SELinux_documentation = "https://access.redhat.com/documentation/red_hat_enterprise_linux/8/html/using_selinux/changing-selinux-states-and-modes_using-selinux#changing-selinux-modes_changing-selinux-states-and-modes"
SELinux_running_error_message = "Detected SELinux running on the machine. The CEF connector does not support any form of hardening at the moment," \
"and having SELinux in Enforcing mode can harm the forwarding of data. Please disable SELinux by running the command \'setenforce 0\'." \
"This will disable SELinux temporarily. In order to disable permemently please follow this documentation- {}".format(
SELinux_documentation)
iptables_blocking_traffic_error_message = "Iptables might be blocking incoming traffic to the agent." \
" Please verify there are no firewall rules blocking incoming traffic to port 514 and run again."
Full_disk_error_message = "There is less than 1 GB of free disk space left on this machine." \
" Having a full disk can harm the agent functionality and eventually cause data loss" \
" Please free disk space on this machine and run again."
def verify_selinux_disabled(self):
'''
@ -430,12 +478,10 @@ class OperatingSystemVerifications:
result_keywords_array = ["Enforcing"]
command_object = BasicCommand(command_name, command_to_run, result_keywords_array)
command_object.run_full_test(True)
if not command_object.is_successful:
command_object.print_error(
"Detected SELinux running on the machine. The CEF connector does not support any form of hardening at the moment,"
"and having SELinux in Enforcing mode can harm the forwarding of data. Please disable SELinux by running the command \'setenforce 0\'."
"This will disable SELinux temporarily. In order to disable permemently please follow this documentation- {}".format(
self.SELinux_documentation))
if command_object.is_successful == "Warn":
command_object.print_warning(command_object.command_result_err)
elif not command_object.is_successful:
command_object.print_error(self.SELinux_running_error_message)
def verify_iptables(self):
'''
@ -446,15 +492,16 @@ class OperatingSystemVerifications:
result_keywords_array = ["DROP", "REJECT"]
policy_command_object = BasicCommand(command_name, command_to_run, result_keywords_array)
policy_command_object.run_full_test(exclude=True)
if policy_command_object.is_successful == "Warn":
policy_command_object.print_warning(policy_command_object.command_result_err)
return True
command_name = "verify_iptables_rules_permissive"
command_to_run = "sudo iptables -S | grep -E '514' | grep INPUT"
rules_command_object = BasicCommand(command_name, command_to_run, result_keywords_array)
rules_command_object.run_full_test(exclude=True)
if (not rules_command_object.is_successful or (not policy_command_object.is_successful and (
not rules_command_object.is_successful or rules_command_object.command_result == ""))):
policy_command_object.print_warning(
"Iptables might be blocking incoming traffic to the agent. Please verify there are no "
"firewall rules blocking incoming traffic to port 514 and run again.")
policy_command_object.print_warning(self.iptables_blocking_traffic_error_message)
def verify_free_disk_space(self):
'''
@ -467,14 +514,12 @@ class OperatingSystemVerifications:
command_object.run_command()
if int(command_object.command_result) < minimal_free_space_kb:
command_object.run_full_verification(should_fail=True)
command_object.print_error("There is less than 1 GB of free disk space left on this machine."
"Having a full disk can harm the agent functionality and eventually cause data loss"
"Please free disk space on this machine and run again.")
command_object.print_error(self.Full_disk_error_message)
else:
command_object.is_successful = True
command_object.document_result()
def run_all_os_verifications(self):
def run_all_verifications(self):
'''
This function is only called by main and runs all the tests in this class
'''
@ -487,7 +532,12 @@ class IncomingEventsVerifications:
'''
This class is for sending and capturing CEF events in the incoming stream of events to the syslog daemon port
'''
fixed_cef_message = "0|TestCommonEventFormat|MOCK|common=event-format-test|end|TRAFFIC|1|rt=$common=event-formatted-receive_time deviceExternalId=0002D01655 src=1.1.1.1 dst=2.2.2.2 sourceTranslatedAddress=1.1.1.1 destinationTranslatedAddress=3.3.3.3 cs1Label=Rule cs1=CEF_TEST_InternetDNS"
# CONSTANTS
Fixed_cef_message = "0|TestCommonEventFormat|MOCK|common=event-format-test|end|TRAFFIC|1|rt=$common=event-formatted-receive_time deviceExternalId=0002D01655 src=1.1.1.1 dst=2.2.2.2 sourceTranslatedAddress=1.1.1.1 destinationTranslatedAddress=3.3.3.3 cs1Label=Rule cs1=CEF_TEST_InternetDNS"
Tcpdump_not_installed_error_message = "Notice that \'tcpdump\' is not installed in your Linux machine.\nWe cannot monitor traffic without it.\nPlease install \'tcpdump\'."
Logger_not_installed_error_message = "Warning: Could not execute \'logger\' command. This means that no mock message was sent to your workspace."
CEF_events_found_message = "Found CEF events in stream. Please verify CEF events arrived at your workspace"
CEF_events_not_found_error_message = "Could not locate \"CEF\" message in tcpdump. Please verify CEF events can be sent to the machine and there is not firewall blocking incoming traffic"
def handle_tcpdump_line(self, line):
'''
@ -520,8 +570,7 @@ class IncomingEventsVerifications:
line = str(tcp_dump.stdout.readline())
# Handle command not found
if "command not found" in line:
print(
"Notice that \'tcpdump\' is not installed in your Linux machine.\nWe cannot monitor traffic without it.\nPlease install \'tcpdump\'.")
print(self.Tcpdump_not_installed_error_message)
command_object.command_result = line
command_object.run_full_verification()
return False
@ -538,12 +587,10 @@ class IncomingEventsVerifications:
if self.handle_tcpdump_line(line):
command_object.command_result = line
command_object.run_full_verification()
command_object.print_ok(
"Found CEF events in stream. Please verify CEF events arrived at your workspace")
command_object.print_ok(self.CEF_events_found_message)
return True
end_seconds = int(round(time.time()))
command_object.print_error(
"Could not locate \"CEF\" message in tcpdump. Please verify CEF events can be sent to the machine and there is not firewall blocking incoming traffic")
command_object.print_error(self.CEF_events_not_found_error_message)
command_object.command_result = str(line)
command_object.run_full_verification()
return False
@ -556,7 +603,7 @@ class IncomingEventsVerifications:
'''
try:
for index in range(0, amount):
command_tokens = ["logger", "-p", "local4.warn", "-t", "CEF:", self.fixed_cef_message, "-P", str(port),
command_tokens = ["logger", "-p", "local4.warn", "-t", "CEF:", self.Fixed_cef_message, "-P", str(port),
"-n",
"127.0.0.1"]
logger = subprocess.Popen(command_tokens, stdout=subprocess.PIPE)
@ -564,10 +611,9 @@ class IncomingEventsVerifications:
if e is not None:
print("Error could not send cef mock message")
except OSError:
print(
"Warning: Could not execute \'logger\' command. This means that no mock message was sent to your workspace.")
print(self.Logger_not_installed_error_message)
def run_incoming_events_verifications(self):
def run_all_verifications(self):
'''
This function is only called by main and runs all the tests in this class
'''
@ -603,13 +649,15 @@ class SystemInfo():
"syslog_ng_dir": ["sudo ls -la /etc/syslog-ng/conf.d/"],
"syslog_ng_dir_content": ["sudo grep -r ^ /etc/syslog-ng/conf.d/"],
"is_syslog_ng_running_from_boot": ["sudo sudo systemctl list-unit-files --type=service | grep syslog-ng"],
"agent_log_snip": ["sudo tail -n 15 /var/opt/microsoft/azuremonitoragent/log/mdsd.err"],
"agent_log_snip_err": ["sudo tail -n 15 /var/opt/microsoft/azuremonitoragent/log/mdsd.err"],
"agent_log_snip_warn": ["sudo tail -n 15 /var/opt/microsoft/azuremonitoragent/log/mdsd.warn"],
"agent_log_snip_info": ["sudo tail -n 15 /var/opt/microsoft/azuremonitoragent/log/mdsd.info"],
"is_AMA__running_from_boot": ["sudo systemctl list-unit-files --type=service | grep azuremonitoragent"],
"AMA_service_status": ["sudo service azuremonitoragent status"],
"DCR_config_dir": ["sudo ls -la /etc/opt/microsoft/azuremonitoragent/config-cache/configchunks/"],
"messages_log_snip": ["sudo tail -n 15 /var/log/messages"],
"syslog_log_snip": ["sudo tail -n 15 /var/log/syslog"],
"top_processes": ["sudo top -bcn1 -w512 head -n 20"],
"top_processes": ["sudo top -bcn1 -w512 | head -n 20"],
}
def __repr__(self, command_object):
@ -642,59 +690,67 @@ class SystemInfo():
self.append_content_to_file(command_object)
def main():
feature_flag = "collect"
printer = ColorfulPrint()
def verify_root_privileges(printer):
o, e = subprocess.Popen(['id', '-u'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT).communicate()
if int(o) != 0:
printer.print_error(
"This script must be run in elevated privileges since some of the tests require root privileges")
exit()
if len(sys.argv) > 1 and str(sys.argv[1]) == feature_flag:
printer.print_notice("Starting to collect data. This may take a couple of seconds")
time.sleep(2)
subprocess.Popen(['rm', COLLECT_OUTPUT_FILE, '2>', '/dev/null'],
stdout=subprocess.PIPE, stderr=subprocess.STDOUT).communicate()
system_info = SystemInfo()
system_info.handle_commands()
printer.print_notice(
"Finished collecting data \nPlease provide CSS with this file for further investigation- {} \n"
"In order to open a support case please browse: {}".format(
COLLECT_OUTPUT_FILE, PATH_FOR_CSS_TICKET))
time.sleep(1)
def main():
collection_feature_flag = "collect"
running_in_collect_mode = False
help_feature_flag = ['-h', '-H', '-help', '--help', '-Help', '--Help']
printer = ColorfulPrint()
verify_root_privileges(printer)
if len(sys.argv) > 1:
if str(sys.argv[1]) == collection_feature_flag:
running_in_collect_mode = True
printer.print_notice("Starting to collect data. This may take a couple of seconds")
time.sleep(2)
subprocess.Popen(['rm', COLLECT_OUTPUT_FILE, '2>', '/dev/null'],
stdout=subprocess.PIPE, stderr=subprocess.STDOUT).communicate()
system_info = SystemInfo()
system_info.handle_commands()
print(
"Finished collecting data \nPlease provide CSS with this file for further investigation- {} \n"
"In order to open a support case please browse: {}".format(
COLLECT_OUTPUT_FILE, PATH_FOR_CSS_TICKET))
time.sleep(1)
# Print help message on how to use the script
elif str(sys.argv[1]) in help_feature_flag:
print(SCRIPT_HELP_MESSAGE)
exit()
else:
print("python cef_AMA_troubleshoot.py: unrecognized option '{}'\n"
"Try 'python cef_AMA_troubleshoot.py --help' for more information.".format(str(sys.argv[1])))
exit()
class_tests_array = [
(AgentInstallationVerifications(), "Starting validation tests for AMA"),
(DCRConfigurationVerifications(), "Starting validation tests for data collection rules"),
(SyslogDaemonVerifications(), "Starting validation tests for the Syslog daemon"),
(OperatingSystemVerifications(), "Starting validation tests for the operating system"),
(IncomingEventsVerifications(), "Starting validation tests for capturing incoming events")]
printer.print_notice("\nStarting to run the CEF validation script")
time.sleep(1)
subprocess.Popen(['rm', LOG_OUTPUT_FILE, '2>', '/dev/null'],
stdout=subprocess.PIPE, stderr=subprocess.STDOUT).communicate()
printer.print_notice("Please validate you are sending CEF messages to the agent machine")
# Create agent_verification object
printer.print_notice("\n----- Starting validation tests for AMA -------------------------")
agent_verifications = AgentInstallationVerifications()
agent_verifications.run_all_agent_verifications()
# Create dcr_verification object
printer.print_notice("\n----- Starting validation tests for data collection rules -------")
dcr_verification = DCRConfigurationVerifications()
dcr_verification.run_all_dcr_verifications()
# Create Syslog daemon verification object
printer.print_notice("\n----- Starting validation tests for the Syslog daemon -----------")
syslog_daemon_verification = SyslogDaemonVerifications()
syslog_daemon_verification.run_all_syslog_daemon_verifications()
# Create operating system level verifications
printer.print_notice("\n----- Starting validation tests for the operating system --------")
os_verification = OperatingSystemVerifications()
os_verification.run_all_os_verifications()
# Create incoming events verification
printer.print_notice("\n----- Starting validation tests for capturing incoming events ---")
incoming_events = IncomingEventsVerifications()
incoming_events.run_incoming_events_verifications()
for class_test in class_tests_array:
printer.print_notice("\n----- {} {}".format(class_test[1], '-' * (60 - len(class_test[1]))))
verification_object = class_test[0]
verification_object.run_all_verifications()
if NOT_RUN_TESTS_COUNT > 0:
printer.print_warning("\nTotal amount of tests that failed to run: " + str(NOT_RUN_TESTS_COUNT))
if FAILED_TESTS_COUNT > 0:
printer.print_error("\nTotal amount of failed tests is: " + str(FAILED_TESTS_COUNT))
else:
printer.print_ok("All tests passed successfully")
printer.print_notice("This script generated an output file located here - {}"
"\nPlease review if you would like to get more information on failed tests.".format(
"\nPlease review it if you would like to get more information on failed tests.".format(
LOG_OUTPUT_FILE))
if not feature_flag:
if not running_in_collect_mode:
printer.print_notice(
"\nIf you would like to open a support case please run this script with the \'collect\' feature flag in order to collect additional system data for troubleshooting."
"\'python cef_AMA_troubleshoot.py collect\'")


@ -64,10 +64,13 @@ output {
"deviceCustomFloatingPoint4",
"deviceCustomFloatingPoint4Label",
"deviceCustomNumber1",
"fieldDeviceCustomNumber1",
"deviceCustomNumber1Label",
"deviceCustomNumber2",
"fieldDeviceCustomNumber2",
"deviceCustomNumber2Label",
"deviceCustomNumber3",
"fieldDeviceCustomNumber3",
"deviceCustomNumber3Label",
"baseEventCount",
"deviceCustomString1",
@ -131,8 +134,9 @@ output {
"destinationLatitude",
"categoryDeviceType",
"managerReceiptTime",
"agentMacAddress"
"agentMacAddress",
"reason"
]
}
}
}
}


@ -1,151 +1,151 @@
# Deploy Function App for getting Office 365 Management API data into Azure Sentinel
This function app will poll O365 Activity Managment API every 5 mins for logs. It is designed to get Audit.General and DLP.All events.
## How to Ingest Office 365 Audit.General and DLP.All Activity Logs into Azure Sentinel
The Office 365 data connector in Azure Sentinel supports ongoing user and admin activity logs for Microsoft 365 workloads, Exchange Online, SharePoint Online and Microsoft Teams. The activity logs include details of action such as file downloads, access request send, change to group event, mailbox operations. Once the activity logs are ingested into Azure Sentinel, it can be used for custom analytics rules, hunting, visualization as well as for investigation process.
The Azure Sentinel data connector for Office 365 uses the [Office 365 Activity Management API](https://docs.microsoft.com/office/office-365-management-api/office-365-management-activity-api-reference). Below is a summary of which content types are part of the Office 365 Activity Management API and their mapping with Azure Sentinel.
| Content Type | Description | Azure Sentinel Mapping |
| ------------ | ----------- | ---------------------- |
| Audit.AzureActiveDirectory | Azure Active Directory logs thats relates to Office 365 only | Supported with the default connector for [Office 365](https://docs.microsoft.com/azure/sentinel/connect-office-365) in Azure Sentinel |
| Audit.Exchange | User and Admin Activities in Exchange Online | Supported with the default connector for [Office 365](https://docs.microsoft.com/azure/sentinel/connect-office-365) in Azure Sentinel |
| Audit.SharePoint | User and Admin Activities in SharePoint Online | Supported with the default connector for [Office 365](https://docs.microsoft.com/azure/sentinel/connect-office-365) in Azure Sentinel |
| Audit.General | Includes all other workloads not included in the previous content types | Not supported with the default connector for Office 365 in Azure Sentinel |
| DLP.All | DLP events only for all workloads | Not supported with the default connector for Office 365 in Azure Sentinel |
Specifically, Audit.General activity logs could be of interest in SIEM if there is a need for correlation with alerts from Defender for Office 365 and alerts from Security and Compliance Center. As follow most asked use cases are:
- Usage of Security and Compliance Center alerts
- Alerts generated by Defender for Office 365
- Safe Links time-of-block and block override
- Phishing and malware alerts for files in SharePoint Online, OneDrive for Business, and Microsoft Teams
- Usage of Phishing and malware events
This document covers the required steps to ingest Audit.General and DLP.All activity logs from the Office 365 Management Activity API into Azure Sentinel and how to use the ingested alerts. For the ingestion of activity logs I will use an Azure Function App connector. The Azure Function App is published [here](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/O365%20Data).
The Azure Function App uses a PowerShell script to collect Office 365 Audit.General and DLP.All Activity logs and ingests into a custom table in Azure Sentinel (custom tables end with _CL when created in Log Analytics). The secrets for the required connections are stored in Azure Key Vault.
![Function App](./images/Picture1.png)<br>
Lets get started with the configuration!
### Preparation
The following tasks describe the necessary preparation and configurations steps.
- Onboard Azure Sentinel
- Register an application in Azure AD
- Create an Office 365 Management Activity API Subscription
- Deploy the Azure Function App
- Post Configuration Steps for the Function App and Key Vault
- How to Use the Activity Logs in Azure Sentinel
## Onboarding Azure Sentinel
Onboarding Azure Sentinel is not part of this document post. However, required guidance can be found [here](https://docs.microsoft.com/azure/sentinel/quickstart-onboard).
### Register an application in Azure AD
The Azure AD app is later required to use it as service principle for the [Azure Funtion App](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/O365%20Data) app.
1. Go to **Azure Active Directory** / **App Registrations**
2. Create **New Registration**<br>
![App Registration](./images/Picture2.png)<br>
3. Call it "O365APItoAzureSentinel". Click **Register**.
4. Click **API Permissions** Blade.
5. Click **Add a Permission**.
6. Click **Office 365 Management APIs**.
7. Click **Appplication Permissions**
8. Check **ActivityFeed.Read** and **ActivityFeed.ReadDlp**. Click **Add permissions**.<br>
![Permissions](./images/Picture5.png)<br>
9. Click **Grant admin consent for ...**.<br>
![Admin Consent](./images/Picture6.png)<br>
10. Click **Certificates and Secrets** blade.
11. Click **New Client Secret**.
12. Enter a description, select **never**. Click **Add**.<br>
![Secret](./images/Picture3.png)<br>
13. **IMPORTANT**. Click **copy** next to the new secret and paste it somewhere temporaily. You can not come back to get the secret once you leave the blade.
14. Copy the **client Id** from the application properties and paste it somewhere.
15. Also copy the **tenant Id** from the AAD directory properties blade.
For the deployment of [Azure Funtion App](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/O365%20Data), make a note of following settings:
- The Azure AD Application ID
- The Azure AD Application Secret
- The Tenant ID
- The Tenant Domain
### Create an Office 365 Management Activity API Subscription
After successfully creating the service principles, run the following PowerShell script to register the API subscription.
1. Open a PowerShell terminal.
2. Run the following, replacing variables with strings from the previous steps.
```powerhshell
$ClientID = "<GUID> from AAD App Registration"
$ClientSecret = "<clientSecret> from AAD App Registrtion"
$loginURL = "https://login.microsoftonline.com/"
$tenantdomain = "<domain>.onmicrosoft.com"
$TenantGUID = "<tenantguid> from AAD"
$resource = "https://manage.office.com"
$body = @{grant_type="client_credentials";resource=$resource;client_id=$ClientID;client_secret=$ClientSecret}
$oauth = Invoke-RestMethod -Method Post -Uri $loginURL/$tenantdomain/oauth2/token?api-version=1.0 -Body $body
$headerParams = @{'Authorization'="$($oauth.token_type) $($oauth.access_token)"}
$publisher = "<randomGuid>" Get a guid from https://guidgenerator.com/
```
3. Run this command to enable **Audit.General** Subscription.
```powershell
Invoke-WebRequest -Method Post -Headers $headerParams -Uri "https://manage.office.com/api/v1.0/$tenantGuid/activity/feed/subscriptions/start?contentType=Audit.General&PublisherIdentifier=$Publisher"
```
4. Run this command to enable **DLP.ALL** subscription
```powershell
Invoke-WebRequest -Method Post -Headers $headerParams -Uri "https://manage.office.com/api/v1.0/$tenantGuid/activity/feed/subscriptions/start?contentType=DLP.ALL&PublisherIdentifier=$Publisher"
```
5. A successful output looks like as below. <br>
![Output](./images/Picture7.png)<br>
### Deploy the Azure Function App
Thanks to the published ARM template the deployment of the [Azure Funtion App](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/O365%20Data) is done with just a few clicks.
1. Click to **Deploy the template / Deploy to Azure** below.
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors%2FO365%20Data%2Fazuredeploy.json)
2. Now it is time to use the noted details from previous steps.
- Select the right **Subscription**, **Resource Group** and **Region** where you what to deploy the Azure Funtion App.
- Fill the Instance Details **Client ID**, **Client Secret**, **Tenant Domain**, **Publisher Guid**.
- There is also a need of **Workspace ID** and **Workspace Key** from where Azure Sentinel is deployed.
- The Content Types you can leave as default with **Audit.General**, or you can also add **DLP.All** as well. Or use only **DLP.All**.
![Deployment](./images/picture9.png)
3. Click to **Review + create**, review the configuration and click **Create**.
4. Now the deployment of ARM template is completed.
![Complete](./images/picture10.png)
### Post Configuration Steps for the Azure Function App
1. For the final configuration of Azure Function App open the Azure Portal and navigate to **Azure Function App** > The name of the Function App > **Configuration**.<br>
![configuration](./images/Picture17.png)<br>
2. In the **Configuration** edit the **clientSecret** and **workspaceKey** settings. Click to Edit and paste the noted Secret Identifiers as value and **Save** the configuration. The Secret Identifiers should have this format:
- @Microsoft.KeyVault(SecretUri=https:///secrets/O365Tenant1_clientSecret/).
3. Once the configuration is finished the **clientSecret** and **workspaceKey** settings should have a green checkmark.
## How to use the Activity Logs in Azure Sentinel
Once the Azure Function App is functional you can query the General.Audit and DLP.All activity logs. The activity will reside in a Custom Table as configured in the Azure Function App above. The following table includes sample Kusto Language Queries (KQL). You can see these are using the Custom Logs (Custom log tables always end in “_CL”) and the values we mentioned earlier.<br>
![Review](./images/Picture19.png)<br>
***Note***: Custom Logs are a billable data source. The record types that are important have been added below, as simple starting queries.
| Member Name | Kusto Language Query (KQL) |
| ----------- | -------------------------- |
| ThreatIntelligence | O365_CL \| where RecordType_d == "28" |
| ThreatIntelligenceUrl | O365_CL \| where RecordType_d == "41" |
| ThreatIntelligenceAtpContent | O365_CL \| where RecordType_d == "47" |
| SecurityComplianceAlerts | O365_CL \| where RecordType_d == "40" |
An example results for the Defender for Office Safe Attachment block detection alert.
```KQL
O365_CL
| where RecordType_d == "28"
```
![Query](./images/Picture20.png)
### Summary
In this document I have shown how you can onboard Office 365 Management Activity API General.Audit and DLP.All activity logs, and some basics queries for you to start to build out your use cases with Defender for Office and Security and Compliance Center alerts. This solution helps you extend, correlate and enrich the data you have with the existing O365 connector, giving you more insights.
# Deploy Function App for getting Office 365 Management API data into Azure Sentinel
This function app will poll O365 Activity Management API every 5 mins for logs. It is designed to get Audit.General and DLP.All events.
## How to Ingest Office 365 Audit.General and DLP.All Activity Logs into Azure Sentinel
The Office 365 data connector in Azure Sentinel supports ongoing user and admin activity logs for Microsoft 365 workloads, Exchange Online, SharePoint Online and Microsoft Teams. The activity logs include details of action such as file downloads, access request send, change to group event, mailbox operations. Once the activity logs are ingested into Azure Sentinel, it can be used for custom analytics rules, hunting, visualization as well as for investigation process.
The Azure Sentinel data connector for Office 365 uses the [Office 365 Activity Management API](https://docs.microsoft.com/office/office-365-management-api/office-365-management-activity-api-reference). Below is a summary of which content types are part of the Office 365 Activity Management API and their mapping with Azure Sentinel.
| Content Type | Description | Azure Sentinel Mapping |
| ------------ | ----------- | ---------------------- |
| Audit.AzureActiveDirectory | Azure Active Directory logs thats relates to Office 365 only | Supported with the default connector for [Office 365](https://docs.microsoft.com/azure/sentinel/connect-office-365) in Azure Sentinel |
| Audit.Exchange | User and Admin Activities in Exchange Online | Supported with the default connector for [Office 365](https://docs.microsoft.com/azure/sentinel/connect-office-365) in Azure Sentinel |
| Audit.SharePoint | User and Admin Activities in SharePoint Online | Supported with the default connector for [Office 365](https://docs.microsoft.com/azure/sentinel/connect-office-365) in Azure Sentinel |
| Audit.General | Includes all other workloads not included in the previous content types | Not supported with the default connector for Office 365 in Azure Sentinel |
| DLP.All | DLP events only for all workloads | Not supported with the default connector for Office 365 in Azure Sentinel |
Specifically, Audit.General activity logs could be of interest in SIEM if there is a need for correlation with alerts from Defender for Office 365 and alerts from Security and Compliance Center. As follow most asked use cases are:
- Usage of Security and Compliance Center alerts
- Alerts generated by Defender for Office 365
- Safe Links time-of-block and block override
- Phishing and malware alerts for files in SharePoint Online, OneDrive for Business, and Microsoft Teams
- Usage of Phishing and malware events
This document covers the required steps to ingest Audit.General and DLP.All activity logs from the Office 365 Management Activity API into Azure Sentinel and how to use the ingested alerts. For the ingestion of activity logs I will use an Azure Function App connector. The Azure Function App is published [here](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/O365%20Data).
The Azure Function App uses a PowerShell script to collect Office 365 Audit.General and DLP.All Activity logs and ingests into a custom table in Azure Sentinel (custom tables end with _CL when created in Log Analytics). The secrets for the required connections are stored in Azure Key Vault.
![Function App](./images/Picture1.png)<br>
Lets get started with the configuration!
### Preparation
The following tasks describe the necessary preparation and configurations steps.
- Onboard Azure Sentinel
- Register an application in Azure AD
- Create an Office 365 Management Activity API Subscription
- Deploy the Azure Function App
- Post Configuration Steps for the Function App and Key Vault
- How to Use the Activity Logs in Azure Sentinel
## Onboarding Azure Sentinel
Onboarding Azure Sentinel is not part of this document post. However, required guidance can be found [here](https://docs.microsoft.com/azure/sentinel/quickstart-onboard).
### Register an application in Azure AD
The Azure AD app is later required to use it as service principle for the [Azure Function App](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/O365%20Data) app.
1. Go to **Azure Active Directory** / **App Registrations**
2. Create **New Registration**<br>
![App Registration](./images/Picture2.png)<br>
3. Call it "O365APItoAzureSentinel". Click **Register**.
4. Click **API Permissions** Blade.
5. Click **Add a Permission**.
6. Click **Office 365 Management APIs**.
7. Click **Application Permissions**
8. Check **ActivityFeed.Read** and **ActivityFeed.ReadDlp**. Click **Add permissions**.<br>
![Permissions](./images/Picture5.png)<br>
9. Click **Grant admin consent for ...**.<br>
![Admin Consent](./images/Picture6.png)<br>
10. Click **Certificates and Secrets** blade.
11. Click **New Client Secret**.
12. Enter a description, select **never**. Click **Add**.<br>
![Secret](./images/Picture3.png)<br>
13. **IMPORTANT**. Click **copy** next to the new secret and paste it somewhere temporarily. You can not come back to get the secret once you leave the blade.
14. Copy the **client Id** from the application properties and paste it somewhere.
15. Also copy the **tenant Id** from the AAD directory properties blade.
For the deployment of [Azure Function App](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/O365%20Data), make a note of following settings:
- The Azure AD Application ID
- The Azure AD Application Secret
- The Tenant ID
- The Tenant Domain
### Create an Office 365 Management Activity API Subscription
After successfully creating the service principles, run the following PowerShell script to register the API subscription.
1. Open a PowerShell terminal.
2. Run the following, replacing variables with strings from the previous steps.
```powershell
$ClientID = "<GUID> from AAD App Registration"
$ClientSecret = "<clientSecret> from AAD App Registration"
$loginURL = "https://login.microsoftonline.com/"
$tenantdomain = "<domain>.onmicrosoft.com"
$TenantGUID = "<tenantguid> from AAD"
$resource = "https://manage.office.com"
$body = @{grant_type="client_credentials";resource=$resource;client_id=$ClientID;client_secret=$ClientSecret}
$oauth = Invoke-RestMethod -Method Post -Uri $loginURL/$tenantdomain/oauth2/token?api-version=1.0 -Body $body
$headerParams = @{'Authorization'="$($oauth.token_type) $($oauth.access_token)"}
$publisher = "<randomGuid>" Get a guid from https://guidgenerator.com/
```
3. Run this command to enable **Audit.General** Subscription.
```powershell
Invoke-WebRequest -Method Post -Headers $headerParams -Uri "https://manage.office.com/api/v1.0/$tenantGuid/activity/feed/subscriptions/start?contentType=Audit.General&PublisherIdentifier=$Publisher"
```
4. Run this command to enable **DLP.ALL** subscription
```powershell
Invoke-WebRequest -Method Post -Headers $headerParams -Uri "https://manage.office.com/api/v1.0/$tenantGuid/activity/feed/subscriptions/start?contentType=DLP.ALL&PublisherIdentifier=$Publisher"
```
5. A successful output looks like as below. <br>
![Output](./images/Picture7.png)<br>
### Deploy the Azure Function App
Thanks to the published ARM template the deployment of the [Azure Function App](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/O365%20Data) is done with just a few clicks.
1. Click to **Deploy the template / Deploy to Azure** below.
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors%2FO365%20Data%2Fazuredeploy.json)
2. Now it is time to use the noted details from previous steps.
- Select the right **Subscription**, **Resource Group** and **Region** where you what to deploy the Azure Function App.
- Fill the Instance Details **Client ID**, **Client Secret**, **Tenant Domain**, **Publisher Guid**.
- There is also a need of **Workspace ID** and **Workspace Key** from where Azure Sentinel is deployed.
- The Content Types you can leave as default with **Audit.General**, or you can also add **DLP.All** as well. Or use only **DLP.All**.
![Deployment](./images/picture9.png)
3. Click to **Review + create**, review the configuration and click **Create**.
4. Now the deployment of ARM template is completed.
![Complete](./images/picture10.png)
### Post Configuration Steps for the Azure Function App
1. For the final configuration of Azure Function App open the Azure Portal and navigate to **Azure Function App** > The name of the Function App > **Configuration**.<br>
![configuration](./images/Picture17.png)<br>
2. In the **Configuration** edit the **clientSecret** and **workspaceKey** settings. Click to Edit and paste the noted Secret Identifiers as value and **Save** the configuration. The Secret Identifiers should have this format:
- @Microsoft.KeyVault(SecretUri=https:///secrets/O365Tenant1_clientSecret/).
3. Once the configuration is finished the **clientSecret** and **workspaceKey** settings should have a green checkmark.
## How to use the Activity Logs in Azure Sentinel
Once the Azure Function App is functional you can query the General.Audit and DLP.All activity logs. The activity will reside in a Custom Table as configured in the Azure Function App above. The following table includes sample Kusto Language Queries (KQL). You can see these are using the Custom Logs (Custom log tables always end in “_CL”) and the values we mentioned earlier.<br>
![Review](./images/Picture19.png)<br>
***Note***: Custom Logs are a billable data source. The record types that are important have been added below, as simple starting queries.
| Member Name | Kusto Language Query (KQL) |
| ----------- | -------------------------- |
| ThreatIntelligence | O365_CL \| where RecordType_d == "28" |
| ThreatIntelligenceUrl | O365_CL \| where RecordType_d == "41" |
| ThreatIntelligenceAtpContent | O365_CL \| where RecordType_d == "47" |
| SecurityComplianceAlerts | O365_CL \| where RecordType_d == "40" |
An example results for the Defender for Office Safe Attachment block detection alert.
```KQL
O365_CL
| where RecordType_d == "28"
```
![Query](./images/Picture20.png)
### Summary
In this document I have shown how you can onboard Office 365 Management Activity API General.Audit and DLP.All activity logs, and some basics queries for you to start to build out your use cases with Defender for Office and Security and Compliance Center alerts. This solution helps you extend, correlate and enrich the data you have with the existing O365 connector, giving you more insights.


@ -187,10 +187,18 @@ Once you have a working POC, you are ready to build, validate the data connector
>>**Note**: This json is loaded only in your session and not shared out. The logo wont show up since its not part of the json. Connector logo will be included when Microsoft builds and deploys the data connector.
4. **Prepare sample data for validation and submission** – Plan to submit some real-world, sanitized sample data for your connectors that covers all types of logs, events, alerts, etc. depending on the data type. This is the test validation set that can be used to build other contribution types on top of this data connector. The format for this file can be json / csv (json preferred) file with the column names / property names adhering to the data type property names. The data file name needs to be the same name as the data type name. Submit the sample data file via a GitHub PR to the ['Sample data' folder](https://aka.ms/azuresentinelgithubsampledata) in the right subfolder - CEF / Syslog / Custom depending on the type of data connector.
4. **Prepare sample data for validation and submission** – Plan to submit some real-world, sanitized raw sample data/logs for your connectors that covers all types of logs, events, alerts, etc. depending on the data type. Sample data is extremely useful when troubleshooting issues, supporting and/or enhancing the Data Connectors with more Security-focused content (such as Analytics, Hunting Queries, Workbooks, etc.). The following guidelines are designed to help committing sample data in a usable format into GitHub:
1. The extension for the file can be .json (for API based Data Connector) / .txt (for Syslog/CEF based data Connectors) with the column names / property names adhering to the data type property names.
2. Submit the Sample Data via a GitHub PR. All sample data files must reside inside a folder called "Sample Data" within the Solution folder. Example folder structure - "Azure-Sentinel/Solutions/<ProductName>/Sample Data/".
3. Important: Please ensure all sample data has been scrubbed to remove all sensitive PII information that may exist in the logs. The intent is to understand the "what" and "how" from the logs not the "who".
_**IMPORTANT!:** Detailed guidance on Sample Data contribution including expected file names, format, file extensions and extraction method is available [here](https://github.com/Azure/Azure-Sentinel/master/tree/Sample%20Data/README.md)_
5. **Submit your data connector** - Follow the [general contribution guidelines for Microsoft Sentinel](https://aka.ms/sentinelgithubcontributionguidelines) to open a Pull Request (PR) to submit the data connector:
1. The json file in the ['Connectors' folder](https://aka.ms/azuresentinelgithubdataconnectors)
2. The sample data file in the right subfolder of ['Sample data' folder](https://aka.ms/azuresentinelgithubsampledata)
2. The sample data file in the right folder. Example folder structure - "Azure-Sentinel/Solutions/<ProductName>/Sample Data/"
3. The company logo adhering to the following requirements in the ['Logo' folder](https://aka.ms/azuresentinelgithublogos)
1. Logo needs to be in SVG format and under 5 Kb
2. Ensure raw file of logo does **not** have any of the following:


@ -381,10 +381,13 @@ output {
"deviceCustomFloatingPoint4",
"deviceCustomFloatingPoint4Label",
"deviceCustomNumber1",
"fieldDeviceCustomNumber1",
"deviceCustomNumber1Label",
"deviceCustomNumber2",
"fieldDeviceCustomNumber2",
"deviceCustomNumber2Label",
"deviceCustomNumber3",
"fieldDeviceCustomNumber3"
"deviceCustomNumber3Label",
"baseEventCount",
"deviceCustomString1",
@ -501,7 +504,8 @@ output {
"destinationGeoCountryCode3",
"destinationASNsOrg",
"destinationASN",
"destinationDnsDomain"
"destinationDnsDomain",
"reason"
]
}
}
@ -513,4 +517,4 @@ output {
# }
# }
}
}
}
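Review bot: The added entry `"fieldDeviceCustomNumber3"` in the second hunk has no trailing comma before `"deviceCustomNumber3Label",`, unlike the sibling additions `"fieldDeviceCustomNumber1",` and `"fieldDeviceCustomNumber2",` in the same list and the matching line in the other Logstash config in this commit. Inside a Logstash array literal that is a parse error, so the pipeline would refuse to load rather than drop the fields. The fix is the one-character change `"fieldDeviceCustomNumber3",`. The enclosing `output {` block starts outside the hunk, so I have not checked the rest of the list.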


@ -31,6 +31,8 @@ query: |
| where RoleName contains "Admin"
| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)
| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))
// Uncomment below to not alert for PIM activations
//| where Initiator != "MS-PIM"
| extend Target = tostring(TargetResources.userPrincipalName)
| summarize by bin(TimeGenerated, 1h), OperationName, RoleName, Target, Initiator, Result
| extend AccountCustomEntity = Target
@ -43,5 +45,5 @@ entityMappings:
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
version: 1.0.1
version: 1.0.2
kind: scheduled
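Review bot: The opt-in exclusion `//| where Initiator != "MS-PIM"` compares against the app displayName that `Initiator` is derived from two lines earlier, not against a service principal id, so once enabled it would also exclude any application whose display name happens to be "MS-PIM"; that is presumably acceptable for a first-party name, but the comment should say it is a name match. More importantly, enabling it silences every PIM-driven admin role activation, which is exactly the path an attacker holding a compromised account with an eligible assignment would use, and the comment currently presents it as a pure noise reduction. I would extend the comment to `// Uncomment below to not alert for PIM activations (this also hides malicious activations of eligible roles; cover those with a PIM-specific rule)`. The query begins outside the hunk.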


@ -0,0 +1,29 @@
id: 74ed028d-e392-40b7-baef-e69627bf89d1
name: NRT Azure DevOps Audit Stream Disabled
description: |
'Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams
before conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action
its unlikely to have a high false positive rate.'
severity: High
requiredDataConnectors: []
tactics:
- DefenseEvasion
relevantTechniques:
- T1562.008
query: |
AzureDevOpsAuditing
| where OperationName =~ "AuditLog.StreamDisabledByUser"
| extend StreamType = tostring(Data.ConsumerType)
| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType
| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
kind: NRT
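Review bot: `requiredDataConnectors: []` is empty even though the query reads `AzureDevOpsAuditing`, so the rule is not linked to whatever connector or diagnostic-setting path populates that table; if a connector id exists for it, it belongs here. The description should also carry a caveat: the detection only works if the `AuditLog.StreamDisabledByUser` event itself still reaches Sentinel after the stream is disabled, which presumably holds only when the disabled stream is not the Log Analytics one or the event is emitted before teardown — worth confirming with Azure DevOps before relying on it. Minor: `its unlikely` should read `it's unlikely`.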


@ -21,7 +21,7 @@ relevantTechniques:
- T1046
query: |
CommonSecurityLog
CommonSecurityLog
| where isnotempty(DestinationPort) and DeviceAction !in ("reset-both", "deny")
// filter out common usage ports. Add ports that are legitimate for your environment
| where DestinationPort !in ("443", "53", "389", "80", "0", "880", "8888", "8080")
@ -30,20 +30,26 @@ query: |
| where DestinationPort !between (toint(49512) .. toint(65535))
| where Computer != ""
| where DestinationIP !startswith "10."
| extend Reason = coalesce(
column_ifexists("Reason", ""),
extract("reason=(.+?)(;|$)", 1, AdditionalExtensions),
""
)
// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out.
| where AdditionalExtensions !has "reason=aged-out"
| where Reason !has "aged-out"
// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.
| where AdditionalExtensions !has "reason=tcp-fin"
| where Reason !has "tcp-fin"
// Uncomment one of the following where clauses to trigger on specific TCP reset reasons
// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK
// TCP RST-server - Occurs when the server sends a TCP reset to the client
// | where AdditionalExtensions has "reason=tcp-rst-from-server"
// TCP RST-client - Occurs when the client sends a TCP reset to the server
// | where AdditionalExtensions has "reason=tcp-rst-from-client"
| extend reason = tostring(split(AdditionalExtensions, ";")[3])
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP
// Already performed
//| extend reason = tostring(split(AdditionalExtensions, ";")[3])
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP
| where count_ >= 10
| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction
| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction
| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName
entityMappings:
- entityType: Account
@ -58,5 +64,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
version: 1.0.1
kind: Scheduled
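Review bot: The commented-out RST-reason filters in the second hunk still test `AdditionalExtensions has "reason=tcp-rst-from-server"` (and `…-client`) while the live `aged-out`/`tcp-fin` filters were moved onto the new `Reason` column, so a user who uncomments them gets no matches on sources that populate `Reason` directly; they should become `// | where Reason has "tcp-rst-from-server"` and `// | where Reason has "tcp-rst-from-client"`. The `// Already performed` line and the dead `//| extend reason = tostring(split(AdditionalExtensions, ";")[3])` can be dropped now that `Reason` is computed once above. The query's opening lines are in the preceding hunk.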


@ -36,15 +36,22 @@ query: |
| extend IP = tostring(InitiatedBy.user.ipAddress)
| extend Target = tolower(tostring(TargetResources[0].userPrincipalName))
| where Target in (VIPUsers)
| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8), Targets=make_set(Target, MaxSize=256) by Initiator, IP, Result
// Uncomment the line below if you are experiencing high volumes of Target entities. If this is uncommented, the Target column will not be mapped to an entity.
//| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8), Targets=make_set(Target, MaxSize=256) by Initiator, IP, Result
// Comment out this line below, if line above is used.
| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8) by Initiator, IP, Result, Targets = Target
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: Target
columnName: Targets
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: Initiator
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IP
version: 1.0.5
version: 1.0.6
kind: Scheduled


@ -3,8 +3,7 @@ name: Brute force attack against Azure Portal
description: |
'Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures
and by a successful authentication within a given time window.
(The query does not enforce any sequence - eg requiring the successful authentication to occur last.)
Default Failure count is 5, Default Success count is 1 and default Time Window is 20 minutes.
Default Failure count is 5 and default Time Window is 20 minutes.
References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.'
severity: Medium
requiredDataConnectors:
@ -23,47 +22,47 @@ tactics:
relevantTechniques:
- T1110
query: |
let failureCountThreshold = 5;
let successCountThreshold = 1;
let authenticationWindow = 20m;
let aadFunc = (tableName:string){
let timeRange = 24h;
let failureCountThreshold = 5;
let authenticationWindow = 20m;
let aadFunc = (tableName:string){
table(tableName)
| where AppDisplayName has "Azure Portal"
| extend
| where AppDisplayName has "Azure Portal"
| extend
DeviceDetail = todynamic(DeviceDetail),
//Status = todynamic(Status),
LocationDetails = todynamic(LocationDetails)
| extend
OS = DeviceDetail.operatingSystem,
Browser = DeviceDetail.browser,
| extend
OS = tostring(DeviceDetail.operatingSystem),
Browser = tostring(DeviceDetail.browser),
//StatusCode = tostring(Status.errorCode),
//StatusDetails = tostring(Status.additionalDetails),
State = tostring(LocationDetails.state),
City = tostring(LocationDetails.city),
Region = tostring(LocationDetails.countryOrRegion)
// Split out failure versus non-failure types
| extend FailureOrSuccess = iff(ResultType in ("0", "50125", "50140", "70043", "70044"), "Success", "Failure")
| summarize
StartTime = min(TimeGenerated),
EndTime = max(TimeGenerated),
IPAddress = make_set(IPAddress),
make_set(OS),
make_set(Browser),
make_set(City),
make_set(State),
make_set(Region),
make_set(ResultType),
FailureCount = countif(FailureOrSuccess=="Failure"),
SuccessCount = countif(FailureOrSuccess=="Success"),
take_anyif(UserPrincipalName, not(UserPrincipalName matches regex @"[a-f\d]+\-[a-f\d]+\-[a-f\d]+\-[a-f\d]+\-[a-f\d]+")),
take_anyif(UserDisplayName, isnotempty(UserDisplayName))
by bin(TimeGenerated, authenticationWindow), UserId, AppDisplayName, Type
| where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold
| mv-expand IPAddress
| extend IPAddress = tostring(IPAddress)
| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress
};
// Split out failure versus non-failure types
| extend FailureOrSuccess = iff(ResultType in ("0", "50125", "50140", "70043", "70044"), "Success", "Failure")
// bin outcomes based on authenticationWindow
| summarize take_anyif(UserPrincipalName, not(UserPrincipalName matches regex @"[a-f\d]+\-[a-f\d]+\-[a-f\d]+\-[a-f\d]+\-[a-f\d]+")),
take_anyif(UserDisplayName, isnotempty(UserDisplayName)), FailureOrSuccessCount = count() by FailureOrSuccess, UserId, UserDisplayName, AppDisplayName, IPAddress, Browser, OS, State, City, Region, Type, CorrelationId, bin(TimeGenerated, authenticationWindow), ResultType
// sort for sessionizing - by UserPrincipalName and time of the authentication outcome
| sort by UserPrincipalName asc, TimeGenerated asc
| serialize
// sessionize into failure groupings until either the account changes or there is a success
| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, UserPrincipalName != prev(UserPrincipalName) or prev(FailureOrSuccess) == "Success")
// count the failures in each session
| summarize FailureCountBeforeSuccess=sumif(FailureOrSuccessCount, FailureOrSuccess == "Failure"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(FailureOrSuccess), IPAddress = make_set(IPAddress), make_set(Browser), make_set(City), make_set(State), make_set(Region), make_set(ResultType) by SessionStartedUtc, UserPrincipalName, CorrelationId, AppDisplayName, UserId, Type
// the session must not start with a success, and must end with one
| where array_index_of(list_FailureOrSuccess, "Success") != 0
| where array_index_of(list_FailureOrSuccess, "Success") == array_length(list_FailureOrSuccess) - 1
| project-away SessionStartedUtc, list_FailureOrSuccess
// where the number of failures before the success is above the threshold
| where FailureCountBeforeSuccess >= failureCountThreshold
// expand out ip for entity assignment
| mv-expand IPAddress
| extend IPAddress = tostring(IPAddress)
| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress
};
let aadSignin = aadFunc("SigninLogs");
let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs");
union isfuzzy=true aadSignin, aadNonInt
@ -76,5 +75,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.1
version: 2.0.0
kind: Scheduled
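Review bot: In the first `summarize` (the `take_anyif(UserDisplayName, …)` line) `UserDisplayName` is both an aggregate output and a `by` key; Kusto names a `take_anyif` column after its argument, so this likely raises a duplicate-column error or is at best redundant — drop it from one side. Separately, the session restarts only on a UPN change or a prior success, yet the following `summarize` also groups by `CorrelationId`, so failures and the eventual success are only counted together when they share a CorrelationId; if each sign-in attempt carries its own id, `FailureCountBeforeSuccess` can never reach the threshold — please confirm against real data. `let timeRange = 24h;` caps a session and should agree with the rule's `queryPeriod`, which is outside this hunk.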


@ -23,7 +23,8 @@ query: |
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true
| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
@ -51,5 +52,5 @@ entityMappings:
fieldMappings:
- identifier: ResourceId
columnName: ResourceId
version: 1.1.0
version: 1.1.1
kind: Scheduled
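Review bot: The new `summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId` renames the indicator-side `TimeGenerated` to `LatestIndicatorTime`, so any later reference to the TI table's `TimeGenerated` (the rest of the query is outside this hunk) would now bind to the joined table or fail; worth a quick check. A one-line comment would also help the next reader, e.g. `// keep only the latest version of each indicator so a later deactivation wins over an older active copy`, which is exactly why this line must precede `| where Active == true`.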


@ -20,7 +20,8 @@ query: |
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true
| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
@ -48,5 +49,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: ClientIP
version: 1.1.0
version: 1.1.1
kind: Scheduled
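Review bot: The added `arg_max(TimeGenerated, *) by IndicatorId` correctly runs before `| where Active == true` so that a newer inactive version of an indicator suppresses its older active copy, but nothing in the hunk says so; a comment such as `// latest version per indicator first, so a later deactivation is honoured` would keep a future reorder from silently re-enabling stale IOCs. It also renames the indicator-side `TimeGenerated` to `LatestIndicatorTime`; the rest of the query is outside this hunk, so check that no later line still expects the old name.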


@ -28,7 +28,7 @@ query: |
| where isnotempty(Url)
// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
| join kind=innerunique (
OfficeActivity
OfficeActivity
| where TimeGenerated >= ago(dt_lookBack)
//Extract the Url from a number of potential fields
| extend Url = iif(OfficeWorkload == "AzureActiveDirectory",extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))
@ -37,7 +37,7 @@ query: |
| extend Url = tostring(split(Url, ';')[0])
| extend OfficeActivity_TimeGenerated = TimeGenerated
// Project a single user identity that we can use for entity mapping
| extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Vlaue)))
| extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Value)))
) on Url
| where OfficeActivity_TimeGenerated < ExpirationDateTime
| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, Url
@ -53,5 +53,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: URLCustomEntity
version: 1.2.1
kind: Scheduled
version: 1.2.2
kind: Scheduled


@ -18,7 +18,7 @@ query: |
let ExtractQueriedClusterAddress = @"([^\w]|^)adx\s*\(([^\)]*)\)";
LAQueryLogs
| where QueryText matches regex StringToSearch
| extend QueriedClusterAddress = extract_all(ExtractQueriedClusterAddress, dynamic([2]), QueryText)[0]
| mv-expand QueriedClusterAddress
| extend QueriedClusterAddress = extract_all(ExtractQueriedClusterAddress, dynamic([2]), QueryText)
| mv-expand QueriedClusterAddress to typeof(string)
| where isnotempty(QueriedClusterAddress)
| project TimeGenerated, AADEmail, QueriedClusterAddress, ResponseCode, QueryText, RequestTarget


@ -0,0 +1,21 @@
id: bfb8eaed-941c-4866-a2cc-d5d4465bfc2a
name: RedMenshen-BPFDoor-backdoor
description: |
This query was originally published by PWC Security Research Team.
BPFDoor is custom backdoor malware used by Red Menshen. The BPFDoor allows an adversary to backdoor a system and remotely execute codes without opening any new network ports or firewall rules.
References:
https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896
https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceProcessEvents
tactics:
- Execution
relevantTechniques:
- T1095
- T1059.004
- T1070
query: |
DeviceProcessEvents
| where InitiatingProcessCommandLine has ("/dev/shm/kdmtmpflush") or FileName has ("haldrund.pid", "kdevrund.pid")
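Review bot: `FileName has ("haldrund.pid", "kdevrund.pid")` passes two values to the single-term `has` operator, which is not valid KQL; use `FileName has_any ("haldrund.pid", "kdevrund.pid")`. The `.pid` files are artifacts of file writes rather than executed binaries, so they would presumably surface in `DeviceFileEvents` rather than as a `DeviceProcessEvents.FileName` — worth confirming before relying on that clause. A short comment stating which observable each clause targets (process launched from `/dev/shm`, pid-file names) would make the query easier to maintain.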


@ -0,0 +1,23 @@
id: cd1c9815-1f2c-483e-a875-b81bfcc1489b
name: detect-office-applications-spawning-msdt-CVE-2022-30190
description: |
This query detects possible abuse of ms-msdt MSProtocol URI scheme to load and execute malicious code via Microsoft Support Diagnostic Tool Vulnerability (CVE-2022-30190).
The following query detects when Microsoft Office software spawns an instance of the MSDT utility, msdt.exe.
References:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190
https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug
https://attack.mitre.org/techniques/T1221/
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceProcessEvents
tactics:
- Defense Evasion
relevantTechniques:
- T1221
query: |
// Office products spawning MSDT
DeviceProcessEvents
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe")
and FileName =~"msdt.exe"
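Review bot: `tactics: - Defense Evasion` uses a spaced name while the other rules in this commit use the single-token form (`DefenseEvasion` in the Azure DevOps rule above), so it is likely to fail schema validation or go unrecognised; change it to `- DefenseEvasion`. A brief comment noting that `msdt.exe` launched directly by an Office host is the CVE-2022-30190 indicator, and that the `in~` list can be extended with other Office executables present in the environment, would help tuning.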


@ -0,0 +1,23 @@
id: 500e4cf1-9c25-4dfa-88f1-a23d95407e35
name: Suspicious Tomcat Confluence Process Launch
description: |
The query checks for suspicious Tomcat process launches associated with likely exploitation of Confluence - CVE-2022-26134
Read more here:.
https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
https://nvd.nist.gov/vuln/detail/CVE-2022-26134
Tags: #exploit #CVE-2022-26134
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceProcessEvents
tactics:
- Execution
- Privilege Escalation
relevantTechniques:
- T1203
query: |
DeviceProcessEvents
| where InitiatingProcessFileName hasprefix "tomcat" and InitiatingProcessCommandLine has "confluence"
| where (ProcessCommandLine has_any("certutil", "whoami", "nltest", " dir ", "curl", "ifconfig", "cat ", "net user",
"net time /domain","tasklist","-c ls","ipconfig","arp","ping","net view","net group","netstat", "wmic datafile"))
or (FileName =~ "powershell.exe" and ProcessCommandLine hasprefix "-e")
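Review bot: `tactics: - Privilege Escalation` is spelled with a space whereas the KrbRelayUp rule in this commit uses `PrivilegeEscalation`; the spaced form is unlikely to validate, so use `- PrivilegeEscalation`. In the `has_any` list the padding in `" dir "` and `"cat "` is not significant to the term-based operator, so it does not narrow matches the way the author may expect; `"dir"` and `"cat"` are equivalent and clearer. `ProcessCommandLine hasprefix "-e"` is term-based as well, so confirm it matches `-enc`/`-EncodedCommand` as intended rather than any term beginning with `e`.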


@ -0,0 +1,25 @@
id: 1d468d49-ffea-4daf-ba6b-72525ec17b61
name: VMWare-LPE-2022-22960
description: |
The query checks process command being placed into the script; CVE-2022-22960 allows a user to write to it and be executed as root.
This vulnerability of VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability due to improper permissions in support scripts.
CVE: CVE-2022-22960.
Read more here:.
https://www.cisa.gov/uscert/ncas/alerts/aa22-138b
https://www.vmware.com/security/advisories/VMSA-2022-0011.html
Tags: #exploit #CVE-2022-22960
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceProcessEvents
tactics:
- Execution
- Privilege Escalation
relevantTechniques:
- T1204
- T1548
query: |
DeviceProcessEvents
| where InitiatingProcessCommandLine has ("/opt/vmware/certproxy/bing/certproxyService.sh", "/horizon/scripts/exportCustomGroupUsers.sh", "/horizon/scripts/extractUserIdFromDatabase.sh")
or FileName has ("certproxyService.sh", "exportCustomGroupUsers.sh", "extractUserIdFromDatabase.sh ")
| project Timestamp, DeviceName , FileName, ProcessCommandLine, InitiatingProcessCommandLine
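Review bot: Both `has (...)` clauses pass multiple values to the single-term `has` operator, which is not valid KQL; they should be `InitiatingProcessCommandLine has_any (...)` and `FileName has_any (...)`. The last file name carries a trailing space (`"extractUserIdFromDatabase.sh "`), and `/opt/vmware/certproxy/bing/certproxyService.sh` looks like a typo for `.../bin/...` — please check both against the linked VMware/CISA advisories. `| project Timestamp, …` assumes the Sentinel copy of `DeviceProcessEvents` exposes `Timestamp`; if only `TimeGenerated` is present the query fails, so `TimeGenerated` is the safer column.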


@ -0,0 +1,30 @@
id: 255b7323-409d-4b83-a215-34eb11b7c162
name: Endpoint Linux AV Signature and Platform Versions
description: |
This query will identify the Microsoft Defender Antivirus Engine version and Microsoft Defender Antivirus Security Intelligence version for Linux Servers.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceTvmSecureConfigurationAssessment
tactics: []
relevantTechniques: []
query: |
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId == "scid-6095" and isnotnull(Context)
| where OSPlatform =="Linux"
| extend avdata=parsejson(Context)
| extend AVSigVersion = tostring(avdata[0][0])
| extend AVEngineVersion = tostring(avdata[0][1])
| extend AVSigLastUpdateTime = tostring(avdata[0][2])
| extend AVProductVersion = tostring(avdata[0][3])
| project DeviceId, DeviceName, OSPlatform, AVSigVersion, AVEngineVersion, AVSigLastUpdateTime, AVProductVersion, IsCompliant, IsApplicable
entityMappings:
- entityType: IoT device
fieldMappings:
- identifier: DeviceId
columnName: DeviceId
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: DeviceName
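Review bot: `entityType: IoT device` does not follow the single-token entity names used elsewhere in this commit (`Account`, `Host`, `IP`, `File`); I believe the schema spells it `IoTDevice`, so please confirm before merging. The `avdata[0][0]`…`[0][3]` positional reads depend on an undocumented layout of `Context` for `scid-6095`; a comment such as `// Context for scid-6095 is assumed to be [[sigVersion, engineVersion, sigLastUpdate, productVersion]] — confirm against the MDE schema` would protect against silent mis-parsing if that layout changes. `parsejson` is the legacy alias; `parse_json` is the current name.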


@ -0,0 +1,36 @@
id: 3ad91268-5076-403d-9228-5fe8eb661ec3
name: Endpoint Linux Agent Health Status Report
description: |
This query will provide a report on Linux configurations for Microsoft Defender Endpoint Protection.
Tests which are reporting "BAD" as a result imply that the associated capability is not configured per best practice recommendation.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceTvmSecureConfigurationAssessment
tactics: []
relevantTechniques: []
query: |
DeviceTvmSecureConfigurationAssessment
| where OSPlatform == "Linux"
| where ConfigurationId in ('scid-6001', 'scid-6002', 'scid-6090', 'scid-6091', 'scid-6094', 'scid-6095')
| extend Ted = case(
ConfigurationId == "scid-6001", "SensorDataCollection",
ConfigurationId == "scid-6002", "ImpairedCommunications",
ConfigurationId == "scid-6095", "AntivirusSignatureVersion",
ConfigurationId == "scid-6090", "RealtimeProtection",
ConfigurationId == "scid-6091", "PUAProtection",
ConfigurationId == "scid-6094", "CloudProtection",
"N/A"),
Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD")
| extend packed = pack(Ted, Result)
| summarize Tests = make_bag(packed), DeviceName = any(DeviceName) by DeviceId
| evaluate bag_unpack(Tests)
entityMappings:
- entityType: IoT device
fieldMappings:
- identifier: DeviceId
columnName: DeviceId
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: FullName
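Review bot: The Host entity maps `columnName: FullName`, but the query never produces a `FullName` column — the summarize emits `DeviceName` — so the mapping is dead; change it to `columnName: DeviceName` as the sibling AV-version query does. The case-label column is named `Ted`, which says nothing about its content; `Check` or `Capability` would read better, and `any(DeviceName)` is a legacy alias for `take_any(DeviceName)`. As with the sibling query, `entityType: IoT device` should be checked against the schema's spelling.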


@ -0,0 +1,38 @@
id: 06f83b36-a1df-4045-98a5-deda74d84e4a
name: KrbRelayUp Local Privilege Escalation Service Creation
description: |
'This query detects the default service name created by KrbRelayUp. KrbRelayUp is Local Privilege Escalation tool that combine features of Rubeus and KrbRelay.
severity: High
requiredDataConnectors:
- connectorId: SecurityEvents
dataTypes:
- Event
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- PrivilegeEscalation
relevantTechniques:
- T1543
query: |
let MaliciousService = dynamic (["KrbSCM"]);
Event
| where Source == "Service Control Manager" and EventID == 7045
| parse EventData with * 'ServiceName">' ServiceName "<" * 'ImagePath">' ImagePath "<" *
| where ServiceName has_any (MaliciousService) or ImagePath has_any (MaliciousService)
| parse EventData with * 'AccountName">' AccountName "<" *
|summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, ServiceName, ImagePath, AccountName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountName
- entityType: File
fieldMappings:
- identifier: Name
columnName: ImagePath
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: Computer
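Review bot: The file ends without the `version:` and `kind:` fields that every other rule in this commit carries (e.g. `version: 1.0.0` / `kind: Scheduled`), and the description opens with a `'` that is never closed; both are likely to trip the repo's template validation. Detection-wise, `KrbSCM` is only the tool's default service name and is trivially changed by the operator, so the description should say so and the rule is best paired with one keyed on the created service's `ImagePath` rather than the name alone. The `parse … 'ServiceName">' … 'ImagePath">' …` pattern also assumes that field order in the 7045 EventData XML; a comment noting the assumption would help the next maintainer.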

1
Logos/ZeroNetworks.svg Normal file

@ -0,0 +1 @@
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 180 180"><rect width="180" height="180" fill="#08084c"/><polygon points="121.01 54.78 81.46 54.78 63.86 72.89 92.28 72.89 59.02 107.11 59.02 125.22 121.01 125.22 121.01 107.11 87.76 107.11 121.01 72.89 121.01 54.78" fill="#fff"/><path d="M59,54.78H74.33L59,70.57Zm85,66.36a8,8,0,1,0-8,8,8,8,0,0,0,8-8" fill="#39ffbd"/></svg>



4
Logos/oracle_logo.svg Normal file

@ -0,0 +1,4 @@
<svg width="75" height="75" viewBox="0 0 75 75" fill="none" xmlns="http://www.w3.org/2000/svg">
<path d="M0 51.0053H75V23.5714H0V51.0053Z" fill="#E32124"/>
<path d="M65.3392 34.5458C65.3941 34.5458 65.4505 34.5458 65.4821 34.4895C65.4903 34.4661 65.4972 34.4414 65.4972 34.418C65.4972 34.3699 65.4738 34.3301 65.434 34.3067C65.3941 34.2902 65.3543 34.2902 65.2677 34.2902H65.2279V34.5376H65.3392V34.5458ZM65.2677 34.1556C65.3859 34.1556 65.4422 34.1556 65.4903 34.1789C65.6483 34.227 65.6648 34.3699 65.6648 34.418C65.6648 34.4263 65.6648 34.4579 65.6566 34.4895C65.6483 34.5211 65.6332 34.5857 65.5453 34.6406C65.5288 34.6489 65.5288 34.6489 65.5054 34.6571L65.7047 35.0226H65.5137L65.3392 34.6887H65.2279V35.0226H65.052V34.1556H65.2677ZM65.3392 35.3798C65.7679 35.3798 66.11 35.0308 66.11 34.609C66.11 34.1789 65.7679 33.8382 65.3392 33.8382C64.9174 33.8382 64.5752 34.1789 64.5752 34.609C64.5752 35.0308 64.9174 35.3798 65.3392 35.3798ZM64.7346 34.609C64.7346 34.2751 65.0053 33.9962 65.3392 33.9962C65.6799 33.9962 65.9506 34.2751 65.9506 34.609C65.9506 34.9347 65.6731 35.2136 65.3392 35.2136C65.0122 35.2136 64.7346 34.9347 64.7346 34.609ZM59.3745 39.5157C58.3577 39.5157 57.5058 38.8314 57.2434 37.9012H62.8742L63.6532 36.692H57.2365C57.4907 35.7618 58.3577 35.0707 59.3663 35.0707H63.2479L64.0187 33.8615H59.2797C57.3794 33.8615 55.8446 35.3963 55.8446 37.2884C55.8446 39.1818 57.3794 40.7152 59.2797 40.7152H63.351L64.1218 39.5074H59.3663L59.3745 39.5157ZM43.2407 40.7234C41.3486 40.7234 39.8138 39.1886 39.8138 37.2966C39.8138 35.4046 41.3486 33.8698 43.2407 33.8698H47.9797L47.2006 35.0776H43.3204C42.0961 35.0776 41.1027 36.0724 41.1027 37.2966C41.1027 38.5209 42.0961 39.5157 43.3204 39.5157H48.0759L47.2968 40.7234H43.2256H43.2407ZM18.1935 39.5157C19.4178 39.5157 20.4194 38.5209 20.4194 37.2966C20.4194 36.0724 19.426 35.0776 18.1935 35.0776H14.3847C13.1604 35.0776 12.1656 36.0724 12.1656 37.2966C12.1656 38.5209 13.1604 39.5157 14.3847 39.5157H18.1935ZM14.2968 40.7234C12.3965 40.7234 10.8617 39.1886 10.8617 37.2966C10.8617 35.4046 12.3965 33.8698 14.2968 33.8698H18.2814C20.1735 33.8698 21.7083 35.4046 21.7083 37.2966C21.7083 39.1886 
20.1735 40.7234 18.2814 40.7234H14.2968ZM28.1799 38.5058C29.4688 38.5058 30.502 37.4642 30.502 36.1836C30.502 34.9031 29.4688 33.8615 28.1799 33.8615H22.4076V40.7234H23.7281V35.0707H28.0934C28.6979 35.0707 29.1981 35.5708 29.1981 36.1836C29.1981 36.7951 28.6979 37.2884 28.0934 37.2884H24.3711L28.2995 40.7234H30.2162L27.5685 38.5058H28.1799ZM49.9995 39.5157V33.8698H48.6873V40.0721C48.6873 40.2466 48.7519 40.406 48.8783 40.5324C49.0061 40.652 49.1806 40.7317 49.3633 40.7317H55.383L56.162 39.5225H50.0078L49.9995 39.5157ZM33.8574 38.3065H37.3804L35.52 35.3084L32.1014 40.7317H30.5501L34.7011 34.227C34.8838 33.9646 35.1861 33.8052 35.52 33.8052C35.8374 33.8052 36.1397 33.9563 36.3224 34.2119L40.4899 40.7317H38.9317L38.1994 39.5225H34.6379L33.8574 38.3148V38.3065Z" fill="#FEFEFE"/>
</svg>




@ -82,10 +82,10 @@
"contentVersion": "1.0.0.0"
},
"parameters": {
"workspaceName": {
"Workspace": {
"value": "[parameters('workspaceName')]"
},
"location": {
"WorkspaceRegion": {
"value": "[parameters('location')]"
}
}


@ -0,0 +1,45 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"Workspace": {
"type": "string",
"metadata": {
"description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
}
},
"WorkspaceRegion": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "The region of the selected workspace. The default value will use the Region selection above."
}
}
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces",
"apiVersion": "2017-03-15-preview",
"name": "[parameters('Workspace')]",
"location": "[parameters('WorkspaceRegion')]",
"resources": [
{
"type": "savedSearches",
"apiVersion": "2020-08-01",
"name": "ASIM_AADSTSErrorCodes",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
],
"properties": {
"etag": "*",
"displayName": "An ASIM function to lookup AAD STS messages",
"category": "ASIM",
"FunctionAlias": "ASIM_AADSTSErrorCodes",
"query": "let FailedReason=datatable(ResultType:string, EventResultDetails:string)[\n'0', 'Success',\n'53003', 'Logon violates policy',\n'50034', 'No such user or password',\n'50059', 'No such user or password',\n'50053', 'User locked',\n'50055', 'Password expired',\n'50056', 'Incorrect password',\n'50057', 'User disabled',\n'50058', 'Logon violates policy',\n'50011', 'Logon violates policy', \n'50064', 'No such user or password',\n'50076', 'Logon violates policy',\n'50079', 'Logon violates policy',\n'50105', 'Logon violates policy',\n'50126', 'No such user or password',\n'50126', 'No such user or password',\n'50132', 'Password expired',\n'50133', 'Password expired',\n'50144', 'Password expired',\n'50173', 'Password expired',\n'80012', 'Logon violates policy',\n'51004', 'No such user or password',\n'50072', 'Logon violates policy',\n'50005', 'Logon violates policy',\n'50020', 'Logon violates policy',\n'50074', 'Logon violates policy', \n'70008', 'Password expired',\n'700016', 'No such user or password', \n'500011', 'No such user or password' \n];\nFailedReason",
"version": 1
}
}
]
}
]
}
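Review bot: The `FailedReason` datatable lists `'50126', 'No such user or password'` twice, so any `lookup`/`join` on `ResultType` will emit two rows for that code and double-count those failures; remove the duplicate entry. It would also help to state in the saved search's `displayName`/description that this is a static lookup of AAD STS result codes rather than a parser, since the accompanying README describes it as a normalization parser.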


@ -0,0 +1,18 @@
# Azure Active Directory ASIM Normalization Parser
ARM template for ASIM schema parser for Azure Active Directory.
This ASIM function returns the AAD STS message associated with the AAD STS error codes.
The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
For more information, see:
- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
- [ASIM normalization schema reference](https://aka.ms/ASimDoc)
<br>
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASim%2FARM%2FAADSTS%2FAADSTS.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASim%2FARM%2FAADSTS%2FAADSTS.json)


@ -2,31 +2,38 @@
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
"type": "string"
"Workspace": {
"type": "string",
"metadata": {
"description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
}
},
"location": {
"type": "string"
"WorkspaceRegion": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "The region of the selected workspace. The default value will use the Region selection above."
}
}
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces",
"apiVersion": "2017-03-15-preview",
"name": "[parameters('workspaceName')]",
"location": "[parameters('location')]",
"name": "[parameters('Workspace')]",
"location": "[parameters('WorkspaceRegion')]",
"resources": [
{
"type": "savedSearches",
"apiVersion": "2020-08-01",
"name": "ASimAuthentication",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
],
"properties": {
"etag": "*",
"displayName": "ASIM Source Agnostic Authentication Parser",
"category": "Security",
"displayName": "Authentication ASIM parser",
"category": "ASIM",
"FunctionAlias": "ASimAuthentication",
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty\n , ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) ))\n , ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) ))\n , ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) ))\n , ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) ))\n , ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) ))\n , ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) ))\n , ASimAuthenticationM365Defender (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) ))\n , ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) ))\n , ASimAuthenticationMD4IoT (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) ))\n",
"version": 1,


@ -1,15 +1,18 @@
# ASIM Authentication Normalization source agnostic parser
# Source agnostic ASIM Authentication Normalization Parser
ARM template for ASIM Authentication schema parser for Source agnostic.
This ASIM parser supports normalizing Authentication logs from all supported sources to the ASIM Authentication normalized schema.ParserName: ASimAuthentication
This template deploys the ASIM Authentication source agnostic parser. The parser is a part of the Advanced Security Information Model.
The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
For more information, see:
- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
- [Microsoft Sentinel Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
<br>
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthentication%2FASimAuthentication.json)
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthentication%2FASimAuthentication.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthentication%2FASimAuthentication.json)


@ -2,33 +2,40 @@
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
"type": "string"
"Workspace": {
"type": "string",
"metadata": {
"description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
}
},
"location": {
"type": "string"
"WorkspaceRegion": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "The region of the selected workspace. The default value will use the Region selection above."
}
}
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces",
"apiVersion": "2017-03-15-preview",
"name": "[parameters('workspaceName')]",
"location": "[parameters('location')]",
"name": "[parameters('Workspace')]",
"location": "[parameters('WorkspaceRegion')]",
"resources": [
{
"type": "savedSearches",
"apiVersion": "2020-08-01",
"name": "ASimAuthenticationAADManagedIdentitySignInLogs",
"name": "ASimAuthenticationAADManagedIdentity",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
],
"properties": {
"etag": "*",
"displayName": "Azure active directory managed identity authentication",
"category": "Security",
"FunctionAlias": "ASimAuthenticationAADManagedIdentitySignInLogs",
"query": "let AADMIAuthentication=(disabled:bool=false){\n AADManagedIdentitySignInLogs | where not(disabled)\n | extend\n EventVendor = 'Microsoft'\n , EventProduct = 'AAD Managed Identity'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventResult = iff (ResultType ==0, 'Success', 'Failure')\n //, EventOriginalResultDetails = ResultType\n , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n , EventStartTime = TimeGenerated\n , EventEndTime= TimeGenerated\n , EventType= 'Logon'\n , Location = todynamic(LocationDetails)\n , TargetAppId = ResourceIdentity \n , TargetAppName=ResourceDisplayName\n , TargetUserType='ServicePrincipal'\n , TargetUsername=ServicePrincipalName\n , TargetUserId=ServicePrincipalId\n , TargetUsernameType='Simple'\n , TargetUserIdType='AADID'\n | extend\n SrcGeoCity=tostring(Location.city)\n , SrcGeoCountry=tostring(Location.countryOrRegion)\n , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | project-rename\n EventOriginalUid = Id\n , TargetSessionId = CorrelationId\n , SrcDvcIpAddr = IPAddress\n | project-reorder\n TimeGenerated\n ,EventProduct\n , EventOriginalUid\n , EventResult\n //, EventOriginalResultDetails \n , EventOriginalResultDetails\n , EventStartTime\n , EventEndTime\n , TargetSessionId\n , SrcGeoCountry\n , SrcGeoCity\n , TargetAppName\n , TargetAppId\n | lookup AADSTSErrorCodes on ResultType\n // ** Aliases\n | extend \n User=TargetUsername\n , LogonTarget=ResourceIdentity\n , Dvc=EventVendor\n };\nAADMIAuthentication(disabled)",
"displayName": "Authentication ASIM parser for AAD managed identity sign-in logs",
"category": "ASIM",
"FunctionAlias": "ASimAuthenticationAADManagedIdentity",
"query": "let AADMIAuthentication=(disabled:bool=false){\n AADManagedIdentitySignInLogs | where not(disabled)\n | extend\n EventVendor = 'Microsoft'\n , EventProduct = 'AAD'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventResult = iff (ResultType ==0, 'Success', 'Failure')\n //, EventOriginalResultDetails = ResultType\n , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n , EventStartTime = TimeGenerated\n , EventEndTime= TimeGenerated\n , EventType= 'Logon'\n , Location = todynamic(LocationDetails)\n , TargetAppId = ResourceIdentity \n , TargetAppName=ResourceDisplayName\n , TargetUserType='ServicePrincipal'\n , TargetUsername=ServicePrincipalName\n , TargetUserId=ServicePrincipalId\n , TargetUsernameType='Simple'\n , TargetUserIdType='AADID'\n | extend\n SrcGeoCity=tostring(Location.city)\n , SrcGeoCountry=tostring(Location.countryOrRegion)\n , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | project-rename\n EventOriginalUid = Id\n , TargetSessionId = CorrelationId\n , SrcDvcIpAddr = IPAddress\n | project-reorder\n TimeGenerated\n ,EventProduct\n , EventOriginalUid\n , EventResult\n //, EventOriginalResultDetails \n , EventOriginalResultDetails\n , EventStartTime\n , EventEndTime\n , TargetSessionId\n , SrcGeoCountry\n , SrcGeoCity\n , TargetAppName\n , TargetAppId\n | lookup ASIM_AADSTSErrorCodes on ResultType\n // ** Aliases\n | extend \n User=TargetUsername\n , LogonTarget=ResourceIdentity\n , Dvc=EventVendor\n };\nAADMIAuthentication(disabled)",
"version": 1,
"functionParameters": "disabled:bool=False"
}
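Review bot: The saved search `name` and `FunctionAlias` are renamed to `ASimAuthenticationAADManagedIdentity`, but the source-agnostic `ASimAuthentication` query earlier in this commit still unions `ASimAuthenticationAADManagedIdentitySignInLogs` and checks the `ExcludeASimAuthenticationAADManagedIdentitySignInLogs` watchlist key, as far as that line is the new side. Because that union is `isfuzzy=true`, a function that no longer exists is skipped silently rather than failing, so managed identity sign-ins would quietly drop out of the normalized authentication view and out of any detection built on it. Either keep the old alias here or update the union member to `ASimAuthenticationAADManagedIdentity (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentity' in (DisabledParsers) ))`, with the README's ParserName following. The enclosing JSON document starts and ends outside the hunk.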


@ -1,15 +1,18 @@
# Azure active directory managed identity signin logs ASIM Authentication Normalization Parser
# AAD ASIM Authentication Normalization Parser
ARM template for ASIM Authentication schema parser for AAD.
This ASIM parser supports normalizing Azure Active Directory Managed Identity sign in logs, stored in the AADManagedIdentitySignInLogs table, to the ASIM Authentication schema.ParserName: ASimAuthenticationAADManagedIdentitySignInLogs
This template deploys the ASIM Authentication schema parser for Azure active directory managed identity signin logs. The parser is a part of the Advanced Security Information Model.
The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
For more information, see:
- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
- [Microsoft Sentinel Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
<br>
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationAADManagedIdentity%2FASimAuthenticationAADManagedIdentity.json)
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationAADManagedIdentity%2FASimAuthenticationAADManagedIdentity.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationAADManagedIdentity%2FASimAuthenticationAADManagedIdentity.json)


@ -2,33 +2,40 @@
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
"type": "string"
"Workspace": {
"type": "string",
"metadata": {
"description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
}
},
"location": {
"type": "string"
"WorkspaceRegion": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "The region of the selected workspace. The default value will use the Region selection above."
}
}
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces",
"apiVersion": "2017-03-15-preview",
"name": "[parameters('workspaceName')]",
"location": "[parameters('location')]",
"name": "[parameters('Workspace')]",
"location": "[parameters('WorkspaceRegion')]",
"resources": [
{
"type": "savedSearches",
"apiVersion": "2020-08-01",
"name": "ASimAuthenticationAADNonInteractiveUserSignInLogs",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
],
"properties": {
"etag": "*",
"displayName": "Azure active directory non interactive authentication",
"category": "Security",
"displayName": "Authentication ASIM parser for AAD non-interactive sign-in logs",
"category": "ASIM",
"FunctionAlias": "ASimAuthenticationAADNonInteractiveUserSignInLogs",
"query": "let AADNIAuthentication=(disabled:bool=false){\n AADNonInteractiveUserSignInLogs | where not(disabled)\n | extend\n EventVendor = 'Microsoft'\n , EventProduct = 'AAD Non Interactive'\n , EventSchemaVersion='0.1.0'\n , EventCount=int(1)\n , EventResult = iff (ResultType ==0, 'Success', 'Failure')\n , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n , EventStartTime = TimeGenerated\n , EventEndTime= TimeGenerated\n , EventType= 'Logon'\n , SrcDvcId=tostring(todynamic(DeviceDetail).deviceId)\n , SrcDvcHostname =tostring(todynamic(DeviceDetail).displayName)\n , SrcDvcOs=tostring(todynamic(DeviceDetail).operatingSystem)\n , Location = todynamic(LocationDetails)\n , TargetAppId = ResourceIdentity \n , TargetUserType='NonInteractive'\n , TargetUsernameType='Upn'\n , TargetUserIdType='AADID'\n , TargetAppName=ResourceDisplayName\n | extend\n SrcGeoCity=tostring(Location.city)\n , SrcGeoCountry=tostring(Location.countryOrRegion)\n , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | project-rename\n EventOriginalUid =Id\n , LogonMethod = AuthenticationRequirement\n , HttpUserAgent=UserAgent\n , TargetSessionId=CorrelationId\n , TargetUserId = UserId\n , TargetUsername=UserPrincipalName\n , SrcDvcIpAddr=IPAddress\n | lookup AADSTSErrorCodes on ResultType\n | project-reorder\n TimeGenerated\n ,EventProduct\n , EventOriginalUid\n , EventResult\n , EventOriginalResultDetails\n , EventStartTime\n , EventEndTime\n , LogonMethod \n , TargetSessionId\n , TargetUserId\n , TargetUsername\n , SrcDvcId\n , SrcDvcHostname \n , SrcDvcOs\n , HttpUserAgent \n , SrcGeoCountry\n , SrcGeoCity\n , TargetAppId\n , TargetAppName\n // ** Aliases\n | extend \n User=TargetUsername\n , LogonTarget=ResourceIdentity\n , Dvc=EventVendor};\nAADNIAuthentication(disabled)",
"query": "let AADNIAuthentication=(disabled:bool=false){\n AADNonInteractiveUserSignInLogs | where not(disabled)\n | extend\n EventVendor = 'Microsoft'\n , EventProduct = 'AAD'\n , EventSchemaVersion='0.1.0'\n , EventCount=int(1)\n , EventResult = iff (ResultType ==0, 'Success', 'Failure')\n , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n , EventStartTime = TimeGenerated\n , EventEndTime= TimeGenerated\n , EventType= 'Logon'\n , SrcDvcId=tostring(todynamic(DeviceDetail).deviceId)\n , SrcDvcHostname =tostring(todynamic(DeviceDetail).displayName)\n , SrcDvcOs=tostring(todynamic(DeviceDetail).operatingSystem)\n , Location = todynamic(LocationDetails)\n , TargetAppId = ResourceIdentity \n , TargetUserType='NonInteractive'\n , TargetUsernameType='Upn'\n , TargetUserIdType='AADID'\n , TargetAppName=ResourceDisplayName\n | extend\n SrcGeoCity=tostring(Location.city)\n , SrcGeoCountry=tostring(Location.countryOrRegion)\n , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | project-rename\n EventOriginalUid =Id\n , LogonMethod = AuthenticationRequirement\n , HttpUserAgent=UserAgent\n , TargetSessionId=CorrelationId\n , TargetUserId = UserId\n , TargetUsername=UserPrincipalName\n , SrcDvcIpAddr=IPAddress\n | lookup ASIM_AADSTSErrorCodes on ResultType\n | project-reorder\n TimeGenerated\n ,EventProduct\n , EventOriginalUid\n , EventResult\n , EventOriginalResultDetails\n , EventStartTime\n , EventEndTime\n , LogonMethod \n , TargetSessionId\n , TargetUserId\n , TargetUsername\n , SrcDvcId\n , SrcDvcHostname \n , SrcDvcOs\n , HttpUserAgent \n , SrcGeoCountry\n , SrcGeoCity\n , TargetAppId\n , TargetAppName\n // ** Aliases\n | extend \n User=TargetUsername\n , LogonTarget=ResourceIdentity\n , Dvc=EventVendor};\nAADNIAuthentication(disabled)",
"version": 1,
"functionParameters": "disabled:bool=False"
}
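Review bot: `lookup ASIM_AADSTSErrorCodes on ResultType` in the rewritten query depends on an entity this template does not deploy (presumably a separately deployed ASIM function) and that the README only implies via "Deploy all of ASIM"; the AAD managed identity, service principal and interactive sign-in templates in this commit carry the same dependency. Unlike the `union isfuzzy=true` in the source-agnostic parser, a `lookup` against a missing table or function fails the whole query, so a standalone deployment of this parser would stop returning rows instead of degrading. Worth stating the prerequisite where deployers will see it, e.g. in the README: `Requires the ASIM_AADSTSErrorCodes function to be deployed in the same workspace; deploy the full ASIM package first.` The enclosing JSON document starts and ends outside the hunk.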


@ -1,15 +1,18 @@
# Azure active directory nonInteractive signin logs ASIM Authentication Normalization Parser
# AAD ASIM Authentication Normalization Parser
ARM template for ASIM Authentication schema parser for AAD.
This ASIM parser supports normalizing Azure Active Directory Non Interactive sign in logs, stored in the AADNonInteractiveUserSignInLogs table, to the ASIM Authentication schema.
This template deploys the ASIM Authentication schema parser for Azure active directory nonInteractive signin logs. The parser is a part of the Advanced Security Information Model.
The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
For more information, see:
- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
- [Microsoft Sentinel Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
<br>
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationAADNonInteractive%2FASimAuthenticationAADNonInteractive.json)
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationAADNonInteractive%2FASimAuthenticationAADNonInteractive.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationAADNonInteractive%2FASimAuthenticationAADNonInteractive.json)


@ -2,33 +2,40 @@
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
"type": "string"
"Workspace": {
"type": "string",
"metadata": {
"description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
}
},
"location": {
"type": "string"
"WorkspaceRegion": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "The region of the selected workspace. The default value will use the Region selection above."
}
}
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces",
"apiVersion": "2017-03-15-preview",
"name": "[parameters('workspaceName')]",
"location": "[parameters('location')]",
"name": "[parameters('Workspace')]",
"location": "[parameters('WorkspaceRegion')]",
"resources": [
{
"type": "savedSearches",
"apiVersion": "2020-08-01",
"name": "ASimAuthenticationAADServicePrincipalSignInLogs",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
],
"properties": {
"etag": "*",
"displayName": "Azure active directory service principal authentication",
"category": "Security",
"displayName": "Authentication ASIM parser for AAD service principal sign-in logs",
"category": "ASIM",
"FunctionAlias": "ASimAuthenticationAADServicePrincipalSignInLogs",
"query": "let AADSvcPrincipal=(disabled:bool=false){\n AADServicePrincipalSignInLogs | where not(disabled)\n | extend\n EventVendor = 'Microsoft'\n , EventProduct = 'AAD Service Principal'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventResult = iff (ResultType ==0, 'Success', 'Failure')\n //, EventResultDetails= ResultType\n , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n , EventStartTime = TimeGenerated\n , EventEndTime= TimeGenerated\n , EventType= 'Logon'\n , Location = todynamic(LocationDetails)\n , TargetAppId = ResourceIdentity \n , TargetAppName=ResourceDisplayName\n , TargetUserType='ServicePrincipal'\n , TargetUsername=ServicePrincipalName\n , TargetUserId=ServicePrincipalId\n , TargetUsernameType='Simple'\n , TargetUserIdType='AADID'\n | extend\n SrcGeoCity=tostring(Location.city)\n , SrcGeoCountry=tostring(Location.countryOrRegion)\n , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | project-rename\n EventOriginalUid =Id\n , TargetSessionId=CorrelationId\n , SrcDvcIpAddr=IPAddress\n | lookup AADSTSErrorCodes on ResultType\n | project-reorder\n TimeGenerated\n ,EventProduct\n , EventOriginalUid\n , EventResult\n //, EventResultDetails\n , EventOriginalResultDetails\n , EventStartTime\n , EventEndTime\n , TargetSessionId\n , SrcGeoCity\n , SrcGeoCountry\n , TargetAppId\n // ** Aliases\n | extend \n User=TargetUsername\n , LogonTarget=ResourceIdentity\n , Dvc=EventVendor};\nAADSvcPrincipal(disabled)",
"query": "let AADSvcPrincipal=(disabled:bool=false){\n AADServicePrincipalSignInLogs | where not(disabled)\n | extend\n EventVendor = 'Microsoft'\n , EventProduct = 'AAD'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventResult = iff (ResultType ==0, 'Success', 'Failure')\n //, EventResultDetails= ResultType\n , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n , EventStartTime = TimeGenerated\n , EventEndTime= TimeGenerated\n , EventType= 'Logon'\n , Location = todynamic(LocationDetails)\n , TargetAppId = ResourceIdentity \n , TargetAppName=ResourceDisplayName\n , TargetUserType='ServicePrincipal'\n , TargetUsername=ServicePrincipalName\n , TargetUserId=ServicePrincipalId\n , TargetUsernameType='Simple'\n , TargetUserIdType='AADID'\n | extend\n SrcGeoCity=tostring(Location.city)\n , SrcGeoCountry=tostring(Location.countryOrRegion)\n , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | project-rename\n EventOriginalUid =Id\n , TargetSessionId=CorrelationId\n , SrcDvcIpAddr=IPAddress\n | lookup ASIM_AADSTSErrorCodes on ResultType\n | project-reorder\n TimeGenerated\n ,EventProduct\n , EventOriginalUid\n , EventResult\n //, EventResultDetails\n , EventOriginalResultDetails\n , EventStartTime\n , EventEndTime\n , TargetSessionId\n , SrcGeoCity\n , SrcGeoCountry\n , TargetAppId\n // ** Aliases\n | extend \n User=TargetUsername\n , LogonTarget=ResourceIdentity\n , Dvc=EventVendor};\nAADSvcPrincipal(disabled)",
"version": 1,
"functionParameters": "disabled:bool=False"
}


@ -1,15 +1,18 @@
# Azure active directory service principal signin logs ASIM Authentication Normalization Parser
# AAD ASIM Authentication Normalization Parser
ARM template for ASIM Authentication schema parser for AAD.
This ASIM parser supports normalizing Azure Active Directory Service Principal sign in logs, stored in the AADServicePrincipalSignInLogs table, to the ASIM Authentication schema.
This template deploys the ASIM Authentication schema parser for Azure active directory service principal signin logs. The parser is a part of the Advanced Security Information Model.
The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
For more information, see:
- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
- [Microsoft Sentinel Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
<br>
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationAADServicePrincipalSignInLogs%2FASimAuthenticationAADServicePrincipalSignInLogs.json)
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationAADServicePrincipalSignInLogs%2FASimAuthenticationAADServicePrincipalSignInLogs.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationAADServicePrincipalSignInLogs%2FASimAuthenticationAADServicePrincipalSignInLogs.json)


@ -2,33 +2,40 @@
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
"type": "string"
"Workspace": {
"type": "string",
"metadata": {
"description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
}
},
"location": {
"type": "string"
"WorkspaceRegion": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "The region of the selected workspace. The default value will use the Region selection above."
}
}
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces",
"apiVersion": "2017-03-15-preview",
"name": "[parameters('workspaceName')]",
"location": "[parameters('location')]",
"name": "[parameters('Workspace')]",
"location": "[parameters('WorkspaceRegion')]",
"resources": [
{
"type": "savedSearches",
"apiVersion": "2020-08-01",
"name": "ASimAuthenticationSigninLogs",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
],
"properties": {
"etag": "*",
"displayName": "Azure active directory authentication",
"category": "Security",
"displayName": "Authentication ASIM parser for AAD interactive sign-in logs",
"category": "ASIM",
"FunctionAlias": "ASimAuthenticationSigninLogs",
"query": "let AADSigninLogs=(disabled:bool=false){\nSigninLogs | where not(disabled)\n| extend\n EventVendor = 'Microsoft'\n , EventProduct = 'AAD Sign In Logs'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventResult = iff (ResultType ==0, 'Success', 'Failure')\n , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n , EventStartTime = TimeGenerated\n , EventEndTime= TimeGenerated\n , EventType= 'Logon'\n , SrcDvcId=tostring(DeviceDetail.deviceId)\n , SrcDvcHostname =tostring(DeviceDetail.displayName)\n , SrcDvcOs=tostring(DeviceDetail.operatingSystem)\n // , SrcBrowser= tostring(DeviceDetail.browser)\n , Location = todynamic(LocationDetails)\n , TargetUsernameType='Upn'\n , TargetUserIdType='AADID'\n , SrcDvcIpAddr=IPAddress\n| extend\n SrcGeoCity=tostring(Location.city)\n , SrcGeoCountry=tostring(Location.countryOrRegion)\n , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | lookup AADSTSErrorCodes on ResultType\n | project-rename\n EventOriginalUid =Id\n , LogonMethod = AuthenticationRequirement\n , HttpUserAgent=UserAgent\n , TargetSessionId=CorrelationId\n , TargetUserId = UserId\n , TargetUsername=UserPrincipalName\n , TargetUserType=UserType\n , TargetAppId = ResourceIdentity\n , TargetAppName=ResourceDisplayName\n | project-reorder\n TimeGenerated\n ,EventProduct\n , EventOriginalUid\n , EventResult\n , EventOriginalResultDetails\n , EventStartTime\n , EventEndTime\n , LogonMethod \n , TargetSessionId\n , TargetUserId\n , TargetUsername\n , SrcDvcId\n , SrcDvcHostname \n , SrcDvcOs\n , HttpUserAgent \n , SrcGeoCity\n , SrcGeoCountry\n , TargetAppId\n , TargetAppName\n , SrcDvcIpAddr\n // ** Aliases\n | extend \n User=TargetUsername\n , LogonTarget=TargetAppName\n , Dvc=EventVendor};\n AADSigninLogs(disabled)\n",
"query": "let AADSigninLogs=(disabled:bool=false){\nSigninLogs | where not(disabled)\n| extend\n EventVendor = 'Microsoft'\n , EventProduct = 'AAD'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventResult = iff (ResultType ==0, 'Success', 'Failure')\n , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n , EventStartTime = TimeGenerated\n , EventEndTime= TimeGenerated\n , EventType= 'Logon'\n , SrcDvcId=tostring(DeviceDetail.deviceId)\n , SrcDvcHostname =tostring(DeviceDetail.displayName)\n , SrcDvcOs=tostring(DeviceDetail.operatingSystem)\n // , SrcBrowser= tostring(DeviceDetail.browser)\n , Location = todynamic(LocationDetails)\n , TargetUsernameType='Upn'\n , TargetUserIdType='AADID'\n , SrcDvcIpAddr=IPAddress\n| extend\n SrcGeoCity=tostring(Location.city)\n , SrcGeoCountry=tostring(Location.countryOrRegion)\n , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | lookup ASIM_AADSTSErrorCodes on ResultType\n | project-rename\n EventOriginalUid =Id\n , LogonMethod = AuthenticationRequirement\n , HttpUserAgent=UserAgent\n , TargetSessionId=CorrelationId\n , TargetUserId = UserId\n , TargetUsername=UserPrincipalName\n , TargetUserType=UserType\n , TargetAppId = ResourceIdentity\n , TargetAppName=ResourceDisplayName\n | project-reorder\n TimeGenerated\n ,EventProduct\n , EventOriginalUid\n , EventResult\n , EventOriginalResultDetails\n , EventStartTime\n , EventEndTime\n , LogonMethod \n , TargetSessionId\n , TargetUserId\n , TargetUsername\n , SrcDvcId\n , SrcDvcHostname \n , SrcDvcOs\n , HttpUserAgent \n , SrcGeoCity\n , SrcGeoCountry\n , TargetAppId\n , TargetAppName\n , SrcDvcIpAddr\n // ** Aliases\n | extend \n User=TargetUsername\n , LogonTarget=TargetAppName\n , Dvc=EventVendor};\n AADSigninLogs(disabled)\n",
"version": 1,
"functionParameters": "disabled:bool=False"
}


@ -1,15 +1,18 @@
# Azure SigninLogs ASIM Authentication Normalization Parser
# AAD ASIM Authentication Normalization Parser
ARM template for ASIM Authentication schema parser for AAD.
This ASIM parser supports normalizing Azure Active Directory Interactive sign in logs, stored in the SigninLogs table, to the ASIM Authentication schema.
This template deploys the ASIM Authentication schema parser for Azure SigninLogs. The parser is a part of the Advanced Security Information Model.
The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
For more information, see:
- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
- [Microsoft Sentinel Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
<br>
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationAADSigninLogs%2FASimAuthenticationAADSigninLogs.json)
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationAADSigninLogs%2FASimAuthenticationAADSigninLogs.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationAADSigninLogs%2FASimAuthenticationAADSigninLogs.json)


@ -2,33 +2,40 @@
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
"type": "string"
"Workspace": {
"type": "string",
"metadata": {
"description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
}
},
"location": {
"type": "string"
"WorkspaceRegion": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "The region of the selected workspace. The default value will use the Region selection above."
}
}
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces",
"apiVersion": "2017-03-15-preview",
"name": "[parameters('workspaceName')]",
"location": "[parameters('location')]",
"name": "[parameters('Workspace')]",
"location": "[parameters('WorkspaceRegion')]",
"resources": [
{
"type": "savedSearches",
"apiVersion": "2020-08-01",
"name": "ASimAuthenticationAWSCloudTrail",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
],
"properties": {
"etag": "*",
"displayName": "ASIM AWS authentication",
"category": "Security",
"displayName": "Authentication ASIM parser for AWS sign-in logs",
"category": "ASIM",
"FunctionAlias": "ASimAuthenticationAWSCloudTrail",
"query": "let AWSLogon=(disabled:bool=false){\nAWSCloudTrail | where not(disabled)\n | where EventName == 'ConsoleLogin'\n | extend\n EventVendor = 'AWS'\n , EventProduct='AWSCloudTrail'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventResult= iff (ResponseElements has_cs 'Success', 'Success', 'Failure')\n , EventStartTime=TimeGenerated\n , EventEndTime=TimeGenerated\n , EventType='Logon'\n , LogonMethod=iff(AdditionalEventData has '\"MFAUsed\": \"No\"', 'NoMFA', 'MFA')\n , TargetUrl =tostring(todynamic(AdditionalEventData).LoginTo)\n , TargetUsernameType='Simple'\n , TargetUserIdType='AWSId'\n | project-rename\n EventOriginalUid= AwsEventId\n , EventOriginalResultDetails= ErrorMessage\n , TargetUsername= UserIdentityUserName\n , TargetUserType=UserIdentityType\n , TargetUserId=UserIdentityAccountId \n , SrcDvcIpAddr=SourceIpAddress\n , HttpUserAgent=UserAgent\n// **** Aliases\n| extend\n User=TargetUsername\n , LogonTarget=tostring(split(TargetUrl,'?')[0])\n , Dvc=EventVendor\n };\n AWSLogon(disabled)\n",
"query": "let AWSLogon=(disabled:bool=false){\nAWSCloudTrail | where not(disabled)\n | where EventName == 'ConsoleLogin'\n | extend\n EventVendor = 'AWS'\n , EventProduct='CloudTrail'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventResult= iff (ResponseElements has_cs 'Success', 'Success', 'Failure')\n , EventStartTime=TimeGenerated\n , EventEndTime=TimeGenerated\n , EventType='Logon'\n , LogonMethod=iff(AdditionalEventData has '\"MFAUsed\": \"No\"', 'NoMFA', 'MFA')\n , TargetUrl =tostring(todynamic(AdditionalEventData).LoginTo)\n , TargetUsernameType='Simple'\n , TargetUserIdType='AWSId'\n | project-rename\n EventOriginalUid= AwsEventId\n , EventOriginalResultDetails= ErrorMessage\n , TargetUsername= UserIdentityUserName\n , TargetUserType=UserIdentityType\n , TargetUserId=UserIdentityAccountId \n , SrcDvcIpAddr=SourceIpAddress\n , HttpUserAgent=UserAgent\n// **** Aliases\n| extend\n User=TargetUsername\n , LogonTarget=tostring(split(TargetUrl,'?')[0])\n , Dvc=EventVendor\n };\n AWSLogon(disabled)\n",
"version": 1,
"functionParameters": "disabled:bool=False"
}
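Review bot: `LogonMethod=iff(AdditionalEventData has '"MFAUsed": "No"', 'NoMFA', 'MFA')` in the query labels every record that lacks that exact substring — including an empty or null `AdditionalEventData` — as `MFA`, so a console login whose MFA status is unknown is reported as MFA-protected; this is pre-existing behaviour the commit carries over unchanged (only `EventProduct` changed here), and whether the table ever carries such records is not visible in the hunk. A three-way mapping keeps the unknown case honest: `LogonMethod=case(AdditionalEventData has '"MFAUsed": "No"', 'NoMFA', AdditionalEventData has '"MFAUsed": "Yes"', 'MFA', '')`. The enclosing JSON document starts and ends outside the hunk.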


@ -1,15 +1,18 @@
# Amazon web services cloud trail ASIM Authentication Normalization Parser
# AWS ASIM Authentication Normalization Parser
ARM template for ASIM Authentication schema parser for AWS.
This ASIM parser supports normalizing Amazon Web Service sign in logs, stored in the AWSCloudTrail table, to the ASIM Authentication schema.
This template deploys the ASIM Authentication schema parser for Amazon web services cloud trail. The parser is a part of the Advanced Security Information Model.
The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
For more information, see:
- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
- [Microsoft Sentinel Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
<br>
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationAWSCloudTrail%2FASimAuthenticationAWSCloudTrail.json)
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationAWSCloudTrail%2FASimAuthenticationAWSCloudTrail.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationAWSCloudTrail%2FASimAuthenticationAWSCloudTrail.json)


@ -2,33 +2,40 @@
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
"type": "string"
"Workspace": {
"type": "string",
"metadata": {
"description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
}
},
"location": {
"type": "string"
"WorkspaceRegion": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "The region of the selected workspace. The default value will use the Region selection above."
}
}
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces",
"apiVersion": "2017-03-15-preview",
"name": "[parameters('workspaceName')]",
"location": "[parameters('location')]",
"name": "[parameters('Workspace')]",
"location": "[parameters('WorkspaceRegion')]",
"resources": [
{
"type": "savedSearches",
"apiVersion": "2020-08-01",
"name": "ASimAuthenticationM365Defender",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
],
"properties": {
"etag": "*",
"displayName": "ASIM Microsoft 365 Defender DeviceLogonEvent Authentication parser",
"category": "Security",
"displayName": "Authentication ASIM parser for M365 Defender Device Logon Events",
"category": "ASIM",
"FunctionAlias": "ASimAuthenticationM365Defender",
"query": "let FaliureReason=datatable(EventOriginalResultDetails:string, EventResultDetails:string)[\n 'InvalidUserNameOrPassword','No such user or password'\n ];\nlet AuthM365D=(disabled:bool=false){\n DeviceLogonEvents | where not(disabled)\n //\n | project-rename \n EventOriginalResultDetails=FailureReason \n | extend \n // ---- Event\n EventSubType=iff(LogonType=='Remote interactive (RDP) logons','RemoteInteractive',LogonType)\n , EventCount=int(1)\n , EventStartTime=TimeGenerated\n , EventEndTime=TimeGenerated\n , EventOriginalType = LogonType\n , EventProduct='M365 Defender for EndPoint'\n , EventResult = case(ActionType =='LogonSuccess', 'Success'\n , ActionType=='LogonFailed', 'Failure'\n , ActionType=='LogonAttempted', 'NA'\n , 'NA')\n , EventSchemaVersion='0.1.0'\n , EventType='Logon'\n , EventVendor ='Microsoft'\n // ---- Target and Actor Users\n | project-rename \n TargetUserId=AccountSid\n , ActorUserId =InitiatingProcessAccountSid\n , ActorUserUpn=InitiatingProcessAccountUpn\n , ActorUserObjectId=InitiatingProcessAccountObjectId\n | extend \n TargetUserIdType ='SID'\n , TargetUsername = strcat(AccountDomain,'\\\\',AccountName)\n , TargetUsernameType='Windows'\n , ActorUserIdType='SID'\n , ActorUsername=coalesce(ActorUserUpn, strcat(InitiatingProcessAccountDomain,'\\\\',InitiatingProcessAccountName)) // InitiatingProcessAccountName\n , ActorUsernameType=case(isnotempty( ActorUserUpn), 'Upn/Email'\n , isnotempty(InitiatingProcessAccountDomain), 'Windows'\n , 'Simple')\n , TargetDvcHostname=tostring(split(DeviceName,'.')[0])\n , TargetDvcFQDN=DeviceName\n | project-rename \n LogonProtocol=Protocol\n , TargetDvcId=DeviceId\n , SrcDvcIpAddr=RemoteIP\n , OriginalEventUid=ReportId\n , SrcDvcHostname=RemoteDeviceName \n //\n , ActingProcessCommandLine = InitiatingProcessCommandLine\n , ActingProcessCreationTime=InitiatingProcessCreationTime\n , ActingProcessPath=InitiatingProcessFolderPath\n , ActingProcessId=InitiatingProcessId\n , 
ActingProcessMD5=InitiatingProcessMD5\n , ActingProcessSHA1=InitiatingProcessSHA1\n , ActingProcessSHA256= InitiatingProcessSHA256\n , ActingProcessIntegrityLevel= InitiatingProcessIntegrityLevel\n , ActingProcessTokenElevation=InitiatingProcessTokenElevation\n , ParentProcessName=InitiatingProcessParentFileName\n , ParentProcessId=InitiatingProcessParentId\n , ParentProcessCreationTime=InitiatingProcessParentCreationTime\n | extend \n ActingProcessName=iff(ActingProcessPath hassuffix InitiatingProcessFileName\n , ActingProcessPath\n , strcat(ActingProcessPath,'\\\\',InitiatingProcessFileName))\n , TargetDvcHostnameType='FQDN'\n , TargetDvcIdType='MDE'\n , TargetPortNumber=RemotePort\n , TargetSessionId = tostring(LogonId)\n | lookup FaliureReason on EventOriginalResultDetails \n // TargetUrl \n // ----------- Alias\n | extend \n User=TargetUsername \n , LogonTarget=TargetDvcHostname\n , Dvc=TargetDvcHostname\n };AuthM365D(disabled)\n",
"query": "let FaliureReason=datatable(EventOriginalResultDetails:string, EventResultDetails:string)[\n 'InvalidUserNameOrPassword','No such user or password'\n ];\nlet AuthM365D=(disabled:bool=false){\n DeviceLogonEvents | where not(disabled)\n //\n | project-rename \n EventOriginalResultDetails=FailureReason \n | extend \n // ---- Event\n EventSubType=iff(LogonType=='Remote interactive (RDP) logons','RemoteInteractive',LogonType)\n , EventCount=int(1)\n , EventStartTime=TimeGenerated\n , EventEndTime=TimeGenerated\n , EventOriginalType = LogonType\n , EventProduct='M365 Defender for EndPoint'\n , EventResult = case(ActionType =='LogonSuccess', 'Success'\n , ActionType=='LogonFailed', 'Failure'\n , ActionType=='LogonAttempted', 'NA'\n , 'NA')\n , EventSchemaVersion='0.1.0'\n , EventType='Logon'\n , EventVendor ='Microsoft'\n // ---- Target and Actor Users\n | project-rename \n TargetUserId=AccountSid\n , ActorUserId =InitiatingProcessAccountSid\n , ActorUserUpn=InitiatingProcessAccountUpn\n , ActorUserObjectId=InitiatingProcessAccountObjectId\n | extend \n TargetUserIdType ='SID'\n , TargetUsername = strcat(AccountDomain,'\\\\',AccountName)\n , TargetUsernameType='Windows'\n , ActorUserIdType='SID'\n , ActorUsername=coalesce(ActorUserUpn, strcat(InitiatingProcessAccountDomain,'\\\\',InitiatingProcessAccountName)) // InitiatingProcessAccountName\n , ActorUsernameType=case(isnotempty( ActorUserUpn), 'Upn/Email'\n , isnotempty(InitiatingProcessAccountDomain), 'Windows'\n , 'Simple')\n , TargetDvcHostname=tostring(split(DeviceName,'.')[0])\n , TargetDvcFQDN=DeviceName\n | project-rename \n LogonProtocol=Protocol\n , TargetDvcId=DeviceId\n , SrcDvcIpAddr=RemoteIP\n , OriginalEventUid=ReportId\n , SrcDvcHostname=RemoteDeviceName \n //\n , ActingProcessCommandLine = InitiatingProcessCommandLine\n , ActingProcessCreationTime=InitiatingProcessCreationTime\n , ActingProcessPath=InitiatingProcessFolderPath\n , ActingProcessMD5=InitiatingProcessMD5\n , 
ActingProcessSHA1=InitiatingProcessSHA1\n , ActingProcessSHA256= InitiatingProcessSHA256\n , ActingProcessIntegrityLevel= InitiatingProcessIntegrityLevel\n , ActingProcessTokenElevation=InitiatingProcessTokenElevation\n , ParentProcessName=InitiatingProcessParentFileName\n , ParentProcessCreationTime=InitiatingProcessParentCreationTime\n | extend \n ActingProcessId=tostring(InitiatingProcessId)\n , ParentProcessId=tostring(InitiatingProcessParentId)\n , ActingProcessName=iff(ActingProcessPath hassuffix InitiatingProcessFileName\n , ActingProcessPath\n , strcat(ActingProcessPath,'\\\\',InitiatingProcessFileName))\n , TargetDvcHostnameType='FQDN'\n , TargetDvcIdType='MDE'\n , TargetPortNumber=RemotePort\n , TargetSessionId = tostring(LogonId)\n | lookup FaliureReason on EventOriginalResultDetails \n // TargetUrl \n // ----------- Alias\n | extend \n User=TargetUsername \n , LogonTarget=TargetDvcHostname\n , Dvc=TargetDvcHostname\n };AuthM365D(disabled)\n",
"version": 1,
"functionParameters": "disabled:bool=False"
}
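Review bot: The new query still renames `OriginalEventUid=ReportId`, while the AWS CloudTrail and Defender for IoT parsers in this same change populate `EventOriginalUid`; content that selects EventOriginalUid will get an empty column from this parser, so the rename should read `, EventOriginalUid=ReportId`. The helper datatable is spelled `FaliureReason` both at its definition and in the `| lookup FaliureReason on EventOriginalResultDetails` line; it is internal to the function so renaming it is cosmetic, but it is worth fixing alongside. The enclosing savedSearches object continues outside the hunk.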


@ -1,15 +1,18 @@
# Microsoft 365 Defender ASIM Authentication Normalization Parser
# M365 Defender for EndPoint ASIM Authentication Normalization Parser
ARM template for ASIM Authentication schema parser for M365 Defender for EndPoint.
This ASIM parser supports normalizing endpoint authentication events, collected by Microsoft 365 Defender for Endpoint, stored in the DeviceLogonEvents table, to the ASIM Authentication schema.
This template deploys the ASIM Authentication schema parser for Microsoft 365 Defender. The parser is a part of the Advanced Security Information Model.
The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
For more information, see:
- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
- [Microsoft Sentinel Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
<br>
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationM365Defender%2FASimAuthenticationM365Defender.json)
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationM365Defender%2FASimAuthenticationM365Defender.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationM365Defender%2FASimAuthenticationM365Defender.json)


@ -2,33 +2,40 @@
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
"type": "string"
"Workspace": {
"type": "string",
"metadata": {
"description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
}
},
"location": {
"type": "string"
"WorkspaceRegion": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "The region of the selected workspace. The default value will use the Region selection above."
}
}
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces",
"apiVersion": "2017-03-15-preview",
"name": "[parameters('workspaceName')]",
"location": "[parameters('location')]",
"name": "[parameters('Workspace')]",
"location": "[parameters('WorkspaceRegion')]",
"resources": [
{
"type": "savedSearches",
"apiVersion": "2020-08-01",
"name": "ASimAuthenticationMD4IoT",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
],
"properties": {
"etag": "*",
"displayName": "ASIM Authentication Parser for Microsoft Defender for IoT - Endpoint",
"category": "Security",
"displayName": "Authentication ASIM parser for Microsoft Defender for IoT endpoint logs",
"category": "ASIM",
"FunctionAlias": "ASimAuthenticationMD4IoT",
"query": "let Authentication_MD4IoT=(disabled:bool=false)\n {\n SecurityIoTRawEvent | where not(disabled)\n | where RawEventName == \"Login\" \n | extend\n EventDetails = todynamic(EventDetails)\n //\n | extend\n EventOriginalUid = tostring(EventDetails.OriginalEventId), \n EventProduct = 'Azure Defender for IoT',\n EventCount=int(1),\n EventVendor = 'Microsoft', \n EventSchemaVersion = '0.1.0', \n EventStartTime = todatetime(EventDetails.TimestampUTC), \n EventEndTime = todatetime(TimeGenerated), \n EventType = iff (EventDetails.Operation == 'Logout', 'Logoff', 'Logon'), \n EventResult = iff (EventDetails.Operation == 'LoginFailed', 'Failure', 'Success') \n //\n | extend\n ActingProcessId = tostring(EventDetails.ProcessId), \n ActingProcessName = tostring(EventDetails.Executable), // -- Linux input device or service used to authenticate, for example pts/1, tty1, pts/0, ssh:notty \n DvcOs = iif (EventDetails.MessageSource == \"Linux\", \"Linux\", \"Windows\"), // -- Intermediate fix\n TargetUsernameType = \"Simple\",\n TargetUsername = tostring(EventDetails.UserName),\n SrcIpAddr = tostring(EventDetails.RemoteAddress) \n | project-rename\n DvcHostname = DeviceId, \n EventProductVersion = AgentVersion, // -- Not available in Windows\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId \n //\n // -- aliases\n | extend \n User = TargetUsername, \n Process = ActingProcessName, \n Dvc = DvcHostname,\n SrcDvcIpAddr = SrcIpAddr,\n IpAddr = SrcIpAddr\n };\n Authentication_MD4IoT(disabled)",
"query": "let Authentication_MD4IoT=(disabled:bool=false)\n {\n SecurityIoTRawEvent | where not(disabled)\n | where RawEventName == \"Login\" \n | extend\n EventDetails = todynamic(EventDetails)\n //\n | extend\n EventOriginalUid = tostring(EventDetails.OriginalEventId), \n EventProduct = 'Microsoft Defender for IoT',\n EventCount=int(1),\n EventVendor = 'Microsoft', \n EventSchemaVersion = '0.1.0', \n EventStartTime = todatetime(EventDetails.TimestampUTC), \n EventEndTime = todatetime(TimeGenerated), \n EventType = iff (EventDetails.Operation == 'Logout', 'Logoff', 'Logon'), \n EventResult = iff (EventDetails.Operation == 'LoginFailed', 'Failure', 'Success') \n //\n | extend\n ActingProcessId = tostring(EventDetails.ProcessId), \n ActingProcessName = tostring(EventDetails.Executable), // -- Linux input device or service used to authenticate, for example pts/1, tty1, pts/0, ssh:notty \n DvcOs = iif (EventDetails.MessageSource == \"Linux\", \"Linux\", \"Windows\"), // -- Intermediate fix\n TargetUsernameType = \"Simple\",\n TargetUsername = tostring(EventDetails.UserName),\n SrcIpAddr = tostring(EventDetails.RemoteAddress) \n | project-rename\n DvcHostname = DeviceId, \n EventProductVersion = AgentVersion, // -- Not available in Windows\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId \n //\n // -- aliases\n | extend \n User = TargetUsername, \n Process = ActingProcessName, \n Dvc = DvcHostname,\n SrcDvcIpAddr = SrcIpAddr,\n IpAddr = SrcIpAddr\n };\n Authentication_MD4IoT(disabled)",
"version": 1,
"functionParameters": "disabled:bool=False"
}
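Review bot: The new query keeps `DvcOs = iif (EventDetails.MessageSource == "Linux", "Linux", "Windows")` annotated only with `// -- Intermediate fix`, which does not tell a reader that every non-Linux MessageSource value is reported as Windows, so a consumer cannot tell an observed OS from a defaulted one. Suggest `// -- Intermediate fix: MessageSource only identifies Linux; any other value is mapped to Windows` in its place. Similarly `EventResult` maps every Operation other than 'LoginFailed' to 'Success', including 'Logout'; a short comment stating that logoff events are always recorded as successful would make the intent explicit. The enclosing savedSearches object continues outside the hunk.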


@ -1,15 +1,18 @@
# Microsoft Defender for IoT - Endpoint ASIM Authentication Normalization Parser
# Microsoft Defender for IoT ASIM Authentication Normalization Parser
ARM template for ASIM Authentication schema parser for Microsoft Defender for IoT.
This ASIM parser supports normalizing Microsoft Defender for IoT endpoint logs to the ASIM Authentication schema.
This template deploys the ASIM Authentication schema parser for Microsoft Defender for IoT - Endpoint. The parser is a part of the Advanced Security Information Model.
The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
For more information, see:
- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
- [Microsoft Sentinel Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
<br>
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationMicrosoftMD4IoT%2FASimAuthenticationMicrosoftMD4IoT.json)
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationMicrosoftMD4IoT%2FASimAuthenticationMicrosoftMD4IoT.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationMicrosoftMD4IoT%2FASimAuthenticationMicrosoftMD4IoT.json)



@ -1,15 +1,18 @@
# Microsoft Windows Events ASIM Authentication Normalization Parser
# Windows Security Events ASIM Authentication Normalization Parser
ARM template for ASIM Authentication schema parser for Windows Security Events.
This ASIM parser supports normalizing Windows Authentication events (4624, 4625, 4634, and 4647), collected either by the Log Analytics Agent or the Azure Monitor Agent, into either the WindowsEvent (WEF) or SecurityEvent tables, to the ASIM Authentication schema.
This template deploys the ASIM Authentication schema parser for Microsoft Windows Events. The parser is a part of the Advanced Security Information Model.
The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
For more information, see:
- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
- [Microsoft Sentinel Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
<br>
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationMicrosoftWindowsEvent%2FASimAuthenticationMicrosoftWindowsEvent.json)
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationMicrosoftWindowsEvent%2FASimAuthenticationMicrosoftWindowsEvent.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationMicrosoftWindowsEvent%2FASimAuthenticationMicrosoftWindowsEvent.json)


@ -2,31 +2,38 @@
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
"type": "string"
"Workspace": {
"type": "string",
"metadata": {
"description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
}
},
"location": {
"type": "string"
"WorkspaceRegion": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "The region of the selected workspace. The default value will use the Region selection above."
}
}
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces",
"apiVersion": "2017-03-15-preview",
"name": "[parameters('workspaceName')]",
"location": "[parameters('location')]",
"name": "[parameters('Workspace')]",
"location": "[parameters('WorkspaceRegion')]",
"resources": [
{
"type": "savedSearches",
"apiVersion": "2020-08-01",
"name": "ASimAuthenticationOktaSSO",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
],
"properties": {
"etag": "*",
"displayName": "ASIM Okta identity management authentication parser",
"category": "Security",
"displayName": "Authentication ASIM parser for Okta",
"category": "ASIM",
"FunctionAlias": "ASimAuthenticationOktaSSO",
"query": "let OktaSignin=(disabled:bool=false){\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED','DENY']);\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n // https://developer.okta.com/docs/reference/api/event-types/#catalog\n Okta_CL | where not(disabled)\n | where eventType_s in (OktaSigninEvents)\n | extend \n EventProduct='Okta'\n , EventVendor='Okta'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventResult = case (outcome_result_s in (OktaSuccessfulOutcome), 'Success',outcome_result_s in (OktaFailedOutcome),'Failure', 'Partial')\n , EventStartTime=TimeGenerated\n , EventEndTime=TimeGenerated\n , EventType=iff(eventType_s hassuffix 'start', 'Logon', 'Logoff')\n , EventSubType=legacyEventType_s\n , TargetUserIdType='OktaId'\n , TargetUsernameType='Upn'\n , SrcGeoLatitude=toreal(client_geographicalContext_geolocation_lat_d)\n , SrcGeoLongitude=toreal(client_geographicalContext_geolocation_lon_d)\n , ActingAppType = \"Browser\"\n | project-rename \n EventMessage=displayMessage_s\n ,EventOriginalResultDetails=outcome_reason_s\n , LogonMethod = authenticationContext_credentialType_s\n , TargetSessionId=authenticationContext_externalSessionId_s\n , TargetUserId= actor_id_s\n , TargetUsername=actor_alternateId_s\n , TargetUserType=actor_type_s\n , SrcDvcOs=client_userAgent_os_s\n , HttpUserAgent=client_userAgent_rawUserAgent_s\n , ActingAppName = client_userAgent_browser_s\n , SrcIsp=securityContext_isp_s\n , SrcGeoCity=client_geographicalContext_city_s\n , SrcGeoCountry=client_geographicalContext_country_s\n , EventOriginalUid = uuid_g\n | project-reorder\n EventProduct\n , EventOriginalUid\n , TimeGenerated\n , EventMessage\n , EventResult\n , EventOriginalResultDetails\n , EventStartTime\n , EventEndTime\n , EventType\n , EventSubType\n , LogonMethod\n , TargetSessionId\n , TargetUserId\n , TargetUsername\n , TargetUserType\n , SrcDvcOs\n , HttpUserAgent\n 
, SrcIsp\n , SrcGeoCity\n , SrcGeoCountry\n , SrcGeoLongitude\n , SrcGeoLatitude\n // ** Aliases\n | extend \n User=TargetUsername\n , Dvc=EventVendor\n };\nOktaSignin(disabled)\n",
"version": 1,
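Review bot: `TargetUsernameType='Upn'` in the Okta query does not match the `'Upn/Email'` value the M365 Defender parser in this same change assigns to ActorUsernameType for UPN-style names, so content that filters on the username type will not treat the two sources alike. I could not confirm the canonical enumeration value from this page; please check it against the Authentication schema reference linked in the README and align both parsers on one spelling. The query line appears unchanged by this hunk, and the savedSearches object continues past it.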


@ -1,15 +1,18 @@
# Okta identity management ASIM Authentication Normalization Parser
# Okta ASIM Authentication Normalization Parser
ARM template for ASIM Authentication schema parser for Okta.
This ASIM parser supports normalizing Okta sign in logs, stored in the Okta_CL table, to the ASIM Authentication schema.
This template deploys the ASIM Authentication schema parser for Okta identity management. The parser is a part of the Advanced Security Information Model.
The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
For more information, see:
- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
- [Microsoft Sentinel Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
<br>
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationOktaOSS%2FASimAuthenticationOktaOSS.json)
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationOktaOSS%2FASimAuthenticationOktaOSS.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationOktaOSS%2FASimAuthenticationOktaOSS.json)



@ -0,0 +1,18 @@
# PostgreSQL ASIM Authentication Normalization Parser
ARM template for ASIM Authentication schema parser for PostgreSQL.
This ASIM parser supports normalizing PostgreSQL sign in logs to the ASIM Authentication schema.
The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
For more information, see:
- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
<br>
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationPostgreSQL%2FASimAuthenticationPostgreSQL.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationPostgreSQL%2FASimAuthenticationPostgreSQL.json)


@ -2,51 +2,38 @@
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
"type": "string"
"Workspace": {
"type": "string",
"metadata": {
"description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
}
},
"location": {
"type": "string"
"WorkspaceRegion": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "The region of the selected workspace. The default value will use the Region selection above."
}
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedAADSTSErrCodes",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/AADSTSErrorCodes/AADSTSErrorCodes.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"workspaceName": {
"value": "[parameters('workspaceName')]"
},
"location": {
"value": "[parameters('location')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedAuthenticationAADManagedIdentity",
"name": "linkedAADSTS",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADManagedIdentity/ASimAuthenticationAADManagedIdentity.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/AADSTS/AADSTS.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"workspaceName": {
"value": "[parameters('workspaceName')]"
"Workspace": {
"value": "[parameters('Workspace')]"
},
"location": {
"value": "[parameters('location')]"
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
@ -54,87 +41,7 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedAuthenticationAADNonInteractive",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADNonInteractive/ASimAuthenticationAADNonInteractive.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"workspaceName": {
"value": "[parameters('workspaceName')]"
},
"location": {
"value": "[parameters('location')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedAuthenticationAADServicePrincipalSignInLogs",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADServicePrincipalSignInLogs/ASimAuthenticationAADServicePrincipalSignInLogs.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"workspaceName": {
"value": "[parameters('workspaceName')]"
},
"location": {
"value": "[parameters('location')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedAuthenticationAADSigninLogs",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADSigninLogs/ASimAuthenticationAADSigninLogs.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"workspaceName": {
"value": "[parameters('workspaceName')]"
},
"location": {
"value": "[parameters('location')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedAuthenticationAWSCloudTrail",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationAWSCloudTrail/ASimAuthenticationAWSCloudTrail.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"workspaceName": {
"value": "[parameters('workspaceName')]"
},
"location": {
"value": "[parameters('location')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedAuthenticationGeneric",
"name": "linkedASimAuthentication",
"properties": {
"mode": "Incremental",
"templateLink": {
@ -142,11 +49,11 @@
"contentVersion": "1.0.0.0"
},
"parameters": {
"workspaceName": {
"value": "[parameters('workspaceName')]"
"Workspace": {
"value": "[parameters('Workspace')]"
},
"location": {
"value": "[parameters('location')]"
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
@ -154,7 +61,107 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedAuthenticationM365D",
"name": "linkedASimAuthenticationAADManagedIdentity",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADManagedIdentity/ASimAuthenticationAADManagedIdentity.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimAuthenticationAADNonInteractive",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADNonInteractive/ASimAuthenticationAADNonInteractive.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimAuthenticationAADServicePrincipalSignInLogs",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADServicePrincipalSignInLogs/ASimAuthenticationAADServicePrincipalSignInLogs.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimAuthenticationAADSigninLogs",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADSigninLogs/ASimAuthenticationAADSigninLogs.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimAuthenticationAWSCloudTrail",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationAWSCloudTrail/ASimAuthenticationAWSCloudTrail.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimAuthenticationM365Defender",
"properties": {
"mode": "Incremental",
"templateLink": {
@ -162,11 +169,11 @@
"contentVersion": "1.0.0.0"
},
"parameters": {
"workspaceName": {
"value": "[parameters('workspaceName')]"
"Workspace": {
"value": "[parameters('Workspace')]"
},
"location": {
"value": "[parameters('location')]"
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
@ -174,7 +181,7 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedAuthenticationMicrosoftMD4IoT",
"name": "linkedASimAuthenticationMicrosoftMD4IoT",
"properties": {
"mode": "Incremental",
"templateLink": {
@ -182,11 +189,11 @@
"contentVersion": "1.0.0.0"
},
"parameters": {
"workspaceName": {
"value": "[parameters('workspaceName')]"
"Workspace": {
"value": "[parameters('Workspace')]"
},
"location": {
"value": "[parameters('location')]"
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
@ -194,7 +201,7 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedAuthenticationMicrosoftWindowsEvent",
"name": "linkedASimAuthenticationMicrosoftWindowsEvent",
"properties": {
"mode": "Incremental",
"templateLink": {
@ -202,11 +209,11 @@
"contentVersion": "1.0.0.0"
},
"parameters": {
"workspaceName": {
"value": "[parameters('workspaceName')]"
"Workspace": {
"value": "[parameters('Workspace')]"
},
"location": {
"value": "[parameters('location')]"
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
@ -214,7 +221,7 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedAuthenticationOktaOSS",
"name": "linkedASimAuthenticationOktaOSS",
"properties": {
"mode": "Incremental",
"templateLink": {
@ -222,11 +229,11 @@
"contentVersion": "1.0.0.0"
},
"parameters": {
"workspaceName": {
"value": "[parameters('workspaceName')]"
"Workspace": {
"value": "[parameters('Workspace')]"
},
"location": {
"value": "[parameters('location')]"
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
@ -234,7 +241,27 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedimAuthenticationGeneric",
"name": "linkedASimAuthenticationPostgreSQL",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationPostgreSQL/ASimAuthenticationPostgreSQL.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedimAuthentication",
"properties": {
"mode": "Incremental",
"templateLink": {
@ -242,11 +269,11 @@
"contentVersion": "1.0.0.0"
},
"parameters": {
"workspaceName": {
"value": "[parameters('workspaceName')]"
"Workspace": {
"value": "[parameters('Workspace')]"
},
"location": {
"value": "[parameters('location')]"
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
@ -262,11 +289,11 @@
"contentVersion": "1.0.0.0"
},
"parameters": {
"workspaceName": {
"value": "[parameters('workspaceName')]"
"Workspace": {
"value": "[parameters('Workspace')]"
},
"location": {
"value": "[parameters('location')]"
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
@ -282,11 +309,11 @@
"contentVersion": "1.0.0.0"
},
"parameters": {
"workspaceName": {
"value": "[parameters('workspaceName')]"
"Workspace": {
"value": "[parameters('Workspace')]"
},
"location": {
"value": "[parameters('location')]"
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
@ -302,11 +329,11 @@
"contentVersion": "1.0.0.0"
},
"parameters": {
"workspaceName": {
"value": "[parameters('workspaceName')]"
"Workspace": {
"value": "[parameters('Workspace')]"
},
"location": {
"value": "[parameters('location')]"
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
@ -322,11 +349,11 @@
"contentVersion": "1.0.0.0"
},
"parameters": {
"workspaceName": {
"value": "[parameters('workspaceName')]"
"Workspace": {
"value": "[parameters('Workspace')]"
},
"location": {
"value": "[parameters('location')]"
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
@ -342,91 +369,11 @@
"contentVersion": "1.0.0.0"
},
"parameters": {
"workspaceName": {
"value": "[parameters('workspaceName')]"
"Workspace": {
"value": "[parameters('Workspace')]"
},
"location": {
"value": "[parameters('location')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimAuthenticationM365D",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationM365Defender/vimAuthenticationM365Defender.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"workspaceName": {
"value": "[parameters('workspaceName')]"
},
"location": {
"value": "[parameters('location')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimAuthenticationMicrosoftMD4IoT",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftMD4IoT/vimAuthenticationMicrosoftMD4IoT.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"workspaceName": {
"value": "[parameters('workspaceName')]"
},
"location": {
"value": "[parameters('location')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimAuthenticationMicrosoftWindowsEvent",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/vimAuthenticationMicrosoftWindowsEvent.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"workspaceName": {
"value": "[parameters('workspaceName')]"
},
"location": {
"value": "[parameters('location')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimAuthenticationOktaOSS",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaOSS/vimAuthenticationOktaOSS.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"workspaceName": {
"value": "[parameters('workspaceName')]"
},
"location": {
"value": "[parameters('location')]"
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
@ -443,14 +390,114 @@
},
"parameters": {
"Workspace": {
"value": "[parameters('workspaceName')]"
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('location')]"
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimAuthenticationM365Defender",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationM365Defender/vimAuthenticationM365Defender.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimAuthenticationMicrosoftMD4IoT",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftMD4IoT/vimAuthenticationMicrosoftMD4IoT.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimAuthenticationMicrosoftWindowsEvent",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/vimAuthenticationMicrosoftWindowsEvent.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimAuthenticationOktaOSS",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaOSS/vimAuthenticationOktaOSS.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimAuthenticationPostgreSQL",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationPostgreSQL/vimAuthenticationPostgreSQL.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
}
],
],
"outputs": {}
}
}


@ -0,0 +1,17 @@
# Advanced Security Information Model (ASIM) Authentication parsers
This template deploys all ASIM Authentication parsers.
The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
For more information, see:
- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
<br>
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/ASimAuthenticationARM) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/ASimAuthenticationARMgov)
<br>


@ -1,15 +1,18 @@
# Microsoft Windows Events ASIM Authentication Normalization Parser
# Source agnostic ASIM Authentication Normalization Parser
ARM template for ASIM Authentication schema parser for Source agnostic.
This ASIM parser supports filtering and normalizing Authentication logs from all supported sources to the ASIM Authentication normalized schema.
This template deploys the ASIM Authentication schema parser for Microsoft Windows Events. The parser is a part of the Advanced Security Information Model.
The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
For more information, see:
- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
- [Microsoft Sentinel Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
<br>
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FimAuthentication%2FimAuthentication.json)
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FimAuthentication%2FimAuthentication.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FimAuthentication%2FimAuthentication.json)


@ -2,35 +2,42 @@
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
"type": "string"
"Workspace": {
"type": "string",
"metadata": {
"description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
}
},
"location": {
"type": "string"
"WorkspaceRegion": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "The region of the selected workspace. The default value will use the Region selection above."
}
}
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces",
"apiVersion": "2017-03-15-preview",
"name": "[parameters('workspaceName')]",
"location": "[parameters('location')]",
"name": "[parameters('Workspace')]",
"location": "[parameters('WorkspaceRegion')]",
"resources": [
{
"type": "savedSearches",
"apiVersion": "2020-08-01",
"name": "imAuthentication",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
],
"properties": {
"etag": "*",
"displayName": "ASIM Source Agnostic Authentication Parser",
"category": "Security",
"displayName": "Authentication ASIM filtering parser",
"category": "ASIM",
"FunctionAlias": "imAuthentication",
"query": "let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\"){\nlet DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imAuthenticationDisabled=toscalar('ExcludeimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty\n , vimAuthenticationAADManagedIdentitySignInLogs (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADNonInteractiveUserSignInLogs(starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADServicePrincipalSignInLogs (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationSigninLogs (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSigninLogs' in (DisabledParsers) )))\n , vimAuthenticationAWSCloudTrail (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAWSCloudTrail' in (DisabledParsers) )))\n , vimAuthenticationOktaSSO (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationOktaSSO' in (DisabledParsers) )))\n , vimAuthenticationM365Defender (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationM365Defender' in (DisabledParsers) )))\n , vimAuthenticationMicrosoftWindowsEvent (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )))\n , 
vimAuthenticationMD4IoT (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationMD4IoT' in (DisabledParsers) )))\n };\nGeneric(starttime, endtime, targetusername_has)\n",
"version": 1,
"functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string='*'"
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*'"
}
}
]
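Review bot: The `imAuthentication` union in the `query` property (the wrapped line beginning `let Generic=`) enumerates nine source-specific parsers but no PostgreSQL one, while the full-deployment template in this same commit adds a `linkedvimAuthenticationPostgreSQL` deployment; unless PostgreSQL is deliberately kept out of the source-agnostic parser, authentication events from that source never reach `imAuthentication` or any detection built on it. Because the union is `isfuzzy=true`, a missing or misnamed member is silently dropped rather than reported, so a coverage gap of this kind surfaces as empty results instead of an error. If PostgreSQL belongs here, append a member shaped like the existing ones, e.g. `, vimAuthenticationPostgreSQL (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationPostgreSQL' in (DisabledParsers) )))` — I am inferring that alias from the deployment name, so confirm it against that parser's `FunctionAlias`. Either way, a short note in the README listing exactly which sources the union covers would let operators spot such gaps without reading the KQL.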


@ -1,15 +1,18 @@
# Azure active directory managed identity signin logs ASIM Authentication Normalization Parser
# AAD ASIM Authentication Normalization Parser
ARM template for ASIM Authentication schema parser for AAD.
This ASIM parser supports filtering and normalizing Azure Active Directory Managed Identity sign in logs, stored in the AADManagedIdentitySignInLogs table, to the ASIM Authentication schema.
This template deploys the ASIM Authentication schema parser for Azure active directory managed identity signin logs. The parser is a part of the Advanced Security Information Model.
The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
For more information, see:
- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
- [Microsoft Sentinel Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
<br>
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAADManagedIdentity%2FvimAuthenticationAADManagedIdentity.json)
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAADManagedIdentity%2FvimAuthenticationAADManagedIdentity.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAADManagedIdentity%2FvimAuthenticationAADManagedIdentity.json)


@ -2,35 +2,42 @@
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
"type": "string"
"Workspace": {
"type": "string",
"metadata": {
"description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
}
},
"location": {
"type": "string"
"WorkspaceRegion": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "The region of the selected workspace. The default value will use the Region selection above."
}
}
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces",
"apiVersion": "2017-03-15-preview",
"name": "[parameters('workspaceName')]",
"location": "[parameters('location')]",
"name": "[parameters('Workspace')]",
"location": "[parameters('WorkspaceRegion')]",
"resources": [
{
"type": "savedSearches",
"apiVersion": "2020-08-01",
"name": "vimAuthenticationAADManagedIdentitySignInLogs",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
],
"properties": {
"etag": "*",
"displayName": "Azure active directory managed identity authentication",
"category": "Security",
"displayName": "Authentication ASIM filtering parser for AAD managed identity sign-in logs",
"category": "ASIM",
"FunctionAlias": "vimAuthenticationAADManagedIdentitySignInLogs",
"query": "let AADMIAuthentication=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\", disabled:bool=false){\n AADManagedIdentitySignInLogs | where not(disabled)\n // ************************************************************************* \n // <Prefilterring>\n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has=='*' or (ServicePrincipalName has targetusername_has))\n // ************************************************************************* \n // </Prefilterring>\n // ************************************************************************* \n | extend\n EventVendor = 'Microsoft'\n , EventProduct = 'AAD Managed Identity'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventResult = iff (ResultType ==0, 'Success', 'Failure')\n //, EventOriginalResultDetails = ResultType\n , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n , EventStartTime = TimeGenerated\n , EventEndTime= TimeGenerated\n , EventType= 'Logon'\n , Location = todynamic(LocationDetails)\n , TargetAppId = ResourceIdentity \n , TargetAppName=ResourceDisplayName\n , TargetUserType='ServicePrincipal'\n , TargetUsername=ServicePrincipalName\n , TargetUserId=ServicePrincipalId\n , TargetUsernameType='Simple'\n , TargetUserIdType='AADID'\n | extend\n SrcGeoCity=tostring(Location.city)\n , SrcGeoCountry=tostring(Location.countryOrRegion)\n , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | project-rename\n EventOriginalUid = Id\n , TargetSessionId = CorrelationId\n , SrcDvcIpAddr = IPAddress\n | project-reorder\n TimeGenerated\n ,EventProduct\n , EventOriginalUid\n , EventResult\n //, EventOriginalResultDetails \n , EventOriginalResultDetails\n , EventStartTime\n , EventEndTime\n , 
TargetSessionId\n , SrcGeoCountry\n , SrcGeoCity\n , TargetAppName\n , TargetAppId\n | lookup AADSTSErrorCodes on ResultType\n // ** Aliases\n | extend \n User=TargetUsername\n , LogonTarget=ResourceIdentity\n , Dvc=EventVendor\n };\nAADMIAuthentication(starttime, endtime, targetusername_has, disabled)",
"query": "let AADMIAuthentication=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\", disabled:bool=false){\n AADManagedIdentitySignInLogs | where not(disabled)\n // ************************************************************************* \n // <Prefilterring>\n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has=='*' or (ServicePrincipalName has targetusername_has))\n // ************************************************************************* \n // </Prefilterring>\n // ************************************************************************* \n | extend\n EventVendor = 'Microsoft'\n , EventProduct = 'AAD'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventResult = iff (ResultType ==0, 'Success', 'Failure')\n //, EventOriginalResultDetails = ResultType\n , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n , EventStartTime = TimeGenerated\n , EventEndTime= TimeGenerated\n , EventType= 'Logon'\n , Location = todynamic(LocationDetails)\n , TargetAppId = ResourceIdentity \n , TargetAppName=ResourceDisplayName\n , TargetUserType='ServicePrincipal'\n , TargetUsername=ServicePrincipalName\n , TargetUserId=ServicePrincipalId\n , TargetUsernameType='Simple'\n , TargetUserIdType='AADID'\n | extend\n SrcGeoCity=tostring(Location.city)\n , SrcGeoCountry=tostring(Location.countryOrRegion)\n , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | project-rename\n EventOriginalUid = Id\n , TargetSessionId = CorrelationId\n , SrcDvcIpAddr = IPAddress\n | project-reorder\n TimeGenerated\n ,EventProduct\n , EventOriginalUid\n , EventResult\n //, EventOriginalResultDetails \n , EventOriginalResultDetails\n , EventStartTime\n , EventEndTime\n , TargetSessionId\n , 
SrcGeoCountry\n , SrcGeoCity\n , TargetAppName\n , TargetAppId\n | lookup ASIM_AADSTSErrorCodes on ResultType\n // ** Aliases\n | extend \n User=TargetUsername\n , LogonTarget=ResourceIdentity\n , Dvc=EventVendor\n };\nAADMIAuthentication(starttime, endtime, targetusername_has, disabled)",
"version": 1,
"functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string='*', disabled:bool=False"
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False"
}
}
]
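Review bot: The rewritten `query` now ends with `| lookup ASIM_AADSTSErrorCodes on ResultType`, but the saved search's `dependsOn` still lists only the workspace and nothing in this template deploys or documents `ASIM_AADSTSErrorCodes`; a workspace that installs this parser alone through the README's per-parser button gets a function that resolves at deployment time and only fails when first run, since KQL function references are not validated by ARM. A one-line prerequisite in the README or in the `Workspace` parameter's `description`, e.g. `Requires the ASIM_AADSTSErrorCodes function to be deployed in the same workspace (see the Deploy all of ASIM link).`, would make the dependency explicit. Separately, `EventProduct` changes from `'AAD Managed Identity'` to `'AAD'`, so any analytic or workbook filtering on the old value silently returns nothing after this deploys; if the consolidation is intended, the README should state that managed-identity sign-ins are now distinguished by other fields (the query still sets `TargetUserType='ServicePrincipal'`, though I cannot tell from here whether that alone is unique to this parser).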


@ -1,15 +1,18 @@
# Azure active directory nonInteractive signin logs ASIM Authentication Normalization Parser
# AAD ASIM Authentication Normalization Parser
ARM template for ASIM Authentication schema parser for AAD.
This ASIM parser supports filtering and normalizing Azure Active Directory Non Interactive sign in logs, stored in the AADNonInteractiveUserSignInLogs table, to the ASIM Authentication schema.
This template deploys the ASIM Authentication schema parser for Azure active directory nonInteractive signin logs. The parser is a part of the Advanced Security Information Model.
The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
For more information, see:
- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
- [Microsoft Sentinel Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
<br>
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAADNonInteractive%2FvimAuthenticationAADNonInteractive.json)
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAADNonInteractive%2FvimAuthenticationAADNonInteractive.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAADNonInteractive%2FvimAuthenticationAADNonInteractive.json)


@ -2,35 +2,42 @@
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
"type": "string"
"Workspace": {
"type": "string",
"metadata": {
"description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
}
},
"location": {
"type": "string"
"WorkspaceRegion": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "The region of the selected workspace. The default value will use the Region selection above."
}
}
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces",
"apiVersion": "2017-03-15-preview",
"name": "[parameters('workspaceName')]",
"location": "[parameters('location')]",
"name": "[parameters('Workspace')]",
"location": "[parameters('WorkspaceRegion')]",
"resources": [
{
"type": "savedSearches",
"apiVersion": "2020-08-01",
"name": "vimAuthenticationAADNonInteractiveUserSignInLogs",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
],
"properties": {
"etag": "*",
"displayName": "Azure active directory non interactive authentication",
"category": "Security",
"displayName": "Authentication ASIM filtering parser for AAD non-interactive sign-in logs",
"category": "ASIM",
"FunctionAlias": "vimAuthenticationAADNonInteractiveUserSignInLogs",
"query": "let AADNIAuthentication=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\", disabled:bool=false){\n AADNonInteractiveUserSignInLogs | where not(disabled)\n // ************************************************************************* \n // <Prefilterring>\n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has=='*' or (UserPrincipalName has targetusername_has ))\n // ************************************************************************* \n // </Prefilterring>\n // ************************************************************************* \n | extend\n EventVendor = 'Microsoft'\n , EventProduct = 'AAD Non Interactive'\n , EventSchemaVersion='0.1.0'\n , EventCount=int(1)\n , EventResult = iff (ResultType ==0, 'Success', 'Failure')\n , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n , EventStartTime = TimeGenerated\n , EventEndTime= TimeGenerated\n , EventType= 'Logon'\n , SrcDvcId=tostring(todynamic(DeviceDetail).deviceId)\n , SrcDvcHostname =tostring(todynamic(DeviceDetail).displayName)\n , SrcDvcOs=tostring(todynamic(DeviceDetail).operatingSystem)\n , Location = todynamic(LocationDetails)\n , TargetAppId = ResourceIdentity \n , TargetUserType='NonInteractive'\n , TargetUsernameType='Upn'\n , TargetUserIdType='AADID'\n , TargetAppName=ResourceDisplayName\n | extend\n SrcGeoCity=tostring(Location.city)\n , SrcGeoCountry=tostring(Location.countryOrRegion)\n , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | project-rename\n EventOriginalUid =Id\n , LogonMethod = AuthenticationRequirement\n , HttpUserAgent=UserAgent\n , TargetSessionId=CorrelationId\n , TargetUserId = UserId\n , TargetUsername=UserPrincipalName\n , SrcDvcIpAddr=IPAddress\n | lookup 
AADSTSErrorCodes on ResultType\n | project-reorder\n TimeGenerated\n ,EventProduct\n , EventOriginalUid\n , EventResult\n , EventOriginalResultDetails\n , EventStartTime\n , EventEndTime\n , LogonMethod \n , TargetSessionId\n , TargetUserId\n , TargetUsername\n , SrcDvcId\n , SrcDvcHostname \n , SrcDvcOs\n , HttpUserAgent \n , SrcGeoCountry\n , SrcGeoCity\n , TargetAppId\n , TargetAppName\n // ** Aliases\n | extend \n User=TargetUsername\n , LogonTarget=ResourceIdentity\n , Dvc=EventVendor};\nAADNIAuthentication(starttime, endtime, targetusername_has, disabled)",
"query": "let AADNIAuthentication=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\", disabled:bool=false){\n AADNonInteractiveUserSignInLogs | where not(disabled)\n // ************************************************************************* \n // <Prefilterring>\n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has=='*' or (UserPrincipalName has targetusername_has ))\n // ************************************************************************* \n // </Prefilterring>\n // ************************************************************************* \n | extend\n EventVendor = 'Microsoft'\n , EventProduct = 'AAD'\n , EventSchemaVersion='0.1.0'\n , EventCount=int(1)\n , EventResult = iff (ResultType ==0, 'Success', 'Failure')\n , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n , EventStartTime = TimeGenerated\n , EventEndTime= TimeGenerated\n , EventType= 'Logon'\n , SrcDvcId=tostring(todynamic(DeviceDetail).deviceId)\n , SrcDvcHostname =tostring(todynamic(DeviceDetail).displayName)\n , SrcDvcOs=tostring(todynamic(DeviceDetail).operatingSystem)\n , Location = todynamic(LocationDetails)\n , TargetAppId = ResourceIdentity \n , TargetUserType='NonInteractive'\n , TargetUsernameType='Upn'\n , TargetUserIdType='AADID'\n , TargetAppName=ResourceDisplayName\n | extend\n SrcGeoCity=tostring(Location.city)\n , SrcGeoCountry=tostring(Location.countryOrRegion)\n , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | project-rename\n EventOriginalUid =Id\n , LogonMethod = AuthenticationRequirement\n , HttpUserAgent=UserAgent\n , TargetSessionId=CorrelationId\n , TargetUserId = UserId\n , TargetUsername=UserPrincipalName\n , SrcDvcIpAddr=IPAddress\n | lookup 
ASIM_AADSTSErrorCodes on ResultType\n | project-reorder\n TimeGenerated\n ,EventProduct\n , EventOriginalUid\n , EventResult\n , EventOriginalResultDetails\n , EventStartTime\n , EventEndTime\n , LogonMethod \n , TargetSessionId\n , TargetUserId\n , TargetUsername\n , SrcDvcId\n , SrcDvcHostname \n , SrcDvcOs\n , HttpUserAgent \n , SrcGeoCountry\n , SrcGeoCity\n , TargetAppId\n , TargetAppName\n // ** Aliases\n | extend \n User=TargetUsername\n , LogonTarget=ResourceIdentity\n , Dvc=EventVendor};\nAADNIAuthentication(starttime, endtime, targetusername_has, disabled)",
"version": 1,
"functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string='*', disabled:bool=False"
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False"
}
}
]


@ -1,15 +1,18 @@
# Azure active directory service principal signin logs ASIM Authentication Normalization Parser
# AAD ASIM Authentication Normalization Parser
ARM template for ASIM Authentication schema parser for AAD.
This ASIM parser supports filtering and normalizing Azure Active Directory Service Principal sign in logs, stored in the AADServicePrincipalSignInLogs table, to the ASIM Authentication schema.
This template deploys the ASIM Authentication schema parser for Azure active directory service principal signin logs. The parser is a part of the Advanced Security Information Model.
The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
For more information, see:
- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
- [Microsoft Sentinel Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
<br>
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAADServicePrincipalSignInLogs%2FvimAuthenticationAADServicePrincipalSignInLogs.json)
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAADServicePrincipalSignInLogs%2FvimAuthenticationAADServicePrincipalSignInLogs.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAADServicePrincipalSignInLogs%2FvimAuthenticationAADServicePrincipalSignInLogs.json)


@ -2,35 +2,42 @@
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
"type": "string"
"Workspace": {
"type": "string",
"metadata": {
"description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
}
},
"location": {
"type": "string"
"WorkspaceRegion": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "The region of the selected workspace. The default value will use the Region selection above."
}
}
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces",
"apiVersion": "2017-03-15-preview",
"name": "[parameters('workspaceName')]",
"location": "[parameters('location')]",
"name": "[parameters('Workspace')]",
"location": "[parameters('WorkspaceRegion')]",
"resources": [
{
"type": "savedSearches",
"apiVersion": "2020-08-01",
"name": "vimAuthenticationAADServicePrincipalSignInLogs",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
],
"properties": {
"etag": "*",
"displayName": "Azure active directory service principal authentication",
"category": "Security",
"displayName": "Authentication ASIM filtering parser for AAD service principal sign-in logs",
"category": "ASIM",
"FunctionAlias": "vimAuthenticationAADServicePrincipalSignInLogs",
"query": "let AADSvcPrincipal=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\", disabled:bool=false){\n AADServicePrincipalSignInLogs | where not(disabled)\n // ************************************************************************* \n // <Prefilterring>\n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) \n and (targetusername_has=='*' or (ServicePrincipalName =~ targetusername_has))\n // ************************************************************************* \n // </Prefilterring>\n // ************************************************************************* \n | extend\n EventVendor = 'Microsoft'\n , EventProduct = 'AAD Service Principal'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventResult = iff (ResultType ==0, 'Success', 'Failure')\n //, EventResultDetails= ResultType\n , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n , EventStartTime = TimeGenerated\n , EventEndTime= TimeGenerated\n , EventType= 'Logon'\n , Location = todynamic(LocationDetails)\n , TargetAppId = ResourceIdentity \n , TargetAppName=ResourceDisplayName\n , TargetUserType='ServicePrincipal'\n , TargetUsername=ServicePrincipalName\n , TargetUserId=ServicePrincipalId\n , TargetUsernameType='Simple'\n , TargetUserIdType='AADID'\n | extend\n SrcGeoCity=tostring(Location.city)\n , SrcGeoCountry=tostring(Location.countryOrRegion)\n , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | project-rename\n EventOriginalUid =Id\n , TargetSessionId=CorrelationId\n , SrcDvcIpAddr=IPAddress\n | lookup AADSTSErrorCodes on ResultType\n | project-reorder\n TimeGenerated\n ,EventProduct\n , EventOriginalUid\n , EventResult\n //, EventResultDetails\n , EventOriginalResultDetails\n , EventStartTime\n , 
EventEndTime\n , TargetSessionId\n , SrcGeoCity\n , SrcGeoCountry\n , TargetAppId\n // ** Aliases\n | extend \n User=TargetUsername\n , LogonTarget=ResourceIdentity\n , Dvc=EventVendor};\nAADSvcPrincipal(starttime, endtime, targetusername_has, disabled)",
"query": "let AADSvcPrincipal=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\", disabled:bool=false){\n AADServicePrincipalSignInLogs | where not(disabled)\n // ************************************************************************* \n // <Prefilterring>\n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) \n and (targetusername_has=='*' or (ServicePrincipalName =~ targetusername_has))\n // ************************************************************************* \n // </Prefilterring>\n // ************************************************************************* \n | extend\n EventVendor = 'Microsoft'\n , EventProduct = 'AAD'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventResult = iff (ResultType ==0, 'Success', 'Failure')\n //, EventResultDetails= ResultType\n , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n , EventStartTime = TimeGenerated\n , EventEndTime= TimeGenerated\n , EventType= 'Logon'\n , Location = todynamic(LocationDetails)\n , TargetAppId = ResourceIdentity \n , TargetAppName=ResourceDisplayName\n , TargetUserType='ServicePrincipal'\n , TargetUsername=ServicePrincipalName\n , TargetUserId=ServicePrincipalId\n , TargetUsernameType='Simple'\n , TargetUserIdType='AADID'\n | extend\n SrcGeoCity=tostring(Location.city)\n , SrcGeoCountry=tostring(Location.countryOrRegion)\n , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | project-rename\n EventOriginalUid =Id\n , TargetSessionId=CorrelationId\n , SrcDvcIpAddr=IPAddress\n | lookup ASIM_AADSTSErrorCodes on ResultType\n | project-reorder\n TimeGenerated\n ,EventProduct\n , EventOriginalUid\n , EventResult\n //, EventResultDetails\n , EventOriginalResultDetails\n , EventStartTime\n , EventEndTime\n , 
TargetSessionId\n , SrcGeoCity\n , SrcGeoCountry\n , TargetAppId\n // ** Aliases\n | extend \n User=TargetUsername\n , LogonTarget=ResourceIdentity\n , Dvc=EventVendor};\nAADSvcPrincipal(starttime, endtime, targetusername_has, disabled)",
"version": 1,
"functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string='*', disabled:bool=False"
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False"
}
}
]
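Review bot: The new `query` still filters with `ServicePrincipalName =~ targetusername_has`, an exact case-insensitive equality, while the other two AAD parsers touched by this commit apply `has`; a caller of the unifying parser that passes a username fragment would therefore get every AAD source except service principals, with no error. If substring semantics are intended, change it to `and (targetusername_has=='*' or (ServicePrincipalName has targetusername_has))`; if exact match is deliberate for service principals, say so in the savedSearch `displayName` or the accompanying README. Separately, the lookup now references `ASIM_AADSTSErrorCodes`, a function this template neither deploys nor declares, so a standalone deployment of this parser will fail at query time until that function exists; the same applies to the interactive sign-in template below and the non-interactive one above. A `metadata` note such as `"description": "Requires the ASIM_AADSTSErrorCodes function to be present in the target workspace"` on the savedSearch resource would make the ordering visible to whoever deploys it.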


@ -1,15 +1,18 @@
# Azure SigninLogs ASIM Authentication Normalization Parser
# AAD ASIM Authentication Normalization Parser
ARM template for ASIM Authentication schema parser for AAD.
This ASIM parser supports filtering and normalizing Azure Active Directory Interactive sign in logs, stored in the SigninLogs table, to the ASIM Authentication schema.
This template deploys the ASIM Authentication schema parser for Azure SigninLogs. The parser is a part of the Advanced Security Information Model.
The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
For more information, see:
- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
- [Microsoft Sentinel Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
<br>
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAADSigninLogs%2FvimAuthenticationAADSigninLogs.json)
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAADSigninLogs%2FvimAuthenticationAADSigninLogs.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAADSigninLogs%2FvimAuthenticationAADSigninLogs.json)


@ -2,35 +2,42 @@
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
"type": "string"
"Workspace": {
"type": "string",
"metadata": {
"description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
}
},
"location": {
"type": "string"
"WorkspaceRegion": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "The region of the selected workspace. The default value will use the Region selection above."
}
}
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces",
"apiVersion": "2017-03-15-preview",
"name": "[parameters('workspaceName')]",
"location": "[parameters('location')]",
"name": "[parameters('Workspace')]",
"location": "[parameters('WorkspaceRegion')]",
"resources": [
{
"type": "savedSearches",
"apiVersion": "2020-08-01",
"name": "vimAuthenticationSigninLogs",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
],
"properties": {
"etag": "*",
"displayName": "Azure active directory authentication",
"category": "Security",
"displayName": "Authentication ASIM filtering parser for AAD interactive sign-in logs",
"category": "ASIM",
"FunctionAlias": "vimAuthenticationSigninLogs",
"query": "let AADSigninLogs=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\", disabled:bool=false){\nSigninLogs | where not(disabled)\n// ************************************************************************* \n// <Prefilterring>\n// *************************************************************************\n| where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (targetusername_has=='*' or (UserPrincipalName has targetusername_has ))\n// ************************************************************************* \n// </Prefilterring>\n// ************************************************************************* \n| extend\n EventVendor = 'Microsoft'\n , EventProduct = 'AAD Sign In Logs'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventResult = iff (ResultType ==0, 'Success', 'Failure')\n , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n , EventStartTime = TimeGenerated\n , EventEndTime= TimeGenerated\n , EventType= 'Logon'\n , SrcDvcId=tostring(DeviceDetail.deviceId)\n , SrcDvcHostname =tostring(DeviceDetail.displayName)\n , SrcDvcOs=tostring(DeviceDetail.operatingSystem)\n // , SrcBrowser= tostring(DeviceDetail.browser)\n , Location = todynamic(LocationDetails)\n , TargetUsernameType='Upn'\n , TargetUserIdType='AADID'\n , SrcDvcIpAddr=IPAddress\n| extend\n SrcGeoCity=tostring(Location.city)\n , SrcGeoCountry=tostring(Location.countryOrRegion)\n , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | lookup AADSTSErrorCodes on ResultType\n | project-rename\n EventOriginalUid =Id\n , LogonMethod = AuthenticationRequirement\n , HttpUserAgent=UserAgent\n , TargetSessionId=CorrelationId\n , TargetUserId = UserId\n , TargetUsername=UserPrincipalName\n , TargetUserType=UserType\n , TargetAppId = ResourceIdentity\n , TargetAppName=ResourceDisplayName\n | 
project-reorder\n TimeGenerated\n ,EventProduct\n , EventOriginalUid\n , EventResult\n , EventOriginalResultDetails\n , EventStartTime\n , EventEndTime\n , LogonMethod \n , TargetSessionId\n , TargetUserId\n , TargetUsername\n , SrcDvcId\n , SrcDvcHostname \n , SrcDvcOs\n , HttpUserAgent \n , SrcGeoCity\n , SrcGeoCountry\n , TargetAppId\n , TargetAppName\n , SrcDvcIpAddr\n // ** Aliases\n | extend \n User=TargetUsername\n , LogonTarget=TargetAppName\n , Dvc=EventVendor};\n AADSigninLogs(starttime, endtime, targetusername_has, disabled)\n",
"query": "let AADSigninLogs=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\", disabled:bool=false){\nSigninLogs | where not(disabled)\n// ************************************************************************* \n// <Prefilterring>\n// *************************************************************************\n| where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (targetusername_has=='*' or (UserPrincipalName has targetusername_has ))\n// ************************************************************************* \n// </Prefilterring>\n// ************************************************************************* \n| extend\n EventVendor = 'Microsoft'\n , EventProduct = 'AAD'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventResult = iff (ResultType ==0, 'Success', 'Failure')\n , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n , EventStartTime = TimeGenerated\n , EventEndTime= TimeGenerated\n , EventType= 'Logon'\n , SrcDvcId=tostring(DeviceDetail.deviceId)\n , SrcDvcHostname =tostring(DeviceDetail.displayName)\n , SrcDvcOs=tostring(DeviceDetail.operatingSystem)\n // , SrcBrowser= tostring(DeviceDetail.browser)\n , Location = todynamic(LocationDetails)\n , TargetUsernameType='Upn'\n , TargetUserIdType='AADID'\n , SrcDvcIpAddr=IPAddress\n| extend\n SrcGeoCity=tostring(Location.city)\n , SrcGeoCountry=tostring(Location.countryOrRegion)\n , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | lookup ASIM_AADSTSErrorCodes on ResultType\n | project-rename\n EventOriginalUid =Id\n , LogonMethod = AuthenticationRequirement\n , HttpUserAgent=UserAgent\n , TargetSessionId=CorrelationId\n , TargetUserId = UserId\n , TargetUsername=UserPrincipalName\n , TargetUserType=UserType\n , TargetAppId = ResourceIdentity\n , TargetAppName=ResourceDisplayName\n | 
project-reorder\n TimeGenerated\n ,EventProduct\n , EventOriginalUid\n , EventResult\n , EventOriginalResultDetails\n , EventStartTime\n , EventEndTime\n , LogonMethod \n , TargetSessionId\n , TargetUserId\n , TargetUsername\n , SrcDvcId\n , SrcDvcHostname \n , SrcDvcOs\n , HttpUserAgent \n , SrcGeoCity\n , SrcGeoCountry\n , TargetAppId\n , TargetAppName\n , SrcDvcIpAddr\n // ** Aliases\n | extend \n User=TargetUsername\n , LogonTarget=TargetAppName\n , Dvc=EventVendor};\n AADSigninLogs(starttime, endtime, targetusername_has, disabled)\n",
"version": 1,
"functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string='*', disabled:bool=False"
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False"
}
}
]
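Review bot: The `LogonTarget` alias at the tail of the new `query` is `LogonTarget=TargetAppName` (the resource display name), whereas the service-principal and non-interactive parsers in this same commit set `LogonTarget=ResourceIdentity` (the resource id), so the unified Authentication view ends up with a column whose meaning depends on which source produced the row. Align on the id here with `, LogonTarget=TargetAppId` (ResourceIdentity has already been renamed to TargetAppId by the preceding `project-rename`), or switch the other two to the display name, but not a mix. Also `functionParameters` keeps `disabled:bool=False` while the default embedded in the query body is `disabled:bool=false`; unifying on the lowercase literal avoids relying on the saved-search parameter parser accepting the capitalized form, which I have not verified.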


@ -1,15 +1,18 @@
# Amazon web services cloud trail ASIM Authentication Normalization Parser
# AWS ASIM Authentication Normalization Parser
ARM template for ASIM Authentication schema parser for AWS.
This ASIM parser supports filtering and normalizing Amazon Web Service sign in logs, stored in the AWSCloudTrail table, to the ASIM Authentication schema.
This template deploys the ASIM Authentication schema parser for Amazon web services cloud trail. The parser is a part of the Advanced Security Information Model.
The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
For more information, see:
- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
- [Microsoft Sentinel Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
<br>
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAWSCloudTrail%2FvimAuthenticationAWSCloudTrail.json)
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAWSCloudTrail%2FvimAuthenticationAWSCloudTrail.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAWSCloudTrail%2FvimAuthenticationAWSCloudTrail.json)


@ -2,35 +2,42 @@
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
"type": "string"
"Workspace": {
"type": "string",
"metadata": {
"description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
}
},
"location": {
"type": "string"
"WorkspaceRegion": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "The region of the selected workspace. The default value will use the Region selection above."
}
}
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces",
"apiVersion": "2017-03-15-preview",
"name": "[parameters('workspaceName')]",
"location": "[parameters('location')]",
"name": "[parameters('Workspace')]",
"location": "[parameters('WorkspaceRegion')]",
"resources": [
{
"type": "savedSearches",
"apiVersion": "2020-08-01",
"name": "vimAuthenticationAWSCloudTrail",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
],
"properties": {
"etag": "*",
"displayName": "ASIM AWS authentication",
"category": "Security",
"displayName": "Authentication ASIM filtering parser for AWS sign-in logs",
"category": "ASIM",
"FunctionAlias": "vimAuthenticationAWSCloudTrail",
"query": "let AWSLogon=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\", disabled:bool=false){\nAWSCloudTrail | where not(disabled)\n// ************************************************************************* \n// <Prefilterring>\n// *************************************************************************\n| where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (targetusername_has=='*' or (UserIdentityPrincipalid has targetusername_has ))\n// ************************************************************************* \n// </Prefilterring>\n// ************************************************************************* \n | where EventName == 'ConsoleLogin'\n | extend\n EventVendor = 'AWS'\n , EventProduct='AWSCloudTrail'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventResult= iff (ResponseElements has_cs 'Success', 'Success', 'Failure')\n , EventStartTime=TimeGenerated\n , EventEndTime=TimeGenerated\n , EventType='Logon'\n , LogonMethod=iff(AdditionalEventData has '\"MFAUsed\": \"No\"', 'NoMFA', 'MFA')\n , TargetUrl =tostring(todynamic(AdditionalEventData).LoginTo)\n , TargetUsernameType='Simple'\n , TargetUserIdType='AWSId'\n , TargetUsername= tostring(split(UserIdentityPrincipalid,':',1))\n | project-rename\n EventOriginalUid= AwsEventId\n , EventOriginalResultDetails= ErrorMessage\n , TargetUserType=UserIdentityType\n , TargetUserId=UserIdentityAccountId \n , SrcDvcIpAddr=SourceIpAddress\n , HttpUserAgent=UserAgent\n// **** Aliases\n| extend\n User=TargetUsername\n , LogonTarget=tostring(split(TargetUrl,'?')[0])\n , Dvc=EventVendor\n };\n AWSLogon(starttime, endtime, targetusername_has, disabled)\n",
"query": "let AWSLogon=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\", disabled:bool=false){\nAWSCloudTrail | where not(disabled)\n// ************************************************************************* \n// <Prefilterring>\n// *************************************************************************\n| where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (targetusername_has=='*' or (UserIdentityPrincipalid has targetusername_has ))\n// ************************************************************************* \n// </Prefilterring>\n// ************************************************************************* \n | where EventName == 'ConsoleLogin'\n | extend\n EventVendor = 'AWS'\n , EventProduct='CloudTrail'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventResult= iff (ResponseElements has_cs 'Success', 'Success', 'Failure')\n , EventStartTime=TimeGenerated\n , EventEndTime=TimeGenerated\n , EventType='Logon'\n , LogonMethod=iff(AdditionalEventData has '\"MFAUsed\": \"No\"', 'NoMFA', 'MFA')\n , TargetUrl =tostring(todynamic(AdditionalEventData).LoginTo)\n , TargetUsernameType='Simple'\n , TargetUserIdType='AWSId'\n , TargetUsername= tostring(split(UserIdentityPrincipalid,':',1))\n | project-rename\n EventOriginalUid= AwsEventId\n , EventOriginalResultDetails= ErrorMessage\n , TargetUserType=UserIdentityType\n , TargetUserId=UserIdentityAccountId \n , SrcDvcIpAddr=SourceIpAddress\n , HttpUserAgent=UserAgent\n// **** Aliases\n| extend\n User=TargetUsername\n , LogonTarget=tostring(split(TargetUrl,'?')[0])\n , Dvc=EventVendor\n };\n AWSLogon(starttime, endtime, targetusername_has, disabled)\n",
"version": 1,
"functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string='*', disabled:bool=False"
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False"
}
}
]
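Review bot: `LogonMethod=iff(AdditionalEventData has '\"MFAUsed\": \"No\"', 'NoMFA', 'MFA')` in the new `query` reports `MFA` for every ConsoleLogin event where that exact text is absent, which includes events whose `AdditionalEventData` is empty or lacks the field, so any detection keyed on this column will over-count MFA-protected logons. The query already parses the field with `todynamic(AdditionalEventData)` for `LoginTo`; map it explicitly and leave the value empty when unknown: `, LogonMethod = case(tostring(todynamic(AdditionalEventData).MFAUsed) == 'Yes', 'MFA', tostring(todynamic(AdditionalEventData).MFAUsed) == 'No', 'NoMFA', '')`. The text match also appears to depend on the exact spacing of the serialized JSON, which the parsed form does not.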


@ -1,15 +1,18 @@
# Microsoft Sentinel ASIM Authentication Normalization Parser
This template deploys the ASIM Authentication schema parser for Microsoft Sentinel. The parser is a part of the Advanced Security Information Model.
ARM template for ASIM Authentication schema parser for Microsoft Sentinel.
This function returns an empty ASIM Authentication schema.
The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
For more information, see:
- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
- [Microsoft Sentinel Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
<br>
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationEmpty%2FvimAuthenticationEmpty.json)
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationEmpty%2FvimAuthenticationEmpty.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationEmpty%2FvimAuthenticationEmpty.json)


@ -32,7 +32,7 @@
],
"properties": {
"etag": "*",
"displayName": "ASIM Empty Authentication Table",
"displayName": "Authentication ASIM schema function",
"category": "ASIM",
"FunctionAlias": "vimAuthenticationEmpty",
"query": "let EmptyAuthenticationTable=(){\n datatable(\n EventProduct:string\n , EventProductVersion: string\n , EventVendor:string\n , EventCount:int\n , EventReportUrl:string\n , EventSchemaVersion:string\n , TimeGenerated:datetime\n , EventOriginalUid:string\n , EventOriginalType:string\n , EventMessage:string\n , EventResult:string\n , EventResultDetails:string\n , EventOriginalResultDetails:string\n , EventStartTime:datetime\n , EventEndTime:datetime\n , EventType:string\n , EventSubType:string\n , ActorSessionId:string\n , TargetSessionId:string\n , ActorUserId:string\n , ActorUsername:string\n , ActorUserType:string\n , TargetUserId:string\n , TargetUsername:string\n , TargetUserType:string\n , SrcDvcId:string\n , SrcDvcHostname:string\n , SrcDvcType:string\n , SrcDvcIpAddr:string\n , SrcDvcOs:string\n , HttpUserAgent:string\n , SrcIsp:string\n , SrcGeoCity:string\n , SrcGeoCountry:string\n , SrcGeoRegion:string\n , SrcGeoLatitude:real\n , SrcGeoLongitude:real\n , ActingAppId:string\n , ActingAppName:string\n , ActingAppType:string\n , TargetAppId:string\n , TargetAppName:string\n , TargetAppType:string\n , TargetDvcId:string\n , TargetDvcHostname:string\n , TargetDvcType:string\n , TargetDvcIpAddr:string\n , TargetDvcOs:string\n , TargetUrl:string\n , TargetPortNumber:int\n , _ResourceId:string\n , LogonMethod: string\t\n , LogonProtocol: string\t\n , ActorUserIdType: string\t \n , ActorUsernameType: string\t \n , TargetUserIdType: string\t\n , TargetUsernameType: string\t\n , User: string\t\n , SrcDvcHostnameType: string\t\n \t, LogonTarget: string\t \n\t, TargetDvcHostnameType: string\t\n , TargetDvc: string\t\n , Dvc: string\t\n , DvcId: string\n , DvcIpAddr: string\t\n , DvcHostname: string\n , AdditionalFields:dynamic\n )[]\n};\nEmptyAuthenticationTable\n",


@ -1,15 +1,18 @@
# M365 Defender ASIM Authentication Normalization Parser
# M365 Defender for EndPoint ASIM Authentication Normalization Parser
ARM template for ASIM Authentication schema parser for M365 Defender for EndPoint.
This ASIM parser supports filtering and normalizing endpoint authentication events, collected by Microsoft 365 Defender for Endpoint, stored in the DeviceLogonEvents table, to the ASIM Authentication schema.
This template deploys the ASIM Authentication schema parser for M365 Defender. The parser is a part of the Advanced Security Information Model.
The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
For more information, see:
- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
- [Microsoft Sentinel Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
<br>
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationM365Defender%2FvimAuthenticationM365Defender.json)
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationM365Defender%2FvimAuthenticationM365Defender.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationM365Defender%2FvimAuthenticationM365Defender.json)


@ -2,35 +2,42 @@
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
"type": "string"
"Workspace": {
"type": "string",
"metadata": {
"description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
}
},
"location": {
"type": "string"
"WorkspaceRegion": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "The region of the selected workspace. The default value will use the Region selection above."
}
}
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces",
"apiVersion": "2017-03-15-preview",
"name": "[parameters('workspaceName')]",
"location": "[parameters('location')]",
"name": "[parameters('Workspace')]",
"location": "[parameters('WorkspaceRegion')]",
"resources": [
{
"type": "savedSearches",
"apiVersion": "2020-08-01",
"name": "vimAuthenticationM365Defender",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
],
"properties": {
"etag": "*",
"displayName": "ASIM Microsoft 365 Defender DeviceLogonEvent Authentication parser",
"category": "Security",
"displayName": "Authentication ASIM filtering parser for M365 Defender Device Logon Events",
"category": "ASIM",
"FunctionAlias": "vimAuthenticationM365Defender",
"query": "let FaliureReason=datatable(EventOriginalResultDetails:string, EventResultDetails:string)[\n 'InvalidUserNameOrPassword','No such user or password'\n ];\nlet AuthM365D=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\", disabled:bool=false){\n DeviceLogonEvents | where not(disabled)\n// ************************************************************************* \n// <Prefilterring>\n// *************************************************************************\n| where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (targetusername_has=='*' or (AccountName has targetusername_has))\n// ************************************************************************* \n// </Prefilterring>\n// ************************************************************************* \n //\n | project-rename \n EventOriginalResultDetails=FailureReason \n | extend \n // ---- Event\n EventSubType=iff(LogonType=='Remote interactive (RDP) logons','RemoteInteractive',LogonType)\n , EventCount=int(1)\n , EventStartTime=TimeGenerated\n , EventEndTime=TimeGenerated\n , EventOriginalType = LogonType\n , EventProduct='M365 Defender for EndPoint'\n , EventResult = case(ActionType =='LogonSuccess', 'Success'\n , ActionType=='LogonFailed', 'Failure'\n , ActionType=='LogonAttempted', 'NA'\n , 'NA')\n , EventSchemaVersion='0.1.0'\n , EventType='Logon'\n , EventVendor ='Microsoft'\n // ---- Target and Actor Users\n | project-rename \n TargetUserId=AccountSid\n , ActorUserId =InitiatingProcessAccountSid\n , ActorUserUpn=InitiatingProcessAccountUpn\n , ActorUserObjectId=InitiatingProcessAccountObjectId\n | extend \n TargetUserIdType ='SID'\n , TargetUsername = strcat(AccountDomain,'\\\\',AccountName)\n , TargetUsernameType='Windows'\n , ActorUserIdType='SID'\n , ActorUsername=coalesce(ActorUserUpn, strcat(InitiatingProcessAccountDomain,'\\\\',InitiatingProcessAccountName)) // 
InitiatingProcessAccountName\n , ActorUsernameType=case(isnotempty( ActorUserUpn), 'Upn/Email'\n , isnotempty(InitiatingProcessAccountDomain), 'Windows'\n , 'Simple')\n , TargetDvcHostname=tostring(split(DeviceName,'.')[0])\n , TargetDvcFQDN=DeviceName\n | project-rename \n LogonProtocol=Protocol\n , TargetDvcId=DeviceId\n , SrcDvcIpAddr=RemoteIP\n , OriginalEventUid=ReportId\n , SrcDvcHostname=RemoteDeviceName \n //\n , ActingProcessCommandLine = InitiatingProcessCommandLine\n , ActingProcessCreationTime=InitiatingProcessCreationTime\n , ActingProcessPath=InitiatingProcessFolderPath\n , ActingProcessId=InitiatingProcessId\n , ActingProcessMD5=InitiatingProcessMD5\n , ActingProcessSHA1=InitiatingProcessSHA1\n , ActingProcessSHA256= InitiatingProcessSHA256\n , ActingProcessIntegrityLevel= InitiatingProcessIntegrityLevel\n , ActingProcessTokenElevation=InitiatingProcessTokenElevation\n , ParentProcessName=InitiatingProcessParentFileName\n , ParentProcessId=InitiatingProcessParentId\n , ParentProcessCreationTime=InitiatingProcessParentCreationTime\n | extend \n ActingProcessName=iff(ActingProcessPath hassuffix InitiatingProcessFileName\n , ActingProcessPath\n , strcat(ActingProcessPath,'\\\\',InitiatingProcessFileName))\n , TargetDvcHostnameType='FQDN'\n , TargetDvcIdType='MDE'\n , TargetPortNumber=RemotePort\n , TargetSessionId = tostring(LogonId)\n | lookup FaliureReason on EventOriginalResultDetails \n // TargetUrl \n // ----------- Alias\n | extend \n User=TargetUsername \n , LogonTarget=TargetDvcHostname\n , Dvc=TargetDvcHostname\n };AuthM365D(starttime, endtime, targetusername_has, disabled)",
"query": "let FaliureReason=datatable(EventOriginalResultDetails:string, EventResultDetails:string)[\n 'InvalidUserNameOrPassword','No such user or password'\n ];\nlet AuthM365D=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\", disabled:bool=false){\n DeviceLogonEvents | where not(disabled)\n// ************************************************************************* \n// <Prefilterring>\n// *************************************************************************\n| where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (targetusername_has=='*' or (AccountName has targetusername_has))\n// ************************************************************************* \n// </Prefilterring>\n// ************************************************************************* \n //\n | project-rename \n EventOriginalResultDetails=FailureReason \n | extend \n // ---- Event\n EventSubType=iff(LogonType=='Remote interactive (RDP) logons','RemoteInteractive',LogonType)\n , EventCount=int(1)\n , EventStartTime=TimeGenerated\n , EventEndTime=TimeGenerated\n , EventOriginalType = LogonType\n , EventProduct='M365 Defender for EndPoint'\n , EventResult = case(ActionType =='LogonSuccess', 'Success'\n , ActionType=='LogonFailed', 'Failure'\n , ActionType=='LogonAttempted', 'NA'\n , 'NA')\n , EventSchemaVersion='0.1.0'\n , EventType='Logon'\n , EventVendor ='Microsoft'\n // ---- Target and Actor Users\n | project-rename \n TargetUserId=AccountSid\n , ActorUserId =InitiatingProcessAccountSid\n , ActorUserUpn=InitiatingProcessAccountUpn\n , ActorUserObjectId=InitiatingProcessAccountObjectId\n | extend \n TargetUserIdType ='SID'\n , TargetUsername = strcat(AccountDomain,'\\\\',AccountName)\n , TargetUsernameType='Windows'\n , ActorUserIdType='SID'\n , ActorUsername=coalesce(ActorUserUpn, strcat(InitiatingProcessAccountDomain,'\\\\',InitiatingProcessAccountName)) // 
InitiatingProcessAccountName\n , ActorUsernameType=case(isnotempty( ActorUserUpn), 'Upn/Email'\n , isnotempty(InitiatingProcessAccountDomain), 'Windows'\n , 'Simple')\n , TargetDvcHostname=tostring(split(DeviceName,'.')[0])\n , TargetDvcFQDN=DeviceName\n | project-rename \n LogonProtocol=Protocol\n , TargetDvcId=DeviceId\n , SrcDvcIpAddr=RemoteIP\n , OriginalEventUid=ReportId\n , SrcDvcHostname=RemoteDeviceName \n //\n , ActingProcessCommandLine = InitiatingProcessCommandLine\n , ActingProcessCreationTime=InitiatingProcessCreationTime\n , ActingProcessPath=InitiatingProcessFolderPath\n , ActingProcessMD5=InitiatingProcessMD5\n , ActingProcessSHA1=InitiatingProcessSHA1\n , ActingProcessSHA256= InitiatingProcessSHA256\n , ActingProcessIntegrityLevel= InitiatingProcessIntegrityLevel\n , ActingProcessTokenElevation=InitiatingProcessTokenElevation\n , ParentProcessName=InitiatingProcessParentFileName\n , ParentProcessCreationTime=InitiatingProcessParentCreationTime\n | extend \n ActingProcessId=tostring(InitiatingProcessId)\n , ParentProcessId=tostring(InitiatingProcessParentId)\n , ActingProcessName=iff(ActingProcessPath hassuffix InitiatingProcessFileName\n , ActingProcessPath\n , strcat(ActingProcessPath,'\\\\',InitiatingProcessFileName))\n , TargetDvcHostnameType='FQDN'\n , TargetDvcIdType='MDE'\n , TargetPortNumber=RemotePort\n , TargetSessionId = tostring(LogonId)\n | lookup FaliureReason on EventOriginalResultDetails \n // TargetUrl \n // ----------- Alias\n | extend \n User=TargetUsername \n , LogonTarget=TargetDvcHostname\n , Dvc=TargetDvcHostname\n };AuthM365D(starttime, endtime, targetusername_has, disabled)",
"version": 1,
"functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string='*', disabled:bool=False"
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False"
}
}
]
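Review bot: In the new `"query"` value, `ActingProcessId=tostring(InitiatingProcessId)` and `ParentProcessId=tostring(InitiatingProcessParentId)` moved from `project-rename` into `extend`, so the raw `InitiatingProcessId` and `InitiatingProcessParentId` columns now stay in the output next to the normalized ones; if the parser is meant to emit only schema columns, follow that `extend` with `| project-away InitiatingProcessId, InitiatingProcessParentId`. The `EventResult` case still carries an `ActionType=='LogonAttempted', 'NA'` branch whose value is identical to the default `'NA'`, so the branch can be dropped without changing results. The lookup table is spelled `FaliureReason` on both the old and new side (declaration and `| lookup FaliureReason on EventOriginalResultDetails`); renaming it `FailureReason` in those two places would avoid the typo propagating into further copies of this parser.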


@ -1,15 +1,18 @@
# Microsoft Defender for IoT - Endpoint ASIM Authentication Normalization Parser
# Microsoft Defender for IoT ASIM Authentication Normalization Parser
ARM template for ASIM Authentication schema parser for Microsoft Defender for IoT.
This ASIM parser supports filtering and normalizing Microsoft Defender for IoT endpoint logs to the ASIM Authentication schema.
This template deploys the ASIM Authentication schema parser for Microsoft Defender for IoT - Endpoint. The parser is a part of the Advanced Security Information Model.
The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
For more information, see:
- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
- [Microsoft Sentinel Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
<br>
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationMicrosoftMD4IoT%2FvimAuthenticationMicrosoftMD4IoT.json)
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationMicrosoftMD4IoT%2FvimAuthenticationMicrosoftMD4IoT.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationMicrosoftMD4IoT%2FvimAuthenticationMicrosoftMD4IoT.json)


@ -2,35 +2,42 @@
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
"type": "string"
"Workspace": {
"type": "string",
"metadata": {
"description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
}
},
"location": {
"type": "string"
"WorkspaceRegion": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "The region of the selected workspace. The default value will use the Region selection above."
}
}
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces",
"apiVersion": "2017-03-15-preview",
"name": "[parameters('workspaceName')]",
"location": "[parameters('location')]",
"name": "[parameters('Workspace')]",
"location": "[parameters('WorkspaceRegion')]",
"resources": [
{
"type": "savedSearches",
"apiVersion": "2020-08-01",
"name": "vimAuthenticationMD4IoT",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
],
"properties": {
"etag": "*",
"displayName": "ASIM Authentication Parser for Microsoft Defender for IoT - Endpoint",
"category": "Security",
"displayName": "Authentication ASIM filtering parser for Microsoft Defender for IoT endpoint logs",
"category": "ASIM",
"FunctionAlias": "vimAuthenticationMD4IoT",
"query": "let Authentication_MD4IoT=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\", disabled:bool=false)\n {\n SecurityIoTRawEvent | where not(disabled)\n | where RawEventName == \"Login\"\n // ************************************************************************* \n // <Prefilterring>\n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has=='*' or EventDetails has targetusername_has)\n // ************************************************************************* \n // </Prefilterring>\n // ************************************************************************* \n | extend\n EventDetails = todynamic(EventDetails)\n //\n | extend\n EventOriginalUid = tostring(EventDetails.OriginalEventId), \n EventProduct = 'Azure Defender for IoT',\n EventCount=int(1),\n EventVendor = 'Microsoft', \n EventSchemaVersion = '0.1.0', \n EventStartTime = todatetime(EventDetails.TimestampUTC), \n EventEndTime = todatetime(TimeGenerated), \n EventType = iff (EventDetails.Operation == 'Logout', 'Logoff', 'Logon'), \n EventResult = iff (EventDetails.Operation == 'LoginFailed', 'Failure', 'Success') \n //\n | extend\n ActingProcessId = tostring(EventDetails.ProcessId), \n ActingProcessName = tostring(EventDetails.Executable), // -- Linux input device or service used to authenticate, for example pts/1, tty1, pts/0, ssh:notty \n DvcOs = iif (EventDetails.MessageSource == \"Linux\", \"Linux\", \"Windows\"), // -- Intermediate fix\n TargetUsernameType = \"Simple\",\n TargetUsername = tostring(EventDetails.UserName)\n // ************************************************************************* \n // <Postfilterring>\n // *************************************************************************\n | where \n (targetusername_has=='*' or TargetUsername has targetusername_has)\n // 
************************************************************************* \n // <Postfilterring>\n // *************************************************************************\n | extend SrcIpAddr = tostring(EventDetails.RemoteAddress) \n | project-rename\n DvcHostname = DeviceId, \n EventProductVersion = AgentVersion, // -- Not available in Windows\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId \n //\n // -- aliases\n | extend \n User = TargetUsername, \n Process = ActingProcessName, \n Dvc = DvcHostname,\n SrcDvcIpAddr = SrcIpAddr,\n IpAddr = SrcIpAddr\n };\n Authentication_MD4IoT(starttime, endtime, targetusername_has, disabled)",
"query": "let Authentication_MD4IoT=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\", disabled:bool=false)\n {\n SecurityIoTRawEvent | where not(disabled)\n | where RawEventName == \"Login\"\n // ************************************************************************* \n // <Prefilterring>\n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has=='*' or EventDetails has targetusername_has)\n // ************************************************************************* \n // </Prefilterring>\n // ************************************************************************* \n | extend\n EventDetails = todynamic(EventDetails)\n //\n | extend\n EventOriginalUid = tostring(EventDetails.OriginalEventId), \n EventProduct = 'Microsoft Defender for IoT',\n EventCount=int(1),\n EventVendor = 'Microsoft', \n EventSchemaVersion = '0.1.0', \n EventStartTime = todatetime(EventDetails.TimestampUTC), \n EventEndTime = todatetime(TimeGenerated), \n EventType = iff (EventDetails.Operation == 'Logout', 'Logoff', 'Logon'), \n EventResult = iff (EventDetails.Operation == 'LoginFailed', 'Failure', 'Success') \n //\n | extend\n ActingProcessId = tostring(EventDetails.ProcessId), \n ActingProcessName = tostring(EventDetails.Executable), // -- Linux input device or service used to authenticate, for example pts/1, tty1, pts/0, ssh:notty \n DvcOs = iif (EventDetails.MessageSource == \"Linux\", \"Linux\", \"Windows\"), // -- Intermediate fix\n TargetUsernameType = \"Simple\",\n TargetUsername = tostring(EventDetails.UserName)\n // ************************************************************************* \n // <Postfilterring>\n // *************************************************************************\n | where \n (targetusername_has=='*' or TargetUsername has targetusername_has)\n 
// ************************************************************************* \n // <Postfilterring>\n // *************************************************************************\n | extend SrcIpAddr = tostring(EventDetails.RemoteAddress) \n | project-rename\n DvcHostname = DeviceId, \n EventProductVersion = AgentVersion, // -- Not available in Windows\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId \n //\n // -- aliases\n | extend \n User = TargetUsername, \n Process = ActingProcessName, \n Dvc = DvcHostname,\n SrcDvcIpAddr = SrcIpAddr,\n IpAddr = SrcIpAddr\n };\n Authentication_MD4IoT(starttime, endtime, targetusername_has, disabled)",
"version": 1,
"functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string='*', disabled:bool=False"
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False"
}
}
]
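Review bot: The post-filter block in the new `"query"` value is closed with a second `// <Postfilterring>` marker, whereas the prefilter block above it pairs `// <Prefilterring>` with `// </Prefilterring>`; the closing marker should read `// </Postfilterring>`, and the `Prefilterring`/`Postfilterring` spelling is carried over unchanged from the old side. The new line updates `EventProduct` to `'Microsoft Defender for IoT'` but leaves `EventEndTime = todatetime(TimeGenerated)` while `EventStartTime = todatetime(EventDetails.TimestampUTC)` comes from the event payload, so the two presumably come from different clocks and the end time can trail the start time when records are uploaded late. If that is intended, an inline `// -- no end timestamp in EventDetails; TimeGenerated used as EventEndTime` comment on that line would make the choice explicit for detection authors comparing the two fields.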


@ -1,15 +1,18 @@
# Microsoft Windows Events ASIM Authentication Normalization Parser
# Windows Security Events ASIM Authentication Normalization Parser
ARM template for ASIM Authentication schema parser for Windows Security Events.
This ASIM parser supports filtering and normalizing Windows Authentication events (4624, 4625, 4634, and 4647), collected either by the Log Analytics Agent or the Azure Monitor Agent, into either the WindowsEvent (WEF) or SecurityEvent tables, to the ASIM Authentication schema.
This template deploys the ASIM Authentication schema parser for Microsoft Windows Events. The parser is a part of the Advanced Security Information Model.
The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
For more information, see:
- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
- [Microsoft Sentinel Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
<br>
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationMicrosoftWindowsEvent%2FvimAuthenticationMicrosoftWindowsEvent.json)
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationMicrosoftWindowsEvent%2FvimAuthenticationMicrosoftWindowsEvent.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationMicrosoftWindowsEvent%2FvimAuthenticationMicrosoftWindowsEvent.json)

