Merge pull request #2507 from socprime/InsightVMCloud

InsightVMCloud: data_connector, parsers, datasamples
v-jayakal 2021-06-30 22:28:12 -07:00 коммит произвёл GitHub
Родитель 975228f7f0 62a3643190
Коммит c47bb815b2
15 изменённых файлов: 3442 добавлений и 0 удалений


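--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,121 @@
+{
+"Name":"NexposeInsightVMCloud_assets_CL",
+"Properties":[
+{
+"Name":"EventVendor",
+"Type":"String"
+},
+{
+"Name":"EventProduct",
+"Type":"String"
+},
+{
+"Name":"assessed_for_policies_b",
+"Type":"Bool"
+},
+{
+"Name":"assessed_for_vulnerabilities_b",
+"Type":"Bool"
+},
+{
+"Name":"credential_assessments_s",
+"Type":"String"
+},
+{
+"Name":"critical_vulnerabilities_d",
+"Type":"Double"
+},
+{
+"Name":"exploits_d",
+"Type":"Double"
+},
+{
+"Name":"host_name_s",
+"Type":"String"
+},
+{
+"Name":"id_s",
+"Type":"String"
+},
+{
+"Name":"ip_s",
+"Type":"String"
+},
+{
+"Name":"last_assessed_for_vulnerabilities_t",
+"Type":"DateTime"
+},
+{
+"Name":"last_scan_end_t",
+"Type":"DateTime"
+},
+{
+"Name":"last_scan_start_t",
+"Type":"DateTime"
+},
+{
+"Name":"malware_kits_d",
+"Type":"Double"
+},
+{
+"Name":"moderate_vulnerabilities_d",
+"Type":"Double"
+},
+{
+"Name":"os_architecture_s",
+"Type":"String"
+},
+{
+"Name":"os_description_s",
+"Type":"String"
+},
+{
+"Name":"os_family_s",
+"Type":"String"
+},
+{
+"Name":"os_name_s",
+"Type":"String"
+},
+{
+"Name":"os_system_name_s",
+"Type":"String"
+},
+{
+"Name":"os_type_s",
+"Type":"String"
+},
+{
+"Name":"os_vendor_s",
+"Type":"String"
+},
+{
+"Name":"os_version_s",
+"Type":"String"
+},
+{
+"Name":"risk_score_d",
+"Type":"Double"
+},
+{
+"Name":"severe_vulnerabilities_d",
+"Type":"Double"
+},
+{
+"Name":"total_vulnerabilities_d",
+"Type":"Double"
+},
+{
+"Name":"unique_identifiers_s",
+"Type":"String"
+},
+{
+"Name":"same_s",
+"Type":"String"
+},
+{
+"Name":"mac_s",
+"Type":"String"
+}
+]
+}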


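--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,197 @@
+{
+"Name":"NexposeInsightVMCloud_vulnerabilities_CL",
+"Properties":[
+{
+"Name":"EventVendor",
+"Type":"String"
+},
+{
+"Name":"EventProduct",
+"Type":"String"
+},
+{
+"Name":"asset_id_s",
+"Type":"String"
+},
+{
+"Name":"host_name_s",
+"Type":"String"
+},
+{
+"Name":"ip_s",
+"Type":"String"
+},
+{
+"Name":"vuln_details_added_t",
+"Type":"DateTime"
+},
+{
+"Name":"vuln_details_categories_s",
+"Type":"String"
+},
+{
+"Name":"vuln_details_cves_s",
+"Type":"String"
+},
+{
+"Name":"vuln_details_cvss_v2_access_complexity_s",
+"Type":"String"
+},
+{
+"Name":"vuln_details_cvss_v2_access_vector_s",
+"Type":"String"
+},
+{
+"Name":"vuln_details_cvss_v2_authentication_s",
+"Type":"String"
+},
+{
+"Name":"vuln_details_cvss_v2_availability_impact_s",
+"Type":"String"
+},
+{
+"Name":"vuln_details_cvss_v2_confidentiality_impact_s",
+"Type":"String"
+},
+{
+"Name":"vuln_details_cvss_v2_exploit_score_d",
+"Type":"Double"
+},
+{
+"Name":"vuln_details_cvss_v2_impact_score_d",
+"Type":"Double"
+},
+{
+"Name":"vuln_details_cvss_v2_integrity_impact_s",
+"Type":"String"
+},
+{
+"Name":"vuln_details_cvss_v2_score_d",
+"Type":"Double"
+},
+{
+"Name":"vuln_details_cvss_v2_vector_s",
+"Type":"String"
+},
+{
+"Name":"vuln_details_cvss_v3_attack_complexity_s",
+"Type":"String"
+},
+{
+"Name":"vuln_details_cvss_v3_attack_vector_s",
+"Type":"String"
+},
+{
+"Name":"vuln_details_cvss_v3_availability_impact_s",
+"Type":"String"
+},
+{
+"Name":"vuln_details_cvss_v3_confidentiality_impact_s",
+"Type":"String"
+},
+{
+"Name":"vuln_details_cvss_v3_exploit_score_d",
+"Type":"Double"
+},
+{
+"Name":"vuln_details_cvss_v3_impact_score_d",
+"Type":"Double"
+},
+{
+"Name":"vuln_details_cvss_v3_integrity_impact_s",
+"Type":"String"
+},
+{
+"Name":"vuln_details_cvss_v3_privileges_required_s",
+"Type":"String"
+},
+{
+"Name":"vuln_details_cvss_v3_scope_s",
+"Type":"String"
+},
+{
+"Name":"vuln_details_cvss_v3_score_d",
+"Type":"Double"
+},
+{
+"Name":"vuln_details_cvss_v3_user_interaction_s",
+"Type":"String"
+},
+{
+"Name":"vuln_details_cvss_v3_vector_s",
+"Type":"String"
+},
+{
+"Name":"vuln_details_denial_of_service_b",
+"Type":"Bool"
+},
+{
+"Name":"vuln_details_description_s",
+"Type":"String"
+},
+{
+"Name":"vuln_details_exploits_s",
+"Type":"String"
+},
+{
+"Name":"vuln_details_id_s",
+"Type":"String"
+},
+{
+"Name":"vuln_details_links_s",
+"Type":"String"
+},
+{
+"Name":"vuln_details_malware_kits_s",
+"Type":"String"
+},
+{
+"Name":"vuln_details_modified_t",
+"Type":"DateTime"
+},
+{
+"Name":"vuln_details_pci_cvss_score_d",
+"Type":"Double"
+},
+{
+"Name":"vuln_details_pci_fail_b",
+"Type":"Bool"
+},
+{
+"Name":"vuln_details_pci_severity_score_d",
+"Type":"Double"
+},
+{
+"Name":"vuln_details_pci_special_notes_s",
+"Type":"String"
+},
+{
+"Name":"vuln_details_pci_status_s",
+"Type":"String"
+},
+{
+"Name":"vuln_details_published_t",
+"Type":"DateTime"
+},
+{
+"Name":"vuln_details_references_s",
+"Type":"String"
+},
+{
+"Name":"vuln_details_risk_score_d",
+"Type":"Double"
+},
+{
+"Name":"vuln_details_severity_s",
+"Type":"String"
+},
+{
+"Name":"vuln_details_severity_score_d",
+"Type":"Double"
+},
+{
+"Name":"vuln_details_title_s",
+"Type":"String"
+}
+]
+}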
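Review bot: `vuln_details_exploits_s`, `vuln_details_links_s` and `vuln_details_malware_kits_s` are declared as String here, while the vulnerability sample records in this PR carry them as JSON arrays (`links` being an array of `href`/`id`/`source` objects); that is consistent with Log Analytics serializing nested values into a string column, but it means the parser has to `parse_json()` these columns rather than treat them as scalars, and a one-line comment in the table definition or parser saying so would save the next maintainer a round trip. Likewise `vuln_details_cves_s` and `vuln_details_references_s` arrive as comma-joined lists (the sample has `"references":"xf:306,xf:322,osvdb:95,cve:CVE-1999-0524"`), so any analytic that matches on a CVE should split on `,` instead of comparing whole values. I cannot see the parser in this chunk, so treat this as a check rather than a confirmed gap.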



@ -0,0 +1,887 @@
[
{
"asset_id":"1b09c714-daaa-4d5e-88af-730e1167c6fc-default-asset-17",
"host_name":"srv-gr-002.company.com",
"ip":"10.1.1.6",
"vuln_details":{
"added":"2020-03-31T00:00:00Z",
"categories":"Network,SSH",
"cves":"",
"cvss_v2_access_complexity":"medium",
"cvss_v2_access_vector":"network",
"cvss_v2_authentication":"none",
"cvss_v2_availability_impact":"none",
"cvss_v2_confidentiality_impact":"partial",
"cvss_v2_exploit_score":8.588799953460693,
"cvss_v2_impact_score":2.8627500620484354,
"cvss_v2_integrity_impact":"none",
"cvss_v2_score":4.3,
"cvss_v2_vector":"(AV:N/AC:M/Au:N/C:P/I:N/A:N)",
"cvss_v3_attack_complexity":null,
"cvss_v3_attack_vector":null,
"cvss_v3_availability_impact":null,
"cvss_v3_confidentiality_impact":null,
"cvss_v3_exploit_score":0.0,
"cvss_v3_impact_score":null,
"cvss_v3_integrity_impact":null,
"cvss_v3_privileges_required":null,
"cvss_v3_scope":null,
"cvss_v3_score":0.0,
"cvss_v3_user_interaction":null,
"cvss_v3_vector":null,
"denial_of_service":false,
"description":"The server supports one or more weak key exchange algorithms. It is highly adviseable to remove weak key exchange algorithm support from SSH configuration files on hosts to prevent them from being used to establish connections.",
"exploits":[
],
"id":"ssh-weak-kex-algorithms",
"links":[
{
"href":"https://wiki.mozilla.org/Security/Guidelines/OpenSSH",
"id":"https://wiki.mozilla.org/Security/Guidelines/OpenSSH",
"source":"url"
}
],
"malware_kits":[
],
"modified":"2020-04-07T00:00:00Z",
"pci_cvss_score":4.3,
"pci_fail":true,
"pci_severity_score":3,
"pci_special_notes":"",
"pci_status":"fail",
"published":"2017-07-13T00:00:00Z",
"references":"url:https://wiki.mozilla.org/Security/Guidelines/OpenSSH",
"risk_score":405.49,
"severity":"severe",
"severity_score":4,
"title":"SSH Server Supports Weak Key Exchange Algorithms"
}
},
{
"asset_id":"1b09c714-daaa-4d5e-88af-730e1167c6fc-default-asset-34",
"host_name":null,
"ip":"101.111.152.254",
"vuln_details":{
"added":"2011-04-01T00:00:00Z",
"categories":"DNS,ISC,ISC BIND",
"cves":"",
"cvss_v2_access_complexity":"low",
"cvss_v2_access_vector":"network",
"cvss_v2_authentication":"none",
"cvss_v2_availability_impact":"none",
"cvss_v2_confidentiality_impact":"partial",
"cvss_v2_exploit_score":9.996799945831299,
"cvss_v2_impact_score":2.8627500620484354,
"cvss_v2_integrity_impact":"none",
"cvss_v2_score":5.0,
"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:P/I:N/A:N)",
"cvss_v3_attack_complexity":null,
"cvss_v3_attack_vector":null,
"cvss_v3_availability_impact":null,
"cvss_v3_confidentiality_impact":null,
"cvss_v3_exploit_score":0.0,
"cvss_v3_impact_score":null,
"cvss_v3_integrity_impact":null,
"cvss_v3_privileges_required":null,
"cvss_v3_scope":null,
"cvss_v3_score":0.0,
"cvss_v3_user_interaction":null,
"cvss_v3_vector":null,
"denial_of_service":false,
"description":"This DNS server is susceptible to DNS cache snooping, whereby an attacker can make non-recursive queries to a DNS server, looking for records potentially already resolved by this DNS server for other clients. Depending on the response, an attacker can use this information to potentially launch other attacks.",
"exploits":[
],
"id":"dns-allows-cache-snooping",
"links":[
{
"href":"http://cs.unc.edu/~fabian/course_papers/cache_snooping.pdf",
"id":"http://cs.unc.edu/~fabian/course_papers/cache_snooping.pdf",
"source":"url"
}
],
"malware_kits":[
],
"modified":"2016-04-08T00:00:00Z",
"pci_cvss_score":5.0,
"pci_fail":true,
"pci_severity_score":3,
"pci_special_notes":"",
"pci_status":"fail",
"published":"1990-01-01T00:00:00Z",
"references":"url:http://cs.unc.edu/~fabian/course_papers/cache_snooping.pdf",
"risk_score":599.57,
"severity":"severe",
"severity_score":5,
"title":"DNS server allows cache snooping"
}
},
{
"asset_id":"1b09c714-daaa-4d5e-88af-730e1167c6fc-default-asset-34",
"host_name":null,
"ip":"101.111.152.254",
"vuln_details":{
"added":"2011-04-01T00:00:00Z",
"categories":"DNS,ISC,ISC BIND",
"cves":"",
"cvss_v2_access_complexity":"low",
"cvss_v2_access_vector":"network",
"cvss_v2_authentication":"none",
"cvss_v2_availability_impact":"none",
"cvss_v2_confidentiality_impact":"partial",
"cvss_v2_exploit_score":9.996799945831299,
"cvss_v2_impact_score":2.8627500620484354,
"cvss_v2_integrity_impact":"none",
"cvss_v2_score":5.0,
"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:P/I:N/A:N)",
"cvss_v3_attack_complexity":null,
"cvss_v3_attack_vector":null,
"cvss_v3_availability_impact":null,
"cvss_v3_confidentiality_impact":null,
"cvss_v3_exploit_score":0.0,
"cvss_v3_impact_score":null,
"cvss_v3_integrity_impact":null,
"cvss_v3_privileges_required":null,
"cvss_v3_scope":null,
"cvss_v3_score":0.0,
"cvss_v3_user_interaction":null,
"cvss_v3_vector":null,
"denial_of_service":false,
"description":"This DNS server is susceptible to DNS cache snooping, whereby an attacker can make non-recursive queries to a DNS server, looking for records potentially already resolved by this DNS server for other clients. Depending on the response, an attacker can use this information to potentially launch other attacks.",
"exploits":[
],
"id":"dns-allows-cache-snooping",
"links":[
{
"href":"http://cs.unc.edu/~fabian/course_papers/cache_snooping.pdf",
"id":"http://cs.unc.edu/~fabian/course_papers/cache_snooping.pdf",
"source":"url"
}
],
"malware_kits":[
],
"modified":"2016-04-08T00:00:00Z",
"pci_cvss_score":5.0,
"pci_fail":true,
"pci_severity_score":3,
"pci_special_notes":"",
"pci_status":"fail",
"published":"1990-01-01T00:00:00Z",
"references":"url:http://cs.unc.edu/~fabian/course_papers/cache_snooping.pdf",
"risk_score":599.57,
"severity":"severe",
"severity_score":5,
"title":"DNS server allows cache snooping"
}
},
{
"asset_id":"1b09c714-daaa-4d5e-88af-730e1167c6fc-default-asset-34",
"host_name":null,
"ip":"101.111.152.254",
"vuln_details":{
"added":"2014-12-10T00:00:00Z",
"categories":"DNS,Denial of Service,ISC,ISC BIND",
"cves":"",
"cvss_v2_access_complexity":"low",
"cvss_v2_access_vector":"network",
"cvss_v2_authentication":"none",
"cvss_v2_availability_impact":"none",
"cvss_v2_confidentiality_impact":"none",
"cvss_v2_exploit_score":9.996799945831299,
"cvss_v2_impact_score":0.0,
"cvss_v2_integrity_impact":"none",
"cvss_v2_score":0.0,
"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:N/I:N/A:N)",
"cvss_v3_attack_complexity":null,
"cvss_v3_attack_vector":null,
"cvss_v3_availability_impact":null,
"cvss_v3_confidentiality_impact":null,
"cvss_v3_exploit_score":0.0,
"cvss_v3_impact_score":null,
"cvss_v3_integrity_impact":null,
"cvss_v3_privileges_required":null,
"cvss_v3_scope":null,
"cvss_v3_score":0.0,
"cvss_v3_user_interaction":null,
"cvss_v3_vector":null,
"denial_of_service":false,
"description":"A Domain Name Server (DNS) amplification attack is a popular form of distributed denial of service (DDoS) that relies on the use of publically accessible open DNS servers to overwhelm a victim system with DNS response traffic. \n\n A Domain Name Server (DNS) Amplification attack is a popular form of Distributed Denial of Service (DDoS), in which attackers use publically accessible open DNS servers to flood a target system with DNS response traffic. The primary technique consists of an attacker sending a DNS name lookup request to an open DNS server with the source address spoofed to be the target's address. When the DNS server sends the DNS record response, it is sent instead to the target. Attackers will typically submit a request for as much zone information as possible to maximize the amplification effect. In most attacks of this type observed by US-CERT, the spoofed queries sent by the attacker are of the type, \"ANY\" which returns all known information about a DNS zone in a single request. Because the size of the response is considerably larger than the request, the attacker is able to increase the amount of traffic directed at the victim. By leveraging a botnet to produce a large number of spoofed DNS queries, an attacker can create an immense amount of traffic with little effort. Additionally, because the responses are legitimate data coming from valid servers, it is extremely difficult to prevent these types of attacks. While the attacks are difficult to stop, network operators can apply several possible mitigation strategies. \n\n While the most common form of this attack that US-CERT has observed involves DNS servers configured to allow unrestricted recursive resolution for any client on the Internet, attacks can also involve authoritative name servers that do not provide recursive resolution. 
The attack method is similar to open recursive resolvers, but is more difficult to mitigate since even a server configured with best practices can still be used in an attack. In the case of authoritative servers, mitigation should focus on using Response Rate Limiting to restrict the amount of traffic.",
"exploits":[
],
"id":"dns-amplification",
"links":[
{
"href":"http://www.us-cert.gov/cas/techalerts/TA13-088A.html",
"id":"TA13-088A",
"source":"cert"
},
{
"href":"http://www.us-cert.gov/cas/techalerts/TA14-017A.html",
"id":"TA14-017A",
"source":"cert"
}
],
"malware_kits":[
],
"modified":"2018-03-21T00:00:00Z",
"pci_cvss_score":0.0,
"pci_fail":false,
"pci_severity_score":1,
"pci_special_notes":"",
"pci_status":"pass",
"published":"2013-03-29T00:00:00Z",
"references":"cert:TA13-088A,cert:TA14-017A",
"risk_score":0.0,
"severity":"moderate",
"severity_score":1,
"title":"DNS Traffic Amplification"
}
},
{
"asset_id":"1b09c714-daaa-4d5e-88af-730e1167c6fc-default-asset-34",
"host_name":null,
"ip":"101.111.152.254",
"vuln_details":{
"added":"2010-02-26T00:00:00Z",
"categories":"DNS,Denial of Service,ISC,ISC BIND",
"cves":"",
"cvss_v2_access_complexity":"low",
"cvss_v2_access_vector":"network",
"cvss_v2_authentication":"none",
"cvss_v2_availability_impact":"partial",
"cvss_v2_confidentiality_impact":"none",
"cvss_v2_exploit_score":9.996799945831299,
"cvss_v2_impact_score":2.862749751806259,
"cvss_v2_integrity_impact":"none",
"cvss_v2_score":5.0,
"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:N/I:N/A:P)",
"cvss_v3_attack_complexity":null,
"cvss_v3_attack_vector":null,
"cvss_v3_availability_impact":null,
"cvss_v3_confidentiality_impact":null,
"cvss_v3_exploit_score":0.0,
"cvss_v3_impact_score":null,
"cvss_v3_integrity_impact":null,
"cvss_v3_privileges_required":null,
"cvss_v3_scope":null,
"cvss_v3_score":0.0,
"cvss_v3_user_interaction":null,
"cvss_v3_vector":null,
"denial_of_service":true,
"description":"Allowing nameservers to process recursive queries coming from any system may, in certain situations, help attackers conduct denial of service or cache poisoning attacks.",
"exploits":[
],
"id":"dns-processes-recursive-queries",
"links":[
{
"href":"http://www.us-cert.gov/reading_room/DNS-recursion033006.pdf",
"id":"http://www.us-cert.gov/reading_room/DNS-recursion033006.pdf",
"source":"url"
}
],
"malware_kits":[
],
"modified":"2012-10-23T00:00:00Z",
"pci_cvss_score":5.0,
"pci_fail":false,
"pci_severity_score":2,
"pci_special_notes":"Denial-of-Service-only vulnerability marked as compliant. ",
"pci_status":"pass",
"published":"1990-01-01T00:00:00Z",
"references":"url:http://www.us-cert.gov/reading_room/DNS-recursion033006.pdf",
"risk_score":199.86,
"severity":"severe",
"severity_score":5,
"title":"Nameserver Processes Recursive Queries"
}
},
{
"asset_id":"1b09c714-daaa-4d5e-88af-730e1167c6fc-default-asset-34",
"host_name":null,
"ip":"101.111.152.254",
"vuln_details":{
"added":"2010-02-26T00:00:00Z",
"categories":"DNS,Denial of Service,ISC,ISC BIND",
"cves":"",
"cvss_v2_access_complexity":"low",
"cvss_v2_access_vector":"network",
"cvss_v2_authentication":"none",
"cvss_v2_availability_impact":"partial",
"cvss_v2_confidentiality_impact":"none",
"cvss_v2_exploit_score":9.996799945831299,
"cvss_v2_impact_score":2.862749751806259,
"cvss_v2_integrity_impact":"none",
"cvss_v2_score":5.0,
"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:N/I:N/A:P)",
"cvss_v3_attack_complexity":null,
"cvss_v3_attack_vector":null,
"cvss_v3_availability_impact":null,
"cvss_v3_confidentiality_impact":null,
"cvss_v3_exploit_score":0.0,
"cvss_v3_impact_score":null,
"cvss_v3_integrity_impact":null,
"cvss_v3_privileges_required":null,
"cvss_v3_scope":null,
"cvss_v3_score":0.0,
"cvss_v3_user_interaction":null,
"cvss_v3_vector":null,
"denial_of_service":true,
"description":"Allowing nameservers to process recursive queries coming from any system may, in certain situations, help attackers conduct denial of service or cache poisoning attacks.",
"exploits":[
],
"id":"dns-processes-recursive-queries",
"links":[
{
"href":"http://www.us-cert.gov/reading_room/DNS-recursion033006.pdf",
"id":"http://www.us-cert.gov/reading_room/DNS-recursion033006.pdf",
"source":"url"
}
],
"malware_kits":[
],
"modified":"2012-10-23T00:00:00Z",
"pci_cvss_score":5.0,
"pci_fail":false,
"pci_severity_score":2,
"pci_special_notes":"Denial-of-Service-only vulnerability marked as compliant. ",
"pci_status":"pass",
"published":"1990-01-01T00:00:00Z",
"references":"url:http://www.us-cert.gov/reading_room/DNS-recursion033006.pdf",
"risk_score":199.86,
"severity":"severe",
"severity_score":5,
"title":"Nameserver Processes Recursive Queries"
}
},
{
"asset_id":"1b09c714-daaa-4d5e-88af-730e1167c6fc-default-asset-34",
"host_name":null,
"ip":"101.111.152.254",
"vuln_details":{
"added":"2004-11-01T00:00:00Z",
"categories":"Network",
"cves":"CVE-1999-0524",
"cvss_v2_access_complexity":"low",
"cvss_v2_access_vector":"local",
"cvss_v2_authentication":"none",
"cvss_v2_availability_impact":"none",
"cvss_v2_confidentiality_impact":"none",
"cvss_v2_exploit_score":3.948735978603363,
"cvss_v2_impact_score":0.0,
"cvss_v2_integrity_impact":"none",
"cvss_v2_score":0.0,
"cvss_v2_vector":"(AV:L/AC:L/Au:N/C:N/I:N/A:N)",
"cvss_v3_attack_complexity":null,
"cvss_v3_attack_vector":null,
"cvss_v3_availability_impact":null,
"cvss_v3_confidentiality_impact":null,
"cvss_v3_exploit_score":0.0,
"cvss_v3_impact_score":null,
"cvss_v3_integrity_impact":null,
"cvss_v3_privileges_required":null,
"cvss_v3_scope":null,
"cvss_v3_score":0.0,
"cvss_v3_user_interaction":null,
"cvss_v3_vector":null,
"denial_of_service":false,
"description":"The remote host responded to an ICMP timestamp request. The ICMP timestamp response contains the remote host's date and time. This information could theoretically be used against some systems to exploit weak time-based random number generators in other services.\n\nIn addition, the versions of some operating systems can be accurately fingerprinted by analyzing their responses to invalid ICMP timestamp requests.",
"exploits":[
],
"id":"generic-icmp-timestamp",
"links":[
{
"href":"https://exchange.xforce.ibmcloud.com/vulnerabilities/322",
"id":"322",
"source":"xf"
},
{
"href":"http://nvd.nist.gov/vuln/detail/CVE-1999-0524",
"id":"CVE-1999-0524",
"source":"cve"
},
{
"href":"http://www.osvdb.org/95",
"id":"95",
"source":"osvdb"
},
{
"href":"https://exchange.xforce.ibmcloud.com/vulnerabilities/306",
"id":"306",
"source":"xf"
}
],
"malware_kits":[
],
"modified":"2019-06-11T00:00:00Z",
"pci_cvss_score":0.0,
"pci_fail":false,
"pci_severity_score":1,
"pci_special_notes":"",
"pci_status":"pass",
"published":"1997-08-01T00:00:00Z",
"references":"xf:306,xf:322,osvdb:95,cve:CVE-1999-0524",
"risk_score":0.0,
"severity":"moderate",
"severity_score":1,
"title":"ICMP timestamp response"
}
},
{
"asset_id":"1b09c714-daaa-4d5e-88af-730e1167c6fc-default-asset-34",
"host_name":null,
"ip":"101.111.152.254",
"vuln_details":{
"added":"2011-04-01T00:00:00Z",
"categories":"Network",
"cves":"",
"cvss_v2_access_complexity":"low",
"cvss_v2_access_vector":"network",
"cvss_v2_authentication":"none",
"cvss_v2_availability_impact":"none",
"cvss_v2_confidentiality_impact":"none",
"cvss_v2_exploit_score":9.996799945831299,
"cvss_v2_impact_score":0.0,
"cvss_v2_integrity_impact":"none",
"cvss_v2_score":0.0,
"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:N/I:N/A:N)",
"cvss_v3_attack_complexity":null,
"cvss_v3_attack_vector":null,
"cvss_v3_availability_impact":null,
"cvss_v3_confidentiality_impact":null,
"cvss_v3_exploit_score":0.0,
"cvss_v3_impact_score":null,
"cvss_v3_integrity_impact":null,
"cvss_v3_privileges_required":null,
"cvss_v3_scope":null,
"cvss_v3_score":0.0,
"cvss_v3_user_interaction":null,
"cvss_v3_vector":null,
"denial_of_service":false,
"description":"The remote host responded with a TCP timestamp. The TCP timestamp response can be used to approximate the remote host's uptime, potentially aiding in further attacks. Additionally, some operating systems can be fingerprinted based on the behavior of their TCP timestamps.",
"exploits":[
],
"id":"generic-tcp-timestamp",
"links":[
{
"href":"http://www.ietf.org/rfc/rfc1323.txt",
"id":"http://www.ietf.org/rfc/rfc1323.txt",
"source":"url"
},
{
"href":"http://www.forensicswiki.org/wiki/TCP_timestamps",
"id":"http://www.forensicswiki.org/wiki/TCP_timestamps",
"source":"url"
},
{
"href":"http://uptime.netcraft.com",
"id":"http://uptime.netcraft.com",
"source":"url"
}
],
"malware_kits":[
],
"modified":"2018-03-21T00:00:00Z",
"pci_cvss_score":0.0,
"pci_fail":false,
"pci_severity_score":1,
"pci_special_notes":"",
"pci_status":"pass",
"published":"1997-08-01T00:00:00Z",
"references":"url:http://uptime.netcraft.com,url:http://www.forensicswiki.org/wiki/TCP_timestamps,url:http://www.ietf.org/rfc/rfc1323.txt",
"risk_score":0.0,
"severity":"moderate",
"severity_score":1,
"title":"TCP timestamp response"
}
},
{
"asset_id":"1b09c714-daaa-4d5e-88af-730e1167c6fc-default-asset-34",
"host_name":null,
"ip":"101.111.152.254",
"vuln_details":{
"added":"2020-03-31T00:00:00Z",
"categories":"Network,SSH",
"cves":"",
"cvss_v2_access_complexity":"high",
"cvss_v2_access_vector":"network",
"cvss_v2_authentication":"none",
"cvss_v2_availability_impact":"none",
"cvss_v2_confidentiality_impact":"none",
"cvss_v2_exploit_score":4.927999973297119,
"cvss_v2_impact_score":0.0,
"cvss_v2_integrity_impact":"none",
"cvss_v2_score":0.0,
"cvss_v2_vector":"(AV:N/AC:H/Au:N/C:N/I:N/A:N)",
"cvss_v3_attack_complexity":null,
"cvss_v3_attack_vector":null,
"cvss_v3_availability_impact":null,
"cvss_v3_confidentiality_impact":null,
"cvss_v3_exploit_score":0.0,
"cvss_v3_impact_score":null,
"cvss_v3_integrity_impact":null,
"cvss_v3_privileges_required":null,
"cvss_v3_scope":null,
"cvss_v3_score":0.0,
"cvss_v3_user_interaction":null,
"cvss_v3_vector":null,
"denial_of_service":false,
"description":"Since 3DES (Triple Data Encryption Standard) only provides an effective security of 112 bits, it is considered close to end of life by some agencies. ECRYPT II (from 2012) recommends for generic application independent long-term protection of at least 128 bits security. The same recommendation has also been reported by BSI Germany (from 2015) and ANSSI France (from 2014), 128 bit is the recommended symmetric size and should be mandatory after 2020. While NIST (from 2012) still considers 3DES being appropriate to use until the end of 2030.",
"exploits":[
],
"id":"ssh-3des-ciphers",
"links":[
{
"href":"https://bettercrypto.org/static/applied-crypto-hardening.pdf",
"id":"https://bettercrypto.org/static/applied-crypto-hardening.pdf",
"source":"url"
},
{
"href":"http://www.ecrypt.eu.org/ecrypt2/documents/D.SPA.20.pdf",
"id":"http://www.ecrypt.eu.org/ecrypt2/documents/D.SPA.20.pdf",
"source":"url"
}
],
"malware_kits":[
],
"modified":"2020-03-31T00:00:00Z",
"pci_cvss_score":0.0,
"pci_fail":false,
"pci_severity_score":1,
"pci_special_notes":"",
"pci_status":"pass",
"published":"2009-02-01T00:00:00Z",
"references":"url:http://www.ecrypt.eu.org/ecrypt2/documents/D.SPA.20.pdf,url:https://bettercrypto.org/static/applied-crypto-hardening.pdf",
"risk_score":0.0,
"severity":"moderate",
"severity_score":1,
"title":"SSH Server Supports 3DES Cipher Suite"
}
},
{
"asset_id":"1b09c714-daaa-4d5e-88af-730e1167c6fc-default-asset-34",
"host_name":null,
"ip":"101.111.152.254",
"vuln_details":{
"added":"2020-03-31T00:00:00Z",
"categories":"Network,SSH",
"cves":"",
"cvss_v2_access_complexity":"high",
"cvss_v2_access_vector":"network",
"cvss_v2_authentication":"none",
"cvss_v2_availability_impact":"none",
"cvss_v2_confidentiality_impact":"partial",
"cvss_v2_exploit_score":4.927999973297119,
"cvss_v2_impact_score":2.8627500620484354,
"cvss_v2_integrity_impact":"none",
"cvss_v2_score":2.6,
"cvss_v2_vector":"(AV:N/AC:H/Au:N/C:P/I:N/A:N)",
"cvss_v3_attack_complexity":null,
"cvss_v3_attack_vector":null,
"cvss_v3_availability_impact":null,
"cvss_v3_confidentiality_impact":null,
"cvss_v3_exploit_score":0.0,
"cvss_v3_impact_score":null,
"cvss_v3_integrity_impact":null,
"cvss_v3_privileges_required":null,
"cvss_v3_scope":null,
"cvss_v3_score":0.0,
"cvss_v3_user_interaction":null,
"cvss_v3_vector":null,
"denial_of_service":false,
"description":"SSH contains a vulnerability in the way certain types of errors are handled. Attacks leveraging this vulnerabilty would lead to the loss of the SSH session. According to CPNI Vulnerability Advisory SSH: \n\n If exploited, this attack can potentially allow an attacker to recover up to 32 bits of plaintext from an arbitrary block of ciphertext from a connection secured using the SSH protocol in the standard configuration. If OpenSSH is used in the standard configuration, then the attacker's success probability for recovering 32 bits of plaintext is 2^{-18}. A variant of the attack against OpenSSH in the standard configuration can verifiably recover 14 bits of plaintext with probability 2^{-14}. The success probability of the attack for other implementations of SSH is not known.",
"exploits":[
],
"id":"ssh-cbc-ciphers",
"links":[
{
"href":"https://www.kb.cert.org/vuls/id/958563",
"id":"https://www.kb.cert.org/vuls/id/958563",
"source":"url"
}
],
"malware_kits":[
],
"modified":"2020-03-31T00:00:00Z",
"pci_cvss_score":2.6,
"pci_fail":false,
"pci_severity_score":2,
"pci_special_notes":"",
"pci_status":"pass",
"published":"2013-02-08T00:00:00Z",
"references":"url:https://www.kb.cert.org/vuls/id/958563",
"risk_score":497.83,
"severity":"moderate",
"severity_score":3,
"title":"SSH CBC vulnerability"
}
},
{
"asset_id":"1b09c714-daaa-4d5e-88af-730e1167c6fc-default-asset-34",
"host_name":null,
"ip":"101.111.152.254",
"vuln_details":{
"added":"2020-03-31T00:00:00Z",
"categories":"Network,SSH",
"cves":"CVE-2015-4000",
"cvss_v2_access_complexity":"medium",
"cvss_v2_access_vector":"network",
"cvss_v2_authentication":"none",
"cvss_v2_availability_impact":"none",
"cvss_v2_confidentiality_impact":"none",
"cvss_v2_exploit_score":8.588799953460693,
"cvss_v2_impact_score":2.8627500620484354,
"cvss_v2_integrity_impact":"partial",
"cvss_v2_score":4.3,
"cvss_v2_vector":"(AV:N/AC:M/Au:N/C:N/I:P/A:N)",
"cvss_v3_attack_complexity":"high",
"cvss_v3_attack_vector":"network",
"cvss_v3_availability_impact":"none",
"cvss_v3_confidentiality_impact":"none",
"cvss_v3_exploit_score":2.2211673,
"cvss_v3_impact_score":1.4123999999999999,
"cvss_v3_integrity_impact":"low",
"cvss_v3_privileges_required":"none",
"cvss_v3_scope":"unchanged",
"cvss_v3_score":3.7,
"cvss_v3_user_interaction":"none",
"cvss_v3_vector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"denial_of_service":false,
"description":"The prime modulus offered when diffie-hellman-group1-sha1 is used only has a size of 1024 bits. This size is considered weak and within theoretical range of the so-called Logjam attack.",
"exploits":[
],
"id":"ssh-cve-2015-4000",
"links":[
{
"href":"http://nvd.nist.gov/vuln/detail/CVE-2015-4000",
"id":"CVE-2015-4000",
"source":"cve"
},
{
"href":"https://weakdh.org/",
"id":"https://weakdh.org/",
"source":"url"
}
],
"malware_kits":[
],
"modified":"2020-07-13T00:00:00Z",
"pci_cvss_score":4.3,
"pci_fail":true,
"pci_severity_score":3,
"pci_special_notes":"",
"pci_status":"fail",
"published":"2015-05-20T00:00:00Z",
"references":"cve:CVE-2015-4000,url:https://weakdh.org/",
"risk_score":196.45,
"severity":"severe",
"severity_score":4,
"title":"SSH Server Supports diffie-hellman-group1-sha1"
}
},
{
"asset_id":"1b09c714-daaa-4d5e-88af-730e1167c6fc-default-asset-34",
"host_name":null,
"ip":"101.111.152.254",
"vuln_details":{
"added":"2020-03-31T00:00:00Z",
"categories":"Network,SSH",
"cves":"CVE-2016-2183",
"cvss_v2_access_complexity":"low",
"cvss_v2_access_vector":"network",
"cvss_v2_authentication":"none",
"cvss_v2_availability_impact":"none",
"cvss_v2_confidentiality_impact":"partial",
"cvss_v2_exploit_score":9.996799945831299,
"cvss_v2_impact_score":2.8627500620484354,
"cvss_v2_integrity_impact":"none",
"cvss_v2_score":5.0,
"cvss_v2_vector":"(AV:N/AC:L/Au:N/C:P/I:N/A:N)",
"cvss_v3_attack_complexity":"low",
"cvss_v3_attack_vector":"network",
"cvss_v3_availability_impact":"none",
"cvss_v3_confidentiality_impact":"high",
"cvss_v3_exploit_score":3.8870427750000003,
"cvss_v3_impact_score":3.5952,
"cvss_v3_integrity_impact":"none",
"cvss_v3_privileges_required":"none",
"cvss_v3_scope":"unchanged",
"cvss_v3_score":7.5,
"cvss_v3_user_interaction":"none",
"cvss_v3_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"denial_of_service":false,
"description":"Legacy block ciphers having a block size of 64 bits are vulnerable to a practical collision attack when used in CBC mode. The security of a block cipher is often reduced to the key size k: the best attack should be the exhaustive search of the key, with complexity 2 to the power of k. However, the block size n is also an important security parameter, defining the amount of data that can be encrypted under the same key. This is particularly important when using common modes of operation: we require block ciphers to be secure with up to 2 to the power of n queries, but most modes of operation (e.g. CBC, CTR, GCM, OCB, etc.) are unsafe with more than 2 to the power of half n blocks of message (the birthday bound). With a modern block cipher with 128-bit blocks such as AES, the birthday bound corresponds to 256 exabytes. However, for a block cipher with 64-bit blocks, the birthday bound corresponds to only 32 GB, which is easily reached in practice. Once a collision between two cipher blocks occurs it is possible to use the collision to extract the plain text data.",
"exploits":[
],
"id":"ssh-cve-2016-2183-sweet32",
"links":[
{
"href":"https://sweet32.info/",
"id":"https://sweet32.info/",
"source":"url"
},
{
"href":"http://nvd.nist.gov/vuln/detail/CVE-2016-2183",
"id":"CVE-2016-2183",
"source":"cve"
}
],
"malware_kits":[
],
"modified":"2020-04-01T00:00:00Z",
"pci_cvss_score":5.0,
"pci_fail":true,
"pci_severity_score":3,
"pci_special_notes":"",
"pci_status":"fail",
"published":"2016-08-24T00:00:00Z",
"references":"cve:CVE-2016-2183,url:https://sweet32.info/",
"risk_score":527.51,
"severity":"severe",
"severity_score":5,
"title":"SSH Birthday attacks on 64-bit block ciphers (SWEET32)"
}
},
{
"asset_id":"1b09c714-daaa-4d5e-88af-730e1167c6fc-default-asset-34",
"host_name":null,
"ip":"101.111.152.254",
"vuln_details":{
"added":"2020-03-31T00:00:00Z",
"categories":"Network,SSH",
"cves":"",
"cvss_v2_access_complexity":"medium",
"cvss_v2_access_vector":"network",
"cvss_v2_authentication":"none",
"cvss_v2_availability_impact":"none",
"cvss_v2_confidentiality_impact":"partial",
"cvss_v2_exploit_score":8.588799953460693,
"cvss_v2_impact_score":2.8627500620484354,
"cvss_v2_integrity_impact":"none",
"cvss_v2_score":4.3,
"cvss_v2_vector":"(AV:N/AC:M/Au:N/C:P/I:N/A:N)",
"cvss_v3_attack_complexity":null,
"cvss_v3_attack_vector":null,
"cvss_v3_availability_impact":null,
"cvss_v3_confidentiality_impact":null,
"cvss_v3_exploit_score":0.0,
"cvss_v3_impact_score":null,
"cvss_v3_integrity_impact":null,
"cvss_v3_privileges_required":null,
"cvss_v3_scope":null,
"cvss_v3_score":0.0,
"cvss_v3_user_interaction":null,
"cvss_v3_vector":null,
"denial_of_service":false,
"description":"The server supports one or more weak key exchange algorithms. It is highly adviseable to remove weak key exchange algorithm support from SSH configuration files on hosts to prevent them from being used to establish connections.",
"exploits":[
],
"id":"ssh-weak-kex-algorithms",
"links":[
{
"href":"https://wiki.mozilla.org/Security/Guidelines/OpenSSH",
"id":"https://wiki.mozilla.org/Security/Guidelines/OpenSSH",
"source":"url"
}
],
"malware_kits":[
],
"modified":"2020-04-07T00:00:00Z",
"pci_cvss_score":4.3,
"pci_fail":true,
"pci_severity_score":3,
"pci_special_notes":"",
"pci_status":"fail",
"published":"2017-07-13T00:00:00Z",
"references":"url:https://wiki.mozilla.org/Security/Guidelines/OpenSSH",
"risk_score":405.49,
"severity":"severe",
"severity_score":4,
"title":"SSH Server Supports Weak Key Exchange Algorithms"
}
},
{
"asset_id":"1b09c714-daaa-4d5e-88af-730e1167c6fc-default-asset-34",
"host_name":null,
"ip":"101.111.152.254",
"vuln_details":{
"added":"2020-03-31T00:00:00Z",
"categories":"Network,SSH",
"cves":"",
"cvss_v2_access_complexity":"high",
"cvss_v2_access_vector":"network",
"cvss_v2_authentication":"none",
"cvss_v2_availability_impact":"none",
"cvss_v2_confidentiality_impact":"partial",
"cvss_v2_exploit_score":4.927999973297119,
"cvss_v2_impact_score":4.938243839970231,
"cvss_v2_integrity_impact":"partial",
"cvss_v2_score":4.0,
"cvss_v2_vector":"(AV:N/AC:H/Au:N/C:P/I:P/A:N)",
"cvss_v3_attack_complexity":null,
"cvss_v3_attack_vector":null,
"cvss_v3_availability_impact":null,
"cvss_v3_confidentiality_impact":null,
"cvss_v3_exploit_score":0.0,
"cvss_v3_impact_score":null,
"cvss_v3_integrity_impact":null,
"cvss_v3_privileges_required":null,
"cvss_v3_scope":null,
"cvss_v3_score":0.0,
"cvss_v3_user_interaction":null,
"cvss_v3_vector":null,
"denial_of_service":false,
"description":"The SSH server supports cryptographically weak Hash-based message authentication codes (HMACs) including MD5 or 96-bit Hash-based algorithms.",
"exploits":[
],
"id":"ssh-weak-message-authentication-code-algorithms",
"links":[
{
"href":"http://csrc.nist.gov/archive/ipsec/papers/rfc2403-hmacmd5.txt",
"id":"http://csrc.nist.gov/archive/ipsec/papers/rfc2403-hmacmd5.txt",
"source":"url"
}
],
"malware_kits":[
],
"modified":"2020-03-31T00:00:00Z",
"pci_cvss_score":4.0,
"pci_fail":true,
"pci_severity_score":3,
"pci_special_notes":"",
"pci_status":"fail",
"published":"2014-01-06T00:00:00Z",
"references":"url:http://csrc.nist.gov/archive/ipsec/papers/rfc2403-hmacmd5.txt",
"risk_score":557.98,
"severity":"severe",
"severity_score":4,
"title":"SSH Weak Message Authentication Code Algorithms"
}
}
]
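Review bot: The `description` of the `dns-amplification` record is broken across two physical lines after `...recursive resolution. ` / `The attack method is similar...`; if that is a literal newline in the file rather than a wrap introduced by the rendering, the sample is not valid JSON and any `json.load()`-based parser test will fail on it — the other paragraph breaks in the same string use the escaped `\n\n`, so this one should too. The file also contains byte-identical duplicate records (the two `dns-allows-cache-snooping` entries and the two `dns-processes-recursive-queries` entries for `1b09c714-daaa-4d5e-88af-730e1167c6fc-default-asset-34`), which a fixture meant to exercise the parser does not need and which can hide whether downstream de-duplication is working. Finally, `101.111.152.254` is a routable public address; sample data is better served by an RFC 5737 documentation range such as `192.0.2.0/24`, as is already done with the private `10.1.1.6` in the first record, so the fixture cannot be mistaken for a real host.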



@ -0,0 +1,202 @@
import requests
from requests.packages.urllib3.util.retry import Retry
import azure.functions as func
import base64
import hmac
import hashlib
import json
import datetime
import os
import re
import logging
from .state_manager import StateManager
insightvm_apikey = os.environ['InsightVMAPIKey']
region = os.environ['InsightVMCloudRegion']
insightvm_url = f"https://{region}.api.insight.rapid7.com/vm/v4/integration/"
customer_id = os.environ['WorkspaceID']
shared_key = os.environ['WorkspaceKey']
connection_string = os.environ['AzureWebJobsStorage']
logAnalyticsUri = os.environ.get('logAnalyticsUri')
if ((logAnalyticsUri in (None, '') or str(logAnalyticsUri).isspace())):
logAnalyticsUri = 'https://' + customer_id + '.ods.opinsights.azure.com'
pattern = r"https:\/\/([\w\-]+)\.ods\.opinsights\.azure.([a-zA-Z\.]+)$"
match = re.match(pattern,str(logAnalyticsUri))
if(not match):
raise Exception("Invalid Log Analytics Uri.")
class InsightVMAPIv4integration:
def __init__(self, base_url, api_key):
self.sentinel = ProcessToSentinel()
self.base_url = base_url
self.api_key = api_key
self.headers = {
'Accept': "application/json",
'Content-Type': "application/json",
'X-Api-Key': self.api_key
}
retries = Retry(
total=5,
status_forcelist={500, 408, 413},
backoff_factor=1,
respect_retry_after_header=True
)
adapter = requests.adapters.HTTPAdapter(max_retries=retries)
self.session = requests.Session()
self.session.mount('https://', adapter)
self.start_time, self.end_time = self.generate_date()
self.success_processed = 0
self.fail_processed = 0
def get_asset_list(self):
assets_data = "data"
page_num = 0
while assets_data is not None:
try:
r = self.session.post(url="{}/{}".format(self.base_url, "assets"),
headers=self.headers,
verify=True,
params = {
"size": 100,
"page": page_num,
"includeSame": True,
"includeUniqueIdentifiers": True
})
assets_data = r.json().get("data")
if assets_data is not None:
if len(assets_data) == 0:
assets_data = None
if 200 <= r.status_code <= 299:
page_num += 1
if assets_data is not None:
if 200 <= self.sentinel.post_data(json.dumps(assets_data), len(assets_data), "assets") <= 299:
self.success_processed += len(assets_data)
else:
self.fail_processed += len(assets_data)
vuln_data = self.vulnerabilities_info_enrich(assets_data)
if 200 <= self.sentinel.post_data(json.dumps(vuln_data), len(vuln_data), "vulnerabilities") <= 299:
self.success_processed += len(vuln_data)
else:
self.fail_processed += len(vuln_data)
else:
logging.error("Error. Code: {}. Meaning: {}.".format(r.status_code,r.json().get("message")))
except Exception as err:
logging.error("Something wrong. Exception error text: {}".format(err))
def vulnerabilities_info_enrich(self, asset_chunk_data):
vuln_list = []
for asset in asset_chunk_data:
for vuln in asset.get("same"):
vuln_list.append(vuln.get("vulnerability_id")) if vuln.get(
"vulnerability_id") not in vuln_list else vuln_list
vuln_dict_list = self.get_vulnerabilities_info_list(str(vuln_list))
vuln_chunk_data = []
for asset in asset_chunk_data:
for vuln in asset.get("same"):
for vuln_dict_list_item in vuln_dict_list:
if vuln.get("vulnerability_id") == vuln_dict_list_item.get("id"):
vuln_chunk_data.append({
"asset_id": asset.get("id"),
"host_name": asset.get("host_name"),
"ip": asset.get("ip"),
"vuln_details": vuln_dict_list_item
})
return vuln_chunk_data
def get_vulnerabilities_info_list(self, vulns_array):
data = "data"
body = \
{
"vulnerability": f"id IN {vulns_array}"
}
page_num = 0
vulnerabilities_results = []
while data is not None:
try:
r = self.session.post(url="{}/{}".format(self.base_url, "vulnerabilities"),
headers=self.headers,
verify=True,
data = json.dumps(body),
params={
"size": 1000,
"page": page_num
})
data = r.json().get("data")
if data is not None:
if len(data) == 0:
data = None
if 200 <= r.status_code <= 299:
page_num += 1
if data is not None:
vulnerabilities_results.extend(data)
else:
logging.error("Error. Code: {}. Meaning: {}.".format(r.status_code, r.json().get("message")))
except Exception as err:
logging.error("Something wrong. Exception error text: {}".format(err))
return vulnerabilities_results
def generate_date(self):
current_time = datetime.datetime.utcnow().replace(second=0, microsecond=0)
state = StateManager(connection_string=connection_string)
past_time = state.get()
if past_time is not None:
logging.info("The last time point is: {}".format(past_time))
else:
logging.info("There is no last time point, trying to get events for last day.")
past_time = (current_time - datetime.timedelta(days=1)).strftime("%Y-%m-%dT%H:%M:%SZ")
state.post(current_time.strftime("%Y-%m-%dT%H:%M:%SZ"))
return (past_time, current_time.strftime("%Y-%m-%dT%H:%M:%SZ"))
class ProcessToSentinel:
def __init__(self):
self.logAnalyticsUri = logAnalyticsUri
self.processed_events_success = 0
self.processed_events_fail = 0
def build_signature(self, date, content_length, method, content_type, resource):
x_headers = 'x-ms-date:' + date
string_to_hash = method + "\n" + str(content_length) + "\n" + content_type + "\n" + x_headers + "\n" + resource
bytes_to_hash = bytes(string_to_hash, encoding="utf-8")
decoded_key = base64.b64decode(shared_key)
encoded_hash = base64.b64encode(
hmac.new(decoded_key, bytes_to_hash, digestmod=hashlib.sha256).digest()).decode()
authorization = "SharedKey {}:{}".format(customer_id, encoded_hash)
return authorization
def post_data(self, body, chunk_count, table):
method = 'POST'
content_type = 'application/json'
resource = '/api/logs'
rfc1123date = datetime.datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT')
content_length = len(body)
signature = self.build_signature(rfc1123date, content_length, method, content_type,
resource)
uri = self.logAnalyticsUri + resource + '?api-version=2016-04-01'
headers = {
'content-type': content_type,
'Authorization': signature,
'Log-Type': 'NexposeInsightVMCloud_'+table,
'x-ms-date': rfc1123date
}
response = requests.post(uri, data=body, headers=headers)
if (response.status_code >= 200 and response.status_code <= 299):
logging.info("Chunk was processed({} events) to the table: {}".format(chunk_count, table))
else:
logging.error("Error during sending events to Azure Sentinel. Response code:{}".format(response.status_code))
return response.status_code
def main(mytimer: func.TimerRequest) -> None:
if mytimer.past_due:
logging.info('The timer is past due!')
logging.info('Starting program')
api = InsightVMAPIv4integration(insightvm_url,insightvm_apikey)
start_time, end_time = api.generate_date()
logging.info("Time period parameters: from {} - to {}.".format(start_time, end_time))
api.get_asset_list()
sentinel_class_vars = vars(api)
success_processed, fail_processed = sentinel_class_vars["success_processed"], \
sentinel_class_vars["fail_processed"]
logging.info("Total events processed successfully: {}, failed: {}. Period: {} - {}"
.format(success_processed, fail_processed, start_time, end_time))


@ -0,0 +1,11 @@
{
"scriptFile": "__init__.py",
"bindings": [
{
"name": "mytimer",
"type": "timerTrigger",
"direction": "in",
"schedule": "0 0 * * * *"
}
]
}


@ -0,0 +1,22 @@
from azure.storage.fileshare import ShareClient
from azure.storage.fileshare import ShareFileClient
from azure.core.exceptions import ResourceNotFoundError
class StateManager:
def __init__(self, connection_string, share_name='funcstatemarkershare', file_path='funcstatemarkerfile'):
self.share_cli = ShareClient.from_connection_string(conn_str=connection_string, share_name=share_name)
self.file_cli = ShareFileClient.from_connection_string(conn_str=connection_string, share_name=share_name, file_path=file_path)
def post(self, marker_text: str):
try:
self.file_cli.upload_file(marker_text)
except ResourceNotFoundError:
self.share_cli.create_share()
self.file_cli.upload_file(marker_text)
def get(self):
try:
return self.file_cli.download_file().readall().decode()
except ResourceNotFoundError:
return None


@ -0,0 +1,143 @@
{
"id":"InsightVMCloudAPI",
"title":"Rapid7 Insight Platform Vulnerability Management Reports",
"publisher":"Rapid7",
"descriptionMarkdown":"The [Rapid7 Insight VM](https://www.rapid7.com/products/insightvm/) Report data connector provides the capability to ingest Scan reports and vulnerability data into Azure Sentinel through the REST API from the Rapid7 Insight platform (Managed in the cloud). Refer to [API documentation](https://docs.rapid7.com/insight/api-overview/) for more information. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.",
"additionalRequirementBanner":"This data connector depends on a parsers based on a Kusto Function to work as expected [**InsightVMAssets**](https://aka.ms/sentinel-InsightVMAssets-parser) and [**InsightVMVulnerabilities**](https://aka.ms/sentinel-InsightVMVulnerabilities-parser) which is deployed with the Azure Sentinel Solution.",
"graphQueries":[
{
"metricName":"Total data received",
"legend":"NexposeInsightVMCloud_assets_CL",
"baseQuery":"NexposeInsightVMCloud_assets_CL"
},
{
"metricName":"Total data received",
"legend":"NexposeInsightVMCloud_vulnerabilities_CL",
"baseQuery":"NexposeInsightVMCloud_vulnerabilities_CL"
}
],
"sampleQueries":[
{
"description":"Insight VM Report Events - Assets information",
"query":"NexposeInsightVMCloud_assets_CL\n | sort by TimeGenerated desc"
},
{
"description":"Insight VM Report Events - Vulnerabilities information",
"query":"NexposeInsightVMCloud_vulnerabilities_CL\n | sort by TimeGenerated desc"
}
],
"dataTypes":[
{
"name":"NexposeInsightVMCloud_assets_CL",
"lastDataReceivedQuery":"NexposeInsightVMCloud_assets_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name":"NexposeInsightVMCloud_vulnerabilities_CL",
"lastDataReceivedQuery":"NexposeInsightVMCloud_vulnerabilities_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias":[
{
"type":"IsConnectedQuery",
"value":[
"NexposeInsightVMCloud_assets_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)",
"NexposeInsightVMCloud_vulnerabilities_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability":{
"status":1,
"isPreview":true
},
"permissions":{
"resourceProvider":[
{
"provider":"Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText":"read and write permissions are required.",
"providerDisplayName":"Workspace",
"scope":"Workspace",
"requiredPermissions":{
"write":true,
"read":true,
"delete":true
}
},
{
"provider":"Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText":"read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
"providerDisplayName":"Keys",
"scope":"Workspace",
"requiredPermissions":{
"action":true
}
}
],
"customs":[
{
"name":"Microsoft.Web/sites permissions",
"description":"Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
},
{
"name":"REST API Credentials/permissions",
"description":"**InsightVMAPIKey** is required for REST API. [See the documentation to learn more about API](https://docs.rapid7.com/insight/api-overview/). Check all [requirements and follow the instructions](https://docs.rapid7.com/insight/managing-platform-api-keys/) for obtaining credentials."
}
]
},
"instructionSteps":[
{
"title":"",
"description":">**NOTE:** This connector uses Azure Functions to connect to the Insight VM API to pull its logs into Azure Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
},
{
"title":"",
"description":">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
},
{
"description":">**NOTE:** This data connector depends on a parsers based on a Kusto Function to work as expected [**InsightVMAssets**](https://aka.ms/sentinel-InsightVMAssets-parser) and [**InsightVMVulnerabilities**](https://aka.ms/sentinel-InsightVMVulnerabilities-parser) which is deployed with the Azure Sentinel Solution."
},
{
"title":"",
"description":"**STEP 1 - Configuration steps for the Insight VM Cloud**\n\n [Follow the instructions](https://docs.rapid7.com/insight/managing-platform-api-keys/) to obtain the credentials. \n"
},
{
"title":"",
"description":"**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Workspace data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following).",
"instructions":[
{
"parameters":{
"fillWith":[
"WorkspaceId"
],
"label":"Workspace ID"
},
"type":"CopyableLabel"
},
{
"parameters":{
"fillWith":[
"PrimaryKey"
],
"label":"Primary Key"
},
"type":"CopyableLabel"
}
]
},
{
"title":"Option 1 - Azure Resource Manager (ARM) Template",
"description":"Use this method for automated deployment of the Rapid7 Insight Vulnerability Management Report data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-InsightVMCloudAPI-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group.\n3. Enter the **InsightVMAPIKey**, choose **InsightVMCloudRegion** and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."
},
{
"title":"Option 2 - Manual Deployment of Azure Functions",
"description":"Use the following step-by-step instructions to deploy the Rapid7 Insight Vulnerability Management Report data connector manually with Azure Functions (Deployment via Visual Studio Code)."
},
{
"title":"",
"description":"**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://aka.ms/sentinel-InsightVMCloudAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. InsightVMXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Azure Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration."
},
{
"title":"",
"description":"**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select ** New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tInsightVMAPIKey\n\t\tInsightVMCloudRegion\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://<CustomerId>.ods.opinsights.azure.us`.\n3. Once all application settings have been entered, click **Save**."
}
]
}
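Review bot: The `descriptionMarkdown` ends with "analyze your team's use of collaboration, diagnose configuration problems and more", which reads as text carried over from a collaboration-product connector and does not describe vulnerability-scan data; trim it to what this connector actually ingests, e.g. `The connector provides the ability to get asset and vulnerability data which helps to examine potential security risks, track remediation progress and more.` The `additionalRequirementBanner` and the later NOTE step both say "depends on a parsers based on a Kusto Function"; "depends on parsers based on Kusto Functions" reads correctly. In the "Configure the Function App" step, `** New application setting**` has a stray space inside the bold markers and the step numbering repeats "3." for the final save step.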


@ -0,0 +1,211 @@
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"FunctionName": {
"defaultValue": "InsVMCloud",
"minLength": 1,
"maxLength": 11,
"type": "string"
},
"WorkspaceID": {
"type": "string",
"defaultValue": "<workspaceID>"
},
"WorkspaceKey": {
"type": "securestring",
"defaultValue": "<workspaceKey>"
},
"InsightVMAPIKey": {
"type": "securestring",
"defaultValue": "<InsightVMAPIKey>"
},
"InsightVMCloudRegion": {
"type": "string",
"allowedValues": [
"us",
"us2",
"us3",
"eu",
"ca",
"au",
"ap"
],
"defaultValue": "us",
"metadata": {
"description": "The region code for the region that hosts your data."
}
}
},
"variables": {
"FunctionName": "[concat(toLower(parameters('FunctionName')), uniqueString(resourceGroup().id))]",
"StorageSuffix": "[environment().suffixes.storage]",
"LogAnaltyicsUri": "[replace(environment().portal, 'https://portal', concat('https://', toLower(parameters('WorkspaceID')), '.ods.opinsights'))]"
},
"resources": [
{
"type": "Microsoft.Insights/components",
"apiVersion": "2015-05-01",
"name": "[variables('FunctionName')]",
"location": "[resourceGroup().location]",
"kind": "web",
"properties": {
"Application_Type": "web",
"ApplicationId": "[variables('FunctionName')]"
}
},
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"name": "[tolower(variables('FunctionName'))]",
"location": "[resourceGroup().location]",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"networkAcls": {
"bypass": "AzureServices",
"virtualNetworkRules": [],
"ipRules": [],
"defaultAction": "Allow"
},
"supportsHttpsTrafficOnly": true,
"encryption": {
"services": {
"file": {
"keyType": "Account",
"enabled": true
},
"blob": {
"keyType": "Account",
"enabled": true
}
},
"keySource": "Microsoft.Storage"
}
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]"
],
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"properties": {
"cors": {
"corsRules": []
},
"deleteRetentionPolicy": {
"enabled": false
}
}
},
{
"type": "Microsoft.Storage/storageAccounts/fileServices",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]"
],
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"properties": {
"cors": {
"corsRules": []
}
}
},
{
"type": "Microsoft.Web/sites",
"apiVersion": "2018-11-01",
"name": "[variables('FunctionName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]",
"[resourceId('Microsoft.Insights/components', variables('FunctionName'))]"
],
"kind": "functionapp,linux",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"name": "[variables('FunctionName')]",
"httpsOnly": true,
"clientAffinityEnabled": true,
"alwaysOn": true,
"reserved": true,
"siteConfig": {
"linuxFxVersion": "python|3.8"
}
},
"resources": [
{
"apiVersion": "2018-11-01",
"type": "config",
"name": "appsettings",
"dependsOn": [
"[concat('Microsoft.Web/sites/', variables('FunctionName'))]"
],
"properties": {
"FUNCTIONS_EXTENSION_VERSION": "~3",
"FUNCTIONS_WORKER_RUNTIME": "python",
"APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', variables('FunctionName')), '2015-05-01').InstrumentationKey]",
"APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', variables('FunctionName')), '2015-05-01').ConnectionString]",
"AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('FunctionName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]",
"WorkspaceID": "[parameters('WorkspaceID')]",
"WorkspaceKey": "[parameters('WorkspaceKey')]",
"InsightVMAPIKey": "[parameters('InsightVMAPIKey')]",
"InsightVMCloudRegion": "[parameters('InsightVMCloudRegion')]",
"logAnalyticsUri": "[variables('LogAnaltyicsUri')]",
"WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-InsightVMCloudAPI-functionapp"
}
}
]
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default/azure-webjobs-hosts')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('FunctionName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]"
],
"properties": {
"publicAccess": "None"
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default/azure-webjobs-secrets')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('FunctionName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]"
],
"properties": {
"publicAccess": "None"
}
},
{
"type": "Microsoft.Storage/storageAccounts/fileServices/shares",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default/', tolower(variables('FunctionName')))]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/fileServices', variables('FunctionName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]"
],
"properties": {
"shareQuota": 5120
}
}
]
}
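Review bot: The storage account resource is deployed with `networkAcls.defaultAction: "Allow"` and no `minimumTlsVersion` or `allowBlobPublicAccess` setting, even though it hosts the function's `azure-webjobs-secrets` container and the state-marker file share. Add `"minimumTlsVersion": "TLS1_2"` and `"allowBlobPublicAccess": false` under the storage account `properties` (both are supported by the `2019-06-01` API version used here), and consider a deny-by-default `networkAcls` once the function's outbound path is settled. The `WorkspaceKey` and `InsightVMAPIKey` parameters are typed `securestring` but land as plain application settings in the `appsettings` resource, readable by anyone with site configuration access; the connector's own instructions recommend Key Vault, so the template should at least document that these two settings are expected to be replaced with `@Microsoft.KeyVault(...)` references after deployment.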


@ -0,0 +1,15 @@
{
"version": "2.0",
"logging": {
"applicationInsights": {
"samplingSettings": {
"isEnabled": true,
"excludedTypes": "Request"
}
}
},
"extensionBundle": {
"id": "Microsoft.Azure.Functions.ExtensionBundle",
"version": "[1.*, 2.0.0)"
}
}


@ -0,0 +1,4 @@
{
"$schema": "http://json.schemastore.org/proxies",
"proxies": {}
}


@ -0,0 +1,7 @@
# DO NOT include azure-functions-worker in this file
# The Python Worker is managed by Azure Functions platform
# Manually managing azure-functions-worker may cause unexpected issues
azure-functions
requests
azure-storage-file-share==12.3.0
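Review bot: `azure-functions` and `requests` are left unpinned while `azure-storage-file-share` is pinned to `12.3.0`, so the deployed package is not reproducible and a new release of `requests` (or of the `urllib3` it vendors, whose `Retry` the connector imports via `requests.packages.urllib3`) can change behaviour on the next build without any change to this repository. Pin both to the versions the connector was tested with, and consider generating the file with hashes (`pip-compile --generate-hashes`) so the build also verifies package integrity.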


@ -0,0 +1,43 @@
// Usage Instruction :
// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias as InsightVMAssets.
// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. InsightVMAssets | take 10).
// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
let Insight_VM_assets_view = view () {
NexposeInsightVMCloud_assets_CL
| extend packed = pack(
"AssessedForPolicies", assessed_for_policies_b,
"AssessedForVulnerabilities", assessed_for_vulnerabilities_b,
"CredentialAssessments", credential_assessments_s,
"CriticalVulnerabilities", critical_vulnerabilities_d,
"Exploits", exploits_d,
"DvcHostname", host_name_s,
"AssetId", id_s,
"DvcIpAddr", ip_s,
"LastAssessedForVulnerabilities", last_assessed_for_vulnerabilities_t,
"LastScanEnd", last_scan_end_t,
"LastScanStart", last_scan_start_t,
"MalwareKits", malware_kits_d,
"ModerateVulnerabilities", moderate_vulnerabilities_d,
"DvcOsArch", os_architecture_s,
"DvcOsDesc", os_description_s,
"DvcOsFamily", os_family_s,
"DvcOs", os_name_s,
"DvcOsSysName", os_system_name_s,
"DvcOsType", os_type_s,
"DvcOsVendor", os_vendor_s,
"DvcModelNumber", os_version_s,
"RiskScore", risk_score_d,
"SevereVulnerabilitiesCount", severe_vulnerabilities_d,
"TotalVulnerabilitiesCount", total_vulnerabilities_d,
"Uid", unique_identifiers_s,
"VulnerabilitiesSolutions", same_s,
"DvcMacAddr", mac_s
)
| project TimeGenerated, packed
| evaluate bag_unpack(packed)
| extend
EventVendor="Rapid7",
EventProduct="Insight VM",
EventType="Assets"
};
Insight_VM_assets_view
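Review bot: Two target column names in the `pack()` call do not match what they hold: `DvcModelNumber` is filled from `os_version_s` (an OS version, not a device model), and `VulnerabilitiesSolutions` is filled from `same_s`, which the connector populates from the API's `same` array of vulnerability ids rather than from solutions. Consider `"DvcOsVersion", os_version_s` and a neutral name such as `"Vulnerabilities", same_s`, or state in the header comment why the current names were chosen. Renaming is a breaking change for any query already written against the function alias, so if it is done it should happen before the connector ships.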


@ -0,0 +1,62 @@
// Usage Instruction :
// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias as InsightVMVulnerabilities.
// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. InsightVMVulnerabilities| take 10).
// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
let Insight_VM_vulnerabilities_view = view () {
NexposeInsightVMCloud_vulnerabilities_CL
| extend packed = pack(
"AssetId", asset_id_s,
"DvcHostname", host_name_s,
"DvcIpAddr", ip_s,
"VulnDetailsAdded", vuln_details_added_t,
"VulnDetailsCategories", vuln_details_categories_s,
"VulnDetailsCves", vuln_details_cves_s,
"VulnDetailsCvssV2AccessComplexity", vuln_details_cvss_v2_access_complexity_s,
"VulnDetailsCvssV2AccessVector", vuln_details_cvss_v2_access_vector_s,
"VulnDetailsCvssV2Authentication", vuln_details_cvss_v2_authentication_s,
"VulnDetailsCvssV2AvailabilityImpact", vuln_details_cvss_v2_availability_impact_s,
"VulnDetailsCvssV2ConfidentialityImpact", vuln_details_cvss_v2_confidentiality_impact_s,
"VulnDetailsCvssV2ExploitScore", vuln_details_cvss_v2_exploit_score_d,
"VulnDetailsCvssV2ImpactScore", vuln_details_cvss_v2_impact_score_d,
"VulnDetailsCvssV2IntegrityImpact", vuln_details_cvss_v2_integrity_impact_s,
"VulnDetailsCvssV2Score", vuln_details_cvss_v2_score_d,
"VulnDetailsCvssV2Vector", vuln_details_cvss_v2_vector_s,
"VulnDetailsCvssV2AttackComplexity", vuln_details_cvss_v3_attack_complexity_s,
"VulnDetailsCvssV3AttackVector", vuln_details_cvss_v3_attack_vector_s,
"VulnDetailsCvssV3AvailabilityImpact", vuln_details_cvss_v3_availability_impact_s,
"VulnDetailsCvssV3ConfidentialityImpact", vuln_details_cvss_v3_confidentiality_impact_s,
"VulnDetailsCvssV3ExploitScore", vuln_details_cvss_v3_exploit_score_d,
"VulnDetailsCvssV3ImpactScore", vuln_details_cvss_v3_impact_score_d,
"VulnDetailsCvssV3IntegrityImpact", vuln_details_cvss_v3_integrity_impact_s,
"VulnDetailsCvssV3PrivilegesRequired", vuln_details_cvss_v3_privileges_required_s,
"VulnDetailsCvssV3Scope", vuln_details_cvss_v3_scope_s,
"VulnDetailsCvssV3Score", vuln_details_cvss_v3_score_d,
"VulnDetailsCvssV3UserInteraction", vuln_details_cvss_v3_user_interaction_s,
"VulnDetailsCvssV3Vector", vuln_details_cvss_v3_vector_s,
"VulnDetailsDenialOfService", vuln_details_denial_of_service_b,
"VulnDetailsDescription", vuln_details_description_s,
"VulnDetailsExploits", vuln_details_exploits_s,
"VulnDetailsId", vuln_details_id_s,
"VulnDetailsLinks", vuln_details_links_s,
"VulnDetailsMalwareKits", vuln_details_malware_kits_s,
"VulnDetailsModified", vuln_details_modified_t,
"VulnDetailsPciCvssScore", vuln_details_pci_cvss_score_d,
"VulnDetailsPciFail", vuln_details_pci_fail_b,
"VulnDetailsPciSeverityScore", vuln_details_pci_severity_score_d,
"VulnDetailsPciSpecialNotes", vuln_details_pci_special_notes_s,
"VulnDetailsPciStatus", vuln_details_pci_status_s,
"VulnDetailsPublished", vuln_details_published_t,
"VulnDetailsReferences", vuln_details_references_s,
"VulnDetailsRiskScore", vuln_details_risk_score_d,
"VulnDetailsSeverity", vuln_details_severity_s,
"VulnDetailsSeverityScore", vuln_details_severity_score_d,
"VulnDetailsTitle", vuln_details_title_s
)
| project TimeGenerated, packed
| evaluate bag_unpack(packed)
| extend
EventVendor="Rapid7",
EventProduct="Insight VM",
EventType="Vulnerabilities"
};
Insight_VM_vulnerabilities_view
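Review bot: The key `VulnDetailsCvssV2AttackComplexity` is paired with `vuln_details_cvss_v3_attack_complexity_s`; the source column is a CVSS v3 field and every neighbouring v3 field is named `VulnDetailsCvssV3...`, so this looks like a typo and should read `"VulnDetailsCvssV3AttackComplexity", vuln_details_cvss_v3_attack_complexity_s`. As written, a query filtering on the v3 attack complexity has to use a v2-named column, and there is no genuine v2 attack-complexity value to confuse it with (CVSS v2 calls it access complexity, which is already mapped separately).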