Package Creation- AlsidforAD
Родитель
b4963feacc
Коммит
c61dcce3c2
@ -57,7 +57,7 @@
|
|||
],
|
||||
"availability": {
|
||||
"status": 1,
|
||||
"isPreview": true
|
||||
"isPreview": false
|
||||
},
|
||||
"permissions": {
|
||||
"resourceProvider": [
|
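--- /dev/null
+++ b/<PATH-NOT-SHOWN-ON-PAGE>
@@ -0,0 +1,319 @@
+{
+"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+"handler": "Microsoft.Azure.CreateUIDef",
+"version": "0.1.2-preview",
+"parameters": {
+"config": {
+"isWizard": false,
+"basics": {
+"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Alsid.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe Alsid for AD solution for Microsoft Sentinel enables you to ingest VMWare ESXi logs into Microsoft Sentinel.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/en-us/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Agent-based log collection (Syslog)](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog)\r\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 2, **Analytic Rules:** 12\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+"subscription": {
+"resourceProviders": [
+"Microsoft.OperationsManagement/solutions",
+"Microsoft.OperationalInsights/workspaces/providers/alertRules",
+"Microsoft.Insights/workbooks",
+"Microsoft.Logic/workflows"
+]
+},
+"location": {
+"metadata": {
+"hidden": "Hiding location, we get it from the log analytics workspace"
+},
+"visible": false
+},
+"resourceGroup": {
+"allowExisting": true
+}
+}
+},
+"basics": [
+{
+"name": "getLAWorkspace",
+"type": "Microsoft.Solutions.ArmApiControl",
+"toolTip": "This filters by workspaces that exist in the Resource Group selected",
+"condition": "[greater(length(resourceGroup().name),0)]",
+"request": {
+"method": "GET",
+"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
+}
+},
+{
+"name": "workspace",
+"type": "Microsoft.Common.DropDown",
+"label": "Workspace",
+"placeholder": "Select a workspace",
+"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
+"constraints": {
+"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
+"required": true
+},
+"visible": true
+}
+],
+"steps": [
+{
+"name": "dataconnectors",
+"label": "Data Connectors",
+"bladeTitle": "Data Connectors",
+"elements": [
+{
+"name": "dataconnectors1-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "Alsid for Active Directory connector allows to export Alsid Indicators of Exposures, TrailFlow, and Indicators of Attacks logs to Microsoft Sentinel in real time. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+}
+},
+{
+"name": "dataconnectors-parser-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
+}
+},
+{
+"name": "dataconnectors-link2",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"link": {
+"label": "Learn more about connecting data sources",
+"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
+}
+}
+}
+]
+},
+{
+"name": "workbooks",
+"label": "Workbooks",
+"subLabel": {
+"preValidation": "Configure the workbooks",
+"postValidation": "Done"
+},
+"bladeTitle": "Workbooks",
+"elements": [
+{
+"name": "workbooks-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "This Microsoft Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Microsoft Sentinel and combine them into unified interactive experiences."
+}
+},
+{
+"name": "workbooks-link",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"link": {
+"label": "Learn more",
+"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
+}
+}
+}
+
+]
+},
+{
+"name": "analytics",
+"label": "Analytics",
+"subLabel": {
+"preValidation": "Configure the analytics",
+"postValidation": "Done"
+},
+"bladeTitle": "Analytics",
+"elements": [
+{
+"name": "analytics-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view."
+}
+},
+{
+"name": "analytics-link",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"link": {
+"label": "Learn more",
+"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
+}
+}
+},
+{
+"name": "analytic1",
+"type": "Microsoft.Common.Section",
+"label": "Alsid Active Directory attacks pathways",
+"elements": [
+{
+"name": "analytic1-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "Searches for triggered Indicators of Exposures related to Active Directory attacks pathways"
+}
+}
+]
+},
+{
+"name": "analytic2",
+"type": "Microsoft.Common.Section",
+"label": "Alsid DCShadow",
+"elements": [
+{
+"name": "analytic2-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "Searches for DCShadow attacks"
+}
+}
+]
+},
+{
+"name": "analytic3",
+"type": "Microsoft.Common.Section",
+"label": "Alsid DCSync",
+"elements": [
+{
+"name": "analytic3-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "Searches for DCSync attacks"
+}
+}
+]
+},
+{
+"name": "analytic4",
+"type": "Microsoft.Common.Section",
+"label": "Alsid Golden Ticket",
+"elements": [
+{
+"name": "analytic4-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "Searches for Golden Ticket attacks"
+}
+}
+]
+},
+{
+"name": "analytic5",
+"type": "Microsoft.Common.Section",
+"label": "Alsid Indicators of Attack",
+"elements": [
+{
+"name": "analytic5-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "Searches for triggered Indicators of Attack"
+}
+}
+]
+},
+{
+"name": "analytic6",
+"type": "Microsoft.Common.Section",
+"label": "Alsid Indicators of Exposures",
+"elements": [
+{
+"name": "analytic6-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "Searches for triggered Indicators of Exposures"
+}
+}
+]
+},
+{
+"name": "analytic7",
+"type": "Microsoft.Common.Section",
+"label": "Alsid LSASS Memory",
+"elements": [
+{
+"name": "analytic7-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "Searches for OS Credentials dumping attacks"
+}
+}
+]
+},
+{
+"name": "analytic8",
+"type": "Microsoft.Common.Section",
+"label": "Alsid Password Guessing",
+"elements": [
+{
+"name": "analytic8-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "Searches for bruteforce Password Guessing attacks"
+}
+}
+]
+},
+{
+"name": "analytic9",
+"type": "Microsoft.Common.Section",
+"label": "Alsid Password issues",
+"elements": [
+{
+"name": "analytic9-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "Searches for triggered Indicators of Exposures related to password issues"
+}
+}
+]
+},
+{
+"name": "analytic10",
+"type": "Microsoft.Common.Section",
+"label": "Alsid Password Spraying",
+"elements": [
+{
+"name": "analytic10-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "Searches for Password spraying attacks"
+}
+}
+]
+},
+{
+"name": "analytic11",
+"type": "Microsoft.Common.Section",
+"label": "Alsid privileged accounts issues",
+"elements": [
+{
+"name": "analytic11-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "Searches for triggered Indicators of Exposures related to privileged accounts issues"
+}
+}
+]
+},
+{
+"name": "analytic12",
+"type": "Microsoft.Common.Section",
+"label": "Alsid user accounts issues",
+"elements": [
+{
+"name": "analytic12-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "Searches for triggered Indicators of Exposures related to user accounts issues"
+}
+}
+]
+}
+]
+}
+],
+"outputs": {
+"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
+"location": "[location()]",
+"workspace": "[basics('workspace')]",
+"workbook1-name": "[steps('workbooks').workbook1.workbook1-name]",
+"workbook2-name": "[steps('workbooks').workbook2.workbook2-name]"
+}
+}
+}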
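Review bot: The two outputs at the end of the hunk, `"workbook1-name": "[steps('workbooks').workbook1.workbook1-name]"` and `"workbook2-name": "[steps('workbooks').workbook2.workbook2-name]"`, reference sections that the `workbooks` step does not define — its `elements` array holds only `workbooks-text` and `workbooks-link`, with no `workbook1`/`workbook2` sections or `-name` textboxes — so the outputs cannot resolve and whatever mainTemplate parameters they feed (not on this page) would receive no value at deployment. Either add the two workbook-name sections to the `workbooks` step or remove the two outputs, and drop the stray empty line left inside that step's `elements` array. The `basics.description` string also states the solution "enables you to ingest VMWare ESXi logs into Microsoft Sentinel", which reads as a copy-paste from another solution's UI definition and should describe this one, e.g. `The Alsid for AD solution for Microsoft Sentinel enables you to ingest Alsid Indicators of Exposures, TrailFlow and Indicators of Attack logs into Microsoft Sentinel.` The data-connector text block in the same hunk already describes the product correctly and can serve as the wording source.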
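--- /dev/null
+++ b/<PATH-NOT-SHOWN-ON-PAGE>
@@ -0,0 +1,19 @@
+{
+"publisherId": "azuresentinel",
+"offerId": "azure-sentinel-solution-isvtesting1",
+"firstPublishDate": "2022-05-02",
+"providers": ["Alsid"],
+"categories": {
+"domains" : ["Security - Threat Protection","Identity"],
+"verticals": []
+},
+"support": {
+"name": "Alsid",
+"tier": "Partner",
+"link": "https://www.alsid.com/contact-us/"
+}
+}
+
+
+
+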
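Review bot: `"offerId": "azure-sentinel-solution-isvtesting1"` reads as a test-publish placeholder rather than the offer identifier for this solution, and since the publisher/offer pair is what identifies the package once it is published, an accidental test value would be awkward to change afterwards; if it is intentional for a trial publish, a TODO next to it (or in the commit message) would make that explicit. The file also ends with four empty lines where a single trailing newline is the convention, and `"domains" :` has a stray space before the colon that the other keys do not.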
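--- /dev/null
+++ b/<PATH-NOT-SHOWN-ON-PAGE>
@@ -0,0 +1,36 @@
+{
+"Name": "Alsid For AD",
+"Author": "Microsoft - support@microsoft.com",
+"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Alsid.svg\" width=\"75px\" height=\"75px\">",
+"Description": "Alsid for Active Directory connector allows to export Alsid Indicators of Exposures, trailflow and Indicators of Attacks logs to Microsoft Sentinel in real time.",
+"Data Connectors": [
+"Data Connectors/AlsidForAD.json"
+],
+"Parsers": [
+"Parsers/afad_parser.kql"
+],
+"Workbooks": [
+"Workbooks/AlsidIoA.json",
+"Workbooks/AlsidIoE.json"
+],
+
+"Analytic Rules": [
+"Analytic Rules/ADAttacksPathways.yaml",
+"Analytic Rules/DCShadow.yaml",
+"Analytic Rules/DCSync.yaml",
+"Analytic Rules/GoldenTicket.yaml",
+"Analytic Rules/IndicatorsOfAttack.yaml",
+"Analytic Rules/IndicatorsOfExposures.yaml",
+"Analytic Rules/LSASSMemory.yaml",
+"Analytic Rules/PasswordGuessing.yaml",
+"Analytic Rules/PasswordIssues.yaml",
+"Analytic Rules/PasswordSpraying.yaml",
+"Analytic Rules/PrivilegedAccountIssues.yaml",
+"Analytic Rules/UserAccountIssues.yaml"
+],
+"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Alsid For AD",
+"Version": "2.0.0",
+"Metadata": "SolutionMetadata.json",
+"TemplateSpec": true,
+"Is1PConnector": false
+}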
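Review bot: `"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Alsid For AD"` is one developer's local checkout path, so anyone else re-running the packaging from this input file has to edit it first; every other path in the file is repository-relative, and a value that is not tied to a single machine (whatever form the packaging tool, which is not on this page, accepts) would keep the build reproducible. `"Author": "Microsoft - support@microsoft.com"` also disagrees with the metadata file in the same commit, which lists Alsid as the support contact with `"tier": "Partner"`; one of the two should be aligned so the listing does not name two different owners. Minor: `Description` spells `trailflow` in lowercase while the createUiDefinition text uses `TrailFlow`, and there is a stray empty line between the `Workbooks` and `Analytic Rules` arrays.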