Merge remote-tracking branch 'origin/master' into asim/fixing-qaws-errors

This commit is contained in:
github-actions[bot] 2022-06-16 10:50:47 +00:00
Родитель ce97aafd07 4f5b3bd3e4
Коммит c9f02c4152
50 изменённых файлов: 7901 добавлений и 20 удалений


@ -0,0 +1,49 @@
{
"name": "ZNAccessOrchestratorAuditNativePoller_CL",
"Properties": [
{
"Name": "timestamp_d",
"Type": "real"
},
{
"Name": "auditType_d",
"Type": "real"
},
{
"Name": "enforcementSource_d",
"Type": "real"
},
{
"Name": "userRole_d",
"Type": "real"
},
{
"Name": "destinationEntitiesList_s",
"Type": "string"
},
{
"Name": "details_s",
"Type": "string"
},
{
"Name": "reportedObjectId_g",
"Type": "string"
},
{
"Name": "performedBy_id_s",
"Type": "string"
},
{
"Name": "performedBy_name_s",
"Type": "string"
},
{
"Name": "performedBy_id_g",
"Type": "string"
},
{
"Name": "reportedObjectId_s",
"Type": "string"
}
]
}
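Review bot: `performedBy_id_s` / `performedBy_id_g` and `reportedObjectId_s` / `reportedObjectId_g` are the same logical field landed under two column types, which is what the Log Analytics Data Collector API produces when a value is sometimes GUID-shaped and sometimes not; any consumer must read both, e.g. `coalesce(performedBy_id_g, performedBy_id_s)`, or it will silently miss a fraction of events. The analytic rules in this commit query a `ZNAccessOrchestratorAudit` function rather than this table, so presumably that parser does the coalescing — it is not in this hunk, so verify. The second schema file in this commit (`ZNAccessOrchestratorAudit_CL`) is byte-identical to this one, so the same caveat applies there and the two must be kept in sync.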


@ -0,0 +1,49 @@
{
"name": "ZNAccessOrchestratorAudit_CL",
"Properties": [
{
"Name": "timestamp_d",
"Type": "real"
},
{
"Name": "auditType_d",
"Type": "real"
},
{
"Name": "enforcementSource_d",
"Type": "real"
},
{
"Name": "userRole_d",
"Type": "real"
},
{
"Name": "destinationEntitiesList_s",
"Type": "string"
},
{
"Name": "details_s",
"Type": "string"
},
{
"Name": "reportedObjectId_g",
"Type": "string"
},
{
"Name": "performedBy_id_s",
"Type": "string"
},
{
"Name": "performedBy_name_s",
"Type": "string"
},
{
"Name": "performedBy_id_g",
"Type": "string"
},
{
"Name": "reportedObjectId_s",
"Type": "string"
}
]
}

1
Logos/ZeroNetworks.svg Normal file

@ -0,0 +1 @@
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 180 180"><rect width="180" height="180" fill="#08084c"/><polygon points="121.01 54.78 81.46 54.78 63.86 72.89 92.28 72.89 59.02 107.11 59.02 125.22 121.01 125.22 121.01 107.11 87.76 107.11 121.01 72.89 121.01 54.78" fill="#fff"/><path d="M59,54.78H74.33L59,70.57Zm85,66.36a8,8,0,1,0-8,8,8,8,0,0,0,8-8" fill="#39ffbd"/></svg>



4
Logos/oracle_logo.svg Normal file

@ -0,0 +1,4 @@
<svg width="75" height="75" viewBox="0 0 75 75" fill="none" xmlns="http://www.w3.org/2000/svg">
<path d="M0 51.0053H75V23.5714H0V51.0053Z" fill="#E32124"/>
<path d="M65.3392 34.5458C65.3941 34.5458 65.4505 34.5458 65.4821 34.4895C65.4903 34.4661 65.4972 34.4414 65.4972 34.418C65.4972 34.3699 65.4738 34.3301 65.434 34.3067C65.3941 34.2902 65.3543 34.2902 65.2677 34.2902H65.2279V34.5376H65.3392V34.5458ZM65.2677 34.1556C65.3859 34.1556 65.4422 34.1556 65.4903 34.1789C65.6483 34.227 65.6648 34.3699 65.6648 34.418C65.6648 34.4263 65.6648 34.4579 65.6566 34.4895C65.6483 34.5211 65.6332 34.5857 65.5453 34.6406C65.5288 34.6489 65.5288 34.6489 65.5054 34.6571L65.7047 35.0226H65.5137L65.3392 34.6887H65.2279V35.0226H65.052V34.1556H65.2677ZM65.3392 35.3798C65.7679 35.3798 66.11 35.0308 66.11 34.609C66.11 34.1789 65.7679 33.8382 65.3392 33.8382C64.9174 33.8382 64.5752 34.1789 64.5752 34.609C64.5752 35.0308 64.9174 35.3798 65.3392 35.3798ZM64.7346 34.609C64.7346 34.2751 65.0053 33.9962 65.3392 33.9962C65.6799 33.9962 65.9506 34.2751 65.9506 34.609C65.9506 34.9347 65.6731 35.2136 65.3392 35.2136C65.0122 35.2136 64.7346 34.9347 64.7346 34.609ZM59.3745 39.5157C58.3577 39.5157 57.5058 38.8314 57.2434 37.9012H62.8742L63.6532 36.692H57.2365C57.4907 35.7618 58.3577 35.0707 59.3663 35.0707H63.2479L64.0187 33.8615H59.2797C57.3794 33.8615 55.8446 35.3963 55.8446 37.2884C55.8446 39.1818 57.3794 40.7152 59.2797 40.7152H63.351L64.1218 39.5074H59.3663L59.3745 39.5157ZM43.2407 40.7234C41.3486 40.7234 39.8138 39.1886 39.8138 37.2966C39.8138 35.4046 41.3486 33.8698 43.2407 33.8698H47.9797L47.2006 35.0776H43.3204C42.0961 35.0776 41.1027 36.0724 41.1027 37.2966C41.1027 38.5209 42.0961 39.5157 43.3204 39.5157H48.0759L47.2968 40.7234H43.2256H43.2407ZM18.1935 39.5157C19.4178 39.5157 20.4194 38.5209 20.4194 37.2966C20.4194 36.0724 19.426 35.0776 18.1935 35.0776H14.3847C13.1604 35.0776 12.1656 36.0724 12.1656 37.2966C12.1656 38.5209 13.1604 39.5157 14.3847 39.5157H18.1935ZM14.2968 40.7234C12.3965 40.7234 10.8617 39.1886 10.8617 37.2966C10.8617 35.4046 12.3965 33.8698 14.2968 33.8698H18.2814C20.1735 33.8698 21.7083 35.4046 21.7083 37.2966C21.7083 39.1886 
20.1735 40.7234 18.2814 40.7234H14.2968ZM28.1799 38.5058C29.4688 38.5058 30.502 37.4642 30.502 36.1836C30.502 34.9031 29.4688 33.8615 28.1799 33.8615H22.4076V40.7234H23.7281V35.0707H28.0934C28.6979 35.0707 29.1981 35.5708 29.1981 36.1836C29.1981 36.7951 28.6979 37.2884 28.0934 37.2884H24.3711L28.2995 40.7234H30.2162L27.5685 38.5058H28.1799ZM49.9995 39.5157V33.8698H48.6873V40.0721C48.6873 40.2466 48.7519 40.406 48.8783 40.5324C49.0061 40.652 49.1806 40.7317 49.3633 40.7317H55.383L56.162 39.5225H50.0078L49.9995 39.5157ZM33.8574 38.3065H37.3804L35.52 35.3084L32.1014 40.7317H30.5501L34.7011 34.227C34.8838 33.9646 35.1861 33.8052 35.52 33.8052C35.8374 33.8052 36.1397 33.9563 36.3224 34.2119L40.4899 40.7317H38.9317L38.1994 39.5225H34.6379L33.8574 38.3148V38.3065Z" fill="#FEFEFE"/>
</svg>




@ -1,25 +1,23 @@
# Jira-CreateAndUpdateIssue
# SNOW-CreateAndUpdateIncident
author: Benjamin Kovacevic
This playbook will create or update incident in Jira. When incident is created, playbook will run and create issue in Jira. When incident is updated, playbook will run and add update to comment section.
This playbook will create or update incident in SNOW. When incident is created, playbook will run and create incident in SNOW. When incident is updated, playbook will run and add update to comment section. When incident is closed, playbook will run and close incident in SNOW.
# Prerequisites
We will need following data to make Jira connector:<br>
1. Jira instance (ex. xyz.atlassian.net)<br>
2. Jira API (create API token on https://id.atlassian.com/manage-profile/security/api-tokens)<br>
3. User email<br>
![Jira connector requirements](./images/jira-connector-requirementsDark.png)<br>
1. SNOW instance (ex. xyz.service-now.com)
2. Username
3. Password
![SNOW connector requirements](./images/SNOW-connector-requirementsDark.png)<br>
# Quick Deployment
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FJira-CreateAndUpdateIssue%2Fazuredeploy.json)
[![Deploy to Azure Gov](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FJira-CreateAndUpdateIssue%2Fazuredeploy.json)
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSNOW-CreateAndUpdateIssue%2Fazuredeploy.json)
[![Deploy to Azure Gov](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSNOW-CreateAndUpdateIssue%2Fazuredeploy.json)
<br><br>
# Post-deployment
1. Authorize Jira connector and choose:
- Jira Project (where you want to sync Microsoft Sentinel incidents to) and
- Issue Type Id (Microsoft Sentinel incident issue type in Jira - Task, Story, Bug,...).<br>
1. Authorize SNOW connector
2. Assign Microsoft Sentinel Responder role to playbook's managed identity. To do so, choose Identity blade under Settings of the Logic App.
3. Add playbook as an action to the automation rule, ex.:
- Trigger = When incident is updated;
@ -30,11 +28,14 @@ We will need following data to make Jira connector:<br>
# Screenshots
**Playbook** <br>
![playbook screenshot](./images/JiraPlaybookDark.jpg)<br>
![playbook screenshot](./images/JiraPlaybookLight.jpg)<br><br>
![playbook screenshot](./images/SnowPlaybookDark.jpg)<br>
![playbook screenshot](./images/SnowPlaybookLight.jpg)<br><br>
**Jira New Issue** <br>
![jira screenshot new](./images/JiraNewIssue.jpg)<br><br>
**SNOW New Incident** <br>
![snow screenshot new](./images/SNOWNewIncident.jpg)<br><br>
**Jira Update Issue** <br>
![jira screenshot update](./images/JiraUpdateIssue.jpg)<br>
**SNOW Update Incident** <br>
![snow screenshot update](./images/SNOWTagAdded.jpg)<br>
**SNOW Incident closed** <br>
![snow screenshot closed](./images/SNOWIncidentClosed.jpg)<br><br>



@ -15,9 +15,9 @@ funcUrl=https://$funcName.azurewebsites.net
#az login --tenant $tenantId
# register a new AAD app, and configure it
appId=$(az ad app create --display-name $appName --available-to-other-tenants false --homepage $funcUrl --query appId | sed 's/.\(.*\)/\1/' | sed 's/\(.*\)./\1/')
appId=$(az ad app create --display-name $appName --web-home-page-url $funcUrl --sign-in-audience AzureADMyOrg --query appId | sed 's/.\(.*\)/\1/' | sed 's/\(.*\)./\1/')
secret=$(az ad app credential reset --id $appId --append --query password | sed 's/.\(.*\)/\1/' | sed 's/\(.*\)./\1/')
objId=$(az ad app show --id $appId --query objectId | sed 's/.\(.*\)/\1/' | sed 's/\(.*\)./\1/')
objId=$(az ad app show --id $appId --query id | sed 's/.\(.*\)/\1/' | sed 's/\(.*\)./\1/')
az rest --method PATCH --uri "https://graph.microsoft.com/v1.0/applications/$objId" --headers 'Content-Type=application/json' --body "{\"web\":{\"redirectUris\":[\"$funcUrl/.auth/login/aad/callback\"]}}"
az rest --method PATCH --uri "https://graph.microsoft.com/v1.0/applications/$objId" --headers 'Content-Type=application/json' --body '{ "requiredResourceAccess": [ { "resourceAppId":"cfa8b339-82a2-471a-a3c9-0fc0be7a4093", "resourceAccess": [ { "id": "f53da476-18e3-4152-8e01-aec403e6edc0", "type": "Scope" } ] }, { "resourceAppId":"00000003-0000-0000-c000-000000000000", "resourceAccess": [ { "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "type": "Scope" } ] } ]}'
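Review bot: The new `az ad app create` and `az ad app show` lines still strip the JSON quotes with two `sed` passes, which silently corrupts the value if the CLI returns an unquoted or multi-line result; `--output tsv` yields the bare value directly, e.g. `appId=$(az ad app create --display-name "$appName" --web-home-page-url "$funcUrl" --sign-in-audience AzureADMyOrg --query appId --output tsv)` and `objId=$(az ad app show --id "$appId" --query id --output tsv)`. Quoting `$appName` and `$funcUrl` matters here as well, since a display name containing a space would otherwise be split into extra arguments. The `credential reset` line is unchanged context, but note that it leaves the client secret in a shell variable with the CLI's default expiry (no `--years`/`--end-date`); the enclosing script continues beyond this hunk, so where that secret is stored afterwards is not visible here.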


@ -17,7 +17,7 @@ query: |
OracleDatabaseAuditEvent
| where TimeGenerated between (ago(lbtime_30d) .. ago(lbtime_1d))
| where isnotempty(Privilege) and isnotempty(DstUserName)
| summarize Privileges = makeset(Privilege) by DstUserName;
| summarize Privileges = makeset(Privilege) by DstUserName
| join (OracleDatabaseAuditEvent
| where TimeGenerated > ago(lbtime_1d)
| where isnotempty(DstUserName) and isnotempty(Privilege)
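Review bot: `makeset()` on the retained summarize line is the legacy spelling; Kusto documents `make_set()` as the current function, so while touching this line write `| summarize Privileges = make_set(Privilege) by DstUserName`. The `join` that follows gives no `kind=`, so it defaults to `innerunique`; the left side is already unique per `DstUserName` so the result is the same today, but `| join kind=inner (` states the intent and survives later edits to the left side. The `on` clause and the `lbtime_*` definitions are outside this hunk.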


@ -0,0 +1,115 @@
DATE 20220425 094040
RELEASE 752
LOADED_AGRS /MSFTSEN/SENTINEL_CONNECTOR
AGR_DEFINE 001/MSFTSEN/SENTINEL_CONNECTOR SENTINEL 20210419114207000000000000000SENTINEL 20220222102001000000000000000
AGR_1250 001/MSFTSEN/SENTINEL_CONNECTOR 000001S_ADMI_FCDT-NL31000500 U O000010
AGR_1250 001/MSFTSEN/SENTINEL_CONNECTOR 000002S_APPL_LOGT-NL31000500 U O000000
AGR_1250 001/MSFTSEN/SENTINEL_CONNECTOR 000003S_RFC T-NL31000500 U O000004
AGR_1250 001/MSFTSEN/SENTINEL_CONNECTOR 000004S_SAL T-NL31000500 U O000000
AGR_1250 001/MSFTSEN/SENTINEL_CONNECTOR 000005S_SCD0_OBJT-NL31000500 U O000000
AGR_1250 001/MSFTSEN/SENTINEL_CONNECTOR 000006S_TABU_NAMT-NL31000500 U O000000
AGR_1250 001/MSFTSEN/SENTINEL_CONNECTOR 000007S_TCODE T-NL31000500 U O000000
AGR_1250 001/MSFTSEN/SENTINEL_CONNECTOR 000008S_TRANSPRTT-NL31000500 U O000000
AGR_1250 001/MSFTSEN/SENTINEL_CONNECTOR 000009S_USER_GRPT-NL31000500 U O000013
AGR_1250 001/MSFTSEN/SENTINEL_CONNECTOR 000010S_USER_GRPT-NL31000501 U O000000
AGR_1250 001/MSFTSEN/SENTINEL_CONNECTOR 000011S_WF_WI T-NL31000500 U O000000
AGR_1250 001/MSFTSEN/SENTINEL_CONNECTOR 000012S_XMI_PRODT-NL31000500 U O000017
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000001S_ADMI_FCDT-NL31000500 S_ADMI_FCDAUDD U O000011
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000002S_RFC T-NL31000500 ACTVT 16 U O000005
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000003S_RFC T-NL31000500 RFC_NAME ARFC U O000006
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000004S_RFC T-NL31000500 RFC_NAME SYST U O000006
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000005S_RFC T-NL31000500 RFC_NAME RFC1 U O000006
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000006S_RFC T-NL31000500 RFC_NAME SALX U O000006
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000007S_RFC T-NL31000500 RFC_NAME SDIFRUNTIME U O000006
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000008S_RFC T-NL31000500 RFC_NAME SMOI U O000006
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000009S_RFC T-NL31000500 RFC_NAME SU_USER U O000006
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000010S_RFC T-NL31000500 RFC_NAME SXMI U O000006
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000011S_RFC T-NL31000500 RFC_TYPE FUGR U O000007
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000012S_USER_GRPT-NL31000500 ACTVT 03 U O000014
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000013S_USER_GRPT-NL31000500 CLASS * U O000015
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000014S_XMI_PRODT-NL31000500 EXTCOMPANYMicrosoft U O000018
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000015S_XMI_PRODT-NL31000500 EXTPRODUCTAzure Sentinel U O000019
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000016S_XMI_PRODT-NL31000500 INTERFACE XAL U O000020
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000017S_XMI_PRODT-NL31000500 INTERFACE XBP U O000020
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000018S_RFC T-NL31000500 RFC_NAME SXBP U O000006
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000019S_RFC T-NL31000500 RFC_NAME ZSENTINEL* U O000006
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000020S_RFC T-NL31000500 RFC_NAME SXBP_EXT U O000006
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000021S_APPL_LOGT-NL31000500 ACTVT 03 U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000022S_APPL_LOGT-NL31000500 ALG_OBJECT* U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000023S_APPL_LOGT-NL31000500 ALG_SUBOBJ* U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000024S_RFC T-NL31000500 RFC_NAME /OSP/SYSTEM_TIMEZONE U O000006
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000025S_RFC T-NL31000500 RFC_NAME SWRR U O000006
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000026S_RFC T-NL31000500 RFC_NAME CTS_API U O000006
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000027S_TRANSPRTT-NL31000500 TTYPE * U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000028S_TRANSPRTT-NL31000500 ACTVT 03 U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000029S_TABU_NAMT-NL31000500 ACTVT 03 U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000030S_TABU_NAMT-NL31000500 TABLE BALHDR U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000031S_TABU_NAMT-NL31000500 TABLE CDHDR U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000032S_RFC T-NL31000500 RFC_NAME RFC_SYSTEM_INFO U O000006
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000033S_TABU_NAMT-NL31000500 TABLE ADR6 U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000034S_RFC T-NL31000500 RFC_TYPE FUNC U O000007
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000035S_RFC T-NL31000500 RFC_NAME STFC U O000006
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000036S_RFC T-NL31000500 RFC_NAME TH_SERVER_LIST U O000006
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000037S_TCODE T-NL31000500 TCD SM51 U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000038S_RFC T-NL31000500 RFC_NAME /MSFTSEN/* U O000006
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000039S_ADMI_FCDT-NL31000500 S_ADMI_FCDSPOS U O000011
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000040S_WF_WI T-NL31000500 WI_TYPE * U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000041S_WF_WI T-NL31000500 WFACTVT 44 U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000042S_WF_WI T-NL31000500 TASK_CLASS* U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000043S_SCD0_OBJT-NL31000500 OBJECTCLAS* U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000044S_SCD0_OBJT-NL31000500 ACTVT 08 U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000045S_RFC T-NL31000500 RFC_NAME RFC_READ_TABLE U O000006
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000046S_TABU_NAMT-NL31000500 TABLE UST04 U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000047S_TABU_NAMT-NL31000500 TABLE USR41 U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000048S_TABU_NAMT-NL31000500 TABLE USR21 U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000049S_TABU_NAMT-NL31000500 TABLE USR02 U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000050S_TABU_NAMT-NL31000500 TABLE USR01 U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000051S_TABU_NAMT-NL31000500 TABLE AGR_1251 U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000052S_TABU_NAMT-NL31000500 TABLE AGR_DEFINE U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000053S_TABU_NAMT-NL31000500 TABLE AGR_PROF U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000054S_TABU_NAMT-NL31000500 TABLE AGR_TCODES U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000055S_TABU_NAMT-NL31000500 TABLE AGR_USERS U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000056S_TABU_NAMT-NL31000500 TABLE DBTABLOG U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000057S_TABU_NAMT-NL31000500 TABLE DEVACCESS U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000058S_TABU_NAMT-NL31000500 TABLE PAHI U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000059S_TABU_NAMT-NL31000500 TABLE RSAUFILES U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000060S_TABU_NAMT-NL31000500 TABLE SACF_ALERT U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000061S_TABU_NAMT-NL31000500 TABLE SOUD U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000062S_TABU_NAMT-NL31000500 TABLE USER_ADDR U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000063S_TABU_NAMT-NL31000500 TABLE USGRP_USER U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000064S_RFC T-NL31000500 RFC_NAME SAP_WAPI_READ_CONTAINER U O000006
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000065S_RFC T-NL31000500 RFC_NAME RFC_GET_FUNCTION_INTERFACE U O000006
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000066S_RFC T-NL31000500 RFC_NAME RFCPING U O000006
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000067S_RFC T-NL31000500 RFC_NAME DDIF_FIELDINFO_GET U O000006
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000068S_RFC T-NL31000500 RFC_NAME CTS_API_READ_CHANGE_REQUEST U O000006
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000069S_RFC T-NL31000500 RFC_NAME BAPI_XMI_LOGON U O000006
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000070S_RFC T-NL31000500 RFC_NAME BAPI_XMI_LOGOFF U O000006
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000071S_RFC T-NL31000500 RFC_NAME BAPI_XBP_JOB_JOBLOG_READ U O000006
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000072S_RFC T-NL31000500 RFC_NAME BAPI_XBP_APPL_LOG_CONTENT_GET U O000006
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000073S_RFC T-NL31000500 RFC_NAME BAPI_USER_GET_DETAIL U O000006
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000074S_SAL T-NL31000500 SAL_ACTVT SHOW_LOG U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000075S_USER_GRPT-NL31000501 CLASS SUPER U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000076S_USER_GRPT-NL31000501 ACTVT 05 U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000077S_TABU_NAMT-NL31000500 TABLE CDPOS U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000078S_TABU_NAMT-NL31000500 TABLE E070 U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000079S_TABU_NAMT-NL31000500 TABLE SWWLOGHIST U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000080S_TABU_NAMT-NL31000500 TABLE SWWWIHEAD U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000081S_TABU_NAMT-NL31000500 TABLE TBTCO U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000082S_TABU_NAMT-NL31000500 TABLE TSP01 U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000083S_RFC T-NL31000500 RFC_NAME BAPI_XMI_SET_AUDITLEVEL U O000006
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000084S_TABU_NAMT-NL31000500 TABLE ADCP U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000085S_TABU_NAMT-NL31000500 TABLE AGR_AGRS U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000086S_TABU_NAMT-NL31000500 TABLE USR05 U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000087S_TABU_NAMT-NL31000500 TABLE USRSTAMP U O000000
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000088S_RFC T-NL31000500 RFC_NAME SUSR_USER_AUTH_FOR_OBJ_GET U O000006
AGR_1251 001/MSFTSEN/SENTINEL_CONNECTOR 000089S_TABU_NAMT-NL31000500 TABLE AGR_FLAGS U O000000
AGR_TEXTS 001/MSFTSEN/SENTINEL_CONNECTOR E00000Required Authorizations for Sentinel
AGR_FLAGS 001/MSFTSEN/SENTINEL_CONNECTOR COLL_AGR SENTINEL 20210419114207SENTINEL 20210419114207
AGR_FLAGS 001/MSFTSEN/SENTINEL_CONNECTOR DEVCLASS SENTINEL 20210419114207SENTINEL 20210419114207
AGR_FLAGS 001/MSFTSEN/SENTINEL_CONNECTOR FORCE_MIX SENTINEL 20210419114207SENTINEL 20220222102000
AGR_FLAGS 001/MSFTSEN/SENTINEL_CONNECTOR FORCE_YEL SENTINEL 20210419114617SENTINEL 20220222102001
AGR_FLAGS 001/MSFTSEN/SENTINEL_CONNECTOR MASTER_LANSENTINEL 20210419114207SENTINEL 20210419114207E
AGR_FLAGS 001/MSFTSEN/SENTINEL_CONNECTOR RESP_USER SENTINEL 20210419114207SENTINEL 20210419114207
AGR_FLAGS 001/MSFTSEN/SENTINEL_CONNECTOR SAP_SOURCESENTINEL 20210419114207SENTINEL 20210419114207ZSENTINEL_CONNECTOR
AGR_TIME 001/MSFTSEN/SENTINEL_CONNECTOR PROFILE SENTINEL 20210419114207000000000000000SENTINEL 20220222102000000000000000000
AGR_LSD 001/MSFTSEN/SENTINEL_CONNECTOR E
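Review bot: The role grants `S_TABU_NAM ACTVT 03` on `USR02` together with `S_RFC` on `RFC_READ_TABLE`, and `S_TABU_NAM` cannot restrict columns, so the connector user can read the password-hash fields of `USR02` (and the developer keys in `DEVACCESS`) via generic table read; if only lock/logon status is needed, confirm the ingestion code projects those fields and protect the RFC user's credentials as you would any account that can dump `USR02`. The second `S_USER_GRP` instance (`T-NL31000501`) grants `ACTVT 05` on `CLASS SUPER`, which is lock/unlock rather than display, so this role is not read-only; if that is intended for a response playbook, say so in `AGR_TEXTS` (currently just `Required Authorizations for Sentinel`) or split it into a separate role that only the playbook identity receives. The `S_RFC RFC_NAME` wildcards `ZSENTINEL*` and `/MSFTSEN/*` also cover any future function module in those namespaces, which is acceptable for a vendor namespace but worth stating explicitly.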


@ -0,0 +1,34 @@
id: a4ce12ca-d01d-460a-b15e-6c74ef328b82
name: ZN Access Orchestrator - Machine Removed from protection
description: |
'Detects when a machine is removed from protection.'
severity: High
requiredDataConnectors:
- connectorId: ZeroNetworksAccessOrchestratorAuditFunction
dataTypes:
- ZNAccessOrchestratorAudit_CL
- connectorId: ZeroNetworksAccessOrchestratorAuditNativePoller
dataTypes:
- ZNAccessOrchestratorAuditNativePoller_CL
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: gt
triggerThreshold: 0
tactics:
- DefenseEvasion
relevantTechniques:
- T1562
query: |
ZNAccessOrchestratorAudit
| where AuditTypeId == 4
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: PerformedByName
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: DestinationEntityName
version: 1.0.0
kind: Scheduled
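Review bot: `AuditTypeId == 4` is a bare magic number; the sibling JIT rule in this commit states its code in the description, so do the same here, `'Detects when a machine is removed from protection (Audit Type Id 4).'`, and annotate the query, `| where AuditTypeId == 4 // machine removed from protection`. The query never projects `DestinationEntityName` or `PerformedByName`, so the Host and Account mappings depend on the `ZNAccessOrchestratorAudit` parser exposing both columns; that parser is not in this hunk, so confirm it does, otherwise the rule fires with empty entities.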


@ -0,0 +1,30 @@
id: 603a6b18-b54a-43b7-bb61-d2b0b47d224a
name: ZN Access Orchestrator - New API Token created
description: |
'Detects when a api token has been created.'
severity: Low
requiredDataConnectors:
- connectorId: ZeroNetworksAccessOrchestratorAuditFunction
dataTypes:
- ZNAccessOrchestratorAudit_CL
- connectorId: ZeroNetworksAccessOrchestratorAuditNativePoller
dataTypes:
- ZNAccessOrchestratorAuditNativePoller_CL
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: gt
triggerThreshold: 0
tactics:
- CredentialAccess
relevantTechniques:
- T1528
query: |
ZNAccessOrchestratorAudit
| where AuditTypeId == 25
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: PerformedByName
version: 1.0.0
kind: Scheduled
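Review bot: The ATT&CK mapping does not match the behaviour: T1528 (Steal Application Access Token) describes theft of an existing token, while this rule fires on creation of a new API token (`AuditTypeId == 25`), which maps more naturally to Persistence / T1098 (Account Manipulation, additional credentials); change it or justify the choice in the description. The description also needs `'Detects when an API token has been created (Audit Type Id 25).'` in place of `'Detects when a api token has been created.'`. Only the Account entity is mapped; if the parser exposes the token's details or destination, mapping them would help triage — hedged, since the parser is not in this hunk.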


@ -0,0 +1,51 @@
id: 58688058-68b2-4b39-8009-ac6dc4d81ea1
name: ZN Access Orchestrator - Rare JIT Rule Creation
description: |
'Identifies when a JIT Rule connection is new or rare by a given account today based on comparison with the previous 14 days.
JIT Rule creations are indicated by the Activity Type Id 20'
severity: Medium
requiredDataConnectors:
- connectorId: ZeroNetworksAccessOrchestratorAuditFunction
dataTypes:
- ZNAccessOrchestratorAudit_CL
- connectorId: ZeroNetworksAccessOrchestratorAuditNativePoller
dataTypes:
- ZNAccessOrchestratorAuditNativePoller_CL
queryFrequency: 1d
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
- LateralMovement
relevantTechniques:
- T1021
query: |
let starttime = 14d;
let endtime = 1d;
ZNAccessOrchestratorAudit
| where TimeGenerated >= ago(endtime)
| where AuditTypeId == 20
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()
by PerformedByName, tostring(DestinationEntityName)
// use left anti to exclude anything from the previous 14 days that is not rare
| join kind=leftanti (
ZNAccessOrchestratorAudit
| where TimeGenerated between (ago(starttime) .. ago(endtime))
| where AuditTypeId == 20
| summarize by tostring(DestinationEntityName)
) on DestinationEntityName
| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount)
by PerformedByName, DestinationEntityName
| extend TimeGenerated = StartTime
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: PerformedByName
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: DestinationEntityName
version: 1.0.0
kind: Scheduled
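Review bot: The description promises rarity "by a given account", but the baseline is summarized only `by tostring(DestinationEntityName)` and the left-anti join is `on DestinationEntityName`, so a destination that any account has used in the prior 14 days is never flagged, even when a different account creates a JIT rule to it for the first time. If per-account rarity is the intent, baseline on both keys, `| summarize by PerformedByName, tostring(DestinationEntityName)` and `) on PerformedByName, DestinationEntityName`; if destination-only rarity is intended, reword the description. The trailing second `summarize` regroups on exactly the keys of the first and adds nothing after a `leftanti` join, which cannot duplicate rows. `let starttime = 14d;` also duplicates `queryPeriod: 14d`; keep the two in step when either changes.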


@ -0,0 +1,11 @@
{
"bindings": [
{
"type": "timerTrigger",
"name": "Timer",
"schedule": "0 */5 * * * *",
"direction": "in"
}
],
"disabled": false
}


@ -0,0 +1,151 @@
<#
Title: Azure Function App Zero Networks Access Orchestrator Audit API Ingestion to Azure Sentinel
Language: PowerShell
Version: 1.0
Last Modified: 3/8/2022
Comment: Inital Release
DESCRIPTION: The following PowerShell Function App code is a generic data connector to pull logs from your Zero Networks Access Orchestrator Audit API, transform the data logs into a Azure Sentinel acceptable format (JSON) and POST the logs to the
Azure Sentinel workspace using the Azure Log Analytics Data Collector API. Use this generic template and replace with specific code needed to authenticate to the Zero Networks Access Orchestrator Audit API and format the data received into JSON format.
#>
# Azure Function App Defaults:
# Input bindings are passed in via param block.
param($Timer)
# Get the current universal time in the default string format
$currentUTCtime = (Get-Date).ToUniversalTime()
# The 'IsPastDue' property is 'true' when the current function invocation is later than scheduled.
if ($Timer.IsPastDue) {
Write-Host "PowerShell timer is running late! $($Timer.ScheduledStatus.Last)"
}
# Define the application settings (environmental variables) for the Workspace ID, Workspace Key, Zero Networks Access Orchestrator Audit API Key(s) or Token, URI, and/or Other variables. Reference (https://docs.microsoft.com/azure/azure-functions/functions-reference-powershell#environment-variables)for more information
$apiToken = $env:apiToken
$uri = $env:uri
# The following variables are required by the Log Analytics Data Collector API functions below
$CustomerId = $env:workspaceId
$SharedKey = $env:workspaceKey
$TimeStampField = $env:TimeStampField
$LogType = $env:tableName
$logAnalyticsUri = $env:logAnalyticsUri
if ([string]::IsNullOrEmpty($logAnalyticsUri))
{
$logAnalyticsUri = "https://" + $customerId + ".ods.opinsights.azure.com"
}
# Returning if the Log Analytics Uri is in incorrect format.
# Sample format supported: https://" + $customerId + ".ods.opinsights.azure.com
if($logAnalyticsUri -notmatch 'https:\/\/([\w\-]+)\.ods\.opinsights\.azure.([a-zA-Z\.]+)$')
{
throw "Invalid Log Analytics Uri."
}
#Build Headers
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Authorization", $apiToken)
#Get the data
$now = (Get-Date).ToUniversalTime()
$nowCursor = ([DateTimeOffset]$now).ToUnixTimeMilliseconds()
$ago = (Get-Date).AddMinutes(-5).ToUniversalTime()
$agoCursor = ([DateTimeOffset]$ago).ToUnixTimeMilliseconds()
$url = $uri + "?_limit=400&order=desc&from=$agoCursor&to=$nowCursor"
$response = $null
$response = Invoke-RestMethod $url -Method 'GET' -Headers $headers
If($response.items.Count -ne 0){
$allItems += $response.items
[int64]$cursor = $response.scrollCursor
$Logging = "Count: "+($response.Count)+" Items:"+$allItems.Count+" Cursor:"+$cursor+" AgoCursor:"+$agoCursor+" Delta:"+($agoCursor-$cursor)
Write-Host $Logging
do {
$url = $uri + "?_limit=400&order=desc&from=$agoCursor&to=$nowCursor&_cursor=$cursor"
$response = Invoke-RestMethod $url -Method 'GET' -Headers $headers
$allItems += $response.items
[int64]$cursor = $response.scrollCursor
$Logging = "Count: "+($response.Count)+" Items:"+$allItems.Count+" Cursor:"+$cursor+" AgoCursor:"+$agoCursor+" Delta:"+($agoCursor-$cursor)
Write-Host $Logging
} until ($response.scrollCursor -eq "")
$json = $allItems | ConvertTo-Json -Compress -Depth 10
}
else {
Write-host "No new Audit logs"
}
# Required Function to build the Authorization signature for the Azure Log Analytics Data Collector API. Reference: https://docs.microsoft.com/azure/azure-monitor/platform/data-collector-api
Function Build-Signature ($customerId, $sharedKey, $date, $contentLength, $method, $contentType, $resource)
{
$xHeaders = "x-ms-date:" + $date
$stringToHash = $method + "`n" + $contentLength + "`n" + $contentType + "`n" + $xHeaders + "`n" + $resource
$bytesToHash = [Text.Encoding]::UTF8.GetBytes($stringToHash)
$keyBytes = [Convert]::FromBase64String($sharedKey)
$sha256 = New-Object System.Security.Cryptography.HMACSHA256
$sha256.Key = $keyBytes
$calculatedHash = $sha256.ComputeHash($bytesToHash)
$encodedHash = [Convert]::ToBase64String($calculatedHash)
$authorization = 'SharedKey {0}:{1}' -f $customerId,$encodedHash
# Dispose SHA256 from heap before return.
$sha256.Dispose()
return $authorization
}
# Required Function to create and invoke an API POST request to the Azure Log Analytics Data Collector API. References: https://docs.microsoft.com/azure/azure-monitor/platform/data-collector-api and https://docs.microsoft.com/azure/azure-functions/functions-reference-powershell#environment-variables
Function Post-LogAnalyticsData($customerId, $sharedKey, $body, $logType)
{
$method = "POST"
$contentType = "application/json"
$resource = "/api/logs"
$rfc1123date = [DateTime]::UtcNow.ToString("r")
$contentLength = $body.Length
$signature = Build-Signature `
-customerId $customerId `
-sharedKey $sharedKey `
-date $rfc1123date `
-contentLength $contentLength `
-method $method `
-contentType $contentType `
-resource $resource
$logAnalyticsUri = $logAnalyticsUri + $resource + "?api-version=2016-04-01"
$headers = @{
"Authorization" = $signature;
"Log-Type" = $logType;
"x-ms-date" = $rfc1123date;
"time-generated-field" = $TimeStampField;
}
try {
$response = Invoke-WebRequest -Uri $logAnalyticsUri -Method $method -ContentType $contentType -Headers $headers -Body $body -UseBasicParsing
}
catch {
Write-Error "Error during sending logs to Azure Sentinel: $_.Exception.Message"
# Exit out of context
Exit
}
if ($response.StatusCode -eq 200) {
Write-Host "Logs have been successfully sent to Azure Sentinel."
}
else {
Write-Host "Error during sending logs to Azure Sentinel. Response code : $response.StatusCode"
}
return $response.StatusCode
}
if($json.Length -gt 0) {
Post-LogAnalyticsData -customerId $customerId -sharedKey $sharedKey -body ([System.Text.Encoding]::UTF8.GetBytes($json)) -logType $LogType
}
else {
Write-Output "No records were found."
}
# Write an information log with the current time.
Write-Host "PowerShell timer trigger function ran! TIME: $currentUTCtime"
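Review bot: Each run pulls a fixed wall-clock window from `(Get-Date).AddMinutes(-5)` to now, and the only handling of `$Timer.IsPastDue` is a log line, so any late, failed or restarted invocation drops the events that fell outside its window and there is no persisted cursor to resume from; persist the last `$nowCursor` (a storage table or blob) and use it as `from`, falling back to `$Timer.ScheduledStatus.Last` when none exists. Two smaller defects: `"... $_.Exception.Message"` and `"... $response.StatusCode"` expand only `$_` / `$response` and print the literal `.Exception.Message` / `.StatusCode` text, so they need `$($_.Exception.Message)` and `$($response.StatusCode)`; and `Exit` in the catch block tears down the Functions runspace instead of failing the invocation — `throw` is the conventional way to surface the error. The paging loop appends every page into `$allItems` and posts once with no chunking against the Data Collector API's per-request size limit (about 30 MB), and `until ($response.scrollCursor -eq "")` never terminates if the API signals the last page by omitting the field, because `$null -eq ""` is false in PowerShell — both inferred from the visible code, so verify against the Zero Networks API's actual behaviour. The API token and workspace key are read from plain app settings; Key Vault references (`@Microsoft.KeyVault(...)`) keep them out of the portal's configuration view without changing this code.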


@ -0,0 +1,10 @@
{
"version": "2.0",
"managedDependency": {
"Enabled": true
},
"extensionBundle": {
"id": "Microsoft.Azure.Functions.ExtensionBundle",
"version": "[1.*, 2.0.0)"
}
}
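Review bot: The extension bundle range `[1.*, 2.0.0)` is the legacy v1 bundle; PowerShell functions target Functions runtime 3.x/4.x, for which Microsoft recommends `[2.*, 3.0.0)` or `[4.*, 5.0.0)` respectively and v1 no longer receives updates — confirm the deployed runtime and bump the range to match. Since run.ps1 pages through the audit API in a loop before a single POST, also consider an explicit `"functionTimeout"`, because the Consumption-plan default of five minutes equals the timer interval and a slow run killed at the timeout loses its whole window before anything is posted.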


@ -0,0 +1,20 @@
# Azure Functions profile.ps1
#
# This profile.ps1 will get executed every "cold start" of your Function App.
# "cold start" occurs when:
#
# * A Function App starts up for the very first time
# * A Function App starts up after being de-allocated due to inactivity
#
# You can define helper functions, run commands, or specify environment variables
# NOTE: any variables defined that are not environment variables will get reset after the first execution
# Authenticate with Azure PowerShell using MSI.
# Remove this if you are not planning on using MSI or Azure PowerShell.
if ($env:MSI_SECRET -and (Get-Module -ListAvailable Az.Accounts)) {
    Connect-AzAccount -Identity
}
# Uncomment the next line to enable legacy AzureRm alias in Azure PowerShell.
# Enable-AzureRmAlias
# You can also define functions or aliases that can be referenced in any of your PowerShell functions.


@ -0,0 +1,7 @@
# This file enables modules to be automatically managed by the Functions service.
# See https://aka.ms/functionsmanageddependency for additional information.
#
@{
# For latest supported version, go to 'https://www.powershellgallery.com/packages/Az'.
'Az' = '4.*'
}


@ -0,0 +1,2 @@
## 1.0
- Initial release


@ -0,0 +1,141 @@
{
"id": "ZeroNetworksAccessOrchestratorAuditFunction",
"title": "Zero Networks Access Orchestrator Audit (Function)",
"publisher": "Zero Networks",
"descriptionMarkdown": "The [Zero Networks Access Orchestrator](https://zeronetworks.com/product/) Audit data connector provides the capability to ingest Audit events into Microsoft Sentinel through the REST API. Refer to API guide for more information. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "ZNAccessOrchestratorAudit_CL",
"baseQuery": "ZNAccessOrchestratorAudit_CL"
}
],
"sampleQueries": [
{
"description": "Zero Networks Access Orchestrator Audit - All Activities",
"query": "ZNAccessOrchestratorAudit_CL\n | sort by TimeGenerated desc"
}
],
"dataTypes": [
{
"name": "ZNAccessOrchestratorAudit_CL",
"lastDataReceivedQuery": "ZNAccessOrchestratorAudit_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"ZNAccessOrchestratorAudit_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions on the workspace are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [
{
"name": "Microsoft.Web/sites permissions",
"description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
},
{
"name": "REST API Credentials",
"description": "**Zero Networks Access Orchestrator** **API Token** is required for REST API. See the API Guide."
}
]
},
"instructionSteps": [
{
"title": "",
"description": ">**NOTE:** This connector uses Azure Functions to connect to the Zero Networks REST API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
},
{
"title": "",
"description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
},
{
"title": "",
"description": "**STEP 1 - Configuration steps for the Zero Networks API**\n\n See the API Guide to obtain the credentials. \n"
},
{
"title": "",
"description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Workspace data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following).",
"instructions": [{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID"
},
"type": "CopyableLabel"
},
{
"parameters": {
"fillWith": [
"PrimaryKey"
],
"label": "Primary Key"
},
"type": "CopyableLabel"
}
]
},
{
"title": "Option 1 - Azure Resource Manager (ARM) Template",
"description": "Use this method for automated deployment of the Zero Networks Access Orchestrator Audit data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ZeroNetworks-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group.\n3. Enter the **APIToken** and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."
},
{
"title": "Option 2 - Manual Deployment of Azure Functions",
"description": "Use the following step-by-step instructions to deploy the Zero Networks Access Orchestrator Audit data connector manually with Azure Functions (Deployment via Visual Studio Code)."
},
{
"title": "",
"description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-powershell#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/ZeroNetworks/AccessOrchestratorFunctionConnector/AzureFunction_ZeroNetworks_AccessOrchestrator_Audit.zip) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. ZNAccessOrchestratorAuditXXXXX).\n\n\te. **Select a runtime:** Choose PowerShell.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration."
},
{
"title": "",
"description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select ** New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tAPIToken\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n\t\turi\n\t\ttableName\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://<CustomerId>.ods.opinsights.azure.us`.\n3. Once all application settings have been entered, click **Save**."
}
],
"metadata": {
"id": "254aeaae-6001-49d6-ae43-17898ce6f0e4",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "community",
"name": "Microsoft Sentinel"
},
"author": {
"name": "Zero Networks"
},
"support": {
"tier": "community",
"name": "Zero Networks",
"email": "support@zeronetworks.com"
}
}
}
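Review bot: The manual-deployment step links the function package at `https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/ZeroNetworks/AccessOrchestratorFunctionConnector/AzureFunction_ZeroNetworks_AccessOrchestrator_Audit.zip`, while the ARM template in this same commit sets `WEBSITE_RUN_FROM_PACKAGE` to the same file under `Solutions/ZeroNetworks/Data%20Connectors/...`; only one of those paths can be the real one, so they should be reconciled before the connector is published. The "Configure the Function App" step lists the settings as `APIToken`, `WorkspaceID`, `WorkspaceKey` and calls them case-sensitive, yet the template writes `apiToken`, `workspaceID`, `workspaceKey`; pick one spelling for both so a manual deployment matches whatever run.ps1 reads. That same step numbers two items "3." and omits `TimeStampField`, which the template does set; if run.ps1 reads it, manual deployments will be missing it. The instruction step titled "Option 1" still refers to the "Purchase" button and an "ARM Tempate" (typo) in its description.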


@ -0,0 +1,36 @@
# Connect your Zero Networks Access Orchestrator to Microsoft Sentinel
Zero Networks Access Orchestrator connector allows you to easily connect all your Zero Networks Access Orchestrator security solution logs with your Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This connecor will collect Zero Networks Access Orchestrator Audit logs. Integration between Zero Networks Access Orchestrator and Microsoft Sentinel makes use of REST API.
> [!NOTE]
> Data will be stored in the geographic location of the workspace on which you are running Microsoft Sentinel.
## Configure and connect Zero Networks Access Orchestrator
Zero Networks Access Orchestrator can integrate and export logs directly to Microsoft Sentinel.
1. In the Microsoft Sentinel portal, click Data connectors and select Zero Networks Access Orchestrator and then Open connector page and follow the documented instructions.
## Find your data
After a successful connection is established, the data appears in Log Analytics under CustomLogs ZNAccessOrchestratorAudit.
To use the relevant schema in Log Analytics for the Zero Networks Access Orchestrator, search for ZNAccessOrchestratorAudit.
## Validate connectivity
It may take up to 20 minutes until your logs start to appear in Log Analytics.
## Next steps
In this document, you learned how to connect Zero Networks Access Orchestrator to Microsoft Sentinel. To learn more about Microsoft Sentinel, see the following articles:
- Learn how to [get visibility into your data, and potential threats](https://docs.microsoft.com/azure/sentinel/get-visibility).
- Get started [detecting threats with Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/detect-threats-built-in).
- [Use workbooks](https://docs.microsoft.com/azure/sentinel/monitor-your-data) to monitor your data.
### Install as a solution (Preview)
1. In the Microsoft Sentinel portal, click Content Hub and search Zero Networks.
2. Click Install.
For more information, see the [Microsoft Sentinel solution overview](https://docs.microsoft.com/azure/sentinel/sentinel-solutions) and our [Guide to Building Microsoft Sentinel Solutions](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions#readme).>


@ -0,0 +1,49 @@
# Zero Networks Access Orchestrator Integration for Microsoft Sentinel
## Introduction
This folder contains the Azure function time trigger code for Zero Networks Access Orchestrator-Microsoft Sentinel connector. The connector will run periodically and ingest the Zero Networks Access Orchestrator Audit data into the Microsoft Sentinel logs custom table `ZNAccessOrchestratorAudit_CL`.
## Folders
1. `Solutions/ZeroNetworks/` - This contains the package, requirements, ARM JSON file, connector page template JSON, and other dependencies.
2. `Solutions/ZeroNetworks/AccessOrchestratorFunctionConnector/` - This contains the Azure function source code.
## Installing for the users
After the solution is published, we can find the connector in the connector gallery of Microsoft Sentinel among other connectors in Data connectors section of Sentinel.
i. Go to Microsoft Sentinel -> Data Connectors
ii. Click on the `Zero Networks Access Orchestrator Audit (Function)` connector, connector page will open.
iii. Click on the blue `Deploy to Azure` button.
It will lead to a custom deployment page where after entering accurate credentials and other information, the resources will get created.
The connector should start ingesting the data into the logs in next 10-15 minutes.
## Installing for testing
i. Log in to Azure portal using the URL - [https://portal.azure.com/?feature.BringYourOwnConnector=true](https://portal.azure.com/?feature.BringYourOwnConnector=true).
ii. Go to Microsoft Sentinel -> Data Connectors
iii. Click the “import” button at the top and select the json file `DataConnector_API_AzureFunctionApp_ZeroNetworks_AccessOrchestrator_Audit` downloaded on your local machine from Github.
iv. This will load the connector page and rest of the process will be same as the Installing for users guideline above.
Each invocation and its logs of the function can be seen in Function App service of Azure, available in the Azure Portal outside the Microsoft Sentinel.
i. Go to Function App and click on the function which you have deployed, identified with the given name at the deployment stage.
ii. Go to Functions -> `ZNAccessOrchestratorAudit` -> Monitor
iii. By clicking on invocation time, you can see all the logs for that run.
**Note: Furthermore we can check logs in Application Insights of the given function in detail if needed. We can search the logs by operation ID in Transaction search section.**


@ -0,0 +1,226 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"FunctionName": {
"defaultValue": "ZNAccessOrchestratorAudit",
"minLength": 1,
"maxLength": 60,
"type": "string"
},
"WorkspaceID": {
"type": "string",
"defaultValue": "<workspaceID>"
},
"WorkspaceKey": {
"type": "string",
"defaultValue": "<workspaceKey>"
},
"APIToken": {
"type": "string",
"defaultValue": "<apiToken>"
},
"uri": {
"type": "string",
"defaultValue": "portal.zeronetworks.com/api/v1/audit"
}
},
"variables": {
"FunctionName": "[concat(toLower(parameters('FunctionName')), uniqueString(resourceGroup().id))]",
"StorageName": "[concat('znaoafa', uniqueString(resourceGroup().id))]",
"StorageSuffix": "[environment().suffixes.storage]",
"LogAnaltyicsUri": "[replace(environment().portal, 'https://portal', concat('https://', toLower(parameters('WorkspaceID')), '.ods.opinsights'))]",
"timeStampField": "timestamp"
},
"resources": [
{
"type": "Microsoft.Insights/components",
"apiVersion": "2015-05-01",
"name": "[variables('FunctionName')]",
"location": "[resourceGroup().location]",
"kind": "web",
"properties": {
"Application_Type": "web",
"ApplicationId": "[variables('FunctionName')]"
}
},
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"name": "[tolower(variables('StorageName'))]",
"location": "[resourceGroup().location]",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"networkAcls": {
"bypass": "AzureServices",
"virtualNetworkRules": [
],
"ipRules": [
],
"defaultAction": "Allow"
},
"supportsHttpsTrafficOnly": true,
"encryption": {
"services": {
"file": {
"keyType": "Account",
"enabled": true
},
"blob": {
"keyType": "Account",
"enabled": true
}
},
"keySource": "Microsoft.Storage"
}
}
},
{
"type": "Microsoft.Web/serverfarms",
"apiVersion": "2018-02-01",
"name": "[variables('FunctionName')]",
"location": "[resourceGroup().location]",
"sku": {
"name": "Y1",
"tier": "Dynamic"
},
"kind": "functionapp",
"properties": {
"name": "[variables('FunctionName')]",
"workerSize": "0",
"workerSizeId": "0",
"numberOfWorkers": "1"
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices",
"apiVersion": "2019-06-01",
"name": "[concat(variables('StorageName'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('StorageName')))]"
],
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"properties": {
"cors": {
"corsRules": [
]
},
"deleteRetentionPolicy": {
"enabled": false
}
}
},
{
"type": "Microsoft.Storage/storageAccounts/fileServices",
"apiVersion": "2019-06-01",
"name": "[concat(variables('StorageName'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('StorageName')))]"
],
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"properties": {
"cors": {
"corsRules": [
]
}
}
},
{
"type": "Microsoft.Web/sites",
"apiVersion": "2018-11-01",
"name": "[variables('FunctionName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('StorageName')))]",
"[resourceId('Microsoft.Web/serverfarms', variables('FunctionName'))]",
"[resourceId('Microsoft.Insights/components', variables('FunctionName'))]"
],
"kind": "functionapp",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"name": "[variables('FunctionName')]",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('FunctionName'))]",
"httpsOnly": true,
"clientAffinityEnabled": true,
"alwaysOn": true
},
"resources": [
{
"apiVersion": "2018-11-01",
"type": "config",
"name": "appsettings",
"dependsOn": [
"[concat('Microsoft.Web/sites/', variables('FunctionName'))]"
],
"properties": {
"FUNCTIONS_EXTENSION_VERSION": "~3",
"FUNCTIONS_WORKER_RUNTIME": "powershell",
"APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', variables('FunctionName')), '2015-05-01').InstrumentationKey]",
"APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', variables('FunctionName')), '2015-05-01').ConnectionString]",
"AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('StorageName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('StorageName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]",
"WEBSITE_CONTENTAZUREFILECONNECTIONSTRING": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('StorageName')),';AccountKey=', listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('StorageName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]",
"WEBSITE_CONTENTSHARE": "[toLower(variables('StorageName'))]",
"workspaceID": "[parameters('WorkspaceID')]",
"workspaceKey": "[parameters('WorkspaceKey')]",
"apiToken": "[parameters('APIToken')]",
"uri": "[parameters('uri')]",
"tableName": "ZNAccessOrchestratorAudit",
"TimeStampField": "[variables('timeStampField')]",
"logAnalyticsUri": "[variables('LogAnaltyicsUri')]",
"WEBSITE_RUN_FROM_PACKAGE": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/ZeroNetworks/Data%20Connectors/AccessOrchestratorFunctionConnector/AzureFunction_ZeroNetworks_AccessOrchestrator_Audit.zip"
}
}
]
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat(variables('StorageName'), '/default/azure-webjobs-hosts')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('StorageName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('StorageName'))]"
],
"properties": {
"publicAccess": "None"
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat(variables('StorageName'), '/default/azure-webjobs-secrets')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('StorageName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('StorageName'))]"
],
"properties": {
"publicAccess": "None"
}
},
{
"type": "Microsoft.Storage/storageAccounts/fileServices/shares",
"apiVersion": "2019-06-01",
"name": "[concat(variables('StorageName'), '/default/', tolower(variables('StorageName')))]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/fileServices', variables('StorageName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('StorageName'))]"
],
"properties": {
"shareQuota": 5120
}
}
]
}
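Review bot: `WorkspaceKey` and `APIToken` are declared as plain `"type": "string"` parameters, so the workspace shared key and the Zero Networks token are retained in readable form in the resource group's deployment history and in any tooling that logs template inputs; declaring both as `"type": "securestring"` keeps them out of deployment outputs while still populating the `workspaceKey` and `apiToken` app settings. The storage account resource leaves `minimumTlsVersion` and `allowBlobPublicAccess` unset although the `2019-06-01` API accepts them; `"minimumTlsVersion": "TLS1_2"` and `"allowBlobPublicAccess": false` are cheap hardening for the account that hosts the `azure-webjobs-secrets` container. `"alwaysOn": true` is set on a site bound to the `Y1`/`Dynamic` plan, where Always On is not offered, so the deployment may reject or silently ignore it; worth verifying with a test deployment. The `uri` default `portal.zeronetworks.com/api/v1/audit` has no scheme, so whether the function can use it depends on how run.ps1 builds the request; a `metadata.description` on that parameter, as the other template in this commit provides, would document the expected form.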


@ -0,0 +1,147 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"logAnalyticsWorkspaceName": {
"defaultValue": "<Enter Log Analytics Workspace name>",
"type": "string",
"metadata": {
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
}
},
"connectorResourceName": {
"type": "string",
"defaultValue": "[newGuid()]",
"metadata": {
"description": "Resource name for connector"
}
},
"uri": {
"type": "string",
"defaultValue": "portal.zeronetworks.com/api/v1/audit"
}
},
"functions": [],
"variables": {},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"name": "[concat(parameters('logAnalyticsWorkspaceName'),'/Microsoft.SecurityInsights/', parameters('connectorResourceName'))]",
"apiVersion": "2021-03-01-preview",
"location": "[resourceGroup().location]",
"dependsOn": [],
"kind": "APIPolling",
"properties": {
"connectorUiConfig": {
"id": "ZeroNetworksAccessOrchestratorAuditNativePoller",
"title": "Zero Networks Access Orchestrator Audit",
"publisher": "Zero Networks",
"descriptionMarkdown": "The [Zero Networks Access Orchestrator](https://zeronetworks.com/) Audit data connector provides the capability to ingest Zero Networks Audit events into Microsoft Sentinel through the REST API. This data connector uses Microsoft Sentinel native polling capability.",
"graphQueriesTableName": "ZNAccessOrchestratorAuditNativePoller_CL",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "Zero Networks Access Orchestrator Audit",
"baseQuery": "{{graphQueriesTableName}}"
}
],
"sampleQueries": [
{
"description": "All Zero Networks Access Orchestrator Audit events",
"query": "{{graphQueriesTableName}}\n| sort by TimeGenerated desc"
}
],
"dataTypes": [
{
"name": "{{graphQueriesTableName}}",
"lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriteria": [
{
"type": "SentinelKindsV2",
"value": []
}
],
"availability": {
"status": 1,
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [
{
"name": "Zero Networks API Token",
"description": "**ZeroNetworksAPIToken** is required for REST API. See the API Guide and follow the instructions for obtaining credentials."
}
]
},
"instructionSteps": [
{
"title": "Connect Zero Networks to Microsoft Sentinel",
"description": "Enable Zero Networks audit Logs.",
"instructions": [
{
"parameters": {
"enable": "true"
},
"type": "APIKey"
}
]
}
]
},
"pollingConfig": {
"auth": {
"authType": "APIKey"
},
"request": {
"apiEndpoint": "[parameters('uri')]",
"httpMethod": "GET",
"queryTimeFormat": "UnixTimestampInMills",
"queryWindowInMin": 5,
"startTimeAttributeName": "from",
"endTimeAttributeName": "to",
"queryParameters": {
"order": "desc"
}
},
"paging": {
"pagingType": "PageToken",
"nextPageParaName": "_cursor",
"nextPageTokenJsonPath": "..scrollCursor",
"pageSize": 400,
"pageSizeParaName": "_limit"
},
"response": {
"eventsJsonPaths": [
"$..items"
]
}
}
}
}
],
"outputs": {}
}
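Review bot: The `auth` block sets `"authType": "APIKey"` but gives no `apiKeyName` (or `apiKeyIdentifier`), so the header the token is sent in and any `Bearer` prefix are left to the platform default; if the Zero Networks API expects a specific header shape, the poller will fail authentication and the only trace is in the connector health log. The `uri` default `portal.zeronetworks.com/api/v1/audit` carries no scheme while it is used verbatim as `apiEndpoint`; APIPolling endpoints are typically full `https://` URLs, so confirm a relative value is accepted. `nextPageTokenJsonPath` is written `..scrollCursor` whereas `eventsJsonPaths` uses the rooted form `$..items`; the two should use the same JSONPath style, presumably `$..scrollCursor`. The `uri` parameter also lacks the `metadata.description` the other parameters carry.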


@ -0,0 +1,39 @@
id: 3dd14edf-788d-4f42-868f-28f3208b92a9
name: ZN Access Orchestrator - Excessive access by user
description: |
'Find users who gained access to the largest number of target assets in the selected time range'
severity: Medium
requiredDataConnectors:
- connectorId: ZeroNetworksAccessOrchestratorAuditFunction
dataTypes:
- ZNAccessOrchestratorAudit_CL
- connectorId: ZeroNetworksAccessOrchestratorAuditNativePoller
dataTypes:
- ZNAccessOrchestratorAuditNativePoller_CL
tactics:
- LateralMovement
relevantTechniques:
- T1210
- T1570
- T0866
query: |
let starttime = todatetime('{{StartTimeISO}}');
let endtime = todatetime('{{EndTimeISO}}');
ZNAccessOrchestratorAudit
| where TimeGenerated > ago(endtime-starttime)
| where AuditTypeId in (9,12,20,22,23,24)
| where DestinationEntityId !startswith "b:"
| summarize AffectedEntities=make_set(DestinationEntityName) by PerformedByName
| extend numOfTargetEntities=array_length(AffectedEntities)
| order by numOfTargetEntities desc
| extend Account_0_FullName = PerformedByName
| extend Host_0_NetBiosName = AffectedEntities
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: PerformedByName
- entityType: Host
fieldMappings:
- identifier: NetBiosName
columnName: AffectedEntities
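Review bot: `| where TimeGenerated > ago(endtime-starttime)` keeps events from a window of length (endtime − starttime) ending now, not the range the user selected, so the description's "selected time range" is honoured only when that range ends at the present moment; `| where TimeGenerated between (starttime .. endtime)` matches the stated intent. The Host entity is mapped to `AffectedEntities`, which is the dynamic array produced by `make_set`, so the mapping cannot yield a single NetBiosName; either `mv-expand` before mapping or map a scalar column. The same `ago()` window appears in the three sibling rules in this commit (excessive access to a built-in group, inbound block rules deleted, outbound block rules deleted). None of the four rules carries `kind`, `queryFrequency`, `queryPeriod`, `triggerOperator` or `triggerThreshold`; if they are meant as scheduled analytics rules rather than hunting queries, those fields are required, and if they are hunting queries the `severity` field is unused.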


@ -0,0 +1,39 @@
id: 0e68d210-a8ec-4e13-9f46-61011c020b87
name: ZN Access Orchestrator - Excessive access to a built-in group by user
description: |
'A rule was created which granted a user access to a large, built-in, group of assets.'
severity: Medium
requiredDataConnectors:
- connectorId: ZeroNetworksAccessOrchestratorAuditFunction
dataTypes:
- ZNAccessOrchestratorAudit_CL
- connectorId: ZeroNetworksAccessOrchestratorAuditNativePoller
dataTypes:
- ZNAccessOrchestratorAuditNativePoller_CL
tactics:
- LateralMovement
relevantTechniques:
- T1210
- T1570
- T0866
query: |
let starttime = todatetime('{{StartTimeISO}}');
let endtime = todatetime('{{EndTimeISO}}');
ZNAccessOrchestratorAudit
| where TimeGenerated > ago(endtime-starttime)
| where AuditTypeId in (9,12,20,22,23,24)
| where DestinationEntityId startswith "b:"
| summarize affectedEntities=make_set(DestinationEntityId) by PerformedByName
| extend numOfTargetEntities=array_length(affectedEntities)
| order by numOfTargetEntities desc
| extend Account_0_Name = PerformedByName
| extend Host_0_NetBiosName = affectedEntities
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: PerformedByName
- entityType: Host
fieldMappings:
- identifier: NetBiosName
columnName: AffectedEntities
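Review bot: `entityMappings` points the Host entity at `AffectedEntities`, but the query's `summarize` produces `affectedEntities` (lower-case a); KQL column names are case-sensitive, so the mapping references a column that does not exist, while the legacy `Host_0_NetBiosName = affectedEntities` line a few rows above uses the real name. Change the mapping to `columnName: affectedEntities`, or rename the summarize output to `AffectedEntities` to match the excessive-access rule. The Account entity column is aliased `Account_0_Name` here and `Account_0_FullName` in that sibling rule for the same `PerformedByName` source; the two rules should agree on one alias.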


@ -0,0 +1,34 @@
id: fcbbd670-d4e6-4f3a-9008-d8905e84cf79
name: ZN Access Orchestrator - Inbound Block Rules Deleted
description: |
'Query searches for inbound block rules deleted by non AI.'
severity: Medium
requiredDataConnectors:
- connectorId: ZeroNetworksAccessOrchestratorAuditFunction
dataTypes:
- ZNAccessOrchestratorAudit_CL
- connectorId: ZeroNetworksAccessOrchestratorAuditNativePoller
dataTypes:
- ZNAccessOrchestratorAuditNativePoller_CL
tactics:
- DefenseEvasion
relevantTechniques:
- T1562
query: |
let starttime = todatetime('{{StartTimeISO}}');
let endtime = todatetime('{{EndTimeISO}}');
ZNAccessOrchestratorAudit
| where TimeGenerated > ago(endtime-starttime)
| where AuditTypeId == 34
| where EnforcementSource != "AI"
| extend Account_0_FullName = PerformedByName
| extend Host_0_NetBiosName = DestinationEntityName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: PerformedByName
- entityType: Host
fieldMappings:
- identifier: NetBiosName
columnName: DestinationEntityName


@ -0,0 +1,34 @@
id: d8945c8f-bba4-4e02-ad09-228b067ebcf2
name: ZN Access Orchestrator - Outbound Block Rules Deleted
description: |
'Query searches for outbound block rules deleted by non AI.'
severity: Medium
requiredDataConnectors:
- connectorId: ZeroNetworksAccessOrchestratorAuditFunction
dataTypes:
- ZNAccessOrchestratorAudit_CL
- connectorId: ZeroNetworksAccessOrchestratorAuditNativePoller
dataTypes:
- ZNAccessOrchestratorAuditNativePoller_CL
tactics:
- DefenseEvasion
relevantTechniques:
- T1562
query: |
let starttime = todatetime('{{StartTimeISO}}');
let endtime = todatetime('{{EndTimeISO}}');
ZNAccessOrchestratorAudit
| where TimeGenerated > ago(endtime-starttime)
| where AuditTypeId == 30
| where EnforcementSource != "AI"
| extend Account_0_FullName = PerformedByName
| extend Host_0_NetBiosName = DestinationEntityName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: PerformedByName
- entityType: Host
fieldMappings:
- identifier: NetBiosName
columnName: DestinationEntityName


@ -0,0 +1,98 @@
// Usage Instruction :
// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias as ZNAccessOrchestratorAudit.
// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. ZNAccessOrchestratorAudit | take 10).
// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
let AuditTypesTable = datatable(auditType_d: double, AuditType: string) [
0, "Unspecified",
1, "Asset is being added to protection",
2, "Asset added to protection",
3, "Asset failed adding to protection",
4, "Asset is being removed from protection",
5, "Removed asset from protection",
6, "Failed removing asset from protection",
7, "Asset added to learning",
8, "Asset removed from learning",
9, "Access rule created",
10, "Access rule deleted",
11, "Access rule expired",
12, "Access rule edited",
17, "MFA access policy created",
18, "MFA access policy deleted",
19, "MFA access policy edited",
20, "JIT rule created",
21, "JIT rule deleted",
22, "JIT rule expired",
23, "JIT rule revived",
24, "JIT rule edited",
25, "API Token created",
26, "API Token deleted",
27, "API Token regenerated",
28, "Asset learning is extended",
29, "Outbound block rule created",
30, "Outbound block rule deleted",
31, "Outbound block rule expired",
32, "Outbound block rule edited",
33, "Inbound block rule created",
34, "Inbound block rule deleted",
35, "Inbound block rule expired",
36, "Inbound block rule edited",
37, "Inbound rule pseudo edited",
38, "Outbound rule pseudo edited"
];
let EnforcementSourceTypeTable = datatable (enforcementSource_d: double, EnforcementSource: string) [
1, "Reactive Policy",
2, "Automated",
3, "Access Portal",
4, "Admin Portal",
5, "AI",
6, "API"
];
let UserRoleTypeTable = datatable (userRole_d: double, UserRole: string) [
1, "Admin",
2, "Viewer",
3, "Regular",
4, "API - Full Access",
5, "API - Read Only",
6, "Self Service"
];
union isfuzzy=true ZeroNetworksAuditNativePoller_CL, ZNAccessOrchestratorAudit_CL
| project-away TimeGenerated
| lookup kind=leftouter AuditTypesTable on auditType_d
| lookup kind=leftouter EnforcementSourceTypeTable on enforcementSource_d
| lookup kind=leftouter UserRoleTypeTable on userRole_d
| extend entity=parse_json(destinationEntitiesList_s)
| extend EventVendor="Zero Networks",
EventProduct="Access Orchestrator Audit",
AuditTypeId=column_ifexists('auditType_d', ''),
TimeGenerated=unixtime_milliseconds_todatetime(timestamp_d),
EnforcementSourceId=column_ifexists('enforcementSource_d', ''),
UserRoleId=column_ifexists('userRole_d', ''),
DestinationEntityName = ['entity'][0].name,
DestinationEntityId = ['entity'][0].id,
Details=column_ifexists('details_s', ''),
PerformedById=column_ifexists('performedBy_id_s', ''),
PerformedByName=column_ifexists('performedBy_name_s', ''),
PerformedByGuid=column_ifexists('performedBy_id_g', ''),
ReportedObjectGuid=column_ifexists('reportedObjectId_g', ''),
ReportedObjectId=column_ifexists('reportedObjectId_s', '')
| extend Rule=parse_json(Details).rule,
ReactivePolicy=parse_json(Details).rp
| project
TimeGenerated,
EventVendor,
EventProduct,
AuditTypeId,
AuditType,
DestinationEntityId,
DestinationEntityName,
EnforcementSourceId,
EnforcementSource,
PerformedByGuid,
PerformedById,
PerformedByName,
ReportedObjectGuid,
ReportedObjectId,
UserRoleId,
UserRole,
Rule,
ReactivePolicy
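Review bot: The `union isfuzzy=true` names `ZeroNetworksAuditNativePoller_CL`, but the native-poller connector in this commit writes to `ZNAccessOrchestratorAuditNativePoller_CL` (its `graphQueriesTableName`, and the table the four analytics rules list under `dataTypes`); because `isfuzzy=true` suppresses the missing-table error, poller events never reach this function or the rules built on it and nothing reports the gap. The first line should read `union isfuzzy=true ZNAccessOrchestratorAuditNativePoller_CL, ZNAccessOrchestratorAudit_CL`. `DestinationEntityName` and `DestinationEntityId` take only `['entity'][0]`, so an audit event whose `destinationEntitiesList_s` lists several targets contributes a single entity to the rules' `make_set` counts; if multi-target rules occur, an `mv-expand` on `entity` would preserve them. `AuditTypeId`, `EnforcementSourceId` and `UserRoleId` fall back to `''` when the source column is absent, which gives them a string type in that case and a double otherwise; the rules' numeric comparisons such as `AuditTypeId in (9,12,20,22,23,24)` assume the double.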


@ -0,0 +1,560 @@
{
"swagger": "2.0",
"info": {
"title": "Zero Networks",
"description": "Zero Networks Rest API",
"version": "1.0"
},
"host": "portal.zeronetworks.com",
"basePath": "/api/v1",
"schemes": [
"https"
],
"consumes": [
"application/json"
],
"produces": [
"application/json"
],
"paths": {
"/assets": {
"get": {
"responses": {
"default": {
"description": "default",
"schema": {
"$ref": "#/definitions/assetList"
}
}
},
"operationId": "Search for an Asset",
"parameters": [
{
"name": "_limit",
"in": "query",
"required": true,
"type": "integer",
"default": 400,
"format": "int32",
"x-ms-visibility": "internal"
},
{
"name": "_search",
"in": "query",
"required": true,
"type": "string",
"format": ""
}
]
}
},
"/entities/encode-ip": {
"get": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "object",
"properties": {
"id": {
"type": "string"
}
}
}
}
},
"operationId": "Encode IP Address to AssetId",
"parameters": [
{
"name": "ip",
"in": "query",
"required": true,
"type": "string",
"description": "IP Address to encode"
}
]
}
},
"/assets/searchId": {
"get": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "object",
"properties": {
"assetId": {
"type": "string",
"description": "assetId"
}
}
}
}
},
"operationId": "Get AssetId by FQDN",
"parameters": [
{
"name": "fqdn",
"in": "query",
"required": true,
"type": "string",
"format": ""
}
]
}
},
"/assets/protect": {
"post": {
"responses": {
"default": {
"description": "default",
"schema": {}
}
},
"operationId": "Add asset to protection",
"parameters": [
{
"name": "body",
"in": "body",
"required": true,
"schema": {
"type": "object",
"properties": {
"items": {
"type": "array",
"items": {
"type": "string"
},
"description": "List of AssetIDs"
},
"protectAt": {
"type": "integer",
"format": "int64",
"description": "epoch(ms) when to move from learning to protection, 0 means protectNow"
}
}
}
}
]
}
},
"/assets/unprotect": {
"post": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "object",
"properties": {}
}
}
},
"operationId": "Remove asset from protection",
"parameters": [
{
"name": "body",
"in": "body",
"required": true,
"schema": {
"type": "object",
"properties": {
"items": {
"type": "array",
"items": {
"type": "string"
},
"description": "List of AssetIDs"
}
}
}
}
]
}
},
"/protection/rules/inbound-block": {
"post": {
"responses": {
"default": {
"description": "default",
"schema": {
"$ref": "#/definitions/ruleResponse"
}
}
},
"operationId": "Create Inbound Block rule",
"parameters": [
{
"name": "body",
"in": "body",
"required": true,
"schema": {
"$ref": "#/definitions/ruleBody"
}
}
]
}
},
"/protection/rules/outbound-block": {
"post": {
"responses": {
"default": {
"description": "default",
"schema": {
"$ref": "#/definitions/ruleResponse"
}
}
},
"operationId": "Create Outbound Block rule",
"parameters": [
{
"name": "body",
"in": "body",
"required": true,
"schema": {
"$ref": "#/definitions/ruleBody"
}
}
]
}
}
},
"definitions": {
"assetList": {
"properties": {
"items": {
"items": {
"$ref": "#/definitions/asset"
},
"type": "array"
}
},
"type": "object"
},
"asset": {
"properties": {
"assetType": {
"enum": [
0,
1,
2
],
"format": "int32",
"type": "integer"
},
"domain": {
"example": "domain.local",
"type": "string"
},
"fqdn": {
"example": "laptoppc.domain.local",
"type": "string"
},
"id": {
"example": "a:a:6d020055",
"type": "string"
},
"ipAddresses": {
"items": {
"example": "1.1.1.1",
"type": "string"
},
"type": "array"
},
"isAccessible": {
"type": "boolean"
},
"managers": {
"items": {
"$ref": "#/definitions/manager"
},
"type": "array"
},
"name": {
"example": "laptoppc",
"type": "string"
},
"operatingSystem": {
"example": "Windows 10 Pro",
"type": "string"
},
"protectionState": {
"enum": [
0,
1,
2,
3,
4
],
"format": "int32",
"type": "integer"
},
"source": {
"enum": [
0,
1,
2,
3
],
"format": "int32",
"type": "integer"
},
"state": {
"$ref": "#/definitions/state"
}
},
"type": "object"
},
"manager": {
"properties": {
"entityType": {
"enum": [
"user"
],
"type": "string"
},
"id": {
"type": "string"
},
"name": {
"example": "User Name",
"type": "string"
},
"permission": {
"format": "int32",
"type": "integer"
}
},
"type": "object"
},
"rule": {
"properties": {
"action": {
"format": "int32",
"type": "integer"
},
"createdAt": {
"description": "epoch timestamp",
"format": "int32",
"type": "integer"
},
"createdBy": {
"properties": {
"createdBy": {
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
}
},
"type": "object"
},
"enforcementSource": {
"format": "int32",
"type": "integer"
},
"userRole": {
"format": "int32",
"type": "integer"
}
},
"type": "object"
},
"description": {
"type": "string"
},
"direction": {
"format": "int32",
"type": "integer"
},
"expiresAt": {
"format": "int32",
"type": "integer"
},
"id": {
"type": "string"
},
"localEntityId": {
"type": "string"
},
"localEntityInfo": {
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
}
},
"type": "object"
},
"localProcessesList": {
"items": {
"type": "string"
},
"type": "array"
},
"parentId": {
"type": "string"
},
"parentType": {
"format": "int32",
"type": "integer"
},
"portsList": {
"items": {
"properties": {
"ports": {
"type": "string"
},
"protocolType": {
"type": "string"
}
},
"type": "object"
},
"type": "array"
},
"remoteEntityIdsList": {
"items": {
"type": "string"
},
"type": "array"
},
"remoteEntityInfos": {
"items": {
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
}
},
"type": "object"
},
"type": "array"
},
"state": {
"format": "int32",
"type": "integer"
},
"updatedAt": {
"description": "epoch timestamp",
"format": "int32",
"type": "integer"
}
},
"type": "object"
},
"ruleBody": {
"properties": {
"description": {
"type": "string"
},
"expiresAt": {
"example": 0,
"format": "int32",
"type": "integer"
},
"localEntityId": {
"type": "string"
},
"localProcessesList": {
"items": {
"type": "string"
},
"type": "array"
},
"portsList": {
"items": {
"properties": {
"ports": {
"type": "string"
},
"protocolType": {
"format": "int32",
"type": "integer"
}
},
"type": "object"
},
"type": "array"
},
"remoteEntityIdsList": {
"items": {
"type": "string"
},
"type": "array"
},
"state": {
"example": 1,
"format": "int32",
"type": "integer"
}
},
"required": [
"expiresAt",
"localEntityId",
"localProcessesList",
"portsList",
"remoteEntityIdsList",
"state"
],
"type": "object"
},
"ruleResponse": {
"properties": {
"item": {
"$ref": "#/definitions/rule"
}
},
"type": "object"
},
"state": {
"properties": {
"assetId": {
"type": "string"
},
"isAssetConnected": {
"type": "boolean"
},
"lasDisconnectedAt": {
"description": "epoch timestamp",
"type": "integer"
},
"protectAt": {
"description": "epoch timestamp",
"format": "int64",
"type": "integer"
},
"protectionState": {
"enum": [
1,
3,
5
],
"format": "int32",
"type": "integer"
}
},
"type": "object"
}
},
"parameters": {},
"responses": {},
"securityDefinitions": {
"API Key": {
"type": "apiKey",
"in": "header",
"name": "Authorization"
}
},
"security": [
{
"API Key": []
}
],
"tags": []
}
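Review bot: The epoch-timestamp fields in `definitions.rule` (`createdAt`, `updatedAt`, `expiresAt`) and `ruleBody.expiresAt` are declared `"format": "int32"`, while `protectAt` in the same spec is `int64` and described as epoch milliseconds; a millisecond epoch does not fit a signed 32-bit integer and even a seconds epoch overflows in 2038, so these should presumably be `"format": "int64"` with the unit named, e.g. `"description": "epoch timestamp (ms)"`. `portsList[].protocolType` is also typed `string` in `rule` but `int32` in `ruleBody`, and `state.protectionState` enumerates `[1, 3, 5]` where `asset.protectionState` enumerates `0`–`4`; one side of each pair is probably wrong and worth confirming against the API. `lasDisconnectedAt` in `definitions.state` looks like a typo for `lastDisconnectedAt`, but only the API can confirm which spelling it actually returns. The same definitions are repeated verbatim in the YAML copy of the spec in this commit, so any correction applies there too; keeping a single copy would avoid the two drifting apart.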


@ -0,0 +1,379 @@
swagger: '2.0'
info:
title: Zero Networks
description: Zero Networks Rest API
version: '1.0'
host: portal.zeronetworks.com
basePath: /api/v1
schemes:
- https
consumes:
- application/json
produces:
- application/json
paths:
/assets:
get:
responses:
default:
description: default
schema:
$ref: '#/definitions/assetList'
operationId: Search for an Asset
parameters:
- name: _limit
in: query
required: true
type: integer
default: 400
format: int32
x-ms-visibility: internal
- name: _search
in: query
required: true
type: string
format: ''
/entities/encode-ip:
get:
responses:
default:
description: default
schema:
type: object
properties:
id:
type: string
operationId: Encode IP Address to AssetId
parameters:
- name: ip
in: query
required: true
type: string
description: IP Address to encode
/assets/searchId:
get:
responses:
default:
description: default
schema:
type: object
properties:
assetId:
type: string
description: assetId
operationId: Get AssetId by FQDN
parameters:
- name: fqdn
in: query
required: true
type: string
format: ''
/assets/protect:
post:
responses:
default:
description: default
schema: {}
operationId: Add asset to protection
parameters:
- name: body
in: body
required: true
schema:
type: object
properties:
items:
type: array
items:
type: string
description: List of AssetIDs
protectAt:
type: integer
format: int64
description: epoch(ms) when to move from learning to protection, 0 means protectNow
/assets/unprotect:
post:
responses:
default:
description: default
schema:
type: object
properties: {}
operationId: Remove asset from protection
parameters:
- name: body
in: body
required: true
schema:
type: object
properties:
items:
type: array
items:
type: string
description: List of AssetIDs
/protection/rules/inbound-block:
post:
responses:
default:
description: default
schema:
$ref: '#/definitions/ruleResponse'
operationId: Create Inbound Block rule
parameters:
- name: body
in: body
required: true
schema:
$ref: '#/definitions/ruleBody'
/protection/rules/outbound-block:
post:
responses:
default:
description: default
schema:
$ref: '#/definitions/ruleResponse'
operationId: Create Outbound Block rule
parameters:
- name: body
in: body
required: true
schema:
$ref: '#/definitions/ruleBody'
definitions:
assetList:
properties:
items:
items:
$ref: '#/definitions/asset'
type: array
type: object
asset:
properties:
assetType:
enum:
- 0
- 1
- 2
format: int32
type: integer
domain:
example: domain.local
type: string
fqdn:
example: laptoppc.domain.local
type: string
id:
example: a:a:6d020055
type: string
ipAddresses:
items:
example: 1.1.1.1
type: string
type: array
isAccessible:
type: boolean
managers:
items:
$ref: '#/definitions/manager'
type: array
name:
example: laptoppc
type: string
operatingSystem:
example: Windows 10 Pro
type: string
protectionState:
enum:
- 0
- 1
- 2
- 3
- 4
format: int32
type: integer
source:
enum:
- 0
- 1
- 2
- 3
format: int32
type: integer
state:
$ref: '#/definitions/state'
type: object
manager:
properties:
entityType:
enum:
- user
type: string
id:
type: string
name:
example: User Name
type: string
permission:
format: int32
type: integer
type: object
rule:
properties:
action:
format: int32
type: integer
createdAt:
description: epoch timestamp
format: int32
type: integer
createdBy:
properties:
createdBy:
properties:
id:
type: string
name:
type: string
type: object
enforcementSource:
format: int32
type: integer
userRole:
format: int32
type: integer
type: object
description:
type: string
direction:
format: int32
type: integer
expiresAt:
format: int32
type: integer
id:
type: string
localEntityId:
type: string
localEntityInfo:
properties:
id:
type: string
name:
type: string
type: object
localProcessesList:
items:
type: string
type: array
parentId:
type: string
parentType:
format: int32
type: integer
portsList:
items:
properties:
ports:
type: string
protocolType:
type: string
type: object
type: array
remoteEntityIdsList:
items:
type: string
type: array
remoteEntityInfos:
items:
properties:
id:
type: string
name:
type: string
type: object
type: array
state:
format: int32
type: integer
updatedAt:
description: epoch timestamp
format: int32
type: integer
type: object
ruleBody:
properties:
description:
type: string
expiresAt:
example: 0
format: int32
type: integer
localEntityId:
type: string
localProcessesList:
items:
type: string
type: array
portsList:
items:
properties:
ports:
type: string
protocolType:
format: int32
type: integer
type: object
type: array
remoteEntityIdsList:
items:
type: string
type: array
state:
example: 1
format: int32
type: integer
required:
- expiresAt
- localEntityId
- localProcessesList
- portsList
- remoteEntityIdsList
- state
type: object
ruleResponse:
properties:
item:
$ref: '#/definitions/rule'
type: object
state:
properties:
assetId:
type: string
isAssetConnected:
type: boolean
lasDisconnectedAt:
description: epoch timestamp
type: integer
protectAt:
description: epoch timestamp
format: int64
type: integer
protectionState:
enum:
- 1
- 3
- 5
format: int32
type: integer
type: object
parameters: {}
responses: {}
securityDefinitions:
API Key:
type: apiKey
in: header
name: Authorization
security:
- API Key: []
tags: []


@ -0,0 +1,50 @@
# Zero Networks Logic Apps connector
![Zero Networks](./Images/ZeroNetworks.png)<br>
## Table of Contents
1. [Overview](#overview)
1. [Actions supported by Zero Networks custom connector](#actions)
1. [Deployment](#deployment)
1. [Authentication](#Authentication)
<a name="overview"></a>
## Overview
General info about this product and the core values of this integration. <br>
<a name="actions"></a>
## Actions supported by Cisco ASA custom connector
| Component | Description |
| --------- | -------------- |
| **Search for an Asset** | Action used to get an asset by name |
| **Get AssetId by FQDN** | Action used to get the assetId for a machine using the FQDN |
| **Add asset to protection** | Action used to add an asset to learning or protection |
| **Remove asset from protection** | Action used to remove an asset from learning or protection |
| **Create Inbound Block rule** | Action used to create an inbound blocking rule |
| **Create Outbound Block rule** | Action used to create an outbound blocking rule |
<a name="deployment"></a>
## Deployment instructions
Prior using this custom connector, it should be deployed in the Resource Group where the playbooks that will include it are located.
<br>
### Connector
1. Deploy the Custom Connector by clicking on "Deploy to Azure" button. This will take you to deplyoing an ARM Template wizard.
2. Fill in the required paramteres:
* Connector name: Please enter the custom connector(ex:Cisco ASA connector)
* Service Endpoint: The URL to the Zero Networks REST API
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FZeroNetworks%2FPlaybooks%2FCustomConnector%2Fazuredeploy.json)
[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPSolutions%2FZeroNetworks%2FPlaybooks%2FCustomConnector%2Fazuredeploy.json)
<a name="authentication"></a>
## Authentication
In Zero Networks prtal, create an API token to use the REST API. Depending on the playbook the API token may need admin priviledges.

Solutions/ZeroNetworks/Playbooks/Images/ZeroNetworks.png Normal file



@ -0,0 +1,137 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"Custom Connector Name": {
"defaultValue": "ZeroNetworksConnector",
"type": "string",
"metadata": {
"description": "Name of the Connector"
}
},
"Service Endpoint": {
"defaultValue": "https://portal.zeronetworks.com/api/v1",
"type": "string",
"metadata": {
"description": "URL of the Rest API"
}
},
"Playbook1Name": {
"defaultValue": "ZNAcccessOrchestrator-AddAssettoProtection",
"type": "String",
"metadata": {
"description": "Name of the Logic App/Playbook"
}
},
"Playbook2Name": {
"defaultValue": "ZNAcccessOrchestrator-AddBlockOutboundRule",
"type": "String",
"metadata": {
"description": "Name of the Logic App/Playbook"
}
},
"Playbook3Name": {
"defaultValue": "ZeroNetworksAcccessOrchestrator-EnrichIncident",
"type": "String",
"metadata": {
"description": "Name of the Logic Apps resource to be created"
}
}
},
"variables": {
"templateUrl": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/ZeroNetworks/Playbooks"
},
"resources": [
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2021-04-01",
"name": "linkedTemplate1",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "[concat(variables('templateUrl'), '/CustomConnector/azuredeploy.json')]",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Custom Connector Name": {
"value": "[parameters('Custom Connector Name')]"
},
"Service Endpoint": {
"value": "[parameters('Service Endpoint')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2021-04-01",
"name": "linkedTemplate2",
"dependsOn": [
"[resourceId('Microsoft.Resources/deployments', 'linkedTemplate1')]"
],
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "[concat(variables('templateUrl'), '/ZeroNetworksAcccessOrchestrator-AddAssettoProtection/azuredeploy.json')]",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Playbook Name": {
"value": "[parameters('Playbook1Name')]"
},
"ConnectorName": {
"value": "[parameters('Custom Connector Name')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2021-04-01",
"name": "linkedTemplate3",
"dependsOn": [
"[resourceId('Microsoft.Resources/deployments', 'linkedTemplate1')]"
],
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "[concat(variables('templateUrl'), '/ZeroNetworksAcccessOrchestrator-AddBlockOutboundRule/azuredeploy.json')]",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Playbook Name": {
"value": "[parameters('Playbook2Name')]"
},
"ConnectorName": {
"value": "[parameters('Custom Connector Name')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2021-04-01",
"name": "linkedTemplate4",
"dependsOn": [
"[resourceId('Microsoft.Resources/deployments', 'linkedTemplate1')]"
],
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "[concat(variables('templateUrl'), '/ZeroNetworksAcccessOrchestrator-EnrichIncident/azuredeploy.json')]",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Playbook Name": {
"value": "[parameters('Playbook3Name')]"
},
"ConnectorName": {
"value": "[parameters('Custom Connector Name')]"
}
}
}
}
],
"outputs": {
}
}
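Review bot: `variables.templateUrl` fetches the four linked templates from the `master` branch of the public repository at deployment time, so what is deployed depends on whatever that branch holds when the deployment runs and cannot be audited against a fixed revision; pinning the URL to a release tag or commit would make the deployment reproducible and reviewable. Parameter types are also mixed, `"type": "string"` for the connector parameters and `"type": "String"` for the playbook names; ARM treats them alike, but one spelling reads better. The `Playbook3Name` default `ZeroNetworksAcccessOrchestrator-EnrichIncident` uses a different prefix from the other two defaults (`ZNAcccessOrchestrator-…`), which looks unintended.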


@ -0,0 +1,277 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"title": "Add Asset to Protection - Zero Networks Acccess Orchestrator",
"description": "This playbook takes a host from a Microsoft Sentinel incident and adds it to protection. The playbook is configured to add the machine to protection(learning). If you want to have it go straight to protection, remove the protectAt property in the action.",
"mainSteps": [
"1. For the hosts in the incident, each host is added to protection (learning).",
"2. A comment is added to Microsoft Sentinel incident."
],
"prerequisites": [
"1. Zero Networks custom connector needs to be deployed prior to the deployment of this playbook, in the same resource group and region. Relevant instructions can be found in the connector doc page."
],
"prerequisitesDeployTemplateFile": "../CustomConnector/azuredeploy.json",
"lastUpdateTime": "2022-03-16T00:00:00.000Z",
"entities": [ "Host" ],
"tags": [ "Mitigation" ],
"support": {
"tier": "community"
},
"author": {
"name": "Zero Networks"
}
},
"parameters": {
"Playbook Name": {
"defaultValue": "ZNAcccessOrchestrator-AddAssettoProtection",
"type": "String",
"metadata": {
"description": "Name of the Logic App/Playbook"
}
},
"ConnectorName": {
"defaultValue": "ZeroNetworksConnector",
"type": "String",
"metadata": {
"description": "Custom Connector name"
}
}
},
"variables": {
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('Playbook Name'))]",
"ZeroNetworksConnectionName": "[concat('ZeroNetworksConnector-', parameters('Playbook Name'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('ZeroNetworksConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('ConnectorName'))]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('Playbook Name')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('ZeroNetworksConnectionName'))]"
],
"tags": {
"hidden-SentinelTemplateName": "ZeroNetworksAcccessOrchestrator-AddAssettoProtection",
"hidden-SentinelTemplateVersion": "1.0"
},
"identity": {
"type": "SystemAssigned"
},
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {
"Add_comment_to_incident_(V3)": {
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p><strong>Zero Networks:</strong><br>\nThe following assets were added to protection:<br>\n@{body('Create_HTML_table')}</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
},
"runAfter": {
"Create_HTML_table": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Create_HTML_table": {
"inputs": {
"format": "HTML",
"from": "@variables('AssetstoAddtoProtection')"
},
"runAfter": {
"For_each": [
"Succeeded"
]
},
"type": "Table"
},
"Entities_-_Get_Hosts": {
"inputs": {
"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/host"
},
"runAfter": {},
"type": "ApiConnection"
},
"For_each": {
"actions": {
"For_each_2": {
"actions": {
"Add_asset_to_protection": {
"inputs": {
"body": {
"items": [
"@items('For_each_2')?['state']?['assetId']"
],
"protectAt": "@div(sub(ticks(utcNow()),ticks('1970-01-01')),10000000)"
},
"host": {
"connection": {
"name": "@parameters('$connections')['ZeroNetworksConnector']['connectionId']"
}
},
"method": "post",
"path": "/assets/protect"
},
"runAfter": {
"Append_to_array_variable": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Append_to_array_variable": {
"inputs": {
"name": "AssetstoAddtoProtection",
"value": {
"AssetId": "@{items('For_each_2')?['state']?['assetId']}",
"FQDN": "@{items('For_each_2')?['fqdn']}"
}
},
"runAfter": {},
"type": "AppendToArrayVariable"
}
},
"foreach": "@body('Search_for_an_Asset')?['items']",
"runAfter": {
"Search_for_an_Asset": [
"Succeeded"
]
},
"type": "Foreach"
},
"Search_for_an_Asset": {
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['ZeroNetworksConnector']['connectionId']"
}
},
"method": "get",
"path": "/assets",
"queries": {
"_limit": 400,
"_search": "@items('For_each')?['HostName']"
}
},
"runAfter": {},
"type": "ApiConnection"
}
},
"foreach": "@body('Entities_-_Get_Hosts')?['Hosts']",
"runAfter": {
"Initialize_variable": [
"Succeeded"
]
},
"type": "Foreach"
},
"Initialize_variable": {
"inputs": {
"variables": [
{
"name": "AssetstoAddtoProtection",
"type": "array"
}
]
},
"runAfter": {
"Entities_-_Get_Hosts": [
"Succeeded"
]
},
"type": "InitializeVariable"
}
},
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"Microsoft_Sentinel_incident_2": {
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/incident-creation"
},
"type": "ApiConnectionWebhook"
}
}
},
"parameters": {
"$connections": {
"value": {
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "[variables('AzureSentinelConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
},
"ZeroNetworksConnector": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('ZeroNetworksConnectionName'))]",
"connectionName": "[variables('ZeroNetworksConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('ConnectorName'))]"
}
}
}
}
}
}
]
}
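Review bot: `protectAt` in `Add_asset_to_protection` is computed as `@div(sub(ticks(utcNow()),ticks('1970-01-01')),10000000)`, which divides 100-ns ticks by 10^7 and therefore yields epoch seconds, whereas the connector spec added in this commit documents `protectAt` as epoch milliseconds; the value sent is about a thousand times too small (it corresponds to January 1970 when read as ms), so it is presumably treated as already due rather than keeping the asset in learning as the template description says. Dividing by `10000` gives milliseconds, and if the intent is a learning window the value should also be offset into the future, e.g. `"protectAt": "@add(div(sub(ticks(utcNow()),ticks('1970-01-01')),10000), <learning window in ms — placeholder>)"`; the intended window is not stated anywhere in the template. Separately, `For_each_2` iterates over every item `Search_for_an_Asset` returns for `_search` = host name (up to `_limit` 400), so if the search is a substring match, assets other than the incident host would be put into protection too; comparing the returned `fqdn`/`name` with the entity before `Add_asset_to_protection` would bound the change to the intended host.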



@ -0,0 +1,41 @@
# Zero Network sAcccess Orchestrator-Add Asset to Protection
## Summary
This playbook takes a host from a Microsoft Sentinel incident and adds it to protection. The playbook is configured to add the machine to protection(learning). If you want to have it go straight to protection, remove the **protectAt** property in the action.
When a new Microsoft Sentinel incident is created, this playbook gets triggered and performs below actions
1. For the hosts in the incident, each host is added to protection (learning).
2. A comment is added to Microsoft Sentinel incident.
**Playbook overview:**
![playbook overview](./images/designerLight.png)
### Prerequisites
1. Zero Networks custom connector needs to be deployed prior to the deployment of this playbook, in the same resource group and region. Relevant instructions can be found in the connector doc page.
### Deployment instructions
1. Deploy the playbook by clicking on "Depoly to Azure" button. This will take you to deplyoing an ARM Template wizard.
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FZeroNetworks%2FPlaybooks%2FZeroNetworksAcccessOrchestrator-AddAssettoProtection%2Fazuredeploy.json)
[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FZeroNetworks%2FPlaybooks%2FZeroNetworksAcccessOrchestrator-AddAssettoProtection%2Fazuredeploy.json)
2. Fill in the required paramteres:
* Playbook Name: Enter the playbook name here (ex:ZNAcccessOrchestrator-AddAssettoProtection)
* Zero Networks Connector name : Enter the name of the Zero Networks custom connector (default value:ZeroNetworksConnector)
### Post-Deployment instructions
#### a. Authorize connections
Once deployment is complete, you will need to authorize each connection.
1. Click the Microsoft Sentinel connection resource
2. Click edit API connection
3. Click Authorize
4. Sign in
5. Click Save
6. Repeat steps for other connections such as Zero Networks
#### c. Configurations in Sentinel
1. In Microsoft Sentinel, analytical rules should be configured to trigger an incident with Host Entity.
2. Configure the automation rules to trigger this playbook


@ -0,0 +1,256 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"title": "Add Block Outbound Rule - Zero Networks Acccess Orchestrator",
"description": "This playbook allows blocking an IP outbound from protected assets in Zero Networks Access Orchestrator.",
"mainSteps": [
"1. For the IPs, we add them to a new outbound block rule in Access Orchestrator.",
"2. A comment is added to Microsoft Sentinel incident."
],
"prerequisites": [
"1. Zero Networks custom connector needs to be deployed prior to the deployment of this playbook, in the same resource group and region. Relevant instructions can be found in the connector doc page."
],
"prerequisitesDeployTemplateFile": "../CustomConnector/azuredeploy.json",
"lastUpdateTime": "2022-03-16T00:00:00.000Z",
"entities": [ "Ip" ],
"tags": [ "Remediation" ],
"support": {
"tier": "community"
},
"author": {
"name": "Zero Networks"
}
},
"parameters": {
"Playbook Name": {
"defaultValue": "ZNAcccessOrchestrator-AddBlockOutboundRule",
"type": "String",
"metadata": {
"description": "Name of the Logic App/Playbook"
}
},
"ConnectorName": {
"defaultValue": "ZeroNetworksConnector",
"type": "String",
"metadata": {
"description": "Custom Connector name"
}
}
},
"variables": {
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('Playbook Name'))]",
"ZeroNetworksConnectionName": "[concat('ZeroNetworksConnector-', parameters('Playbook Name'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('ZeroNetworksConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('ConnectorName'))]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('Playbook Name')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('ZeroNetworksConnectionName'))]"
],
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {
"Add_comment_to_incident_(V3)": {
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p>Zero Networks:<br>\nOutbound block rule was created for:<br>\n<br>\n@{variables('IPstoAdd')}</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
},
"runAfter": {
"Create_Outbound_Block_rule": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Create_Outbound_Block_rule": {
"inputs": {
"body": {
"description": "Microsoft Sentinel: @{triggerBody()?['object']?['properties']?['incidentNumber']}-@{triggerBody()?['object']?['properties']?['title']}",
"expiresAt": 0,
"localEntityId": "b:110002",
"localProcessesList": [
"*"
],
"portsList": [
{
"protocolType": 256
}
],
"remoteEntityIdsList": "@variables('IPstoAdd')",
"state": 1
},
"host": {
"connection": {
"name": "@parameters('$connections')['ZeroNetworksConnector']['connectionId']"
}
},
"method": "post",
"path": "/protection/rules/outbound-block"
},
"runAfter": {
"For_each": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Entities_-_Get_IPs": {
"inputs": {
"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/ip"
},
"runAfter": {},
"type": "ApiConnection"
},
"For_each": {
"actions": {
"Append_to_array_variable": {
"inputs": {
"name": "IPstoAdd",
"value": "@body('Encode_IP_Address_to_AssetId')?['id']"
},
"runAfter": {
"Encode_IP_Address_to_AssetId": [
"Succeeded"
]
},
"type": "AppendToArrayVariable"
},
"Encode_IP_Address_to_AssetId": {
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['ZeroNetworksConnector']['connectionId']"
}
},
"method": "get",
"path": "/entities/encode-ip",
"queries": {
"ip": "@items('For_each')?['Address']"
}
},
"runAfter": {},
"type": "ApiConnection"
}
},
"foreach": "@body('Entities_-_Get_IPs')?['IPs']",
"runAfter": {
"Initialize_variable": [
"Succeeded"
]
},
"type": "Foreach"
},
"Initialize_variable": {
"inputs": {
"variables": [
{
"name": "IPstoAdd",
"type": "array"
}
]
},
"runAfter": {
"Entities_-_Get_IPs": [
"Succeeded"
]
},
"type": "InitializeVariable"
}
},
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"Microsoft_Sentinel_incident": {
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/incident-creation"
},
"type": "ApiConnectionWebhook"
}
}
},
"parameters": {
"$connections": {
"value": {
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "[variables('AzureSentinelConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
},
"ZeroNetworksConnector": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('ZeroNetworksConnectionName'))]",
"connectionName": "[variables('ZeroNetworksConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('ConnectorName'))]"
}
}
}
}
}
}
]
}
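Review bot: The workflow resource declares no `identity`, yet its `azuresentinel` connection is configured with `"authentication": { "type": "ManagedServiceIdentity" }`; without a managed identity the Sentinel actions (`Entities_-_Get_IPs`, `Add_comment_to_incident_(V3)`) have nothing to authenticate with. The sibling AddAssettoProtection template in this commit carries `"identity": { "type": "SystemAssigned" }` on the workflow together with the `hidden-SentinelTemplateName`/`hidden-SentinelTemplateVersion` tags; both belong here as well. If the incident has no IP entities, `IPstoAdd` stays empty and `Create_Outbound_Block_rule` is still called with an empty `remoteEntityIdsList`; a condition on `length(variables('IPstoAdd'))` before the call would avoid creating an empty rule. `Create_Outbound_Block_rule` also hard-codes `"localEntityId": "b:110002"` and `"protocolType": 256` with no explanation; a sentence in `metadata.description` naming what that entity id denotes (presumably a built-in group covering all protected assets) and whether `"expiresAt": 0` means the rule never expires would save the next maintainer a lookup.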



@ -0,0 +1,40 @@
# Zero Networks Acccess Orchestrator - Add Block Outbound Rule
## Summary
This playbook allows blocking an IP outbound from protected assets in Zero Networks Access Orchestrator.
When a new Sentinel incident is created, this playbook gets triggered and performs below actions
1. For the IPs, we add them to a new outbound block rule in Access Orchestrator.
2. A comment is added to Microsoft Sentinel incident.
**Playbook overview:**
![playbook overview](./images/designerDark.png)
### Prerequisites
1. Zero Networks custom connector needs to be deployed prior to the deployment of this playbook, in the same resource group and region. Relevant instructions can be found in the connector doc page.
### Deployment instructions
1. Deploy the playbook by clicking on "Depoly to Azure" button. This will take you to deplyoing an ARM Template wizard.
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FZeroNetworks%2FPlaybooks%2FZeroNetworksAcccessOrchestrator-AddBlockOutboundRule%2Fazuredeploy.json)
[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FZeroNetworks%2FPlaybooks%2FZeroNetworksAcccessOrchestrator-AddBlockOutboundRule%2Fazuredeploy.json)
2. Fill in the required paramteres:
* Playbook Name: Enter the playbook name here (ex:ZNAcccessOrchestrator-AddBlockOutboundRule)
* Connector name : Enter the name of the Zero Networks custom connector (default value:ZeroNetworksConnector)
### Post-Deployment instructions
#### a. Authorize connections
Once deployment is complete, you will need to authorize each connection.
1. Click the Microsoft Sentinel connection resource
2. Click edit API connection
3. Click Authorize
4. Sign in
5. Click Save
6. Repeat steps for other connections such as Zero Networks
#### c. Configurations in Microsoft Sentinel
1. In Microsoft Sentinel, analytical rules should be configured to trigger an incident with IP Entity.
2. Configure the automation rules to trigger this playbook


@ -0,0 +1,257 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"title": "Enrich Incident - Zero Networks Acccess Orchestrator",
"description": "This playbook will take each Host entity and get its Asset status from Zero Network Access Orchestrator. The playbook will then write a comment to the Microsoft Sentinel incident with a table of assets and protection statuses.",
"mainSteps": [
"1. For the hosts, we get their asset satus from the REST API.",
"2. A comment is added to Azure Sentinel incident."
],
"prerequisites": [
"1. Zero Networks custom connector needs to be deployed prior to the deployment of this playbook, in the same resource group and region. Relevant instructions can be found in the connector doc page."
],
"prerequisitesDeployTemplateFile": "../CustomConnector/azuredeploy.json",
"lastUpdateTime": "2022-03-15T00:00:00.000Z",
"entities": [ "Host" ],
"tags": [ "Enrichment" ],
"support": {
"tier": "community"
},
"author": {
"name": "Zero Networks"
}
},
"parameters": {
"Playbook Name": {
"defaultValue": "ZeroNetworksAcccessOrchestrator-EnrichIncident",
"type": "String",
"metadata": {
"description": "Name of the Logic Apps resource to be created"
}
},
"ConnectorName": {
"defaultValue": "ZeroNetworksConnector",
"type": "String",
"metadata": {
"description": "Custom Connector name"
}
}
},
"variables": {
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('Playbook Name'))]",
"ZeroNetworksConnectionName": "[concat('ZeroNetworksConnector-', parameters('Playbook Name'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"kind": "V1",
"properties": {
"displayName": "[variables('AzureSentinelConnectionName')]",
"customParameterValues": {},
"parameterValueType": "Alternative",
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('ZeroNetworksConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('ConnectorName'))]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('Playbook Name')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('ZeroNetworksConnectionName'))]"
],
"tags": {
"hidden-SentinelTemplateName": "ZeroNetworksAcccessOrchestrator-EnrichIncident",
"hidden-SentinelTemplateVersion": "1.0"
},
"identity": {
"type": "SystemAssigned"
},
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {
"Add_comment_to_incident_(V3)": {
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p>Zero Networks Asset Protection Status:<br>\n@{body('Create_HTML_table')}<br>\n1 = Not Protected, 2 = Learning, 3 &nbsp;= Protected</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
},
"runAfter": {
"Create_HTML_table": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Create_HTML_table": {
"inputs": {
"format": "HTML",
"from": "@variables('Assets')"
},
"runAfter": {
"For_each": [
"Succeeded"
]
},
"type": "Table"
},
"Entities_-_Get_Hosts": {
"inputs": {
"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/host"
},
"runAfter": {
"Initialize_variable": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"For_each": {
"actions": {
"For_each_2": {
"actions": {
"Append_to_array_variable": {
"inputs": {
"name": "Assets",
"value": {
"AssetId": "@{items('For_each_2')?['name']}",
"ProtectionStatus": "@{items('For_each_2')?['protectionState']}"
}
},
"runAfter": {},
"type": "AppendToArrayVariable"
}
},
"foreach": "@body('Search_Asset')?['items']",
"runAfter": {
"Search_Asset": [
"Succeeded"
]
},
"type": "Foreach"
},
"Search_Asset": {
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['ZeroNetworksConnector']['connectionId']"
}
},
"method": "get",
"path": "/assets",
"queries": {
"_limit": 400,
"_search": "@items('For_each')?['HostName']"
}
},
"runAfter": {},
"type": "ApiConnection"
}
},
"foreach": "@body('Entities_-_Get_Hosts')?['Hosts']",
"runAfter": {
"Entities_-_Get_Hosts": [
"Succeeded"
]
},
"type": "Foreach"
},
"Initialize_variable": {
"inputs": {
"variables": [
{
"name": "Assets",
"type": "array"
}
]
},
"runAfter": {},
"type": "InitializeVariable"
}
},
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"Microsoft_Sentinel_incident": {
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/incident-creation"
},
"type": "ApiConnectionWebhook"
}
}
},
"parameters": {
"$connections": {
"value": {
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "[variables('AzureSentinelConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
},
"ZeroNetworksConnector": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('ZeroNetworksConnectionName'))]",
"connectionName": "[variables('ZeroNetworksConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('ConnectorName'))]"
}
}
}
}
}
}
]
}
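Review bot: `Search_Asset` is a substring lookup — `_search` is set to the entity's `HostName` with `_limit: 400` — and `For_each_2` appends every returned item to `Assets` unfiltered, so an incident on `web01` would also report `web01-test`, `web010` and similar names, and a Host entity that has no `HostName` sends an empty `_search` that may return up to 400 unrelated assets (depends on how the Zero Networks API treats an empty search; confirm). The analyst then reads protection statuses for hosts that are not part of the incident, and the comment posted by `Add_comment_to_incident_(V3)` gives no hint of that. Gate `Search_Asset` on `@not(empty(items('For_each')?['HostName']))` and only append rows whose returned `name` matches the entity, e.g. wrap `Append_to_array_variable` in a Condition on `@equals(toLower(items('For_each_2')?['name']), toLower(items('For_each')?['HostName']))` (this assumes `name` is the asset's hostname — verify against the connector's `/assets` schema). The hard-coded legend `1 = Not Protected, 2 = Learning, 3 = Protected` in the comment body should likewise be checked against the current `protectionState` enum, since a silently shifted value would mislabel an unprotected host as protected.
```json
"For_each_2": {
  "actions": {
    "Condition_-_Exact_host_match": {
      "type": "If",
      "expression": {
        "and": [
          {
            "equals": [
              "@toLower(items('For_each_2')?['name'])",
              "@toLower(items('For_each')?['HostName'])"
            ]
          }
        ]
      },
      "actions": {
        "Append_to_array_variable": {
          "inputs": {
            "name": "Assets",
            "value": {
              "AssetId": "@{items('For_each_2')?['name']}",
              "ProtectionStatus": "@{items('For_each_2')?['protectionState']}"
            }
          },
          "runAfter": {},
          "type": "AppendToArrayVariable"
        }
      },
      "runAfter": {}
    }
  },
  "foreach": "@body('Search_Asset')?['items']",
  "runAfter": {
    "Search_Asset": [
      "Succeeded"
    ]
  },
  "type": "Foreach"
}
```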


@ -0,0 +1,42 @@
# Zero Networks Access Orchestrator - Enrich Incident
## Summary
This playbook will take each Host entity and get its Asset status from Zero Network Access Orchestrator. The playbook will then write a comment to the Microsoft Sentinel incident with a table of assets and protection statuses.
When a new Microsoft Sentinel incident is created,this playbook gets triggered and performs below actions
1. For the hosts, we get their asset satus from the REST API.
2. A comment is added to Azure Sentinel incident.
**Playbook overview:**
![playbook overview](./images/designerLight.png)
### Prerequisites
1. Zero Networks custom connector needs to be deployed prior to the deployment of this playbook, in the same resource group and region. Relevant instructions can be found in the connector doc page.
### Deployment instructions
1. Deploy the playbook by clicking on "Depoly to Azure" button. This will take you to deplyoing an ARM Template wizard.
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FZeroNetworks%2FZeroNetworksAcccessOrchestrator-EnrichIncident%2Fazuredeploy.json)
[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FZeroNetworks%2FZeroNetworksAcccessOrchestrator-EnrichIncident%2Fazuredeploy.json)
2. Fill in the required paramteres:
* Playbook Name: Enter the playbook name here (ex:ZeroNetworksAcccessOrchestrator-EnrichIncident)
* Zero Networks Connector name : Enter the name of the Zero Networks custom connector (default value:ZeroNetworksConnector)
### Post-Deployment instructions
#### a. Authorize connections
Once deployment is complete, you will need to authorize each connection.
1. Click the Microsoft Sentinel connection resource
2. Click edit API connection
3. Click Authorize
4. Sign in
5. Click Save
6. Repeat steps for other connections such as Zero Networks
#### c. Configurations in Microsoft Sentinel
1. In Microsoft Sentinel, analytical rules should be configured to trigger an incident with Hosts Entity.
2. Configure the automation rules to trigger this playbook


@ -0,0 +1,56 @@
# Zero Networks Logic Apps connector and playbook templates
![Zero Networks](./Images/ZeroNetworks.png)<br>
## Table of Contents
1. [Overview](#overview)
1. [Prerequisites](#prerequisites)
1. [Deployment](#deployment)
1. [References](#references)
<a name="overview"></a>
# Overview
This integration allows automated response to Microsoft Sentinel incidents. It contains the basic connector component, with which you can create your own playbooks that interact with Zero Networks. It also contains 3 playbook templates, ready to quick use, that allow direct response.
<a name="prerequisites"></a>
# Prerequisites
### Authentication
The custom connector supports **api authentication**. In Zero Networks Access Orcheator create an api token. Depending on the playbook used the the token may need Admin privleges.
<br><br>
### Options to establish a connection with Zero Networks Access Orcheator
The connector needs to be able to reach the Zero Networks Access Orcheator REST API over the internet.
<a name="deployment"></a>
# Deployment instructions
## 1. Deploy the custom connector
Custom connector should be deployed in the Resource Group where the playbooks that will include it are located.
<br>
1. Deploy the Custom Connector by clicking on "Deploy to Azure" button. This will take you to deplyoing an ARM Template wizard.
2. Fill in the required paramteres:
* Connector name: Please enter the custom connector(ex:ZNAccessOrchestratorConnector)
* Uri: The URL to the REST API (you should not have to change this)
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FZeroNetworks%2FPlaybooks%2FCustomConnector%2Fazuredeploy.json" target="_blank">
<img src="https://aka.ms/deploytoazurebutton"/>
</a>
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FZeroNetworks%2FPlaybooks%2FCustomConnector%2Fazuredeploy.json" target="_blank">
<img src="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png"/>
</a>
<br><br>
## 2. Deploy the required playbook template (or create your own playbook from scratch)
This integration offers 3 playbook templates. Each one has it's own documentation an quick deployment button:
* [ZeroNetworksAcccessOrchestrator-EnrichIncident](./ZeroNetworksAcccessOrchestrator-EnrichIncident#deployment-instructions)
* [ZeroNetworksAcccessOrchestrator-AddAssettoProtection](./ZeroNetworksAcccessOrchestrator-AddAssettoProtection#deployment-instructions)
* [ZeroNetworksAcccessOrchestrator-AddBlockOutboundRule](./ZeroNetworksAcccessOrchestrator-AddBlockOutboundRule#deployment-instructions)


@ -0,0 +1,419 @@
{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "**NOTE**: This workbook depends on a parser based on Kusto Function **ZNAccessOrchestratorAudit** to work as expected. [Follow steps to get this Kusto Function](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/ZeroNetworks/Parsers/ZNAccessOrchestratorAuditAudit.txt)"
},
"name": "text - 8"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "cd8447d9-b096-4673-92d8-2a1e8291a125",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"description": "Sets the time name for analysis",
"value": {
"durationMs": 604800000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 900000
},
{
"durationMs": 3600000
},
{
"durationMs": 86400000
},
{
"durationMs": 604800000
},
{
"durationMs": 2592000000
},
{
"durationMs": 7776000000
}
]
},
"timeContext": {
"durationMs": 86400000
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 11"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ZNAccessOrchestratorAudit\r\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};",
"size": 0,
"title": "Audit Events Over Time",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart",
"graphSettings": {
"type": 0
}
},
"customWidth": "55",
"name": "query - 12",
"styleSettings": {
"maxWidth": "55"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ZNAccessOrchestratorAudit\r\n| where isnotempty(EnforcementSource) \r\n| summarize count() by EnforcementSource\r\n| join kind = inner (ZNAccessOrchestratorAudit \r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by EnforcementSource) on EnforcementSource\r\n| project-away EnforcementSource1, TimeGenerated\r\n| project count_, EnforcementSource, Trend\r\n",
"size": 3,
"title": "Enforcement Source",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "EnforcementSource",
"formatter": 1
},
"leftContent": {
"columnMatch": "count_",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"maximumFractionDigits": 2,
"maximumSignificantDigits": 3
}
}
},
"secondaryContent": {
"columnMatch": "Trend",
"formatter": 21,
"formatOptions": {
"palette": "blue"
}
},
"showBorder": false
}
},
"customWidth": "30",
"name": "query - 0",
"styleSettings": {
"maxWidth": "30"
}
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ZNAccessOrchestratorAudit\r\n| summarize dcount(EnforcementSource)",
"size": 3,
"title": "Enforcement Sources",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "card",
"tileSettings": {
"showBorder": false
},
"graphSettings": {
"type": 0
},
"mapSettings": {
"locInfo": "LatLong",
"sizeSettings": "DstPortNumber",
"sizeAggregation": "Sum",
"legendMetric": "DstPortNumber",
"legendAggregation": "Sum",
"itemColorSettings": {
"type": "heatmap",
"colorAggregation": "Sum",
"nodeColorField": "DstPortNumber",
"heatmapPalette": "greenRed"
}
},
"textSettings": {
"style": "bignumber"
}
},
"name": "query - 14"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ZNAccessOrchestratorAudit\r\n| summarize dcount(tostring(DestinationEntityName))\r\n",
"size": 3,
"title": "Destination Entities",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "card",
"textSettings": {
"style": "bignumber"
}
},
"name": "query - 12"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ZNAccessOrchestratorAudit\n| where isnotempty(PerformedByName)\n| summarize dcount(PerformedByName)",
"size": 3,
"title": "Users",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "card",
"textSettings": {
"style": "bignumber"
}
},
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ZNAccessOrchestratorAudit\n| count",
"size": 3,
"title": "Operations",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "card",
"textSettings": {
"style": "bignumber"
}
},
"name": "query - 3"
}
]
},
"customWidth": "15",
"name": "group - 13"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ZNAccessOrchestratorAudit\r\n| where isnotempty(AuditType) \r\n| summarize count() by AuditType\r\n| top 3 by count_",
"size": 3,
"title": "Top 3 Audit Types",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "EventMessage",
"formatter": 1
},
"leftContent": {
"columnMatch": "count_",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"customWidth": "27",
"name": "query - 3",
"styleSettings": {
"margin": "10",
"padding": "10"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": " ZNAccessOrchestratorAudit\r\n | where isnotempty(PerformedByName) and PerformedByName != \"Zero Networks\"\r\n | summarize count() by PerformedByName\r\n | top 3 by count_\r\n",
"size": 3,
"title": "Top 3 Users",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "27",
"name": "query - 9"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ZNAccessOrchestratorAudit\r\n| where isnotempty(PerformedByName) and PerformedByName != \"Zero Networks\"\r\n| summarize count() by PerformedByName, AuditType\r\n| project PerformedByName, AuditType, EventCount=count_\r\n| sort by EventCount desc \r\n",
"size": 0,
"title": "User activity",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table"
},
"customWidth": "46",
"name": "query - 15",
"styleSettings": {
"maxWidth": "30"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ZNAccessOrchestratorAudit\r\n| where isnotempty(PerformedByName) and PerformedByName != \"Zero Networks\"\r\n| where isnotempty(tostring(DestinationEntityName)) \r\n| summarize DestinationEntities = makeset(DestinationEntityName) by PerformedByName\r\n",
"size": 0,
"title": "Destination Entities by User",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table"
},
"customWidth": "35",
"name": "query - 10",
"styleSettings": {
"maxWidth": "30"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ZNAccessOrchestratorAudit\r\n| summarize count() by EnforcementSource",
"size": 0,
"title": "Enforcement Sources",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart"
},
"customWidth": "55",
"name": "query - 13",
"styleSettings": {
"maxWidth": "50"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ZNAccessOrchestratorAudit\r\n| summarize count() by AuditType\r\n",
"size": 3,
"title": "Audit Types",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"gridSettings": {
"rowLimit": 100,
"filter": true
}
},
"customWidth": "30",
"name": "query - 12"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ZNAccessOrchestratorAudit\n| where isnotempty(PerformedByName) and PerformedByName != \"Zero Networks\"\n| summarize count() by PerformedByName",
"size": 3,
"title": "Users' Activity",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "30",
"name": "query - 11"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ZNAccessOrchestratorAudit\n| where isnotempty(PerformedByName) and PerformedByName != \"Zero Networks\"\n| summarize count() by PerformedByName\n| order by count_\n| project PerformedByName, EventCount=count_",
"size": 0,
"title": "Events by user",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table"
},
"customWidth": "40",
"name": "query - 12"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ZNAccessOrchestratorAudit\r\n| make-series Rule=countif(isnotnull(Rule)), ReactivePolicy=countif(isnotnull(ReactivePolicy))default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};\r\n",
"size": 0,
"title": "Rules vs Reactive Policies over Time",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "linechart"
},
"customWidth": "50",
"name": "query - 13",
"styleSettings": {
"maxWidth": "60"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ZNAccessOrchestratorAudit\r\n| extend Type=iif(isnotnull(Rule), \"Rule\", iff(isnotnull(ReactivePolicy), \"ReactivePolicy\", \"Other\"))\r\n| summarize count() by Type",
"size": 3,
"title": "Cont of Rules vs Reactive Policies",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "50",
"name": "query - 14",
"styleSettings": {
"maxWidth": "40"
}
}
],
"fromTemplateId": "sentinel-ZNAccessOchestratorAudit",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}
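Review bot: Two tiles ignore the `TimeRange` parameter: the `Enforcement Sources` card (`query - 14`, `summarize dcount(EnforcementSource)`) and the `User activity` table (`query - 15`) have no `"timeContextFromParameter": "TimeRange"` while every sibling item sets it, so they render over the workbook's default window and disagree with the tiles beside them. Add `"timeContextFromParameter": "TimeRange",` to both items' `content`. The intro text links the parser as `Parsers/ZNAccessOrchestratorAuditAudit.txt` (doubled `Audit`), which looks like a typo for `ZNAccessOrchestratorAudit.txt` — verify the path in the solution's Parsers folder, since the note tells users the workbook depends on it. Minor: `"title": "Cont of Rules vs Reactive Policies"` should read `"Count of Rules vs Reactive Policies"`, and `"fromTemplateId": "sentinel-ZNAccessOchestratorAudit"` drops the `r` in Orchestrator, which is harmless only if that id is used consistently wherever the template is referenced.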


@ -1990,5 +1990,44 @@
"templateRelativePath": "OracleDatabaseAudit.json",
"subtitle": "",
"provider": "Oracle"
},
{
"workbookKey": "SenservaProAnalyticsWorkbook",
"logoFileName": "SenservaPro_logo.svg",
"description": "Sets the time name for analysis",
"dataTypesDependencies": [ "SenservaPro_CL" ],
"dataConnectorsDependencies": [ "SenservaPro" ],
"previewImagesFileNames": [ "SenservaProAnalyticsBlack.png", "SenservaProAnalyticsWhite.png" ],
"version": "1.0.0",
"title": "SenservaPro",
"templateRelativePath": "SenservaProAnalyticsWorkbook.json",
"subtitle": "",
"provider": "Senserva Pro"
},
{
"workbookKey": "SenservaProMultipleWorkspaceWorkbook",
"logoFileName": "SenservaPro_logo.svg",
"description": "Sets the time name for analysis",
"dataTypesDependencies": [ "SenservaPro_CL" ],
"dataConnectorsDependencies": [ "SenservaPro" ],
"previewImagesFileNames": [ "SenservaProMultipleWorkspaceWorkbookBlack.png", "SenservaProMultipleWorkspaceWorkbookWhite.png" ],
"version": "1.0.0",
"title": "SenservaPro",
"templateRelativePath": "SenservaProMultipleWorkspaceWorkbook.json",
"subtitle": "",
"provider": "Senserva Pro"
},
{
"workbookKey": "SenservaProSecureScoreMultiTenantWorkbook",
"logoFileName": "SenservaPro_logo.svg",
"description": "Sets the time name for analysis",
"dataTypesDependencies": [ "SenservaPro_CL" ],
"dataConnectorsDependencies": [ "SenservaPro" ],
"previewImagesFileNames": [ "SenservaProSecureScoreMultiTenantBlack.png", "SenservaProSecureScoreMultiTenantWhite.png" ],
"version": "1.0.0",
"title": "SenservaPro",
"templateRelativePath": "SenservaProSecureScoreMultiTenantWorkbook.json",
"subtitle": "",
"provider": "Senserva Pro"
}
]
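Review bot: All three new Senserva entries carry `"description": "Sets the time name for analysis"`, which is the wording of a time-range picker parameter rather than a description of a workbook, and all three share `"title": "SenservaPro"`, so the gallery would list three identically named workbooks with a meaningless blurb. Give each entry a distinct title (the `workbookKey` values `SenservaProAnalyticsWorkbook`, `SenservaProMultipleWorkspaceWorkbook` and `SenservaProSecureScoreMultiTenantWorkbook` already suggest the wording) and a one-sentence description of what each workbook shows. These entries appear unrelated to the Zero Networks changes and presumably arrived through the merge; they should still be corrected before the metadata is published.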