add more content

Workbook+4 analytic rules
2022-02-28 12:02:40 +02:00 · 2022-02-28 12:02:40 +02:00 · cd94d249a2
--- a/Solutions/GitHub/Data
+++ b/Solutions/GitHub/Data
@ -0,0 +1,121 @@
+{
+	"kind": "APIPolling",
+	"properties": {
+		"connectorUiConfig": {
+			"id": "GitHubEcAuditLogPolling",
+			"title": "GitHub Enterprise Audit Log",
+			"publisher": "GitHub",
+			"descriptionMarkdown": "The GitHub audit log connector provides the capability to ingest GitHub logs into Azure Sentinel. By connecting GitHub audit logs into Azure Sentinel, you can view this data in workbooks, use it to create custom alerts, and improve your investigation process.",
+			"graphQueriesTableName": "GitHubAuditLogPolling_CL",
+			"graphQueries": [
+				{
+					"metricName": "Total events received",
+					"legend": "GitHub audit log events",
+					"baseQuery": "{{graphQueriesTableName}}"
+				}
+			],
+			"sampleQueries": [
+				{
+					"description": "All logs",
+					"query": "{{graphQueriesTableName}}\n | take 10"
+				}
+			],
+			"dataTypes": [
+				{
+					"name": "{{graphQueriesTableName}}",
+					"lastDataReceivedQuery": "{{graphQueriesTableName}}\n            | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
+				}
+			],
+			"connectivityCriterias": [
+				{
+					"type": "SentinelKindsV2",
+					"value": []
+				}
+			],
+			"availability": {
+				"status": 1,
+				"isPreview": true
+			},
+			"permissions": {
+				"resourceProvider": [
+					{
+						"provider": "Microsoft.OperationalInsights/workspaces",
+						"permissionsDisplayText": "read and write permissions are required.",
+						"providerDisplayName": "Workspace",
+						"scope": "Workspace",
+						"requiredPermissions": {
+							"write": true,
+							"read": true,
+							"delete": true
+						}
+					}
+				],
+				"customs": [
+					{
+						"name": "GitHub API personal token Key",
+						"description": "You need access to GitHub personal token, the key should have 'admin:org' scope"
+					}
+				]
+			},
+			"instructionSteps": [
+				{
+					"title": "Connect GitHub Enterprise Audit Log to Azure Sentinel",
+					"description": "Enable GitHub audit Logs. \n Follow [this](https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/creating-a-personal-access-token) to create or find your personal key",
+					"instructions": [
+						{
+							"parameters": {
+								"enable": "true",
+								"userRequestPlaceHoldersInput": [
+									{
+										"displayText": "Organization Name",
+										"requestObjectKey": "apiEndpoint",
+										"placeHolderName": "{{placeHolder1}}",
+										"placeHolderValue": ""
+									}
+								]
+							},
+							"type": "APIKey"
+						}
+					]
+				}
+			]
+		},
+		"pollingConfig": {
+			"owner": "ASI",
+			"version": "2.0",
+			"source": "PaaS",
+			"templateFilePath": "",
+			"templateFileName": "",
+			"auth": {
+				"authType": "APIKey",
+				"APIKeyName": "Authorization",
+				"APIKeyIdentifier": "token"
+			},
+			"request": {
+				"apiEndpoint": "https://api.github.com/organizations/{{placeHolder1}}/audit-log",
+				"rateLimitQPS": 50,
+				"queryWindowInMin": 15,
+				"httpMethod": "Get",
+				"queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+				"retryCount": 2,
+				"timeoutInSeconds": 60,
+				"headers": {
+					"Accept": "application/json",
+					"User-Agent": "Scuba"
+				},
+				"queryParameters": {
+					"phrase": "created:{_QueryWindowStartTime}..{_QueryWindowEndTime}"
+				}
+			},
+			"paging": {
+				"pagingType": "LinkHeader",
+				"pageSizeParaName": "per_page"
+			},
+			"response": {
+				"eventsJsonPaths": [
+					"$"
+				]
+			}
+		}
+	}
+}
--- a/Solutions/GitHub/Detections/GH_SentinelRnalyticsRules.yaml
+++ b/Solutions/GitHub/Detections/GH_SentinelRnalyticsRules.yaml
@ -0,0 +1,163 @@
+---
+"$schema": https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#
+contentVersion: 1.0.0.0
+parameters:
+  workspace:
+    type: String
+resources:
+- id: "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'),
+    'Microsoft.SecurityInsights'),'/alertRules/0b85a077-8ba5-4cb5-90f7-1e882afe10c4')]"
+  name: "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0b85a077-8ba5-4cb5-90f7-1e882afe10c4')]"
+  type: Microsoft.OperationalInsights/workspaces/providers/alertRules
+  kind: Scheduled
+  apiVersion: 2021-09-01-preview
+  properties:
+    displayName: "(Preview) GitHub - A payment method was removed"
+    description: This analytic alerts us everytime a payment method was removed, it
+      runs every 6 hours and its severity is Medium.
+    severity: Medium
+    enabled: false
+    query: "GitHubAuditLogPolling_CL\r\n| where action_s == \"payment_method.remove\""
+    queryFrequency: PT6H
+    queryPeriod: PT6H
+    triggerOperator: GreaterThan
+    triggerThreshold: 0
+    suppressionDuration: PT1H
+    suppressionEnabled: false
+    tactics:
+    - Persistence
+    - Exfiltration
+    - DefenseEvasion
+    techniques: []
+    alertRuleTemplateName:
+    incidentConfiguration:
+      createIncident: true
+      groupingConfiguration:
+        enabled: false
+        reopenClosedIncident: false
+        lookbackDuration: PT5M
+        matchingMethod: AllEntities
+        groupByEntities: []
+        groupByAlertDetails:
+        groupByCustomDetails:
+    eventGroupingSettings:
+    alertDetailsOverride:
+    customDetails:
+    entityMappings:
+- id: "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'),
+    'Microsoft.SecurityInsights'),'/alertRules/0b85a077-8ba5-4cb5-90f7-1e882afe10c5')]"
+  name: "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0b85a077-8ba5-4cb5-90f7-1e882afe10c5')]"
+  type: Microsoft.OperationalInsights/workspaces/providers/alertRules
+  kind: Scheduled
+  apiVersion: 2021-09-01-preview
+  properties:
+    displayName: "(Preview) GitHub - Oauth application - a client secret was removed"
+    description: This analytic alerts us everytime a client sevret was removed, it
+      runs every 6 hours and its severity is Medium.
+    severity: Medium
+    enabled: false
+    query: "GitHubAuditLogPolling_CL\r\n| where action_s == \"oauth_application.remove_client_secret\""
+    queryFrequency: PT6H
+    queryPeriod: PT6H
+    triggerOperator: GreaterThan
+    triggerThreshold: 0
+    suppressionDuration: PT1H
+    suppressionEnabled: false
+    tactics:
+    - Persistence
+    - Exfiltration
+    - DefenseEvasion
+    techniques: []
+    alertRuleTemplateName:
+    incidentConfiguration:
+      createIncident: true
+      groupingConfiguration:
+        enabled: false
+        reopenClosedIncident: false
+        lookbackDuration: PT5M
+        matchingMethod: AllEntities
+        groupByEntities: []
+        groupByAlertDetails:
+        groupByCustomDetails:
+    eventGroupingSettings:
+    alertDetailsOverride:
+    customDetails:
+    entityMappings:
+- id: "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'),
+    'Microsoft.SecurityInsights'),'/alertRules/0b85a077-8ba5-4cb5-90f7-1e882afe10c3')]"
+  name: "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0b85a077-8ba5-4cb5-90f7-1e882afe10c3')]"
+  type: Microsoft.OperationalInsights/workspaces/providers/alertRules
+  kind: Scheduled
+  apiVersion: 2021-09-01-preview
+  properties:
+    displayName: "(Preview) GitHub - Repository was destroyed"
+    description: This analytic alerts us everytime a repository was destroyed, it
+      runs every 6 hours and its severity is Medium.
+    severity: Medium
+    enabled: false
+    query: "GitHubAuditLogPolling_CL\r\n| where action_s == \"repo.destroy\""
+    queryFrequency: PT6H
+    queryPeriod: PT6H
+    triggerOperator: GreaterThan
+    triggerThreshold: 0
+    suppressionDuration: PT1H
+    suppressionEnabled: false
+    tactics:
+    - Persistence
+    - Exfiltration
+    - DefenseEvasion
+    techniques: []
+    alertRuleTemplateName:
+    incidentConfiguration:
+      createIncident: true
+      groupingConfiguration:
+        enabled: false
+        reopenClosedIncident: false
+        lookbackDuration: PT5M
+        matchingMethod: AllEntities
+        groupByEntities: []
+        groupByAlertDetails:
+        groupByCustomDetails:
+    eventGroupingSettings:
+    alertDetailsOverride:
+    customDetails:
+    entityMappings:
+- id: "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'),
+    'Microsoft.SecurityInsights'),'/alertRules/0b85a077-8ba5-4cb5-90f7-1e882afe10c2')]"
+  name: "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0b85a077-8ba5-4cb5-90f7-1e882afe10c2')]"
+  type: Microsoft.OperationalInsights/workspaces/providers/alertRules
+  kind: Scheduled
+  apiVersion: 2021-09-01-preview
+  properties:
+    displayName: "(Preview) GitHub - Repository was created"
+    description: This analytic alerts us everytime a repository is created, it runs
+      every 6 hours and its severity is low.
+    severity: Low
+    enabled: false
+    query: "GitHubAuditLogPolling_CL\r\n| where action_s == \"repo.create\""
+    queryFrequency: PT6H
+    queryPeriod: PT6H
+    triggerOperator: GreaterThan
+    triggerThreshold: 0
+    suppressionDuration: PT1H
+    suppressionEnabled: false
+    tactics:
+    - Persistence
+    - Exfiltration
+    - DefenseEvasion
+    techniques: []
+    alertRuleTemplateName:
+    incidentConfiguration:
+      createIncident: true
+      groupingConfiguration:
+        enabled: false
+        reopenClosedIncident: false
+        lookbackDuration: PT5M
+        matchingMethod: AllEntities
+        groupByEntities: []
+        groupByAlertDetails:
+        groupByCustomDetails:
+    eventGroupingSettings:
+    alertDetailsOverride:
+    customDetails:
+    entityMappings:
--- a/Solutions/GitHub/Workbooks/Github
+++ b/Solutions/GitHub/Workbooks/Github
@ -0,0 +1,156 @@
+{
+  "version": "Notebook/1.0",
+  "items": [
+    {
+      "type": 1,
+      "content": {
+        "json": "## GitHub - Security\n"
+      },
+      "name": "text - 2"
+    },
+    {
+      "type": 9,
+      "content": {
+        "version": "KqlParameterItem/1.0",
+        "parameters": [
+          {
+            "id": "a9923eb9-9a02-4a48-bb72-e9be338eeb3b",
+            "version": "KqlParameterItem/1.0",
+            "name": "TimeRange",
+            "type": 4,
+            "value": {
+              "durationMs": 1209600000
+            },
+            "typeSettings": {
+              "selectableValues": [
+                {
+                  "durationMs": 300000
+                },
+                {
+                  "durationMs": 900000
+                },
+                {
+                  "durationMs": 1800000
+                },
+                {
+                  "durationMs": 3600000
+                },
+                {
+                  "durationMs": 14400000
+                },
+                {
+                  "durationMs": 43200000
+                },
+                {
+                  "durationMs": 86400000
+                },
+                {
+                  "durationMs": 172800000
+                },
+                {
+                  "durationMs": 259200000
+                },
+                {
+                  "durationMs": 604800000
+                },
+                {
+                  "durationMs": 1209600000
+                },
+                {
+                  "durationMs": 2419200000
+                },
+                {
+                  "durationMs": 2592000000
+                },
+                {
+                  "durationMs": 5184000000
+                },
+                {
+                  "durationMs": 7776000000
+                }
+              ]
+            }
+          }
+        ],
+        "style": "pills",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces"
+      },
+      "name": "parameters - 2"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "GitHubAuditLogPolling_CL \n| extend TimeGenerated = created_at_d\n| where action_s == \"org.add_member\" or action_s == \"org.remove_member\"\n| extend MemberName = actor_s\n| extend Action = iif(action_s==\"org.add_member\", \"Added\", \"Removed\")\n| extend Organization = org_s\n| sort by TimeGenerated desc\n| project MemberName, Action, Organization\n",
+        "size": 1,
+        "title": "Members Added or Removed",
+        "timeContext": {
+          "durationMs": 11318400000,
+          "endTime": "2021-08-10T16:00:00.000Z"
+        },
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "sortBy": []
+      },
+      "customWidth": "50",
+      "name": "membersaddedorremoved"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "GitHubAuditLogPolling_CL \r\n| extend TimeGenerated = created_at_d\r\n| where action_s == \"repo.create\"\r\n| extend RepoName = repo_s\r\n| extend Actor = actor_s\r\n| extend Private = visibility_s\r\n| sort by TimeGenerated desc\r\n| project RepoName, Actor, Private\r\n\r\n\r\n\r\n",
+        "size": 0,
+        "title": "Repositories Created",
+        "timeContext": {
+          "durationMs": 15116400000,
+          "endTime": "2021-08-10T16:04:00.000Z"
+        },
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces"
+      },
+      "customWidth": "50",
+      "name": "repositoriescreated"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "GitHubAuditLogPolling_CL\r\n| extend TimeGenerated = created_at_d\r\n| where action_s == \"team.add_repository\" or action_s == \"team.remove_repository\"\r\n| extend Organization = org_s\r\n| extend RepoName = repo_s\r\n| extend Action = iif(action_s==\"team.add_repository\", \"Added\", \"Removed\")\r\n| sort by TimeGenerated desc\r\n| project Organization, RepoName, Action",
+        "size": 0,
+        "title": "Teams Added/Removed Repository",
+        "timeContext": {
+          "durationMs": 37411200000,
+          "endTime": "2021-08-10T16:06:00.000Z"
+        },
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces"
+      },
+      "customWidth": "50",
+      "name": "teamsaddedremovedtorepository"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "GitHubAuditLogPolling_CL \r\n| extend TimeGenerated = created_at_d\r\n| where action_s == \"repo.access\"  and visibility_s == \"PUBLIC\"\r\n| extend Organiation = org_s\r\n| extend Repo = repo_s\r\n| extend Actor = actor_s\r\n| sort by TimeGenerated desc\r\n| project Organiation, Repo, Actor\r\n",
+        "size": 0,
+        "title": "Private Repos made Public",
+        "timeContext": {
+          "durationMs": 19263600000,
+          "endTime": "2021-08-10T16:08:00.000Z"
+        },
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces"
+      },
+      "customWidth": "50",
+      "name": "privatereposmadepublic"
+    }
+  ],
+  "fallbackResourceIds": [
+    "/subscriptions/fdee8146-8bcf-460f-86f3-3f788c285efd/resourcegroups/p_yoavdaniely/providers/microsoft.operationalinsights/workspaces/saplookalike"
+  ],
+  "fromTemplateId": "sentinel-GitHubSecurity",
+  "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
+}