Repackaged - Digital Guardian Data Loss Prevention
This commit is contained in:
Родитель
4f976d7966
Коммит
cf84d360e1
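--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -1,35 +1,38 @@
-id: b52cda18-c1af-40e5-91f3-1fcbf9fa267e
-name: Digital Guardian - Sensitive data transfer over insecure channel
-description: |
-'Detects sensitive data transfer over insecure channel.'
-severity: Medium
-status: Available
-requiredDataConnectors:
-- connectorId: DigitalGuardianDLP
-dataTypes:
-- DigitalGuardianDLPEvent
-queryFrequency: 1h
-queryPeriod: 1h
-triggerOperator: gt
-triggerThreshold: 0
-tactics:
-- Exfiltration
-relevantTechniques:
-- T1048
-query: |
-DigitalGuardianDLPEvent
-| where isnotempty(MatchedPolicies)
-| where isnotempty(inspected_document)
-| where NetworkApplicationProtocol =~ 'HTTP'
-| extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr
-entityMappings:
-- entityType: Account
-fieldMappings:
-- identifier: Name
-columnName: AccountCustomEntity
-- entityType: IP
-fieldMappings:
-- identifier: Address
-columnName: IPCustomEntity
-version: 1.0.0
-kind: Scheduled
+id: b52cda18-c1af-40e5-91f3-1fcbf9fa267e
+name: Digital Guardian - Sensitive data transfer over insecure channel
+description: |
+'Detects sensitive data transfer over insecure channel.'
+severity: Medium
+status: Available
+requiredDataConnectors:
+- connectorId: DigitalGuardianDLP
+dataTypes:
+- DigitalGuardianDLPEvent
+- connectorId: SyslogAma
+datatypes:
+- Syslog
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+- Exfiltration
+relevantTechniques:
+- T1048
+query: |
+DigitalGuardianDLPEvent
+| where isnotempty(MatchedPolicies)
+| where isnotempty(inspected_document)
+| where NetworkApplicationProtocol =~ 'HTTP'
+| extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr
+entityMappings:
+- entityType: Account
+fieldMappings:
+- identifier: Name
+columnName: AccountCustomEntity
+- entityType: IP
+fieldMappings:
+- identifier: Address
+columnName: IPCustomEntity
+version: 1.0.1
+kind: Scheduled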
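Review bot: The added `- connectorId: SyslogAma` entry declares its data types under `datatypes:` while the existing DigitalGuardianDLP entry directly above it uses `dataTypes:`; a schema or packaging tool keyed on the camelCase name may drop or reject the new entry, so the added line should read `dataTypes:`. The same lowercase key appears in every other analytic rule and hunting query touched by this commit, so the fix applies to all of them. The rendering has lost indentation, so whether the three added lines nest under `requiredDataConnectors` in the source file cannot be confirmed here and is worth checking at the same time.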
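--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -1,29 +1,32 @@
-id: 39e25deb-49bb-4cdb-89c1-c466d596e2bd
-name: Digital Guardian - Exfiltration using DNS protocol
-description: |
-'Detects exfiltration using DNS protocol.'
-severity: High
-status: Available
-requiredDataConnectors:
-- connectorId: DigitalGuardianDLP
-dataTypes:
-- DigitalGuardianDLPEvent
-queryFrequency: 1h
-queryPeriod: 1h
-triggerOperator: gt
-triggerThreshold: 0
-tactics:
-- Exfiltration
-relevantTechniques:
-- T1048
-query: |
-DigitalGuardianDLPEvent
-| where DstPortNumber == 53
-| extend AccountCustomEntity = SrcUserName
-entityMappings:
-- entityType: Account
-fieldMappings:
-- identifier: Name
-columnName: AccountCustomEntity
-version: 1.0.0
-kind: Scheduled
+id: 39e25deb-49bb-4cdb-89c1-c466d596e2bd
+name: Digital Guardian - Exfiltration using DNS protocol
+description: |
+'Detects exfiltration using DNS protocol.'
+severity: High
+status: Available
+requiredDataConnectors:
+- connectorId: DigitalGuardianDLP
+dataTypes:
+- DigitalGuardianDLPEvent
+- connectorId: SyslogAma
+datatypes:
+- Syslog
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+- Exfiltration
+relevantTechniques:
+- T1048
+query: |
+DigitalGuardianDLPEvent
+| where DstPortNumber == 53
+| extend AccountCustomEntity = SrcUserName
+entityMappings:
+- entityType: Account
+fieldMappings:
+- identifier: Name
+columnName: AccountCustomEntity
+version: 1.0.1
+kind: Scheduled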
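Review bot: The rewritten query keeps `| where DstPortNumber == 53` as its only filter, so at `severity: High` with `triggerThreshold: 0` every row the parser emits for port 53 becomes an alert; unlike the sibling rules there is no `isnotempty(MatchedPolicies)` or `isnotempty(inspected_document)` gate. If the DLP feed reports ordinary DNS lookups (not verifiable from this hunk) the rule will be noisy; adding `| where isnotempty(MatchedPolicies)` before the extend, or a per-user count over `bin(TimeGenerated, 30m)` as the fileshare rule does, would scope it to policy hits. The same observation applies to the RDP rule on port 3389 later in this commit.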
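--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -1,33 +1,36 @@
-id: f7b6ddef-c1e9-46f0-8539-dbba7fb8a5b8
-name: Digital Guardian - Exfiltration to online fileshare
-description: |
-'Detects exfiltration to online fileshare.'
-severity: High
-status: Available
-requiredDataConnectors:
-- connectorId: DigitalGuardianDLP
-dataTypes:
-- DigitalGuardianDLPEvent
-queryFrequency: 1h
-queryPeriod: 1h
-triggerOperator: gt
-triggerThreshold: 0
-tactics:
-- Exfiltration
-relevantTechniques:
-- T1048
-query: |
-let threshold = 10;
-DigitalGuardianDLPEvent
-| where isnotempty(inspected_document)
-| where http_url contains 'dropbox' or http_url contains 'mega.nz'
-| summarize f = dcount(inspected_document) by SrcUserName, bin(TimeGenerated, 30m)
-| where f >= threshold
-| extend AccountCustomEntity = SrcUserName
-entityMappings:
-- entityType: Account
-fieldMappings:
-- identifier: Name
-columnName: AccountCustomEntity
-version: 1.0.0
-kind: Scheduled
+id: f7b6ddef-c1e9-46f0-8539-dbba7fb8a5b8
+name: Digital Guardian - Exfiltration to online fileshare
+description: |
+'Detects exfiltration to online fileshare.'
+severity: High
+status: Available
+requiredDataConnectors:
+- connectorId: DigitalGuardianDLP
+dataTypes:
+- DigitalGuardianDLPEvent
+- connectorId: SyslogAma
+datatypes:
+- Syslog
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+- Exfiltration
+relevantTechniques:
+- T1048
+query: |
+let threshold = 10;
+DigitalGuardianDLPEvent
+| where isnotempty(inspected_document)
+| where http_url contains 'dropbox' or http_url contains 'mega.nz'
+| summarize f = dcount(inspected_document) by SrcUserName, bin(TimeGenerated, 30m)
+| where f >= threshold
+| extend AccountCustomEntity = SrcUserName
+entityMappings:
+- entityType: Account
+fieldMappings:
+- identifier: Name
+columnName: AccountCustomEntity
+version: 1.0.1
+kind: Scheduled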
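--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -1,36 +1,39 @@
-id: edead9b5-243a-466b-ae78-2dae32ab1117
-name: Digital Guardian - Exfiltration to private email
-description: |
-'Detects exfiltration to private email.'
-severity: High
-status: Available
-requiredDataConnectors:
-- connectorId: DigitalGuardianDLP
-dataTypes:
-- DigitalGuardianDLPEvent
-queryFrequency: 1h
-queryPeriod: 1h
-triggerOperator: gt
-triggerThreshold: 0
-tactics:
-- Exfiltration
-relevantTechniques:
-- T1048
-query: |
-DigitalGuardianDLPEvent
-| where NetworkApplicationProtocol =~ 'SMTP'
-| where isnotempty(inspected_document)
-| extend s_user = substring(SrcUserName, 0, indexof(SrcUserName, '@'))
-| extend d_user = substring(DstUserName, 0, indexof(DstUserName, '@'))
-| extend s_domain = extract(@'@(.*)', 1, SrcUserName)
-| extend d_domain = extract(@'@(.*)', 1, DstUserName)
-| where s_domain != d_domain
-| where s_user == d_user
-| extend AccountCustomEntity = SrcUserName
-entityMappings:
-- entityType: Account
-fieldMappings:
-- identifier: Name
-columnName: AccountCustomEntity
-version: 1.0.0
-kind: Scheduled
+id: edead9b5-243a-466b-ae78-2dae32ab1117
+name: Digital Guardian - Exfiltration to private email
+description: |
+'Detects exfiltration to private email.'
+severity: High
+status: Available
+requiredDataConnectors:
+- connectorId: DigitalGuardianDLP
+dataTypes:
+- DigitalGuardianDLPEvent
+- connectorId: SyslogAma
+datatypes:
+- Syslog
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+- Exfiltration
+relevantTechniques:
+- T1048
+query: |
+DigitalGuardianDLPEvent
+| where NetworkApplicationProtocol =~ 'SMTP'
+| where isnotempty(inspected_document)
+| extend s_user = substring(SrcUserName, 0, indexof(SrcUserName, '@'))
+| extend d_user = substring(DstUserName, 0, indexof(DstUserName, '@'))
+| extend s_domain = extract(@'@(.*)', 1, SrcUserName)
+| extend d_domain = extract(@'@(.*)', 1, DstUserName)
+| where s_domain != d_domain
+| where s_user == d_user
+| extend AccountCustomEntity = SrcUserName
+entityMappings:
+- entityType: Account
+fieldMappings:
+- identifier: Name
+columnName: AccountCustomEntity
+version: 1.0.1
+kind: Scheduled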
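Review bot: `| where s_domain != d_domain` and `| where s_user == d_user` are case-sensitive comparisons, whereas the protocol filter above them uses the case-insensitive `=~`; a recipient whose local part differs from the sender's only by letter case is missed, and a domain that differs only by case is reported as a different domain. Use `| where s_domain !~ d_domain` and `| where s_user =~ d_user` so the whole query matches consistently. When neither address contains an `@`, both `extract` calls yield an empty string and the row drops out of the `!=` test silently; if that is intended, a short comment in the query saying so would help the next reader.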
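--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -1,35 +1,38 @@
-id: a19885c8-1e44-47e3-81df-d1d109f5c92d
-name: Digital Guardian - Exfiltration to external domain
-description: |
-'Detects exfiltration to external domain.'
-severity: Medium
-status: Available
-requiredDataConnectors:
-- connectorId: DigitalGuardianDLP
-dataTypes:
-- DigitalGuardianDLPEvent
-queryFrequency: 1h
-queryPeriod: 1h
-triggerOperator: gt
-triggerThreshold: 0
-tactics:
-- Exfiltration
-relevantTechniques:
-- T1048
-query: |
-let corp_domain = dynamic(['example.com']); //add all corporate domains to this list
-DigitalGuardianDLPEvent
-| where NetworkApplicationProtocol =~ 'SMTP'
-| where isnotempty(inspected_document)
-| extend s_domain = extract(@'@(.*)', 1, SrcUserName)
-| extend d_domain = extract(@'@(.*)', 1, DstUserName)
-| where s_domain in~ (corp_domain)
-| where d_domain !in (corp_domain)
-| extend AccountCustomEntity = SrcUserName
-entityMappings:
-- entityType: Account
-fieldMappings:
-- identifier: Name
-columnName: AccountCustomEntity
-version: 1.0.0
-kind: Scheduled
+id: a19885c8-1e44-47e3-81df-d1d109f5c92d
+name: Digital Guardian - Exfiltration to external domain
+description: |
+'Detects exfiltration to external domain.'
+severity: Medium
+status: Available
+requiredDataConnectors:
+- connectorId: DigitalGuardianDLP
+dataTypes:
+- DigitalGuardianDLPEvent
+- connectorId: SyslogAma
+datatypes:
+- Syslog
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+- Exfiltration
+relevantTechniques:
+- T1048
+query: |
+let corp_domain = dynamic(['example.com']); //add all corporate domains to this list
+DigitalGuardianDLPEvent
+| where NetworkApplicationProtocol =~ 'SMTP'
+| where isnotempty(inspected_document)
+| extend s_domain = extract(@'@(.*)', 1, SrcUserName)
+| extend d_domain = extract(@'@(.*)', 1, DstUserName)
+| where s_domain in~ (corp_domain)
+| where d_domain !in (corp_domain)
+| extend AccountCustomEntity = SrcUserName
+entityMappings:
+- entityType: Account
+fieldMappings:
+- identifier: Name
+columnName: AccountCustomEntity
+version: 1.0.1
+kind: Scheduled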
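Review bot: `| where d_domain !in (corp_domain)` is case-sensitive while the sender check two lines earlier uses `in~`; a destination at the corporate domain written with different letter case is treated as external and fires. Change it to `| where d_domain !in~ (corp_domain)`; the bulk-exfiltration rule later in this commit has the same pair of lines and needs the same change. The list also ships as `dynamic(['example.com'])`, so a deployment that does not edit it matches no sender and silently returns nothing; the inline `//add all corporate domains` comment is only visible in the query editor, and a sentence in `description:` stating that this list must be customized would reach the analyst who installs the rule.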
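--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -1,38 +1,41 @@
-id: 5f75a873-b524-4ba5-a3b8-2c20db517148
-name: Digital Guardian - Bulk exfiltration to external domain
-description: |
-'Detects bulk exfiltration to external domain.'
-severity: Medium
-status: Available
-requiredDataConnectors:
-- connectorId: DigitalGuardianDLP
-dataTypes:
-- DigitalGuardianDLPEvent
-queryFrequency: 1h
-queryPeriod: 1h
-triggerOperator: gt
-triggerThreshold: 0
-tactics:
-- Exfiltration
-relevantTechniques:
-- T1048
-query: |
-let threshold = 10;
-let corp_domain = dynamic(['example.com']);
-DigitalGuardianDLPEvent
-| where NetworkApplicationProtocol =~ 'SMTP'
-| where isnotempty(inspected_document)
-| extend s_domain = extract(@'@(.*)', 1, SrcUserName)
-| extend d_domain = extract(@'@(.*)', 1, DstUserName)
-| where s_domain in~ (corp_domain)
-| where d_domain !in (corp_domain)
-| summarize f = dcount(inspected_document) by SrcUserName, DstUserName, bin(TimeGenerated, 30m)
-| where f >= threshold
-| extend AccountCustomEntity = SrcUserName
-entityMappings:
-- entityType: Account
-fieldMappings:
-- identifier: Name
-columnName: AccountCustomEntity
-version: 1.0.0
-kind: Scheduled
+id: 5f75a873-b524-4ba5-a3b8-2c20db517148
+name: Digital Guardian - Bulk exfiltration to external domain
+description: |
+'Detects bulk exfiltration to external domain.'
+severity: Medium
+status: Available
+requiredDataConnectors:
+- connectorId: DigitalGuardianDLP
+dataTypes:
+- DigitalGuardianDLPEvent
+- connectorId: SyslogAma
+datatypes:
+- Syslog
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+- Exfiltration
+relevantTechniques:
+- T1048
+query: |
+let threshold = 10;
+let corp_domain = dynamic(['example.com']);
+DigitalGuardianDLPEvent
+| where NetworkApplicationProtocol =~ 'SMTP'
+| where isnotempty(inspected_document)
+| extend s_domain = extract(@'@(.*)', 1, SrcUserName)
+| extend d_domain = extract(@'@(.*)', 1, DstUserName)
+| where s_domain in~ (corp_domain)
+| where d_domain !in (corp_domain)
+| summarize f = dcount(inspected_document) by SrcUserName, DstUserName, bin(TimeGenerated, 30m)
+| where f >= threshold
+| extend AccountCustomEntity = SrcUserName
+entityMappings:
+- entityType: Account
+fieldMappings:
+- identifier: Name
+columnName: AccountCustomEntity
+version: 1.0.1
+kind: Scheduled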
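--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -1,32 +1,35 @@
-id: e8901dac-2549-4948-b793-5197a5ed697a
-name: Digital Guardian - Multiple incidents from user
-description: |
-'Detects multiple incidents from user.'
-severity: High
-status: Available
-requiredDataConnectors:
-- connectorId: DigitalGuardianDLP
-dataTypes:
-- DigitalGuardianDLPEvent
-queryFrequency: 1h
-queryPeriod: 1h
-triggerOperator: gt
-triggerThreshold: 0
-tactics:
-- Exfiltration
-relevantTechniques:
-- T1048
-query: |
-let threshold = 2;
-DigitalGuardianDLPEvent
-| where isnotempty(MatchedPolicies)
-| summarize count() by SrcUserName, bin(TimeGenerated, 30m)
-| where count_ >= threshold
-| extend AccountCustomEntity = SrcUserName
-entityMappings:
-- entityType: Account
-fieldMappings:
-- identifier: Name
-columnName: AccountCustomEntity
-version: 1.0.0
-kind: Scheduled
+id: e8901dac-2549-4948-b793-5197a5ed697a
+name: Digital Guardian - Multiple incidents from user
+description: |
+'Detects multiple incidents from user.'
+severity: High
+status: Available
+requiredDataConnectors:
+- connectorId: DigitalGuardianDLP
+dataTypes:
+- DigitalGuardianDLPEvent
+- connectorId: SyslogAma
+datatypes:
+- Syslog
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+- Exfiltration
+relevantTechniques:
+- T1048
+query: |
+let threshold = 2;
+DigitalGuardianDLPEvent
+| where isnotempty(MatchedPolicies)
+| summarize count() by SrcUserName, bin(TimeGenerated, 30m)
+| where count_ >= threshold
+| extend AccountCustomEntity = SrcUserName
+entityMappings:
+- entityType: Account
+fieldMappings:
+- identifier: Name
+columnName: AccountCustomEntity
+version: 1.0.1
+kind: Scheduled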
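--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -1,30 +1,33 @@
-id: a374a933-f6c4-4200-8682-70402a9054dd
-name: Digital Guardian - Possible SMTP protocol abuse
-description: |
-'Detects possible SMTP protocol abuse.'
-severity: High
-status: Available
-requiredDataConnectors:
-- connectorId: DigitalGuardianDLP
-dataTypes:
-- DigitalGuardianDLPEvent
-queryFrequency: 1h
-queryPeriod: 1h
-triggerOperator: gt
-triggerThreshold: 0
-tactics:
-- Exfiltration
-relevantTechniques:
-- T1048
-query: |
-DigitalGuardianDLPEvent
-| where NetworkApplicationProtocol =~ 'SMTP'
-| where DstPortNumber != 25
-| extend AccountCustomEntity = SrcUserName
-entityMappings:
-- entityType: Account
-fieldMappings:
-- identifier: Name
-columnName: AccountCustomEntity
-version: 1.0.0
-kind: Scheduled
+id: a374a933-f6c4-4200-8682-70402a9054dd
+name: Digital Guardian - Possible SMTP protocol abuse
+description: |
+'Detects possible SMTP protocol abuse.'
+severity: High
+status: Available
+requiredDataConnectors:
+- connectorId: DigitalGuardianDLP
+dataTypes:
+- DigitalGuardianDLPEvent
+- connectorId: SyslogAma
+datatypes:
+- Syslog
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+- Exfiltration
+relevantTechniques:
+- T1048
+query: |
+DigitalGuardianDLPEvent
+| where NetworkApplicationProtocol =~ 'SMTP'
+| where DstPortNumber != 25
+| extend AccountCustomEntity = SrcUserName
+entityMappings:
+- entityType: Account
+fieldMappings:
+- identifier: Name
+columnName: AccountCustomEntity
+version: 1.0.1
+kind: Scheduled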
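Review bot: `| where DstPortNumber != 25` flags every SMTP flow that is not on port 25, which includes message submission on 587 and SMTPS on 465, both standard; at `severity: High` with `triggerThreshold: 0` this fires on ordinary outbound mail from any client that uses submission. If the intent is to catch SMTP on non-standard ports, `| where DstPortNumber !in (25, 465, 587)` is the narrower test, and the one-line `description:` should list which ports the rule treats as expected so analysts can tune it.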
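--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -1,29 +1,32 @@
-id: a14f2f95-bbd2-4036-ad59-e3aff132b296
-name: Digital Guardian - Unexpected protocol
-description: |
-'Detects RDP protocol usage for data transfer which is not common.'
-severity: High
-status: Available
-requiredDataConnectors:
-- connectorId: DigitalGuardianDLP
-dataTypes:
-- DigitalGuardianDLPEvent
-queryFrequency: 1h
-queryPeriod: 1h
-triggerOperator: gt
-triggerThreshold: 0
-tactics:
-- Exfiltration
-relevantTechniques:
-- T1048
-query: |
-DigitalGuardianDLPEvent
-| where DstPortNumber == 3389
-| extend AccountCustomEntity = SrcUserName
-entityMappings:
-- entityType: Account
-fieldMappings:
-- identifier: Name
-columnName: AccountCustomEntity
-version: 1.0.0
-kind: Scheduled
+id: a14f2f95-bbd2-4036-ad59-e3aff132b296
+name: Digital Guardian - Unexpected protocol
+description: |
+'Detects RDP protocol usage for data transfer which is not common.'
+severity: High
+status: Available
+requiredDataConnectors:
+- connectorId: DigitalGuardianDLP
+dataTypes:
+- DigitalGuardianDLPEvent
+- connectorId: SyslogAma
+datatypes:
+- Syslog
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+- Exfiltration
+relevantTechniques:
+- T1048
+query: |
+DigitalGuardianDLPEvent
+| where DstPortNumber == 3389
+| extend AccountCustomEntity = SrcUserName
+entityMappings:
+- entityType: Account
+fieldMappings:
+- identifier: Name
+columnName: AccountCustomEntity
+version: 1.0.1
+kind: Scheduled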
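--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -1,32 +1,35 @@
-id: 07bca129-e7d6-4421-b489-32abade0b6a7
-name: Digital Guardian - Incident with not blocked action
-description: |
-'Detects when incident has not block action.'
-severity: High
-status: Available
-requiredDataConnectors:
-- connectorId: DigitalGuardianDLP
-dataTypes:
-- DigitalGuardianDLPEvent
-queryFrequency: 1h
-queryPeriod: 1h
-triggerOperator: gt
-triggerThreshold: 0
-tactics:
-- Exfiltration
-relevantTechniques:
-- T1048
-query: |
-DigitalGuardianDLPEvent
-| where isnotempty(IncidentStatus)
-| extend inc_act = split(IncidentStatus, ',')
-| where inc_act has 'New'
-| where inc_act !contains 'Block'
-| extend AccountCustomEntity = SrcUserName
-entityMappings:
-- entityType: Account
-fieldMappings:
-- identifier: Name
-columnName: AccountCustomEntity
-version: 1.0.0
-kind: Scheduled
+id: 07bca129-e7d6-4421-b489-32abade0b6a7
+name: Digital Guardian - Incident with not blocked action
+description: |
+'Detects when incident has not block action.'
+severity: High
+status: Available
+requiredDataConnectors:
+- connectorId: DigitalGuardianDLP
+dataTypes:
+- DigitalGuardianDLPEvent
+- connectorId: SyslogAma
+datatypes:
+- Syslog
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+- Exfiltration
+relevantTechniques:
+- T1048
+query: |
+DigitalGuardianDLPEvent
+| where isnotempty(IncidentStatus)
+| extend inc_act = split(IncidentStatus, ',')
+| where inc_act has 'New'
+| where inc_act !contains 'Block'
+| extend AccountCustomEntity = SrcUserName
+entityMappings:
+- entityType: Account
+fieldMappings:
+- identifier: Name
+columnName: AccountCustomEntity
+version: 1.0.1
+kind: Scheduled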
@ -1,6 +1,6 @@
|
|||
{
|
||||
"id": "DigitalGuardianDLP",
|
||||
"title": "Digital Guardian Data Loss Prevention",
|
||||
"title": "[Deprecated] Digital Guardian Data Loss Prevention",
|
||||
"publisher": "Digital Guardian",
|
||||
"descriptionMarkdown": "[Digital Guardian Data Loss Prevention (DLP)](https://digitalguardian.com/platform-overview) data connector provides the capability to ingest Digital Guardian DLP logs into Microsoft Sentinel.",
|
||||
"additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**DigitalGuardianDLPEvent**](https://aka.ms/sentinel-DigitalGuardianDLP-parser) which is deployed with the Microsoft Sentinel Solution.",
|
|
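Review bot: The title now carries `[Deprecated]`, but `descriptionMarkdown` on the following line is unchanged and still presents this connector as the way to ingest Digital Guardian DLP logs, with no pointer to what replaces it. Add a sentence to `descriptionMarkdown` stating that the connector is deprecated and naming the successor; elsewhere in this commit the solution description refers to the Syslog via AMA connector, which is presumably the intended replacement. That way someone configuring the connector from the portal sees the status in the body text, not only in the title.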
@ -2,7 +2,7 @@
|
|||
"Name": "Digital Guardian Data Loss Prevention",
|
||||
"Author": "Microsoft - support@microsoft.com",
|
||||
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
|
||||
"Description": "The [Digital Guardian Data Loss Prevention (DLP)](https://digitalguardian.com/platform-overview) data connector provides the capability to ingest Digital Guardian DLP logs into Microsoft Sentinel.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n \r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\n a. [Agent-based log collection (Syslog) ](https://docs.microsoft.com/azure/sentinel/connect-syslog)",
|
||||
"Description": "The [Digital Guardian Data Loss Prevention (DLP)](https://digitalguardian.com/platform-overview) data connector provides the capability to ingest Digital Guardian DLP logs into Microsoft Sentinel.\n\n This solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
|
||||
"Workbooks": [
|
||||
"Workbooks/DigitalGuardian.json"
|
||||
],
|
||||
|
@ -36,9 +36,12 @@
|
|||
"Data Connectors": [
|
||||
"Data Connectors/Connector_DigitalGuardian_Syslog.json"
|
||||
],
|
||||
"dependentDomainSolutionIds": [
|
||||
"azuresentinel.azure-sentinel-solution-syslog"
|
||||
],
|
||||
"Metadata": "SolutionMetadata.json",
|
||||
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\DigitalGuardianDLP",
|
||||
"Version": "3.0.0",
|
||||
"Version": "3.0.1",
|
||||
"TemplateSpec": true,
|
||||
"Is1PConnector": false
|
||||
}
|
|
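Review bot: The new `Description` says the Syslog solution with the Syslog via AMA connector is required, and `dependentDomainSolutionIds` now lists `azuresentinel.azure-sentinel-solution-syslog`, yet `"Data Connectors"` still references only `Data Connectors/Connector_DigitalGuardian_Syslog.json`, the connector definition whose title this same commit marks `[Deprecated]`. If an AMA-based connector definition exists for this solution it should be listed there as well; if not, the description should say plainly that the deprecated connector is what the package ships. The hard-coded `Aug 31, 2024` date in the description will read as stale once it passes; pointing at the linked migration article for the timeline would age better.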
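--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -1,26 +1,29 @@
-id: 444c91d4-e4b8-4adc-9b05-61fe908441b8
-name: Digital Guardian - Incident domains
-description: |
-'Query searches for incident domains.'
-severity: Medium
-requiredDataConnectors:
-- connectorId: DigitalGuardianDLP
-dataTypes:
-- DigitalGuardianDLPEvent
-tactics:
-- Exfiltration
-relevantTechniques:
-- T1048
-query: |
-DigitalGuardianDLPEvent
-| where TimeGenerated > ago(24h)
-| where isnotempty(http_url)
-| extend u = parse_url(http_url)
-| extend domain=u.Host
-| summarize count() by tostring(domain), SrcUserName
-| extend AccountCustomEntity = SrcUserName
-entityMappings:
-- entityType: Account
-fieldMappings:
-- identifier: Name
+id: 444c91d4-e4b8-4adc-9b05-61fe908441b8
+name: Digital Guardian - Incident domains
+description: |
+'Query searches for incident domains.'
+severity: Medium
+requiredDataConnectors:
+- connectorId: DigitalGuardianDLP
+dataTypes:
+- DigitalGuardianDLPEvent
+- connectorId: SyslogAma
+datatypes:
+- Syslog
+tactics:
+- Exfiltration
+relevantTechniques:
+- T1048
+query: |
+DigitalGuardianDLPEvent
+| where TimeGenerated > ago(24h)
+| where isnotempty(http_url)
+| extend u = parse_url(http_url)
+| extend domain=u.Host
+| summarize count() by tostring(domain), SrcUserName
+| extend AccountCustomEntity = SrcUserName
+entityMappings:
+- entityType: Account
+fieldMappings:
+- identifier: Name
 columnName: AccountCustomEntity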
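--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -1,24 +1,27 @@
-id: 66dd7ab7-bbc0-48b7-a3b9-4e71e610df48
-name: Digital Guardian - Files sent by users
-description: |
-'Query searches for files sent by users.'
-severity: Medium
-requiredDataConnectors:
-- connectorId: DigitalGuardianDLP
-dataTypes:
-- DigitalGuardianDLPEvent
-tactics:
-- Exfiltration
-relevantTechniques:
-- T1048
-query: |
-DigitalGuardianDLPEvent
-| where TimeGenerated > ago(24h)
-| where isnotempty(inspected_document)
-| summarize Files = makeset(inspected_document) by SrcUserName
-| extend AccountCustomEntity = SrcUserName
-entityMappings:
-- entityType: Account
-fieldMappings:
-- identifier: Name
-columnName: AccountCustomEntity
+id: 66dd7ab7-bbc0-48b7-a3b9-4e71e610df48
+name: Digital Guardian - Files sent by users
+description: |
+'Query searches for files sent by users.'
+severity: Medium
+requiredDataConnectors:
+- connectorId: DigitalGuardianDLP
+dataTypes:
+- DigitalGuardianDLPEvent
+- connectorId: SyslogAma
+datatypes:
+- Syslog
+tactics:
+- Exfiltration
+relevantTechniques:
+- T1048
+query: |
+DigitalGuardianDLPEvent
+| where TimeGenerated > ago(24h)
+| where isnotempty(inspected_document)
+| summarize Files = makeset(inspected_document) by SrcUserName
+| extend AccountCustomEntity = SrcUserName
+entityMappings:
+- entityType: Account
+fieldMappings:
+- identifier: Name
+columnName: AccountCustomEntity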
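Review bot: `| summarize Files = makeset(inspected_document) by SrcUserName` uses `makeset`, the obsolete alias of `make_set`; it still executes, but the documented form is `make_set`, and the Users' incidents hunting query later in this commit (`| summarize makeset(IncidentsUrl) by SrcUserName`) has the same call. Change both to `make_set(...)` so the queries stop depending on a deprecated name.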
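--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -1,25 +1,28 @@
-id: 83d5652c-025c-4cee-9f33-3bc114648859
-name: Digital Guardian - Users' incidents
-description: |
-'Query searches for users' incidents.'
-severity: Medium
-requiredDataConnectors:
-- connectorId: DigitalGuardianDLP
-dataTypes:
-- DigitalGuardianDLPEvent
-tactics:
-- Exfiltration
-relevantTechniques:
-- T1048
-query: |
-DigitalGuardianDLPEvent
-| where TimeGenerated > ago(24h)
-| where isnotempty(IncidentStatus)
-| where IncidentStatus has 'New'
-| summarize makeset(IncidentsUrl) by SrcUserName
-| extend AccountCustomEntity = SrcUserName
-entityMappings:
-- entityType: Account
-fieldMappings:
-- identifier: Name
-columnName: AccountCustomEntity
+id: 83d5652c-025c-4cee-9f33-3bc114648859
+name: Digital Guardian - Users' incidents
+description: |
+'Query searches for users' incidents.'
+severity: Medium
+requiredDataConnectors:
+- connectorId: DigitalGuardianDLP
+dataTypes:
+- DigitalGuardianDLPEvent
+- connectorId: SyslogAma
+datatypes:
+- Syslog
+tactics:
+- Exfiltration
+relevantTechniques:
+- T1048
+query: |
+DigitalGuardianDLPEvent
+| where TimeGenerated > ago(24h)
+| where isnotempty(IncidentStatus)
+| where IncidentStatus has 'New'
+| summarize makeset(IncidentsUrl) by SrcUserName
+| extend AccountCustomEntity = SrcUserName
+entityMappings:
+- entityType: Account
+fieldMappings:
+- identifier: Name
+columnName: AccountCustomEntity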
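--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -1,24 +1,27 @@
-id: 196930a4-bd79-4800-b2bb-582a8f1c8dd4
-name: Digital Guardian - Insecure file transfer sources
-description: |
-'Query searches for insecure file transfer sources.'
-severity: Medium
-requiredDataConnectors:
-- connectorId: DigitalGuardianDLP
-dataTypes:
-- DigitalGuardianDLPEvent
-tactics:
-- Exfiltration
-relevantTechniques:
-- T1048
-query: |
-DigitalGuardianDLPEvent
-| where TimeGenerated > ago(24h)
-| where NetworkApplicationProtocol in~ ('HTTP', 'FTP')
-| project SrcUserName, SrcIpAddr, DstIpAddr, DstPortNumber, File=inspected_document
-| extend AccountCustomEntity = SrcUserName
-entityMappings:
-- entityType: Account
-fieldMappings:
-- identifier: Name
-columnName: AccountCustomEntity
+id: 196930a4-bd79-4800-b2bb-582a8f1c8dd4
+name: Digital Guardian - Insecure file transfer sources
+description: |
+'Query searches for insecure file transfer sources.'
+severity: Medium
+requiredDataConnectors:
+- connectorId: DigitalGuardianDLP
+dataTypes:
+- DigitalGuardianDLPEvent
+- connectorId: SyslogAma
+datatypes:
+- Syslog
+tactics:
+- Exfiltration
+relevantTechniques:
+- T1048
+query: |
+DigitalGuardianDLPEvent
+| where TimeGenerated > ago(24h)
+| where NetworkApplicationProtocol in~ ('HTTP', 'FTP')
+| project SrcUserName, SrcIpAddr, DstIpAddr, DstPortNumber, File=inspected_document
+| extend AccountCustomEntity = SrcUserName
+entityMappings:
+- entityType: Account
+fieldMappings:
+- identifier: Name
+columnName: AccountCustomEntity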
@ -1,24 +1,27 @@
|
|||
id: e459b709-55f7-48b6-8afc-0ae1062d3584
|
||||
name: Digital Guardian - Inspected files
|
||||
description: |
|
||||
'Query searches for inspected files.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: DigitalGuardianDLP
|
||||
dataTypes:
|
||||
- DigitalGuardianDLPEvent
|
||||
tactics:
|
||||
- Exfiltration
|
||||
relevantTechniques:
|
||||
- T1048
|
||||
query: |
|
||||
DigitalGuardianDLPEvent
|
||||
| where TimeGenerated > ago(24h)
|
||||
| where isnotempty(inspected_document)
|
||||
| project SrcUserName, DstUserName, File=inspected_document, MatchedPolicies
|
||||
| extend AccountCustomEntity = SrcUserName
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: Name
|
||||
columnName: AccountCustomEntity
|
||||
id: e459b709-55f7-48b6-8afc-0ae1062d3584
|
||||
name: Digital Guardian - Inspected files
|
||||
description: |
|
||||
'Query searches for inspected files.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: DigitalGuardianDLP
|
||||
dataTypes:
|
||||
- DigitalGuardianDLPEvent
|
||||
- connectorId: SyslogAma
|
||||
datatypes:
|
||||
- Syslog
|
||||
tactics:
|
||||
- Exfiltration
|
||||
relevantTechniques:
|
||||
- T1048
|
||||
query: |
|
||||
DigitalGuardianDLPEvent
|
||||
| where TimeGenerated > ago(24h)
|
||||
| where isnotempty(inspected_document)
|
||||
| project SrcUserName, DstUserName, File=inspected_document, MatchedPolicies
|
||||
| extend AccountCustomEntity = SrcUserName
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: Name
|
||||
columnName: AccountCustomEntity
|
|
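Review bot: The `| project SrcUserName, DstUserName, File=inspected_document, MatchedPolicies` line throws away TimeGenerated and the source address, so a hunter running this over the 24h window gets a flat list of file names with no way to order the events or pivot to the host that sent them. Keep the timestamp and address in the output: `| project TimeGenerated, SrcUserName, SrcIpAddr, DstUserName, File=inspected_document, MatchedPolicies`. The added `datatypes:` key under the SyslogAma entry also differs in case from the `dataTypes:` key above it and should be made consistent.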
@ -1,25 +1,28 @@
|
|||
id: ae482a2c-b4e7-46fc-aeb7-744f7aad27ea
|
||||
name: Digital Guardian - New incidents
|
||||
description: |
|
||||
'Query searches for new incidents.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: DigitalGuardianDLP
|
||||
dataTypes:
|
||||
- DigitalGuardianDLPEvent
|
||||
tactics:
|
||||
- Exfiltration
|
||||
relevantTechniques:
|
||||
- T1048
|
||||
query: |
|
||||
DigitalGuardianDLPEvent
|
||||
| where TimeGenerated > ago(24h)
|
||||
| where isnotempty(IncidentStatus)
|
||||
| extend inc_act = split(IncidentStatus, ',')
|
||||
| where inc_act has 'New'
|
||||
| extend AccountCustomEntity = SrcUserName
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: Name
|
||||
columnName: AccountCustomEntity
|
||||
id: ae482a2c-b4e7-46fc-aeb7-744f7aad27ea
|
||||
name: Digital Guardian - New incidents
|
||||
description: |
|
||||
'Query searches for new incidents.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: DigitalGuardianDLP
|
||||
dataTypes:
|
||||
- DigitalGuardianDLPEvent
|
||||
- connectorId: SyslogAma
|
||||
datatypes:
|
||||
- Syslog
|
||||
tactics:
|
||||
- Exfiltration
|
||||
relevantTechniques:
|
||||
- T1048
|
||||
query: |
|
||||
DigitalGuardianDLPEvent
|
||||
| where TimeGenerated > ago(24h)
|
||||
| where isnotempty(IncidentStatus)
|
||||
| extend inc_act = split(IncidentStatus, ',')
|
||||
| where inc_act has 'New'
|
||||
| extend AccountCustomEntity = SrcUserName
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: Name
|
||||
columnName: AccountCustomEntity
|
|
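Review bot: The `| extend inc_act = split(IncidentStatus, ',')` followed by `| where inc_act has 'New'` applies a string term operator to a dynamic array, which appears to work only because the array is coerced back to a string, so the split buys nothing over filtering the raw column. The simpler `| where IncidentStatus has 'New'` reads the same and avoids building the array for every row. If an exact status element is what is intended, say so in a comment, since `has` is a whole-term match on the joined text rather than an element test.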
@ -1,25 +1,28 @@
|
|||
id: 82cba92e-fe2f-4bba-9b46-647040b24090
|
||||
name: Digital Guardian - Rare destination ports
|
||||
description: |
|
||||
'Query searches for rare destination ports.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: DigitalGuardianDLP
|
||||
dataTypes:
|
||||
- DigitalGuardianDLPEvent
|
||||
tactics:
|
||||
- Exfiltration
|
||||
relevantTechniques:
|
||||
- T1048
|
||||
query: |
|
||||
DigitalGuardianDLPEvent
|
||||
| where TimeGenerated > ago(24h)
|
||||
| summarize count() by DstIpAddr, DstPortNumber
|
||||
| order by count_ asc
|
||||
| top 10 by count_
|
||||
| extend IPCustomEntity = DstIpAddr
|
||||
entityMappings:
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
||||
id: 82cba92e-fe2f-4bba-9b46-647040b24090
|
||||
name: Digital Guardian - Rare destination ports
|
||||
description: |
|
||||
'Query searches for rare destination ports.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: DigitalGuardianDLP
|
||||
dataTypes:
|
||||
- DigitalGuardianDLPEvent
|
||||
- connectorId: SyslogAma
|
||||
datatypes:
|
||||
- Syslog
|
||||
tactics:
|
||||
- Exfiltration
|
||||
relevantTechniques:
|
||||
- T1048
|
||||
query: |
|
||||
DigitalGuardianDLPEvent
|
||||
| where TimeGenerated > ago(24h)
|
||||
| summarize count() by DstIpAddr, DstPortNumber
|
||||
| order by count_ asc
|
||||
| top 10 by count_
|
||||
| extend IPCustomEntity = DstIpAddr
|
||||
entityMappings:
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
|
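Review bot: The pair `| order by count_ asc` then `| top 10 by count_` does not return rare ports: `top` sorts on its own expression and defaults to descending, so the preceding `order by` is discarded and the query yields the ten most common destination IP/port pairs, the opposite of what the name and description promise. Replace the two lines with the single `| top 10 by count_ asc`. Since every row in the window is counted, consider documenting that a freshly onboarded source will dominate the "rare" list until a day of baseline data exists.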
@ -1,30 +1,33 @@
|
|||
id: 8ab2f0db-baa1-495c-a8dd-718b81d0b8c7
|
||||
name: Digital Guardian - Rare network protocols
|
||||
description: |
|
||||
'Query searches rare network protocols.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: DigitalGuardianDLP
|
||||
dataTypes:
|
||||
- DigitalGuardianDLPEvent
|
||||
tactics:
|
||||
- Exfiltration
|
||||
relevantTechniques:
|
||||
- T1048
|
||||
query: |
|
||||
DigitalGuardianDLPEvent
|
||||
| where TimeGenerated > ago(24h)
|
||||
| where isnotempty(NetworkApplicationProtocol)
|
||||
| summarize count() by SrcIpAddr, SrcUserName
|
||||
| order by count_ asc
|
||||
| top 10 by count_
|
||||
| extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: Name
|
||||
columnName: AccountCustomEntity
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
||||
id: 8ab2f0db-baa1-495c-a8dd-718b81d0b8c7
|
||||
name: Digital Guardian - Rare network protocols
|
||||
description: |
|
||||
'Query searches rare network protocols.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: DigitalGuardianDLP
|
||||
dataTypes:
|
||||
- DigitalGuardianDLPEvent
|
||||
- connectorId: SyslogAma
|
||||
datatypes:
|
||||
- Syslog
|
||||
tactics:
|
||||
- Exfiltration
|
||||
relevantTechniques:
|
||||
- T1048
|
||||
query: |
|
||||
DigitalGuardianDLPEvent
|
||||
| where TimeGenerated > ago(24h)
|
||||
| where isnotempty(NetworkApplicationProtocol)
|
||||
| summarize count() by SrcIpAddr, SrcUserName
|
||||
| order by count_ asc
|
||||
| top 10 by count_
|
||||
| extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: Name
|
||||
columnName: AccountCustomEntity
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
|
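Review bot: The query never groups on the protocol it claims to rank: `| summarize count() by SrcIpAddr, SrcUserName` counts per source/user pair, and `| top 10 by count_` defaults to descending so the preceding `| order by count_ asc` is discarded and the result is the busiest sources rather than rare protocols. Change the grouping to `| summarize count() by NetworkApplicationProtocol, SrcIpAddr, SrcUserName`, drop the `order by`, and use `| top 10 by count_ asc`. Otherwise the `isnotempty(NetworkApplicationProtocol)` filter is the only place the protocol field is used at all.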
@ -1,26 +1,29 @@
|
|||
id: b9a69da9-1ca0-4e09-a24f-5d88d57e0402
|
||||
name: Digital Guardian - Rare Urls
|
||||
description: |
|
||||
'Query searches for rare Urls.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: DigitalGuardianDLP
|
||||
dataTypes:
|
||||
- DigitalGuardianDLPEvent
|
||||
tactics:
|
||||
- Exfiltration
|
||||
relevantTechniques:
|
||||
- T1048
|
||||
query: |
|
||||
DigitalGuardianDLPEvent
|
||||
| where TimeGenerated > ago(24h)
|
||||
| where isnotempty(http_url)
|
||||
| summarize count() by SrcUserName, http_url
|
||||
| order by count_ asc
|
||||
| top 10 by count_
|
||||
| extend AccountCustomEntity = SrcUserName
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: Name
|
||||
columnName: AccountCustomEntity
|
||||
id: b9a69da9-1ca0-4e09-a24f-5d88d57e0402
|
||||
name: Digital Guardian - Rare Urls
|
||||
description: |
|
||||
'Query searches for rare Urls.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: DigitalGuardianDLP
|
||||
dataTypes:
|
||||
- DigitalGuardianDLPEvent
|
||||
- connectorId: SyslogAma
|
||||
datatypes:
|
||||
- Syslog
|
||||
tactics:
|
||||
- Exfiltration
|
||||
relevantTechniques:
|
||||
- T1048
|
||||
query: |
|
||||
DigitalGuardianDLPEvent
|
||||
| where TimeGenerated > ago(24h)
|
||||
| where isnotempty(http_url)
|
||||
| summarize count() by SrcUserName, http_url
|
||||
| order by count_ asc
|
||||
| top 10 by count_
|
||||
| extend AccountCustomEntity = SrcUserName
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: Name
|
||||
columnName: AccountCustomEntity
|
|
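Review bot: `| order by count_ asc` followed by `| top 10 by count_` returns the most frequently seen user/URL pairs, not the rarest, because `top` defaults to descending and ignores the earlier sort; replace both lines with `| top 10 by count_ asc`. Note also that grouping by `SrcUserName, http_url` makes a URL that many users each visit once look rare for every one of them; if rarity across the estate is the goal, a `dcount(SrcUserName)` per `http_url` would be the better first step, but that is a design choice worth stating in the description.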
@ -1,24 +1,27 @@
|
|||
id: 310433ca-67aa-406d-bbdf-c167a474b0a0
|
||||
name: Digital Guardian - Urls used
|
||||
description: |
|
||||
'Query searches for URLs used.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: DigitalGuardianDLP
|
||||
dataTypes:
|
||||
- DigitalGuardianDLPEvent
|
||||
tactics:
|
||||
- Exfiltration
|
||||
relevantTechniques:
|
||||
- T1048
|
||||
query: |
|
||||
DigitalGuardianDLPEvent
|
||||
| where TimeGenerated > ago(24h)
|
||||
| where isnotempty(http_url)
|
||||
| project SrcUserName, DstUserName, URL=http_url, MatchedPolicies
|
||||
| extend AccountCustomEntity = SrcUserName
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: Name
|
||||
columnName: AccountCustomEntity
|
||||
id: 310433ca-67aa-406d-bbdf-c167a474b0a0
|
||||
name: Digital Guardian - Urls used
|
||||
description: |
|
||||
'Query searches for URLs used.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: DigitalGuardianDLP
|
||||
dataTypes:
|
||||
- DigitalGuardianDLPEvent
|
||||
- connectorId: SyslogAma
|
||||
datatypes:
|
||||
- Syslog
|
||||
tactics:
|
||||
- Exfiltration
|
||||
relevantTechniques:
|
||||
- T1048
|
||||
query: |
|
||||
DigitalGuardianDLPEvent
|
||||
| where TimeGenerated > ago(24h)
|
||||
| where isnotempty(http_url)
|
||||
| project SrcUserName, DstUserName, URL=http_url, MatchedPolicies
|
||||
| extend AccountCustomEntity = SrcUserName
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: Name
|
||||
columnName: AccountCustomEntity
|
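Review bot: The new `datatypes:` key under `- connectorId: SyslogAma` is lowercase while the existing entry uses `dataTypes:`; the rule schema is case-sensitive on that key, so the added connector requirement may not be recognised. Change it to `dataTypes:` to match. The query itself still reads only the `DigitalGuardianDLPEvent` function, so the connector block is the only part of this file that changed in substance and the casing is the one thing to fix before merge.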
|
@ -6,7 +6,7 @@
|
|||
"config": {
|
||||
"isWizard": false,
|
||||
"basics": {
|
||||
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/DigitalGuardianDLP/ReleaseNotes.md)\r \n There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Digital Guardian Data Loss Prevention (DLP)](https://digitalguardian.com/platform-overview) data connector provides the capability to ingest Digital Guardian DLP logs into Microsoft Sentinel.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n \r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\n a. [Agent-based log collection (Syslog) ](https://docs.microsoft.com/azure/sentinel/connect-syslog)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
|
||||
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Digital%20Guardian%20Data%20Loss%20Prevention/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Digital Guardian Data Loss Prevention (DLP)](https://digitalguardian.com/platform-overview) data connector provides the capability to ingest Digital Guardian DLP logs into Microsoft Sentinel.\n\n This solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
|
||||
"subscription": {
|
||||
"resourceProviders": [
|
||||
"Microsoft.OperationsManagement/solutions",
|
||||
|
@ -60,14 +60,14 @@
|
|||
"name": "dataconnectors1-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This solution installs the data connector for ingesting Digital Guardian Data Loss Prevention logs into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
|
||||
"text": "This Solution installs the data connector for Digital Guardian Data Loss Prevention. You can get Digital Guardian Data Loss Prevention Syslog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "dataconnectors-parser-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "The solution installs a parser that transforms ingested data. The transformed logs can be accessed using the DigitalGuardianDLPEvent Kusto Function alias."
|
||||
"text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
|
||||
}
|
||||
},
|
||||
{
|
||||
|
@ -323,7 +323,7 @@
|
|||
"name": "huntingquery1-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Query searches for incident domains. This hunting query depends on DigitalGuardianDLP data connector (DigitalGuardianDLPEvent Parser or Table)"
|
||||
"text": "Query searches for incident domains. This hunting query depends on DigitalGuardianDLP SyslogAma data connector (DigitalGuardianDLPEvent Syslog Parser or Table)"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
@ -337,7 +337,7 @@
|
|||
"name": "huntingquery2-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Query searches for files sent by users. This hunting query depends on DigitalGuardianDLP data connector (DigitalGuardianDLPEvent Parser or Table)"
|
||||
"text": "Query searches for files sent by users. This hunting query depends on DigitalGuardianDLP SyslogAma data connector (DigitalGuardianDLPEvent Syslog Parser or Table)"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
@ -351,7 +351,7 @@
|
|||
"name": "huntingquery3-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Query searches for users' incidents. This hunting query depends on DigitalGuardianDLP data connector (DigitalGuardianDLPEvent Parser or Table)"
|
||||
"text": "Query searches for users' incidents. This hunting query depends on DigitalGuardianDLP SyslogAma data connector (DigitalGuardianDLPEvent Syslog Parser or Table)"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
@ -365,7 +365,7 @@
|
|||
"name": "huntingquery4-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Query searches for insecure file transfer sources. This hunting query depends on DigitalGuardianDLP data connector (DigitalGuardianDLPEvent Parser or Table)"
|
||||
"text": "Query searches for insecure file transfer sources. This hunting query depends on DigitalGuardianDLP SyslogAma data connector (DigitalGuardianDLPEvent Syslog Parser or Table)"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
@ -379,7 +379,7 @@
|
|||
"name": "huntingquery5-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Query searches for inspected files. This hunting query depends on DigitalGuardianDLP data connector (DigitalGuardianDLPEvent Parser or Table)"
|
||||
"text": "Query searches for inspected files. This hunting query depends on DigitalGuardianDLP SyslogAma data connector (DigitalGuardianDLPEvent Syslog Parser or Table)"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
@ -393,7 +393,7 @@
|
|||
"name": "huntingquery6-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Query searches for new incidents. This hunting query depends on DigitalGuardianDLP data connector (DigitalGuardianDLPEvent Parser or Table)"
|
||||
"text": "Query searches for new incidents. This hunting query depends on DigitalGuardianDLP SyslogAma data connector (DigitalGuardianDLPEvent Syslog Parser or Table)"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
@ -407,7 +407,7 @@
|
|||
"name": "huntingquery7-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Query searches for rare destination ports. This hunting query depends on DigitalGuardianDLP data connector (DigitalGuardianDLPEvent Parser or Table)"
|
||||
"text": "Query searches for rare destination ports. This hunting query depends on DigitalGuardianDLP SyslogAma data connector (DigitalGuardianDLPEvent Syslog Parser or Table)"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
@ -421,7 +421,7 @@
|
|||
"name": "huntingquery8-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Query searches rare network protocols. This hunting query depends on DigitalGuardianDLP data connector (DigitalGuardianDLPEvent Parser or Table)"
|
||||
"text": "Query searches rare network protocols. This hunting query depends on DigitalGuardianDLP SyslogAma data connector (DigitalGuardianDLPEvent Syslog Parser or Table)"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
@ -435,7 +435,7 @@
|
|||
"name": "huntingquery9-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Query searches for rare Urls. This hunting query depends on DigitalGuardianDLP data connector (DigitalGuardianDLPEvent Parser or Table)"
|
||||
"text": "Query searches for rare Urls. This hunting query depends on DigitalGuardianDLP SyslogAma data connector (DigitalGuardianDLPEvent Syslog Parser or Table)"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
@ -449,7 +449,7 @@
|
|||
"name": "huntingquery10-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Query searches for URLs used. This hunting query depends on DigitalGuardianDLP data connector (DigitalGuardianDLPEvent Parser or Table)"
|
||||
"text": "Query searches for URLs used. This hunting query depends on DigitalGuardianDLP SyslogAma data connector (DigitalGuardianDLPEvent Syslog Parser or Table)"
|
||||
}
|
||||
}
|
||||
]
|
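Review bot: The replacement text in the `dataconnectors-parser-text` block claims the parser produces "Microsoft Sentinel normalized format", but the hunting queries in this same commit still read vendor-specific columns (`inspected_document`, `http_url`, `MatchedPolicies`) from the `DigitalGuardianDLPEvent` function, and the one concrete fact the old text carried — the alias users must query — has been dropped. Keep the alias in the string: `The Solution installs a parser that transforms the ingested Syslog data; the parsed logs can be accessed using the DigitalGuardianDLPEvent Kusto Function alias.` The basics description also still counts **Data Connectors:** 1 while the release note added in this commit says "Deprecating data connectors"; if the legacy connector is being retired, that count and the per-query dependency strings should say so consistently.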
|
@ -0,0 +1,32 @@
|
|||
{
|
||||
"location": {
|
||||
"type": "string",
|
||||
"minLength": 1,
|
||||
"defaultValue": "[resourceGroup().location]",
|
||||
"metadata": {
|
||||
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
|
||||
}
|
||||
},
|
||||
"workspace-location": {
|
||||
"type": "string",
|
||||
"defaultValue": "",
|
||||
"metadata": {
|
||||
"description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
|
||||
}
|
||||
},
|
||||
"workspace": {
|
||||
"defaultValue": "",
|
||||
"type": "string",
|
||||
"metadata": {
|
||||
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
|
||||
}
|
||||
},
|
||||
"workbook1-name": {
|
||||
"type": "string",
|
||||
"defaultValue": "DigitalGuardianDLP",
|
||||
"minLength": 1,
|
||||
"metadata": {
|
||||
"description": "Name for the workbook"
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,5 +1,4 @@
|
|||
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|
||||
|-------------|--------------------------------|-------------------------------------------------------------------------------------------|
|
||||
| 3.0.0 | 09-10-2023 | Fixed KQL validation failure in **Hunting Query** (Digital Guardian - Users incidents) |
|
||||
|
||||
|
||||
| 3.0.1 | 25-07-2024 | Deprecating data connectors |
|
||||
| 3.0.0 | 09-10-2023 | Fixed KQL validation failure in **Hunting Query** (Digital Guardian - Users incidents) |
|