Adding parameters to Authentication +2 expansion queries
Родитель
c5365366c8
Коммит
d1e617e111
|
@ -17,44 +17,66 @@ Tactics:
|
|||
- LateralMovement
|
||||
- Collection
|
||||
query: |
|
||||
|
||||
let SuccessfulLoginEventId = 4624;
|
||||
let FailedLoginEventId = 4625;
|
||||
let MostFailedLogins = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_UPNSuffix:string){
|
||||
SecurityEvent
|
||||
| extend p_Account_Name = case(
|
||||
// Handles mixed use scenario of NTDomain\AccountName@UPNSuffix
|
||||
v_Account_Name has '@' and v_Account_Name has '\\', tostring(split(tostring(split(v_Account_Name, '\\')[1]),'@')[0]),
|
||||
v_Account_Name has '@', tostring(split(v_Account_Name, '@')[0]),
|
||||
v_Account_Name has '\\', tostring(split(v_Account_Name, '\\')[1]),
|
||||
v_Account_Name
|
||||
)
|
||||
| extend p_Account_UPNSuffix = case(
|
||||
v_Account_UPNSuffix has '@', tostring(split(v_Account_UPNSuffix, '@')[1]),
|
||||
v_Account_UPNSuffix has '\\', tostring(split(v_Account_UPNSuffix, '\\')[0]),
|
||||
v_Account_UPNSuffix
|
||||
)
|
||||
| extend p_Account_NTDomain = case(
|
||||
v_Account_NTDomain has '\\', tostring(split(v_Account_UPNSuffix, '\\')[0]),
|
||||
v_Account_NTDomain
|
||||
)
|
||||
// parse Account sections
|
||||
| extend Account_UPNSuffix = iff(Account has '@', tostring(split(Account,'@')[1]),'')
|
||||
| extend Account_NTDomain = iff(Account has '\\', tostring(split(Account,'\\')[0]),'')
|
||||
| extend Account_Name = extract(@'^([^\\]*\\)?([^@]+)@?',2,Account)
|
||||
// filter by account: Name has to match, NTDomain and UPNSuffix should not be different
|
||||
| where ( (isnotempty(Account_Name) and Account_Name==p_Account_Name)
|
||||
and
|
||||
iff(isnotempty(p_Account_NTDomain) and isnotempty(Account_NTDomain) ,p_Account_NTDomain==Account_NTDomain,true )
|
||||
and
|
||||
iff(isnotempty(p_Account_UPNSuffix) and isnotempty(Account_UPNSuffix) ,p_Account_UPNSuffix==Account_UPNSuffix,true )
|
||||
)
|
||||
| summarize Host_Aux_SuccessfulLoginCount = countif(EventID==SuccessfulLoginEventId), Host_Aux_FailedLoginsCount = countif(EventID==FailedLoginEventId), Host_Aux_LogonTypes=make_set(LogonType)
|
||||
by Computer, Account, SourceComputerId, _ResourceId
|
||||
| top 10 by Host_Aux_FailedLoginsCount
|
||||
| parse Computer with Host_NTDomain '\\' *
|
||||
| extend Host_HostName = tostring(split(Computer,'.')[0]),
|
||||
Host_DnsDomain = strcat_array(array_slice(split(Computer,'.'),1,256),'.'), Host_OMSAgentID=SourceComputerId, Host_AzureID = _ResourceId
|
||||
| project-away Computer, Account, _ResourceId, SourceComputerId
|
||||
};
|
||||
MostFailedLogins('<Name>','<NTDomain>','<UPNSuffix>')
|
||||
let isimAuthenticationInstalled=toscalar(union isfuzzy=true (datatable(Test:string)[]), (imAuthentication| take 0) | getschema | count | project Exists=(Count>1));
|
||||
let Legacy = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_UPNSuffix:string){
|
||||
(datatable(exists:int)[1] | where not(isimAuthenticationInstalled)) | join
|
||||
(
|
||||
SecurityEvent
|
||||
| extend p_Account_Name = case(
|
||||
// Handles mixed use scenario of NTDomain\AccountName@UPNSuffix
|
||||
v_Account_Name has '@' and v_Account_Name has '\\', tostring(split(tostring(split(v_Account_Name, '\\')[1]),'@')[0]),
|
||||
v_Account_Name has '@', tostring(split(v_Account_Name, '@')[0]),
|
||||
v_Account_Name has '\\', tostring(split(v_Account_Name, '\\')[1]),
|
||||
v_Account_Name
|
||||
)
|
||||
| extend p_Account_UPNSuffix = case(
|
||||
v_Account_UPNSuffix has '@', tostring(split(v_Account_UPNSuffix, '@')[1]),
|
||||
v_Account_UPNSuffix has '\\', tostring(split(v_Account_UPNSuffix, '\\')[0]),
|
||||
v_Account_UPNSuffix
|
||||
)
|
||||
| extend p_Account_NTDomain = case(
|
||||
v_Account_NTDomain has '\\', tostring(split(v_Account_UPNSuffix, '\\')[0]),
|
||||
v_Account_NTDomain
|
||||
)
|
||||
// parse Account sections
|
||||
| extend Account_UPNSuffix = iff(Account has '@', tostring(split(Account,'@')[1]),'')
|
||||
| extend Account_NTDomain = iff(Account has '\\', tostring(split(Account,'\\')[0]),'')
|
||||
| extend Account_Name = extract(@'^([^\\]*\\)?([^@]+)@?',2,Account)
|
||||
// filter by account: Name has to match, NTDomain and UPNSuffix should not be different
|
||||
| where ( (isnotempty(Account_Name) and Account_Name==p_Account_Name)
|
||||
and
|
||||
iff(isnotempty(p_Account_NTDomain) and isnotempty(Account_NTDomain) ,p_Account_NTDomain==Account_NTDomain,true )
|
||||
and
|
||||
iff(isnotempty(p_Account_UPNSuffix) and isnotempty(Account_UPNSuffix) ,p_Account_UPNSuffix==Account_UPNSuffix,true )
|
||||
)
|
||||
| summarize Host_Aux_SuccessfulLoginCount = countif(EventID==SuccessfulLoginEventId)
|
||||
, Host_Aux_FailedLoginsCount = countif(EventID==FailedLoginEventId)
|
||||
, Host_Aux_LogonTypes=make_set(LogonType)
|
||||
by Computer, Account, SourceComputerId, _ResourceId
|
||||
| top 10 by Host_Aux_FailedLoginsCount
|
||||
| parse Computer with Host_NTDomain '\\' *
|
||||
| extend Host_HostName = tostring(split(Computer,'.')[0]),
|
||||
Host_DnsDomain = strcat_array(array_slice(split(Computer,'.'),1,256),'.')
|
||||
, Host_OMSAgentID=SourceComputerId, Host_AzureID = _ResourceId
|
||||
| project-away Computer, Account, _ResourceId, SourceComputerId
|
||||
| extend exists=int(1) ) on exists | project-away exists, exists1
|
||||
};
|
||||
let Normalized = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_UPNSuffix:string){
|
||||
(datatable(exists:int)[1] | where isimAuthenticationInstalled) | join
|
||||
(
|
||||
imAuthentication(starttime=ago(24h),targetusername_has=v_Account_Name)
|
||||
| where isnotempty(TargetDvcHostname)
|
||||
//* postfiltering *//
|
||||
| where TargetUsername has v_Account_Name
|
||||
| summarize Host_Aux_SuccessfulLoginCount = countif(EventResult=='Success')
|
||||
, Host_Aux_FailedLoginsCount = countif(EventResult=='Failure')
|
||||
, Host_Aux_LogonTypes=make_set(EventSubType)
|
||||
by TargetDvcHostname, TargetDvcId
|
||||
| top 10 by Host_Aux_FailedLoginsCount
|
||||
| parse TargetDvcHostname with Host_NTDomain '\\' *
|
||||
| extend Host_UnstructuredName = TargetDvcHostname
|
||||
| project-keep Host_*
|
||||
| extend exists=int(1) ) on exists | project-away exists, exists1
|
||||
};
|
||||
union isfuzzy=true Legacy('<Name>','<NTDomain>','<UPNSuffix>'),Normalized('<Name>','<NTDomain>','<UPNSuffix>')
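Review bot: The Legacy branch still summarizes with `countif(EventID==SuccessfulLoginEventId)` and `countif(EventID==FailedLoginEventId)`, but the `let SuccessfulLoginEventId = 4624;` and `let FailedLoginEventId = 4625;` declarations appear only on the removed side of this hunk, so unless they are declared earlier in the file the new query cannot bind those names; restore the two `let` lines at the top of the query or inline `EventID==4624` / `EventID==4625`. The `p_Account_NTDomain` case splits `v_Account_UPNSuffix` where it should split `v_Account_NTDomain` — that was already in the old query, but the commit copies it into Legacy rather than fixing it. The Normalized branch matches only `TargetUsername has v_Account_Name`, ignoring the NTDomain and UPNSuffix arguments that Legacy enforces, and it limits the lookup to `starttime=ago(24h)` while Legacy has no time window, so the two branches return differently scoped results for the same inputs; either pass the extra parameters through or document in a comment that Normalized matches on name only. Note that `has` is a term match, so a short name such as `'<Name>'` may also match other accounts in the normalized path.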
|
|
@ -16,9 +16,11 @@ Tactics:
|
|||
- LateralMovement
|
||||
- Collection
|
||||
query: |
|
||||
|
||||
let GetAllIPbyAccount = (v_Account_Name:string){
|
||||
OfficeActivity
|
||||
let isimAuthenticationInstalled=toscalar(union isfuzzy=true (datatable(Test:string)[]), (imAuthentication| take 0) | getschema | count | project Exists=(Count>1));
|
||||
let Legacy = (v_Account_Name:string){
|
||||
(datatable(exists:int)[1] | where not(isimAuthenticationInstalled)) // if table is not installed this table is [1]
|
||||
| join
|
||||
(OfficeActivity
|
||||
| extend v_Account_Name = case(
|
||||
v_Account_Name has '@', tostring(split(v_Account_Name, '@')[0]),
|
||||
v_Account_Name has '\\', tostring(split(v_Account_Name, '\\')[1]),
|
||||
|
@ -29,7 +31,15 @@ query: |
|
|||
| summarize min(TimeGenerated), max(TimeGenerated), IP_Aux_info = makeset(info) by ClientIP
|
||||
| project IP_Aux_StartTime = min_TimeGenerated, IP_Aux_EndTime = max_TimeGenerated, ClientIP, IP_Aux_info
|
||||
| project-rename IP_Address=ClientIP
|
||||
| top 10 by IP_Aux_StartTime desc nulls last
|
||||
| top 10 by IP_Aux_StartTime desc nulls last | extend exists=int(1)) on exists
|
||||
| project-away exists, exists1
|
||||
};
|
||||
// change <Name> value below
|
||||
GetAllIPbyAccount ('<Name>')
|
||||
let Normalized = (v_Account_Name:string){
|
||||
(datatable(exists:int)[1] | where isimAuthenticationInstalled)
|
||||
| join (
|
||||
imAuthentication(targetusername_has=v_Account_Name)
|
||||
| summarize IP_Aux_StartTime=min(TimeGenerated), IP_Aux_EndTime=max(TimeGenerated) by SrcDvcIpAddr
|
||||
| project-rename IP_Address=SrcDvcIpAddr
|
||||
| top 10 by IP_Aux_StartTime desc nulls last | extend exists=int(1)) on exists | project-away exists, exists1
|
||||
};
|
||||
union isfuzzy=true Legacy('<Name>'), Normalized('<Name>')
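Review bot: The Legacy branch first rewrites `v_Account_Name` with a `case(...)` that strips an NTDomain prefix or UPN suffix before matching OfficeActivity, while the Normalized branch passes the raw parameter straight to `imAuthentication(targetusername_has=v_Account_Name)`, so an input such as `DOMAIN\user` or `user@domain` is matched against different strings by the two branches; apply the same normalisation before the call, or add a comment stating that Normalized expects the bare account name. Normalized also omits the `IP_Aux_info` column that Legacy emits, so consumers of the union see a different schema depending on which branch fired, and `union isfuzzy=true` masks that difference instead of reporting it. The Legacy function this hunk closes begins in the previous hunk.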
|
|
@ -19,7 +19,7 @@
|
|||
{
|
||||
"type": "savedSearches",
|
||||
"apiVersion": "2020-08-01",
|
||||
"name": "vimAuthenticationAADManagedIdentitySignInLogs",
|
||||
"name": "ASimAuthenticationAADManagedIdentitySignInLogs",
|
||||
"dependsOn": [
|
||||
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
|
||||
],
|
||||
|
@ -27,7 +27,7 @@
|
|||
"etag": "*",
|
||||
"displayName": "Azure active directory managed identity authentication",
|
||||
"category": "Security",
|
||||
"FunctionAlias": "vimAuthenticationAADManagedIdentitySignInLogs",
|
||||
"FunctionAlias": "ASimAuthenticationAADManagedIdentitySignInLogs",
|
||||
"query": "let AADMIAuthentication=(){\n AADManagedIdentitySignInLogs\n | extend\n EventVendor = 'Microsoft'\n , EventProduct = 'AAD Managed Identity'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventResult = iff (ResultType ==0, 'Success', 'Failure')\n //, EventOriginalResultDetails = ResultType\n , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n , EventStartTime = TimeGenerated\n , EventEndTime= TimeGenerated\n , EventType= 'Logon'\n , Location = todynamic(LocationDetails)\n , TargetAppId = ResourceIdentity \n , TargetAppName=ResourceDisplayName\n , TargetUserType='ServicePrincipal'\n , TargetUsername=ServicePrincipalName\n , TargetUserId=ServicePrincipalId\n , TargetUsernameType='Simple'\n , TargetUserIdType='AADID'\n | extend\n SrcGeoCity=tostring(Location.city)\n , SrcGeoCountry=tostring(Location.countryOrRegion)\n , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | project-rename\n EventOriginalUid = Id\n , TargetSessionId = CorrelationId\n , SrcDvcIpAddr = IPAddress\n | project-reorder\n TimeGenerated\n ,EventProduct\n , EventOriginalUid\n , EventResult\n //, EventOriginalResultDetails \n , EventOriginalResultDetails\n , EventStartTime\n , EventEndTime\n , TargetSessionId\n , SrcGeoCountry\n , SrcGeoCity\n , TargetAppName\n , TargetAppId\n | lookup AADSTSErrorCodes on ResultType\n // ** Aliases\n | extend \n User=TargetUsername\n , LogonTarget=ResourceIdentity\n , Dvc=EventVendor\n };\nAADMIAuthentication",
|
||||
"version": 1
|
||||
}
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# Azure active directory managed identity signin logs ASIM Authentication Normalization Parser
|
||||
|
||||
This template deploys the ASIM Authentication schema parser for Azure active directory managed identity signin logs. The parser is a part of the Azure Sentinel Information Mode.
|
||||
This template deploys the ASIM Authentication schema parser for Azure active directory managed identity signin logs. The parser is a part of the Azure Sentinel Information Model.
|
||||
|
||||
The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
|
||||
|
||||
|
|
|
@ -19,7 +19,7 @@
|
|||
{
|
||||
"type": "savedSearches",
|
||||
"apiVersion": "2020-08-01",
|
||||
"name": "vimAuthenticationAADNonInteractiveUserSignInLogs",
|
||||
"name": "ASimAuthenticationAADNonInteractiveUserSignInLogs",
|
||||
"dependsOn": [
|
||||
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
|
||||
],
|
||||
|
@ -27,7 +27,7 @@
|
|||
"etag": "*",
|
||||
"displayName": "Azure active directory non interactive authentication",
|
||||
"category": "Security",
|
||||
"FunctionAlias": "vimAuthenticationAADNonInteractiveUserSignInLogs",
|
||||
"FunctionAlias": "ASimAuthenticationAADNonInteractiveUserSignInLogs",
|
||||
"query": "let AADNIAuthentication=(){\n AADNonInteractiveUserSignInLogs\n | extend\n EventVendor = 'Microsoft'\n , EventProduct = 'AAD Non Interactive'\n , EventSchemaVersion='0.1.0'\n , EventCount=int(1)\n , EventResult = iff (ResultType ==0, 'Success', 'Failure')\n , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n , EventStartTime = TimeGenerated\n , EventEndTime= TimeGenerated\n , EventType= 'Logon'\n , SrcDvcId=tostring(todynamic(DeviceDetail).deviceId)\n , SrcDvcHostname =tostring(todynamic(DeviceDetail).displayName)\n , SrcDvcOs=tostring(todynamic(DeviceDetail).operatingSystem)\n , Location = todynamic(LocationDetails)\n , TargetAppId = ResourceIdentity \n , TargetUserType='NonInteractive'\n , TargetUsernameType='Upn'\n , TargetUserIdType='AADID'\n , TargetAppName=ResourceDisplayName\n | extend\n SrcGeoCity=tostring(Location.city)\n , SrcGeoCountry=tostring(Location.countryOrRegion)\n , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | project-rename\n EventOriginalUid =Id\n , LogonMethod = AuthenticationRequirement\n , HttpUserAgent=UserAgent\n , TargetSessionId=CorrelationId\n , TargetUserId = UserId\n , TargetUsername=UserPrincipalName\n , SrcDvcIpAddr=IPAddress\n | lookup AADSTSErrorCodes on ResultType\n | project-reorder\n TimeGenerated\n ,EventProduct\n , EventOriginalUid\n , EventResult\n , EventOriginalResultDetails\n , EventStartTime\n , EventEndTime\n , LogonMethod \n , TargetSessionId\n , TargetUserId\n , TargetUsername\n , SrcDvcId\n , SrcDvcHostname \n , SrcDvcOs\n , HttpUserAgent \n , SrcGeoCountry\n , SrcGeoCity\n , TargetAppId\n , TargetAppName\n // ** Aliases\n | extend \n User=TargetUsername\n , LogonTarget=ResourceIdentity\n , Dvc=EventVendor};\nAADNIAuthentication",
|
||||
"version": 1
|
||||
}
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# Azure active directory nonInteractive signin logs ASIM Authentication Normalization Parser
|
||||
|
||||
This template deploys the ASIM Authentication schema parser for Azure active directory nonInteractive signin logs. The parser is a part of the Azure Sentinel Information Mode.
|
||||
This template deploys the ASIM Authentication schema parser for Azure active directory nonInteractive signin logs. The parser is a part of the Azure Sentinel Information Model.
|
||||
|
||||
The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
|
||||
|
||||
|
|
|
@ -19,7 +19,7 @@
|
|||
{
|
||||
"type": "savedSearches",
|
||||
"apiVersion": "2020-08-01",
|
||||
"name": "vimAuthenticationAADServicePrincipalSignInLogs",
|
||||
"name": "ASimAuthenticationAADServicePrincipalSignInLogs",
|
||||
"dependsOn": [
|
||||
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
|
||||
],
|
||||
|
@ -27,7 +27,7 @@
|
|||
"etag": "*",
|
||||
"displayName": "Azure active directory service principal authentication",
|
||||
"category": "Security",
|
||||
"FunctionAlias": "vimAuthenticationAADServicePrincipalSignInLogs",
|
||||
"FunctionAlias": "ASimAuthenticationAADServicePrincipalSignInLogs",
|
||||
"query": "let AADSvcPrincipal=(){\n AADServicePrincipalSignInLogs\n | extend\n EventVendor = 'Microsoft'\n , EventProduct = 'AAD Service Principal'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventResult = iff (ResultType ==0, 'Success', 'Failure')\n //, EventResultDetails= ResultType\n , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n , EventStartTime = TimeGenerated\n , EventEndTime= TimeGenerated\n , EventType= 'Logon'\n , Location = todynamic(LocationDetails)\n , TargetAppId = ResourceIdentity \n , TargetAppName=ResourceDisplayName\n , TargetUserType='ServicePrincipal'\n , TargetUsername=ServicePrincipalName\n , TargetUserId=ServicePrincipalId\n , TargetUsernameType='Simple'\n , TargetUserIdType='AADID'\n | extend\n SrcGeoCity=tostring(Location.city)\n , SrcGeoCountry=tostring(Location.countryOrRegion)\n , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | project-rename\n EventOriginalUid =Id\n , TargetSessionId=CorrelationId\n , SrcDvcIpAddr=IPAddress\n | lookup AADSTSErrorCodes on ResultType\n | project-reorder\n TimeGenerated\n ,EventProduct\n , EventOriginalUid\n , EventResult\n //, EventResultDetails\n , EventOriginalResultDetails\n , EventStartTime\n , EventEndTime\n , TargetSessionId\n , SrcGeoCity\n , SrcGeoCountry\n , TargetAppId\n // ** Aliases\n | extend \n User=TargetUsername\n , LogonTarget=ResourceIdentity\n , Dvc=EventVendor};\nAADSvcPrincipal",
|
||||
"version": 1
|
||||
}
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# Azure active directory service principal signin logs ASIM Authentication Normalization Parser
|
||||
|
||||
This template deploys the ASIM Authentication schema parser for Azure active directory service principal signin logs. The parser is a part of the Azure Sentinel Information Mode.
|
||||
This template deploys the ASIM Authentication schema parser for Azure active directory service principal signin logs. The parser is a part of the Azure Sentinel Information Model.
|
||||
|
||||
The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
|
||||
|
||||
|
|
|
@ -19,7 +19,7 @@
|
|||
{
|
||||
"type": "savedSearches",
|
||||
"apiVersion": "2020-08-01",
|
||||
"name": "vimAuthenticationSigninLogs",
|
||||
"name": "ASimAuthenticationSigninLogs",
|
||||
"dependsOn": [
|
||||
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
|
||||
],
|
||||
|
@ -27,8 +27,8 @@
|
|||
"etag": "*",
|
||||
"displayName": "Azure active directory authentication",
|
||||
"category": "Security",
|
||||
"FunctionAlias": "vimAuthenticationSigninLogs",
|
||||
"query": "let AADSigninLogs=(){\nSigninLogs\n| extend\n EventVendor = 'Microsoft'\n , EventProduct = 'AAD Sign In Logs'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventResult = iff (ResultType ==0, 'Success', 'Failure')\n , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n , EventStartTime = TimeGenerated\n , EventEndTime= TimeGenerated\n , EventType= 'Logon'\n , SrcDvcId=tostring(DeviceDetail.deviceId)\n , SrcDvcHostname =tostring(DeviceDetail.displayName)\n , SrcDvcOs=tostring(DeviceDetail.operatingSystem)\n // , SrcBrowser= tostring(DeviceDetail.browser)\n , Location = todynamic(LocationDetails)\n , TargetUsernameType='Upn'\n , TargetUserIdType='AADID'\n| extend\n SrcGeoCity=tostring(Location.city)\n , SrcGeoCountry=tostring(Location.countryOrRegion)\n , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | lookup AADSTSErrorCodes on ResultType\n | project-rename\n EventOriginalUid =Id\n , LogonMethod = AuthenticationRequirement\n , HttpUserAgent=UserAgent\n , TargetSessionId=CorrelationId\n , TargetUserId = UserId\n , TargetUsername=UserPrincipalName\n , TargetUserType=UserType\n , TargetAppId = ResourceIdentity\n , TargetAppName=ResourceDisplayName\n | project-reorder\n TimeGenerated\n ,EventProduct\n , EventOriginalUid\n , EventResult\n , EventOriginalResultDetails\n , EventStartTime\n , EventEndTime\n , LogonMethod \n , TargetSessionId\n , TargetUserId\n , TargetUsername\n , SrcDvcId\n , SrcDvcHostname \n , SrcDvcOs\n , HttpUserAgent \n , SrcGeoCity\n , SrcGeoCountry\n , TargetAppId\n , TargetAppName\n // ** Aliases\n | extend \n User=TargetUsername\n , LogonTarget=TargetAppName\n , Dvc=EventVendor};\n AADSigninLogs",
|
||||
"FunctionAlias": "ASimAuthenticationSigninLogs",
|
||||
"query": "let AADSigninLogs=(){\nSigninLogs\n| extend\n EventVendor = 'Microsoft'\n , EventProduct = 'AAD Sign In Logs'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventResult = iff (ResultType ==0, 'Success', 'Failure')\n , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n , EventStartTime = TimeGenerated\n , EventEndTime= TimeGenerated\n , EventType= 'Logon'\n , SrcDvcId=tostring(DeviceDetail.deviceId)\n , SrcDvcHostname =tostring(DeviceDetail.displayName)\n , SrcDvcOs=tostring(DeviceDetail.operatingSystem)\n // , SrcBrowser= tostring(DeviceDetail.browser)\n , Location = todynamic(LocationDetails)\n , TargetUsernameType='Upn'\n , TargetUserIdType='AADID'\n , SrcDvcIpAddr=IPAddress\n| extend\n SrcGeoCity=tostring(Location.city)\n , SrcGeoCountry=tostring(Location.countryOrRegion)\n , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | lookup AADSTSErrorCodes on ResultType\n | project-rename\n EventOriginalUid =Id\n , LogonMethod = AuthenticationRequirement\n , HttpUserAgent=UserAgent\n , TargetSessionId=CorrelationId\n , TargetUserId = UserId\n , TargetUsername=UserPrincipalName\n , TargetUserType=UserType\n , TargetAppId = ResourceIdentity\n , TargetAppName=ResourceDisplayName\n | project-reorder\n TimeGenerated\n ,EventProduct\n , EventOriginalUid\n , EventResult\n , EventOriginalResultDetails\n , EventStartTime\n , EventEndTime\n , LogonMethod \n , TargetSessionId\n , TargetUserId\n , TargetUsername\n , SrcDvcId\n , SrcDvcHostname \n , SrcDvcOs\n , HttpUserAgent \n , SrcGeoCity\n , SrcGeoCountry\n , TargetAppId\n , TargetAppName\n , SrcDvcIpAddr\n // ** Aliases\n | extend \n User=TargetUsername\n , LogonTarget=TargetAppName\n , Dvc=EventVendor};\n AADSigninLogs\n",
|
||||
"version": 1
|
||||
}
|
||||
}
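Review bot: The new `SrcDvcIpAddr=IPAddress` is added as an `extend` in the first block of the query, whereas the sibling AAD parsers in this commit map `SrcDvcIpAddr=IPAddress` inside `project-rename`; `extend` keeps the raw `IPAddress` column next to the normalized one, so the SigninLogs output carries both names while the other parsers carry one. For consistency move it into the `project-rename` list, e.g. `, SrcDvcIpAddr=IPAddress` after `TargetAppName=ResourceDisplayName`, and drop it from the `extend`. Apart from that addition, the reorder entry and a trailing newline, the query line appears otherwise unchanged.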
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# Azure SigninLogs ASIM Authentication Normalization Parser
|
||||
|
||||
This template deploys the ASIM Authentication schema parser for Azure SigninLogs. The parser is a part of the Azure Sentinel Information Mode.
|
||||
This template deploys the ASIM Authentication schema parser for Azure SigninLogs. The parser is a part of the Azure Sentinel Information Model.
|
||||
|
||||
The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
|
||||
|
||||
|
|
|
@ -19,7 +19,7 @@
|
|||
{
|
||||
"type": "savedSearches",
|
||||
"apiVersion": "2020-08-01",
|
||||
"name": "vimAuthenticationAWSCloudTrail",
|
||||
"name": "ASimAuthenticationAWSCloudTrail",
|
||||
"dependsOn": [
|
||||
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
|
||||
],
|
||||
|
@ -27,7 +27,7 @@
|
|||
"etag": "*",
|
||||
"displayName": "ASIM AWS authentication",
|
||||
"category": "Security",
|
||||
"FunctionAlias": "vimAuthenticationAWSCloudTrail",
|
||||
"FunctionAlias": "ASimAuthenticationAWSCloudTrail",
|
||||
"query": "let AWSLogon=(){\nAWSCloudTrail\n | where EventName == 'ConsoleLogin'\n | extend\n EventVendor = 'AWS'\n , EventProduct='AWSCloudTrail'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventResult= iff (ResponseElements has_cs 'Success', 'Success', 'Failure')\n , EventStartTime=TimeGenerated\n , EventEndTime=TimeGenerated\n , EventType='Logon'\n , LogonMethod=iff(AdditionalEventData has '\"MFAUsed\": \"No\"', 'NoMFA', 'MFA')\n , TargetUrl =tostring(todynamic(AdditionalEventData).LoginTo)\n , TargetUsernameType='Simple'\n , TargetUserIdType='AWSId'\n | project-rename\n EventOriginalUid= AwsEventId\n , EventOriginalResultDetails= ErrorMessage\n , TargetUsername= UserIdentityUserName\n , TargetUserType=UserIdentityType\n , TargetUserId=UserIdentityAccountId \n , SrcDvcIpAddr=SourceIpAddress\n , HttpUserAgent=UserAgent\n// **** Aliases\n| extend\n User=TargetUsername\n , LogonTarget=tostring(split(TargetUrl,'?')[0])\n , Dvc=EventVendor\n };\n AWSLogon\n",
|
||||
"version": 1
|
||||
}
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# Amazon web services cloud trail ASIM Authentication Normalization Parser
|
||||
|
||||
This template deploys the ASIM Authentication schema parser for Amazon web services cloud trail. The parser is a part of the Azure Sentinel Information Mode.
|
||||
This template deploys the ASIM Authentication schema parser for Amazon web services cloud trail. The parser is a part of the Azure Sentinel Information Model.
|
||||
|
||||
The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
|
||||
|
||||
|
|
|
@ -19,7 +19,7 @@
|
|||
{
|
||||
"type": "savedSearches",
|
||||
"apiVersion": "2020-08-01",
|
||||
"name": "imAuthentication",
|
||||
"name": "ASimAuthentication",
|
||||
"dependsOn": [
|
||||
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
|
||||
],
|
||||
|
@ -27,8 +27,8 @@
|
|||
"etag": "*",
|
||||
"displayName": "ASIM Source Agnostic Authentication Parser",
|
||||
"category": "Security",
|
||||
"FunctionAlias": "imAuthentication",
|
||||
"query": "union isfuzzy=true\nvimAuthenticationEmpty\n , vimAuthenticationAADManagedIdentitySignInLogs\n , vimAuthenticationAADNonInteractiveUserSignInLogs\n , vimAuthenticationAADServicePrincipalSignInLogs\n , vimAuthenticationSigninLogs\n , vimAuthenticationAWSCloudTrail\n , vimAuthenticationOktaSSO\n , vimAuthenticationWindowsSecurityEvent\n , vimAuthenticationM365Defender\n , vimAuthenticationMicrosoftWindowsEvent\n",
|
||||
"FunctionAlias": "ASimAuthentication",
|
||||
"query": "union isfuzzy=true\nvimAuthenticationEmpty\n , ASimAuthenticationAADManagedIdentitySignInLogs\n , ASimAuthenticationAADNonInteractiveUserSignInLogs\n , ASimAuthenticationAADServicePrincipalSignInLogs\n , ASimAuthenticationSigninLogs\n , ASimAuthenticationAWSCloudTrail\n , ASimAuthenticationOktaSSO\n , ASimAuthenticationWindowsSecurityEvent\n , ASimAuthenticationM365Defender\n , ASimAuthenticationMicrosoftWindowsEvent\n , ASimAuthenticationMD4IoT",
|
||||
"version": 1
|
||||
}
|
||||
}
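Review bot: The union behind the renamed `ASimAuthentication` alias still lists `vimAuthenticationEmpty` while every other member now carries the `ASim` prefix; if the Empty parser was renamed as well it will be silently skipped, because `union isfuzzy=true` drops unresolvable members instead of failing. The same property means a source parser that fails to deploy — including `ASimAuthenticationM365Defender` and `ASimAuthenticationMD4IoT` introduced in this commit — simply disappears from the generic view, so detections built on it lose a source without any error; a comment such as `// isfuzzy=true: a missing source parser is skipped silently - verify every alias deploys` would make that explicit for maintainers. The two hunting queries earlier in this commit still probe for and call `imAuthentication(...)` with parameters, so that alias has to stay deployed alongside `ASimAuthentication` for them to work; if it is being replaced by this rename, those queries need updating too.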
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# ASIM Authentication Normalization source agnostic parser
|
||||
|
||||
This template deploys the ASIM Authentication source agnostic parser. The parser is a part of the Azure Sentinel Information Mode.
|
||||
This template deploys the ASIM Authentication source agnostic parser. The parser is a part of the Azure Sentinel Information Model.
|
||||
|
||||
The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
|
||||
|
||||
|
@ -12,4 +12,4 @@ For more information, see:
|
|||
<br>
|
||||
|
||||
|
||||
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FAuthenticationGeneric%2FAuthenticationGeneric.json)
|
||||
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FAuthenticationGeneric%2FAuthenticationGeneric.json)
|
|
@ -0,0 +1,38 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"type": "string"
|
||||
},
|
||||
"location": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"type": "Microsoft.OperationalInsights/workspaces",
|
||||
"apiVersion": "2017-03-15-preview",
|
||||
"name": "[parameters('workspaceName')]",
|
||||
"location": "[parameters('location')]",
|
||||
"resources": [
|
||||
{
|
||||
"type": "savedSearches",
|
||||
"apiVersion": "2020-08-01",
|
||||
"name": "ASimAuthenticationM365Defender",
|
||||
"dependsOn": [
|
||||
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
|
||||
],
|
||||
"properties": {
|
||||
"etag": "*",
|
||||
"displayName": "ASIM Microsoft 365 Defender DeviceLogonEvent Authentication parser",
|
||||
"category": "Security",
|
||||
"FunctionAlias": "ASimAuthenticationM365Defender",
|
||||
"query": "let FaliureReason=datatable(EventOriginalResultDetails:string, EventResultDetails:string)[\n 'InvalidUserNameOrPassword','No such user or password'\n ];\nlet AuthM365D=(){\n DeviceLogonEvents \n //\n | project-rename \n EventOriginalResultDetails=FailureReason \n | extend \n // ---- Event\n EventSubType=iff(LogonType=='Remote interactive (RDP) logons','RemoteInteractive',LogonType)\n , EventCount=int(1)\n , EventStartTime=TimeGenerated\n , EventEndTime=TimeGenerated\n , EventOriginalType = LogonType\n , EventProduct='M365 Defender for EndPoint'\n , EventResult = case(ActionType =='LogonSuccess', 'Success'\n , ActionType=='LogonFailed', 'Failure'\n , ActionType=='LogonAttempted', 'NA'\n , 'NA')\n , EventSchemaVersion='0.1.0'\n , EventType='Logon'\n , EventVendor ='Microsoft'\n // ---- Target and Actor Users\n | project-rename \n TargetUserId=AccountSid\n , ActorUserId =InitiatingProcessAccountSid\n , ActorUserUpn=InitiatingProcessAccountUpn\n , ActorUserObjectId=InitiatingProcessAccountObjectId\n | extend \n TargetUserIdType ='SID'\n , TargetUsername = strcat(AccountDomain,'\\\\',AccountName)\n , TargetUsernameType='Windows'\n , ActorUserIdType='SID'\n , ActorUsername=coalesce(ActorUserUpn, strcat(InitiatingProcessAccountDomain,'\\\\',InitiatingProcessAccountName)) // InitiatingProcessAccountName\n , ActorUsernameType=case(isnotempty( ActorUserUpn), 'Upn/Email'\n , isnotempty(InitiatingProcessAccountDomain), 'Windows'\n , 'Simple')\n , TargetDvcHostname=tostring(split(DeviceName,'.')[0])\n , TargetDvcFQDN=DeviceName\n | project-rename \n LogonProtocol=Protocol\n , TargetDvcId=DeviceId\n , SrcDvcIpAddr=RemoteIP\n , OriginalEventUid=ReportId\n , SrcDvcHostname=RemoteDeviceName \n //\n , ActingProcessCommandLine = InitiatingProcessCommandLine\n , ActingProcessCreationTime=InitiatingProcessCreationTime\n , ActingProcessPath=InitiatingProcessFolderPath\n , ActingProcessId=InitiatingProcessId\n , ActingProcessMD5=InitiatingProcessMD5\n , 
ActingProcessSHA1=InitiatingProcessSHA1\n , ActingProcessSHA256= InitiatingProcessSHA256\n , ActingProcessIntegrityLevel= InitiatingProcessIntegrityLevel\n , ActingProcessTokenElevation=InitiatingProcessTokenElevation\n , ParentProcessName=InitiatingProcessParentFileName\n , ParentProcessId=InitiatingProcessParentId\n , ParentProcessCreationTime=InitiatingProcessParentCreationTime\n | extend \n ActingProcessName=iff(ActingProcessPath hassuffix InitiatingProcessFileName\n , ActingProcessPath\n , strcat(ActingProcessPath,'\\\\',InitiatingProcessFileName))\n , TargetDvcHostnameType='FQDN'\n , TargetDvcIdType='MDE'\n , TargetPortNumber=RemotePort\n , TargetSessionId = tostring(LogonId)\n | lookup FaliureReason on EventOriginalResultDetails \n // TargetUrl \n // ----------- Alias\n | extend \n User=TargetUsername \n , LogonTarget=TargetDvcHostname\n , Dvc=TargetDvcHostname\n };AuthM365D\n",
|
||||
"version": 1
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
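Review bot: The `project-rename` block in the new parser maps `OriginalEventUid=ReportId`, but every other parser in this commit exposes that field as `EventOriginalUid`, so this column will not line up with the rest of the `ASimAuthentication` union; change it to `EventOriginalUid=ReportId`. The lookup table is spelled `FaliureReason` in both its declaration and the `| lookup` call — harmless, but worth correcting to `FailureReason` while the file is new. The alias `Dvc=TargetDvcHostname` also differs from the `Dvc=EventVendor` used by the AAD and AWS parsers here; if that is deliberate, a short comment next to the alias block would save the next reader the comparison.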
|
|
@ -0,0 +1,15 @@
|
|||
# M365 Defender ASIM Authentication Normalization Parser
|
||||
|
||||
This template deploys the ASIM Authentication schema parser for M365 Defender. The parser is a part of the Azure Sentinel Information Model.
|
||||
|
||||
The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
|
||||
|
||||
For more information, see:
|
||||
|
||||
- [Normalization and the Azure Sentinel Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
|
||||
- [Azure Sentinel Authentication normalization schema reference](https://aka.ms/AzSentinelAuthenticationDoc)
|
||||
|
||||
<br>
|
||||
|
||||
|
||||
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FAuthenticationM365D%2FAuthenticationM365D.json)
|
|
@ -19,15 +19,15 @@
|
|||
{
|
||||
"type": "savedSearches",
|
||||
"apiVersion": "2020-08-01",
|
||||
"name": "vimAuthenticationMD4IoT",
|
||||
"name": "ASimAuthenticationMD4IoT",
|
||||
"dependsOn": [
|
||||
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
|
||||
],
|
||||
"properties": {
|
||||
"etag": "*",
|
||||
"displayName": "ASIM Azure Defender for IoT Authentication Parser",
|
||||
"displayName": "ASIM Authentication Parser for Microsoft Defender for IoT - Endpoint",
|
||||
"category": "Security",
|
||||
"FunctionAlias": "vimAuthenticationMD4IoT",
|
||||
"FunctionAlias": "ASimAuthenticationMD4IoT",
|
||||
"query": "let Authentication_MD4IoT=()\n {\n SecurityIoTRawEvent \n | where RawEventName == \"Login\" \n | extend\n EventDetails = todynamic(EventDetails)\n //\n | extend\n EventOriginalUid = tostring(EventDetails.OriginalEventId), \n EventProduct = 'Azure Defender for IoT',\n EventCount=int(1),\n EventVendor = 'Microsoft', \n EventSchemaVersion = '0.1.0', \n EventStartTime = todatetime(EventDetails.TimestampUTC), \n EventEndTime = todatetime(TimeGenerated), \n EventType = iff (EventDetails.Operation == 'Logout', 'Logoff', 'Logon'), \n EventResult = iff (EventDetails.Operation == 'LoginFailed', 'Failure', 'Success') \n //\n | extend\n ActingProcessId = tostring(EventDetails.ProcessId), \n ActingProcessName = tostring(EventDetails.Executable), // -- Linux input device or service used to authenticate, for example pts/1, tty1, pts/0, ssh:notty \n DvcOs = iif (EventDetails.MessageSource == \"Linux\", \"Linux\", \"Windows\"), // -- Intermediate fix\n TargetUsernameType = \"Simple\",\n TargetUsername = tostring(EventDetails.UserName),\n SrcIpAddr = tostring(EventDetails.RemoteAddress) \n | project-rename\n DvcHostname = DeviceId, \n EventProductVersion = AgentVersion, // -- Not available in Windows\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId \n //\n // -- aliases\n | extend \n User = TargetUsername, \n Process = ActingProcessName, \n Dvc = DvcHostname,\n SrcDvcIpAddr = SrcIpAddr,\n IpAddr = SrcIpAddr\n };\n Authentication_MD4IoT",
|
||||
"version": 1
|
||||
}
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# Azure Defender 4 IoT ASIM Authentication Normalization Parser
|
||||
# Microsoft Defender for IoT - Endpoint ASIM Authentication Normalization Parser
|
||||
|
||||
This template deploys the ASIM Authentication schema parser for Azure Defender 4 IoT. The parser is a part of the Azure Sentinel Information Model.
|
||||
This template deploys the ASIM Authentication schema parser for Microsoft Defender for IoT - Endpoint. The parser is a part of the Azure Sentinel Information Model.
|
||||
|
||||
The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# Microsoft Windows Events ASIM Authentication Normalization Parser
|
||||
|
||||
This template deploys the ASIM Authentication schema parser for Microsoft Windows Events. The parser is a part of the Azure Sentinel Information Mode.
|
||||
This template deploys the ASIM Authentication schema parser for Microsoft Windows Events. The parser is a part of the Azure Sentinel Information Model.
|
||||
|
||||
The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
|
||||
|
||||
|
|
|
@ -19,7 +19,7 @@
|
|||
{
|
||||
"type": "savedSearches",
|
||||
"apiVersion": "2020-08-01",
|
||||
"name": "vimAuthenticationOktaSSO",
|
||||
"name": "ASimAuthenticationOktaSSO",
|
||||
"dependsOn": [
|
||||
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
|
||||
],
|
||||
|
@ -27,8 +27,8 @@
|
|||
"etag": "*",
|
||||
"displayName": "ASIM Okta identity management authentication parser",
|
||||
"category": "Security",
|
||||
"FunctionAlias": "vimAuthenticationOktaSSO",
|
||||
"query": "let OktaSignin=(){\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED','DENY']);\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n // https://developer.okta.com/docs/reference/api/event-types/#catalog\n Okta_CL\n | where eventType_s_s in (OktaSigninEvents)\n | extend \n EventProduct='Okta'\n , EventVendor='Okta'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventResult = case (outcome_result_s_s in (OktaSuccessfulOutcome), 'Success',outcome_result_s_s in (OktaFailedOutcome),'Failure', 'Partial')\n , EventStartTime=TimeGenerated\n , EventEndTime=TimeGenerated\n , EventType=iff(eventType_s_s hassuffix 'start', 'Logon', 'Logoff')\n , EventSubType=legacyEventType_s_s\n , TargetUserIdType='OktaId'\n , TargetUsernameType='Upn'\n , SrcGeoLatitude=toreal(client_geographicalContext_geolocation_lat_d_s)\n , SrcGeoLongitude=toreal(client_geographicalContext_geolocation_lon_d_s)\n , ActingAppType = \"Browser\"\n | project-rename \n EventMessage=displayMessage_s_s\n ,EventOriginalResultDetails=outcome_reason_s_s\n , LogonMethod = authenticationContext_credentialType_s_s\n , TargetSessionId=authenticationContext_externalSessionId_s_s\n , TargetUserId= actor_id_s_s\n , TargetUsername=actor_alternateId_s_s\n , TargetUserType=actor_type_s_s\n , SrcDvcOs=client_userAgent_os_s_s\n , HttpUserAgent=client_userAgent_rawUserAgent_s_s\n , ActingAppName = client_userAgent_browser_s_s\n , SrcIsp=securityContext_isp_s_s\n , SrcGeoCity=client_geographicalContext_city_s_s\n , SrcGeoCountry=client_geographicalContext_country_s_s\n , EventOriginalUid = uuid_g_g\n | project-reorder\n EventProduct\n , EventOriginalUid\n , TimeGenerated\n , EventMessage\n , EventResult\n , EventOriginalResultDetails\n , EventStartTime\n , EventEndTime\n , EventType\n , EventSubType\n , LogonMethod\n , TargetSessionId\n , TargetUserId\n , TargetUsername\n , TargetUserType\n , SrcDvcOs\n , HttpUserAgent\n 
, SrcIsp\n , SrcGeoCity\n , SrcGeoCountry\n , SrcGeoLongitude\n , SrcGeoLatitude\n // ** Aliases\n | extend \n User=TargetUsername\n , Dvc=EventVendor\n };\nOktaSignin\n",
|
||||
"FunctionAlias": "ASimAuthenticationOktaSSO",
|
||||
"query": "let OktaSignin=(){\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED','DENY']);\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n // https://developer.okta.com/docs/reference/api/event-types/#catalog\n Okta_CL\n | where eventType_s_s in (OktaSigninEvents)\n | extend \n EventProduct='Okta'\n , EventVendor='Okta'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventResult = case (outcome_result_s_s in (OktaSuccessfulOutcome), 'Success',outcome_result_s_s in (OktaFailedOutcome),'Failure', 'Partial')\n , EventStartTime=TimeGenerated\n , EventEndTime=TimeGenerated\n , EventType=iff(eventType_s_s hassuffix 'start', 'Logon', 'Logoff')\n , EventSubType=legacyEventType_s_s\n , TargetUserIdType='OktaId'\n , TargetUsernameType='Upn'\n , SrcGeoLatitude=toreal(client_geographicalContext_geolocation_lat_d)\n , SrcGeoLongitude=toreal(client_geographicalContext_geolocation_lon_d)\n , ActingAppType = \"Browser\"\n | project-rename \n EventMessage=displayMessage_s_s\n ,EventOriginalResultDetails=outcome_reason_s_s\n , LogonMethod = authenticationContext_credentialType_s_s\n , TargetSessionId=authenticationContext_externalSessionId_s_s\n , TargetUserId= actor_id_s_s\n , TargetUsername=actor_alternateId_s_s\n , TargetUserType=actor_type_s_s\n , SrcDvcOs=client_userAgent_os_s_s\n , HttpUserAgent=client_userAgent_rawUserAgent_s_s\n , ActingAppName = client_userAgent_browser_s_s\n , SrcIsp=securityContext_isp_s_s\n , SrcGeoCity=client_geographicalContext_city_s_s\n , SrcGeoCountry=client_geographicalContext_country_s_s\n , EventOriginalUid = uuid_g_g\n | project-reorder\n EventProduct\n , EventOriginalUid\n , TimeGenerated\n , EventMessage\n , EventResult\n , EventOriginalResultDetails\n , EventStartTime\n , EventEndTime\n , EventType\n , EventSubType\n , LogonMethod\n , TargetSessionId\n , TargetUserId\n , TargetUsername\n , TargetUserType\n , SrcDvcOs\n , HttpUserAgent\n , 
SrcIsp\n , SrcGeoCity\n , SrcGeoCountry\n , SrcGeoLongitude\n , SrcGeoLatitude\n // ** Aliases\n | extend \n User=TargetUsername\n , Dvc=EventVendor\n };\nOktaSignin\n",
|
||||
"version": 1
|
||||
}
|
||||
}
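Review bot: The query line changes the geolocation source columns from `client_geographicalContext_geolocation_lat_d_s` / `..._lon_d_s` to `client_geographicalContext_geolocation_lat_d` / `..._lon_d`, while every neighbouring Okta_CL column in the same query keeps its `_s_s` suffix; if existing workspaces still ingest the `_d_s` names, the function fails to resolve the column, and because the new imAuthentication parser unions the sources with `isfuzzy=true`, Okta sign-ins would simply vanish from the unified output with no error. Worth confirming against the Okta_CL schema, or guarding with `column_ifexists('client_geographicalContext_geolocation_lat_d', '')` so the parser degrades to an empty coordinate instead of failing. Separately, this section renames the function to ASimAuthenticationOktaSSO with a parameterless `let OktaSignin=(){` body, whereas imAuthentication calls `vimAuthenticationOktaSSO(starttime, endtime, targetusername_has)`; the parameterized counterpart is not visible in this view.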
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# Okta identity management ASIM Authentication Normalization Parser
|
||||
|
||||
This template deploys the ASIM Authentication schema parser for Okta identity management. The parser is a part of the Azure Sentinel Information Mode.
|
||||
This template deploys the ASIM Authentication schema parser for Okta identity management. The parser is a part of the Azure Sentinel Information Model.
|
||||
|
||||
The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# Microsoft Windows ASIM Authentication Normalization Parser
|
||||
# Microsoft Windows Events ASIM Authentication Normalization Parser
|
||||
|
||||
This template deploys the ASIM Authentication schema parser for Microsoft Windows. The parser is a part of the Azure Sentinel Information Mode.
|
||||
This template deploys the ASIM Authentication schema parser for Microsoft Windows Events. The parser is a part of the Azure Sentinel Information Model.
|
||||
|
||||
The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
|
||||
|
||||
|
|
|
@ -1,277 +0,0 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"type": "string"
|
||||
},
|
||||
"location": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"variables": {},
|
||||
"resources": [
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedAADSTSErrCodes",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/AADSTSErrorCodes/AADSTSErrorCodes.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedAAuthenticationEmpty",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/AuthenticationEmpty/AuthenticationEmpty.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedAuthenticationGeneric",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/AuthenticationGeneric/AuthenticationGeneric.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedAuthenticationAADManagedIdentity",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/AuthenticationAADManagedIdentity/AuthenticationAADManagedIdentity.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedAuthenticationAADNonInteractive",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/AuthenticationAADNonInteractive/AuthenticationAADNonInteractive.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedAuthenticationAADServicePrincipalSignInLogs",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/AuthenticationAADServicePrincipalSignInLogs/AuthenticationAADServicePrincipalSignInLogs.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedAuthenticationAADSigninLogs",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/AuthenticationAADSigninLogs/AuthenticationAADSigninLogs.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedAuthenticationAWSCloudTrail",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/AuthenticationAWSCloudTrail/AuthenticationAWSCloudTrail.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedAuthenticationM365Defender",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/AuthenticationM365Defender/AuthenticationM365Defender.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedAuthenticationOktaOSS",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/AuthenticationOktaOSS/AuthenticationOktaOSS.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedAuthenticationWindowsSecurityEvent",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/AuthenticationWindowsSecurityEvent/AuthenticationWindowsSecurityEvent.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedAuthenticationMicrosoftMD4IoT",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/AuthenticationMicrosoftMD4IoT/AuthenticationMicrosoftMD4IoT.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedvimAuthenticationMicrosoftWindowsEvent",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/AuthenticationMicrosoftWindowsEvent/AuthenticationMicrosoftWindowsEvent.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
],
|
||||
"outputs": {
|
||||
}
|
||||
}
|
|
@ -1,17 +0,0 @@
|
|||
# Authentication - Azure Sentinel Information Model
|
||||
|
||||
This template deploys the following:
|
||||
* imAuthentication - Authentication events from all normalized authentication providers
|
||||
* vimAuthenticationAADManagedIdentitySignInLogs
|
||||
* vimAuthenticationAADNonInteractiveUserSignInLogs
|
||||
* vimAuthenticationAADServicePrincipalSignInLogs
|
||||
* vimAuthenticationSigninLogs
|
||||
* vimAuthenticationAWSCloudTrail
|
||||
* vimAuthenticationOktaSSO
|
||||
* vimAuthenticationWindowsSecurityEvent
|
||||
* vimAuthenticationMicrosoftWindowsEvent
|
||||
* vimAuthenticationMD4IoT
|
||||
* AADSTSErrorCodes
|
||||
|
||||
|
||||
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/AzSentinelAuthenticationARM)
|
|
@ -0,0 +1,14 @@
|
|||
# ASIM Authentication Normalization source agnostic parser
|
||||
This template deploys the ASIM Authentication schema parser for Microsoft Windows Events. The parser is a part of the Azure Sentinel Information Model.
|
||||
|
||||
The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
|
||||
|
||||
For more information, see:
|
||||
|
||||
- [Normalization and the Azure Sentinel Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
|
||||
- [Azure Sentinel Authentication normalization schema reference](https://aka.ms/AzSentinelAuthenticationDoc)
|
||||
|
||||
<br>
|
||||
|
||||
|
||||
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FimAuthenticationGeneric%2FimAuthenticationGeneric.json)
|
|
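--- a/Parsers/ASimAuthentication/ARM/imAuthenticationGeneric/imAuthenticationGeneric.json
+++ b/Parsers/ASimAuthentication/ARM/imAuthenticationGeneric/imAuthenticationGeneric.json
@@ -0,0 +1,39 @@
+{
+"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"workspaceName": {
+"type": "string"
+},
+"location": {
+"type": "string"
+}
+},
+"resources": [
+{
+"type": "Microsoft.OperationalInsights/workspaces",
+"apiVersion": "2017-03-15-preview",
+"name": "[parameters('workspaceName')]",
+"location": "[parameters('location')]",
+"resources": [
+{
+"type": "savedSearches",
+"apiVersion": "2020-08-01",
+"name": "imAuthentication",
+"dependsOn": [
+"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
+],
+"properties": {
+"etag": "*",
+"displayName": "ASIM Source Agnostic Authentication Parser",
+"category": "Security",
+"FunctionAlias": "imAuthentication",
+"query": "let imAuthentication=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\"){\nunion isfuzzy=true\nvimAuthenticationEmpty\n , vimAuthenticationAADManagedIdentitySignInLogs(starttime, endtime, targetusername_has)\n , vimAuthenticationAADNonInteractiveUserSignInLogs(starttime, endtime, targetusername_has)\n , vimAuthenticationAADServicePrincipalSignInLogs(starttime, endtime, targetusername_has)\n , vimAuthenticationSigninLogs(starttime, endtime, targetusername_has)\n , vimAuthenticationAWSCloudTrail(starttime, endtime, targetusername_has)\n , vimAuthenticationOktaSSO(starttime, endtime, targetusername_has)\n , vimAuthenticationWindowsSecurityEvent(starttime, endtime, targetusername_has)\n , vimAuthenticationM365Defender(starttime, endtime, targetusername_has)\n , vimAuthenticationMicrosoftWindowsEvent(starttime, endtime, targetusername_has)\n , vimAuthenticationMD4IoT(starttime, endtime, targetusername_has)\n };\n imAuthentication(starttime, endtime, targetusername_has)\n",
+"version": 1,
+"functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string='*'"
+}
+}
+]
+}
+]
+}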
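Review bot: `union isfuzzy=true` in the query line silently drops any listed function that cannot be resolved with three arguments, so a parser that is missing or still parameterless disappears from the unified result instead of failing the query. In this commit only vimAuthenticationAADManagedIdentitySignInLogs and vimAuthenticationAADNonInteractiveUserSignInLogs are visible with the `(starttime, endtime, targetusername_has)` signature, while the MD4IoT and Okta parsers are renamed to ASimAuthentication* with parameterless bodies; whether vimAuthenticationMD4IoT, vimAuthenticationOktaSSO and the remaining vim* functions exist with that signature is not shown here. Since a dropped source is a detection gap that nothing in this query reports, each vim* function should be called once with the three parameters as a deployment check before imAuthentication is relied on. vimAuthenticationEmpty is the one member called without arguments; a comment such as `// vimAuthenticationEmpty takes no parameters; it only contributes the schema` on that line would mark the asymmetry as intentional.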
@ -0,0 +1,15 @@
|
|||
# Azure active directory managed identity signin logs ASIM Authentication Normalization Parser
|
||||
|
||||
This template deploys the ASIM Authentication schema parser for Azure active directory managed identity signin logs. The parser is a part of the Azure Sentinel Information Model.
|
||||
|
||||
The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
|
||||
|
||||
For more information, see:
|
||||
|
||||
- [Normalization and the Azure Sentinel Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
|
||||
- [Azure Sentinel Authentication normalization schema reference](https://aka.ms/AzSentinelAuthenticationDoc)
|
||||
|
||||
<br>
|
||||
|
||||
|
||||
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAADManagedIdentity%2FvimAuthenticationAADManagedIdentity.json)
|
|
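--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADManagedIdentity/vimAuthenticationAADManagedIdentity.json
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADManagedIdentity/vimAuthenticationAADManagedIdentity.json
@@ -0,0 +1,39 @@
+{
+"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"workspaceName": {
+"type": "string"
+},
+"location": {
+"type": "string"
+}
+},
+"resources": [
+{
+"type": "Microsoft.OperationalInsights/workspaces",
+"apiVersion": "2017-03-15-preview",
+"name": "[parameters('workspaceName')]",
+"location": "[parameters('location')]",
+"resources": [
+{
+"type": "savedSearches",
+"apiVersion": "2020-08-01",
+"name": "vimAuthenticationAADManagedIdentitySignInLogs",
+"dependsOn": [
+"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
+],
+"properties": {
+"etag": "*",
+"displayName": "Azure active directory managed identity authentication",
+"category": "Security",
+"FunctionAlias": "vimAuthenticationAADManagedIdentitySignInLogs",
+"query": "let AADMIAuthentication=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\"){\n AADManagedIdentitySignInLogs\n // ************************************************************************* \n // <Prefilterring>\n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= starttime)\n and (targetusername_has=='*' or (ServicePrincipalName has targetusername_has))\n // ************************************************************************* \n // </Prefilterring>\n // ************************************************************************* \n | extend\n EventVendor = 'Microsoft'\n , EventProduct = 'AAD Managed Identity'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventResult = iff (ResultType ==0, 'Success', 'Failure')\n //, EventOriginalResultDetails = ResultType\n , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n , EventStartTime = TimeGenerated\n , EventEndTime= TimeGenerated\n , EventType= 'Logon'\n , Location = todynamic(LocationDetails)\n , TargetAppId = ResourceIdentity \n , TargetAppName=ResourceDisplayName\n , TargetUserType='ServicePrincipal'\n , TargetUsername=ServicePrincipalName\n , TargetUserId=ServicePrincipalId\n , TargetUsernameType='Simple'\n , TargetUserIdType='AADID'\n | extend\n SrcGeoCity=tostring(Location.city)\n , SrcGeoCountry=tostring(Location.countryOrRegion)\n , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | project-rename\n EventOriginalUid = Id\n , TargetSessionId = CorrelationId\n , SrcDvcIpAddr = IPAddress\n | project-reorder\n TimeGenerated\n ,EventProduct\n , EventOriginalUid\n , EventResult\n //, EventOriginalResultDetails \n , EventOriginalResultDetails\n , EventStartTime\n , EventEndTime\n , TargetSessionId\n , SrcGeoCountry\n , SrcGeoCity\n , TargetAppName\n , TargetAppId\n | lookup AADSTSErrorCodes on ResultType\n // ** Aliases\n | extend \n User=TargetUsername\n , LogonTarget=ResourceIdentity\n , Dvc=EventVendor\n };\nAADMIAuthentication(starttime, endtime, targetusername_has)",
+"version": 1,
+"functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string='*'"
+}
+}
+]
+}
+]
+}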
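Review bot: The time window in the prefilter is wrong: `and (isnull(endtime) or TimeGenerated <= starttime)` compares the upper bound against starttime, so a call with both bounds set keeps only rows whose TimeGenerated equals starttime and returns effectively nothing; it should read `and (isnull(endtime) or TimeGenerated <= endtime)`. The identical line appears in the vimAuthenticationAADNonInteractiveUserSignInLogs query in the next section and needs the same fix. Because imAuthentication unions these parsers with `isfuzzy=true`, a time-bounded hunt over managed identity or non-interactive sign-ins would come back empty without any error, which is the kind of silent gap an investigation will not notice. The comment markers are also misspelled `<Prefilterring>` / `</Prefilterring>`; `<Prefiltering>` is preferable if the markers are meant to be searched for across parsers.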
@ -0,0 +1,15 @@
|
|||
# Azure active directory nonInteractive signin logs ASIM Authentication Normalization Parser
|
||||
|
||||
This template deploys the ASIM Authentication schema parser for Azure active directory nonInteractive signin logs. The parser is a part of the Azure Sentinel Information Model.
|
||||
|
||||
The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
|
||||
|
||||
For more information, see:
|
||||
|
||||
- [Normalization and the Azure Sentinel Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
|
||||
- [Azure Sentinel Authentication normalization schema reference](https://aka.ms/AzSentinelAuthenticationDoc)
|
||||
|
||||
<br>
|
||||
|
||||
|
||||
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAADNonInteractive%2FvimAuthenticationAADNonInteractive.json)
|
|
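--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADNonInteractive/vimAuthenticationAADNonInteractive.json
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADNonInteractive/vimAuthenticationAADNonInteractive.json
@@ -0,0 +1,39 @@
+{
+"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"workspaceName": {
+"type": "string"
+},
+"location": {
+"type": "string"
+}
+},
+"resources": [
+{
+"type": "Microsoft.OperationalInsights/workspaces",
+"apiVersion": "2017-03-15-preview",
+"name": "[parameters('workspaceName')]",
+"location": "[parameters('location')]",
+"resources": [
+{
+"type": "savedSearches",
+"apiVersion": "2020-08-01",
+"name": "vimAuthenticationAADNonInteractiveUserSignInLogs",
+"dependsOn": [
+"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
+],
+"properties": {
+"etag": "*",
+"displayName": "Azure active directory non interactive authentication",
+"category": "Security",
+"FunctionAlias": "vimAuthenticationAADNonInteractiveUserSignInLogs",
+"query": "let AADNIAuthentication=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\"){\n AADNonInteractiveUserSignInLogs\n // ************************************************************************* \n // <Prefilterring>\n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= starttime)\n and (targetusername_has=='*' or (UserPrincipalName has targetusername_has ))\n // ************************************************************************* \n // </Prefilterring>\n // ************************************************************************* \n | extend\n EventVendor = 'Microsoft'\n , EventProduct = 'AAD Non Interactive'\n , EventSchemaVersion='0.1.0'\n , EventCount=int(1)\n , EventResult = iff (ResultType ==0, 'Success', 'Failure')\n , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n , EventStartTime = TimeGenerated\n , EventEndTime= TimeGenerated\n , EventType= 'Logon'\n , SrcDvcId=tostring(todynamic(DeviceDetail).deviceId)\n , SrcDvcHostname =tostring(todynamic(DeviceDetail).displayName)\n , SrcDvcOs=tostring(todynamic(DeviceDetail).operatingSystem)\n , Location = todynamic(LocationDetails)\n , TargetAppId = ResourceIdentity \n , TargetUserType='NonInteractive'\n , TargetUsernameType='Upn'\n , TargetUserIdType='AADID'\n , TargetAppName=ResourceDisplayName\n | extend\n SrcGeoCity=tostring(Location.city)\n , SrcGeoCountry=tostring(Location.countryOrRegion)\n , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | project-rename\n EventOriginalUid =Id\n , LogonMethod = AuthenticationRequirement\n , HttpUserAgent=UserAgent\n , TargetSessionId=CorrelationId\n , TargetUserId = UserId\n , TargetUsername=UserPrincipalName\n , SrcDvcIpAddr=IPAddress\n | lookup AADSTSErrorCodes on ResultType\n | project-reorder\n TimeGenerated\n ,EventProduct\n , EventOriginalUid\n , EventResult\n , EventOriginalResultDetails\n , EventStartTime\n , EventEndTime\n , LogonMethod \n , TargetSessionId\n , TargetUserId\n , TargetUsername\n , SrcDvcId\n , SrcDvcHostname \n , SrcDvcOs\n , HttpUserAgent \n , SrcGeoCountry\n , SrcGeoCity\n , TargetAppId\n , TargetAppName\n // ** Aliases\n | extend \n User=TargetUsername\n , LogonTarget=ResourceIdentity\n , Dvc=EventVendor};\nAADNIAuthentication(starttime, endtime, targetusername_has)",
+"version": 1,
+"functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string='*'"
+}
+}
+]
+}
+]
+}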
@ -0,0 +1,15 @@
|
|||
# Azure active directory service principal signin logs ASIM Authentication Normalization Parser
|
||||
|
||||
This template deploys the ASIM Authentication schema parser for Azure active directory service principal signin logs. The parser is a part of the Azure Sentinel Information Model.
|
||||
|
||||
The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
|
||||
|
||||
For more information, see:
|
||||
|
||||
- [Normalization and the Azure Sentinel Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
|
||||
- [Azure Sentinel Authentication normalization schema reference](https://aka.ms/AzSentinelAuthenticationDoc)
|
||||
|
||||
<br>
|
||||
|
||||
|
||||
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAADServicePrincipalSignInLogs%2FvimAuthenticationAADServicePrincipalSignInLogs.json)
|
|
@ -0,0 +1,39 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"type": "string"
|
||||
},
|
||||
"location": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"type": "Microsoft.OperationalInsights/workspaces",
|
||||
"apiVersion": "2017-03-15-preview",
|
||||
"name": "[parameters('workspaceName')]",
|
||||
"location": "[parameters('location')]",
|
||||
"resources": [
|
||||
{
|
||||
"type": "savedSearches",
|
||||
"apiVersion": "2020-08-01",
|
||||
"name": "vimAuthenticationAADServicePrincipalSignInLogs",
|
||||
"dependsOn": [
|
||||
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
|
||||
],
|
||||
"properties": {
|
||||
"etag": "*",
|
||||
"displayName": "Azure active directory service principal authentication",
|
||||
"category": "Security",
|
||||
"FunctionAlias": "vimAuthenticationAADServicePrincipalSignInLogs",
|
||||
"query": "let AADSvcPrincipal=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\"){\n AADServicePrincipalSignInLogs\n // ************************************************************************* \n // <Prefilterring>\n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= starttime) \n and (targetusername_has=='*' or (ServicePrincipalName =~ targetusername_has))\n // ************************************************************************* \n // </Prefilterring>\n // ************************************************************************* \n | extend\n EventVendor = 'Microsoft'\n , EventProduct = 'AAD Service Principal'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventResult = iff (ResultType ==0, 'Success', 'Failure')\n //, EventResultDetails= ResultType\n , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n , EventStartTime = TimeGenerated\n , EventEndTime= TimeGenerated\n , EventType= 'Logon'\n , Location = todynamic(LocationDetails)\n , TargetAppId = ResourceIdentity \n , TargetAppName=ResourceDisplayName\n , TargetUserType='ServicePrincipal'\n , TargetUsername=ServicePrincipalName\n , TargetUserId=ServicePrincipalId\n , TargetUsernameType='Simple'\n , TargetUserIdType='AADID'\n | extend\n SrcGeoCity=tostring(Location.city)\n , SrcGeoCountry=tostring(Location.countryOrRegion)\n , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | project-rename\n EventOriginalUid =Id\n , TargetSessionId=CorrelationId\n , SrcDvcIpAddr=IPAddress\n | lookup AADSTSErrorCodes on ResultType\n | project-reorder\n TimeGenerated\n ,EventProduct\n , EventOriginalUid\n , EventResult\n //, EventResultDetails\n , EventOriginalResultDetails\n , EventStartTime\n , EventEndTime\n , TargetSessionId\n , SrcGeoCity\n , 
SrcGeoCountry\n , TargetAppId\n // ** Aliases\n | extend \n User=TargetUsername\n , LogonTarget=ResourceIdentity\n , Dvc=EventVendor};\nAADSvcPrincipal(starttime, endtime, targetusername_has)",
|
||||
"version": 1,
|
||||
"functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string='*'"
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
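Review bot: The end-of-window bound in the prefilter compares against the wrong parameter: `and (isnull(endtime) or TimeGenerated <= starttime)` should read `and (isnull(endtime) or TimeGenerated <= endtime)`. As written, a caller that passes both `starttime` and `endtime` only gets rows whose TimeGenerated equals starttime exactly, i.e. an effectively empty result, so a time-bounded analytic rule or hunting query built on this parser silently sees nothing. The same line appears in the vimAuthenticationSigninLogs (section ending L3026), vimAuthenticationAWSCloudTrail (L3187), vimAuthenticationM365Defender (L3349), vimAuthenticationMD4IoT (L3511) and vimAuthenticationOktaSSO (L3715) templates in this commit, and in the AADNonInteractive query above. Separately, this parser filters with `ServicePrincipalName =~ targetusername_has` (whole-value, case-insensitive equality) while every sibling uses `has`; the parameter name promises substring semantics, so either use `has` here or document the difference.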
|
|
@ -0,0 +1,15 @@
|
|||
# Azure SigninLogs ASIM Authentication Normalization Parser
|
||||
|
||||
This template deploys the ASIM Authentication schema parser for Azure SigninLogs. The parser is a part of the Azure Sentinel Information Model.
|
||||
|
||||
The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
|
||||
|
||||
For more information, see:
|
||||
|
||||
- [Normalization and the Azure Sentinel Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
|
||||
- [Azure Sentinel Authentication normalization schema reference](https://aka.ms/AzSentinelAuthenticationDoc)
|
||||
|
||||
<br>
|
||||
|
||||
|
||||
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAADSigninLogs%2FvimAuthenticationAADSigninLogs.json)
|
|
@ -0,0 +1,39 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"type": "string"
|
||||
},
|
||||
"location": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"type": "Microsoft.OperationalInsights/workspaces",
|
||||
"apiVersion": "2017-03-15-preview",
|
||||
"name": "[parameters('workspaceName')]",
|
||||
"location": "[parameters('location')]",
|
||||
"resources": [
|
||||
{
|
||||
"type": "savedSearches",
|
||||
"apiVersion": "2020-08-01",
|
||||
"name": "vimAuthenticationSigninLogs",
|
||||
"dependsOn": [
|
||||
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
|
||||
],
|
||||
"properties": {
|
||||
"etag": "*",
|
||||
"displayName": "Azure active directory authentication",
|
||||
"category": "Security",
|
||||
"FunctionAlias": "vimAuthenticationSigninLogs",
|
||||
"query": "let AADSigninLogs=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\"){\nSigninLogs\n// ************************************************************************* \n// <Prefilterring>\n// *************************************************************************\n| where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= starttime) \n and (targetusername_has=='*' or (UserPrincipalName has targetusername_has ))\n// ************************************************************************* \n// </Prefilterring>\n// ************************************************************************* \n| extend\n EventVendor = 'Microsoft'\n , EventProduct = 'AAD Sign In Logs'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventResult = iff (ResultType ==0, 'Success', 'Failure')\n , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n , EventStartTime = TimeGenerated\n , EventEndTime= TimeGenerated\n , EventType= 'Logon'\n , SrcDvcId=tostring(DeviceDetail.deviceId)\n , SrcDvcHostname =tostring(DeviceDetail.displayName)\n , SrcDvcOs=tostring(DeviceDetail.operatingSystem)\n // , SrcBrowser= tostring(DeviceDetail.browser)\n , Location = todynamic(LocationDetails)\n , TargetUsernameType='Upn'\n , TargetUserIdType='AADID'\n , SrcDvcIpAddr=IPAddress\n| extend\n SrcGeoCity=tostring(Location.city)\n , SrcGeoCountry=tostring(Location.countryOrRegion)\n , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | lookup AADSTSErrorCodes on ResultType\n | project-rename\n EventOriginalUid =Id\n , LogonMethod = AuthenticationRequirement\n , HttpUserAgent=UserAgent\n , TargetSessionId=CorrelationId\n , TargetUserId = UserId\n , TargetUsername=UserPrincipalName\n , TargetUserType=UserType\n , TargetAppId = ResourceIdentity\n , TargetAppName=ResourceDisplayName\n | project-reorder\n TimeGenerated\n 
,EventProduct\n , EventOriginalUid\n , EventResult\n , EventOriginalResultDetails\n , EventStartTime\n , EventEndTime\n , LogonMethod \n , TargetSessionId\n , TargetUserId\n , TargetUsername\n , SrcDvcId\n , SrcDvcHostname \n , SrcDvcOs\n , HttpUserAgent \n , SrcGeoCity\n , SrcGeoCountry\n , TargetAppId\n , TargetAppName\n , SrcDvcIpAddr\n // ** Aliases\n | extend \n User=TargetUsername\n , LogonTarget=TargetAppName\n , Dvc=EventVendor};\n AADSigninLogs(starttime, endtime, targetusername_has)\n",
|
||||
"version": 1,
|
||||
"functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string='*'"
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
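Review bot: The `LogonTarget` alias is populated differently from the sibling AAD parsers: here `LogonTarget=TargetAppName` (a display name), while the service-principal and non-interactive templates use `LogonTarget=ResourceIdentity` (an application identifier). A source-agnostic query over the union of these parsers cannot compare or join on the alias, which defeats the normalization; `LogonTarget=TargetAppId` would carry the same value as the other two after the `project-rename` in this query. Also, `SrcDvcIpAddr=IPAddress` is done in `extend` rather than in the `project-rename` block the other two use, so the original `IPAddress` column stays in the output as well; harmless, but worth aligning.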
|
|
@ -0,0 +1,15 @@
|
|||
# Amazon web services cloud trail ASIM Authentication Normalization Parser
|
||||
|
||||
This template deploys the ASIM Authentication schema parser for Amazon web services cloud trail. The parser is a part of the Azure Sentinel Information Model.
|
||||
|
||||
The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
|
||||
|
||||
For more information, see:
|
||||
|
||||
- [Normalization and the Azure Sentinel Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
|
||||
- [Azure Sentinel Authentication normalization schema reference](https://aka.ms/AzSentinelAuthenticationDoc)
|
||||
|
||||
<br>
|
||||
|
||||
|
||||
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAWSCloudTrail%2FvimAuthenticationAWSCloudTrail.json)
|
|
@ -0,0 +1,39 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"type": "string"
|
||||
},
|
||||
"location": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"type": "Microsoft.OperationalInsights/workspaces",
|
||||
"apiVersion": "2017-03-15-preview",
|
||||
"name": "[parameters('workspaceName')]",
|
||||
"location": "[parameters('location')]",
|
||||
"resources": [
|
||||
{
|
||||
"type": "savedSearches",
|
||||
"apiVersion": "2020-08-01",
|
||||
"name": "vimAuthenticationAWSCloudTrail",
|
||||
"dependsOn": [
|
||||
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
|
||||
],
|
||||
"properties": {
|
||||
"etag": "*",
|
||||
"displayName": "ASIM AWS authentication",
|
||||
"category": "Security",
|
||||
"FunctionAlias": "vimAuthenticationAWSCloudTrail",
|
||||
"query": "let AWSLogon=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\"){\nAWSCloudTrail\n// ************************************************************************* \n// <Prefilterring>\n// *************************************************************************\n| where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= starttime) \n and (targetusername_has=='*' or (UserIdentityUserName has targetusername_has ))\n// ************************************************************************* \n// </Prefilterring>\n// ************************************************************************* \n | where EventName == 'ConsoleLogin'\n | extend\n EventVendor = 'AWS'\n , EventProduct='AWSCloudTrail'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventResult= iff (ResponseElements has_cs 'Success', 'Success', 'Failure')\n , EventStartTime=TimeGenerated\n , EventEndTime=TimeGenerated\n , EventType='Logon'\n , LogonMethod=iff(AdditionalEventData has '\"MFAUsed\": \"No\"', 'NoMFA', 'MFA')\n , TargetUrl =tostring(todynamic(AdditionalEventData).LoginTo)\n , TargetUsernameType='Simple'\n , TargetUserIdType='AWSId'\n | project-rename\n EventOriginalUid= AwsEventId\n , EventOriginalResultDetails= ErrorMessage\n , TargetUsername= UserIdentityUserName\n , TargetUserType=UserIdentityType\n , TargetUserId=UserIdentityAccountId \n , SrcDvcIpAddr=SourceIpAddress\n , HttpUserAgent=UserAgent\n// **** Aliases\n| extend\n User=TargetUsername\n , LogonTarget=tostring(split(TargetUrl,'?')[0])\n , Dvc=EventVendor\n };\n AWSLogon(starttime, endtime, targetusername_has)\n",
|
||||
"version": 1,
|
||||
"functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string='*'"
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
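Review bot: `LogonMethod=iff(AdditionalEventData has '"MFAUsed": "No"', 'NoMFA', 'MFA')` reports 'MFA' for every record that does not contain that exact substring, including records where the field is absent, serialized with different whitespace, or otherwise unparsed, so the fallback leans toward the more reassuring value. The next line already parses `todynamic(AdditionalEventData).LoginTo`, so the same object can drive this field: `LogonMethod=case(tostring(todynamic(AdditionalEventData).MFAUsed) == 'No', 'NoMFA', tostring(todynamic(AdditionalEventData).MFAUsed) == 'Yes', 'MFA', '')`, leaving the method empty when the source does not say. Reviewing console logons without MFA is a common use of this field, so an unknown should not be classified as MFA.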
|
|
@ -0,0 +1,15 @@
|
|||
# M365 Defender ASIM Authentication Normalization Parser
|
||||
|
||||
This template deploys the ASIM Authentication schema parser for M365 Defender. The parser is a part of the Azure Sentinel Information Model.
|
||||
|
||||
The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
|
||||
|
||||
For more information, see:
|
||||
|
||||
- [Normalization and the Azure Sentinel Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
|
||||
- [Azure Sentinel Authentication normalization schema reference](https://aka.ms/AzSentinelAuthenticationDoc)
|
||||
|
||||
<br>
|
||||
|
||||
|
||||
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationM365D%2FvimAuthenticationM365D.json)
|
|
@ -0,0 +1,39 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"type": "string"
|
||||
},
|
||||
"location": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"type": "Microsoft.OperationalInsights/workspaces",
|
||||
"apiVersion": "2017-03-15-preview",
|
||||
"name": "[parameters('workspaceName')]",
|
||||
"location": "[parameters('location')]",
|
||||
"resources": [
|
||||
{
|
||||
"type": "savedSearches",
|
||||
"apiVersion": "2020-08-01",
|
||||
"name": "vimAuthenticationM365Defender",
|
||||
"dependsOn": [
|
||||
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
|
||||
],
|
||||
"properties": {
|
||||
"etag": "*",
|
||||
"displayName": "ASIM Microsoft 365 Defender DeviceLogonEvent Authentication parser",
|
||||
"category": "Security",
|
||||
"FunctionAlias": "vimAuthenticationM365Defender",
|
||||
"query": "let FaliureReason=datatable(EventOriginalResultDetails:string, EventResultDetails:string)[\n 'InvalidUserNameOrPassword','No such user or password'\n ];\nlet AuthM365D=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\"){\n DeviceLogonEvents \n// ************************************************************************* \n// <Prefilterring>\n// *************************************************************************\n| where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= starttime) \n and (targetusername_has=='*' or (AccountName has targetusername_has))\n// ************************************************************************* \n// </Prefilterring>\n// ************************************************************************* \n //\n | project-rename \n EventOriginalResultDetails=FailureReason \n | extend \n // ---- Event\n EventSubType=iff(LogonType=='Remote interactive (RDP) logons','RemoteInteractive',LogonType)\n , EventCount=int(1)\n , EventStartTime=TimeGenerated\n , EventEndTime=TimeGenerated\n , EventOriginalType = LogonType\n , EventProduct='M365 Defender for EndPoint'\n , EventResult = case(ActionType =='LogonSuccess', 'Success'\n , ActionType=='LogonFailed', 'Failure'\n , ActionType=='LogonAttempted', 'NA'\n , 'NA')\n , EventSchemaVersion='0.1.0'\n , EventType='Logon'\n , EventVendor ='Microsoft'\n // ---- Target and Actor Users\n | project-rename \n TargetUserId=AccountSid\n , ActorUserId =InitiatingProcessAccountSid\n , ActorUserUpn=InitiatingProcessAccountUpn\n , ActorUserObjectId=InitiatingProcessAccountObjectId\n | extend \n TargetUserIdType ='SID'\n , TargetUsername = strcat(AccountDomain,'\\\\',AccountName)\n , TargetUsernameType='Windows'\n , ActorUserIdType='SID'\n , ActorUsername=coalesce(ActorUserUpn, strcat(InitiatingProcessAccountDomain,'\\\\',InitiatingProcessAccountName)) // InitiatingProcessAccountName\n , 
ActorUsernameType=case(isnotempty( ActorUserUpn), 'Upn/Email'\n , isnotempty(InitiatingProcessAccountDomain), 'Windows'\n , 'Simple')\n , TargetDvcHostname=tostring(split(DeviceName,'.')[0])\n , TargetDvcFQDN=DeviceName\n | project-rename \n LogonProtocol=Protocol\n , TargetDvcId=DeviceId\n , SrcDvcIpAddr=RemoteIP\n , OriginalEventUid=ReportId\n , SrcDvcHostname=RemoteDeviceName \n //\n , ActingProcessCommandLine = InitiatingProcessCommandLine\n , ActingProcessCreationTime=InitiatingProcessCreationTime\n , ActingProcessPath=InitiatingProcessFolderPath\n , ActingProcessId=InitiatingProcessId\n , ActingProcessMD5=InitiatingProcessMD5\n , ActingProcessSHA1=InitiatingProcessSHA1\n , ActingProcessSHA256= InitiatingProcessSHA256\n , ActingProcessIntegrityLevel= InitiatingProcessIntegrityLevel\n , ActingProcessTokenElevation=InitiatingProcessTokenElevation\n , ParentProcessName=InitiatingProcessParentFileName\n , ParentProcessId=InitiatingProcessParentId\n , ParentProcessCreationTime=InitiatingProcessParentCreationTime\n | extend \n ActingProcessName=iff(ActingProcessPath hassuffix InitiatingProcessFileName\n , ActingProcessPath\n , strcat(ActingProcessPath,'\\\\',InitiatingProcessFileName))\n , TargetDvcHostnameType='FQDN'\n , TargetDvcIdType='MDE'\n , TargetPortNumber=RemotePort\n , TargetSessionId = tostring(LogonId)\n | lookup FaliureReason on EventOriginalResultDetails \n // TargetUrl \n // ----------- Alias\n | extend \n User=TargetUsername \n , LogonTarget=TargetDvcHostname\n , Dvc=TargetDvcHostname\n };AuthM365D(starttime, endtime, targetusername_has)",
|
||||
"version": 1,
|
||||
"functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string='*'"
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
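Review bot: The original event id is renamed to `OriginalEventUid=ReportId`, while every other parser in this commit uses `EventOriginalUid`; a cross-source query on EventOriginalUid will find this column missing from the M365 Defender output. Change it to `, EventOriginalUid=ReportId`. The lookup table is declared as `FaliureReason` (typo); if it is renamed, avoid plain `FailureReason`, because that is also the source column renamed away two operators later — something like `FailureReasonLookup` keeps the two distinct. `TargetDvcHostnameType='FQDN'` is set although `TargetDvcHostname` is only the first label of `DeviceName` (`split(DeviceName,'.')[0]`) and the full name is carried in `TargetDvcFQDN`; presumably the type should describe the short name — confirm against the schema.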
|
|
@ -0,0 +1,15 @@
|
|||
# Microsoft Defender for IoT - Endpoint ASIM Authentication Normalization Parser
|
||||
|
||||
This template deploys the ASIM Authentication schema parser for Microsoft Defender for IoT - Endpoint. The parser is a part of the Azure Sentinel Information Model.
|
||||
|
||||
The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
|
||||
|
||||
For more information, see:
|
||||
|
||||
- [Normalization and the Azure Sentinel Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
|
||||
- [Azure Sentinel Authentication normalization schema reference](https://aka.ms/AzSentinelAuthenticationDoc)
|
||||
|
||||
<br>
|
||||
|
||||
|
||||
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationMicrosoftMD4IoT%2FvimAuthenticationMicrosoftMD4IoT.json)
|
|
@ -0,0 +1,39 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"type": "string"
|
||||
},
|
||||
"location": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"type": "Microsoft.OperationalInsights/workspaces",
|
||||
"apiVersion": "2017-03-15-preview",
|
||||
"name": "[parameters('workspaceName')]",
|
||||
"location": "[parameters('location')]",
|
||||
"resources": [
|
||||
{
|
||||
"type": "savedSearches",
|
||||
"apiVersion": "2020-08-01",
|
||||
"name": "vimAuthenticationMD4IoT",
|
||||
"dependsOn": [
|
||||
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
|
||||
],
|
||||
"properties": {
|
||||
"etag": "*",
|
||||
"displayName": "ASIM Authentication Parser for Microsoft Defender for IoT - Endpoint",
|
||||
"category": "Security",
|
||||
"FunctionAlias": "vimAuthenticationMD4IoT",
|
||||
"query": "let Authentication_MD4IoT=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\")\n {\n SecurityIoTRawEvent \n | where RawEventName == \"Login\"\n // ************************************************************************* \n // <Prefilterring>\n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= starttime)\n and (targetusername_has=='*' or EventDetails has targetusername_has)\n // ************************************************************************* \n // </Prefilterring>\n // ************************************************************************* \n | extend\n EventDetails = todynamic(EventDetails)\n //\n | extend\n EventOriginalUid = tostring(EventDetails.OriginalEventId), \n EventProduct = 'Azure Defender for IoT',\n EventCount=int(1),\n EventVendor = 'Microsoft', \n EventSchemaVersion = '0.1.0', \n EventStartTime = todatetime(EventDetails.TimestampUTC), \n EventEndTime = todatetime(TimeGenerated), \n EventType = iff (EventDetails.Operation == 'Logout', 'Logoff', 'Logon'), \n EventResult = iff (EventDetails.Operation == 'LoginFailed', 'Failure', 'Success') \n //\n | extend\n ActingProcessId = tostring(EventDetails.ProcessId), \n ActingProcessName = tostring(EventDetails.Executable), // -- Linux input device or service used to authenticate, for example pts/1, tty1, pts/0, ssh:notty \n DvcOs = iif (EventDetails.MessageSource == \"Linux\", \"Linux\", \"Windows\"), // -- Intermediate fix\n TargetUsernameType = \"Simple\",\n TargetUsername = tostring(EventDetails.UserName),\n // ************************************************************************* \n // <Postfilterring>\n // *************************************************************************\n | where \n (targetusername_has=='*' or TargetUsername has targetusername_has)\n // 
************************************************************************* \n // <Postfilterring>\n // *************************************************************************\n SrcIpAddr = tostring(EventDetails.RemoteAddress) \n | project-rename\n DvcHostname = DeviceId, \n EventProductVersion = AgentVersion, // -- Not available in Windows\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId \n //\n // -- aliases\n | extend \n User = TargetUsername, \n Process = ActingProcessName, \n Dvc = DvcHostname,\n SrcDvcIpAddr = SrcIpAddr,\n IpAddr = SrcIpAddr\n };\n Authentication_MD4IoT(starttime, endtime, targetusername_has)",
|
||||
"version": 1,
|
||||
"functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string='*'"
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
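Review bot: The query is not syntactically valid KQL: the `<Postfilterring>` block (`| where (targetusername_has=='*' or TargetUsername has targetusername_has)`) was inserted in the middle of the `extend` list, so `SrcIpAddr = tostring(EventDetails.RemoteAddress)` is left after the `where` with no operator in front of it, and the preceding `TargetUsername = tostring(EventDetails.UserName),` ends in a dangling comma. Move the assignment back into the extend — `TargetUsername = tostring(EventDetails.UserName),` followed by `SrcIpAddr = tostring(EventDetails.RemoteAddress)` — and place the `| where` after it. The closing comment of the block also reads `// <Postfilterring>` instead of `// </Postfilterring>`. The ARM deployment of the saved search will likely succeed regardless, so the error would only surface when the function is first invoked.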
|
|
@ -0,0 +1,15 @@
|
|||
# Microsoft Windows Events ASIM Authentication Normalization Parser
|
||||
|
||||
This template deploys the ASIM Authentication schema parser for Microsoft Windows Events. The parser is a part of the Azure Sentinel Information Model.
|
||||
|
||||
The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
|
||||
|
||||
For more information, see:
|
||||
|
||||
- [Normalization and the Azure Sentinel Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
|
||||
- [Azure Sentinel Authentication normalization schema reference](https://aka.ms/AzSentinelAuthenticationDoc)
|
||||
|
||||
<br>
|
||||
|
||||
|
||||
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationMicrosoftWindowsEvent%2FvimAuthenticationMicrosoftWindowsEvent.json)
|

|
@ -0,0 +1,15 @@
|
|||
# Okta identity management ASIM Authentication Normalization Parser
|
||||
|
||||
This template deploys the ASIM Authentication schema parser for Okta identity management. The parser is a part of the Azure Sentinel Information Model.
|
||||
|
||||
The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
|
||||
|
||||
For more information, see:
|
||||
|
||||
- [Normalization and the Azure Sentinel Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
|
||||
- [Azure Sentinel Authentication normalization schema reference](https://aka.ms/AzSentinelAuthenticationDoc)
|
||||
|
||||
<br>
|
||||
|
||||
|
||||
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationOktaOSS%2FvimAuthenticationOktaOSS.json)
|
|
@ -0,0 +1,39 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"type": "string"
|
||||
},
|
||||
"location": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"type": "Microsoft.OperationalInsights/workspaces",
|
||||
"apiVersion": "2017-03-15-preview",
|
||||
"name": "[parameters('workspaceName')]",
|
||||
"location": "[parameters('location')]",
|
||||
"resources": [
|
||||
{
|
||||
"type": "savedSearches",
|
||||
"apiVersion": "2020-08-01",
|
||||
"name": "vimAuthenticationOktaSSO",
|
||||
"dependsOn": [
|
||||
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
|
||||
],
|
||||
"properties": {
|
||||
"etag": "*",
|
||||
"displayName": "ASIM Okta identity management authentication parser",
|
||||
"category": "Security",
|
||||
"FunctionAlias": "vimAuthenticationOktaSSO",
|
||||
"query": "let OktaSignin=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\"){\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED','DENY']);\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n // https://developer.okta.com/docs/reference/api/event-types/#catalog\n Okta_CL\n // ************************************************************************* \n // <Prefilterring>\n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= starttime)\n and (targetusername_has=='*' or (actor_alternateId_s has targetusername_has))\n // ************************************************************************* \n // </Prefilterring>\n // ************************************************************************* \n | where eventType_s in (OktaSigninEvents)\n | extend \n EventProduct='Okta'\n , EventVendor='Okta'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventResult = case (outcome_result_s in (OktaSuccessfulOutcome), 'Success',outcome_result_s in (OktaFailedOutcome),'Failure', 'Partial')\n , EventStartTime=TimeGenerated\n , EventEndTime=TimeGenerated\n , EventType=iff(eventType_s hassuffix 'start', 'Logon', 'Logoff')\n , EventSubType=legacyEventType_s\n , TargetUserIdType='OktaId'\n , TargetUsernameType='Upn'\n , SrcGeoLatitude=toreal(client_geographicalContext_geolocation_lat_d)\n , SrcGeoLongitude=toreal(client_geographicalContext_geolocation_lon_d)\n , ActingAppType = \"Browser\"\n | project-rename \n EventMessage=displayMessage_s\n ,EventOriginalResultDetails=outcome_reason_s\n , LogonMethod = authenticationContext_credentialType_s\n , TargetSessionId=authenticationContext_externalSessionId_s\n , TargetUserId= actor_id_s\n , TargetUsername=actor_alternateId_s\n , TargetUserType=actor_type_s\n , 
SrcDvcOs=client_userAgent_os_s\n , HttpUserAgent=client_userAgent_rawUserAgent_s\n , ActingAppName = client_userAgent_browser_s\n , SrcIsp=securityContext_isp_s\n , SrcGeoCity=client_geographicalContext_city_s\n , SrcGeoCountry=client_geographicalContext_country_s\n , EventOriginalUid = uuid_g_g\n | project-reorder\n EventProduct\n , EventOriginalUid\n , TimeGenerated\n , EventMessage\n , EventResult\n , EventOriginalResultDetails\n , EventStartTime\n , EventEndTime\n , EventType\n , EventSubType\n , LogonMethod\n , TargetSessionId\n , TargetUserId\n , TargetUsername\n , TargetUserType\n , SrcDvcOs\n , HttpUserAgent\n , SrcIsp\n , SrcGeoCity\n , SrcGeoCountry\n , SrcGeoLongitude\n , SrcGeoLatitude\n // ** Aliases\n | extend \n User=TargetUsername\n , Dvc=EventVendor\n };\nOktaSignin(starttime, endtime, targetusername_has)\n",
|
||||
"version": 1,
|
||||
"functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string='*'"
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
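Review bot: The function is named `vimAuthenticationOktaSSO` in both the `name` and `FunctionAlias` properties, but the Deploy button in the accompanying README points at a `vimAuthenticationOktaOSS/vimAuthenticationOktaOSS.json` path, so one of the two spellings is wrong and the one-click deployment will fail if the directory follows the alias. `EventOriginalUid = uuid_g_g` looks like a doubled custom-log suffix; the other Okta_CL columns in this query end in a single `_s`/`_d`, so confirm the actual column name before shipping. `EventResult` falls through to `'Partial'` for any `outcome_result_s` not in the two lists, which labels new or unknown Okta outcomes as partial successes; consider `'NA'` for the fallback so unknowns are visibly unknown.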
|
|
@ -0,0 +1,15 @@
|
|||
# Microsoft Security Events ASIM Authentication Normalization Parser
|
||||
|
||||
This template deploys the ASIM Authentication schema parser for Microsoft Security Events. The parser is a part of the Azure Sentinel Information Model.
|
||||
|
||||
The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
|
||||
|
||||
For more information, see:
|
||||
|
||||
- [Normalization and the Azure Sentinel Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
|
||||
- [Azure Sentinel Authentication normalization schema reference](https://aka.ms/AzSentinelAuthenticationDoc)
|
||||
|
||||
<br>
|
||||
|
||||
|
||||
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationWindowsSecurityEvent%2FvimAuthenticationWindowsSecurityEvent.json)
|
|
@ -0,0 +1,476 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"type": "string"
|
||||
},
|
||||
"location": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"variables": {},
|
||||
"resources": [
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedAADSTSErrCodes",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/AADSTSErrorCodes/AADSTSErrorCodes.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedAuthenticationAADManagedIdentity",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/AuthenticationAADManagedIdentity/AuthenticationAADManagedIdentity.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedAuthenticationAADNonInteractive",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/AuthenticationAADNonInteractive/AuthenticationAADNonInteractive.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedAuthenticationAADServicePrincipalSignInLogs",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/AuthenticationAADServicePrincipalSignInLogs/AuthenticationAADServicePrincipalSignInLogs.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedAuthenticationAADSigninLogs",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/AuthenticationAADSigninLogs/AuthenticationAADSigninLogs.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedAuthenticationAWSCloudTrail",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/AuthenticationAWSCloudTrail/AuthenticationAWSCloudTrail.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedAuthenticationGeneric",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/AuthenticationGeneric/AuthenticationGeneric.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedAuthenticationM365D",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/AuthenticationM365D/AuthenticationM365D.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedAuthenticationMicrosoftMD4IoT",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/AuthenticationMicrosoftMD4IoT/AuthenticationMicrosoftMD4IoT.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedAuthenticationMicrosoftWindowsEvent",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/AuthenticationMicrosoftWindowsEvent/AuthenticationMicrosoftWindowsEvent.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedAuthenticationOktaOSS",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/AuthenticationOktaOSS/AuthenticationOktaOSS.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedAuthenticationWindowsSecurityEvent",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/AuthenticationWindowsSecurityEvent/AuthenticationWindowsSecurityEvent.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedimAuthenticationGeneric",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/imAuthenticationGeneric/imAuthenticationGeneric.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedvimAuthenticationAADManagedIdentity",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationAADManagedIdentity/vimAuthenticationAADManagedIdentity.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedvimAuthenticationAADNonInteractive",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationAADNonInteractive/vimAuthenticationAADNonInteractive.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedvimAuthenticationAADServicePrincipalSignInLogs",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationAADServicePrincipalSignInLogs/vimAuthenticationAADServicePrincipalSignInLogs.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedvimAuthenticationAADSigninLogs",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationAADSigninLogs/vimAuthenticationAADSigninLogs.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedvimAuthenticationAWSCloudTrail",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationAWSCloudTrail/vimAuthenticationAWSCloudTrail.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedvimAuthenticationM365D",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationM365D/vimAuthenticationM365D.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedvimAuthenticationMicrosoftMD4IoT",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftMD4IoT/vimAuthenticationMicrosoftMD4IoT.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedvimAuthenticationMicrosoftWindowsEvent",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/vimAuthenticationMicrosoftWindowsEvent.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedvimAuthenticationOktaOSS",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaOSS/vimAuthenticationOktaOSS.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedvimAuthenticationWindowsSecurityEvent",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationWindowsSecurityEvent/vimAuthenticationWindowsSecurityEvent.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
],
|
||||
"outputs": {}
|
||||
}
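Review bot: Every `templateLink.uri` in this template, starting with the `linkedAADSTSErrCodes` resource and repeated for each of the other linked deployments, fetches the nested template from the `master` branch of the GitHub repository, so what lands in the workspace is whatever that branch holds at deployment time rather than the parser reviewed in this commit. The `"contentVersion": "1.0.0.0"` under each link does not pin anything, because it is the default value every nested template here carries. Pin each link to an immutable ref, e.g. `"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/<commit-sha>/Parsers/ASimAuthentication/ARM/AADSTSErrorCodes/AADSTSErrorCodes.json"`, and bump `contentVersion` in the nested templates when their content changes so a mismatch fails the deployment instead of silently importing a different parser.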
|
|
@ -14,7 +14,7 @@ References:
|
|||
Link: https:/aka.ms/AzSentinelNormalization
|
||||
Description: |
|
||||
This Query Parser maps Azure Active Directory Managed Identity sign in logs (AADManagedIdentitySignInLogs) to the Azure Sentinel Information Model authenticaion schema.
|
||||
ParserName: vimAuthenticationAADManagedIdentitySignInLogs
|
||||
ParserName: ASimAuthenticationAADManagedIdentitySignInLogs
|
||||
ParserQuery: |
|
||||
let AADMIAuthentication=(){
|
||||
AADManagedIdentitySignInLogs
|
||||
|
|
|
@ -14,7 +14,7 @@ References:
|
|||
Link: https://aka.ms/AzSentinelAuthenticationDoc
|
||||
Description: |
|
||||
This Query Parser maps Azure Active Directory Non Interactive sign in logs (AADNonInteractiveUserSignInLogs) to the Azure Sentinel Information Model authenticaion schema.
|
||||
ParserName: vimAuthenticationAADNonInteractiveUserSignInLogs
|
||||
ParserName: ASimAuthenticationAADNonInteractiveUserSignInLogs
|
||||
ParserQuery: |
|
||||
let AADNIAuthentication=(){
|
||||
AADNonInteractiveUserSignInLogs
|
||||
|
|
|
@ -14,7 +14,7 @@ References:
|
|||
Link: https://aka.ms/AzSentinelAuthenticationDoc
|
||||
Description: |
|
||||
This Query Parser maps Azure Active Directory Service Principal sign in logs (AADServicePrincipalSignInLogs) to the Azure Sentinel Information Model authenticaion schema.
|
||||
ParserName: vimAuthenticationAADServicePrincipalSignInLogs
|
||||
ParserName: ASimAuthenticationAADServicePrincipalSignInLogs
|
||||
ParserQuery: |
|
||||
let AADSvcPrincipal=(){
|
||||
AADServicePrincipalSignInLogs
|
||||
|
|
|
@ -14,7 +14,7 @@ References:
|
|||
Link: https://aka.ms/AzSentinelAuthenticationDoc
|
||||
Description: |
|
||||
This Query Parser maps Azure Active Directory Signin logs (SigninLogs) to the Azure Sentinel Information Model authenticaion schema.
|
||||
ParserName: vimAuthenticationSigninLogs
|
||||
ParserName: ASimAuthenticationSigninLogs
|
||||
ParserQuery: |
|
||||
let AADSigninLogs=(){
|
||||
SigninLogs
|
||||
|
|
|
@ -14,7 +14,7 @@ References:
|
|||
Link: https:/aka.ms/AzSentinelNormalization
|
||||
Description: |
|
||||
This Query Parser maps Amazon Web Service sign in logs (AWSCloudTrail) to the Azure Sentinel Information Model authenticaion schema.
|
||||
ParserName: vimAuthenticationAWSCloudTrail
|
||||
ParserName: ASimAuthenticationAWSCloudTrail
|
||||
ParserQuery: |
|
||||
let AWSLogon=(){
|
||||
AWSCloudTrail
|
||||
|
|
|
@ -14,7 +14,7 @@ References:
|
|||
Link: https:/aka.ms/AzSentinelNormalization
|
||||
Description: |
|
||||
This Query creates an empty table of the authentication schema.
|
||||
ParserName: imAuthentication
|
||||
ParserName: ASimAuthentication
|
||||
ParserQuery: |
|
||||
union isfuzzy=true
|
||||
vimAuthenticationEmpty
|
|
@ -14,7 +14,7 @@ References:
|
|||
Link: https:/aka.ms/AzSentinelNormalization
|
||||
Description: |
|
||||
This Query Parser maps M365 Defender Device Logon Events (DeviceLogonEvents) to the Azure Sentinel Information Model authenticaion schema.
|
||||
ParserName: vimAuthenticationM365Defender
|
||||
ParserName: ASimAuthenticationM365Defender
|
||||
ParserQuery: |
|
||||
let FaliureReason=datatable(EventOriginalResultDetails:string, EventResultDetails:string)[
|
||||
'InvalidUserNameOrPassword','No such user or password'
|
||||
|
|
|
@ -13,7 +13,7 @@ References:
|
|||
- Title: ASIM
|
||||
Link: https:/aka.ms/AzSentinelNormalization
|
||||
Description: ASIM Azure Defender for IoT Authentication Parser
|
||||
ParserName: vimAuthenticationMD4IoT
|
||||
ParserName: ASimAuthenticationMD4IoT
|
||||
ParserQuery: |
|
||||
let Authentication_MD4IoT=()
|
||||
{
|
||||
|
|
|
@ -14,7 +14,7 @@ References:
|
|||
Link: https:/aka.ms/AzSentinelNormalization
|
||||
Description: |
|
||||
This Query Parser maps Windows sign in logs (WindowsEvent) to the Azure Sentinel Information Model authenticaion schema.
|
||||
ParserName: vimAuthenticationMicrosoftWindowsEvent
|
||||
ParserName: ASimAuthenticationMicrosoftWindowsEvent
|
||||
ParserQuery: |
|
||||
let LogonEvents=dynamic([4624,4625]);
|
||||
let LogoffEvents=dynamic([4634,4647]);
|
||||
|
|
|
@ -14,7 +14,7 @@ References:
|
|||
Link: https:/aka.ms/AzSentinelNormalization
|
||||
Description: |
|
||||
This Query Parser maps Okta sign in logs (Okta_CL) to the Azure Sentinel Information Model authenticaion schema.
|
||||
ParserName: vimAuthenticationOktaSSO
|
||||
ParserName: ASimAuthenticationOktaSSO
|
||||
ParserQuery: |
|
||||
let OktaSignin=(){
|
||||
let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);
|
||||
|
@ -22,36 +22,36 @@ ParserQuery: |
|
|||
let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);
|
||||
// https://developer.okta.com/docs/reference/api/event-types/#catalog
|
||||
Okta_CL
|
||||
| where eventType_s_s in (OktaSigninEvents)
|
||||
| where eventType_s in (OktaSigninEvents)
|
||||
| extend
|
||||
EventProduct='Okta'
|
||||
, EventVendor='Okta'
|
||||
, EventCount=int(1)
|
||||
, EventSchemaVersion='0.1.0'
|
||||
, EventResult = case (outcome_result_s_s in (OktaSuccessfulOutcome), 'Success',outcome_result_s_s in (OktaFailedOutcome),'Failure', 'Partial')
|
||||
, EventResult = case (outcome_result_s in (OktaSuccessfulOutcome), 'Success',outcome_result_s in (OktaFailedOutcome),'Failure', 'Partial')
|
||||
, EventStartTime=TimeGenerated
|
||||
, EventEndTime=TimeGenerated
|
||||
, EventType=iff(eventType_s_s hassuffix 'start', 'Logon', 'Logoff')
|
||||
, EventSubType=legacyEventType_s_s
|
||||
, EventType=iff(eventType_s hassuffix 'start', 'Logon', 'Logoff')
|
||||
, EventSubType=legacyEventType_s
|
||||
, TargetUserIdType='OktaId'
|
||||
, TargetUsernameType='Upn'
|
||||
, SrcGeoLatitude=toreal(client_geographicalContext_geolocation_lat_d_s)
|
||||
, SrcGeoLongitude=toreal(client_geographicalContext_geolocation_lon_d_s)
|
||||
, SrcGeoLatitude=toreal(client_geographicalContext_geolocation_lat_d)
|
||||
, SrcGeoLongitude=toreal(client_geographicalContext_geolocation_lon_d)
|
||||
, ActingAppType = "Browser"
|
||||
| project-rename
|
||||
EventMessage=displayMessage_s_s
|
||||
,EventOriginalResultDetails=outcome_reason_s_s
|
||||
, LogonMethod = authenticationContext_credentialType_s_s
|
||||
, TargetSessionId=authenticationContext_externalSessionId_s_s
|
||||
, TargetUserId= actor_id_s_s
|
||||
, TargetUsername=actor_alternateId_s_s
|
||||
, TargetUserType=actor_type_s_s
|
||||
, SrcDvcOs=client_userAgent_os_s_s
|
||||
, HttpUserAgent=client_userAgent_rawUserAgent_s_s
|
||||
, ActingAppName = client_userAgent_browser_s_s
|
||||
, SrcIsp=securityContext_isp_s_s
|
||||
, SrcGeoCity=client_geographicalContext_city_s_s
|
||||
, SrcGeoCountry=client_geographicalContext_country_s_s
|
||||
EventMessage=displayMessage_s
|
||||
,EventOriginalResultDetails=outcome_reason_s
|
||||
, LogonMethod = authenticationContext_credentialType_s
|
||||
, TargetSessionId=authenticationContext_externalSessionId_s
|
||||
, TargetUserId= actor_id_s
|
||||
, TargetUsername=actor_alternateId_s
|
||||
, TargetUserType=actor_type_s
|
||||
, SrcDvcOs=client_userAgent_os_s
|
||||
, HttpUserAgent=client_userAgent_rawUserAgent_s
|
||||
, ActingAppName = client_userAgent_browser_s
|
||||
, SrcIsp=securityContext_isp_s
|
||||
, SrcGeoCity=client_geographicalContext_city_s
|
||||
, SrcGeoCountry=client_geographicalContext_country_s
|
||||
, EventOriginalUid = uuid_g_g
|
||||
| project-reorder
|
||||
EventProduct
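Review bot: The unchanged context line `, EventOriginalUid = uuid_g_g` keeps a doubled type suffix while every other column reference in this hunk drops it (`eventType_s_s` → `eventType_s`, `client_geographicalContext_geolocation_lat_d_s` → `..._lat_d`); if the doubled suffix was the same ingestion artifact, this rename should presumably become `, EventOriginalUid = uuid_g` as well — verify against the current Okta_CL schema. If the column really is named `uuid_g_g`, a one-line comment saying so would stop the next reader from "fixing" it. The enclosing `OktaSignin` function continues past this hunk.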
|
||||
|
|
|
@ -14,7 +14,7 @@ References:
|
|||
Link: https:/aka.ms/AzSentinelNormalization
|
||||
Description: |
|
||||
This Query Parser maps Windows Active Directory sign in logs (SecurityEvent) to the Azure Sentinel Information Model authenticaion schema.
|
||||
ParserName: vimAuthenticationWindowsSecurityEvent
|
||||
ParserName: ASimAuthenticationWindowsSecurityEvent
|
||||
ParserQuery: |
|
||||
let LogonEvents=dynamic([4624,4625]);
|
||||
let LogoffEvents=dynamic([4634,4647]);
|
||||
|
|
|
@ -0,0 +1,43 @@
|
|||
Parser:
|
||||
Title: ASIM Source Agnostic Authentication Parser
|
||||
Version: '0.0'
|
||||
LastUpdated: June 9, 2021
|
||||
Product:
|
||||
Name: Microsoft Windows Events
|
||||
Normalization:
|
||||
Schema: Authentication
|
||||
Version: '0.1.0'
|
||||
References:
|
||||
- Title: ASIM Authentication Schema
|
||||
Link: https://aka.ms/AzSentinelAuthenticationDoc
|
||||
- Title: ASIM
|
||||
Link: https:/aka.ms/AzSentinelNormalization
|
||||
Description: |
|
||||
This Query creates an empty table of the authentication schema.
|
||||
ParserName: imAuthentication
|
||||
ParserParams:
|
||||
- Name: starttime
|
||||
Type: datetime
|
||||
Default: datetime(null)
|
||||
- Name: endtime
|
||||
Type: datetime
|
||||
Default: datetime(null)
|
||||
- Name: targetusername_has
|
||||
Type: string
|
||||
Default: '*'
|
||||
ParserQuery: |
|
||||
let imAuthentication=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string="*"){
|
||||
union isfuzzy=true
|
||||
vimAuthenticationEmpty
|
||||
, vimAuthenticationAADManagedIdentitySignInLogs(starttime, endtime, targetusername_has)
|
||||
, vimAuthenticationAADNonInteractiveUserSignInLogs(starttime, endtime, targetusername_has)
|
||||
, vimAuthenticationAADServicePrincipalSignInLogs(starttime, endtime, targetusername_has)
|
||||
, vimAuthenticationSigninLogs(starttime, endtime, targetusername_has)
|
||||
, vimAuthenticationAWSCloudTrail(starttime, endtime, targetusername_has)
|
||||
, vimAuthenticationOktaSSO(starttime, endtime, targetusername_has)
|
||||
, vimAuthenticationWindowsSecurityEvent(starttime, endtime, targetusername_has)
|
||||
, vimAuthenticationM365Defender(starttime, endtime, targetusername_has)
|
||||
, vimAuthenticationMicrosoftWindowsEvent(starttime, endtime, targetusername_has)
|
||||
, vimAuthenticationMD4IoT(starttime, endtime, targetusername_has)
|
||||
};
|
||||
imAuthentication(starttime, endtime, targetusername_has)
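Review bot: The parser metadata still describes a different file: `Name: Microsoft Windows Events` under `Product:` and `This Query creates an empty table of the authentication schema.` under `Description:` do not match a source-agnostic parser whose query unions ten source-specific parsers. Replace them with something like `Name: Source Agnostic` and `This Query Parser unions all ASIM authentication source parsers and forwards the starttime, endtime and targetusername_has filters to each of them.`, so the generated documentation and the ARM template description tell the reader what the function actually returns.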
|
|
@ -0,0 +1,90 @@
|
|||
Parser:
|
||||
Title: Azure active directory managed identity authentication
|
||||
Version: '0.1.0'
|
||||
LastUpdated: June 17, 2021
|
||||
Product:
|
||||
Name: Azure active directory managed identity signin logs
|
||||
Normalization:
|
||||
Schema: Authentication
|
||||
Version: 0.1.0'
|
||||
References:
|
||||
- Title: ASIM Authentication Schema
|
||||
Link: https://aka.ms/AzSentinelAuthenticationDoc
|
||||
- Title: ASIM
|
||||
Link: https:/aka.ms/AzSentinelNormalization
|
||||
Description: |
|
||||
This Query Parser maps Azure Active Directory Managed Identity sign in logs (AADManagedIdentitySignInLogs) to the Azure Sentinel Information Model authenticaion schema.
|
||||
ParserName: vimAuthenticationAADManagedIdentitySignInLogs
|
||||
ParserParams:
|
||||
- Name: starttime
|
||||
Type: datetime
|
||||
Default: datetime(null)
|
||||
- Name: endtime
|
||||
Type: datetime
|
||||
Default: datetime(null)
|
||||
- Name: targetusername_has
|
||||
Type: string
|
||||
Default: '*'
|
||||
ParserQuery: |
|
||||
let AADMIAuthentication=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string="*"){
|
||||
AADManagedIdentitySignInLogs
|
||||
// *************************************************************************
|
||||
// <Prefilterring>
|
||||
// *************************************************************************
|
||||
| where
|
||||
(isnull(starttime) or TimeGenerated >= starttime)
|
||||
and (isnull(endtime) or TimeGenerated <= starttime)
|
||||
and (targetusername_has=='*' or (ServicePrincipalName has targetusername_has))
|
||||
// *************************************************************************
|
||||
// </Prefilterring>
|
||||
// *************************************************************************
|
||||
| extend
|
||||
EventVendor = 'Microsoft'
|
||||
, EventProduct = 'AAD Managed Identity'
|
||||
, EventCount=int(1)
|
||||
, EventSchemaVersion='0.1.0'
|
||||
, EventResult = iff (ResultType ==0, 'Success', 'Failure')
|
||||
//, EventOriginalResultDetails = ResultType
|
||||
, EventOriginalResultDetails = coalesce(ResultDescription, ResultType)
|
||||
, EventStartTime = TimeGenerated
|
||||
, EventEndTime= TimeGenerated
|
||||
, EventType= 'Logon'
|
||||
, Location = todynamic(LocationDetails)
|
||||
, TargetAppId = ResourceIdentity
|
||||
, TargetAppName=ResourceDisplayName
|
||||
, TargetUserType='ServicePrincipal'
|
||||
, TargetUsername=ServicePrincipalName
|
||||
, TargetUserId=ServicePrincipalId
|
||||
, TargetUsernameType='Simple'
|
||||
, TargetUserIdType='AADID'
|
||||
| extend
|
||||
SrcGeoCity=tostring(Location.city)
|
||||
, SrcGeoCountry=tostring(Location.countryOrRegion)
|
||||
, SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)
|
||||
, SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)
|
||||
| project-rename
|
||||
EventOriginalUid = Id
|
||||
, TargetSessionId = CorrelationId
|
||||
, SrcDvcIpAddr = IPAddress
|
||||
| project-reorder
|
||||
TimeGenerated
|
||||
,EventProduct
|
||||
, EventOriginalUid
|
||||
, EventResult
|
||||
//, EventOriginalResultDetails
|
||||
, EventOriginalResultDetails
|
||||
, EventStartTime
|
||||
, EventEndTime
|
||||
, TargetSessionId
|
||||
, SrcGeoCountry
|
||||
, SrcGeoCity
|
||||
, TargetAppName
|
||||
, TargetAppId
|
||||
| lookup AADSTSErrorCodes on ResultType
|
||||
// ** Aliases
|
||||
| extend
|
||||
User=TargetUsername
|
||||
, LogonTarget=ResourceIdentity
|
||||
, Dvc=EventVendor
|
||||
};
|
||||
AADMIAuthentication(starttime, endtime, targetusername_has)
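Review bot: The end-of-window filter at `and (isnull(endtime) or TimeGenerated <= starttime)` compares against `starttime` instead of `endtime`, so a caller passing both bounds only gets events stamped exactly at `starttime`, and a caller passing only `endtime` gets nothing because the comparison against a null `starttime` never evaluates to true; it should read `and (isnull(endtime) or TimeGenerated <= endtime)`. The same copy-pasted line appears in the `AADNIAuthentication` and `AADSvcPrincipal` pre-filters further down. Separately, `Version: 0.1.0'` under `Normalization:` has an unbalanced quote, so the YAML value becomes the literal string `0.1.0'` rather than `'0.1.0'` as in the sibling files, and the `<Prefilterring>` markers are misspelled (`Prefiltering`).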
|
|
@ -0,0 +1,99 @@
|
|||
Parser:
|
||||
Title: Azure active directory non interactive authentication
|
||||
Version: '0.0'
|
||||
LastUpdated: June 3, 2021
|
||||
Product:
|
||||
Name: Azure active directory nonInteractive signin logs
|
||||
Normalization:
|
||||
Schema: Authentication
|
||||
Version: '0.1.0'
|
||||
References:
|
||||
- Title: Using functions
|
||||
Link: https://docs.microsoft.com/azure/azure-monitor/log-query/function
|
||||
- Title: Authentication schema documentation
|
||||
Link: https://aka.ms/AzSentinelAuthenticationDoc
|
||||
Description: |
|
||||
This Query Parser maps Azure Active Directory Non Interactive sign in logs (AADNonInteractiveUserSignInLogs) to the Azure Sentinel Information Model authenticaion schema.
|
||||
ParserName: vimAuthenticationAADNonInteractiveUserSignInLogs
|
||||
ParserParams:
|
||||
- Name: starttime
|
||||
Type: datetime
|
||||
Default: datetime(null)
|
||||
- Name: endtime
|
||||
Type: datetime
|
||||
Default: datetime(null)
|
||||
- Name: targetusername_has
|
||||
Type: string
|
||||
Default: '*'
|
||||
ParserQuery: |
|
||||
let AADNIAuthentication=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string="*"){
|
||||
AADNonInteractiveUserSignInLogs
|
||||
// *************************************************************************
|
||||
// <Prefilterring>
|
||||
// *************************************************************************
|
||||
| where
|
||||
(isnull(starttime) or TimeGenerated >= starttime)
|
||||
and (isnull(endtime) or TimeGenerated <= starttime)
|
||||
and (targetusername_has=='*' or (UserPrincipalName has targetusername_has ))
|
||||
// *************************************************************************
|
||||
// </Prefilterring>
|
||||
// *************************************************************************
|
||||
| extend
|
||||
EventVendor = 'Microsoft'
|
||||
, EventProduct = 'AAD Non Interactive'
|
||||
, EventSchemaVersion='0.1.0'
|
||||
, EventCount=int(1)
|
||||
, EventResult = iff (ResultType ==0, 'Success', 'Failure')
|
||||
, EventOriginalResultDetails = coalesce(ResultDescription, ResultType)
|
||||
, EventStartTime = TimeGenerated
|
||||
, EventEndTime= TimeGenerated
|
||||
, EventType= 'Logon'
|
||||
, SrcDvcId=tostring(todynamic(DeviceDetail).deviceId)
|
||||
, SrcDvcHostname =tostring(todynamic(DeviceDetail).displayName)
|
||||
, SrcDvcOs=tostring(todynamic(DeviceDetail).operatingSystem)
|
||||
, Location = todynamic(LocationDetails)
|
||||
, TargetAppId = ResourceIdentity
|
||||
, TargetUserType='NonInteractive'
|
||||
, TargetUsernameType='Upn'
|
||||
, TargetUserIdType='AADID'
|
||||
, TargetAppName=ResourceDisplayName
|
||||
| extend
|
||||
SrcGeoCity=tostring(Location.city)
|
||||
, SrcGeoCountry=tostring(Location.countryOrRegion)
|
||||
, SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)
|
||||
, SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)
|
||||
| project-rename
|
||||
EventOriginalUid =Id
|
||||
, LogonMethod = AuthenticationRequirement
|
||||
, HttpUserAgent=UserAgent
|
||||
, TargetSessionId=CorrelationId
|
||||
, TargetUserId = UserId
|
||||
, TargetUsername=UserPrincipalName
|
||||
, SrcDvcIpAddr=IPAddress
|
||||
| lookup AADSTSErrorCodes on ResultType
|
||||
| project-reorder
|
||||
TimeGenerated
|
||||
,EventProduct
|
||||
, EventOriginalUid
|
||||
, EventResult
|
||||
, EventOriginalResultDetails
|
||||
, EventStartTime
|
||||
, EventEndTime
|
||||
, LogonMethod
|
||||
, TargetSessionId
|
||||
, TargetUserId
|
||||
, TargetUsername
|
||||
, SrcDvcId
|
||||
, SrcDvcHostname
|
||||
, SrcDvcOs
|
||||
, HttpUserAgent
|
||||
, SrcGeoCountry
|
||||
, SrcGeoCity
|
||||
, TargetAppId
|
||||
, TargetAppName
|
||||
// ** Aliases
|
||||
| extend
|
||||
User=TargetUsername
|
||||
, LogonTarget=ResourceIdentity
|
||||
, Dvc=EventVendor};
|
||||
AADNIAuthentication(starttime, endtime, targetusername_has)
|
|
@ -0,0 +1,88 @@
|
|||
Parser:
|
||||
Title: Azure active directory service principal authentication
|
||||
Version: '0.0'
|
||||
LastUpdated: June 3, 2021
|
||||
Product:
|
||||
Name: Azure active directory service principal signin logs
|
||||
Normalization:
|
||||
Schema: Authentication
|
||||
Version: '0.1.0'
|
||||
References:
|
||||
- Title: Using functions
|
||||
Link: https://docs.microsoft.com/azure/azure-monitor/log-query/function
|
||||
- Title: Authentication schema documentation
|
||||
Link: https://aka.ms/AzSentinelAuthenticationDoc
|
||||
Description: |
|
||||
This Query Parser maps Azure Active Directory Service Principal sign in logs (AADServicePrincipalSignInLogs) to the Azure Sentinel Information Model authenticaion schema.
|
||||
ParserName: vimAuthenticationAADServicePrincipalSignInLogs
|
||||
ParserParams:
|
||||
- Name: starttime
|
||||
Type: datetime
|
||||
Default: datetime(null)
|
||||
- Name: endtime
|
||||
Type: datetime
|
||||
Default: datetime(null)
|
||||
- Name: targetusername_has
|
||||
Type: string
|
||||
Default: '*'
|
||||
ParserQuery: |
|
||||
let AADSvcPrincipal=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string="*"){
|
||||
AADServicePrincipalSignInLogs
|
||||
// *************************************************************************
|
||||
// <Prefilterring>
|
||||
// *************************************************************************
|
||||
| where
|
||||
(isnull(starttime) or TimeGenerated >= starttime)
|
||||
and (isnull(endtime) or TimeGenerated <= starttime)
|
||||
and (targetusername_has=='*' or (ServicePrincipalName =~ targetusername_has))
|
||||
// *************************************************************************
|
||||
// </Prefilterring>
|
||||
// *************************************************************************
|
||||
| extend
|
||||
EventVendor = 'Microsoft'
|
||||
, EventProduct = 'AAD Service Principal'
|
||||
, EventCount=int(1)
|
||||
, EventSchemaVersion='0.1.0'
|
||||
, EventResult = iff (ResultType ==0, 'Success', 'Failure')
|
||||
//, EventResultDetails= ResultType
|
||||
, EventOriginalResultDetails = coalesce(ResultDescription, ResultType)
|
||||
, EventStartTime = TimeGenerated
|
||||
, EventEndTime= TimeGenerated
|
||||
, EventType= 'Logon'
|
||||
, Location = todynamic(LocationDetails)
|
||||
, TargetAppId = ResourceIdentity
|
||||
, TargetAppName=ResourceDisplayName
|
||||
, TargetUserType='ServicePrincipal'
|
||||
, TargetUsername=ServicePrincipalName
|
||||
, TargetUserId=ServicePrincipalId
|
||||
, TargetUsernameType='Simple'
|
||||
, TargetUserIdType='AADID'
|
||||
| extend
|
||||
SrcGeoCity=tostring(Location.city)
|
||||
, SrcGeoCountry=tostring(Location.countryOrRegion)
|
||||
, SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)
|
||||
, SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)
|
||||
| project-rename
|
||||
EventOriginalUid =Id
|
||||
, TargetSessionId=CorrelationId
|
||||
, SrcDvcIpAddr=IPAddress
|
||||
| lookup AADSTSErrorCodes on ResultType
|
||||
| project-reorder
|
||||
TimeGenerated
|
||||
,EventProduct
|
||||
, EventOriginalUid
|
||||
, EventResult
|
||||
//, EventResultDetails
|
||||
, EventOriginalResultDetails
|
||||
, EventStartTime
|
||||
, EventEndTime
|
||||
, TargetSessionId
|
||||
, SrcGeoCity
|
||||
, SrcGeoCountry
|
||||
, TargetAppId
|
||||
// ** Aliases
|
||||
| extend
|
||||
User=TargetUsername
|
||||
, LogonTarget=ResourceIdentity
|
||||
, Dvc=EventVendor};
|
||||
AADSvcPrincipal(starttime, endtime, targetusername_has)
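Review bot: The upper time bound in the prefilter checks the wrong parameter: `and (isnull(endtime) or TimeGenerated <= starttime)` should read `and (isnull(endtime) or TimeGenerated <= endtime)`; as written, a call that passes both bounds keeps only rows stamped exactly at starttime, so a detection rule built on this parser with a time window silently returns nothing. The same line is repeated in every new parser in this commit, so it needs fixing in all of them. The username prefilter is also out of step with its parameter name: `ServicePrincipalName =~ targetusername_has` is an exact case-insensitive match, while the `_has` suffix and the sibling parsers promise term (`has`) semantics, so a caller passing a partial name gets rows from every other source but none from this one; `(ServicePrincipalName has targetusername_has)` would match the others.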
|
|
@ -0,0 +1,101 @@
|
|||
Parser:
|
||||
Title: Azure active directory authentication
|
||||
Version: '0.0'
|
||||
LastUpdated: June 3, 2021
|
||||
Product:
|
||||
Name: Azure SigninLogs
|
||||
Normalization:
|
||||
Schema: Authentication
|
||||
Version: '0.1.0'
|
||||
References:
|
||||
- Title: Using functions
|
||||
Link: https://docs.microsoft.com/azure/azure-monitor/log-query/function
|
||||
- Title: Authentication schema documentation
|
||||
Link: https://aka.ms/AzSentinelAuthenticationDoc
|
||||
Description: |
|
||||
This Query Parser maps Azure Active Directory Signin logs (SigninLogs) to the Azure Sentinel Information Model authenticaion schema.
|
||||
ParserName: vimAuthenticationSigninLogs
|
||||
ParserParams:
|
||||
- Name: starttime
|
||||
Type: datetime
|
||||
Default: datetime(null)
|
||||
- Name: endtime
|
||||
Type: datetime
|
||||
Default: datetime(null)
|
||||
- Name: targetusername_has
|
||||
Type: string
|
||||
Default: '*'
|
||||
ParserQuery: |
|
||||
let AADSigninLogs=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string="*"){
|
||||
SigninLogs
|
||||
// *************************************************************************
|
||||
// <Prefilterring>
|
||||
// *************************************************************************
|
||||
| where
|
||||
(isnull(starttime) or TimeGenerated >= starttime)
|
||||
and (isnull(endtime) or TimeGenerated <= starttime)
|
||||
and (targetusername_has=='*' or (UserPrincipalName has targetusername_has ))
|
||||
// *************************************************************************
|
||||
// </Prefilterring>
|
||||
// *************************************************************************
|
||||
| extend
|
||||
EventVendor = 'Microsoft'
|
||||
, EventProduct = 'AAD Sign In Logs'
|
||||
, EventCount=int(1)
|
||||
, EventSchemaVersion='0.1.0'
|
||||
, EventResult = iff (ResultType ==0, 'Success', 'Failure')
|
||||
, EventOriginalResultDetails = coalesce(ResultDescription, ResultType)
|
||||
, EventStartTime = TimeGenerated
|
||||
, EventEndTime= TimeGenerated
|
||||
, EventType= 'Logon'
|
||||
, SrcDvcId=tostring(DeviceDetail.deviceId)
|
||||
, SrcDvcHostname =tostring(DeviceDetail.displayName)
|
||||
, SrcDvcOs=tostring(DeviceDetail.operatingSystem)
|
||||
// , SrcBrowser= tostring(DeviceDetail.browser)
|
||||
, Location = todynamic(LocationDetails)
|
||||
, TargetUsernameType='Upn'
|
||||
, TargetUserIdType='AADID'
|
||||
, SrcDvcIpAddr=IPAddress
|
||||
| extend
|
||||
SrcGeoCity=tostring(Location.city)
|
||||
, SrcGeoCountry=tostring(Location.countryOrRegion)
|
||||
, SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)
|
||||
, SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)
|
||||
| lookup AADSTSErrorCodes on ResultType
|
||||
| project-rename
|
||||
EventOriginalUid =Id
|
||||
, LogonMethod = AuthenticationRequirement
|
||||
, HttpUserAgent=UserAgent
|
||||
, TargetSessionId=CorrelationId
|
||||
, TargetUserId = UserId
|
||||
, TargetUsername=UserPrincipalName
|
||||
, TargetUserType=UserType
|
||||
, TargetAppId = ResourceIdentity
|
||||
, TargetAppName=ResourceDisplayName
|
||||
| project-reorder
|
||||
TimeGenerated
|
||||
,EventProduct
|
||||
, EventOriginalUid
|
||||
, EventResult
|
||||
, EventOriginalResultDetails
|
||||
, EventStartTime
|
||||
, EventEndTime
|
||||
, LogonMethod
|
||||
, TargetSessionId
|
||||
, TargetUserId
|
||||
, TargetUsername
|
||||
, SrcDvcId
|
||||
, SrcDvcHostname
|
||||
, SrcDvcOs
|
||||
, HttpUserAgent
|
||||
, SrcGeoCity
|
||||
, SrcGeoCountry
|
||||
, TargetAppId
|
||||
, TargetAppName
|
||||
, SrcDvcIpAddr
|
||||
// ** Aliases
|
||||
| extend
|
||||
User=TargetUsername
|
||||
, LogonTarget=TargetAppName
|
||||
, Dvc=EventVendor};
|
||||
AADSigninLogs(starttime, endtime, targetusername_has)
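Review bot: The end-of-window predicate compares against starttime instead of endtime: `and (isnull(endtime) or TimeGenerated <= starttime)` should read `and (isnull(endtime) or TimeGenerated <= endtime)`; with both bounds supplied the two predicates collapse to TimeGenerated == starttime and the parser returns essentially no sign-ins, which a caller has no way to notice. A smaller consistency point: the alias block sets `LogonTarget=TargetAppName` here, while the two other AAD parsers alias `LogonTarget=ResourceIdentity` (the application id), so a cross-source query on LogonTarget would compare a display name against an id; pick one and use it in all three.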
|
|
@ -0,0 +1,69 @@
|
|||
Parser:
|
||||
Title: ASIM AWS authentication
|
||||
Version: '0.1.0'
|
||||
LastUpdated: June 17, 2021
|
||||
Product:
|
||||
Name: Amazon web services cloud trail
|
||||
Normalization:
|
||||
Schema: Authentication
|
||||
Version: '0.1.0'
|
||||
References:
|
||||
- Title: ASIM Authentication Schema
|
||||
Link: https://aka.ms/AzSentinelAuthenticationDoc
|
||||
- Title: ASIM
|
||||
Link: https:/aka.ms/AzSentinelNormalization
|
||||
Description: |
|
||||
This Query Parser maps Amazon Web Service sign in logs (AWSCloudTrail) to the Azure Sentinel Information Model authenticaion schema.
|
||||
ParserName: vimAuthenticationAWSCloudTrail
|
||||
ParserParams:
|
||||
- Name: starttime
|
||||
Type: datetime
|
||||
Default: datetime(null)
|
||||
- Name: endtime
|
||||
Type: datetime
|
||||
Default: datetime(null)
|
||||
- Name: targetusername_has
|
||||
Type: string
|
||||
Default: '*'
|
||||
ParserQuery: |
|
||||
let AWSLogon=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string="*"){
|
||||
AWSCloudTrail
|
||||
// *************************************************************************
|
||||
// <Prefilterring>
|
||||
// *************************************************************************
|
||||
| where
|
||||
(isnull(starttime) or TimeGenerated >= starttime)
|
||||
and (isnull(endtime) or TimeGenerated <= starttime)
|
||||
and (targetusername_has=='*' or (UserIdentityPrincipalid has targetusername_has ))
|
||||
// *************************************************************************
|
||||
// </Prefilterring>
|
||||
// *************************************************************************
|
||||
| where EventName == 'ConsoleLogin'
|
||||
| extend
|
||||
EventVendor = 'AWS'
|
||||
, EventProduct='AWSCloudTrail'
|
||||
, EventCount=int(1)
|
||||
, EventSchemaVersion='0.1.0'
|
||||
, EventResult= iff (ResponseElements has_cs 'Success', 'Success', 'Failure')
|
||||
, EventStartTime=TimeGenerated
|
||||
, EventEndTime=TimeGenerated
|
||||
, EventType='Logon'
|
||||
, LogonMethod=iff(AdditionalEventData has '"MFAUsed": "No"', 'NoMFA', 'MFA')
|
||||
, TargetUrl =tostring(todynamic(AdditionalEventData).LoginTo)
|
||||
, TargetUsernameType='Simple'
|
||||
, TargetUserIdType='AWSId'
|
||||
, TargetUsername= tostring(split(UserIdentityPrincipalid,':',1))
|
||||
| project-rename
|
||||
EventOriginalUid= AwsEventId
|
||||
, EventOriginalResultDetails= ErrorMessage
|
||||
, TargetUserType=UserIdentityType
|
||||
, TargetUserId=UserIdentityAccountId
|
||||
, SrcDvcIpAddr=SourceIpAddress
|
||||
, HttpUserAgent=UserAgent
|
||||
// **** Aliases
|
||||
| extend
|
||||
User=TargetUsername
|
||||
, LogonTarget=tostring(split(TargetUrl,'?')[0])
|
||||
, Dvc=EventVendor
|
||||
};
|
||||
AWSLogon(starttime, endtime, targetusername_has)
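Review bot: `TargetUsername= tostring(split(UserIdentityPrincipalid,':',1))` stringifies a one-element dynamic array, so the column will hold a JSON literal such as `["session-name"]` rather than the name; index the array instead, e.g. `TargetUsername = tostring(split(UserIdentityPrincipalid,':')[1])`, and note that for principal ids with no ':' this yields an empty value, so a fallback to another identity column is probably needed. The prefilter also has the shared end-bound slip: `TimeGenerated <= starttime` should be `TimeGenerated <= endtime`, otherwise a bounded call returns only rows stamped exactly at starttime. Finally, `LogonMethod=iff(AdditionalEventData has '"MFAUsed": "No"', 'NoMFA', 'MFA')` reports MFA whenever that exact marker text is absent (different spacing, missing field), which overstates assurance on the one AWS event most worth monitoring; since AdditionalEventData is already parsed for `LoginTo`, derive it from `tostring(todynamic(AdditionalEventData).MFAUsed)` and map only an explicit `Yes` to 'MFA'.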
|
|
@ -0,0 +1,113 @@
|
|||
Parser:
|
||||
Title: ASIM Microsoft 365 Defender DeviceLogonEvent Authentication parser
|
||||
Version: '0.1.0'
|
||||
LastUpdated: July 1, 2021
|
||||
Product:
|
||||
Name: M365 Defender
|
||||
Normalization:
|
||||
Schema: Authentication
|
||||
Version: '0.1.0'
|
||||
References:
|
||||
- Title: ASIM Authentication Schema
|
||||
Link: https://aka.ms/AzSentinelAuthenticationDoc
|
||||
- Title: ASIM
|
||||
Link: https:/aka.ms/AzSentinelNormalization
|
||||
Description: |
|
||||
This Query Parser maps M365 Defender Device Logon Events (DeviceLogonEvents) to the Azure Sentinel Information Model authenticaion schema.
|
||||
ParserName: vimAuthenticationM365Defender
|
||||
ParserParams:
|
||||
- Name: starttime
|
||||
Type: datetime
|
||||
Default: datetime(null)
|
||||
- Name: endtime
|
||||
Type: datetime
|
||||
Default: datetime(null)
|
||||
- Name: targetusername_has
|
||||
Type: string
|
||||
Default: '*'
|
||||
ParserQuery: |
|
||||
let FaliureReason=datatable(EventOriginalResultDetails:string, EventResultDetails:string)[
|
||||
'InvalidUserNameOrPassword','No such user or password'
|
||||
];
|
||||
let AuthM365D=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string="*"){
|
||||
DeviceLogonEvents
|
||||
// *************************************************************************
|
||||
// <Prefilterring>
|
||||
// *************************************************************************
|
||||
| where
|
||||
(isnull(starttime) or TimeGenerated >= starttime)
|
||||
and (isnull(endtime) or TimeGenerated <= starttime)
|
||||
and (targetusername_has=='*' or (AccountName has targetusername_has))
|
||||
// *************************************************************************
|
||||
// </Prefilterring>
|
||||
// *************************************************************************
|
||||
//
|
||||
| project-rename
|
||||
EventOriginalResultDetails=FailureReason
|
||||
| extend
|
||||
// ---- Event
|
||||
EventSubType=iff(LogonType=='Remote interactive (RDP) logons','RemoteInteractive',LogonType)
|
||||
, EventCount=int(1)
|
||||
, EventStartTime=TimeGenerated
|
||||
, EventEndTime=TimeGenerated
|
||||
, EventOriginalType = LogonType
|
||||
, EventProduct='M365 Defender for EndPoint'
|
||||
, EventResult = case(ActionType =='LogonSuccess', 'Success'
|
||||
, ActionType=='LogonFailed', 'Failure'
|
||||
, ActionType=='LogonAttempted', 'NA'
|
||||
, 'NA')
|
||||
, EventSchemaVersion='0.1.0'
|
||||
, EventType='Logon'
|
||||
, EventVendor ='Microsoft'
|
||||
// ---- Target and Actor Users
|
||||
| project-rename
|
||||
TargetUserId=AccountSid
|
||||
, ActorUserId =InitiatingProcessAccountSid
|
||||
, ActorUserUpn=InitiatingProcessAccountUpn
|
||||
, ActorUserObjectId=InitiatingProcessAccountObjectId
|
||||
| extend
|
||||
TargetUserIdType ='SID'
|
||||
, TargetUsername = strcat(AccountDomain,'\\',AccountName)
|
||||
, TargetUsernameType='Windows'
|
||||
, ActorUserIdType='SID'
|
||||
, ActorUsername=coalesce(ActorUserUpn, strcat(InitiatingProcessAccountDomain,'\\',InitiatingProcessAccountName)) // InitiatingProcessAccountName
|
||||
, ActorUsernameType=case(isnotempty( ActorUserUpn), 'Upn/Email'
|
||||
, isnotempty(InitiatingProcessAccountDomain), 'Windows'
|
||||
, 'Simple')
|
||||
, TargetDvcHostname=tostring(split(DeviceName,'.')[0])
|
||||
, TargetDvcFQDN=DeviceName
|
||||
| project-rename
|
||||
LogonProtocol=Protocol
|
||||
, TargetDvcId=DeviceId
|
||||
, SrcDvcIpAddr=RemoteIP
|
||||
, OriginalEventUid=ReportId
|
||||
, SrcDvcHostname=RemoteDeviceName
|
||||
//
|
||||
, ActingProcessCommandLine = InitiatingProcessCommandLine
|
||||
, ActingProcessCreationTime=InitiatingProcessCreationTime
|
||||
, ActingProcessPath=InitiatingProcessFolderPath
|
||||
, ActingProcessId=InitiatingProcessId
|
||||
, ActingProcessMD5=InitiatingProcessMD5
|
||||
, ActingProcessSHA1=InitiatingProcessSHA1
|
||||
, ActingProcessSHA256= InitiatingProcessSHA256
|
||||
, ActingProcessIntegrityLevel= InitiatingProcessIntegrityLevel
|
||||
, ActingProcessTokenElevation=InitiatingProcessTokenElevation
|
||||
, ParentProcessName=InitiatingProcessParentFileName
|
||||
, ParentProcessId=InitiatingProcessParentId
|
||||
, ParentProcessCreationTime=InitiatingProcessParentCreationTime
|
||||
| extend
|
||||
ActingProcessName=iff(ActingProcessPath hassuffix InitiatingProcessFileName
|
||||
, ActingProcessPath
|
||||
, strcat(ActingProcessPath,'\\',InitiatingProcessFileName))
|
||||
, TargetDvcHostnameType='FQDN'
|
||||
, TargetDvcIdType='MDE'
|
||||
, TargetPortNumber=RemotePort
|
||||
, TargetSessionId = tostring(LogonId)
|
||||
| lookup FaliureReason on EventOriginalResultDetails
|
||||
// TargetUrl
|
||||
// ----------- Alias
|
||||
| extend
|
||||
User=TargetUsername
|
||||
, LogonTarget=TargetDvcHostname
|
||||
, Dvc=TargetDvcHostname
|
||||
};AuthM365D(starttime, endtime, targetusername_has)
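Review bot: The prefilter's upper bound uses the wrong parameter: `and (isnull(endtime) or TimeGenerated <= starttime)` must be `and (isnull(endtime) or TimeGenerated <= endtime)`, or any call that supplies both bounds returns only events stamped exactly at starttime. The third project-rename maps `OriginalEventUid=ReportId`, which is not the field name the other parsers in this commit populate (`EventOriginalUid`) and keeps ReportId's original type (presumably numeric); moving it into the following extend as `EventOriginalUid = tostring(ReportId)` lets consumers join on it consistently. Style: the lookup table is spelled `FaliureReason` in both its definition and the `lookup`; renaming it `FailureReason` spares the next maintainer a confusing identifier.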
|
|
@ -0,0 +1,85 @@
|
|||
Parser:
|
||||
Title: ASIM Authentication Parser for Microsoft Defender for IoT - Endpoint
|
||||
Version: '0.1.0'
|
||||
LastUpdated: Aug 16, 2021
|
||||
Product:
|
||||
Name: Microsoft Defender for IoT - Endpoint
|
||||
Normalization:
|
||||
Schema: Authentication
|
||||
Version: '0.1.0'
|
||||
References:
|
||||
- Title: ASIM Authentication Schema
|
||||
Link: https://aka.ms/AzSentinelAuthenticationDoc
|
||||
- Title: ASIM
|
||||
Link: https:/aka.ms/AzSentinelNormalization
|
||||
Description: ASIM Azure Defender for IoT Authentication Parser
|
||||
ParserName: vimAuthenticationMD4IoT
|
||||
ParserParams:
|
||||
- Name: starttime
|
||||
Type: datetime
|
||||
Default: datetime(null)
|
||||
- Name: endtime
|
||||
Type: datetime
|
||||
Default: datetime(null)
|
||||
- Name: targetusername_has
|
||||
Type: string
|
||||
Default: '*'
|
||||
ParserQuery: |
|
||||
let Authentication_MD4IoT=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string="*")
|
||||
{
|
||||
SecurityIoTRawEvent
|
||||
| where RawEventName == "Login"
|
||||
// *************************************************************************
|
||||
// <Prefilterring>
|
||||
// *************************************************************************
|
||||
| where
|
||||
(isnull(starttime) or TimeGenerated >= starttime)
|
||||
and (isnull(endtime) or TimeGenerated <= starttime)
|
||||
and (targetusername_has=='*' or EventDetails has targetusername_has)
|
||||
// *************************************************************************
|
||||
// </Prefilterring>
|
||||
// *************************************************************************
|
||||
| extend
|
||||
EventDetails = todynamic(EventDetails)
|
||||
//
|
||||
| extend
|
||||
EventOriginalUid = tostring(EventDetails.OriginalEventId),
|
||||
EventProduct = 'Azure Defender for IoT',
|
||||
EventCount=int(1),
|
||||
EventVendor = 'Microsoft',
|
||||
EventSchemaVersion = '0.1.0',
|
||||
EventStartTime = todatetime(EventDetails.TimestampUTC),
|
||||
EventEndTime = todatetime(TimeGenerated),
|
||||
EventType = iff (EventDetails.Operation == 'Logout', 'Logoff', 'Logon'),
|
||||
EventResult = iff (EventDetails.Operation == 'LoginFailed', 'Failure', 'Success')
|
||||
//
|
||||
| extend
|
||||
ActingProcessId = tostring(EventDetails.ProcessId),
|
||||
ActingProcessName = tostring(EventDetails.Executable), // -- Linux input device or service used to authenticate, for example pts/1, tty1, pts/0, ssh:notty
|
||||
DvcOs = iif (EventDetails.MessageSource == "Linux", "Linux", "Windows"), // -- Intermediate fix
|
||||
TargetUsernameType = "Simple",
|
||||
TargetUsername = tostring(EventDetails.UserName)
|
||||
// *************************************************************************
|
||||
// <Postfilterring>
|
||||
// *************************************************************************
|
||||
| where
|
||||
(targetusername_has=='*' or TargetUsername has targetusername_has)
|
||||
// *************************************************************************
|
||||
// <Postfilterring>
|
||||
// *************************************************************************
|
||||
| extend SrcIpAddr = tostring(EventDetails.RemoteAddress)
|
||||
| project-rename
|
||||
DvcHostname = DeviceId,
|
||||
EventProductVersion = AgentVersion, // -- Not available in Windows
|
||||
_ResourceId = AssociatedResourceId,
|
||||
_SubscriptionId = AzureSubscriptionId
|
||||
//
|
||||
// -- aliases
|
||||
| extend
|
||||
User = TargetUsername,
|
||||
Process = ActingProcessName,
|
||||
Dvc = DvcHostname,
|
||||
SrcDvcIpAddr = SrcIpAddr,
|
||||
IpAddr = SrcIpAddr
|
||||
};
|
||||
Authentication_MD4IoT(starttime, endtime, targetusername_has)
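Review bot: The end-bound filter references starttime: `and (isnull(endtime) or TimeGenerated <= starttime)` should be `and (isnull(endtime) or TimeGenerated <= endtime)`; as written a query that supplies both parameters yields only rows stamped exactly at starttime. Separately, `EventStartTime = todatetime(EventDetails.TimestampUTC)` is taken from the device's own timestamp while `EventEndTime = todatetime(TimeGenerated)` is the workspace ingestion time, so EventEndTime - EventStartTime will reflect agent-to-workspace latency rather than anything about the login; if the intent is a point-in-time event, set both from TimestampUTC, or add a comment explaining why they differ. The trailing comment `// <Postfilterring>` that closes the block should be `// </Postfilterring>` to mirror the prefilter block.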
|
|
@ -0,0 +1,160 @@
|
|||
Parser:
|
||||
Title: Microsoft Windows Events Logon and Logoff
|
||||
Version: '1.0.0'
|
||||
LastUpdated: Aug 8, 2021
|
||||
Product:
|
||||
Name: Microsoft Windows Events
|
||||
Normalization:
|
||||
Schema: Authentication
|
||||
Version: '0.1.0'
|
||||
References:
|
||||
- Title: ASIM Authentication Schema
|
||||
Link: https://aka.ms/AzSentinelAuthenticationDoc
|
||||
- Title: ASIM
|
||||
Link: https:/aka.ms/AzSentinelNormalization
|
||||
Description: |
|
||||
This Query Parser maps Windows sign in logs (WindowsEvent) to the Azure Sentinel Information Model authenticaion schema.
|
||||
ParserName: vimAuthenticationMicrosoftWindowsEvent
|
||||
ParserParams:
|
||||
- Name: starttime
|
||||
Type: datetime
|
||||
Default: datetime(null)
|
||||
- Name: endtime
|
||||
Type: datetime
|
||||
Default: datetime(null)
|
||||
- Name: targetusername_has
|
||||
Type: string
|
||||
Default: '*'
|
||||
ParserQuery: |
|
||||
let LogonEvents=dynamic([4624,4625]);
|
||||
let LogoffEvents=dynamic([4634,4647]);
|
||||
let LogonTypes=datatable(LogonType:string, EventSubType:string)[
|
||||
2, 'Interactive',
|
||||
3, 'Network',
|
||||
4, 'Batch',
|
||||
5, 'Service',
|
||||
7, 'Unlock',
|
||||
8, 'NetworkCleartext',
|
||||
9, 'NewCredentials',
|
||||
10, 'RemoteInteractive',
|
||||
11, 'CachedInteractive'];
|
||||
// https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/quick-reference-troubleshooting-netlogon-error-codes/ba-p/256000
|
||||
let LogonStatus=datatable
|
||||
(EventStatus:string,EventOriginalResultDetails:string, EventResultDetails:string)[
|
||||
'0x80090325', 'SEC_E_UNTRUSTED_ROOT','Other',
|
||||
'0xc0000064', 'STATUS_NO_SUCH_USER','No such user or password',
|
||||
'0xc000006f', 'STATUS_INVALID_LOGON_HOURS','Logon violates policy',
|
||||
'0xc0000070', 'STATUS_INVALID_WORKSTATION','Logon violates policy',
|
||||
'0xc0000071', 'STATUS_PASSWORD_EXPIRED','Password expired',
|
||||
'0xc0000072', 'STATUS_ACCOUNT_DISABLED','User disabled',
|
||||
'0xc0000133', 'STATUS_TIME_DIFFERENCE_AT_DC','Other',
|
||||
'0xc000018d', 'STATUS_TRUSTED_RELATIONSHIP_FAILURE','Other',
|
||||
'0xc0000193', 'STATUS_ACCOUNT_EXPIRED','Account expired',
|
||||
'0xc0000380', 'STATUS_SMARTCARD_WRONG_PIN','Other',
|
||||
'0xc0000381', 'STATUS_SMARTCARD_CARD_BLOCKED','Other',
|
||||
'0xc0000382', 'STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED','Other',
|
||||
'0xc0000383', 'STATUS_SMARTCARD_NO_CARD','Other',
|
||||
'0xc0000384', 'STATUS_SMARTCARD_NO_KEY_CONTAINER','Other',
|
||||
'0xc0000385', 'STATUS_SMARTCARD_NO_CERTIFICATE','Other',
|
||||
'0xc0000386', 'STATUS_SMARTCARD_NO_KEYSET','Other',
|
||||
'0xc0000387', 'STATUS_SMARTCARD_IO_ERROR','Other',
|
||||
'0xc0000388', 'STATUS_DOWNGRADE_DETECTED','Other',
|
||||
'0xc0000389', 'STATUS_SMARTCARD_CERT_REVOKED','Other',
|
||||
'0x80090302', 'SEC_E_UNSUPPORTED_FUNCTION','Other',
|
||||
'0x80090308', 'SEC_E_INVALID_TOKEN','Other',
|
||||
'0x8009030e', 'SEC_E_NO_CREDENTIALS','Other',
|
||||
'0xc0000008', 'STATUS_INVALID_HANDLE','Other',
|
||||
'0xc0000017', 'STATUS_NO_MEMORY','Other',
|
||||
'0xc0000022', 'STATUS_ACCESS_DENIED','Other',
|
||||
'0xc0000034', 'STATUS_OBJECT_NAME_NOT_FOUND','Other',
|
||||
'0xc000005e', 'STATUS_NO_LOGON_SERVERS','Other',
|
||||
'0xc000006a', 'STATUS_WRONG_PASSWORD','Incorrect password',
|
||||
'0xc000006d', 'STATUS_LOGON_FAILURE','Other',
|
||||
'0xc000006e', 'STATUS_ACCOUNT_RESTRICTION','Logon violates policy',
|
||||
'0xc0000073', 'STATUS_NONE_MAPPED','Other',
|
||||
'0xc00000fe', 'STATUS_NO_SUCH_PACKAGE','Other',
|
||||
'0xc000009a', 'STATUS_INSUFFICIENT_RESOURCES','Other',
|
||||
'0xc00000dc', 'STATUS_INVALID_SERVER_STATE','Other',
|
||||
'0xc0000106', 'STATUS_NAME_TOO_LONG','Other',
|
||||
'0xc000010b', 'STATUS_INVALID_LOGON_TYPE','Logon violates policy',
|
||||
'0xc000015b', 'STATUS_LOGON_TYPE_NOT_GRANTED','Logon violates policy',
|
||||
'0xc000018b', 'STATUS_NO_TRUST_SAM_ACCOUNT','Logon violates policy',
|
||||
'0xc0000224', 'STATUS_PASSWORD_MUST_CHANGE','Other',
|
||||
'0xc0000234', 'STATUS_ACCOUNT_LOCKED_OUT','User locked',
|
||||
'0xc00002ee', 'STATUS_UNFINISHED_CONTEXT_DELETED','Other'];
|
||||
let WinLogon=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string="*"){
|
||||
WindowsEvent
|
||||
// *************************************************************************
|
||||
// <Prefilterring>
|
||||
// *************************************************************************
|
||||
| where
|
||||
(isnull(starttime) or TimeGenerated >= starttime)
|
||||
and (isnull(endtime) or TimeGenerated <= starttime)
|
||||
and (targetusername_has=='*' or EventData.TargetUserName has targetusername_has)
|
||||
// *************************************************************************
|
||||
// </Prefilterring>
|
||||
// *************************************************************************
|
||||
| where Provider == 'Microsoft-Windows-Security-Auditing'
|
||||
| where EventID in (LogonEvents) or EventID in (LogoffEvents)
|
||||
| extend LogonProtocol = tostring(EventData.AuthenticationPackageName),
|
||||
SrcDvcIpAddr = tostring(EventData.IpAddress),
|
||||
TargetPortNumber = toint(EventData.IpPort),
|
||||
LogonGuid = tostring(EventData.LogonGuid),
|
||||
LogonType = tostring(EventData.LogonType),
|
||||
ActingProcessCreationTime = EventData.ProcessCreationTime,
|
||||
ActingProcessId = tostring(toint(EventData.ProcessId)),
|
||||
ActingProcessName = tostring(EventData.ProcessName),
|
||||
Status = tostring(EventData.Status),
|
||||
ActorSessionId = tostring(EventData.SubjectLogonId),
|
||||
ActorUsername = tostring(iff (EventData.SubjectDomainName == '-', EventData.SubjectUserName, strcat(EventData.SubjectDomainName, @"\" , EventData.SubjectUserName))),
|
||||
ActorUserId = tostring(EventData.SubjectUserSid),
|
||||
SubStatus = tostring(EventData.SubStatus),
|
||||
TargetDomainName = tostring(EventData.TargetDomainName),
|
||||
TargetSessionId = tostring(EventData.TargetLogonId),
|
||||
TargetUserId = tostring(EventData.TargetUserSid),
|
||||
TargetUsername = tostring(iff (EventData.TargetDomainName == '-', EventData.TargetUserName, strcat(EventData.TargetDomainName, @"\" , EventData.TargetUserName)))
|
||||
// *************************************************************************
|
||||
// <Postfilterring>
|
||||
// *************************************************************************
|
||||
| where (targetusername_has=='*' or TargetUsername has targetusername_has),
|
||||
// *************************************************************************
|
||||
// <Postfilterring>
|
||||
// *************************************************************************
|
||||
| extend
|
||||
SrcDvcHostname = tostring(EventData.WorkstationName),
|
||||
EventProduct = "Security Events"
|
||||
| extend EventStatus= iff(SubStatus=='0x0',Status,SubStatus)
|
||||
// -- creating EventMessage matching EventMessage in SecurityEvent table
|
||||
| extend EventMessage = case(EventID == 4634, "4634 - An account was logged off.",
|
||||
EventID == 4625, "4625 - An account failed to log on.",
|
||||
EventID == 4624 ,"4624 - An account was successfully logged on.",
|
||||
"4647 - User initiated logoff."),
|
||||
EventResult = iff(EventID == 4625, 'Failure', 'Success')
|
||||
| project-rename
|
||||
TargetDvcHostname = Computer
|
||||
// , TargetUserType=AccountType - no AccountType in windowsEvents
|
||||
// , EventOriginalUid = EventOriginId - no EventOriginalId in WindowsEvents
|
||||
, EventOriginId=EventID
|
||||
| extend EventCount=int(1)
|
||||
, EventSchemaVersion='0.1.0'
|
||||
, ActorUserIdType='SID'
|
||||
, TargetUserIdType='SID'
|
||||
, EventVendor='Microsoft'
|
||||
, EventStartTime =TimeGenerated
|
||||
, EventEndTime=TimeGenerated
|
||||
, EventType=iff(EventOriginId in (LogoffEvents), 'Logoff', 'Logon')
|
||||
, ActorUsername = tostring(EventData.SubjectUserName)
|
||||
, ActorUsernameType= iff(EventData.SubjectDomainName == '-','Simple', 'Windows' )
|
||||
, TargetUsername = tostring(EventData.TargetUsername)
|
||||
, TargetUsernameType=iff (TargetDomainName == '-', 'Simple', 'Windows')
|
||||
, SrcDvcOs = 'Windows'
|
||||
, EventStatus= iff(SubStatus=='0x0',Status,SubStatus)
|
||||
| lookup LogonStatus on EventStatus
|
||||
| lookup LogonTypes on LogonType
|
||||
/// ** Aliases
|
||||
| extend
|
||||
User=TargetUsername
|
||||
, LogonTarget=TargetDvcHostname
|
||||
, Dvc=SrcDvcHostname
|
||||
};
|
||||
WinLogon(starttime, endtime, targetusername_has)
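Review bot: The postfilter line `| where (targetusername_has=='*' or TargetUsername has targetusername_has),` ends with a comma before the next pipe, which a where operator does not accept, so the whole function fails to parse; drop the comma. The last extend then re-derives user fields it already computed: `TargetUsername = tostring(EventData.TargetUsername)` reads a field spelled differently from the `EventData.TargetUserName` used in the prefilter and the first extend, so it replaces the `DOMAIN\user` value built earlier with an empty string (while TargetUsernameType still reports 'Windows'), and `ActorUsername = tostring(EventData.SubjectUserName)` likewise overwrites the domain-qualified ActorUsername; remove both lines. The time prefilter has the same end-bound slip as the other new parsers (`TimeGenerated <= starttime` should be `<= endtime`), and `EventStatus= iff(SubStatus=='0x0',Status,SubStatus)` is computed twice, once right after the postfilter and again before the lookups, so one of the two can go.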
|
|
@ -0,0 +1,104 @@
|
|||
Parser:
|
||||
Title: ASIM Okta identity management authentication parser
|
||||
Version: '0.1.0'
|
||||
LastUpdated: June 17, 2021
|
||||
Product:
|
||||
Name: Okta identity management
|
||||
Normalization:
|
||||
Schema: Authentication
|
||||
Version: '0.1.0'
|
||||
References:
|
||||
- Title: ASIM Authentication Schema
|
||||
Link: https://aka.ms/AzSentinelAuthenticationDoc
|
||||
- Title: ASIM
|
||||
Link: https:/aka.ms/AzSentinelNormalization
|
||||
Description: |
|
||||
This Query Parser maps Okta sign in logs (Okta_CL) to the Azure Sentinel Information Model authenticaion schema.
|
||||
ParserName: vimAuthenticationOktaSSO
|
||||
ParserParams:
|
||||
- Name: starttime
|
||||
Type: datetime
|
||||
Default: datetime(null)
|
||||
- Name: endtime
|
||||
Type: datetime
|
||||
Default: datetime(null)
|
||||
- Name: targetusername_has
|
||||
Type: string
|
||||
Default: '*'
|
||||
ParserQuery: |
|
||||
let OktaSignin=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string="*"){
|
||||
let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);
|
||||
let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED','DENY']);
|
||||
let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);
|
||||
// https://developer.okta.com/docs/reference/api/event-types/#catalog
|
||||
Okta_CL
|
||||
// *************************************************************************
|
||||
// <Prefilterring>
|
||||
// *************************************************************************
|
||||
| where
|
||||
(isnull(starttime) or TimeGenerated >= starttime)
|
||||
and (isnull(endtime) or TimeGenerated <= starttime)
|
||||
and (targetusername_has=='*' or (actor_alternateId_s has targetusername_has))
|
||||
// *************************************************************************
|
||||
// </Prefilterring>
|
||||
// *************************************************************************
|
||||
| where eventType_s in (OktaSigninEvents)
|
||||
| extend
|
||||
EventProduct='Okta'
|
||||
, EventVendor='Okta'
|
||||
, EventCount=int(1)
|
||||
, EventSchemaVersion='0.1.0'
|
||||
, EventResult = case (outcome_result_s in (OktaSuccessfulOutcome), 'Success',outcome_result_s in (OktaFailedOutcome),'Failure', 'Partial')
|
||||
, EventStartTime=TimeGenerated
|
||||
, EventEndTime=TimeGenerated
|
||||
, EventType=iff(eventType_s hassuffix 'start', 'Logon', 'Logoff')
|
||||
, EventSubType=legacyEventType_s
|
||||
, TargetUserIdType='OktaId'
|
||||
, TargetUsernameType='Upn'
|
||||
, SrcGeoLatitude=toreal(client_geographicalContext_geolocation_lat_d)
|
||||
, SrcGeoLongitude=toreal(client_geographicalContext_geolocation_lon_d)
|
||||
, ActingAppType = "Browser"
|
||||
| project-rename
|
||||
EventMessage=displayMessage_s
|
||||
,EventOriginalResultDetails=outcome_reason_s
|
||||
, LogonMethod = authenticationContext_credentialType_s
|
||||
, TargetSessionId=authenticationContext_externalSessionId_s
|
||||
, TargetUserId= actor_id_s
|
||||
, TargetUsername=actor_alternateId_s
|
||||
, TargetUserType=actor_type_s
|
||||
, SrcDvcOs=client_userAgent_os_s
|
||||
, HttpUserAgent=client_userAgent_rawUserAgent_s
|
||||
, ActingAppName = client_userAgent_browser_s
|
||||
, SrcIsp=securityContext_isp_s
|
||||
, SrcGeoCity=client_geographicalContext_city_s
|
||||
, SrcGeoCountry=client_geographicalContext_country_s
|
||||
, EventOriginalUid = uuid_g_g
|
||||
| project-reorder
|
||||
EventProduct
|
||||
, EventOriginalUid
|
||||
, TimeGenerated
|
||||
, EventMessage
|
||||
, EventResult
|
||||
, EventOriginalResultDetails
|
||||
, EventStartTime
|
||||
, EventEndTime
|
||||
, EventType
|
||||
, EventSubType
|
||||
, LogonMethod
|
||||
, TargetSessionId
|
||||
, TargetUserId
|
||||
, TargetUsername
|
||||
, TargetUserType
|
||||
, SrcDvcOs
|
||||
, HttpUserAgent
|
||||
, SrcIsp
|
||||
, SrcGeoCity
|
||||
, SrcGeoCountry
|
||||
, SrcGeoLongitude
|
||||
, SrcGeoLatitude
|
||||
// ** Aliases
|
||||
| extend
|
||||
User=TargetUsername
|
||||
, Dvc=EventVendor
|
||||
};
|
||||
OktaSignin(starttime, endtime, targetusername_has)
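Review bot: The upper time bound compares against starttime: `and (isnull(endtime) or TimeGenerated <= starttime)` needs to be `and (isnull(endtime) or TimeGenerated <= endtime)`, otherwise supplying both bounds returns only events stamped exactly at starttime. `ActingAppType = "Browser"` is asserted for every user.session.start/end row although nothing in the row is checked to support it; unless the source guarantees browser-only sessions, leave it empty or derive it from a client field, since analysts are likely to filter on it. Also worth confirming that `EventOriginalUid = uuid_g_g` names a real column: the doubled `_g` suffix looks like a typo for `uuid_g`, and a project-rename of a missing column fails the whole query.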
|
|
@ -0,0 +1,158 @@
|
|||
Parser:
|
||||
Title: Microsoft Windows Logon and Logoff
|
||||
Version: '0.1.0'
|
||||
LastUpdated: June 17, 2021
|
||||
Product:
|
||||
Name: Microsoft Windows Events
|
||||
Normalization:
|
||||
Schema: Authentication
|
||||
Version: '0.1.0'
|
||||
References:
|
||||
- Title: ASIM Authentication Schema
|
||||
Link: https://aka.ms/AzSentinelAuthenticationDoc
|
||||
- Title: ASIM
|
||||
Link: https:/aka.ms/AzSentinelNormalization
|
||||
Description: |
|
||||
This Query Parser maps Windows Active Directory sign in logs (SecurityEvent) to the Azure Sentinel Information Model authenticaion schema.
|
||||
ParserName: vimAuthenticationWindowsSecurityEvent
|
||||
ParserParams:
|
||||
- Name: starttime
|
||||
Type: datetime
|
||||
Default: datetime(null)
|
||||
- Name: endtime
|
||||
Type: datetime
|
||||
Default: datetime(null)
|
||||
- Name: targetusername_has
|
||||
Type: string
|
||||
Default: '*'
|
||||
ParserQuery: |
|
||||
let LogonEvents=dynamic([4624,4625]);
|
||||
let LogoffEvents=dynamic([4634,4647]);
|
||||
let LogonTypes=datatable(LogonType:int, EventSubType:string)[
|
||||
2, 'Interactive',
|
||||
3, 'Network',
|
||||
4, 'Batch',
|
||||
5, 'Service',
|
||||
7, 'Unlock',
|
||||
8, 'NetworkCleartext',
|
||||
9, 'NewCredentials',
|
||||
10, 'RemoteInteractive',
|
||||
11, 'CachedInteractive'
|
||||
];
|
||||
// https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/quick-reference-troubleshooting-netlogon-error-codes/ba-p/256000
|
||||
let LogonStatus=datatable
|
||||
(EventStatus:string,EventOriginalResultDetails:string, EventResultDetails:string)[
|
||||
'0x80090325', 'SEC_E_UNTRUSTED_ROOT','Other',
|
||||
'0xc0000064', 'STATUS_NO_SUCH_USER','No such user or password',
|
||||
'0xc000006f', 'STATUS_INVALID_LOGON_HOURS','Logon violates policy',
|
||||
'0xc0000070', 'STATUS_INVALID_WORKSTATION','Logon violates policy',
|
||||
'0xc0000071', 'STATUS_PASSWORD_EXPIRED','Password expired',
|
||||
'0xc0000072', 'STATUS_ACCOUNT_DISABLED','User disabled',
|
||||
'0xc0000133', 'STATUS_TIME_DIFFERENCE_AT_DC','Other',
|
||||
'0xc000018d', 'STATUS_TRUSTED_RELATIONSHIP_FAILURE','Other',
|
||||
'0xc0000193', 'STATUS_ACCOUNT_EXPIRED','Account expired',
|
||||
'0xc0000380', 'STATUS_SMARTCARD_WRONG_PIN','Other',
|
||||
'0xc0000381', 'STATUS_SMARTCARD_CARD_BLOCKED','Other',
|
||||
'0xc0000382', 'STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED','Other',
|
||||
'0xc0000383', 'STATUS_SMARTCARD_NO_CARD','Other',
|
||||
'0xc0000384', 'STATUS_SMARTCARD_NO_KEY_CONTAINER','Other',
|
||||
'0xc0000385', 'STATUS_SMARTCARD_NO_CERTIFICATE','Other',
|
||||
'0xc0000386', 'STATUS_SMARTCARD_NO_KEYSET','Other',
|
||||
'0xc0000387', 'STATUS_SMARTCARD_IO_ERROR','Other',
|
||||
'0xc0000388', 'STATUS_DOWNGRADE_DETECTED','Other',
|
||||
'0xc0000389', 'STATUS_SMARTCARD_CERT_REVOKED','Other',
|
||||
'0x80090302', 'SEC_E_UNSUPPORTED_FUNCTION','Other',
|
||||
'0x80090308', 'SEC_E_INVALID_TOKEN','Other',
|
||||
'0x8009030e', 'SEC_E_NO_CREDENTIALS','Other',
|
||||
'0xc0000008', 'STATUS_INVALID_HANDLE','Other',
|
||||
'0xc0000017', 'STATUS_NO_MEMORY','Other',
|
||||
'0xc0000022', 'STATUS_ACCESS_DENIED','Other',
|
||||
'0xc0000034', 'STATUS_OBJECT_NAME_NOT_FOUND','Other',
|
||||
'0xc000005e', 'STATUS_NO_LOGON_SERVERS','Other',
|
||||
'0xc000006a', 'STATUS_WRONG_PASSWORD','Incorrect password',
|
||||
'0xc000006d', 'STATUS_LOGON_FAILURE','Other',
|
||||
'0xc000006e', 'STATUS_ACCOUNT_RESTRICTION','Logon violates policy',
|
||||
'0xc0000073', 'STATUS_NONE_MAPPED','Other',
|
||||
'0xc00000fe', 'STATUS_NO_SUCH_PACKAGE','Other',
|
||||
'0xc000009a', 'STATUS_INSUFFICIENT_RESOURCES','Other',
|
||||
'0xc00000dc', 'STATUS_INVALID_SERVER_STATE','Other',
|
||||
'0xc0000106', 'STATUS_NAME_TOO_LONG','Other',
|
||||
'0xc000010b', 'STATUS_INVALID_LOGON_TYPE','Logon violates policy',
|
||||
'0xc000015b', 'STATUS_LOGON_TYPE_NOT_GRANTED','Logon violates policy',
|
||||
'0xc000018b', 'STATUS_NO_TRUST_SAM_ACCOUNT','Logon violates policy',
|
||||
'0xc0000224', 'STATUS_PASSWORD_MUST_CHANGE','Other',
|
||||
'0xc0000234', 'STATUS_ACCOUNT_LOCKED_OUT','User locked',
|
||||
'0xc00002ee', 'STATUS_UNFINISHED_CONTEXT_DELETED','Other'];
|
||||
let WinLogon=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string="*"){
|
||||
SecurityEvent
|
||||
// *************************************************************************
|
||||
// <Prefilterring>
|
||||
// *************************************************************************
|
||||
| where
|
||||
(isnull(starttime) or TimeGenerated >= starttime)
|
||||
and (isnull(endtime) or TimeGenerated <= starttime)
|
||||
and (targetusername_has=='*' or TargetUserName has targetusername_has)
|
||||
// *************************************************************************
|
||||
// </Prefilterring>
|
||||
// *************************************************************************
|
||||
| where EventID in (LogonEvents) or
|
||||
EventID in (LogoffEvents)
|
||||
| project-rename
|
||||
EventMessage = Activity
|
||||
, ActorSessionId=SubjectLogonId
|
||||
, TargetSessionId=TargetLogonId
|
||||
, ActorUserId=SubjectUserSid
|
||||
, TargetUserId =TargetUserSid
|
||||
, TargetUserType=AccountType
|
||||
, SrcDvcHostname = WorkstationName
|
||||
, TargetDvcHostname = Computer
|
||||
, EventOriginalUid = EventOriginId
|
||||
, LogonProtocol=AuthenticationPackageName
|
||||
, SrcDvcIpAddr=IpAddress
|
||||
| extend EventOriginId=EventID | project-away EventID
|
||||
| extend EventResult = iff(EventOriginId == 4625, 'Failure', 'Success')
|
||||
, EventCount=int(1)
|
||||
, EventSchemaVersion='0.1.0'
|
||||
, EventProduct = "Security Event"
|
||||
, ActorUserIdType='SID'
|
||||
, TargetUserIdType='SID'
|
||||
, EventVendor='Microsoft'
|
||||
, EventStartTime =TimeGenerated
|
||||
, EventEndTime=TimeGenerated
|
||||
, EventType=iff(EventOriginId in (LogoffEvents), 'Logoff', 'Logon')
|
||||
, ActorUsername = iff (SubjectDomainName == '-', SubjectUserName, SubjectAccount)
|
||||
, ActorUsernameType= iff(SubjectDomainName == '-','Simple', 'Windows' )
|
||||
, TargetUsername = iff (TargetDomainName == '-', trim(@'\\',TargetUserName), trim(@'\\',TargetAccount))
|
||||
, TargetUsernameType=iff (TargetDomainName == '-', 'Simple', 'Windows')
|
||||
, SrcDvcOs = 'Windows'
|
||||
, EventStatus= iff(SubStatus=='0x0',Status,SubStatus)
|
||||
| lookup LogonStatus on EventStatus
|
||||
| lookup LogonTypes on LogonType
|
||||
| project-reorder
|
||||
TimeGenerated
|
||||
, EventProduct
|
||||
, EventMessage
|
||||
, EventResult
|
||||
, EventOriginalResultDetails
|
||||
, EventStartTime
|
||||
, EventEndTime
|
||||
, EventType
|
||||
, EventSubType
|
||||
, ActorSessionId
|
||||
, TargetSessionId
|
||||
, ActorUserId
|
||||
, ActorUsername
|
||||
, TargetUserId
|
||||
, TargetUsername
|
||||
, TargetUserType
|
||||
, SrcDvcOs
|
||||
, TargetDvcHostname
|
||||
, LogonProtocol
|
||||
, ImpersonationLevel
|
||||
/// ** Aliases
|
||||
| extend
|
||||
User=TargetUsername
|
||||
, LogonTarget=TargetDvcHostname
|
||||
, Dvc=SrcDvcHostname
|
||||
};
|
||||
WinLogon(starttime, endtime, targetusername_has)
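Review bot: The endtime bound in the Prefilterring block is written as `and (isnull(endtime) or TimeGenerated <= starttime)`, i.e. it compares against starttime instead of endtime; it should read `and (isnull(endtime) or TimeGenerated <= endtime)`. As written, a caller that supplies only endtime gets an empty result (the comparison against a null starttime is never true), and a caller that supplies both gets only events stamped exactly at starttime. Because this filter runs before the EventID filter and before any rename, the defect produces no error, it just silently empties every detection or hunting query that invokes vimAuthenticationWindowsSecurityEvent with a time window, so a quick check such as calling the parser with both parameters set and confirming the row count is non-zero would catch it. While touching those lines, the section markers spell "Prefilterring" and would read better as "Prefiltering".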
|
|
@ -22,7 +22,8 @@ To deploy all parsers to your workspace using ARM templates use the button below
|
|||
This template deploys the following parsers:
|
||||
|
||||
- Source agnostic parsers:
|
||||
- imAuthentication - Authentication events from all normalized authentication providers
|
||||
- ASimAuthentication - Authentication events from all normalized authentication providers
|
||||
- imAuthentication - Use this parser, which supports the optimization parameters desribed below, when using Authentication logs in your content such as detection, hunting queries or workbooks. You can also use it interactively if you want to optimize your query
|
||||
- vimAuthenticationEmpty - Empty ASim Authentication table
|
||||
|
||||
- Source specific parsers:
|
||||
|
@ -36,3 +37,19 @@ This template deploys the following parsers:
|
|||
- **Windows Security Events** collecting using the Log Analytics Agent or Azure Monitor Agent - vimAuthenticationWindowsSecurityEvent
|
||||
- **Windows Events** collecting using the Azure Monitor Agent - vimAuthenticationMicrosoftWindowsEvent. Note that those are the same original events as Windows Security events, but collected to the WindowsEvent table, for example when collecting using Windows Event Forwarding.
|
||||
- **Microsoft Defender for IoT - Endpoint**, reporting Linux authentication events - vimAuthenticationMD4IoT
|
||||
|
||||
## Parser parameters
|
||||
|
||||
Parametersize parsers support the following parameters which allow for pre-filtering and therefore significantly enhance parser perofrmance. All parameters are optional. The results will match all of the used parameters (AND logic).
|
||||
|
||||
To use parameters, set their value as you invoke the parser, for example
|
||||
|
||||
`imAuthentication (targetusername_has = 'mike') | ...`
|
||||
|
||||
Supported parameters:
|
||||
|
||||
| Name | Type | Default value |
|
||||
|----------|-----------|---------------|
|
||||
| starttime| datetime | datetime(null)|
|
||||
| endtime | datetime | datetime(null) |
|
||||
| targetusername | string | '*' |
|
||||
|
|
|
@ -1,43 +0,0 @@
|
|||
# Restrict-MDEDomain
|
||||
author: Nicholas DiCola
|
||||
|
||||
This playbook will take DNS entities and generate alert and block threat indicators for each domain in MDE for 90 days.
|
||||
|
||||
## Quick Deployment
|
||||
**Deploy with incident trigger** (recommended)
|
||||
|
||||
After deployment, attach this playbook to an **automation rule** so it runs when the incident is created.
|
||||
|
||||
[Learn more about automation rules](https://docs.microsoft.com/azure/sentinel/automate-incident-handling-with-automation-rules#creating-and-managing-automation-rules)
|
||||
|
||||
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FRestrict-MDEDomain%2Fincident-trigger%2Fazuredeploy.json)
|
||||
[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FRestrict-MDEDomain%2Fincident-trigger%2Fazuredeploy.json)
|
||||
|
||||
**Deploy with alert trigger**
|
||||
|
||||
After deployment, you can run this playbook manually on an alert or attach it to an **analytics rule** so it will rune when an alert is created.
|
||||
|
||||
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FRestrict-MDEDomain%2Falert-trigger%2Fazuredeploy.json)
|
||||
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FRestrict-MDEDomain%2Falert-trigger%2Fazuredeploy.json)
|
||||
|
||||
## Prerequisites
|
||||
- **For Gov Only** You will need to update the HTTP action URL to the correct URL documented [here](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/gov?view=o365-worldwide#api)
|
||||
- You will need to grant Ti.ReadWrite permissions to the managed identity. Run the following code replacing the managed identity object id. You find the managed identity object id on the Identity blade under Settings for the Logic App.
|
||||
```powershell
|
||||
$MIGuid = "<Enter your managed identity guid here>"
|
||||
$MI = Get-AzureADServicePrincipal -ObjectId $MIGuid
|
||||
|
||||
$MDEAppId = "fc780465-2017-40d4-a0c5-307022471b92"
|
||||
$PermissionName = "Ti.ReadWrite"
|
||||
|
||||
$MDEServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$MDEAppId'"
|
||||
$AppRole = $MDEServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application"}
|
||||
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
|
||||
-ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id
|
||||
```
|
||||
|
||||
## Screenshots
|
||||
**Incident Trigger**<br>
|
||||
![Incident Trigger](./incident-trigger/images/designerLight.png)<br>
|
||||
**Alert Trigger**<br>
|
||||
![Alert Trigger](./alert-trigger/images/Restrict-MDEDomain_alert.png)<br>
|