Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Merge branch 'master' into robutire-AddDetectionConnectorsIdsTest

This commit is contained in:
Ronen Butirev 2021-01-21 11:38:00 +02:00
Родитель 8733007394 c68dfab32b
Коммит d4d944aaa0
15 изменённых файлов: 1404 добавлений и 101 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

57
.script/tests/KqlvalidationsTests/CustomTables/CyberpionActionItems_CL.json Normal file
Просмотреть файл

@ -0,0 +1,57 @@
{
"Name": "CyberpionActionItems_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "id_s",
"Type": "String"
},
{
"Name": "host_s",
"Type": "String"
},
{
"Name": "Category",
"Type": "String"
},
{
"Name": "title_s",
"Type": "String"
},
{
"Name": "urgency_d",
"Type": "Double"
},
{
"Name": "is_open_b",
"Type": "Boolean"
},
{
"Name": "impact_s",
"Type": "String"
},
{
"Name": "summary_s",
"Type": "String"
},
{
"Name": "solution_s",
"Type": "String"
},
{
"Name": "description_s",
"Type": "String"
},
{
"Name": "technical_details_s",
"Type": "String"
},
{
"Name": "opening_datetime_t",
"Type": "DateTime"
}
]
}

93
DataConnectors/CyberpionSecurityLogs.json Normal file
Просмотреть файл

@ -0,0 +1,93 @@
{
"id": "CyberpionSecurityLogs",
"title": "Cyberpion Security Logs",
"publisher": "Cyberpion",
"descriptionMarkdown": "The Cyberpion Security Logs data connector, ingests logs from the Cyberpion system directly into Sentinel. The connector allows users to visualize their data, create alerts and incidents and improve security investigations.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "CyberpionActionItems_CL",
"baseQuery": "CyberpionActionItems_CL"
}
],
"sampleQueries": [
{
"description": "Fetch latest Action Items that are currently open",
"query": "let lookbackTime = 14d;\nlet maxTimeGeneratedBucket = toscalar(\n CyberpionActionItems_CL \n | where TimeGenerated > ago(lookbackTime)\n | summarize max(bin(TimeGenerated, 1h))\n );\nCyberpionActionItems_CL\n | where TimeGenerated > ago(lookbackTime) and is_open_b == true\n | where bin(TimeGenerated, 1h) == maxTimeGeneratedBucket\n "
}
],
"dataTypes": [
{
"name": "CyberpionActionItems_CL",
"lastDataReceivedQuery": "CyberpionActionItems_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"CyberpionActionItems_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [
{
"name": "Cyberpion Subscription",
"description": "a subscription and account is required for cyberpion logs. [One can be acquired here.](https://azuremarketplace.microsoft.com/en/marketplace/apps/cyberpion1597832716616.cyberpion)"
}
]
},
"instructionSteps": [
{
"title": "",
"description": "Follow the [instructions](https://www.cyberpion.com/resource-center/integrations/azure-sentinel/) to integrate Cyberpion Security Alerts into Sentinel.",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID"
},
"type": "CopyableLabel"
},
{
"parameters": {
"fillWith": [
"PrimaryKey"
],
"label": "Primary Key"
},
"type": "CopyableLabel"
}
]
}
]
}

95
DataConnectors/NXLogBSMmacOS.json Normal file
Просмотреть файл

@ -0,0 +1,95 @@
{
"id": "NXLogBSMmacOS",
"title": "NXLog BSM macOS",
"publisher": "NXLog",
"descriptionMarkdown": "The NXLog [BSM](https://nxlog.co/documentation/nxlog-user-guide/im_bsm.html) macOS data connector uses Suns Basic Security Module (BSM) Auditing API to read events directly from the kernel for capturing audit events on the macOS platform. This REST API connector can efficiently export macOS audit events to Azure Sentinel in real-time.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "BSMmacOS_CL",
"baseQuery": "BSMmacOS_CL"
}
],
"sampleQueries": [
{
"description" : "Most frequent event types",
"query": "BSMmacOS_CL\n| summarize EventCount = count() by EventType_s\n| where strlen(EventType_s) > 1\n| project Eventype = EventType_s, EventCount\n| order by EventCount desc\n| render barchart"
},
{
"description" : "Most frequent event names",
"query": "BSMmacOS_CL\n| summarize EventCount = count() by EventName_s\n| project EventCount, EventName = EventName_s\n| where strlen(EventName) > 1\n| order by EventCount desc\n| render barchart"
},
{
"description" : "Distribution of (notification) texts",
"query": "BSMmacOS_CL\n| summarize EventCount = count() by Text_s\n| where strlen(Text_s) > 1\n| order by EventCount\n| render piechart"
}
],
"dataTypes": [
{
"name": "BSMmacOS_CL",
"lastDataReceivedQuery": "BSMmacOS_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"BSMmacOS_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
]
},
"instructionSteps": [
{
"title": "",
"description": "Follow the step-by-step instructions in the *NXLog User Guide* Integration Topic [Microsoft Azure Sentinel](https://nxlog.co/documentation/nxlog-user-guide/sentinel.html) to configure this connector.",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID"
},
"type": "CopyableLabel"
},
{
"parameters": {
"fillWith": [
"PrimaryKey"
],
"label": "Primary Key"
},
"type": "CopyableLabel"
}
]
}
]
}

83
Detections/MultipleDataSources/SecurityServiceRegistryACLModification.yaml Normal file
Просмотреть файл

@ -0,0 +1,83 @@
id: 473d57e6-f787-435c-a16b-b38b51fa9a4b
name: Security Service Registry ACL Modification
description: |
'Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant registry keys to start the service.
The detection leverages Security Event as well as MDE data to identify when specific security services registry permissions are modified.
Only some portions of this detection are related to Solorigate, it also includes coverage for some common tools that perform this activity.
Reference on guidance for enabling registry auditing:
- https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing-faq
- https://docs.microsoft.com/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events
- https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-registry
- https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4670
- For the event 4670 to be created the audit policy for the registry must have auditing enabled for Write DAC and/or Write Owner
- https://github.com/OTRF/Set-AuditRule
- https://docs.microsoft.com/dotnet/api/system.security.accesscontrol.registryrights?view=dotnet-plat-ext-5.0'
severity: High
requiredDataConnectors:
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceProcessEvents
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- DefenseEvasion
relevantTechniques:
- T1562
tags:
- Solorigate
query: |
let servicelist = dynamic(['Services\\HealthService', 'Services\\Sense', 'Services\\WinDefend', 'Services\\MsSecFlt', 'Services\\DiagTrack', 'Services\\SgrmBroker', 'Services\\SgrmAgent', 'Services\\AATPSensorUpdater' , 'Services\\AATPSensor', 'Services\\mpssvc']);
let filename = dynamic(["subinacl.exe",'SetACL.exe']);
let parameters = dynamic (['/deny=SYSTEM', '/deny=S-1-5-18', '/grant=SYSTEM=r', '/grant=S-1-5-18=r', 'n:SYSTEM;p:READ', 'n1:SYSTEM;ta:remtrst;w:dacl']);
let FullAccess = dynamic(['A;CI;KA;;;SY', 'A;ID;KA;;;SY', 'A;CIID;KA;;;SY']);
let ReadAccess = dynamic(['A;CI;KR;;;SY', 'A;ID;KR;;;SY', 'A;CIID;KR;;;SY']);
let DenyAccess = dynamic(['D;CI;KR;;;SY', 'D;ID;KR;;;SY', 'D;CIID;KR;;;SY']);
let timeframe = 1d;
(union isfuzzy=true
(
SecurityEvent
| where TimeGenerated >= ago(timeframe)
| where EventID == 4670
| where ObjectType == 'Key'
| where ObjectName has_any (servicelist)
| parse EventData with * 'OldSd">' OldSd "<" *
| parse EventData with * 'NewSd">' NewSd "<" *
| extend Reason = case( (OldSd has ';;;SY' and NewSd !has ';;;SY'), 'System Account is removed', (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , 'System permission has been changed to read from full access', (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), 'System account has been given denied permission', 'None')
| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason
),
(
SecurityEvent
| where TimeGenerated >= ago(timeframe)
| where EventID == 4688
| extend ProcessName = tostring(split(NewProcessName, '\\')[-1])
| where ProcessName in~ (filename)
| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)
| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type
),
(
DeviceProcessEvents
| where TimeGenerated >= ago(timeframe)
| where InitiatingProcessFileName in~ (filename)
| where InitiatingProcessCommandLine has_any(servicelist) and InitiatingProcessCommandLine has_any (parameters)
| extend Account = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), Computer = DeviceName
| project TimeGenerated, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName, ProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = InitiatingProcessCommandLine, Type, InitiatingProcessParentFileName
)
)
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: HostCustomEntity

6
Detections/SigninLogs/Brute Force Attack against GitHub Account.yaml
Просмотреть файл

@ -26,16 +26,16 @@ query: |
let EndLearningTime = StartTime + LearningPeriod;
let GitHubFailedSSOLogins = (SigninLogs
| where AppDisplayName == "GitHub.com"
| where ResultType == 50056);
| where ResultType != 0);
GitHubFailedSSOLogins
| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))
| summarize FailedLoginsCountInBinTime = count() by UserPrincipalName, bin(TimeGenerated, BinTime)
| summarize AvgOfFailedLoginsInLearning = avg(FailedLoginsCountInBinTime), StdOfFailedLoginsInLearning = stdev(FailedLoginsCountInBinTime) by UserPrincipalName, tostring(set_IPAddress)
| summarize AvgOfFailedLoginsInLearning = avg(FailedLoginsCountInBinTime), StdOfFailedLoginsInLearning = stdev(FailedLoginsCountInBinTime) by UserPrincipalName
| extend LearningThreshold = max_of(AvgOfFailedLoginsInLearning + StdOfFailedLoginsInLearning * NumberOfStds, MinThreshold)
| join kind=innerunique (
GitHubFailedSSOLogins
| where TimeGenerated between (ago(StartTime) .. ago(EndRunTime))
| summarize FailedLoginsCountInRunTime = count() by User = Identity
| summarize FailedLoginsCountInRunTime = count() by User = Identity, UserPrincipalName, bin(TimeGenerated, BinTime)
) on UserPrincipalName
| where FailedLoginsCountInRunTime > LearningThreshold
| extend AccountCustomEntity = UserPrincipalName , timestamp = TimeGenerated

2
Hunting Queries/MultipleDataSources/PotentialMicrosoftSecurityServicesTampering.yaml
Просмотреть файл

@ -41,7 +41,7 @@ query: |
| where (CommandLine has_any (action) and CommandLine has_any (service1))
or (CommandLine has_any (params1) and CommandLine has 'Set-MpPreference' and CommandLine has '$true')
or (CommandLine has_any (params2) and CommandLine has "/IM")
or (CreatedProcessCommandLine has_any (regparams5) and CreatedProcessCommandLine has 'Start' and CreatedProcessCommandLine has_any (regparams6))
or (CommandLine has_any (regparams5) and CommandLine has 'Start' and CommandLine has_any (regparams6))
or (CommandLine has_any (regparams1) and CommandLine has_any (regparams2) and CommandLine has_any (regparams7))
or (CommandLine has "start" and CommandLine has "config" and CommandLine has_any (regparams3) and CommandLine has_any (regparams4))
| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type

9
Logos/cyberpion_logo.svg Normal file
Просмотреть файл

@ -0,0 +1,9 @@
<svg xmlns="http://www.w3.org/2000/svg" width="40" height="40" viewBox="0 4 40 40">
<g>
<g>
<path d="M38.121,28.7a3.565,3.565,0,0,0-5.033-.147A3.627,3.627,0,0,0,32,30.7a7.4,7.4,0,0,1-.576.62,10.823,10.823,0,0,1-7.768,3.24,10.981,10.981,0,0,1-7.809-3.247,11.169,11.169,0,0,1-1.164-1.4l-.449-.635H8.083l1.2,2.214a16.739,16.739,0,0,0,2.75,3.669,16.46,16.46,0,0,0,23.218,0c.139-.141.271-.28.4-.42V34.7l.042.044v-.051l.023-.022a3.63,3.63,0,0,0,2.236-.966A3.547,3.547,0,0,0,38.121,28.7Z" fill="#3b1c34"/>
<path d="M14.683,17.157a13.4,13.4,0,0,1,1.155-1.39,11.087,11.087,0,0,1,7.818-3.223,10.925,10.925,0,0,1,7.776,3.215c.1.1.192.212.289.318a3.635,3.635,0,0,0,.994,2.19A3.543,3.543,0,1,0,37.8,13.328a3.631,3.631,0,0,0-2.173-1.06l-.022.021c-.116-.12-.233-.24-.348-.339a16.378,16.378,0,0,0-23.221-.007,15.782,15.782,0,0,0-2.751,3.635l-1.2,2.214h6.151Z" fill="#3b1c34"/>
</g>
<path d="M18.656,20.475a2.978,2.978,0,0,0-2.125.864H5.15a2.973,2.973,0,0,0-2.123-.864,3.06,3.06,0,1,0,2.107,5.289H16.55a3.078,3.078,0,0,0,2.106.83,3.06,3.06,0,0,0,0-6.119Z" fill="#5dcfca"/>
</g>
</svg>
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 1.1 KiB

529
Sample Data/Custom/BSMmacOS_CL.json Normal file
Просмотреть файл

@ -0,0 +1,529 @@
[
{
"TokenVersion": "11",
"EventType": "AUE_auth_user",
"EventName": "user authentication",
"EventModifier": "",
"EventTime": "2021-01-06 21:20:50",
"SubjectAuditID": "ruser",
"SubjectUID": "ruser",
"SubjectGID": "staff",
"SubjectRealUID": "root",
"SubjectRealGID": "staff",
"SubjectPID": "159",
"SubjectSID": "100006",
"SubjectTerminal": "",
"SubjectTerminal.Port": "0:316",
"SubjectTerminal.Host": "0.0.0.0",
"Text": "Verify password for record type Users 'ruser' node '/Local/Default'",
"ReturnErrno": "success",
"ReturnRetval": "0",
"Identity": "",
"Identity.SignerType": "1",
"Identity.SignerId": "com.apple.opendirectoryd",
"Identity.SignerIdTruncated": "0",
"Identity.TeamId": "",
"Identity.TeamIdTruncated": "0",
"Identity.CDHash": "0x4ab4c898fd4a994fd267ed1edeb21b9c9b5cb70f",
"TrailerCount": "198",
"EventReceivedTime": "2021-01-06T21:20:50.761144-08:00",
"SourceModuleName": "BSMmacOS",
"SourceModuleType": "im_bsm"
},
{
"TokenVersion": "11",
"EventType": "AUE_ssauthorize",
"EventName": "SecSrvr AuthEngine",
"EventModifier": "",
"EventTime": "2021-01-06 21:23:33",
"SubjectAuditID": "4294967295",
"SubjectUID": "root",
"SubjectGID": "wheel",
"SubjectRealUID": "root",
"SubjectRealGID": "wheel",
"SubjectPID": "159",
"SubjectSID": "100006",
"SubjectTerminal": "",
"SubjectTerminal.Port": "0:316",
"SubjectTerminal.Host": "0.0.0.0",
"Text": "begin evaluation",
"ReturnErrno": "success",
"ReturnRetval": "0",
"Identity": "",
"Identity.SignerType": "1",
"Identity.SignerId": "com.apple.authd",
"Identity.SignerIdTruncated": "0",
"Identity.TeamId": "",
"Identity.TeamIdTruncated": "0",
"Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c",
"TrailerCount": "138",
"EventReceivedTime": "2021-01-06T21:23:33.308356-08:00",
"SourceModuleName": "BSMmacOS",
"SourceModuleType": "im_bsm"
},
{
"TokenVersion": "11",
"EventType": "AUE_ssauthorize",
"EventName": "SecSrvr AuthEngine",
"EventModifier": "",
"EventTime": "2021-01-06 21:23:33",
"SubjectAuditID": "4294967295",
"SubjectUID": "root",
"SubjectGID": "wheel",
"SubjectRealUID": "root",
"SubjectRealGID": "wheel",
"SubjectPID": "159",
"SubjectSID": "100006",
"SubjectTerminal": "",
"SubjectTerminal.Port": "0:316",
"SubjectTerminal.Host": "0.0.0.0",
"Text": "system.login.fus",
"ReturnErrno": "success",
"ReturnRetval": "0",
"Identity": "",
"Identity.SignerType": "1",
"Identity.SignerId": "com.apple.authd",
"Identity.SignerIdTruncated": "0",
"Identity.TeamId": "",
"Identity.TeamIdTruncated": "0",
"Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c",
"TrailerCount": "158",
"EventReceivedTime": "2021-01-06T21:23:33.309622-08:00",
"SourceModuleName": "BSMmacOS",
"SourceModuleType": "im_bsm"
},
{
"TokenVersion": "11",
"EventType": "AUE_ssauthmech",
"EventName": "SecSrvr AuthMechanism",
"EventModifier": "",
"EventTime": "2021-01-06 21:23:33",
"SubjectAuditID": "4294967295",
"SubjectUID": "root",
"SubjectGID": "wheel",
"SubjectRealUID": "root",
"SubjectRealGID": "wheel",
"SubjectPID": "159",
"SubjectSID": "100006",
"SubjectTerminal": "",
"SubjectTerminal.Port": "0:316",
"SubjectTerminal.Host": "0.0.0.0",
"Text": "mechanism builtin:smartcard-sniffer,privileged",
"ReturnErrno": "success",
"ReturnRetval": "0",
"Identity": "",
"Identity.SignerType": "1",
"Identity.SignerId": "com.apple.authd",
"Identity.SignerIdTruncated": "0",
"Identity.TeamId": "",
"Identity.TeamIdTruncated": "0",
"Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c",
"TrailerCount": "188",
"EventReceivedTime": "2021-01-06T21:23:33.337214-08:00",
"SourceModuleName": "BSMmacOS",
"SourceModuleType": "im_bsm"
},
{
"TokenVersion": "11",
"EventType": "AUE_ssauthmech",
"EventName": "SecSrvr AuthMechanism",
"EventModifier": "",
"EventTime": "2021-01-06 21:23:38",
"SubjectAuditID": "4294967295",
"SubjectUID": "root",
"SubjectGID": "wheel",
"SubjectRealUID": "root",
"SubjectRealGID": "wheel",
"SubjectPID": "159",
"SubjectSID": "100006",
"SubjectTerminal": "",
"SubjectTerminal.Port": "0:316",
"SubjectTerminal.Host": "0.0.0.0",
"Text": "mechanism loginwindow:login",
"ReturnErrno": "success",
"ReturnRetval": "0",
"Identity": "",
"Identity.SignerType": "1",
"Identity.SignerId": "com.apple.authd",
"Identity.SignerIdTruncated": "0",
"Identity.TeamId": "",
"Identity.TeamIdTruncated": "0",
"Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c",
"TrailerCount": "169",
"EventReceivedTime": "2021-01-06T21:23:38.641095-08:00",
"SourceModuleName": "BSMmacOS",
"SourceModuleType": "im_bsm"
},
{
"TokenVersion": "11",
"EventType": "AUE_ssauthmech",
"EventName": "SecSrvr AuthMechanism",
"EventModifier": "",
"EventTime": "2021-01-06 21:23:38",
"SubjectAuditID": "4294967295",
"SubjectUID": "root",
"SubjectGID": "wheel",
"SubjectRealUID": "root",
"SubjectRealGID": "wheel",
"SubjectPID": "159",
"SubjectSID": "100006",
"SubjectTerminal": "",
"SubjectTerminal.Port": "0:316",
"SubjectTerminal.Host": "0.0.0.0",
"Text": "mechanism builtin:reset-password,privileged",
"ReturnErrno": "success",
"ReturnRetval": "0",
"Identity": "",
"Identity.SignerType": "1",
"Identity.SignerId": "com.apple.authd",
"Identity.SignerIdTruncated": "0",
"Identity.TeamId": "",
"Identity.TeamIdTruncated": "0",
"Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c",
"TrailerCount": "185",
"EventReceivedTime": "2021-01-06T21:23:38.646485-08:00",
"SourceModuleName": "BSMmacOS",
"SourceModuleType": "im_bsm"
},
{
"TokenVersion": "11",
"EventType": "AUE_ssauthmech",
"EventName": "SecSrvr AuthMechanism",
"EventModifier": "",
"EventTime": "2021-01-06 21:23:38",
"SubjectAuditID": "4294967295",
"SubjectUID": "root",
"SubjectGID": "wheel",
"SubjectRealUID": "root",
"SubjectRealGID": "wheel",
"SubjectPID": "159",
"SubjectSID": "100006",
"SubjectTerminal": "",
"SubjectTerminal.Port": "0:316",
"SubjectTerminal.Host": "0.0.0.0",
"Text": "mechanism builtin:authenticate-nocred,privileged",
"ReturnErrno": "success",
"ReturnRetval": "0",
"Identity": "",
"Identity.SignerType": "1",
"Identity.SignerId": "com.apple.authd",
"Identity.SignerIdTruncated": "0",
"Identity.TeamId": "",
"Identity.TeamIdTruncated": "0",
"Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c",
"TrailerCount": "190",
"EventReceivedTime": "2021-01-06T21:23:38.892300-08:00",
"SourceModuleName": "BSMmacOS",
"SourceModuleType": "im_bsm"
},
{
"TokenVersion": "11",
"EventType": "AUE_ssauthmech",
"EventName": "SecSrvr AuthMechanism",
"EventModifier": "",
"EventTime": "2021-01-06 21:23:39",
"SubjectAuditID": "4294967295",
"SubjectUID": "root",
"SubjectGID": "wheel",
"SubjectRealUID": "root",
"SubjectRealGID": "wheel",
"SubjectPID": "159",
"SubjectSID": "100006",
"SubjectTerminal": "",
"SubjectTerminal.Port": "0:316",
"SubjectTerminal.Host": "0.0.0.0",
"Text": "mechanism loginwindow:success",
"ReturnErrno": "success",
"ReturnRetval": "0",
"Identity": "",
"Identity.SignerType": "1",
"Identity.SignerId": "com.apple.authd",
"Identity.SignerIdTruncated": "0",
"Identity.TeamId": "",
"Identity.TeamIdTruncated": "0",
"Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c",
"TrailerCount": "171",
"EventReceivedTime": "2021-01-06T21:23:39.093626-08:00",
"SourceModuleName": "BSMmacOS",
"SourceModuleType": "im_bsm"
},
{
"TokenVersion": "11",
"EventType": "AUE_ssauthorize",
"EventName": "SecSrvr AuthEngine",
"EventModifier": "",
"EventTime": "2021-01-06 21:23:39",
"SubjectAuditID": "4294967295",
"SubjectUID": "root",
"SubjectGID": "wheel",
"SubjectRealUID": "root",
"SubjectRealGID": "wheel",
"SubjectPID": "159",
"SubjectSID": "100006",
"SubjectTerminal": "",
"SubjectTerminal.Port": "0:316",
"SubjectTerminal.Host": "0.0.0.0",
"Text": "creator /System/Library/CoreServices/loginwindow.app",
"ReturnErrno": "success",
"ReturnRetval": "0",
"Identity": "",
"Identity.SignerType": "1",
"Identity.SignerId": "com.apple.authd",
"Identity.SignerIdTruncated": "0",
"Identity.TeamId": "",
"Identity.TeamIdTruncated": "0",
"Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c",
"TrailerCount": "249",
"EventReceivedTime": "2021-01-06T21:23:39.287141-08:00",
"SourceModuleName": "BSMmacOS",
"SourceModuleType": "im_bsm"
},
{
"TokenVersion": "11",
"EventType": "AUE_ssauthorize",
"EventName": "SecSrvr AuthEngine",
"EventModifier": "",
"EventTime": "2021-01-06 21:23:39",
"SubjectAuditID": "4294967295",
"SubjectUID": "root",
"SubjectGID": "wheel",
"SubjectRealUID": "root",
"SubjectRealGID": "wheel",
"SubjectPID": "159",
"SubjectSID": "100006",
"SubjectTerminal": "",
"SubjectTerminal.Port": "0:316",
"SubjectTerminal.Host": "0.0.0.0",
"Text": "end evaluation",
"ReturnErrno": "success",
"ReturnRetval": "0",
"Identity": "",
"Identity.SignerType": "1",
"Identity.SignerId": "com.apple.authd",
"Identity.SignerIdTruncated": "0",
"Identity.TeamId": "",
"Identity.TeamIdTruncated": "0",
"Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c",
"TrailerCount": "136",
"EventReceivedTime": "2021-01-06T21:23:39.290938-08:00",
"SourceModuleName": "BSMmacOS",
"SourceModuleType": "im_bsm"
},
{
"TokenVersion": "11",
"EventType": "AUE_ssauthorize",
"EventName": "SecSrvr AuthEngine",
"EventModifier": "",
"EventTime": "2021-01-06 21:23:39",
"SubjectAuditID": "4294967295",
"SubjectUID": "root",
"SubjectGID": "wheel",
"SubjectRealUID": "root",
"SubjectRealGID": "wheel",
"SubjectPID": "1031",
"SubjectSID": "100061",
"SubjectTerminal": "",
"SubjectTerminal.Port": "0:2693",
"SubjectTerminal.Host": "0.0.0.0",
"Text": "begin evaluation",
"ReturnErrno": "success",
"ReturnRetval": "0",
"Identity": "",
"Identity.SignerType": "1",
"Identity.SignerId": "com.apple.authd",
"Identity.SignerIdTruncated": "0",
"Identity.TeamId": "",
"Identity.TeamIdTruncated": "0",
"Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c",
"TrailerCount": "138",
"EventReceivedTime": "2021-01-06T21:23:39.702351-08:00",
"SourceModuleName": "BSMmacOS",
"SourceModuleType": "im_bsm"
},
{
"TokenVersion": "11",
"EventType": "AUE_ssauthmech",
"EventName": "SecSrvr AuthMechanism",
"EventModifier": "",
"EventTime": "2021-01-06 21:23:40",
"SubjectAuditID": "4294967295",
"SubjectUID": "root",
"SubjectGID": "wheel",
"SubjectRealUID": "root",
"SubjectRealGID": "wheel",
"SubjectPID": "1031",
"SubjectSID": "100061",
"SubjectTerminal": "",
"SubjectTerminal.Port": "0:2693",
"SubjectTerminal.Host": "0.0.0.0",
"Text": "mechanism loginwindow:FDESupport,privileged",
"ReturnErrno": "success",
"ReturnRetval": "0",
"Identity": "",
"Identity.SignerType": "1",
"Identity.SignerId": "com.apple.authd",
"Identity.SignerIdTruncated": "0",
"Identity.TeamId": "",
"Identity.TeamIdTruncated": "0",
"Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c",
"TrailerCount": "189",
"EventReceivedTime": "2021-01-06T21:23:40.520165-08:00",
"SourceModuleName": "BSMmacOS",
"SourceModuleType": "im_bsm"
},
{
"TokenVersion": "11",
"EventType": "AUE_ssauthmech",
"EventName": "SecSrvr AuthMechanism",
"EventModifier": "",
"EventTime": "2021-01-06 21:23:40",
"SubjectAuditID": "4294967295",
"SubjectUID": "root",
"SubjectGID": "wheel",
"SubjectRealUID": "root",
"SubjectRealGID": "wheel",
"SubjectPID": "1031",
"SubjectSID": "100061",
"SubjectTerminal": "",
"SubjectTerminal.Port": "0:2693",
"SubjectTerminal.Host": "0.0.0.0",
"Text": "mechanism builtin:forward-login,privileged",
"ReturnErrno": "success",
"ReturnRetval": "0",
"Identity": "",
"Identity.SignerType": "1",
"Identity.SignerId": "com.apple.authd",
"Identity.SignerIdTruncated": "0",
"Identity.TeamId": "",
"Identity.TeamIdTruncated": "0",
"Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c",
"TrailerCount": "188",
"EventReceivedTime": "2021-01-06T21:23:40.526217-08:00",
"SourceModuleName": "BSMmacOS",
"SourceModuleType": "im_bsm"
},
{
"TokenVersion": "11",
"EventType": "AUE_ssauthmech",
"EventName": "SecSrvr AuthMechanism",
"EventModifier": "",
"EventTime": "2021-01-06 21:23:40",
"SubjectAuditID": "4294967295",
"SubjectUID": "root",
"SubjectGID": "wheel",
"SubjectRealUID": "root",
"SubjectRealGID": "wheel",
"SubjectPID": "1031",
"SubjectSID": "100061",
"SubjectTerminal": "",
"SubjectTerminal.Port": "0:2693",
"SubjectTerminal.Host": "0.0.0.0",
"Text": "mechanism PKINITMechanism:auth,privileged",
"ReturnErrno": "success",
"ReturnRetval": "0",
"Identity": "",
"Identity.SignerType": "1",
"Identity.SignerId": "com.apple.authd",
"Identity.SignerIdTruncated": "0",
"Identity.TeamId": "",
"Identity.TeamIdTruncated": "0",
"Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c",
"TrailerCount": "187",
"EventReceivedTime": "2021-01-06T21:23:40.875058-08:00",
"SourceModuleName": "BSMmacOS",
"SourceModuleType": "im_bsm"
},
{
"TokenVersion": "11",
"EventType": "AUE_ssauthmech",
"EventName": "SecSrvr AuthMechanism",
"EventModifier": "",
"EventTime": "2021-01-06 21:23:41",
"SubjectAuditID": "4294967295",
"SubjectUID": "root",
"SubjectGID": "wheel",
"SubjectRealUID": "root",
"SubjectRealGID": "wheel",
"SubjectPID": "1031",
"SubjectSID": "100061",
"SubjectTerminal": "",
"SubjectTerminal.Port": "0:2693",
"SubjectTerminal.Host": "0.0.0.0",
"Text": "mechanism HomeDirMechanism:login,privileged",
"ReturnErrno": "success",
"ReturnRetval": "0",
"Identity": "",
"Identity.SignerType": "1",
"Identity.SignerId": "com.apple.authd",
"Identity.SignerIdTruncated": "0",
"Identity.TeamId": "",
"Identity.TeamIdTruncated": "0",
"Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c",
"TrailerCount": "189",
"EventReceivedTime": "2021-01-06T21:23:41.105265-08:00",
"SourceModuleName": "BSMmacOS",
"SourceModuleType": "im_bsm"
},
{
"TokenVersion": "11",
"EventType": "AUE_ssauthmech",
"EventName": "SecSrvr AuthMechanism",
"EventModifier": "",
"EventTime": "2021-01-06 21:23:41",
"SubjectAuditID": "4294967295",
"SubjectUID": "root",
"SubjectGID": "wheel",
"SubjectRealUID": "root",
"SubjectRealGID": "wheel",
"SubjectPID": "1031",
"SubjectSID": "100061",
"SubjectTerminal": "",
"SubjectTerminal.Port": "0:2693",
"SubjectTerminal.Host": "0.0.0.0",
"Text": "mechanism CryptoTokenKit:login",
"ReturnErrno": "success",
"ReturnRetval": "0",
"Identity": "",
"Identity.SignerType": "1",
"Identity.SignerId": "com.apple.authd",
"Identity.SignerIdTruncated": "0",
"Identity.TeamId": "",
"Identity.TeamIdTruncated": "0",
"Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c",
"TrailerCount": "176",
"EventReceivedTime": "2021-01-06T21:23:41.467223-08:00",
"SourceModuleName": "BSMmacOS",
"SourceModuleType": "im_bsm"
},
{
"TokenVersion": "11",
"EventType": "AUE_ssauthorize",
"EventName": "SecSrvr AuthEngine",
"EventModifier": "",
"EventTime": "2021-01-06 21:23:43",
"SubjectAuditID": "ruser2",
"SubjectUID": "ruser2",
"SubjectGID": "staff",
"SubjectRealUID": "ruser2",
"SubjectRealGID": "staff",
"SubjectPID": "1045",
"SubjectSID": "100061",
"SubjectTerminal": "",
"SubjectTerminal.Port": "0:2740",
"SubjectTerminal.Host": "0.0.0.0",
"Text": "system.services.systemconfiguration.network",
"ReturnErrno": "success",
"ReturnRetval": "0",
"Identity": "",
"Identity.SignerType": "1",
"Identity.SignerId": "com.apple.authd",
"Identity.SignerIdTruncated": "0",
"Identity.TeamId": "",
"Identity.TeamIdTruncated": "0",
"Identity.CDHash": "0x9120b9dcb969ee1e8fbdb63bd428e263111e9e9c",
"TrailerCount": "212",
"EventReceivedTime": "2021-01-06T21:23:43.509730-08:00",
"SourceModuleName": "BSMmacOS",
"SourceModuleType": "im_bsm"
}
]

232
Sample Data/Custom/CyberpionActionItems_CL.json Normal file
Просмотреть файл

@ -0,0 +1,232 @@
[
{
"TenantId": "93fc153b-9eb9-4c04-9e00-b9bbdcb4ae32",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-12-10T15:37:45.959Z",
"Computer": "",
"RawData": "",
"id_s": "36028",
"host_s": "sd7.domain-78.com",
"Category": "DNS",
"title_s": "Fix DNS issue: The domain is resolved to reserved IP.",
"urgency_d": 8,
"is_open_b": true,
"impact_s": "The use of reserved IPs might expose private information and open opportunities for hackers.",
"summary_s": "The domain sd7.domain-78.com is resolved to reserved IP Address",
"solution_s": "Avoid using reserved IPs in public DNS records.",
"description_s": "DNS is the basis for every online communication, misconfiguration issues might expose the organization to critical security risks.\nReserved IPs, are IP addresses that were defined for specific purpose (e.g., localhost, private networks, broadcast) and cannot be used as a public IPs.the ip addresses of the domain are reserved. xx.xx.xx.xx is reserved ip of type \"loopback (local) addresses\"; Having ips of this type in a public DNS record might expose users of this domain to attacks (e.g., information leakage to programs that runs on the same machine). ",
"technical_details_s": "{}",
"opening_datetime_t": "2020-12-10T15:26:45.49Z",
"Type": "CyberpionActionItems_CL",
"_ResourceId": ""
},
{
"TenantId": "93fc153b-9eb9-4c04-9e00-b9bbdcb4ae32",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-12-10T15:37:45.959Z",
"Computer": "",
"RawData": "",
"id_s": "35985",
"host_s": "sd2.domain-14.com",
"Category": "Cloud",
"title_s": "Fix Cloud issue: Azure Cloud Service without ip",
"urgency_d": 5,
"is_open_b": true,
"impact_s": "1) The cloud instance does not work properly. Relying on inactive cloud instances is dangerous, as inactive cloud instances might not properly maintained and might be taken-over or abused by hackers.\n2) The error message that is returned due to the cloud misconfiguration, is publicly indicating on misconfiguration and lack of maintenance.\n3) The current state of the cloud might indicate that it is already controlled by hackers, or could be controlled by them.",
"summary_s": "The domain sd2.domain-14.com Azure Cloud Service (Cloudapp) instance points at 0.0.0.0 IP address.",
"solution_s": "Fix cloudapp configurations if you control it, else remove the cname record from the domain to cloudapp.",
"description_s": "The domain operates over Azure Cloud Service (Cloudapp) instance that has no IP address (might indicate on misconfiguration and possibility to take over the Cloudapp instance).",
"technical_details_s": "{}",
"opening_datetime_t": "2020-12-10T15:26:45.302Z",
"Type": "CyberpionActionItems_CL",
"_ResourceId": ""
},
{
"TenantId": "93fc153b-9eb9-4c04-9e00-b9bbdcb4ae32",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-12-10T15:37:45.959Z",
"Computer": "",
"RawData": "",
"id_s": "35976",
"host_s": "sd2.domain-589.com",
"Category": "Vulnerabilities",
"title_s": "Dangerous script inclusion (Magecart)",
"urgency_d": 9,
"is_open_b": true,
"impact_s": "",
"summary_s": " The domain sd2.domain-589.com loads script files from sd1.ext-domain-1451.com that is a cloud instance that can be taken over",
"solution_s": "Discard the dangerous connection: do not load resources from insecure domains.",
"description_s": "Websites can load scripts from other domains, and those scripts run under the origin of the loading website. Attacker who either compromises the website/server from which the script is loaded or somehow succeeds to control the loaded script, can also run script in the context (under the origin of) every website who loads this script. For the website that loads the malicious script, the effect of such an attack is the same as cross-site scripting. Hence, it is very important to make sure that scripts are loaded only from well-secured websites.\nThe domain sd1.ext-domain-1451.com operates over cloud instance that can be taken over.",
"technical_details_s": "[\"Loading page url: https://sd2.domain-589.com/agegate?destination=/&token=0.050275731580862404\", \"Resource url: https://sd1.ext-domain-1451.com/onetrust/webcore-ot-sdk.min.js\", \"Request redirection chain: -\"]",
"opening_datetime_t": "2020-12-10T15:26:45.265Z",
"Type": "CyberpionActionItems_CL",
"_ResourceId": ""
},
{
"TenantId": "93fc153b-9eb9-4c04-9e00-b9bbdcb4ae32",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-12-10T15:37:45.959Z",
"Computer": "",
"RawData": "",
"id_s": "35860",
"host_s": "sd3.domain-159.com",
"Category": "Vulnerabilities",
"title_s": "Domain takeover due to bad Heroku configuration",
"urgency_d": 10,
"is_open_b": true,
"impact_s": "",
"summary_s": " Attacker can take over domain sd3.domain-159.com due to bad Heroku configuration (domain takeover).",
"solution_s": "Either make sure that there is a mapping from your domain to your Heroku application, or remove the DNS records that point the domain to Heroku.",
"description_s": "Heroku is a cloud platform that lets companies build, deliver, monitor and scale applications. Heroku holds a map from host values to the application instance, and responds accordingly. While the DNS records of the domain sd3.domain-159.com point at Heroku, no mapping is configured between the domain and the application. Hence, it is possible for any Heroku user to create such a mapping and to hijack the domain. \nAttacker who takes over this domain can: (1) Run script in the scope of this domain (persistent XSS), (2) Access web requests that are sent to this domain, (3) Bypass security mechanisms that verify that the request was sent from some subdomain (e.g., CSP, CORS, blocking CSRF by referer/origin validation), (4) Access cookies that are shared between subdomains (e.g., *.domain.com), (5) Conduct phishing attacks from domain of the organization, (6) Perform any other malicious activity under this subdomain and hurt the reputation of organization, (7) Cause public embarrassment (e.g., \"Hacked by ISIS\").",
"technical_details_s": "[\"A records: xx.xx.xx.xx, yy.yy.yy.yy, zz.zz.zz.zz\", \"CNAME chain (if any): sd3.domain-159.com->sd1.ext-domain-964.com->sd2.ext-domain-964.com\"]",
"opening_datetime_t": "2020-12-10T15:26:44.782Z",
"Type": "CyberpionActionItems_CL",
"_ResourceId": ""
},
{
"TenantId": "93fc153b-9eb9-4c04-9e00-b9bbdcb4ae32",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-12-10T15:37:45.964Z",
"Computer": "",
"RawData": "",
"id_s": "35859",
"host_s": "sd619.domain-2.com",
"Category": "Vulnerabilities",
"title_s": "Login only over HTTP (credentials are sent in plaintext)",
"urgency_d": 7,
"is_open_b": true,
"impact_s": "",
"summary_s": " Login page can be loaded only over HTTP",
"solution_s": "Load login pages only over HTTPS. Consider using HTTP Strict-Transport-Security (HSTS).",
"description_s": "The login page in url http://sd619.domain-2.com/#/login can be loaded only using HTTP, while login pages should be loaded only using HTTPS. Pages that are delivered over HTTP are vulnerable to network level, off-path, injection attacks. Such attacks are easy to launch over Wi-Fi networks. By abusing advanced browser features (e.g., application cache), attacker can control the page even in future sessions with the vulnerable website in the same browser (persistency).",
"technical_details_s": "[\"Vulnerable url: http://sd619.domain-2.com/#/login\"]",
"opening_datetime_t": "2020-12-10T15:26:44.777Z",
"Type": "CyberpionActionItems_CL",
"_ResourceId": ""
},
{
"TenantId": "93fc153b-9eb9-4c04-9e00-b9bbdcb4ae32",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-12-10T15:37:45.964Z",
"Computer": "",
"RawData": "",
"id_s": "35683",
"host_s": "domain-640.com",
"Category": "Vulnerabilities",
"title_s": "Vulnerable application: Apache version 2.4.43",
"urgency_d": 4.9,
"is_open_b": true,
"impact_s": "",
"summary_s": " domain-640.com uses vulnerable software. Apache version 2.4.43 has 3 known vulnerabilities.",
"solution_s": "Upgrade/replace the vulnerable software",
"description_s": "The domain uses application that suffers from several known vulnerabilities: CVE-2020-11984 (CVSS 9.8), CVE-2020-9490 (CVSS 7.5), CVE-2020-11993 (CVSS 7.5)",
"technical_details_s": "[\"Detected on url: http://domain-640.com/\"]",
"opening_datetime_t": "2020-12-10T15:26:44.056Z",
"Type": "CyberpionActionItems_CL",
"_ResourceId": ""
},
{
"TenantId": "93fc153b-9eb9-4c04-9e00-b9bbdcb4ae32",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-12-10T15:37:45.969Z",
"Computer": "",
"RawData": "",
"id_s": "35872",
"host_s": "sd2.domain-98.com",
"Category": "Vulnerabilities",
"title_s": "Login over HTTP is possible",
"urgency_d": 4,
"is_open_b": true,
"impact_s": "",
"summary_s": " Login page can be loaded over HTTP",
"solution_s": "Load login pages only over HTTPS. Consider using HTTP Strict-Transport-Security (HSTS).",
"description_s": "The login page in url http://sd2.domain-98.com/media/ can be loaded using HTTP, while login pages should be loaded only using HTTPS. Pages that are delivered over HTTP are vulnerable to network level, off-path, injection attacks. Such attacks are easy to launch over Wi-Fi networks. By abusing advanced browser features (e.g., application cache), attacker can control the page even in future sessions with the vulnerable website in the same browser (persistency).",
"technical_details_s": "[\"Vulnerable url: http://sd2.domain-98.com/media/\"]",
"opening_datetime_t": "2020-12-10T15:26:44.83Z",
"Type": "CyberpionActionItems_CL",
"_ResourceId": ""
},
{
"TenantId": "93fc153b-9eb9-4c04-9e00-b9bbdcb4ae32",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-12-10T15:37:45.969Z",
"Computer": "",
"RawData": "",
"id_s": "35044",
"host_s": "sd5.domain-375.com",
"Category": "PKI",
"title_s": "Fix PKI issue: Certificate will expire within 7 days",
"urgency_d": 8,
"is_open_b": true,
"impact_s": "1) Establishing secure HTTPS connection with the host will not be possible.\n2) Access to the host over secure channel (HTTPS) using common clients (e.g., browsers) will be blocked, and security warning will be presented to the users.",
"summary_s": "The domain sd5.domain-375.com uses certificate that will expire within a week",
"solution_s": "Issue a new certificate for the domain",
"description_s": "Certificates are used to authenticate the identities in online communications. Certificate must be both valid (format, cryptographic schemes, etc.) and issued by a trusted certificate authority (CA). The certificate of the domain is about to become invalid, because the certificate will be expired within 7 days.",
"technical_details_s": "{\"Expiration date\": \"2020-11-23\"}",
"opening_datetime_t": "2020-12-10T15:26:41.591Z",
"Type": "CyberpionActionItems_CL",
"_ResourceId": ""
},
{
"TenantId": "93fc153b-9eb9-4c04-9e00-b9bbdcb4ae32",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-12-10T15:37:45.969Z",
"Computer": "",
"RawData": "",
"id_s": "35043",
"host_s": "sd483.domain-2.com",
"Category": "PKI",
"title_s": "Fix PKI issue: Certificate will expire within 30 days",
"urgency_d": 7,
"is_open_b": true,
"impact_s": "1) Establishing secure HTTPS connection with the host will not be possible.\n2) Access to the host over secure channel (HTTPS) using common clients (e.g., browsers) will be blocked, and security warning will be presented to the users.",
"summary_s": "The domain sd483.domain-2.com uses certificate that will expire within a month",
"solution_s": "Issue a new certificate for the domain",
"description_s": "Certificates are used to authenticate the identities in online communications. Certificate must be both valid (format, cryptographic schemes, etc.) and issued by a trusted certificate authority (CA). The certificate of the domain is about to become invalid, because the certificate will be expired within 30 days.",
"technical_details_s": "{\"Expiration date\": \"2020-12-08\"}",
"opening_datetime_t": "2020-12-10T15:26:41.587Z",
"Type": "CyberpionActionItems_CL",
"_ResourceId": ""
},
{
"TenantId": "93fc153b-9eb9-4c04-9e00-b9bbdcb4ae32",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-12-10T15:37:45.969Z",
"Computer": "",
"RawData": "",
"id_s": "35627",
"host_s": "sd1.domain-675.com",
"Category": "Vulnerabilities",
"title_s": "Vulnerable application: PHP version 5.2.17",
"urgency_d": 5,
"is_open_b": true,
"impact_s": "",
"summary_s": " sd1.domain-675.com uses vulnerable software. PHP version 5.2.17 has 45 known vulnerabilities.",
"solution_s": "Upgrade/replace the vulnerable software",
"description_s": "The domain uses application that suffers from several known vulnerabilities: CVE-2012-2311 (CVSS 7.5), CVE-2010-3870 (CVSS 6.8), CVE-2012-1171 (CVSS 5.0), CVE-2014-9427 (CVSS 7.5), CVE-2018-19396 (CVSS 7.5), CVE-2014-5459 (CVSS 3.6), CVE-2010-4657 (CVSS 5.0), CVE-2012-2376 (CVSS 10.0), CVE-2012-0789 (CVSS 5.0), CVE-2012-2143 (CVSS 4.3), CVE-2018-19395 (CVSS 7.5), CVE-2012-2336 (CVSS 5.0), CVE-2012-0788 (CVSS 5.0), CVE-2015-8994 (CVSS 7.5), CVE-2011-4885 (CVSS 5.0), CVE-2014-0237 (CVSS 5.0), CVE-2018-19520 (CVSS 8.8), CVE-2013-2110 (CVSS 5.0), CVE-2011-0421 (CVSS 4.3), CVE-2013-1643 (CVSS 5.0), CVE-2013-1635 (CVSS 7.5), CVE-2011-1092 (CVSS 7.5), CVE-2011-1467 (CVSS 5.0), CVE-2011-1464 (CVSS 4.3), CVE-2011-1466 (CVSS 5.0), CVE-2012-0057 (CVSS 6.4), CVE-2018-19935 (CVSS 7.5), CVE-2011-1468 (CVSS 4.3), CVE-2012-2688 (CVSS 10.0), CVE-2011-0708 (CVSS 4.3), CVE-2013-4635 (CVSS 5.0), CVE-2012-3365 (CVSS 5.0), CVE-2011-4718 (CVSS 6.8), CVE-2011-1470 (CVSS 4.3), CVE-2011-1469 (CVSS 4.3), CVE-2012-1823 (CVSS 7.5), CVE-2013-4248 (CVSS 4.3), CVE-2012-1172 (CVSS 5.8), CVE-2012-2386 (CVSS 7.5), CVE-2014-0238 (CVSS 5.0), CVE-2010-4699 (CVSS 5.0), CVE-2011-0755 (CVSS 5.0), CVE-2016-7478 (CVSS 7.5), CVE-2006-7243 (CVSS 5.0), CVE-2014-2497 (CVSS 4.3)",
"technical_details_s": "[\"Detected on url: http://sd1.domain-675.com/\"]",
"opening_datetime_t": "2020-12-10T15:26:43.835Z",
"Type": "CyberpionActionItems_CL",
"_ResourceId": ""
}
]

187
Workbooks/CyberpionOverviewWorkbook.json Normal file
Просмотреть файл

@ -0,0 +1,187 @@
{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "## Cyberpion Action Items"
},
"name": "text - 2"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Current Open Action Items",
"expandable": true,
"expanded": true,
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let lookbackTime = 14d;\nlet bucketTimeSpan = 1h;\nlet maxTimeGeneratedBucket = toscalar(CyberpionActionItems_CL | where TimeGenerated > ago(lookbackTime)| summarize max(bin(TimeGenerated, bucketTimeSpan)));\nCyberpionActionItems_CL\n | where TimeGenerated > ago(lookbackTime) and is_open_b == true\n | extend TimeGeneratedBucket = bin(TimeGenerated, bucketTimeSpan)\n | where TimeGeneratedBucket == maxTimeGeneratedBucket\n | summarize count() by Category\n | render barchart\n\n",
"size": 0,
"title": "Action Items by Category",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "action-items-by-category"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let lookbackTime = 14d;\nlet bucketTimeSpan = 1h;\nlet maxTimeGeneratedBucket = toscalar(CyberpionActionItems_CL | where TimeGenerated > ago(lookbackTime)| summarize max(bin(TimeGenerated, bucketTimeSpan)));\nCyberpionActionItems_CL\n | where TimeGenerated > ago(lookbackTime) and is_open_b == true\n | extend TimeGeneratedBucket = bin(TimeGenerated, bucketTimeSpan)\n | where TimeGeneratedBucket == maxTimeGeneratedBucket\n | summarize count() by solution_s\n | render piechart",
"size": 0,
"title": "Most Common Solutions",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"customWidth": "50",
"name": "most-common-solution"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let lookbackTime = 14d;\nlet bucketTimeSpan = 1h;\nlet maxTimeGeneratedBucket = toscalar(CyberpionActionItems_CL | where TimeGenerated > ago(lookbackTime)| summarize max(bin(TimeGenerated, bucketTimeSpan)));\nCyberpionActionItems_CL\n | where TimeGenerated > ago(lookbackTime) and is_open_b == true\n | extend TimeGeneratedBucket = bin(TimeGenerated, bucketTimeSpan)\n | where TimeGeneratedBucket == maxTimeGeneratedBucket\n | extend Urgency = bin(urgency_d, 1)\n | summarize count() by Urgency\n | join kind=rightouter (range Urgency from 1.0 to 10.0 step 1) on Urgency\n | project Urgency = Urgency1, Count = iff(isnotempty(count_), count_, 0)\n | sort by Urgency asc\n | extend Urgency = tostring(Urgency)\n | render barchart\n\n",
"size": 0,
"title": "Action Items Count by Urgency",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "categoricalbar",
"chartSettings": {
"group": null,
"createOtherGroup": 0,
"xSettings": {
"numberFormatSettings": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true
}
}
},
"ySettings": {
"numberFormatSettings": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true
}
}
}
}
},
"customWidth": "50",
"name": "open-ai-urgency-bars"
}
]
},
"name": "current-ais"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Historical Info",
"expandable": true,
"expanded": true,
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "e8bb48b6-6706-48bd-b8a1-94de288bcb4c",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 604800000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
},
"timeContext": {
"durationMs": 86400000
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let lookbackTime = now(-{TimeRange:seconds}s);\nlet bucketTimeSpan = 1h;\nCyberpionActionItems_CL\n | where TimeGenerated > lookbackTime and is_open_b == true\n | project id_s, TimeGenerated\n | make-series count() default=long(null) on TimeGenerated from bin(lookbackTime, bucketTimeSpan) to now() step bucketTimeSpan\n | extend open_action_items=series_fill_forward(count_, long(null))\n | project TimeGenerated, open_action_items\n | mv-expand TimeGenerated to typeof(datetime), open_action_items to typeof(int)\n | where isnotnull(open_action_items)\n | render timechart",
"size": 0,
"aggregation": 5,
"title": "Open Action Items over time",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"sortBy": []
},
"name": "action-items-over-time"
}
]
},
"name": "historical-data"
}
],
"fallbackResourceIds": [
"/subscriptions/48187a35-8547-43d1-a317-9e1f22408abd/resourcegroups/sentineltest/providers/microsoft.operationalinsights/workspaces/s-test"
],
"fromTemplateId": "sentinel-CyberpionOverviewWorkbook",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}

9
Workbooks/Images/Logos/cyberpion_logo.svg Normal file
Просмотреть файл

@ -0,0 +1,9 @@
<svg xmlns="http://www.w3.org/2000/svg" width="40" height="40" viewBox="0 4 40 40">
<g>
<g>
<path d="M38.121,28.7a3.565,3.565,0,0,0-5.033-.147A3.627,3.627,0,0,0,32,30.7a7.4,7.4,0,0,1-.576.62,10.823,10.823,0,0,1-7.768,3.24,10.981,10.981,0,0,1-7.809-3.247,11.169,11.169,0,0,1-1.164-1.4l-.449-.635H8.083l1.2,2.214a16.739,16.739,0,0,0,2.75,3.669,16.46,16.46,0,0,0,23.218,0c.139-.141.271-.28.4-.42V34.7l.042.044v-.051l.023-.022a3.63,3.63,0,0,0,2.236-.966A3.547,3.547,0,0,0,38.121,28.7Z" fill="#3b1c34"/>
<path d="M14.683,17.157a13.4,13.4,0,0,1,1.155-1.39,11.087,11.087,0,0,1,7.818-3.223,10.925,10.925,0,0,1,7.776,3.215c.1.1.192.212.289.318a3.635,3.635,0,0,0,.994,2.19A3.543,3.543,0,1,0,37.8,13.328a3.631,3.631,0,0,0-2.173-1.06l-.022.021c-.116-.12-.233-.24-.348-.339a16.378,16.378,0,0,0-23.221-.007,15.782,15.782,0,0,0-2.751,3.635l-1.2,2.214h6.151Z" fill="#3b1c34"/>
</g>
<path d="M18.656,20.475a2.978,2.978,0,0,0-2.125.864H5.15a2.973,2.973,0,0,0-2.123-.864,3.06,3.06,0,1,0,2.107,5.289H16.55a3.078,3.078,0,0,0,2.106.83,3.06,3.06,0,0,0,0-6.119Z" fill="#5dcfca"/>
</g>
</svg>
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 1.1 KiB

Двоичные данные
Workbooks/Images/Preview/CyberpionActionItemsBlack.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 113 KiB

Двоичные данные
Workbooks/Images/Preview/CyberpionActionItemsWhite.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 97 KiB

184
Workbooks/SolarWindsPostCompromiseHunting.json
Просмотреть файл

Различия файлов скрыты, потому что одна или несколько строк слишком длинны

19
Workbooks/WorkbooksMetadata.json
Просмотреть файл

@ -298,7 +298,7 @@
"templateRelativePath": "AzDDoSStandardWorkbook.json",
"subtitle": "",
"provider": "Microsoft"
},
},
{
"workbookKey": "MicrosoftCloudAppSecurityWorkbook",
"logoFileName": "Microsoft_logo.svg",
@ -1137,7 +1137,7 @@
"previewImagesFileNames": [ "DarktraceSummaryWhite.png", "DarktraceSummaryBlack.png" ],
"version": "1.0",
"title": "Darktrace Model Breach Summary",
"templateRelativePath": "Darktrace.json",
"templateRelativePath": "Darktrace.json",
"subtitle": "",
"provider": "Darktrace"
},
@ -1154,6 +1154,19 @@
"subtitle": "",
"provider": "Trend Micro"
},
{
"workbookKey": "CyberpionOverviewWorkbook",
"logoFileName": "cyberpion_logo.svg",
"description": "Use Cyberpion's Security Logs and this workbook, to get an overview of your online assets, gain insights into their current state, and find ways to better secure your ecosystem.",
"dataTypesDependencies": [ "CyberpionActionItems" ],
"dataConnectorsDependencies": [ "CyberpionSecurityLogs" ],
"previewImagesFileNames": [ "CyberpionActionItemsBlack.png", "CyberpionActionItemsWhite.png" ],
"version": "1.0",
"title": "Cyberpion Overview",
"templateRelativePath": "CyberpionOverviewWorkbook.json",
"subtitle": "",
"provider": "Cyberpion"
},
{
"workbookKey": "SolarWindsPostCompromiseHuntingWorkbook",
"logoFileName": "MSTIC-Logo.svg",
@ -1161,7 +1174,7 @@
"dataTypesDependencies": [ "CommonSecurityLog", "SigninLogs", "AuditLogs", "AADServicePrincipalSignInLogs", "OfficeActivity", "BehaviorAnalytics", "SecurityEvent", "DeviceProcessEvents", "SecurityAlert", "DnsEvents"],
"dataConnectorsDependencies": [ "AzureActiveDirectory", "SecurityEvents", "Office365", "MicrosoftThreatProtection", "DNS"],
"previewImagesFileNames": [ "SolarWindsPostCompromiseHuntingWhite.png", "SolarWindsPostCompromiseHuntingBlack.png" ],
"version": "1.4",
"version": "1.5",
"title": "SolarWinds Post Compromise Hunting",
"templateRelativePath": "SolarWindsPostCompromiseHunting.json",
"subtitle": "",