Recorded Future solution package 1.0.1
This commit is contained in:
Родитель
3cf57b1705
Коммит
d77d27d619
|
@ -13,16 +13,16 @@
|
|||
"Playbooks": [
|
||||
"Playbooks/RecordedFuture-DOMAIN-C2_DNS_Name-IndicatorProcessor.json",
|
||||
"Playbooks/RecordedFuture-HASH-Observed_in_Underground_Virus_Test_Sites-IndicatorProcessor.json",
|
||||
"Playbooks/RecordedFuture-ImportToSentinel.json",
|
||||
"Playbooks/RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash.json",
|
||||
"Playbooks/RecordedFuture-IP-Actively_Comm_C2_Server-IndicatorProcessor.json",
|
||||
"Playbooks/RecordedFuture-ImportToSentinel.json",
|
||||
"Playbooks/RecordedFuture-URL-Recent_Rep_by_Insikt_Group-IndicatorProcessor.json"
|
||||
],
|
||||
"Workbooks": [
|
||||
"Workbooks/Recorded Future - C&C DNS Name to DNS Events - Correlation&Threat Hunting.json",
|
||||
"Workbooks/Recorded Future - Actively Communicating C&C IPs to DNS Events - Correlation&Threat Hunting.json"
|
||||
],
|
||||
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Recorded Future",
|
||||
"Version": "1.0.0",
|
||||
"BasePath": "C:\\GitHub\\azure\\Solutions\\Recorded Future",
|
||||
"Version": "1.0.1",
|
||||
"Metadata": "SolutionMetadata.json"
|
||||
}
|
||||
|
|
Двоичные данные
Solutions/Recorded Future/Package/1.0.1.zip
Двоичные данные
Solutions/Recorded Future/Package/1.0.1.zip
Двоичный файл не отображается.
|
@ -6,7 +6,7 @@
|
|||
"config": {
|
||||
"isWizard": false,
|
||||
"basics": {
|
||||
"description": "**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\n[Recorded Future](https://www.recordedfuture.com/) is the world<6C>s largest provider of intelligence for enterprise security. By combining persistent and pervasive automated data collection and analytics with human analysis, Recorded Future delivers intelligence that is timely, accurate, and actionable.\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Workbooks:** 2, **Analytic Rules:** 6, **Playbooks:** 6\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
|
||||
"description": "**Important:** _This Microsoft Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\n[Recorded Future](https://www.recordedfuture.com/) is the world<6C>s largest provider of intelligence for enterprise security. By combining persistent and pervasive automated data collection and analytics with human analysis, Recorded Future delivers intelligence that is timely, accurate, and actionable.\n\nMicrosoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Workbooks:** 2, **Analytic Rules:** 6, **Playbooks:** 6\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
|
||||
"subscription": {
|
||||
"resourceProviders": [
|
||||
"Microsoft.OperationsManagement/solutions",
|
||||
|
@ -44,7 +44,7 @@
|
|||
"placeholder": "Select a workspace",
|
||||
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
|
||||
"constraints": {
|
||||
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
|
||||
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
|
||||
"required": true
|
||||
},
|
||||
"visible": true
|
||||
|
@ -64,7 +64,7 @@
|
|||
"name": "workbooks-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This Azure Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Azure Sentinel and combine them into unified interactive experiences.",
|
||||
"text": "This Microsoft Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Microsoft Sentinel and combine them into unified interactive experiences.",
|
||||
"link": {
|
||||
"label": "Learn more",
|
||||
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
|
||||
|
@ -84,7 +84,7 @@
|
|||
"name": "workbook1-name",
|
||||
"type": "Microsoft.Common.TextBox",
|
||||
"label": "Display Name",
|
||||
"defaultValue": "Recorded Future - C&C DNS Name to DNS Events - Correlation&Threat Hunting",
|
||||
"defaultValue": "Recorded Future - C&C DNS Name to DNS Events - Correlation&Threat Hunting",
|
||||
"toolTip": "Display name for the workbook.",
|
||||
"constraints": {
|
||||
"required": true,
|
||||
|
@ -132,7 +132,7 @@
|
|||
"name": "analytics-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This Azure Sentinel Solution installs analytic rules for Recorded Future that you can enable for custom alert generation in Azure Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Azure Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.",
|
||||
"text": "This Microsoft Sentinel Solution installs analytic rules for Recorded Future that you can enable for custom alert generation in Microsoft Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Microsoft Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.",
|
||||
"link": {
|
||||
"label": "Learn more",
|
||||
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
|
||||
|
@ -238,7 +238,7 @@
|
|||
"name": "playbooks-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This solution installs playbook resources. A security playbook is a collection of procedures that can be run from Azure Sentinel in response to an alert. A security playbook can help automate and orchestrate your response, and can be run manually or set to run automatically when specific alerts are triggered. Security playbooks in Azure Sentinel are based on Azure Logic Apps, which means that you get all the power, customizability, and built-in templates of Logic Apps. Each playbook is created for the specific subscription you choose, but when you look at the Playbooks page, you will see all the playbooks across any selected subscriptions.",
|
||||
"text": "This solution installs playbook resources. A security playbook is a collection of procedures that can be run from Microsoft Sentinel in response to an alert. A security playbook can help automate and orchestrate your response, and can be run manually or set to run automatically when specific alerts are triggered. Security playbooks in Microsoft Sentinel are based on Azure Logic Apps, which means that you get all the power, customizability, and built-in templates of Logic Apps. Each playbook is created for the specific subscription you choose, but when you look at the Playbooks page, you will see all the playbooks across any selected subscriptions.",
|
||||
"link": {
|
||||
"label": "Learn more",
|
||||
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
|
||||
|
@ -248,7 +248,7 @@
|
|||
{
|
||||
"name": "playbook1",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "RecordedFuture-ImportToSentinel",
|
||||
"label": "RecordedFuture-DOMAIN-C2_DNS_Name-IndicatorProcessor",
|
||||
"elements": [
|
||||
{
|
||||
"name": "playbook1-text",
|
||||
|
@ -261,6 +261,18 @@
|
|||
"name": "playbook1-PlaybookName",
|
||||
"type": "Microsoft.Common.TextBox",
|
||||
"label": "Playbook Name",
|
||||
"defaultValue": "RecordedFuture-DOMAIN-C2_DNS_Name-IndicatorProcessor",
|
||||
"toolTip": "Resource name for the logic app playbook. No spaces are allowed",
|
||||
"constraints": {
|
||||
"required": true,
|
||||
"regex": "[a-z0-9A-Z]{1,256}$",
|
||||
"validationMessage": "Please enter a playbook resource name"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "playbook1-PlaybookNameBatching",
|
||||
"type": "Microsoft.Common.TextBox",
|
||||
"label": "Playbook Name",
|
||||
"defaultValue": "RecordedFuture-ImportToSentinel",
|
||||
"toolTip": "Resource name for the logic app playbook. No spaces are allowed",
|
||||
"constraints": {
|
||||
|
@ -274,7 +286,7 @@
|
|||
{
|
||||
"name": "playbook2",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "RecordedFuture-DOMAIN-C2_DNS_Name-IndicatorProcessor",
|
||||
"label": "RecordedFuture-HASH-Obs_in_Underground-IndicatorProcessor",
|
||||
"elements": [
|
||||
{
|
||||
"name": "playbook2-text",
|
||||
|
@ -287,7 +299,7 @@
|
|||
"name": "playbook2-PlaybookName",
|
||||
"type": "Microsoft.Common.TextBox",
|
||||
"label": "Playbook Name",
|
||||
"defaultValue": "RecordedFuture-DOMAIN-C2_DNS_Name-IndicatorProcessor",
|
||||
"defaultValue": "RecordedFuture-HASH-Obs_in_Underground-IndicatorProcessor",
|
||||
"toolTip": "Resource name for the logic app playbook. No spaces are allowed",
|
||||
"constraints": {
|
||||
"required": true,
|
||||
|
@ -312,7 +324,7 @@
|
|||
{
|
||||
"name": "playbook3",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "RecordedFuture-HASH-Obs_in_Underground-IndicatorProcessor",
|
||||
"label": "RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash",
|
||||
"elements": [
|
||||
{
|
||||
"name": "playbook3-text",
|
||||
|
@ -325,44 +337,6 @@
|
|||
"name": "playbook3-PlaybookName",
|
||||
"type": "Microsoft.Common.TextBox",
|
||||
"label": "Playbook Name",
|
||||
"defaultValue": "RecordedFuture-HASH-Obs_in_Underground-IndicatorProcessor",
|
||||
"toolTip": "Resource name for the logic app playbook. No spaces are allowed",
|
||||
"constraints": {
|
||||
"required": true,
|
||||
"regex": "[a-z0-9A-Z]{1,256}$",
|
||||
"validationMessage": "Please enter a playbook resource name"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "playbook3-PlaybookNameBatching",
|
||||
"type": "Microsoft.Common.TextBox",
|
||||
"label": "Playbook Name",
|
||||
"defaultValue": "RecordedFuture-ImportToSentinel",
|
||||
"toolTip": "Resource name for the logic app playbook. No spaces are allowed",
|
||||
"constraints": {
|
||||
"required": true,
|
||||
"regex": "[a-z0-9A-Z]{1,256}$",
|
||||
"validationMessage": "Please enter a playbook resource name"
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "playbook4",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash",
|
||||
"elements": [
|
||||
{
|
||||
"name": "playbook4-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This playbook ingests events from Recorded Future into Log Analytics using the API."
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "playbook4-PlaybookName",
|
||||
"type": "Microsoft.Common.TextBox",
|
||||
"label": "Playbook Name",
|
||||
"defaultValue": "RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash",
|
||||
"toolTip": "Resource name for the logic app playbook. No spaces are allowed",
|
||||
"constraints": {
|
||||
|
@ -374,19 +348,19 @@
|
|||
]
|
||||
},
|
||||
{
|
||||
"name": "playbook5",
|
||||
"name": "playbook4",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "RecordedFuture-IP-Actively_Comm_C2_Server-IndicatorProcessor",
|
||||
"elements": [
|
||||
{
|
||||
"name": "playbook5-text",
|
||||
"name": "playbook4-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This playbook ingests events from Recorded Future into Log Analytics using the API."
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "playbook5-PlaybookName",
|
||||
"name": "playbook4-PlaybookName",
|
||||
"type": "Microsoft.Common.TextBox",
|
||||
"label": "Playbook Name",
|
||||
"defaultValue": "RecordedFuture-IP-Actively_Comm_C2_Server-IndicatorProcessor",
|
||||
|
@ -398,7 +372,33 @@
|
|||
}
|
||||
},
|
||||
{
|
||||
"name": "playbook5-PlaybookNameBatching",
|
||||
"name": "playbook4-PlaybookNameBatching",
|
||||
"type": "Microsoft.Common.TextBox",
|
||||
"label": "Playbook Name",
|
||||
"defaultValue": "RecordedFuture-ImportToSentinel",
|
||||
"toolTip": "Resource name for the logic app playbook. No spaces are allowed",
|
||||
"constraints": {
|
||||
"required": true,
|
||||
"regex": "[a-z0-9A-Z]{1,256}$",
|
||||
"validationMessage": "Please enter a playbook resource name"
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "playbook5",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "RecordedFuture-ImportToSentinel",
|
||||
"elements": [
|
||||
{
|
||||
"name": "playbook5-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This playbook ingests events from Recorded Future into Log Analytics using the API."
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "playbook5-PlaybookName",
|
||||
"type": "Microsoft.Common.TextBox",
|
||||
"label": "Playbook Name",
|
||||
"defaultValue": "RecordedFuture-ImportToSentinel",
|
||||
|
@ -453,17 +453,17 @@
|
|||
}
|
||||
],
|
||||
"outputs": {
|
||||
"workspace-location": "[resourceGroup().location]",
|
||||
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
|
||||
"location": "[location()]",
|
||||
"workspace": "[basics('workspace')]",
|
||||
"playbook1-PlaybookName": "[steps('playbooks').playbook1.playbook1-PlaybookName]",
|
||||
"playbook1-PlaybookNameBatching": "[steps('playbooks').playbook1.playbook1-PlaybookNameBatching]",
|
||||
"playbook2-PlaybookName": "[steps('playbooks').playbook2.playbook2-PlaybookName]",
|
||||
"playbook2-PlaybookNameBatching": "[steps('playbooks').playbook2.playbook2-PlaybookNameBatching]",
|
||||
"playbook3-PlaybookName": "[steps('playbooks').playbook3.playbook3-PlaybookName]",
|
||||
"playbook3-PlaybookNameBatching": "[steps('playbooks').playbook3.playbook3-PlaybookNameBatching]",
|
||||
"playbook4-PlaybookName": "[steps('playbooks').playbook4.playbook4-PlaybookName]",
|
||||
"playbook4-PlaybookNameBatching": "[steps('playbooks').playbook4.playbook4-PlaybookNameBatching]",
|
||||
"playbook5-PlaybookName": "[steps('playbooks').playbook5.playbook5-PlaybookName]",
|
||||
"playbook5-PlaybookNameBatching": "[steps('playbooks').playbook5.playbook5-PlaybookNameBatching]",
|
||||
"playbook6-PlaybookName": "[steps('playbooks').playbook6.playbook6-PlaybookName]",
|
||||
"playbook6-PlaybookNameBatching": "[steps('playbooks').playbook6.playbook6-PlaybookNameBatching]",
|
||||
"workbook1-name": "[steps('workbooks').workbook1.workbook1-name]",
|
||||
|
|
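Review bot: The workspace filter on line 119 and the new `workspace-location` expression on line 741 both select workspaces with `contains(toLower(filter.id), toLower(resourceGroup().name))`, a substring test over the whole resource ID, so a workspace in another resource group whose name merely contains the selected group's name (a constructed example: group `rg` matching `rg-prod`) also passes, and on line 741 the first such hit supplies the deployment location. Matching the full path segment removes the ambiguity: `contains(toLower(filter.id), toLower(concat('/resourcegroups/', resourceGroup().name, '/')))` in both places. What `first()` yields on line 741 when nothing matches is not visible here and is presumably a failed output rather than a default; worth confirming. Separately, the playbook-name `regex` on lines 296 and 656, `[a-z0-9A-Z]{1,256}$`, has no leading `^`, so a value such as `my playbook` satisfies it despite the tooltip's "No spaces are allowed"; `"regex": "^[a-z0-9A-Z]{1,256}$"` enforces what the tooltip states.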
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
@ -1,15 +1,15 @@
|
|||
{
|
||||
"publisherId": "publisherId_test",
|
||||
"offerId": "planId_test",
|
||||
"firstPublishDate": "2021-10-19",
|
||||
"providers": [ "Recorded Future" ],
|
||||
"publisherId": "recordedfuture1605638642586",
|
||||
"offerId": "recorded_future_sentinel_solution",
|
||||
"firstPublishDate": "2021-11-01",
|
||||
"providers": ["Recorded Future"],
|
||||
"categories": {
|
||||
"domains": [ "Security - Threat Intelligence" ]
|
||||
"domains": ["Security - Threat Intelligence"]
|
||||
},
|
||||
"support": {
|
||||
"name": "name_test",
|
||||
"email": "email_test",
|
||||
"tier": "Partner",
|
||||
"link": "link_test"
|
||||
"name": "Recorded Future Support Team",
|
||||
"email": "support@recordedfuture.com",
|
||||
"tier": "Partner",
|
||||
"link": "http://support.recordedfuture.com/"
|
||||
}
|
||||
}
|
|
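Review bot: The support `link` on line 859 is plain `http://support.recordedfuture.com/`, and this value is surfaced to customers as the vendor's support contact, so it should use `https://` if the support site is served over TLS (not verifiable from this page). Every other URL in the commit already uses the HTTPS form, for example lines 1086 and 1176. Proposed line: `"link": "https://support.recordedfuture.com/"`.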
@ -1,33 +0,0 @@
|
|||
{
|
||||
"Name": "IoTOTThreatMonitoringwithDefenderforIoT",
|
||||
"Author": "Eli Forbes - v-eliforbes@microsoft.com",
|
||||
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">",
|
||||
"Description": "There has been a long-standing split between ICS/SCADA (OT) and Corporate (IT) cybersecurity. This split was often driven by significant differences in technology/tooling. Microsoft Defender for IoT's integration with Azure Sentinel drives convergency by providing a single pane for coverage of both D4IOT (OT) and Azure Sentinel (IT) alerting. This solution includes Workbooks, Analytics rules, and Playbooks providing a guide OT detection, Analysis, and Response.",
|
||||
"Workbooks": [
|
||||
"Workbooks/IoTOTThreatMonitoringwithDefenderforIoT.json"
|
||||
],
|
||||
"Analytic Rules": [
|
||||
"Analytic Rules/IoTDenialofService.yaml",
|
||||
"Analytic Rules/IoTExcessiveLoginAttempts.yaml",
|
||||
"Analytic Rules/IoTFirmwareUpdates.yaml",
|
||||
"Analytic Rules/IoTHighBandwidth.yaml",
|
||||
"Analytic Rules/IoTIllegalFunctionCodes.yaml",
|
||||
"Analytic Rules/IoTInsecurePLC.yaml",
|
||||
"Analytic Rules/IoTInternetAccess.yaml",
|
||||
"Analytic Rules/IoTMalware.yaml",
|
||||
"Analytic Rules/IoTNetworkScanning.yaml",
|
||||
"Analytic Rules/IoTPLCStopCommand.yaml",
|
||||
"Analytic Rules/IoTUnauthorizedDevice.yaml",
|
||||
"Analytic Rules/IoTUnauthorizedNetworkConfiguration.yaml",
|
||||
"Analytic Rules/IoTUnauthorizedPLCModifications.yaml",
|
||||
"Analytic Rules/IoTUnauthorizedRemoteAccess.yaml"
|
||||
],
|
||||
"Playbooks": [
|
||||
"Playbooks/AutoCloseIncidents.json",
|
||||
"Playbooks/MailBySensor.json",
|
||||
"Playbooks/NewAssetServiceNowTicket.json"
|
||||
],
|
||||
"Metadata": "SolutionMetadata.json",
|
||||
"BasePath": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT",
|
||||
"Version": "1.0.11"
|
||||
}
|
|
@ -1,34 +0,0 @@
|
|||
|
||||
{
|
||||
"Name": "MaturityModelForEventLogManagementM2131",
|
||||
"Author": "TJ Banasik - thomas.banasik@microsoft.com",
|
||||
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
|
||||
"Description": "This solution is designed to enable Cloud Architects, Security Engineers, and Governance Risk Compliance Professionals to increase visibility before, during, and after a cybersecurity incident. The solution includes (1) workbook, (4) hunting queries, (8) analytics rules, and (3) playbooks providing a comprehensive approach to design, build, monitoring, and response in logging architectures. Information from logs on information systems1 (for both on-premises systems and connections hosted by third parties, such as cloud services providers (CSPs) is invaluable in the detection, investigation, and remediation of cyber threats. Executive Order 14028, Improving the Nation's Cybersecurity, directs decisive action to improve the Federal Government’s investigative and remediation capabilities. This memorandum was developed in accordance with and addresses the requirements in section 8 of the Executive Order for logging, log retention, and log management, with a focus on ensuring centralized access and visibility for the highest-level enterprise security operations center (SOC) of each agency. In addition, this memorandum establishes requirements for agencies3 to increase the sharing of such information, as needed and appropriate, to accelerate incident response efforts and to enable more effective defense of Federal information and executive branch departments and agencies.For more information, see (💡Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents (M-21-31))[https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf].",
|
||||
"Workbooks": [
|
||||
"Workbooks/MaturityModelForEventLogManagement_M2131.json"
|
||||
],
|
||||
"Playbooks": [
|
||||
"Playbooks/Notify_LogManagementTeam.json",
|
||||
"Playbooks/Open_DevOpsTaskRecommendation.json",
|
||||
"Playbooks/Open_JIRATicketRecommendation.json"
|
||||
],
|
||||
"Analytic Rules": [
|
||||
"Analytic Rules/M2131AssetStoppedLogging.yaml",
|
||||
"Analytic Rules/M2131DataConnectorAddedChangedRemoved.yaml",
|
||||
"Analytic Rules/M2131EventLogManagementPostureChangedEL0.yaml",
|
||||
"Analytic Rules/M2131EventLogManagementPostureChangedEL1.yaml",
|
||||
"Analytic Rules/M2131EventLogManagementPostureChangedEL2.yaml",
|
||||
"Analytic Rules/M2131EventLogManagementPostureChangedEL3.yaml",
|
||||
"Analytic Rules/M2131LogRetentionLessThan1Year.yaml",
|
||||
"Analytic Rules/M2131RecommendedDatatableUnhealthy.yaml"
|
||||
],
|
||||
"Hunting Queries": [
|
||||
"Hunting Queries/M2131RecommendedDatatableNotLoggedEL0.yaml",
|
||||
"Hunting Queries/M2131RecommendedDatatableNotLoggedEL1.yaml",
|
||||
"Hunting Queries/M2131RecommendedDatatableNotLoggedEL2.yaml",
|
||||
"Hunting Queries/M2131RecommendedDatatableNotLoggedEL3.yaml"
|
||||
],
|
||||
"Metadata": "SolutionMetadata.json",
|
||||
"BasePath": "C:\\GitHub\\azure\\Solutions\\MaturityModelForEventLogManagementM2131",
|
||||
"Version": "1.0.3"
|
||||
}
|
|
@ -0,0 +1,28 @@
|
|||
{
|
||||
"Name": "Recorded Future",
|
||||
"Author": "Ruchita Dubey - v-rucdu@microsoft.com",
|
||||
"Description": "[Recorded Future](https://www.recordedfuture.com/) is the world’s largest provider of intelligence for enterprise security. By combining persistent and pervasive automated data collection and analytics with human analysis, Recorded Future delivers intelligence that is timely, accurate, and actionable.",
|
||||
"Analytic Rules": [
|
||||
"Analytic Rules/RecordedFutureDomainMalwareC2inDNSEvents.yaml",
|
||||
"Analytic Rules/RecordedFutureDomainMalwareC2inSyslogEvents.yaml",
|
||||
"Analytic Rules/RecordedFutureHashObservedInUndergroundinCommonSecurityLog.yaml",
|
||||
"Analytic Rules/RecordedFutureIPMalwareC2inAzureActivityEvents.yaml",
|
||||
"Analytic Rules/RecordedFutureIPMalwareC2inDNSEvents.yaml",
|
||||
"Analytic Rules/RecordedFutureUrlReportedbyInsiktGroupinSyslogEvents.yaml"
|
||||
],
|
||||
"Playbooks": [
|
||||
"Playbooks/RecordedFuture-DOMAIN-C2_DNS_Name-IndicatorProcessor.json",
|
||||
"Playbooks/RecordedFuture-HASH-Observed_in_Underground_Virus_Test_Sites-IndicatorProcessor.json",
|
||||
"Playbooks/RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash.json",
|
||||
"Playbooks/RecordedFuture-IP-Actively_Comm_C2_Server-IndicatorProcessor.json",
|
||||
"Playbooks/RecordedFuture-ImportToSentinel.json",
|
||||
"Playbooks/RecordedFuture-URL-Recent_Rep_by_Insikt_Group-IndicatorProcessor.json"
|
||||
],
|
||||
"Workbooks": [
|
||||
"Workbooks/Recorded Future - C&C DNS Name to DNS Events - Correlation&Threat Hunting.json",
|
||||
"Workbooks/Recorded Future - Actively Communicating C&C IPs to DNS Events - Correlation&Threat Hunting.json"
|
||||
],
|
||||
"BasePath": "C:\\GitHub\\azure\\Solutions\\Recorded Future",
|
||||
"Version": "1.0.1",
|
||||
"Metadata": "SolutionMetadata.json"
|
||||
}
|
|
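Review bot: `"BasePath"` on line 1149 of the new descriptor is a contributor's local Windows path, `C:\\GitHub\\azure\\Solutions\\Recorded Future`, so the packaging step only reproduces on that one machine; the other descriptors touched by this commit use the repository URL form, e.g. `https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/<name>` on lines 961 and 1265. The earlier hunk on line 56 makes the same change for the same solution, from `C:\\GitHub\\Azure-Sentinel\\...` to `C:\\GitHub\\azure\\...`. Suggest `"BasePath": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Recorded Future"` in both files (with the space spelled as the packaging tool expects), so the package can be rebuilt from any checkout or CI and compared against what ships in 1.0.1.zip.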
@ -1,14 +0,0 @@
|
|||
{
|
||||
"Name": "ThreatAnalysis&Response",
|
||||
"Author": "Sanmit Biraj - v-sabiraj@microsoft.com",
|
||||
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
|
||||
"Description": "MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. The MITRE ATT&CK Cloud Matrix provides tactics and techniques representing the MITRE ATT&CK® Matrix for Enterprise covering cloud-based techniques. The Matrix contains information for the following platforms: Azure AD, Office 365, SaaS, IaaS. For more information, see the 💡 [MITRE ATT&CK: Cloud Matrix](https://attack.mitre.org/matrices/enterprise/cloud/)",
|
||||
"WorkbookDescription": "Workbook to showcase MITRE ATT&CK Coverage for Azure Sentinel",
|
||||
"Workbooks": [
|
||||
"Workbooks/ThreatAnalysis&Response.json",
|
||||
"Workbooks/DynamicThreatModeling&Response.json"
|
||||
],
|
||||
"Metadata": "SolutionMetadata.json",
|
||||
"BasePath": "C:\\GitHub\\azure\\Solutions\\ThreatAnalysis&Response",
|
||||
"Version": "1.0.14"
|
||||
}
|
|
@ -1,22 +0,0 @@
|
|||
|
||||
{
|
||||
"Name": "ZeroTrust(TIC3.0)",
|
||||
"Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
|
||||
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
|
||||
"Description": "The Microsoft Sentinel: Zero Trust (TIC3.0) Workbook provides an automated visualization of Zero Trust principles cross walked to the Trusted Internet Connections framework. Compliance isn’t just an annual requirement, and organizations must monitor configurations over time like a muscle. This workbook leverages the full breadth of Microsoft security offerings across Azure, Office 365, Teams, Intune, Windows Virtual Desktop, and many more. This workbook enables Implementers, SecOps Analysts, Assessors, Security & Compliance Decision Makers, and MSSPs to gain situational awareness for cloud workloads' security posture. The workbook features 76+ control cards aligned to the TIC 3.0 security capabilities with selectable GUI buttons for navigation. This workbook is designed to augment staffing through automation, artificial intelligence, machine learning, query/alerting generation, visualizations, tailored recommendations, and respective documentation references.",
|
||||
"WorkbookDescription": "Gain insights into ZeroTrust logs.",
|
||||
"Workbooks": [
|
||||
"Workbooks/ZeroTrust(TIC3.0).json"
|
||||
],
|
||||
"Analytic Rules": [
|
||||
"Analytic Rules/Zero_Trust_TIC3.0_ControlAssessmentPostureChange.yaml"
|
||||
],
|
||||
"Playbooks": [
|
||||
"Playbooks/Notify_GovernanceComplianceTeam.json",
|
||||
"Playbooks/Open_DevOpsTaskRecommendation.json",
|
||||
"Playbooks/Open_JIRATicketRecommendation.json"
|
||||
],
|
||||
"Metadata": "SolutionMetadata.json",
|
||||
"BasePath": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/ZeroTrust(TIC3.0)",
|
||||
"Version": "2.0.1"
|
||||
}
|