Documentation links should not include locale - fix and add validations (#678)
* Documentation links should not include locale - fix and add validations
Родитель
376680405e
Коммит
d8321c70a5
|
@ -0,0 +1,11 @@
|
|||
jobs:
|
||||
- job: "DocumentsLinkValidation"
|
||||
pool:
|
||||
vmImage: 'Ubuntu 16.04'
|
||||
steps:
|
||||
- task: Npm@1
|
||||
displayName: 'npm install'
|
||||
inputs:
|
||||
verbose: false
|
||||
- script: 'npm run tsc && node .script/documentsLinkValidator.js'
|
||||
displayName: 'Documents links locale validation'
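Review bot: The `- task: Npm@1` step runs the task's default `install` command, which resolves version ranges from package.json and may rewrite the lockfile, so this job is not actually pinned to the package-lock.json that the same commit updates. Add `command: ci` under `inputs:` (keeping `verbose: false`) so the agent installs exactly the locked dependency tree and fails if package.json and the lockfile disagree, which is the supply-chain guarantee a PR validation job should give. The `vmImage: 'Ubuntu 16.04'` value is presumably copied from the sibling validator jobs, which I cannot see here; if so, a short comment that the image is shared and must be bumped together with them would save a future reader from updating one job and not the others.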
|
|
@ -4,7 +4,7 @@ At the time of submitting your Pull Request, automatic GitHub validations using
|
|||
|
||||
## What is Azure Pipelines
|
||||
|
||||
[Azure Pipelines](https://docs.microsoft.com/en-us/azure/devops/pipelines/get-started/what-is-azure-pipelines?view=azure-devops) is a cloud service that you can use to automatically build and test your code project and make it available to other users. It works with just about any language or project type.
|
||||
[Azure Pipelines](https://docs.microsoft.com/azure/devops/pipelines/get-started/what-is-azure-pipelines?view=azure-devops) is a cloud service that you can use to automatically build and test your code project and make it available to other users. It works with just about any language or project type.
|
||||
|
||||
|
||||
## How to add new PR validation:
|
||||
|
@ -18,7 +18,7 @@ The libraries are defined in package.json
|
|||
3. Create an Azure Pipeline job for the new validation.
|
||||
Add new yaml file under [.azure-pipelines](https://github.com/Azure/Azure-Sentinel/blob/master/.azure-pipelines/) folder, see example in [yamlFileValidator.yaml](https://github.com/Azure/Azure-Sentinel/blob/master/.azure-pipelines/yamlFileValidator.yaml) file (note - the script code should be added on another file for clearer code, see in step #5).
|
||||
* Add scripts those are relevant to the specific folder under one yaml file in the same job. The validation infrastructure and the examples are in TypeScript, but you can use other languages if you prefer
|
||||
* Azure Pipelines work with many languages such as Python, Java,JavaScript, PHP, Ruby, C#, C++, and Go. Refer to [Azure Pipelines documentation](https://docs.microsoft.com/en-us/azure/devops/pipelines/?view=azure-devops) for further information on this.
|
||||
* Azure Pipelines work with many languages such as Python, Java,JavaScript, PHP, Ruby, C#, C++, and Go. Refer to [Azure Pipelines documentation](https://docs.microsoft.com/azure/devops/pipelines/?view=azure-devops) for further information on this.
|
||||
|
||||
4. Add the new job to [azure-pipelines.yml](https://github.com/Azure/Azure-Sentinel/blob/master/azure-pipelines.yml) file as a new template under jobs property
|
||||
|
||||
|
@ -30,7 +30,7 @@ Add new yaml file under [.azure-pipelines](https://github.com/Azure/Azure-Sentin
|
|||
### How to add scipt validation
|
||||
|
||||
**Note**: All script logs are public and display in DevOps pipeline.
|
||||
By default, the logs color is white. In case you want another color you can use [logging commands](https://docs.microsoft.com/en-us/azure/devops/pipelines/scripts/logging-commands?view=azure-devops&tabs=bash)
|
||||
By default, the logs color is white. In case you want another color you can use [logging commands](https://docs.microsoft.com/azure/devops/pipelines/scripts/logging-commands?view=azure-devops&tabs=bash)
|
||||
|
||||
1. Create script file under [.script](https://github.com/Azure/Azure-Sentinel/tree/master/.script) folder
|
||||
|
||||
|
|
|
@ -0,0 +1,27 @@
|
|||
import { runCheckOverChangedFiles } from "./utils/changedFilesValidator";
|
||||
import { ExitCode } from "./utils/exitCode";
|
||||
import fs from "fs";
|
||||
import * as logger from "./utils/logger";
|
||||
|
||||
export async function IsFileContainsLinkWithLocale(filePath: string): Promise<ExitCode> {
|
||||
const content = fs.readFileSync(filePath, "utf8");
|
||||
if (/(https:\/\/docs.microsoft.com|https:\/\/azure.microsoft.com)(\/[a-z]{2}-[a-z]{2})/i.test(content)) {
|
||||
throw new Error();
|
||||
}
|
||||
return ExitCode.SUCCESS;
|
||||
}
|
||||
|
||||
let fileKinds = ["Added", "Modified"];
|
||||
let CheckOptions = {
|
||||
onCheckFile: (filePath: string) => {
|
||||
return IsFileContainsLinkWithLocale(filePath);
|
||||
},
|
||||
onExecError: async (e: any, filePath: string) => {
|
||||
console.log(`Documentation links should not include locale: ${filePath}, ${e.message}`);
|
||||
},
|
||||
onFinalFailed: async () => {
|
||||
logger.logError("An error occurred, please open an issue");
|
||||
}
|
||||
};
|
||||
|
||||
runCheckOverChangedFiles(CheckOptions, fileKinds);
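Review bot: `throw new Error();` carries no message, so the `${e.message}` in the `console.log` inside `onExecError` renders as an empty string after the file path and the contributor is never told which link tripped the check. Capture the match and report it instead: `const match = /https:\/\/(?:docs|azure)\.microsoft\.com\/[a-z]{2}-[a-z]{2}(?=[\/?#]|$)/i.exec(content);` then `if (match) { throw new Error("locale-specific link found: " + match[0]); }`. That pattern also escapes the host dots (the unescaped `.` in `docs.microsoft.com` currently matches any character) and requires the locale segment to end at `/`, `?`, `#` or end of input, so a root path segment that merely begins with `xx-yy` is not flagged. The `onFinalFailed` text `An error occurred, please open an issue` is misleading for a lint result the author is expected to fix themselves; something like `Documentation links must not include a locale segment such as /en-us/ - remove it and push again` points at the actual remedy. Note the check runs on every Added/Modified file regardless of type, which is fine for a regex test but worth a one-line comment so nobody later assumes it is markdown-only.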
|
|
@ -0,0 +1,3 @@
|
|||
# This is another dummy file
|
||||
|
||||
This time with bad link to [docs](https://docs.microsoft.com/en-us/windows/)
|
|
@ -0,0 +1,24 @@
|
|||
import { IsFileContainsLinkWithLocale } from "../../documentsLinkValidator";
|
||||
import { ExitCode } from "../../utils/exitCode";
|
||||
import chai from "chai";
|
||||
import { expect } from "chai";
|
||||
import chaiAsPromised from "chai-as-promised";
|
||||
|
||||
chai.use(chaiAsPromised);
|
||||
|
||||
describe("documentsLinkValidator", () => {
|
||||
it("should pass when no links", async () => {
|
||||
let result = await IsFileContainsLinkWithLocale(".script/tests/documentsLinkValidatorTest/nodoclinks.md");
|
||||
expect(result).to.equal(ExitCode.SUCCESS);
|
||||
});
|
||||
|
||||
it("should pass when link is valid", async () => {
|
||||
let result = await IsFileContainsLinkWithLocale(".script/tests/documentsLinkValidatorTest/validlink.md");
|
||||
expect(result).to.equal(ExitCode.SUCCESS);
|
||||
});
|
||||
|
||||
it("should fail when link contains locale", async () => {
|
||||
let result = await IsFileContainsLinkWithLocale(".script/tests/documentsLinkValidatorTest/badlink.md");
|
||||
expect(result).eventually.rejectedWith(Error)
|
||||
});
|
||||
});
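Review bot: The third test cannot pass as written: `let result = await IsFileContainsLinkWithLocale(...badlink.md)` awaits the rejected promise, so the rejection escapes the test body before `expect(result).eventually.rejectedWith(Error)` is reached, and even when that line runs its returned promise is neither awaited nor returned, so chai-as-promised would not fail the test if the function resolved. Replace the two lines with `await expect(IsFileContainsLinkWithLocale(".script/tests/documentsLinkValidatorTest/badlink.md")).to.eventually.be.rejectedWith(Error);`. The fixture paths are relative to the working directory, which I assume is the repository root given `node .script/documentsLinkValidator.js` in the pipeline step; a comment stating that assumption at the top of the describe block would help anyone running the tests from `.script/`.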
|
|
@ -0,0 +1,4 @@
|
|||
# This is just a dummy file
|
||||
|
||||
it has nothing here
|
||||
[maybe some link](https://www.microsoft.com) which is harmless
|
|
@ -0,0 +1,3 @@
|
|||
# This is another dummy file
|
||||
|
||||
This time with valid link to [docs](https://docs.microsoft.com/windows/)
|
|
@ -37,7 +37,7 @@ Once you have decided on the type of data connector you plan to support, set the
|
|||
|
||||
### REST API Connectors
|
||||
|
||||
1. Use the [Azure Monitor Data Collector API](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-collector-api) to send data to Azure Log Analytics. [This blog](https://zimmergren.net/building-custom-data-collectors-for-azure-log-analytics/) covers step by step instructions with screenshots to do so. If on prem, open port 443 (HTTPS/TLS) on your environment to talk to Azure Sentinel.
|
||||
1. Use the [Azure Monitor Data Collector API](https://docs.microsoft.com/azure/azure-monitor/platform/data-collector-api) to send data to Azure Log Analytics. [This blog](https://zimmergren.net/building-custom-data-collectors-for-azure-log-analytics/) covers step by step instructions with screenshots to do so. If on prem, open port 443 (HTTPS/TLS) on your environment to talk to Azure Sentinel.
|
||||
2. Ensure the schema used for structuring the data in Log Analytics is locked. Any changes to the schema after the data connector is published will have a compatibility impact, hence need to have a new name for the connector data type.
|
||||
3. Design a configuration mechanism in your product experience via product settings or via your product website, where your customers can go and enter the following information to send their logs into Log Analytics for Azure Sentinel.
|
||||
1. [**Required**] Azure Sentinel workspace ID
|
||||
|
@ -125,9 +125,9 @@ To use TLS communication between the security solution and the Syslog machine, y
|
|||
|
||||
### Syslog Connector
|
||||
|
||||
**Note:** If your product supports CEF, the connection is more complete and you should choose CEF and follow the instructions in [Connecting data from CEF](https://docs.microsoft.com/en-us/azure/sentinel/connect-common-event-format) and data connector building steps detailed in the CEF connector section.
|
||||
**Note:** If your product supports CEF, the connection is more complete and you should choose CEF and follow the instructions in [Connecting data from CEF](https://docs.microsoft.com/azure/sentinel/connect-common-event-format) and data connector building steps detailed in the CEF connector section.
|
||||
|
||||
1. Follow the steps outlined in the [Connecting data from Syslog](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog) to use the Azure Sentinel syslog connector to connect your product.
|
||||
1. Follow the steps outlined in the [Connecting data from Syslog](https://docs.microsoft.com/azure/sentinel/connect-syslog) to use the Azure Sentinel syslog connector to connect your product.
|
||||
2. Set your security solution to send Syslog messages to the proxy machine. This varies from product to product and follow the process for your product.
|
||||
3. Outline specific steps custom for sending your product logs along with link to your (partner) product documentation on how customers should configure their agent to send Syslog logs from the respective product into Azure Sentinel.
|
||||
4. Design and validate a few key queries that lands the value of the data stream using Kusto Query Language. Share these as sample queries in the data connector.
|
||||
|
|
|
@ -5,7 +5,7 @@ description: |
|
|||
This could indicate that permissions to access the listed Azure App were provided to a malicious actor.
|
||||
Consent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events.
|
||||
This may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth
|
||||
For further information on AuditLogs please see https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities.'
|
||||
For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: AzureActiveDirectory
|
||||
|
|
|
@ -3,7 +3,7 @@ name: Office policy tampering
|
|||
description: |
|
||||
'Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy.
|
||||
An adversary may use this technique to evade detection or avoid other policy based defenses.
|
||||
References: https://docs.microsoft.com/en-us/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.'
|
||||
References: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: Office365
|
||||
|
|
|
@ -3,7 +3,7 @@ name: Group added to built in domain local or global group
|
|||
description: |
|
||||
'Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the
|
||||
Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.
|
||||
References: For AD SID mappings - https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups.'
|
||||
References: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: SecurityEvents
|
||||
|
|
|
@ -21,7 +21,7 @@ relevantTechniques:
|
|||
query: |
|
||||
|
||||
let timeframe = 1d;
|
||||
// For AD SID mappings - https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups
|
||||
// For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups
|
||||
let WellKnownLocalSID = "S-1-5-32-5[0-9][0-9]$";
|
||||
let WellKnownGroupSID = "S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$";
|
||||
SecurityEvent
|
||||
|
|
|
@ -5,9 +5,9 @@ description: |
|
|||
The ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access
|
||||
or if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).
|
||||
References:
|
||||
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
|
||||
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins
|
||||
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes
|
||||
https://docs.microsoft.com/azure/active-directory/conditional-access/overview
|
||||
https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins
|
||||
https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes
|
||||
ConditionalAccessStatus == 0 // Success
|
||||
ConditionalAccessStatus == 1 // Failure
|
||||
ConditionalAccessStatus == 2 // Not Applied
|
||||
|
|
|
@ -3,7 +3,7 @@ name: Attempts to sign in to disabled accounts
|
|||
description: |
|
||||
'Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.
|
||||
Default threshold for Azure Applications attempted to sign in to is 3.
|
||||
References: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes
|
||||
References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes
|
||||
50057 - User account is disabled. The account has been disabled by an administrator.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
|
|
|
@ -3,7 +3,7 @@ name: Distributed Password cracking attempts in AzureAD
|
|||
description: |
|
||||
'Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs.
|
||||
The query looks for unusually high number of failed password attempts coming from multiple locations for a user account.
|
||||
References: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes
|
||||
References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes
|
||||
50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.
|
||||
50055 Invalid password, entered expired password.
|
||||
50056 Invalid or null password - Password does not exist in store for this user.
|
||||
|
|
|
@ -4,7 +4,7 @@ description: |
|
|||
'Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon
|
||||
attempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack.
|
||||
The following are excluded due to success and non-failure results:
|
||||
References: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes
|
||||
References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes
|
||||
0 - successful logon
|
||||
50125 - Sign-in was interrupted due to a password reset or password registration entry.
|
||||
50140 - This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.'
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
name: Sign-ins from IPs that attempt sign-ins to disabled accounts
|
||||
description: |
|
||||
'Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.
|
||||
References: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes
|
||||
References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes
|
||||
50057 - User account is disabled. The account has been disabled by an administrator.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
|
|
|
@ -5,7 +5,7 @@ description: |
|
|||
and by a successful authentication within a given time window.
|
||||
(The query does not enforce any sequence - eg requiring the successful authentication to occur last.)
|
||||
Default Failure count is 5, Default Success count is 1 and default Time Window is 20 minutes.
|
||||
References: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.'
|
||||
References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: AzureActiveDirectory
|
||||
|
|
|
@ -7,7 +7,7 @@ description: |
|
|||
This can be an indicator that an attack was successful.
|
||||
The default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days
|
||||
Note: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.
|
||||
References: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.'
|
||||
References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: AzureActiveDirectory
|
||||
|
|
|
@ -8,7 +8,7 @@ description: |
|
|||
from the AuditLogs based on CorrleationId from the same account that performed "Consent to
|
||||
application".
|
||||
For further information on AuditLogs please see
|
||||
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities
|
||||
https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities
|
||||
This may help detect the Oauth2 attack that can be initiated by this publicly available tool
|
||||
https://github.com/fireeye/PwnAuth'
|
||||
requiredDataConnectors:
|
||||
|
|
|
@ -3,8 +3,8 @@ name: Azure Resources assigned Public IP Addresses
|
|||
description: |
|
||||
'Identifies when public IP addresses are assigned to Azure Resources. Additionally, shows connections to those resources.
|
||||
Resources:
|
||||
https://docs.microsoft.com/en-us/azure/azure-monitor/insights/azure-networking-analytics
|
||||
https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-schema'
|
||||
https://docs.microsoft.com/azure/azure-monitor/insights/azure-networking-analytics
|
||||
https://docs.microsoft.com/azure/network-watcher/traffic-analytics-schema'
|
||||
requiredDataConnectors:
|
||||
- connectorId: AzureActivity
|
||||
dataTypes:
|
||||
|
|
|
@ -9,8 +9,8 @@ description: |
|
|||
currency mining, command and control, exfiltration, distributed attacks and propagation of malware, among others. Verify that this resource creation
|
||||
is expected.
|
||||
Resources:
|
||||
https://docs.microsoft.com/en-us/azure/azure-monitor/insights/azure-networking-analytics
|
||||
https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-schema'
|
||||
https://docs.microsoft.com/azure/azure-monitor/insights/azure-networking-analytics
|
||||
https://docs.microsoft.com/azure/network-watcher/traffic-analytics-schema'
|
||||
requiredDataConnectors:
|
||||
- connectorId: AzureActivity
|
||||
dataTypes:
|
||||
|
|
|
@ -6,7 +6,7 @@ description: |
|
|||
'COM7', 'COM8', 'COM9', 'LPT1', 'LPT2', 'LPT3', 'LPT4', 'LPT5', 'LPT6', 'LPT7', 'LPT8', 'LPT9' file extensions.
|
||||
Additionally, identifies when a given user is uploading these files to another users workspace.
|
||||
This may be indication of a staging location for malware or other malicious activity.
|
||||
References: https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file'
|
||||
References: https://docs.microsoft.com/windows/win32/fileio/naming-a-file'
|
||||
requiredDataConnectors:
|
||||
- connectorId: Office365
|
||||
dataTypes:
|
||||
|
|
|
@ -6,7 +6,7 @@ description: |
|
|||
'COM7', 'COM8', 'COM9', 'LPT1', 'LPT2', 'LPT3', 'LPT4', 'LPT5', 'LPT6', 'LPT7', 'LPT8', 'LPT9' file extensions.
|
||||
Additionally, identifies when a given user is uploading these files to another users workspace.
|
||||
This may be indication of a staging location for malware or other malicious activity.
|
||||
References: https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file'
|
||||
References: https://docs.microsoft.com/windows/win32/fileio/naming-a-file'
|
||||
requiredDataConnectors:
|
||||
- connectorId: Office365
|
||||
dataTypes:
|
||||
|
|
|
@ -5,7 +5,7 @@ description: |
|
|||
The logon type indicates mailbox accessed from non-owner user. Exchange allows Admin
|
||||
and delegate permissions to access other user's inbox.
|
||||
If your organization has valid admin, delegate access given to users, you can whitelist those and investigate other results.
|
||||
References: https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#logontype'
|
||||
References: https://docs.microsoft.com/office/office-365-management-api/office-365-management-activity-api-schema#logontype'
|
||||
requiredDataConnectors:
|
||||
- connectorId: Office365
|
||||
dataTypes:
|
||||
|
|
|
@ -5,7 +5,7 @@ description: |
|
|||
By default, all accounts you create in Office 365 are allowed to use Exchange Online PowerShell.
|
||||
Administrators can use Exchange Online PowerShell to enable or disable a user's ability to connect to Exchange Online PowerShell.
|
||||
Whitelist any benign scheduled activities using exchange powershell if applicable in your environment.
|
||||
References: https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/connect-to-exchange-online-powershell?view=exchange-ps'
|
||||
References: https://docs.microsoft.com/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/connect-to-exchange-online-powershell?view=exchange-ps'
|
||||
requiredDataConnectors:
|
||||
- connectorId: Office365
|
||||
dataTypes:
|
||||
|
|
|
@ -2,7 +2,7 @@ id: 892cd37e-f9e1-49c3-b0b2-d74f52ac7b71
|
|||
name: VIP account more than 6 failed logons in 10
|
||||
description: |
|
||||
'VIP Account with more than 6 failed logon attempts in 10 minutes, include your own VIP list in the table below
|
||||
NTSTATUS codes - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55'
|
||||
NTSTATUS codes - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55'
|
||||
requiredDataConnectors:
|
||||
- connectorId: SecurityEvents
|
||||
dataTypes:
|
||||
|
@ -48,7 +48,7 @@ query: |
|
|||
Status =~ "0xC0000224", "STATUS_PASSWORD_MUST_CHANGE",
|
||||
Status =~ "0xC0000234", "STATUS_ACCOUNT_LOCKED_OUT",
|
||||
Status =~ "0xC00002EE", "STATUS_UNFINISHED_CONTEXT_DELETED",
|
||||
"See - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55"
|
||||
"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55"
|
||||
)
|
||||
| extend SubStatusDesc = case(
|
||||
SubStatus =~ "0x80090325", "SEC_E_UNTRUSTED_ROOT",
|
||||
|
@ -77,7 +77,7 @@ query: |
|
|||
SubStatus =~ "0xC0000387", "STATUS_SMARTCARD_IO_ERROR",
|
||||
SubStatus =~ "0xC0000388", "STATUS_DOWNGRADE_DETECTED",
|
||||
SubStatus =~ "0xC0000389", "STATUS_SMARTCARD_CERT_REVOKED",
|
||||
"See - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55"
|
||||
"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55"
|
||||
)
|
||||
| project StartTimeUtc, EndTimeUtc, FailedVIPLogons, EventID, Activity, WorkstationName, Account, TargetAccount, TargetUserName, TargetDomainName, LogonType, LogonTypeName, LogonProcessName, Status, StatusDesc, SubStatus, SubStatusDesc
|
||||
| extend timestamp = StartTimeUtc, AccountCustomEntity = Account
|
||||
|
|
|
@ -16,7 +16,7 @@ relevantTechniques:
|
|||
query: |
|
||||
|
||||
let timeframe = 7d;
|
||||
// For AD SID mappings - https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups
|
||||
// For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups
|
||||
let WellKnownLocalSID = "S-1-5-32-5[0-9][0-9]$";
|
||||
let WellKnownGroupSID = "S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$";
|
||||
let GroupAddition = SecurityEvent
|
||||
|
|
|
@ -16,7 +16,7 @@ relevantTechniques:
|
|||
query: |
|
||||
|
||||
let timeframe = 10d;
|
||||
// For AD SID mappings - https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups
|
||||
// For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups
|
||||
let WellKnownLocalSID = "S-1-5-32-5[0-9][0-9]$";
|
||||
let WellKnownGroupSID = "S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$";
|
||||
SecurityEvent
|
||||
|
|
|
@ -12,3 +12,4 @@ jobs:
|
|||
- template: .azure-pipelines/detectionsValidations.yaml
|
||||
- template: .azure-pipelines/yamlFileValidator.yaml
|
||||
- template: .azure-pipelines/jsonFileValidator.yaml
|
||||
- template: .azure-pipelines/documentsLinkValidator.yaml
|
||||
|
|
|
@ -956,6 +956,24 @@
|
|||
"resolved": "https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz",
|
||||
"integrity": "sha1-BF+XgtARrppoA93TgrJDkrPYkPc="
|
||||
},
|
||||
"simple-git": {
|
||||
"version": "1.132.0",
|
||||
"resolved": "https://registry.npmjs.org/simple-git/-/simple-git-1.132.0.tgz",
|
||||
"integrity": "sha512-xauHm1YqCTom1sC9eOjfq3/9RKiUA9iPnxBbrY2DdL8l4ADMu0jjM5l5lphQP5YWNqAL2aXC/OeuQ76vHtW5fg==",
|
||||
"requires": {
|
||||
"debug": "^4.0.1"
|
||||
},
|
||||
"dependencies": {
|
||||
"debug": {
|
||||
"version": "4.1.1",
|
||||
"resolved": "https://registry.npmjs.org/debug/-/debug-4.1.1.tgz",
|
||||
"integrity": "sha512-pYAIzeRo8J6KPEaJ0VWOh5Pzkbw/RetuzehGM7QRRX5he4fPHx2rdKMB256ehJCkX+XRQm16eZLqLNS8RSZXZw==",
|
||||
"requires": {
|
||||
"ms": "^2.1.1"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"source-map": {
|
||||
"version": "0.6.1",
|
||||
"resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
|
||||
|
|
|
@ -31,7 +31,7 @@
|
|||
"url": "git+https://github.com/Azure-Sentinel.git"
|
||||
},
|
||||
"author": "",
|
||||
"license": "",
|
||||
"license": "MIT",
|
||||
"bugs": {
|
||||
"url": "https://github.com/Azure/Azure-Sentinel/issues"
|
||||
},
|
||||
|
|