New Microsoft Sentinel Workbook for Windows Firewall via AMA connector.

This commit is contained in:
John Joyner 2024-09-06 10:10:56 -05:00
Родитель 7f64e7df7e
Коммит d8ecf786e2
7 изменённых файлов: 488 добавлений и 0 удалений

Workbooks/Images/Preview/WindowsFirewallviaAMABlack1.png Normal file
Workbooks/Images/Preview/WindowsFirewallviaAMABlack2.png Normal file
Workbooks/Images/Preview/WindowsFirewallviaAMAWhite1.png Normal file
Workbooks/Images/Preview/WindowsFirewallviaAMAWhite2.png Normal file

@ -0,0 +1,452 @@
{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "## Firewall\n---\nThis workbook requires the following data connectors:\n\n| Log | Requirements | Steps |\n|:------------- |:-------------|:-----|\n| Windows Firewall | Sentinel connector, DCR, Agent, Firewall log| Install Windows Firewall via AMA connector, Create Windows Firewall DCR, install Azure Monitor Agent (AMA), Enable firewall logging on host|\n| Windows Security Events | Sentinel connector, DCR, Agent | Install Security Events via AMA connector, Create Windows Security Log DCR, install Azure Monitor Agent (AMA) |\n| Azure Signin | Sentinel connector, Diagnostics setting| Create Diagnostics setting for signinlogs|\n\n"
},
"name": "text - 2"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "24bfb86e-cf14-4585-a8fc-21f1f7f2227a",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"value": {
"durationMs": 604800000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
]
}
},
{
"id": "7a206eb7-2655-42d5-a7d7-2e42bd04709b",
"version": "KqlParameterItem/1.0",
"name": "Computers",
"type": 2,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "ASimNetworkSessionLogs\r\n| where EventProduct == \"Windows Firewall\"\r\n| extend Computer = split(_ResourceId, \"/\", 8)\r\n| extend Computer = tostring (Computer[0])\r\n| distinct Computer",
"typeSettings": {
"additionalResourceOptions": [
"value::all"
]
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"value": [
"value::all"
]
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"customWidth": "33",
"name": "parameters "
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ASimNetworkSessionLogs\r\n| where EventProduct == \"Windows Firewall\"\r\n| extend Computer = split(_ResourceId, \"/\", 8)\r\n| extend Computer = tostring (Computer[0])\r\n| summarize arg_max(TimeGenerated, *) by Computer\r\n| project Computer, ['Last update'] = TimeGenerated\r\n| top 10 by ['Last update'] desc \r\n",
"size": 4,
"title": "Active connected computers (10 most recent firewall log uploads)",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "Computer",
"formatter": 1,
"formatOptions": {
"showIcon": true
}
},
"subtitleContent": {
"columnMatch": "OSInfo",
"formatter": 1,
"formatOptions": {
"showIcon": true
},
"dateFormat": {
"formatName": "shortDateTimePattern"
}
},
"secondaryContent": {
"columnMatch": "Last update",
"formatter": 6,
"formatOptions": {
"showIcon": true
},
"dateFormat": {
"formatName": "shortDateTimePattern"
}
},
"showBorder": true,
"sortCriteriaField": "Last update",
"sortOrderField": 2
}
},
"customWidth": "33",
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ASimNetworkSessionLogs\r\n| where EventProduct == \"Windows Firewall\"\r\n| extend Computer = split(_ResourceId, \"/\", 8)\r\n| extend Computer = tostring (Computer[0])\r\n| summarize dcount(Computer), ActiveComputers = makeset(Computer) by bin(TimeGenerated, 15m)",
"size": 4,
"title": "Active connected computers timeline",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart",
"chartSettings": {
"ySettings": {
"min": 0
}
}
},
"customWidth": "33",
"name": "query - 4"
},
{
"type": 1,
"content": {
"json": "----\r\n## Firewall events\r\n\r\nGeneral information about firewall port, IP's, protocols and actions"
},
"name": "text - 13"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let commonPorts = dynamic({\"443\": \"HTTPS\", \"80\":\"HTTP\", \"3389\":\"RDP\", \"53\":\"DNS\", \"389\":\"LDAP\", \"445\":\"SMB\", \"135\":\"RPC\", \"47001\":\"WinRM\",\"22\":\"ssh\", \"21\": \"ftp\"}); // Set of common portnames\r\nlet param_Computers = \"{Computers}\";\r\nASimNetworkSessionLogs\r\n| where EventProduct == \"Windows Firewall\"\r\n| extend Computer = split(_ResourceId, \"/\", 8)\r\n| extend Computer = tostring (Computer[0])\r\n| where isnotempty(DstPortNumber) and (Computer == param_Computers or param_Computers contains Computer or isempty(param_Computers)) // Filter given computers from parameter\r\n| summarize Dropped = countif(DvcAction =~ \"Drop\"), Allowed = countif(DvcAction =~ \"Allow\"), Total = count() by tostring(DstPortNumber), NetworkProtocol\r\n| extend portName = iff(commonPorts contains DstPortNumber, commonPorts[DstPortNumber],DstPortNumber)\r\n| sort by Total desc\r\n| project [\"Destination Port\"] = DstPortNumber,['Core Protocol'] = NetworkProtocol , [\"Default Protocol\"] = portName, Total, Allowed, Dropped",
"size": 0,
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Total",
"formatter": 4,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Allowed",
"formatter": 4,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Dropped",
"formatter": 4,
"formatOptions": {
"showIcon": true
}
}
]
}
},
"customWidth": "60",
"name": "query - 10"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let param_Computers = \"{Computers}\";\r\nASimNetworkSessionLogs\r\n| where EventProduct == \"Windows Firewall\"\r\n| extend Computer = split(_ResourceId, \"/\", 8)\r\n| extend Computer = tostring (Computer[0])\r\n| where isnotempty(DstPortNumber) and (Computer == param_Computers or param_Computers contains Computer or isempty(param_Computers))// Filter giver computers from parameter\r\n| summarize Allowed = count() by tostring(DstPortNumber)\r\n| sort by Allowed desc\r\n| project DstPortNumber, Allowed",
"size": 0,
"title": "Allowed Connections by Port",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "40",
"name": "query - 11 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let commonPorts = dynamic({\"443\": \"HTTPS\", \"80\":\"HTTP\", \"3389\":\"RDP\", \"53\":\"DNS\", \"389\":\"LDAP\", \"445\":\"SMB\", \"135\":\"RPC\", \"47001\":\"WinRM\",\"22\":\"ssh\", \"21\": \"ftp\"}); // Set of common portnames\r\nlet param_Computers = \"{Computers}\";\r\nASimNetworkSessionLogs\r\n| where EventProduct == \"Windows Firewall\"\r\n| extend Computer = split(_ResourceId, \"/\", 8)\r\n| extend Computer = tostring (Computer[0])\r\n| where isnotempty(DstPortNumber) and isnotempty(DstPortNumber) and (Computer == param_Computers or param_Computers contains Computer or isempty(param_Computers))// Filter giver computers from parameter\r\n| summarize Allowed = count() by tostring(DstPortNumber)\r\n| extend portName = iff(commonPorts contains DstPortNumber, commonPorts[DstPortNumber],DstPortNumber)\r\n| sort by Allowed desc\r\n| project portName, Allowed",
"size": 0,
"title": "Piechart by protocol",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "33",
"name": "query - 15"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let commonPorts = dynamic({\"443\": \"HTTPS\", \"80\":\"HTTP\", \"3389\":\"RDP\", \"53\":\"DNS\", \"389\":\"LDAP\", \"445\":\"SMB\", \"135\":\"RPC\", \"47001\":\"WinRM\",\"22\":\"ssh\", \"21\": \"ftp\"}); // Set of common portnames\r\nlet param_Computers = \"{Computers}\";\r\nASimNetworkSessionLogs\r\n| where EventProduct == \"Windows Firewall\"\r\n| extend Computer = split(_ResourceId, \"/\", 8)\r\n| extend Computer = tostring (Computer[0])\r\n| where isnotempty(DstPortNumber) and (Computer == param_Computers or param_Computers contains Computer or isempty(param_Computers))\r\n| extend DstPortNumber = tostring(DstPortNumber)\r\n| extend protocolName = iff(commonPorts has DstPortNumber, commonPorts[DstPortNumber],NetworkProtocol)\r\n| summarize Events = count() by bin(TimeGenerated,30m), protocolName",
"size": 0,
"title": "Timechart by protocol",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "areachart"
},
"customWidth": "66",
"name": "query - 15"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let param_Computers = \"{Computers}\";\r\nASimNetworkSessionLogs\r\n| where EventProduct == \"Windows Firewall\"\r\n| extend Computer = split(_ResourceId, \"/\", 8)\r\n| extend Computer = tostring (Computer[0])\r\n| where (Computer == param_Computers or param_Computers contains Computer or param_Computers == \"\")\r\n| summarize Events = count() by DvcAction\r\n",
"size": 0,
"title": "Piechart by firewall action",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "33",
"name": "query - 16"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let param_Computers = \"{Computers}\";\r\nASimNetworkSessionLogs\r\n| where EventProduct == \"Windows Firewall\"\r\n| extend Computer = split(_ResourceId, \"/\", 8)\r\n| extend Computer = tostring (Computer[0])\r\n| where (Computer == param_Computers or param_Computers contains Computer or param_Computers == \"\")\r\n| summarize Events = count() by bin(TimeGenerated,30m), DvcAction",
"size": 0,
"title": "Timechart by firewall action",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "areachart"
},
"customWidth": "66",
"name": "query - 14"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let param_Computers = \"{Computers}\";\r\nSecurityEvent\r\n| extend ComputerName = split(Computer, \".\", 0)\r\n| extend ComputerName = tostring (ComputerName[0])\r\n| where AccountType == \"User\" and isnotempty(IpAddress) and (ComputerName == param_Computers or param_Computers contains ComputerName or param_Computers == \"\")\r\n| summarize EventCount = count(), DistinctIPCount = dcount(IpAddress),IPAddresses = makeset(IpAddress) by Account, Computer, ComputerName\r\n| top 10 by DistinctIPCount desc\r\n| extend machineAccount = strcat(Account,\" - \",ComputerName)\r\n| project Account, Computer, ['Distinct IP Count'] = DistinctIPCount, ['Event Count'] = EventCount, IPAddresses",
"size": 0,
"title": "Windows Security Events by Account",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Distinct IP Count",
"formatter": 4,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Event Count",
"formatter": 4,
"formatOptions": {
"showIcon": true
}
}
]
},
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "Account",
"formatter": 1
},
"leftContent": {
"columnMatch": "Tries",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"chartSettings": {
"createOtherGroup": 8
}
},
"name": "query - 11"
},
{
"type": 1,
"content": {
"json": "----\r\n## Correlation\r\n\r\nThese visuals give a representation of the Windows firewall, security log and Azure signins events.\r\n\r\nResults below could mean a targeted attack to an organization's private and public cloud. <br>\r\nThis can also be used to monitor the organization's most used IP's "
},
"name": "text - 14"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let param_Computers = \"{Computers}\";\r\nASimNetworkSessionLogs\r\n| where EventProduct == \"Windows Firewall\"\r\n| extend Computer = split(_ResourceId, \"/\", 8)\r\n| extend Computer = tostring (Computer[0])\r\n| where (Computer == param_Computers or param_Computers contains Computer or isempty(param_Computers))\r\n| extend SourceIP = tostring (SrcIpAddr)\r\n| summarize FirewallEvents = count() by SourceIP\r\n| join kind = inner(\r\n SigninLogs\r\n | summarize\r\n SuccessAzureLogin = countif(ResultType == 0),\r\n FailedAzureLogin = countif(ResultType != 0)\r\n by SourceIP = IPAddress\r\n )\r\n on SourceIP\r\n| join kind = inner(\r\n SecurityEvent\r\n | extend ComputerName = split(Computer, \".\", 0)\r\n | extend ComputerName = tostring (ComputerName[0])\r\n | where LogonType == 10 \r\n | summarize\r\n SuccessRDPLogin = countif(EventID == 4624),\r\n FailedRDPlogin = countif(EventID == 4625)\r\n by SourceIP = IpAddress, ComputerName\r\n )\r\n on SourceIP\r\n| project\r\n SourceIP,\r\n ComputerName,\r\n ['Firewall events']=FirewallEvents,\r\n ['Success Azure logins']=SuccessAzureLogin,\r\n ['Failed Azure logins']=FailedAzureLogin,\r\n ['Success RDP logins']=SuccessRDPLogin,\r\n ['Failed RDP logins']=FailedRDPlogin\r\n| sort by ['Failed RDP logins'], ['Failed Azure logins'] desc",
"size": 1,
"title": "Correlating events between Windows firewall, security logs and Azure signins",
"noDataMessage": "No links between Windows firewall and Azure logins (positive)",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "query - 9"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let param_Computers = \"{Computers}\";\r\nSecurityEvent\r\n| extend ComputerName = split(Computer, \".\", 0)\r\n| extend ComputerName = tostring (ComputerName[0])\r\n| where AccountType == \"User\" and LogonType == 10 and (ComputerName == param_Computers or param_Computers contains ComputerName or isempty(param_Computers))\r\n| summarize FailedRDPLogins = countif(EventID == 4625), SuccessRDPLogins = countif(EventID == 4624) by IpAddress, Computer, ComputerName\r\n| join kind= inner (\r\n ASimNetworkSessionLogs\r\n | where EventProduct == \"Windows Firewall\"\r\n | extend Computer = split(_ResourceId, \"/\", 8)\r\n | extend Computer = tostring (Computer[0])\r\n | where DstPortNumber == 3389 and (Computer == param_Computers or param_Computers contains Computer or isempty(param_Computers))\r\n | summarize FirewallDropped = countif(DvcAction =~ \"Drop\"), FirewallAllowed = countif(DvcAction =~ \"Allow\") by SrcIpAddr\r\n) on $left.IpAddress == $right.SrcIpAddr\r\n| extend SourceIpAddress = IpAddress \r\n| project Computer, SourceIpAddress, FailedRDPLogins, SuccessRDPLogins, FirewallDropped, FirewallAllowed\r\n| sort by SuccessRDPLogins, FailedRDPLogins desc",
"size": 0,
"title": "Correlating RDP events between Windows firewall and security logs",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "FailedRDPLogins",
"formatter": 4,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "SuccessRDPLogins",
"formatter": 4,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "FirewallDropped",
"formatter": 4,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "FirewallAllowed",
"formatter": 4,
"formatOptions": {
"showIcon": true
}
}
]
}
},
"customWidth": "50",
"name": "query - 11"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let param_Computers = \"{Computers}\";\r\nASimNetworkSessionLogs\r\n| where EventProduct == \"Windows Firewall\"\r\n| extend Computer = split(_ResourceId, \"/\", 8)\r\n| extend Computer = tostring (Computer[0])\r\n| where (Computer == param_Computers or param_Computers contains Computer or isempty(param_Computers)) and SrcIpAddr !in (\"::1\",\"-\")\r\n| summarize FirewallEvents = count() by SrcIpAddr\r\n| join(\r\nSecurityEvent\r\n| extend ComputerName = split(Computer, \".\", 0)\r\n| extend ComputerName = tostring (ComputerName[0])\r\n| where isnotempty(IpAddress) and (ComputerName == param_Computers or param_Computers contains ComputerName or isempty(param_Computers))\r\n| summarize SecurityEvents = count() by SrcIpAddr = IpAddress\r\n) on SrcIpAddr\r\n| top 15 by FirewallEvents desc\r\n| project SrcIpAddr, SecurityEvents, FirewallEvents",
"size": 0,
"title": "Correlating IPs between Windows firewall and security logs",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "SecurityEvents",
"formatter": 4,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "FirewallEvents",
"formatter": 4,
"formatOptions": {
"showIcon": true
}
}
]
}
},
"customWidth": "50",
"name": "query - 13"
}
],
"styleSettings": {},
"fromTemplateId": "sentinel-WindowsFirewallViaAMA",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}
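Review bot: In the "query - 10" and "Piechart by protocol" items, the `commonPorts` lookup `iff(commonPorts contains DstPortNumber, commonPorts[DstPortNumber], DstPortNumber)` uses `contains`, which is a substring match over the serialized dynamic object: a port such as 44 or 38 tests true against "443"/"3389", the index then returns null, and that port vanishes from the portName column; the "Timechart by protocol" item already uses `commonPorts has DstPortNumber`, and all three should use `has`. The host filter `param_Computers contains Computer`, repeated in every query, has the same substring problem (selecting 'web10' also passes rows for 'web1'), so `param_Computers has Computer` looks like the safer term match, worth confirming against hostnames that contain hyphens. Smaller points: "Piechart by protocol" repeats `isnotempty(DstPortNumber) and isnotempty(DstPortNumber)`, "Windows Security Events by Account" extends `machineAccount` but never projects it, and the item names "query - 15" and "query - 11" are each used twice (plus "query - 11 - Copy"), which is probably tolerated by the renderer but makes the template harder to maintain.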

Просмотреть файл

@ -7923,5 +7923,40 @@
"title": "Microsoft Global Secure Access Enriched M365 Logs",
"templateRelativePath": "GSAM365EnrichedEvents.json",
"provider": "Microsoft"
},
{
"workbookKey": "WindowsFirewallViaAMA",
"logoFileName": "WindowsFirewallViaAMA.svg",
"description": "Gain insights into Windows Firewall logs via AMA in combination with security and Azure signin logs.",
"dataTypesDependencies": [
"ASimNetworkSessionLogs",
"SecurityEvent",
"SigninLogs"
],
"dataConnectorsDependencies": [
"SecurityEvents",
"WindowsFirewall",
"WindowsSecurityEvents"
],
"previewImagesFileNames": [ "WindowsFirewallViaAMAWhite1.png", "WindowsFirewallViaAMABlack1.png", "WindowsFirewallViaAMAWhite2.png", "WindowsFirewallViaAMABlack2.png" ],
"version": "1.0",
"title": "Windows Firewall via AMA",
"templateRelativePath": "WindowsFirewallViaAMA.json",
"subtitle": "",
"provider": "Microsoft Sentinel community",
"support": {
"tier": "Community"
},
"author": {
"name": "John Joyner"
},
"source": {
"kind": "Community"
},
"categories": {
"domains": [
"Security"
]
}
}
]
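Review bot: `dataConnectorsDependencies` omits the sign-in log connector even though `dataTypesDependencies` lists `SigninLogs` and the workbook's own intro table names Azure Signin as a required connector, so the gallery cannot flag a missing sign-in connector for this template. Add the connector id this file already uses for other SigninLogs-backed workbooks to that array (`AzureActiveDirectory` in the Sentinel entries I recall, but verify against the existing entries rather than my memory). `"subtitle": ""` could be omitted instead of set to an empty string if neighbouring entries omit it, and `previewImagesFileNames` is the only array in the entry written on one line; both are cosmetic.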