Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

updated package Multi Cloud Attack

This commit is contained in:
v-rusraut 2024-02-23 14:51:12 +05:30
Родитель fa130dd92f
Коммит dfa826f812
5 изменённых файлов: 239 добавлений и 182 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

Двоичные данные
Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/Package/3.0.1.zip Normal file
Просмотреть файл

Двоичный файл не отображается.

2
Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/Package/createUiDefinition.json
Просмотреть файл

@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Multi%20Cloud%20Attack%20Coverage%20Essentials%20-%20Resource%20Abuse/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe rise of Multi Cloud Resource Abuse attacks poses a significant threat to the security and integrity of cloud infrastructures. These attacks target the vulnerabilities within AWS, GCP, and Azure cloud environments, aiming to exploit misconfigurations, weak access controls, or compromised credentials to gain unauthorized access, manipulate resources, and extract valuable data across diverse cloud platforms. The Multi Cloud Resource Abuse Attack Solution is designed to fortify the detection and prevention measures against such malicious activities. By integrating detection capabilities across AWS, GCP, and Azure cloud infrastructures, this solution offers a set of detection strategies across various cloud platforms, including AWS, GCP, and Azure, aiming to identify abnormal activities, unauthorized access attempts, resource misuse, and data exfiltration. The solution encompasses log monitoring, anomaly detection, and behaviour analysis to detect and respond to potential breaches or abuses. This solution extends its coverage to include a wide array of cloud-based services such as AWS IAM, Azure AD, GCP IAM, storage services, and more, ensuring a comprehensive approach to identifying, mitigating, and responding to potential threats.\n\n **Pre-requisites:**\n\n This is a [domain solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Cv-sudkharat%40microsoft.com%7C8ec0502d0fb449debbc108dbe9849194%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638360527889561785%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=XyqFj%2FfDBffyAPs4haVuOLs0g3vFY6jt%2B8pe%2F9gk0%2B0%3D&reserved=0) and does not include any data connectors. To achieve the most robust protection against Multi Cloud Resource Abuse, it is recommended to deploy this solution in conjunction with complementary tools and solutions across the cloud platforms. Install one or more of the listed solutions to unlock the value provided by this solution. \n\n[Microsoft Defender XDR](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoft365defenderazure-sentinel-solution-microsoft365defender)\n\n [Microsoft Entra ID](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-azureactivedirectoryazure-sentinel-solution-azureactivedirectory)\r\r\n[Amazon Web Services](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-amazonwebservicesazure-sentinel-solution-amazonwebservices)\n\n[Google Cloud Platform IAM](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-gcpiamazure-sentinel-solution-gcpiam)\n\n \n\n[Google Cloud Platform Audit Logs](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-gcpauditlogs-apiazure-sentinel-solution-gcpauditlogs-api) \n\nThis content covers all stages of the attack chain from an initial resource access attack vector, establishing persistence to an environment, locating and executing malicious activity from data stores, and then perpetrating and hiding their activity. This range of content complements the coverage Microsoft 365 Defender provides across Microsoft Defender products: https://learn.microsoft.com/microsoft-365/security/defender/automatic-attack-disruption\n\n**Keywords:** Multi-cloud, Cross-cloud, AWS, GCP, GuardDuty, AWS GuardDuty, GCP Security, Security Console, Cloud abuse, Resource Abuse\n\n**Analytic Rules:** 9\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Multi%20Cloud%20Attack%20Coverage%20Essentials%20-%20Resource%20Abuse/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe rise of Multi Cloud Resource Abuse attacks poses a significant threat to the security and integrity of cloud infrastructures. These attacks target the vulnerabilities within AWS, GCP, and Azure cloud environments, aiming to exploit misconfigurations, weak access controls, or compromised credentials to gain unauthorized access, manipulate resources, and extract valuable data across diverse cloud platforms. The Multi Cloud Resource Abuse Attack Solution is designed to fortify the detection and prevention measures against such malicious activities. By integrating detection capabilities across AWS, GCP, and Azure cloud infrastructures, this solution offers a set of detection strategies across various cloud platforms, including AWS, GCP, and Azure, aiming to identify abnormal activities, unauthorized access attempts, resource misuse, and data exfiltration. The solution encompasses log monitoring, anomaly detection, and behaviour analysis to detect and respond to potential breaches or abuses. This solution extends its coverage to include a wide array of cloud-based services such as AWS IAM, Azure AD, GCP IAM, storage services, and more, ensuring a comprehensive approach to identifying, mitigating, and responding to potential threats.\n\n **Pre-requisites:**\n\n This is a [domain solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Cv-sudkharat%40microsoft.com%7C8ec0502d0fb449debbc108dbe9849194%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638360527889561785%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=XyqFj%2FfDBffyAPs4haVuOLs0g3vFY6jt%2B8pe%2F9gk0%2B0%3D&reserved=0) and does not include any data connectors. To achieve the most robust protection against Multi Cloud Resource Abuse, it is recommended to deploy this solution in conjunction with complementary tools and solutions across the cloud platforms. Install one or more of the listed solutions to unlock the value provided by this solution. \n\nMicrosoft Defender XDR\n\n Microsoft Entra ID\r\r\nAmazon Web Services\n\nGoogle Cloud Platform IAM\n\n \n\nGoogle Cloud Platform Audit Logs \n\nThis content covers all stages of the attack chain from an initial resource access attack vector, establishing persistence to an environment, locating and executing malicious activity from data stores, and then perpetrating and hiding their activity. This range of content complements the coverage Microsoft 365 Defender provides across Microsoft Defender products: https://learn.microsoft.com/microsoft-365/security/defender/automatic-attack-disruption\n\n**Keywords:** Multi-cloud, Cross-cloud, AWS, GCP, GuardDuty, AWS GuardDuty, GCP Security, Security Console, Cloud abuse, Resource Abuse\n\n**Analytic Rules:** 9\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",

392
Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/Package/mainTemplate.json
Просмотреть файл

@ -33,7 +33,7 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "Multi Cloud Attack Coverage Essentials - Resource Abuse",
"_solutionVersion": "3.0.0",
"_solutionVersion": "3.0.1",
"solutionId": "azuresentinel.azure-sentinel-solution-multicloudattackcoverage",
"_solutionId": "[variables('solutionId')]",
"analyticRuleObject1": {
@ -119,7 +119,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "BrutforceAttemptOnAzurePortalAndAWSConsolAtSameTime_AnalyticalRules Analytics Rule with template version 3.0.0",
"description": "BrutforceAttemptOnAzurePortalAndAWSConsolAtSameTime_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@ -179,33 +179,33 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "Name",
"identifier": "Name"
"identifier": "Name",
"columnName": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
"identifier": "UPNSuffix",
"columnName": "UPNSuffix"
}
]
],
"entityType": "Account"
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
"identifier": "Address",
"columnName": "SourceIpAddress"
}
]
],
"entityType": "IP"
}
],
"customDetails": {
"UserAgent": "UserAgent",
"AzureClientAppUsed": "ClientAppUsed",
"AwsUser": "UserIdentityUserName",
"AzureUser": "UserPrincipalName",
"AwsUser": "UserIdentityUserName"
"UserAgent": "UserAgent"
}
}
},
@ -260,7 +260,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Cross-CloudSuspiciousComputeResourcecreationinGCP_AnalyticalRules Analytics Rule with template version 3.0.0",
"description": "Cross-CloudSuspiciousComputeResourcecreationinGCP_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@ -320,59 +320,59 @@
],
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "GCPUserIp",
"identifier": "Address"
"identifier": "Address",
"columnName": "GCPUserIp"
}
]
],
"entityType": "IP"
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "Name",
"identifier": "Name"
"identifier": "Name",
"columnName": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
"identifier": "UPNSuffix",
"columnName": "UPNSuffix"
}
]
],
"entityType": "Account"
}
],
"customDetails": {
"AWSAlertUserName": "AWSAlertUserNameEntity",
"AWSresourceType": "AWSresourceType",
"GCPVMType": "VMType",
"AWSAPICallCount": "APICallCount",
"AWSArn": "Arn",
"AWSInstanceType": "InstanceType",
"CorrelationWith": "GCPAuditLogs",
"AWSAPICallName": "APICallName",
"GCPVMName": "VMName",
"GCPProjectId": "[variables('_ProjectId')]",
"GCPUserAgent": "GCPUserUA"
"AWSresourceType": "AWSresourceType",
"AWSArn": "Arn",
"GCPUserAgent": "GCPUserUA",
"GCPVMType": "VMType",
"GCPVMName": "VMName",
"CorrelationWith": "GCPAuditLogs",
"AWSInstanceType": "InstanceType",
"AWSAlertUserName": "AWSAlertUserNameEntity"
},
"alertDetailsOverride": {
"alertSeverityColumnName": "Severity",
"alertDisplayNameFormat": "{{AWSNetworkEntity}} from {{AWSAlertTitle}} observed in GCP compute activity with {{GCPUserUPN}}",
"alertDescriptionFormat": " This detection compiles and correlates unauthorized user access alerts originating from AWS GuardDuty With Alert Description '{{AWSAlertDescription}}' assocated with GCP compute activities. It focuses on AWS GuardDuty alerts related to unauthorized user access, specifically targeting network IP associations tied to activities such as logins from malicious IP addresses or instance credential exfiltration attempts. The detection leverages these common network IP advisories to detect and pinpoint unauthorized users attempting to access both AWS and Azure resources. \n\n AWS ALert Link : '{{AWSAlertLink}}' \n\n Find More Details :https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html",
"alertDisplayNameFormat": "{{AWSNetworkEntity}} from {{AWSAlertTitle}} observed in GCP compute activity with {{GCPUserUPN}}",
"alertDynamicProperties": [
{
"value": "AWSAlertLink",
"alertProperty": "AlertLink"
"alertProperty": "AlertLink",
"value": "AWSAlertLink"
},
{
"value": "AWS",
"alertProperty": "ProviderName"
"alertProperty": "ProviderName",
"value": "AWS"
},
{
"value": "AWSGuarduty",
"alertProperty": "ProductComponentName"
"alertProperty": "ProductComponentName",
"value": "AWSGuarduty"
}
]
],
"alertSeverityColumnName": "Severity"
}
}
},
@ -427,7 +427,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "CrossCloudSuspiciousUserActivityObservedInGCPEnvourment_AnalyticalRules Analytics Rule with template version 3.0.0",
"description": "CrossCloudSuspiciousUserActivityObservedInGCPEnvourment_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@ -505,61 +505,61 @@
],
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "GCPUserIp",
"identifier": "Address"
"identifier": "Address",
"columnName": "GCPUserIp"
}
]
],
"entityType": "IP"
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "Name",
"identifier": "Name"
"identifier": "Name",
"columnName": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
"identifier": "UPNSuffix",
"columnName": "UPNSuffix"
}
]
],
"entityType": "Account"
}
],
"customDetails": {
"TimeDiff": "TimeDiff",
"AlertName": "AlertName",
"SystemAlertId": "[variables('_SystemAlertId')]",
"CorrelationWith": "GCPAuditLogs",
"GCPProjctId": "[variables('_GCPProjctId')]",
"MethodName": "MethodName",
"ServiceName": "ServiceName",
"LastAlert": "LastAlert",
"AlertUserUPN": "AlertUserUPN",
"FirstAlert": "FirstAlert",
"GCPCallerUA": "GCPCallerUA",
"Request": "Request",
"Tactics": "Tactics"
"MethodName": "MethodName",
"Tactics": "Tactics",
"AlertUserUPN": "AlertUserUPN",
"SystemAlertId": "[variables('_SystemAlertId')]",
"GCPProjctId": "[variables('_GCPProjctId')]",
"TimeDiff": "TimeDiff",
"FirstAlert": "FirstAlert",
"LastAlert": "LastAlert",
"CorrelationWith": "GCPAuditLogs",
"ServiceName": "ServiceName",
"GCPCallerUA": "GCPCallerUA",
"AlertName": "AlertName"
},
"alertDetailsOverride": {
"alertSeverityColumnName": "AlertSeverity",
"alertDisplayNameFormat": "A user {{GCPUserUPN}} has been linked to {{AlertName}}, and has potentially suspicious behavior within the GCP environment from, originating from the IP address {{GCPUserIp}}.",
"alertDescriptionFormat": " This detection compiles and correlates unauthorized user access alerts originating from {{ProductName}} With Alert Description '{{Description}}' observed activity in GCP environmeny. It focuses on Microsoft Security, specifically targeting user bhaviour and network IP associations tied to activities such as logins from malicious IP addresses or instance credential exfiltration attempts. The detection leverages these common network IP advisories to detect and pinpoint users suspicious activity to access both Azure and GCP resources. \n\n Microsoft Security ALert Link : '{{AlertLink}}'",
"alertDisplayNameFormat": "A user {{GCPUserUPN}} has been linked to {{AlertName}}, and has potentially suspicious behavior within the GCP environment from, originating from the IP address {{GCPUserIp}}.",
"alertDynamicProperties": [
{
"value": "AlertLink",
"alertProperty": "AlertLink"
"alertProperty": "AlertLink",
"value": "AlertLink"
},
{
"value": "ProductName",
"alertProperty": "ProviderName"
"alertProperty": "ProviderName",
"value": "ProductName"
},
{
"value": "Microsoft Security",
"alertProperty": "ProductComponentName"
"alertProperty": "ProductComponentName",
"value": "Microsoft Security"
}
]
],
"alertSeverityColumnName": "AlertSeverity"
}
}
},
@ -614,7 +614,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "CrossCloudUnauthorizedCredentialsAccessDetection_AnalyticalRules Analytics Rule with template version 3.0.0",
"description": "CrossCloudUnauthorizedCredentialsAccessDetection_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@ -658,6 +658,10 @@
"CredentialAccess",
"InitialAccess"
],
"subTechniques": [
"T1110.003",
"T1110.004"
],
"techniques": [
"T1557",
"T1110",
@ -669,66 +673,66 @@
],
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPAddress",
"identifier": "Address"
"identifier": "Address",
"columnName": "IPAddress"
}
]
],
"entityType": "IP"
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "Name",
"identifier": "Name"
"identifier": "Name",
"columnName": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
"identifier": "UPNSuffix",
"columnName": "UPNSuffix"
}
]
],
"entityType": "Account"
}
],
"customDetails": {
"AWSArn": "Arn",
"AzureUserAgent": "UserAgent",
"AWSAplicationName": "RDSApplication",
"AzureUser": "UserPrincipalName",
"AWSInstanceId": "[variables('_RDSInstanceId')]",
"AWSInstanceType": "RDSactionType",
"AWSresourceType": "AWSresourceType",
"AzConditionalAccess": "ConditionalAccessStatus",
"AzureClientAppUsed": "ClientAppUsed",
"AzureRiskDetail": "RiskDetail",
"AzAuthRequirement": "AuthenticationRequirement",
"AzConditionalAccess": "ConditionalAccessStatus",
"AWSInstanceId": "[variables('_RDSInstanceId')]",
"AzureClientAppUsed": "ClientAppUsed",
"alertSeverity": "Severity",
"AWSAlertUserName": "RDSUser",
"AWSAplicationName": "RDSApplication",
"AWSInstanceType": "RDSactionType",
"AzureUserAgent": "UserAgent",
"AzureUser": "UserPrincipalName",
"AzureOperationName": "OperationName",
"AzAuthRequirement": "AuthenticationRequirement"
"AWSAlertUserName": "RDSUser",
"AWSArn": "Arn"
},
"alertDetailsOverride": {
"alertSeverityColumnName": "Severity",
"alertDisplayNameFormat": "IP address {{IPAddress}} in {{AWSAlertTitle}} seen in Azure Signin Logs with {{UserPrincipalName}}",
"alertDescriptionFormat": "This detection correlates AWS GuardDuty Credential Access alert described '{{AWSAlertDescription}}' related to Amazon Relational Database Service (RDS) activity with Azure portal sign-in activities. It identifies successful and failed logins, anomalous behavior, and malicious IP access. By joining these datasets on network entities and IP addresses, it detects unauthorized credential access attempts across AWS and Azure resources, enhancing cross-cloud security monitoring. \n\n AWS ALert Link : '{{AWSAlertLink}}' \n\n Find More Details :https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html",
"alertDisplayNameFormat": "IP address {{IPAddress}} in {{AWSAlertTitle}} seen in Azure Signin Logs with {{UserPrincipalName}}",
"alertDynamicProperties": [
{
"value": "AWSAlertLink",
"alertProperty": "AlertLink"
"alertProperty": "AlertLink",
"value": "AWSAlertLink"
},
{
"value": "AWS",
"alertProperty": "ProviderName"
"alertProperty": "ProviderName",
"value": "AWS"
},
{
"value": "AWSGuardDuty",
"alertProperty": "ProductName"
"alertProperty": "ProductName",
"value": "AWSGuardDuty"
},
{
"value": "AWSGuardDuty",
"alertProperty": "ProductComponentName"
"alertProperty": "ProductComponentName",
"value": "AWSGuardDuty"
}
]
],
"alertSeverityColumnName": "Severity"
}
}
},
@ -783,7 +787,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "SuccessfulAWSConsoleLoginfromIPAddressObservedConductingPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.0",
"description": "SuccessfulAWSConsoleLoginfromIPAddressObservedConductingPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
@ -851,32 +855,32 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "Name",
"identifier": "Name"
"identifier": "Name",
"columnName": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
"identifier": "UPNSuffix",
"columnName": "UPNSuffix"
}
]
],
"entityType": "Account"
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
"identifier": "Address",
"columnName": "SourceIpAddress"
}
]
],
"entityType": "IP"
}
],
"customDetails": {
"UserAgent": "UserAgent",
"AWSUserUPN": "CTUPN",
"AWSUser": "UserIdentityArn"
"AWSUser": "UserIdentityArn",
"UserAgent": "UserAgent"
}
}
},
@ -931,7 +935,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "SuspiciousAWSConsolLoginByCredentialAceessAlerts_AnalyticalRules Analytics Rule with template version 3.0.0",
"description": "SuspiciousAWSConsolLoginByCredentialAceessAlerts_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
@ -1004,33 +1008,33 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "Name",
"identifier": "Name"
"identifier": "Name",
"columnName": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
"identifier": "UPNSuffix",
"columnName": "UPNSuffix"
}
]
],
"entityType": "Account"
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
"identifier": "Address",
"columnName": "SourceIpAddress"
}
]
],
"entityType": "IP"
}
],
"customDetails": {
"UserAgent": "UserAgent",
"AWSUSerUPN": "CTUPN",
"AzureUserUPN": "AccountUPN",
"ComonIp": "SourceIpAddress"
"UserAgent": "UserAgent",
"ComonIp": "SourceIpAddress",
"AzureUserUPN": "AccountUPN"
}
}
},
@ -1085,7 +1089,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Unauthorized_user_access_across_AWS_and_Azure_AnalyticalRules Analytics Rule with template version 3.0.0",
"description": "Unauthorized_user_access_across_AWS_and_Azure_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
@ -1130,6 +1134,10 @@
"Exfiltration",
"Discovery"
],
"subTechniques": [
"T1110.003",
"T1110.004"
],
"techniques": [
"T1557",
"T1110",
@ -1142,66 +1150,66 @@
],
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPAddress",
"identifier": "Address"
"identifier": "Address",
"columnName": "IPAddress"
}
]
],
"entityType": "IP"
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "Name",
"identifier": "Name"
"identifier": "Name",
"columnName": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
"identifier": "UPNSuffix",
"columnName": "UPNSuffix"
}
]
],
"entityType": "Account"
}
],
"customDetails": {
"AWSAPICallName": "APICallName",
"AzureUserAgent": "UserAgent",
"AzureUser": "UserPrincipalName",
"AWSresourceType": "AWSresourceType",
"AWSInstanceType": "InstanceType",
"AWSArn": "Arn",
"AWSAPICallCount": "APICallCount",
"AWSresourceType": "AWSresourceType",
"AzureRiskDetail": "RiskDetail",
"AzAuthRequirement": "AuthenticationRequirement",
"AzConditionalAccess": "ConditionalAccessStatus",
"AzureClientAppUsed": "ClientAppUsed",
"AzureRiskDetail": "RiskDetail",
"alertSeverity": "Severity",
"AWSAlertUserName": "AWSAlertUserNameEntity",
"AWSAPICallName": "APICallName",
"AWSInstanceType": "InstanceType",
"AzureUserAgent": "UserAgent",
"AzureUser": "UserPrincipalName",
"AzureOperationName": "OperationName",
"AzAuthRequirement": "AuthenticationRequirement"
"AWSAlertUserName": "AWSAlertUserNameEntity",
"AWSArn": "Arn"
},
"alertDetailsOverride": {
"alertSeverityColumnName": "Severity",
"alertDisplayNameFormat": "{{AWSNetworkEntity}} from {{AWSAlertTitle}} observed in Azure Singins with {{UserPrincipalName}}",
"alertDescriptionFormat": " This detection compiles and correlates unauthorized user access alerts originating from AWS GuardDuty With Alert Description '{{AWSAlertDescription}}' with Azure portal sign-in activities. It focuses on AWS GuardDuty alerts related to unauthorized user access, specifically targeting network IP associations tied to activities such as logins from malicious IP addresses or instance credential exfiltration attempts. The detection leverages these common network IP advisories to detect and pinpoint unauthorized users attempting to access both AWS and Azure resources. \n\n AWS ALert Link : '{{AWSAlertLink}}' \n\n Find More Details :https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html",
"alertDisplayNameFormat": "{{AWSNetworkEntity}} from {{AWSAlertTitle}} observed in Azure Singins with {{UserPrincipalName}}",
"alertDynamicProperties": [
{
"value": "AWSAlertLink",
"alertProperty": "AlertLink"
"alertProperty": "AlertLink",
"value": "AWSAlertLink"
},
{
"value": "AWS",
"alertProperty": "ProviderName"
"alertProperty": "ProviderName",
"value": "AWS"
},
{
"value": "AWSGuardDuty",
"alertProperty": "ProductName"
"alertProperty": "ProductName",
"value": "AWSGuardDuty"
},
{
"value": "AWSGuardDuty",
"alertProperty": "ProductComponentName"
"alertProperty": "ProductComponentName",
"value": "AWSGuardDuty"
}
]
],
"alertSeverityColumnName": "Severity"
}
}
},
@ -1256,7 +1264,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "UserImpersonateByAAID_AnalyticalRules Analytics Rule with template version 3.0.0",
"description": "UserImpersonateByAAID_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
@ -1304,19 +1312,19 @@
],
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
"identifier": "Address",
"columnName": "SourceIpAddress"
}
]
],
"entityType": "IP"
}
],
"customDetails": {
"AlertIp": "ipAddress",
"AlertName": "AlertName",
"AWSUser": "UserIdentityArn"
"AWSUser": "UserIdentityArn",
"AlertIp": "ipAddress"
}
}
},
@ -1371,7 +1379,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "UserImpersonateByRiskyUser_AnalyticalRules Analytics Rule with template version 3.0.0",
"description": "UserImpersonateByRiskyUser_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]",
@ -1414,6 +1422,10 @@
"tactics": [
"PrivilegeEscalation"
],
"subTechniques": [
"T1078.002",
"T1078.004"
],
"techniques": [
"T1134",
"T1078",
@ -1421,20 +1433,20 @@
],
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
"identifier": "Address",
"columnName": "SourceIpAddress"
}
]
],
"entityType": "IP"
}
],
"customDetails": {
"RiskEventTypes": "RiskEventTypes",
"AWSEventName": "EventName",
"AwsUser": "UserIdentityArn",
"AzureUser": "UserPrincipalName",
"AwsUser": "UserIdentityArn"
"RiskEventTypes": "RiskEventTypes"
}
}
},
@ -1485,12 +1497,12 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "3.0.0",
"version": "3.0.1",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Multi Cloud Attack Coverage Essentials - Resource Abuse",
"publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
"descriptionHtml": "<p><strong>Note:</strong> <em>There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</em></p>\n<p>The rise of Multi Cloud Resource Abuse attacks poses a significant threat to the security and integrity of cloud infrastructures. These attacks target the vulnerabilities within AWS, GCP, and Azure cloud environments, aiming to exploit misconfigurations, weak access controls, or compromised credentials to gain unauthorized access, manipulate resources, and extract valuable data across diverse cloud platforms. The Multi Cloud Resource Abuse Attack Solution is designed to fortify the detection and prevention measures against such malicious activities. By integrating detection capabilities across AWS, GCP, and Azure cloud infrastructures, this solution offers a set of detection strategies across various cloud platforms, including AWS, GCP, and Azure, aiming to identify abnormal activities, unauthorized access attempts, resource misuse, and data exfiltration. The solution encompasses log monitoring, anomaly detection, and behaviour analysis to detect and respond to potential breaches or abuses. This solution extends its coverage to include a wide array of cloud-based services such as AWS IAM, Azure AD, GCP IAM, storage services, and more, ensuring a comprehensive approach to identifying, mitigating, and responding to potential threats.</p>\n<p><strong>Pre-requisites:</strong></p>\n<p>This is a <a href=\"https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&amp;data=05%7C01%7Cv-sudkharat%40microsoft.com%7C8ec0502d0fb449debbc108dbe9849194%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638360527889561785%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=XyqFj%2FfDBffyAPs4haVuOLs0g3vFY6jt%2B8pe%2F9gk0%2B0%3D&amp;reserved=0\">domain solution</a> and does not include any data connectors. To achieve the most robust protection against Multi Cloud Resource Abuse, it is recommended to deploy this solution in conjunction with complementary tools and solutions across the cloud platforms. Install one or more of the listed solutions to unlock the value provided by this solution.</p>\n<p><a href=\"https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoft365defenderazure-sentinel-solution-microsoft365defender\">Microsoft Defender XDR</a></p>\n<p><a href=\"https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-azureactivedirectoryazure-sentinel-solution-azureactivedirectory\">Microsoft Entra ID</a></p>\n<p><a href=\"https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-amazonwebservicesazure-sentinel-solution-amazonwebservices\">Amazon Web Services</a></p>\n<p><a href=\"https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-gcpiamazure-sentinel-solution-gcpiam\">Google Cloud Platform IAM</a></p>\n<p><a href=\"https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-gcpauditlogs-apiazure-sentinel-solution-gcpauditlogs-api\">Google Cloud Platform Audit Logs</a></p>\n<p>This content covers all stages of the attack chain from an initial resource access attack vector, establishing persistence to an environment, locating and executing malicious activity from data stores, and then perpetrating and hiding their activity. This range of content complements the coverage Microsoft 365 Defender provides across Microsoft Defender products: <a href=\"https://learn.microsoft.com/microsoft-365/security/defender/automatic-attack-disruption\">https://learn.microsoft.com/microsoft-365/security/defender/automatic-attack-disruption</a></p>\n<p><strong>Keywords:</strong> Multi-cloud, Cross-cloud, AWS, GCP, GuardDuty, AWS GuardDuty, GCP Security, Security Console, Cloud abuse, Resource Abuse</p>\n<p><strong>Analytic Rules:</strong> 9</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
"descriptionHtml": "<p><strong>Note:</strong> <p>• There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</p>\n<p>The rise of Multi Cloud Resource Abuse attacks poses a significant threat to the security and integrity of cloud infrastructures. These attacks target the vulnerabilities within AWS, GCP, and Azure cloud environments, aiming to exploit misconfigurations, weak access controls, or compromised credentials to gain unauthorized access, manipulate resources, and extract valuable data across diverse cloud platforms. The Multi Cloud Resource Abuse Attack Solution is designed to fortify the detection and prevention measures against such malicious activities. By integrating detection capabilities across AWS, GCP, and Azure cloud infrastructures, this solution offers a set of detection strategies across various cloud platforms, including AWS, GCP, and Azure, aiming to identify abnormal activities, unauthorized access attempts, resource misuse, and data exfiltration. The solution encompasses log monitoring, anomaly detection, and behaviour analysis to detect and respond to potential breaches or abuses. This solution extends its coverage to include a wide array of cloud-based services such as AWS IAM, Azure AD, GCP IAM, storage services, and more, ensuring a comprehensive approach to identifying, mitigating, and responding to potential threats.</p>\n<p><strong>Pre-requisites:</strong></p>\n<p>This is a <a href=\"https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&amp;data=05%7C01%7Cv-sudkharat%40microsoft.com%7C8ec0502d0fb449debbc108dbe9849194%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638360527889561785%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=XyqFj%2FfDBffyAPs4haVuOLs0g3vFY6jt%2B8pe%2F9gk0%2B0%3D&amp;reserved=0\">domain solution</a> and does not include any data connectors. To achieve the most robust protection against Multi Cloud Resource Abuse, it is recommended to deploy this solution in conjunction with complementary tools and solutions across the cloud platforms. Install one or more of the listed solutions to unlock the value provided by this solution.</p>\n<p>Microsoft Defender XDR</p>\n<p>Microsoft Entra ID</p>\n<p>Amazon Web Services</p>\n<p>Google Cloud Platform IAM</p>\n<p>Google Cloud Platform Audit Logs</p>\n<p>This content covers all stages of the attack chain from an initial resource access attack vector, establishing persistence to an environment, locating and executing malicious activity from data stores, and then perpetrating and hiding their activity. This range of content complements the coverage Microsoft 365 Defender provides across Microsoft Defender products: <a href=\"https://learn.microsoft.com/microsoft-365/security/defender/automatic-attack-disruption\">https://learn.microsoft.com/microsoft-365/security/defender/automatic-attack-disruption</a></p>\n<p><strong>Keywords:</strong> Multi-cloud, Cross-cloud, AWS, GCP, GuardDuty, AWS GuardDuty, GCP Security, Security Console, Cloud abuse, Resource Abuse</p>\n<p><strong>Analytic Rules:</strong> 9</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
@ -1559,6 +1571,26 @@
"kind": "AnalyticsRule",
"contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
"version": "[variables('analyticRuleObject9').analyticRuleVersion9]"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-microsoft365defender"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-azureactivedirectory"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-amazonwebservices"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-gcpiam"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-gcpauditlogs-api"
}
]
},

24
Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/Package/testParameters.json Normal file
Просмотреть файл

@ -0,0 +1,24 @@
{
"location": {
"type": "string",
"minLength": 1,
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
}
},
"workspace-location": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
}
},
"workspace": {
"defaultValue": "",
"type": "string",
"metadata": {
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
}
}
}

3
Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/ReleaseNotes.md
Просмотреть файл

@ -1,3 +1,4 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|--------------------------------------------------------------------|
| 3.0.0 | 22-11-2023 | Initial Release |
| 3.0.1 | 23-02-2024 | Tagged for dependent solutions for deployment |
| 3.0.0 | 22-11-2023 | Initial Release |