Merge pull request #3374 from Azure/v-ntripathi/CMMCPlaybookSolution

update
This commit is contained in:
v-jayakal 2021-11-03 06:01:32 -07:00 committed by GitHub
Parent 76b74c6033 ed0f6c6b18
Commit e4b7cc4142
No key found matching this signature
GPG key ID: 4AEE18F83AFDEB23
12 changed files: 636 additions and 52 deletions

Binary file not shown.

View file

@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe Cybersecurity Maturity Model Certification (CMMC) model consists of maturity processes and cybersecurity best practices from multiple cybersecurity standards, frameworks, and other references, as well as inputs from the Defense Industrial Base (DIB) and Department of Defense (DoD stakeholders. The CMMC model specifies 5 levels of maturity measurement from Maturity Level 1 (Basic Cyber Hygiene) to Maturity Level 5 (Proactive & Advanced Cyber Practice). For more information, see the Office of the Under Secretary of Defense for Acquisition & Sustainment 💡[CMMC Model](https://www.acq.osd.mil/cmmc/draft.html).\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Workbooks:** 1, **Analytic Rules:** 10\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe Cybersecurity Maturity Model Certification (CMMC) model consists of maturity processes and cybersecurity best practices from multiple cybersecurity standards, frameworks, and other references, as well as inputs from the Defense Industrial Base (DIB) and Department of Defense (DoD stakeholders. The CMMC model specifies 5 levels of maturity measurement from Maturity Level 1 (Basic Cyber Hygiene) to Maturity Level 5 (Proactive & Advanced Cyber Practice). For more information, see the Office of the Under Secretary of Defense for Acquisition & Sustainment 💡[CMMC Model](https://www.acq.osd.mil/cmmc/draft.html).\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Workbooks:** 1, **Analytic Rules:** 10, **Playbooks:** 1\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
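Review bot: the unbalanced parenthesis in "Department of Defense (DoD stakeholders" is carried over unchanged into the rewritten description line; since this line is already being edited to add "**Playbooks:** 1", close it as "(DoD) stakeholders" in the same change rather than leaving the typo in the marketplace text.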
@ -260,13 +260,101 @@
]
}
]
},
{
"name": "playbooks",
"label": "Playbooks",
"subLabel": {
"preValidation": "Configure the playbooks",
"postValidation": "Done"
},
"bladeTitle": "Playbooks",
"elements": [
{
"name": "playbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs playbook resources. A security playbook is a collection of procedures that can be run from Azure Sentinel in response to an alert. A security playbook can help automate and orchestrate your response, and can be run manually or set to run automatically when specific alerts are triggered. Security playbooks in Azure Sentinel are based on Azure Logic Apps, which means that you get all the power, customizability, and built-in templates of Logic Apps. Each playbook is created for the specific subscription you choose, but when you look at the Playbooks page, you will see all the playbooks across any selected subscriptions.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
}
}
},
{
"name": "playbook1",
"type": "Microsoft.Common.Section",
"label": "Notify-GovernanceComplianceTeam",
"elements": [
{
"name": "playbook1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This playbook ingests events from CybersecurityMaturityModelCertification(CMMC) into Log Analytics using the API."
}
},
{
"name": "playbook1-PlaybookName",
"type": "Microsoft.Common.TextBox",
"label": "Playbook Name",
"defaultValue": "Notify-GovernanceComplianceTeam",
"toolTip": "Resource name for the logic app playbook. No spaces are allowed",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a playbook resource name"
}
},
{
"name": "playbook1-Email",
"type": "Microsoft.Common.TextBox",
"label": "Email",
"defaultValue": "GovernanceComplianceTeam@example.com",
"toolTip": "Please enter Email",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter the Email"
}
},
{
"name": "playbook1-TeamschannelId",
"type": "Microsoft.Common.TextBox",
"label": "Teamschannel Id",
"defaultValue": "GovernanceComplianceTeam",
"toolTip": "Please enter Teamschannel Id",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter the Teamschannel Id"
}
},
{
"name": "playbook1-TeamsgroupId",
"type": "Microsoft.Common.TextBox",
"label": "Teamsgroup Id",
"defaultValue": "GovernanceComplianceTeam",
"toolTip": "Please enter Teamsgroup Id",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter the Teamsgroup Id"
}
}
]
}
]
}
],
"outputs": {
"workspace-location": "[resourceGroup().location]",
"location": "[location()]",
"workspace": "[basics('workspace')]",
"workbook1-name": "[steps('workbooks').workbook1.workbook1-name]"
"workbook1-name": "[steps('workbooks').workbook1.workbook1-name]",
"playbook1-PlaybookName": "[steps('playbooks').playbook1.playbook1-PlaybookName]",
"playbook1-Email": "[steps('playbooks').playbook1.playbook1-Email]",
"playbook1-TeamschannelId": "[steps('playbooks').playbook1.playbook1-TeamschannelId]",
"playbook1-TeamsgroupId": "[steps('playbooks').playbook1.playbook1-TeamsgroupId]"
}
}
}
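Review bot: the validation regex `[a-z0-9A-Z]{1,256}$` used for playbook1-PlaybookName, playbook1-Email, playbook1-TeamschannelId and playbook1-TeamsgroupId has no `^` anchor, so it accepts any value whose last character is alphanumeric, including the spaces the tooltip says are not allowed; anchor it (`^[a-z0-9A-Z]{1,256}$`) for the resource name and give the Email box a pattern that deliberately permits `@` and `.` (the default `GovernanceComplianceTeam@example.com` only passes today because it happens to end in letters). The playbook1-text block says the playbook "ingests events from CybersecurityMaturityModelCertification(CMMC) into Log Analytics using the API", which does not describe a Notify-GovernanceComplianceTeam playbook that collects an e-mail address and Teams channel/group IDs; replace it with what the playbook actually does. The Teams IDs default to the literal string `GovernanceComplianceTeam`, a placeholder rather than an identifier, so consider shipping them without a default so the deployer must supply real values.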

File diff hidden because one or more lines are too long.

View file

@ -8,6 +8,9 @@
"Workbooks": [
"Workbooks/CybersecurityMaturityModelCertification(CMMC).json"
],
"Playbooks": [
"Playbooks/Notify_GovernanceComplianceTeam.json"
],
"Analytic Rules": [
"Analytic Rules/AccessControlControlFamilyMonitoring.yaml",
"Analytic Rules/Audit&AccountabilityControlFamilyMonitoring.yaml",
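Review bot: the added package entry `Playbooks/Notify_GovernanceComplianceTeam.json` uses an underscore while the createUiDefinition section label and default resource name in this same PR use `Notify-GovernanceComplianceTeam`; pick one spelling so the packaged file and the deployed Logic App name match.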
@ -22,5 +25,5 @@
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\azure\\Solutions\\CybersecurityMaturityModelCertification(CMMC)",
"Version": "1.0.0"
"Version": "1.0.1"
}
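Review bot: `BasePath` is a contributor-local absolute Windows path (`C:\\GitHub\\azure\\Solutions\\...`) committed next to the version bump to 1.0.1; anyone else rebuilding the package must edit it first, so either make it relative to the repository root or note in the solution readme that it is machine-specific.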

View file

@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">\n\n**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThere has been a long-standing split between SCADA (OT) and Corporate (IT) cybersecurity. This split was often driven by significant differences in technology/tooling. Azure Defender for IoT's integration with Azure Sentinel drives convergency by providing a single pane for coverage of both D4IOT (OT) and Azure Sentinel (IT) alerting. This solution includes (1) Workbook and (10) Analytics rules and provides a guided investigation for security operations teams. The workbook features IT/OT filtering for Security Alerts, Incidents, and Asset Inventory. The workbook also features a dynamic assessment of the MITRE ATT&CK for ICS matrix across your environment to analyze and respond to IOT-based threats. This solution is designed to enable SecOps Analysts, Security Engineers, and MSSPs to gain situational awareness for IT/OT security posture. This solution is enhanced when integrated with complimentary Microsoft Offerings such as ✳️ Azure Defender for IoT, ✳️ Azure Sentinel, and ✳️ Azure Security Center. 
This workbook augments staffing through automation, artificial intelligence, machine learning, query/alerting generation and visualizations.\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Workbooks:** 1, **Analytic Rules:** 14, **Playbooks:** 3\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">\n\n**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThere has been a long-standing split between ICS/SCADA (OT) and Corporate (IT) cybersecurity. This split was often driven by significant differences in technology/tooling. Microsoft Defender for IoT's integration with Azure Sentinel drives convergency by providing a single pane for coverage of both D4IOT (OT) and Azure Sentinel (IT) alerting. This solution includes Workbooks, Analytics rules, and Playbooks providing a guide OT detection, Analysis, and Response.\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Workbooks:** 1, **Analytic Rules:** 14, **Playbooks:** 3\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
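Review bot: the rewritten description keeps the `<img>` tag with no whitespace between its attributes (`...svg\"width=\"75px\"height=\"75px\"`), which is malformed HTML and may not render the logo at the intended size; while this line is being edited also fix "drives convergency" (convergence) and "providing a guide OT detection, Analysis, and Response" (guided OT detection, analysis, and response).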

Binary data
Solutions/MicrosoftInsiderRiskManagement/Package/1.0.3.zip Normal file

Binary file not shown.

View file

@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe Azure Sentinel: Insider Risk Management Solution (https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/InsiderRiskManagement/readme.md) demonstrates the “better together” story between Microsoft 365 Insider Risk Management and Azure Sentinel. This workbook integrates telemetry from 25+ Microsoft security products to provide actionable insights into insider risk management. Reporting tools provide “Go to Alert” links to provide deeper integration between products and a simplified user experience for exploring alerts. A filter set provides custom reporting for Guide, Subscription, Workspace, and Time. The workbook can be exported as a PDF or print report via the Print Workbooks feature. Content sections include Overviews, Insider Risk Management, Watchlist, and User Forensics. The Overview tab provides recommendations for building insider risk program architectures. The Insider Risk tab provides alert reporting by both insider risk scenarios such as Sensitive Data Leaks, Security Violations, and MITRE ATT&CK tactics. The Watchlist tab provides filtering by Azure Sentinel Watchlists and the User Forensics tab collects logging telemetry by user. 
The user experience includes designing insider risk management architectures and streamlining telemetry from all users > watchlist > specific users while transitioning to M365 Insider Risk Management to investigate/resolve activity of interest.\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Workbooks:** 1, **Analytic Rules:** 5, **Hunting Queries:** 5\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe Azure Sentinel: Insider Risk Management Solution (https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/InsiderRiskManagement/readme.md) demonstrates the “better together” story between Microsoft 365 Insider Risk Management and Azure Sentinel. This workbook integrates telemetry from 25+ Microsoft security products to provide actionable insights into insider risk management. Reporting tools provide “Go to Alert” links to provide deeper integration between products and a simplified user experience for exploring alerts. A filter set provides custom reporting for Guide, Subscription, Workspace, and Time. The workbook can be exported as a PDF or print report via the Print Workbooks feature. Content sections include Overviews, Insider Risk Management, Watchlist, and User Forensics. The Overview tab provides recommendations for building insider risk program architectures. The Insider Risk tab provides alert reporting by both insider risk scenarios such as Sensitive Data Leaks, Security Violations, and MITRE ATT&CK tactics. The Watchlist tab provides filtering by Azure Sentinel Watchlists and the User Forensics tab collects logging telemetry by user. 
The user experience includes designing insider risk management architectures and streamlining telemetry from all users > watchlist > specific users while transitioning to M365 Insider Risk Management to investigate/resolve activity of interest.\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Workbooks:** 1, **Analytic Rules:** 5, **Hunting Queries:** 5, **Playbooks:** 1\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
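Review bot: the description's readme link still points at `Solutions/InsiderRiskManagement/readme.md` while the rest of this PR renames the solution to MicrosoftInsiderRiskManagement (section label, default workbook name, template comments, and the `Solutions/MicrosoftInsiderRiskManagement/Package/1.0.3.zip` package path); update the link or confirm the old folder is kept so the marketplace text does not 404.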
@ -74,7 +74,7 @@
{
"name": "workbook1",
"type": "Microsoft.Common.Section",
"label": "InsiderRiskManagement",
"label": "MicrosoftInsiderRiskManagement",
"elements": [
{
"name": "workbook1-text",
@ -87,7 +87,7 @@
"name": "workbook1-name",
"type": "Microsoft.Common.TextBox",
"label": "Display Name",
"defaultValue": "InsiderRiskManagement",
"defaultValue": "MicrosoftInsiderRiskManagement",
"toolTip": "Display name for the workbook.",
"constraints": {
"required": true,
@ -112,7 +112,7 @@
"name": "analytics-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs analytic rules for InsiderRiskManagement that you can enable for custom alert generation in Azure Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Azure Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.",
"text": "This Azure Sentinel Solution installs analytic rules for MicrosoftInsiderRiskManagement that you can enable for custom alert generation in Azure Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Azure Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
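Review bot: the user-facing text now reads "analytic rules for MicrosoftInsiderRiskManagement", substituting the solution identifier for prose; in display strings write "Microsoft Insider Risk Management" and keep the concatenated form for resource names and labels only.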
@ -200,7 +200,7 @@
"name": "huntingqueries-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs hunting queries for InsiderRiskManagement that you can run in Azure Sentinel. These hunting queries will be deployed in the Hunting gallery of your Azure Sentinel workspace. Run these hunting queries to hunt for threats in the Hunting gallery after this Solution deploys.",
"text": "This Azure Sentinel Solution installs hunting queries for MicrosoftInsiderRiskManagement that you can run in Azure Sentinel. These hunting queries will be deployed in the Hunting gallery of your Azure Sentinel workspace. Run these hunting queries to hunt for threats in the Hunting gallery after this Solution deploys.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/hunting"
@ -216,7 +216,7 @@
"name": "huntingquery1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This alert joins Azure Sentinel UEBA (Behavior Analytics) with Microsoft 365 Insider Risk Management Alerts (SecurityAlerts) for correlation of an M365 IRM Alert to Behavioral Anomalies. Resuls include UserPrincipalName, Entity Anomalies, Start/End Time, Alert Link, and Previous Alert Links. There is an option for configuration of correlations against Azure Sentinel watchlists. For more information, see [Use Azure Sentinel watchlists](https://docs.microsoft.com/azure/sentinel/watchlists) It depends on the BehaviorAnalytics OfficeATP data connector and BehaviorAnalytics SecurityAlert (Office 365) data type and BehaviorAnalytics OfficeATP parser."
"text": "This query joins Azure Sentinel UEBA with Microsoft 365 Insider Risk Management Alerts. There is also an option for configuration of correlations against watchlists. For more information, see https://docs.microsoft.com/azure/sentinel/watchlists It depends on the BehaviorAnalytics OfficeATP data connector and BehaviorAnalytics SecurityAlert (Office 365) data type and BehaviorAnalytics OfficeATP parser."
}
}
]
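Review bot: in the new huntingquery1-text the bare URL is immediately followed by "It depends on ..." with no sentence terminator, so the description reads as a run-on; keep the markdown link form from the removed line (`[Use Azure Sentinel watchlists](https://docs.microsoft.com/azure/sentinel/watchlists)`) and end that sentence with a period. The rewrite also drops the list of returned fields (UserPrincipalName, anomalies, start/end time, alert links); acceptable if the goal is brevity, but confirm it is intentional.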
@ -230,7 +230,7 @@
"name": "huntingquery2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This alert joins Azure Sentinel UEBA (BehaviorAnalytics) to Security Alerts from Microsoft products for a correlation of Internet Service Provider anomalies to data exfiltration. Data exfiltration is categorized by the MITRE ATT&CK Tactic in the SecurityAlerts table. Results include UserPrincipalName, ISPAnomalies, AlertName, Previous Alert Links, and Time Generated. There is an option for configuration of correlations against Azure Sentinel watchlists. For more information, see [Use Azure Sentinel watchlists](https://docs.microsoft.com/azure/sentinel/watchlists) It depends on the BehaviorAnalytics MicrosoftDefenderAdvancedThreatProtection AzureActiveDirectoryIdentityProtection AzureSecurityCenter IoT MicrosoftCloudAppSecurity IoT OfficeATP data connector and BehaviorAnalytics SecurityAlert (MDATP) SecurityAlert (IPC) SecurityAlert (ASC) SecurityAlert (ASC for IoT) SecurityAlert (ASC for IoT) SecurityAlert (MCAS) SecurityAlert (Office 365) data type and BehaviorAnalytics MicrosoftDefenderAdvancedThreatProtection AzureActiveDirectoryIdentityProtection AzureSecurityCenter IoT MicrosoftCloudAppSecurity IoT OfficeATP parser."
"text": "This query joins UEBA to Security Alerts from Microsoft products for a correlation of Internet Service Provider anomalies to data exfiltration (watchlist options). For more information, see https://docs.microsoft.com/azure/sentinel/watchlists It depends on the BehaviorAnalytics MicrosoftDefenderAdvancedThreatProtection AzureActiveDirectoryIdentityProtection AzureSecurityCenter IoT MicrosoftCloudAppSecurity IoT OfficeATP data connector and BehaviorAnalytics SecurityAlert (MDATP) SecurityAlert (IPC) SecurityAlert (ASC) SecurityAlert (ASC for IoT) SecurityAlert (ASC for IoT) SecurityAlert (MCAS) SecurityAlert (Office 365) data type and BehaviorAnalytics MicrosoftDefenderAdvancedThreatProtection AzureActiveDirectoryIdentityProtection AzureSecurityCenter IoT MicrosoftCloudAppSecurity IoT OfficeATP parser."
}
}
]
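Review bot: the dependency sentence in huntingquery2-text lists `IoT` twice in the connector list and `SecurityAlert (ASC for IoT)` twice in the data-type list, in both the removed and the added line; dedupe while rewriting, and add the missing period between the watchlists URL and "It depends on".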
@ -244,7 +244,7 @@
"name": "huntingquery3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This alert leverages Azure Sentinel User Entity Behavior Analytics (UEBA) via the BehaviorAnalytics table. Entity insights including uncommon action, uncommon action volume, first time device logon, and first time user action are summarized by entity. The alert returns entity counts by anomaly and user principal name including ranges for start/end time observed. There is an option for configuration of correlations against Azure Sentinel watchlists. For more information, see [Use Azure Sentinel watchlists](https://docs.microsoft.com/azure/sentinel/watchlists) It depends on the BehaviorAnalytics AzureActiveDirectory data connector and BehaviorAnalytics SigninLogs data type and BehaviorAnalytics AzureActiveDirectory parser."
"text": "This query returns entity counts by anomaly and user principal name including ranges for start/end time observed (watchlists configurable). For more information, see https://docs.microsoft.com/azure/sentinel/watchlists It depends on the BehaviorAnalytics AzureActiveDirectory data connector and BehaviorAnalytics SigninLogs data type and BehaviorAnalytics AzureActiveDirectory parser."
}
}
]
@ -258,7 +258,7 @@
"name": "huntingquery4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This alert joins Azure Sentinel UEBA (BehaviorAnalytics) to Security Alerts to Azure Activity. This alert is designed to correlate users with entity anomalies, security alerts, and delete/remove actions for identification of possible sabotage activities. Results include User Principal Name, Alert Name, Previous Security Alert Links, Anomalies, and Time Generated. There is an option for configuration of correlations against Azure Sentinel watchlists. For more information, see [Use Azure Sentinel watchlists](https://docs.microsoft.com/azure/sentinel/watchlists) It depends on the BehaviorAnalytics MicrosoftDefenderAdvancedThreatProtection AzureActiveDirectoryIdentityProtection AzureSecurityCenter IoT MicrosoftCloudAppSecurity IoT OfficeATP AzureActivity data connector and BehaviorAnalytics SecurityAlert (MDATP) SecurityAlert (IPC) SecurityAlert (ASC) SecurityAlert (ASC for IoT) SecurityAlert (ASC for IoT) SecurityAlert (MCAS) SecurityAlert (Office 365) AzureActivity data type and BehaviorAnalytics MicrosoftDefenderAdvancedThreatProtection AzureActiveDirectoryIdentityProtection AzureSecurityCenter IoT MicrosoftCloudAppSecurity IoT OfficeATP AzureActivity parser."
"text": "This query correlates users with entity anomalies, security alerts, and delete/remove actions for identification of possible sabotage activities (watchlists configurable). For more information, see https://docs.microsoft.com/azure/sentinel/watchlists It depends on the BehaviorAnalytics MicrosoftDefenderAdvancedThreatProtection AzureActiveDirectoryIdentityProtection AzureSecurityCenter IoT MicrosoftCloudAppSecurity IoT OfficeATP AzureActivity data connector and BehaviorAnalytics SecurityAlert (MDATP) SecurityAlert (IPC) SecurityAlert (ASC) SecurityAlert (ASC for IoT) SecurityAlert (ASC for IoT) SecurityAlert (MCAS) SecurityAlert (Office 365) AzureActivity data type and BehaviorAnalytics MicrosoftDefenderAdvancedThreatProtection AzureActiveDirectoryIdentityProtection AzureSecurityCenter IoT MicrosoftCloudAppSecurity IoT OfficeATP AzureActivity parser."
}
}
]
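Review bot: huntingquery4-text carries the same duplicated `IoT` connector and `SecurityAlert (ASC for IoT)` data-type entries as huntingquery2-text, and the same missing sentence break after the watchlists URL; fix both here as well so the five descriptions are consistent.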
@ -272,7 +272,91 @@
"name": "huntingquery5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This alert joins Azure Active Directory Sign In Risk (SigninLogs) with Azure Information Protection (InformationProtectionLogs_CL) to correlate a risky user sign in (high or medium) with access to sensitive data classified by data loss prevention capabilities. There are optional configurations for correlations against geolocations and Azure Sentinel watchlists. For more information, see [Use Azure Sentinel watchlists](https://docs.microsoft.com/azure/sentinel/watchlists) It depends on the AzureInformationProtection AzureActiveDirectory data connector and InformationProtectionLogs_CL SigninLogs data type and AzureInformationProtection AzureActiveDirectory parser."
"text": "This query correlates a risky user sign ins with access to sensitive data classified by data loss prevention capabilities (watchlist configurable). For more information, see https://docs.microsoft.com/azure/sentinel/watchlists It depends on the AzureInformationProtection AzureActiveDirectory data connector and InformationProtectionLogs_CL SigninLogs data type and AzureInformationProtection AzureActiveDirectory parser."
}
}
]
}
]
},
{
"name": "playbooks",
"label": "Playbooks",
"subLabel": {
"preValidation": "Configure the playbooks",
"postValidation": "Done"
},
"bladeTitle": "Playbooks",
"elements": [
{
"name": "playbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs playbook resources. A security playbook is a collection of procedures that can be run from Azure Sentinel in response to an alert. A security playbook can help automate and orchestrate your response, and can be run manually or set to run automatically when specific alerts are triggered. Security playbooks in Azure Sentinel are based on Azure Logic Apps, which means that you get all the power, customizability, and built-in templates of Logic Apps. Each playbook is created for the specific subscription you choose, but when you look at the Playbooks page, you will see all the playbooks across any selected subscriptions.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
}
}
},
{
"name": "playbook1",
"type": "Microsoft.Common.Section",
"label": "Notify-InsiderRiskTeam",
"elements": [
{
"name": "playbook1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This playbook ingests events from MicrosoftInsiderRiskManagement into Log Analytics using the API."
}
},
{
"name": "playbook1-PlaybookName",
"type": "Microsoft.Common.TextBox",
"label": "Playbook Name",
"defaultValue": "Notify-InsiderRiskTeam",
"toolTip": "Resource name for the logic app playbook. No spaces are allowed",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a playbook resource name"
}
},
{
"name": "playbook1-Email",
"type": "Microsoft.Common.TextBox",
"label": "Email",
"defaultValue": "InsiderRiskTeam@example.com",
"toolTip": "Please enter Email",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter the Email"
}
},
{
"name": "playbook1-TeamschannelId",
"type": "Microsoft.Common.TextBox",
"label": "Teamschannel Id",
"defaultValue": "InsiderRiskTeam",
"toolTip": "Please enter Teamschannel Id",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter the Teamschannel Id"
}
},
{
"name": "playbook1-TeamsgroupId",
"type": "Microsoft.Common.TextBox",
"label": "Teamsgroup Id",
"defaultValue": "InsiderRiskTeam",
"toolTip": "Please enter Teamsgroup Id",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter the Teamsgroup Id"
}
}
]
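Review bot: huntingquery5-text now reads "correlates a risky user sign ins", mixing a singular article with a plural noun; write "correlates risky user sign-ins". In the added playbooks step, playbook1-text describes the playbook as one that "ingests events from MicrosoftInsiderRiskManagement into Log Analytics using the API", but the section is Notify-InsiderRiskTeam and collects an e-mail address and Teams channel/group IDs, so the text should describe the notification behaviour. The same unanchored regex `[a-z0-9A-Z]{1,256}$` is reused for all four text boxes, so it neither blocks the spaces the tooltip forbids in the playbook name nor validates the Email value (`InsiderRiskTeam@example.com` passes only because its last characters are letters); anchor it with `^` and use a field-appropriate pattern for Email.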
@ -284,7 +368,11 @@
"workspace-location": "[resourceGroup().location]",
"location": "[location()]",
"workspace": "[basics('workspace')]",
"workbook1-name": "[steps('workbooks').workbook1.workbook1-name]"
"workbook1-name": "[steps('workbooks').workbook1.workbook1-name]",
"playbook1-PlaybookName": "[steps('playbooks').playbook1.playbook1-PlaybookName]",
"playbook1-Email": "[steps('playbooks').playbook1.playbook1-Email]",
"playbook1-TeamschannelId": "[steps('playbooks').playbook1.playbook1-TeamschannelId]",
"playbook1-TeamsgroupId": "[steps('playbooks').playbook1.playbook1-TeamsgroupId]"
}
}
}

View file

@ -3,7 +3,7 @@
"contentVersion": "1.0.0.0",
"metadata": {
"author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
"comments": "Solution template for InsiderRiskManagement"
"comments": "Solution template for MicrosoftInsiderRiskManagement"
},
"parameters": {
"location": {
@ -46,7 +46,7 @@
},
"workbook1-name": {
"type": "string",
"defaultValue": "InsiderRiskManagement",
"defaultValue": "MicrosoftInsiderRiskManagement",
"minLength": 1,
"metadata": {
"description": "Name for the workbook"
@ -91,6 +91,29 @@
"metadata": {
"description": "Unique id for the scheduled alert rule"
}
},
"playbook1-PlaybookName": {
"defaultValue": "Notify-InsiderRiskTeam",
"type": "string",
"minLength": 1,
"metadata": {
"description": "Resource name for the logic app playbook. No spaces are allowed"
}
},
"playbook1-Email": {
"defaultValue": "InsiderRiskTeam@example.com",
"type": "string",
"minLength": 1
},
"playbook1-TeamschannelId": {
"defaultValue": "InsiderRiskTeam",
"type": "string",
"minLength": 1
},
"playbook1-TeamsgroupId": {
"defaultValue": "InsiderRiskTeam",
"type": "string",
"minLength": 1
}
},
"variables": {
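Review bot: the new parameters `playbook1-Email`, `playbook1-TeamschannelId` and `playbook1-TeamsgroupId` have no `metadata.description`, unlike `playbook1-PlaybookName`, and their defaults (`InsiderRiskTeam@example.com`, `InsiderRiskTeam`) are placeholders that a deployment taken with defaults would bake into the playbook, so the Teams post and the email would fail at run time. Suggest adding descriptions that state the expected value (mailbox, channel ID, group GUID) and dropping the defaults so the values must be supplied.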
@ -108,6 +131,17 @@
"_InsiderRiskSensitiveDataAccessOutsideOrgGeo_AnalyticalRules": "[variables('InsiderRiskSensitiveDataAccessOutsideOrgGeo_AnalyticalRules')]",
"InsiderRiskyAccessByApplication_AnalyticalRules": "InsiderRiskyAccessByApplication_AnalyticalRules",
"_InsiderRiskyAccessByApplication_AnalyticalRules": "[variables('InsiderRiskyAccessByApplication_AnalyticalRules')]",
"playbook1-Playbooks": "playbook1-Playbooks",
"_playbook1-Playbooks": "[variables('playbook1-Playbooks')]",
"playbook1-teamsConnectionName": "[concat('teams-', parameters('playbook1-PlaybookName'))]",
"playbook1-azuresentinelConnectionName": "[concat('azuresentinel-', parameters('playbook1-PlaybookName'))]",
"playbook1-office365ConnectionName": "[concat('office365-', parameters('playbook1-PlaybookName'))]",
"playbook-1-connection-2": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/azuresentinel')]",
"_playbook-1-connection-2": "[variables('playbook-1-connection-2')]",
"playbook-1-connection-3": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/office365')]",
"_playbook-1-connection-3": "[variables('playbook-1-connection-3')]",
"playbook-1-connection-4": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/teams')]",
"_playbook-1-connection-4": "[variables('playbook-1-connection-4')]",
"InsiderEntityAnomalyFollowedByIRMAlert_HuntingQueries": "InsiderEntityAnomalyFollowedByIRMAlert_HuntingQueries",
"_InsiderEntityAnomalyFollowedByIRMAlert_HuntingQueries": "[variables('InsiderEntityAnomalyFollowedByIRMAlert_HuntingQueries')]",
"workspace-dependency": "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspace'))]",
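Review bot: the `playbook-1-connection-2/3/4` variables are defined here, yet the same `concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', ...)` expression is repeated inline for each `id` under `$connections` in the workflow resource below; referencing `variables('_playbook-1-connection-N')` there keeps one definition per managed API. Naming is also inconsistent between `playbook1-...` and `playbook-1-connection-...`, whose numbering starts at 2.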
@ -252,6 +286,168 @@
]
}
},
{
"properties": {
"provisioningState": "Succeeded",
"state": "Enabled",
"definition": {
"$schema": "https://schema.@{variables('azureManagementUrl')}/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"type": "Object"
}
},
"triggers": {
"When_Azure_Sentinel_incident_creation_rule_was_triggered": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/incident-creation"
}
}
},
"actions": {
"For_each": {
"foreach": "@triggerBody()?['object']?['properties']?['Alerts']",
"actions": {
"Post_message_in_a_chat_or_channel": {
"type": "ApiConnection",
"inputs": {
"body": {
"messageBody": "<p>Insider Risk Team,<br> <br> An Insider Risk Management Alert was observed per the details below:<br> <br> Severity of Alert: @{items('For_each')?['properties']?['severity']}<br> <br> <u><strong>Azure Sentinel Incident</strong></u><br> TItle: @{triggerBody()?['object']?['properties']?['title']}<br> Status: @{triggerBody()?['object']?['properties']?['status']}<br> Number: @{triggerBody()?['object']?['properties']?['incidentNumber']}<br> Created Time (UTC): @{triggerBody()?['object']?['properties']?['createdTimeUtc']}<br> Incident Link: &nbsp;@{triggerBody()?['object']?['properties']?['incidentUrl']}<br> <br> <u><strong>Alert Details</strong></u><br> Alert Display Name: @{items('For_each')?['properties']?['alertDisplayName']}<br> Alert Type: @{items('For_each')?['properties']?['alertType']}<br> Subscription ID: @{triggerBody()?['workspaceInfo']?['SubscriptionId']}<br> Provider Alert ID: @{items('For_each')?['properties']?['providerAlertId']}<br> Alert Link: @{items('For_each')?['properties']?['alertLink']}</p>",
"recipient": {
"channelId": "[parameters('playbook1-TeamschannelId')]",
"groupId": "[parameters('playbook1-TeamsgroupId')]"
}
},
"host": {
"connection": {
"name": "@parameters('$connections')['teams']['connectionId']"
}
},
"method": "post",
"path": "/beta/teams/conversation/message/poster/Flow bot/location/@{encodeURIComponent('Channel')}"
}
},
"Send_an_email_(V2)_2": {
"runAfter": {
"Post_message_in_a_chat_or_channel": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"Body": "<p>Insider Risk Team,<br> <br> An Insider Risk Management Alert was observed per the details below:<br> <br> <br> <u><strong>Azure Sentinel Incident</strong></u><br> TItle: @{triggerBody()?['object']?['properties']?['title']}<br> Status: @{triggerBody()?['object']?['properties']?['status']}<br> Number: @{triggerBody()?['object']?['properties']?['incidentNumber']}<br> Incident Severity: @{triggerBody()?['object']?['properties']?['severity']}<br> Created Time (UTC): @{triggerBody()?['object']?['properties']?['createdTimeUtc']}<br> Incident Link: &nbsp;@{triggerBody()?['object']?['properties']?['incidentUrl']}<br> <br> <u><strong>Alert Details</strong></u><br> Alert Display Name: @{items('For_each')?['properties']?['alertDisplayName']}<br> Alert Product Name: @{items('For_each')?['properties']?['productName']}<br> Alert Severity: @{items('For_each')?['properties']?['severity']}<br> Alert Type: @{items('For_each')?['properties']?['alertType']}<br> Subscription ID: @{triggerBody()?['workspaceInfo']?['SubscriptionId']}<br> Provider Alert ID: @{items('For_each')?['properties']?['providerAlertId']}<br> Alert Link: @{items('For_each')?['properties']?['alertLink']}</p>",
"Subject": "Insider Risk Management Alert",
"To": "[parameters('playbook1-Email')]"
},
"host": {
"connection": {
"name": "@parameters('$connections')['office365']['connectionId']"
}
},
"method": "post",
"path": "/v2/Mail"
}
}
},
"type": "Foreach"
}
}
},
"parameters": {
"$connections": {
"value": {
"azuresentinel": {
"connectionName": "[variables('playbook1-azuresentinelConnectionName')]",
"connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook1-azuresentinelConnectionName'))]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
},
"office365": {
"connectionName": "[variables('playbook1-office365ConnectionName')]",
"connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook1-office365ConnectionName'))]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/office365')]"
},
"teams": {
"connectionName": "[variables('playbook1-teamsConnectionName')]",
"connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook1-teamsConnectionName'))]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/teams')]"
}
}
}
}
},
"name": "[parameters('playbook1-PlaybookName')]",
"type": "Microsoft.Logic/workflows",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-SentinelTemplateName": "Notify-InsiderRiskTeam",
"hidden-SentinelTemplateVersion": "1.0"
},
"identity": {
"type": "SystemAssigned"
},
"apiVersion": "2019-05-01",
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('playbook1-azuresentinelConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('playbook1-office365ConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('playbook1-teamsConnectionName'))]"
]
},
{
"name": "[variables('playbook1-azuresentinelConnectionName')]",
"properties": {
"parameterValueType": "Alternative",
"displayName": "[variables('playbook1-azuresentinelConnectionName')]",
"api": {
"id": "[variables('_playbook-1-connection-2')]"
}
},
"type": "Microsoft.Web/connections",
"kind": "V1",
"apiVersion": "2016-06-01",
"location": "[parameters('workspace-location')]"
},
{
"name": "[variables('playbook1-office365ConnectionName')]",
"properties": {
"displayName": "[variables('playbook1-office365ConnectionName')]",
"api": {
"id": "[variables('_playbook-1-connection-3')]"
}
},
"type": "Microsoft.Web/connections",
"kind": "V1",
"apiVersion": "2016-06-01",
"location": "[parameters('workspace-location')]"
},
{
"name": "[variables('playbook1-teamsConnectionName')]",
"properties": {
"displayName": "[variables('playbook1-teamsConnectionName')]",
"api": {
"id": "[variables('_playbook-1-connection-4')]"
}
},
"type": "Microsoft.Web/connections",
"kind": "V1",
"apiVersion": "2016-06-01",
"location": "[parameters('workspace-location')]"
},
{
"type": "Microsoft.OperationalInsights/workspaces",
"apiVersion": "2020-08-01",
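Review bot: in the `Post_message_in_a_chat_or_channel` and `Send_an_email_(V2)_2` actions the incident title, alert display name, alert type and alert link are interpolated unescaped into the HTML `messageBody` and `Body` strings; those values originate from the alert source, so a crafted title would inject markup into the Teams post and the email. Suggest stripping `<` and `>` with `replace()` before interpolation or sending the bodies as plain text, and fixing the `TItle:` label in both bodies. Two further points: the `office365` and `teams` connections are created without credentials and the `azuresentinel` connection relies on the workflow's system-assigned identity, so the solution should document the post-deployment steps (authorize both API connections, grant the identity the Microsoft Sentinel Responder role on the workspace), otherwise neither the trigger nor the two actions will run; and the `$schema` value embeds a `@{variables('azureManagementUrl')}` workflow expression where the literal `https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#` belongs.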
@ -261,7 +457,7 @@
{
"type": "savedSearches",
"apiVersion": "2020-08-01",
"name": "InsiderRiskManagement Hunting Query 1",
"name": "MicrosoftInsiderRiskManagement Hunting Query 1",
"dependsOn": [
"[variables('workspace-dependency')]"
],
@ -286,7 +482,7 @@
{
"type": "savedSearches",
"apiVersion": "2020-08-01",
"name": "InsiderRiskManagement Hunting Query 2",
"name": "MicrosoftInsiderRiskManagement Hunting Query 2",
"dependsOn": [
"[variables('workspace-dependency')]"
],
@ -311,7 +507,7 @@
{
"type": "savedSearches",
"apiVersion": "2020-08-01",
"name": "InsiderRiskManagement Hunting Query 3",
"name": "MicrosoftInsiderRiskManagement Hunting Query 3",
"dependsOn": [
"[variables('workspace-dependency')]"
],
@ -336,7 +532,7 @@
{
"type": "savedSearches",
"apiVersion": "2020-08-01",
"name": "InsiderRiskManagement Hunting Query 4",
"name": "MicrosoftInsiderRiskManagement Hunting Query 4",
"dependsOn": [
"[variables('workspace-dependency')]"
],
@ -361,7 +557,7 @@
{
"type": "savedSearches",
"apiVersion": "2020-08-01",
"name": "InsiderRiskManagement Hunting Query 5",
"name": "MicrosoftInsiderRiskManagement Hunting Query 5",
"dependsOn": [
"[variables('workspace-dependency')]"
],
@ -389,13 +585,13 @@
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2021-03-01-preview",
"properties": {
"version": "1.0.2",
"version": "1.0.3",
"kind": "Solution",
"contentId": "[variables('_sourceId')]",
"parentId": "[variables('_sourceId')]",
"source": {
"kind": "Solution",
"name": "InsiderRiskManagement",
"name": "MicrosoftInsiderRiskManagement",
"sourceId": "[variables('_sourceId')]"
},
"author": {
@ -414,57 +610,62 @@
{
"kind": "Workbook",
"contentId": "[variables('_InsiderRiskManagement_workbook')]",
"version": "1.0.2"
"version": "1.0.3"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('_InsiderRiskHighUserAlertsCorrelation_AnalyticalRules')]",
"version": "1.0.2"
"version": "1.0.3"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('_InsiderRiskHighUserIncidentsCorrelation_AnalyticalRules')]",
"version": "1.0.2"
"version": "1.0.3"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('_InsiderRiskM365IRMAlertObserved_AnalyticalRules')]",
"version": "1.0.2"
"version": "1.0.3"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('_InsiderRiskSensitiveDataAccessOutsideOrgGeo_AnalyticalRules')]",
"version": "1.0.2"
"version": "1.0.3"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('_InsiderRiskyAccessByApplication_AnalyticalRules')]",
"version": "1.0.2"
"version": "1.0.3"
},
{
"kind": "Playbook",
"contentId": "[variables('_playbook1-Playbooks')]",
"version": "1.0.3"
},
{
"kind": "HuntingQuery",
"contentId": "[variables('_InsiderEntityAnomalyFollowedByIRMAlert_HuntingQueries')]",
"version": "1.0.2"
"version": "1.0.3"
},
{
"kind": "HuntingQuery",
"contentId": "[variables('_InsiderISPAnomalyCorrelatedToExfiltrationAlert_HuntingQueries')]",
"version": "1.0.2"
"version": "1.0.3"
},
{
"kind": "HuntingQuery",
"contentId": "[variables('_InsiderMultipleEntityAnomalies_HuntingQueries')]",
"version": "1.0.2"
"version": "1.0.3"
},
{
"kind": "HuntingQuery",
"contentId": "[variables('_InsiderPossibleSabotage_HuntingQueries')]",
"version": "1.0.2"
"version": "1.0.3"
},
{
"kind": "HuntingQuery",
"contentId": "[variables('_InsiderSignInRiskFollowedBySensitiveDataAccessyaml_HuntingQueries')]",
"version": "1.0.2"
"version": "1.0.3"
}
]
},
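Review bot: the new Playbook dependency's `contentId` is `variables('_playbook1-Playbooks')`, which resolves to the literal string `playbook1-Playbooks` (a numbering placeholder), whereas every other entry uses an identifier named after its content; the playbook's template name is `Notify-InsiderRiskTeam` (its `hidden-SentinelTemplateName` tag), so the variable should carry that value.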

View file

@ -1,5 +1,5 @@
{
"Name": "InsiderRiskManagement",
"Name": "MicrosoftInsiderRiskManagement",
"Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
"Description": "The Azure Sentinel: Insider Risk Management Solution (https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/InsiderRiskManagement/readme.md) demonstrates the “better together” story between Microsoft 365 Insider Risk Management and Azure Sentinel. This workbook integrates telemetry from 25+ Microsoft security products to provide actionable insights into insider risk management. Reporting tools provide “Go to Alert” links to provide deeper integration between products and a simplified user experience for exploring alerts. A filter set provides custom reporting for Guide, Subscription, Workspace, and Time. The workbook can be exported as a PDF or print report via the Print Workbooks feature. Content sections include Overviews, Insider Risk Management, Watchlist, and User Forensics. The Overview tab provides recommendations for building insider risk program architectures. The Insider Risk tab provides alert reporting by both insider risk scenarios such as Sensitive Data Leaks, Security Violations, and MITRE ATT&CK tactics. The Watchlist tab provides filtering by Azure Sentinel Watchlists and the User Forensics tab collects logging telemetry by user. The user experience includes designing insider risk management architectures and streamlining telemetry from all users > watchlist > specific users while transitioning to M365 Insider Risk Management to investigate/resolve activity of interest.",
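Review bot: the `Description` still links to `https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/InsiderRiskManagement/readme.md` while the solution `Name` becomes `MicrosoftInsiderRiskManagement` in this hunk and the `BasePath` below points at a `MicrosoftInsiderRiskManagement` folder; update the link if the solution folder was renamed.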
@ -14,6 +14,9 @@
"Analytic Rules/InsiderRiskSensitiveDataAccessOutsideOrgGeo.yaml",
"Analytic Rules/InsiderRiskyAccessByApplication.yaml"
],
"Playbooks": [
"Playbooks/Notify_InsiderRiskTeam.json"
],
"Hunting Queries": [
"Hunting Queries/InsiderEntityAnomalyFollowedByIRMAlert.yaml",
"Hunting Queries/InsiderISPAnomalyCorrelatedToExfiltrationAlert.yaml",
@ -23,5 +26,5 @@
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\azure\\Solutions\\MicrosoftInsiderRiskManagement",
"Version": "1.0.2"
"Version": "1.0.3"
}
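Review bot: `BasePath` hard-codes a contributor's local Windows checkout (`C:\\GitHub\\azure\\Solutions\\MicrosoftInsiderRiskManagement`); if the packaging tool requires it, the file should note that this value must be edited before the packager is run, rather than shipping a machine-specific path.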

Binary file not shown.

View file

@ -46,7 +46,7 @@
},
"workbook1-name": {
"type": "string",
"defaultValue": "ZeroTrust(TIC3.0)",
"defaultValue": "ZeroTrustTIC3.0",
"minLength": 1,
"metadata": {
"description": "Name for the workbook"