zinc open source solution package

2022-10-04 12:46:24 +05:30 · 2022-10-04 12:46:24 +05:30 · e593916d4e
--- a/Rules/ZincOctober2022_AVHits_IOC.yaml
+++ b/Rules/ZincOctober2022_AVHits_IOC.yaml
@ -6,6 +6,7 @@ description: |
   This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.
   Reference: https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/'
 severity: High
+status: Available
 requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
--- a/Rules/ZincOctober2022_Filename_Commandline_IOC.yaml
+++ b/Rules/ZincOctober2022_Filename_Commandline_IOC.yaml
@ -4,6 +4,7 @@ description: |
  'Identifies a match across filename and commandline IOC's related to an actor tracked by Microsoft as Zinc.
  Reference: https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/'
 severity: High 
+status: Available
 requiredDataConnectors:                
  - connectorId: MicrosoftThreatProtection
    dataTypes:
--- a/Rules/ZincOctober2022_IP_Domain_Hash_IOC.yaml
+++ b/Rules/ZincOctober2022_IP_Domain_Hash_IOC.yaml
@ -4,6 +4,7 @@ description: |
  'Identifies a match across domainname, IP, hash and useragent IOCs related to an actor tracked by Microsoft as Zinc.
  Reference: https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/'
 severity: High 
+status: Available
 requiredDataConnectors: 
  - connectorId: DNS
    dataTypes:
--- a/Source/Data/Solution_ZINC.json
+++ b/Source/Data/Solution_ZINC.json
@ -0,0 +1,30 @@
+{
+  "Name": "Zinc Open Source",
+  "Author": "Microsoft - support@microsoft.com",
+  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
+  "Description": "Microsoft security research teams have detected a wide range of social engineering campaigns using weaponized legitimate open-source software by an actor tracked as ZINC.  ZINC employed traditional social engineering tactics by initially connecting with individuals on LinkedIn, followed by communication over WhatsApp, which acted as the means of delivery for their malicious payloads. ZINC was found weaponizing a wide range of open-source software including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader etc. For more technical and in-depth information about the attack, please read the [Microsoft Security blog post](https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/).This solution provides content to detect and investigate signals related to the attack in Microsoft Sentinel.\n\n**Pre-requisites:**\n\nThis is a [domain solution](https://learn.microsoft.com/azure/sentinel/sentinel-solutions-catalog#domain-solutions) and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution.
+  \n\n  1.[Windows Security Events](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-securityeventsazure-sentinel-solution-securityevents) 
+  \n\n  2.[Microsoft 365 Defender ](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoft365defenderazure-sentinel-solution-microsoft365defender)
+  \n\n  3.[Microsoft Windows DNS](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-dnsazure-sentinel-solution-dns)
+  \n\n  4.[F5 Advanced WAF](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoft365defenderazure-sentinel-solution-microsoft365defender)
+  \n\n  5.[Cisco ASA](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoft365defenderazure-sentinel-solution-microsoft365defender)
+  \n\n  6.[Palo Alto Networks](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoft365defenderazure-sentinel-solution-microsoft365defender)
+  \n\n  7.[Common Event Format](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoft365defenderazure-sentinel-solution-microsoft365defender)
+  \n\n  8.[Fortinet FortiGate](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoft365defenderazure-sentinel-solution-microsoft365defender)
+  \n\n  9.[Check Point](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoft365defenderazure-sentinel-solution-microsoft365defender)
+  \n\n  10.[Microsoft 365](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoft365defenderazure-sentinel-solution-microsoft365defender)
+  \n\n  11.[Azure Firewall](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoft365defenderazure-sentinel-solution-microsoft365defender)
+  \n\n  12.[Microsoft Windows Firewall](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoft365defenderazure-sentinel-solution-microsoft365defender)
+  \n\n  13.[Microsoft 365 Defender ](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoft365defenderazure-sentinel-solution-microsoft365defender)
+  \n\n**Keywords:** Zinc, Open Source, ZetaNile , Putty, Kitty, TightVNC , EventHorizon, FoggyBrass, PhantomStar, threat actor, Adversary.",
+  "Analytic Rules": [
+    "Solutions/Zinc Open Source/Analytic Rules/ZincOctober2022_AVHits_IOC.yaml",
+    "Solutions/Zinc Open Source/Analytic Rules/ZincOctober2022_Filename_Commandline_IOC.yaml",
+    "Solutions/Zinc Open Source/Analytic Rules/ZincOctober2022_IP_Domain_Hash_IOC.yaml"
+  ],
+  "BasePath": "C:\\GitHub\\Azure-Sentinel",
+  "Version": "2.0.0",
+  "Metadata": "SolutionMetadata.json",
+  "TemplateSpec": true,
+  "Is1PConnector": false
+}
--- a/Source/Package/2.0.0.zip
+++ b/Source/Package/2.0.0.zip
--- a/Source/Package/createUiDefinition.json
+++ b/Source/Package/createUiDefinition.json
@ -0,0 +1,131 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+  "handler": "Microsoft.Azure.CreateUIDef",
+  "version": "0.1.2-preview",
+  "parameters": {
+    "config": {
+      "isWizard": false,
+      "basics": {
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nMicrosoft security research teams have detected a wide range of social engineering campaigns using weaponized legitimate open-source software by an actor tracked as ZINC.  ZINC employed traditional social engineering tactics by initially connecting with individuals on LinkedIn, followed by communication over WhatsApp, which acted as the means of delivery for their malicious payloads. ZINC was found weaponizing a wide range of open-source software including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader etc. For more technical and in-depth information about the attack, please read the [Microsoft Security blog post](https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/).This solution provides content to detect and investigate signals related to the attack in Microsoft Sentinel.\n\n**Pre-requisites:**\n\nThis is a [domain solution](https://learn.microsoft.com/azure/sentinel/sentinel-solutions-catalog#domain-solutions) and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution.\r\n  \n\n  1.[Windows Security Events](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-securityeventsazure-sentinel-solution-securityevents) \r\n  \n\n  2.[Microsoft 365 Defender ](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoft365defenderazure-sentinel-solution-microsoft365defender)\r\n  \n\n  3.[Microsoft Windows DNS](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-dnsazure-sentinel-solution-dns)\r\n  \n\n  4.[F5 Advanced WAF](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoft365defenderazure-sentinel-solution-microsoft365defender)\r\n  \n\n  5.[Cisco ASA](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoft365defenderazure-sentinel-solution-microsoft365defender)\r\n  \n\n  6.[Palo Alto Networks](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoft365defenderazure-sentinel-solution-microsoft365defender)\r\n  \n\n  7.[Common Event Format](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoft365defenderazure-sentinel-solution-microsoft365defender)\r\n  \n\n  8.[Fortinet FortiGate](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoft365defenderazure-sentinel-solution-microsoft365defender)\r\n  \n\n  9.[Check Point](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoft365defenderazure-sentinel-solution-microsoft365defender)\r\n  \n\n  10.[Microsoft 365](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoft365defenderazure-sentinel-solution-microsoft365defender)\r\n  \n\n  11.[Azure Firewall](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoft365defenderazure-sentinel-solution-microsoft365defender)\r\n  \n\n  12.[Microsoft Windows Firewall](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoft365defenderazure-sentinel-solution-microsoft365defender)\r\n  \n\n  13.[Microsoft 365 Defender ](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoft365defenderazure-sentinel-solution-microsoft365defender)\r\n  \n\n**Keywords:** Zinc, Open Source, ZetaNile , Putty, Kitty, TightVNC , EventHorizon, FoggyBrass, PhantomStar, threat actor, Adversary.\n\n**Analytic Rules:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "subscription": {
+          "resourceProviders": [
+            "Microsoft.OperationsManagement/solutions",
+            "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+            "Microsoft.Insights/workbooks",
+            "Microsoft.Logic/workflows"
+          ]
+        },
+        "location": {
+          "metadata": {
+            "hidden": "Hiding location, we get it from the log analytics workspace"
+          },
+          "visible": false
+        },
+        "resourceGroup": {
+          "allowExisting": true
+        }
+      }
+    },
+    "basics": [
+      {
+        "name": "getLAWorkspace",
+        "type": "Microsoft.Solutions.ArmApiControl",
+        "toolTip": "This filters by workspaces that exist in the Resource Group selected",
+        "condition": "[greater(length(resourceGroup().name),0)]",
+        "request": {
+          "method": "GET",
+          "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
+        }
+      },
+      {
+        "name": "workspace",
+        "type": "Microsoft.Common.DropDown",
+        "label": "Workspace",
+        "placeholder": "Select a workspace",
+        "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
+        "constraints": {
+          "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
+          "required": true
+        },
+        "visible": true
+      }
+    ],
+    "steps": [
+      {
+        "name": "analytics",
+        "label": "Analytics",
+        "subLabel": {
+          "preValidation": "Configure the analytics",
+          "postValidation": "Done"
+        },
+        "bladeTitle": "Analytics",
+        "elements": [
+          {
+            "name": "analytics-text",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view."
+            }
+          },
+          {
+            "name": "analytics-link",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "link": {
+                "label": "Learn more",
+                "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
+              }
+            }
+          },
+          {
+            "name": "analytic1",
+            "type": "Microsoft.Common.Section",
+            "label": "AV detections related to Zinc actors",
+            "elements": [
+              {
+                "name": "analytic1-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "This query looks for Microsoft Defender AV detections related to  Zinc threat actor. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, \n this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, etc. \n This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\n Reference: https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/"
+                }
+              }
+            ]
+          },
+          {
+            "name": "analytic2",
+            "type": "Microsoft.Common.Section",
+            "label": "Zinc Actor IOCs files - October 2022",
+            "elements": [
+              {
+                "name": "analytic2-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "Identifies a match across filename and commandline IOC's related to an actor tracked by Microsoft as Zinc.\nReference: https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/"
+                }
+              }
+            ]
+          },
+          {
+            "name": "analytic3",
+            "type": "Microsoft.Common.Section",
+            "label": "Zinc Actor IOCs domains hashes IPs and useragent - October 2022",
+            "elements": [
+              {
+                "name": "analytic3-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "Identifies a match across domainname, IP, hash and useragent IOCs related to an actor tracked by Microsoft as Zinc.\nReference: https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/"
+                }
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "outputs": {
+      "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
+      "location": "[location()]",
+      "workspace": "[basics('workspace')]"
+    }
+  }
+}
--- a/Source/Package/mainTemplate.json
+++ b/Source/Package/mainTemplate.json
--- a/Source/SolutionMetadata.json
+++ b/Source/SolutionMetadata.json
@ -0,0 +1,16 @@
+{
+	"publisherId": "azuresentinel",
+	"offerId": "azure-sentinel-solution-zincopensource",
+	"firstPublishDate": "2022-10-03",
+	"providers": ["Microsoft"],
+	"categories": {
+		"domains" : ["Security - Threat Intelligence"],
+		"verticals": []
+	},
+	"support": {
+		"tier": "Microsoft",
+		"name": "Microsoft Corporation",
+		"email": "support@microsoft.com",
+		"link": "https://support.microsoft.com/"
+	}
+}