Merge branch 'master' into solution/Threatconnect-1

This commit is contained in:
JP Bourget 2023-09-26 23:31:00 -04:00 коммит произвёл GitHub
Родитель c19bb89319 5f02895acb
Коммит e7ab1c2d11
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
1176 изменённых файлов: 130510 добавлений и 19558 удалений


@ -56,11 +56,11 @@ jobs:
$branchName = "$(System.PullRequest.SourceBranch)"
$targetBranch = "$(System.PullRequest.TargetBranch)"
$pullRequestNumber = "$(System.PullRequest.PullRequestNumber)"
$isAutoGeneratedPR = [bool]($branchName -match "-automated-pr")
Write-Host "BranchName is $branchName, pullRequestNumber $pullRequestNumber, isAutoGeneratedPR $isAutoGeneratedPR"
$isAutoGeneratedOrDependabotPR = [bool]($branchName -match "dependabot/|-automated-pr")
Write-Host "BranchName is $branchName, pullRequestNumber $pullRequestNumber, isAutoGeneratedOrDependabotPR $isAutoGeneratedOrDependabotPR"
# NOT MAIN/MASTER OR AUTOMATED BRANCH
if ($branchName -ne 'master' -and $isAutoGeneratedPR -eq $false -and $targetBranch -eq 'master')
if ($branchName -ne 'master' -and $isAutoGeneratedOrDependabotPR -eq $false -and $targetBranch -eq 'master')
{
# INVOKE GITHUB WORKFLOW
$header = @{
@ -98,7 +98,7 @@ jobs:
}
else
{
Write-Host "Skipping Github Workflow from execution as current branch is a Master branch or is a automated PR or target branch is not master."
Write-Host "Skipping Github Workflow from execution as current branch is a Master branch/Automated PR/Dependabot or target branch is not master."
}
}
catch
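Review bot: The new gate on L19 matches `dependabot/` anywhere in the branch name, so a human branch such as `fix/dependabot/config` is also classified as automated and silently skips the GitHub workflow dispatch guarded on L23. Dependabot branches always carry the prefix, so anchor it: `$isAutoGeneratedOrDependabotPR = [bool]($branchName -match "^dependabot/|-automated-pr")`. If `System.PullRequest.SourceBranch` arrives as `refs/heads/<name>` in this pipeline, as it does for Azure Repos sources, the anchor would have to be `^(refs/heads/)?dependabot/` instead — worth confirming against the `Write-Host` output on L20, which would then also explain why the `-ne 'master'` comparison on L23 could never be false. The script step and the `try` this sits in begin before the hunk.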

51
.github/workflows/arm-ttk-validations.yaml поставляемый

@ -17,54 +17,9 @@ jobs:
id: step1
name: Identify Changes in PR
run: |
$diff = git diff --diff-filter=d --name-only HEAD^ HEAD
Write-Host "List of files in PR: $diff"
$hasmainTemplateChanged = $false
$hasCreateUiDefinitionTemplateChanged = $false
$isChangeInSolutionsFolder = [bool]($diff | Where-Object {$_ -like 'Solutions/*'})
if (!$isChangeInSolutionsFolder)
{
Write-Host "Skipping as change is not in Solutions folder!"
exit 0
}
$requiredFiles = @("mainTemplate.json", "createUiDefinition.json")
$filteredFiles = $diff | Where-Object {$_ -match ($requiredFiles -Join "|")}
Write-Host "Filtered Files $filteredFiles"
if ($filteredFiles.Count -gt 0)
{
$mainTemplateValue = $filteredFiles -match "mainTemplate.json"
$createUiValue = $filteredFiles -match "createUiDefinition.json"
if ($mainTemplateValue)
{
$hasmainTemplateChanged = $true
}
if ($createUiValue)
{
$hasCreateUiDefinitionTemplateChanged = $true
}
if ($filteredFiles.Count -eq 1)
{
$packageIndex = $filteredFiles.IndexOf("/Package")
$sName = $filteredFiles.SubString(10, $packageIndex - 10)
}
else
{
$packageIndex = $filteredFiles[0].IndexOf("/Package")
$sName = $filteredFiles[0].SubString(10, $packageIndex - 10)
}
Write-Host "SolutionName: $sName"
}
Write-Output "::set-output name=solutionName::$sName"
Write-Output "::set-output name=mainTemplateChanged::$hasmainTemplateChanged"
Write-Output "::set-output name=createUiChanged::$hasCreateUiDefinitionTemplateChanged"
Set-PSRepository PSGallery -InstallationPolicy Trusted
Install-Module powershell-yaml
./.script/package-automation/arm-ttk-tests.ps1
- uses: docker/build-push-action@v2
id: publishGithubPackage
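Review bot: The two new lines on L85–L86 mark the whole PSGallery repository as Trusted and then install `powershell-yaml` with no version, so each run pulls whatever the gallery currently serves and a hijacked or yanked release would land in CI unnoticed. Pin the dependency to the version validated today with `-RequiredVersion`, and drop the repository-wide trust in favour of `Install-Module powershell-yaml -RequiredVersion <pinned> -Force -Scope CurrentUser`, where `-Force` answers the untrusted-repository prompt for this one install only. The step that holds these lines begins before the hunk, and the diff logic removed here now lives in `.script/package-automation/arm-ttk-tests.ps1`, so the review of that script applies to this workflow as well.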

2
.github/workflows/checkAutomatedPR.yaml поставляемый

@ -12,7 +12,7 @@ permissions:
pull-requests: read
env:
BRANCH_NAME: ${{ github.event.client_payload.pull_request.head.ref && github.event.client_payload.pull_request.head.ref || github.event.client_payload.pullRequestBranchName }}
BRANCH_NAME: ${{ github.event.client_payload.pull_request.head.ref || github.event.client_payload.pullRequestBranchName }}
BODY: ${{ github.event.issue.body }}
jobs:

2
.github/workflows/checkPRContentChange.yaml поставляемый

@ -8,7 +8,7 @@ on:
- "Solutions/**"
env:
BRANCH_NAME: ${{ github.event.client_payload.pull_request.head.ref && github.event.client_payload.pull_request.head.ref || github.event.client_payload.pullRequestBranchName }}
BRANCH_NAME: ${{ github.event.client_payload.pull_request.head.ref || github.event.client_payload.pullRequestBranchName }}
jobs:
solutionNameDetails:


@ -13,7 +13,7 @@ on:
value: ${{ jobs.checkPackagingInfoStatus.outputs.isPackagingRequired }}
env:
BRANCH_NAME: ${{ github.event.client_payload.pull_request.head.ref && github.event.client_payload.pull_request.head.ref || github.event.client_payload.pullRequestBranchName }}
BRANCH_NAME: ${{ github.event.client_payload.pull_request.head.ref || github.event.client_payload.pullRequestBranchName }}
jobs:
checkPackagingInfoStatus:

2
.github/workflows/getSolutionName.yaml поставляемый

@ -8,7 +8,7 @@ on:
value: ${{ jobs.currentPRSolutionName.outputs.sName }}
env:
BRANCH_NAME: ${{ github.event.client_payload.pull_request.head.ref && github.event.client_payload.pull_request.head.ref || github.event.client_payload.pullRequestBranchName }}
BRANCH_NAME: ${{ github.event.client_payload.pull_request.head.ref || github.event.client_payload.pullRequestBranchName }}
jobs:
currentPRSolutionName:


@ -17,7 +17,7 @@ on:
value: ${{ jobs.masterDetails.outputs.solutionPublisherId }}
env:
BRANCH_NAME: ${{ github.event.client_payload.pull_request.head.ref && github.event.client_payload.pull_request.head.ref || github.event.client_payload.pullRequestBranchName }}
BRANCH_NAME: ${{ github.event.client_payload.pull_request.head.ref || github.event.client_payload.pullRequestBranchName }}
jobs:
masterDetails:

6
.github/workflows/package-command.yaml поставляемый

@ -4,7 +4,7 @@ env:
DEFAULTPACKAGEVERSION: "${{ vars.DEFAULTPACKAGEVERSION }}"
BLOB_CONN_STRING: "${{ secrets.BLOB_CONN_STRING }}"
BASE_FOLDER_PATH: "${{ vars.BASEFOLDERPATH }}"
BRANCH_NAME: "${{ github.event.client_payload.pull_request.head.ref && github.event.client_payload.pull_request.head.ref || github.event.client_payload.pullRequestBranchName }}"
BRANCH_NAME: "${{ github.event.client_payload.pull_request.head.ref || github.event.client_payload.pullRequestBranchName }}"
ADO_TOKEN: "${{ secrets.ADO_TOKEN }}"
ADO_BASE_URL: "${{ vars.ADO_BASE_URL }}"
ADO_AREAPATH: "${{ vars.ADO_AREAPATH }}"
@ -18,7 +18,7 @@ on:
types: [package-command, Package-command, PACKAGE-command]
jobs:
solutionNameDetails:
if: ${{ !github.event.pull_request.head.repo.fork }}
if: ${{ !github.event.pull_request.head.repo.fork && !contains(github.event.client_payload.pull_request.head.ref , 'dependabot/') && !contains(github.event.client_payload.pullRequestBranchName , 'dependabot/') }}
uses: ./.github/workflows/getSolutionName.yaml
secrets: inherit
@ -34,7 +34,7 @@ jobs:
neworexistingsolution:
needs: [solutionNameDetails, checkSkipPackagingDetails]
uses: ./.github/workflows/neworexistingsolution.yaml
if: ${{ needs.solutionNameDetails.outputs.solutionName != '' && needs.checkSkipPackagingDetails.outputs.isPackagingRequired == 'True' }}
if: ${{ needs.solutionNameDetails.outputs.solutionName != '' && needs.checkSkipPackagingDetails.outputs.isPackagingRequired == 'True' }}
with:
solutionName: "${{ needs.solutionNameDetails.outputs.solutionName }}"
secrets: inherit
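Review bot: The fork guard the new condition on L165 carries over, `!github.event.pull_request.head.repo.fork`, reads a field that a `repository_dispatch` payload does not populate — and the `types:` list on L161 suggests that is the trigger here — so it is true on every run and the two new dependabot tests are the only terms that actually bite. If the fork exclusion is meant to hold, test the object the dispatcher sends, `!github.event.client_payload.pull_request.head.repo.fork`, the same way the new terms already read the branch name from `client_payload`. `contains(..., 'dependabot/')` also matches the prefix anywhere in the name; `startsWith(github.event.client_payload.pull_request.head.ref, 'dependabot/')` is the tighter test. The `on:` block begins before the second hunk, so other triggers may exist outside this view.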

8
.github/workflows/package-on-merge.yaml поставляемый

@ -21,17 +21,17 @@ on:
- closed
jobs:
checkAutomatedPR:
if: ${{ github.event.pull_request.merged && !github.event.pull_request.head.repo.fork }}
if: ${{ github.actor != 'dependabot[bot]' && github.event.pull_request.merged && !github.event.pull_request.head.repo.fork }}
uses: ./.github/workflows/checkAutomatedPR.yaml
solutionNameDetails:
if: ${{ github.event.pull_request.merged && !github.event.pull_request.head.repo.fork }}
if: ${{ github.actor != 'dependabot[bot]' && github.event.pull_request.merged && !github.event.pull_request.head.repo.fork }}
needs: checkAutomatedPR
uses: ./.github/workflows/getSolutionName.yaml
secrets: inherit
checkSkipPackagingDetails:
if: ${{ github.event.pull_request.merged && !github.event.pull_request.head.repo.fork && needs.solutionNameDetails.outputs.solutionName != '' }}
if: ${{ github.actor != 'dependabot[bot]' && github.event.pull_request.merged && !github.event.pull_request.head.repo.fork && needs.solutionNameDetails.outputs.solutionName != '' }}
uses: ./.github/workflows/checkSkipPackagingInfo.yaml
secrets: inherit
needs: solutionNameDetails
@ -41,7 +41,7 @@ jobs:
neworexistingsolution:
needs: [solutionNameDetails, checkSkipPackagingDetails]
uses: ./.github/workflows/neworexistingsolution.yaml
if: ${{ needs.solutionNameDetails.outputs.solutionName != '' && needs.checkSkipPackagingDetails.outputs.isPackagingRequired == 'True' }}
if: ${{ github.actor != 'dependabot[bot]' && needs.solutionNameDetails.outputs.solutionName != '' && needs.checkSkipPackagingDetails.outputs.isPackagingRequired == 'True' }}
with:
solutionName: "${{ needs.solutionNameDetails.outputs.solutionName }}"
secrets: inherit
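Review bot: `github.actor != 'dependabot[bot]'`, added to all four jobs on L187, L191, L197 and L206, tests the account that triggered the run — on a `pull_request` `closed` event that is normally whoever merged or closed the PR, not its author — so a dependabot PR merged by a maintainer still passes the guard and gets packaged. The author is in the event payload: `github.event.pull_request.user.login != 'dependabot[bot]'`, or key on the branch with `!startsWith(github.event.pull_request.head.ref, 'dependabot/')`, which is also how `package-command.yaml` identifies these PRs in this same commit. `github.event.pull_request` remains available in the `neworexistingsolution` job on L206 even though its other terms come from `needs`, so the same expression works in all four places.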

44
.github/workflows/slash-command-armttk.yaml поставляемый Normal file

@ -0,0 +1,44 @@
# THIS WORKFLOW WILL RUN WHEN WE ADD SLASH COMMAND LIKE '/arm-ttk', '/ARM-TTK', '/Arm-Ttk', 'armttk' or 'ARMTTK'
name: Slash Command ARM-TTK Tests
on:
issue_comment:
types: [created, edited]
jobs:
run-arm-ttk:
runs-on: ubuntu-latest
if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork && github.event.issue.pull_request && contains(fromJson('["/armttk", "/Armttk", "/ARM-TTK", "/ARMTTK", "/arm-ttk", "/ArmTtk"]'), github.event.comment.body) }}
outputs:
solutionName: ${{ steps.step1.outputs.solutionName }}
mainTemplateChanged: ${{ steps.step1.outputs.mainTemplateChanged }}
createUiChanged: ${{ steps.step1.outputs.createUiChanged }}
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 5
ref: refs/pull/${{ github.event.issue.number }}/head
- shell: pwsh
id: step1
name: Identify Changes in PR
run: |
Set-PSRepository PSGallery -InstallationPolicy Trusted
Install-Module powershell-yaml
./.script/package-automation/arm-ttk-tests.ps1
- uses: docker/build-push-action@v2
id: publishGithubPackage
name: Run ARM-TTK
if: ${{ success() && steps.step1.outcome == 'success' && steps.step1.outputs.solutionName != '' && (steps.step1.outputs.mainTemplateChanged == 'true' || steps.step1.outputs.createUiChanged == 'true') }}
env:
SolutionName: ${{ steps.step1.outputs.solutionName }}
mainTemplateChanged: ${{ steps.step1.outputs.mainTemplateChanged }}
createUiChanged: ${{ steps.step1.outputs.createUiChanged }}
with:
context: .
file: ./.github/actions/Dockerfile
push: false
build-args: |
SolutionName
mainTemplateChanged
createUiChanged
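Review bot: The fork guard in the new job's `if` on L224, `!github.event.pull_request.head.repo.fork`, is a no-op: an `issue_comment` payload carries `issue` and `comment` but no top-level `pull_request`, so the term is always true. With that gone, anyone who can post a `/armttk` comment on a PR gets the PR head checked out (L233) and `./.script/package-automation/arm-ttk-tests.ps1` and `./.github/actions/Dockerfile` taken from that head executed (L240, L251) in the default-branch security context, with the workflow's `GITHUB_TOKEN` and inherited secrets, and no `permissions:` block limits that token. Gate the job on `github.event.comment.author_association`, grant the token read access only, and run the trusted default-branch copy of the script against the PR checkout rather than the PR's own copy, as sketched below; the docker step would need its `context`/`file` repointed at the trusted checkout or dropped. Separately, L238–L239 mark the whole PSGallery as trusted and install `powershell-yaml` unpinned; pin it with `-RequiredVersion` and use `-Force` instead of repository-wide trust.
```yaml
permissions:
  contents: read
  pull-requests: read
jobs:
  run-arm-ttk:
    runs-on: ubuntu-latest
    # head.repo.fork is absent on issue_comment events; author_association is set on the comment itself
    if: ${{ github.actor != 'dependabot[bot]' && github.event.issue.pull_request && contains(fromJson('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association) && contains(fromJson('["/armttk", "/Armttk", "/ARM-TTK", "/ARMTTK", "/arm-ttk", "/ArmTtk"]'), github.event.comment.body) }}
    # … unchanged: outputs …
    steps:
      # trusted copy of the scripts, from the default branch the event runs against
      - uses: actions/checkout@v3
        with:
          path: trusted
      # the PR head under review, kept out of the tree that is executed
      - uses: actions/checkout@v3
        with:
          fetch-depth: 5
          ref: refs/pull/${{ github.event.issue.number }}/head
          path: pr
      - shell: pwsh
        id: step1
        name: Identify Changes in PR
        working-directory: pr
        run: |
          # … unchanged: module install (pin with -RequiredVersion) …
          ../trusted/.script/package-automation/arm-ttk-tests.ps1
      # … unchanged: docker build step (repoint context/file at trusted/) …
```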


@ -104,6 +104,14 @@ function getConnectorCategory(dataTypes : any, instructionSteps:[])
{
return ConnectorCategory.BloodHoundEnterprise;
}
else if (dataTypes[0].name.includes("AwsS3"))
{
return ConnectorCategory.AwsS3;
}
else if (dataTypes[0].name.includes("AWS"))
{
return ConnectorCategory.AWS;
}
return "";
}
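Review bot: The two new branches on L264 and L268 read as a specific-before-general pair, but `String.prototype.includes` is case-sensitive, so `"AwsS3"` never satisfies `includes("AWS")` and the ordering is not what keeps them apart — a data type spelled `"AWSS3"` would fall through to `ConnectorCategory.AWS`. If both spellings occur in connector definitions, normalise once, `const name = dataTypes[0].name.toLowerCase();`, and compare against `"awss3"` before `"aws"`; otherwise a one-line comment, `// includes() is case-sensitive: "AwsS3" is matched here, "AWS" below`, spares the next reader the same double-take. `getConnectorCategory` begins before this hunk, so whatever guards `dataTypes[0]` being present is not visible here.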
let fileTypeSuffixes = ["json"];


@ -0,0 +1,57 @@
try {
$diff = git diff --diff-filter=d --name-only HEAD^ HEAD
Write-Host "List of files in PR: $diff"
$hasmainTemplateChanged = $false
$hasCreateUiDefinitionTemplateChanged = $false
$isChangeInSolutionsFolder = [bool]($diff | Where-Object {$_ -like 'Solutions/*'})
if (!$isChangeInSolutionsFolder)
{
Write-Host "Skipping as change is not in Solutions folder!"
exit 0
}
$requiredFiles = @("mainTemplate.json", "createUiDefinition.json")
$filteredFiles = $diff | Where-Object {$_ -match ($requiredFiles -Join "|")}
Write-Host "Filtered Files $filteredFiles"
$sName = ''
$hasmainTemplateChanged = $false
$hasCreateUiDefinitionTemplateChanged = $false
if ($filteredFiles.Count -gt 0)
{
$mainTemplateValue = $filteredFiles -match "mainTemplate.json"
$createUiValue = $filteredFiles -match "createUiDefinition.json"
if ($mainTemplateValue -or $createUiValue)
{
$hasmainTemplateChanged = $true
$hasCreateUiDefinitionTemplateChanged = $true
}
if ($filteredFiles.Count -eq 1)
{
$packageIndex = $filteredFiles.IndexOf("/Package")
$sName = $filteredFiles.SubString(10, $packageIndex - 10)
}
else
{
$packageIndex = $filteredFiles[0].IndexOf("/Package")
$sName = $filteredFiles[0].SubString(10, $packageIndex - 10)
}
}
Write-Host "solutionName $sName, mainTemplateChanged $hasmainTemplateChanged, createUiChanged $hasCreateUiDefinitionTemplateChanged"
Write-Output "solutionName=$sName" >> $env:GITHUB_OUTPUT
Write-Output "mainTemplateChanged=$hasmainTemplateChanged" >> $env:GITHUB_OUTPUT
Write-Output "createUiChanged=$hasCreateUiDefinitionTemplateChanged" >> $env:GITHUB_OUTPUT
}
catch {
Write-Host "Skipping as exception has occured Error Details: $_"
Write-Output "solutionName=''" >> $env:GITHUB_OUTPUT
Write-Output "mainTemplateChanged=$false" >> $env:GITHUB_OUTPUT
Write-Output "createUiChanged=$false" >> $env:GITHUB_OUTPUT
}
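Review bot: The catch block on L323 writes `solutionName=''` — the two quote characters, not an empty value — to `$env:GITHUB_OUTPUT`, so the consuming workflow's `steps.step1.outputs.solutionName != ''` test sees a non-empty string and the ARM-TTK step runs with `SolutionName` set to `''` on exactly the failure path meant to skip it; write `Write-Output "solutionName=" >> $env:GITHUB_OUTPUT`, as the sibling script on L339 already does. The path parsing on L307–L308 and L312–L313 hard-codes `10` for the length of `Solutions/` and feeds the result of `IndexOf("/Package")` straight into `SubString`, so a matching file outside a `Package` folder yields `-1`, throws, and lands in that same catch. L300–L304 set both `mainTemplateChanged` and `createUiChanged` to `$true` when either pattern matched, so the two outputs can never differ; if that is intended, say so in a comment, otherwise set each flag from its own match as the inline version this replaces did. `git diff HEAD^ HEAD` on L280 compares only the last commit of the checked-out ref, so a multi-commit PR is inspected partially — diffing against the merge base of the target branch, once that branch is fetched, would cover the whole PR.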


@ -17,6 +17,18 @@ try
$filteredFiles = $diff | Where-Object {$_ -match "Solutions/"} | Where-Object {$_ -notlike "Solutions/Images/*"} | Where-Object {$_ -notlike "Solutions/*.md"} | Where-Object { $_ -notlike '*system_generated_metadata.json' }
Write-Host "Filtered Files $filteredFiles"
# IDENTIFY EXCLUSIONS AND IF THERE ARE NO FILES AFTER EXCLUSION THEN SKIP WORKFLOW RUN
$exclusionList = @(".py$",".png$",".jpg$",".jpeg$",".conf$", ".svg$", ".html$", ".ps1$", ".psd1$", "requirements.txt$", "host.json$", "proxies.json$", "/function.json$", ".xml$", ".zip$", ".md$")
$filterOutExclusionList = $filteredFiles | Where-Object { $_ -notmatch ($exclusionList -join '|') }
if ($filterOutExclusionList.Count -le 0)
{
Write-Host "Skipping GitHub Action as changes in PR are not valid and contains only excluded files!"
Write-Output "solutionName=" >> $env:GITHUB_OUTPUT
exit 0
}
if ($filteredFiles.Count -gt 0)
{
if ($instrumentationKey -ne '')
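Review bot: The exclusion patterns on L334 are regular expressions — they are joined with `|` and fed to `-notmatch` on L335 — but their dots are unescaped, so `.py$` matches any path ending in `py`, `.md$` any ending in `md`, `host.json$` also `localhost.json`, and so on; such files would be counted as excluded and the packaging run skipped on L336–L340. Escape the literals: `$exclusionList = @("\.py$", "\.png$", "\.jpg$", "\.jpeg$", "\.conf$", "\.svg$", "\.html$", "\.ps1$", "\.psd1$", "requirements\.txt$", "host\.json$", "proxies\.json$", "/function\.json$", "\.xml$", "\.zip$", "\.md$")`. The `try` this sits in and the `$diff` it filters begin before the hunk.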


@ -140,6 +140,10 @@
{
"name": "Type",
"type": "String"
},
{
"name": "PerformedByDisplayName",
"type": "String"
}
]
}


@ -0,0 +1,73 @@
{
"Name":"MimecastTTPAttachment_CL",
"Properties":[
{
"Name":"senderAddress_s",
"Type":"String"
},
{
"Name":"recipientAddress_s",
"Type":"String"
},
{
"Name":"fileName_s",
"Type":"String"
},
{
"Name":"fileType_s",
"Type":"String"
},
{
"Name":"result_s",
"Type":"String"
},
{
"Name":"actionTriggered_s",
"Type":"String"
},
{
"Name":"date_t",
"Type":"DateTime"
},
{
"Name":"details_s",
"Type":"String"
},
{
"Name":"route_s",
"Type":"String"
},
{
"Name":"messageId_s",
"Type":"String"
},
{
"Name":"subject_s",
"Type":"String"
},
{
"Name":"fileHash_s",
"Type":"String"
},
{
"Name":"definition_s",
"Type":"String"
},
{
"Name":"mimecastEventId_s",
"Type":"String"
},
{
"Name":"mimecastEventCategory_s",
"Type":"String"
},
{
"Name":"time_generated",
"Type":"DateTime"
},
{
"name": "TimeGenerated",
"type": "DateTime"
}
]
}
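Review bot: The last property on L431–L432 uses lowercase `"name"`/`"type"` keys while every other entry in the table uses `"Name"`/`"Type"`; a consumer that reads these schemas with case-sensitive key lookup would see `TimeGenerated` as an entry without a name, and the same pattern repeats in the other two Mimecast tables added in this commit. Use `"Name": "TimeGenerated", "Type": "DateTime"` for consistency. The table also declares both `time_generated` (L427) and `TimeGenerated` (L431); if the former is a connector-supplied custom field rather than a duplicate of the standard column, nothing in the schema tells a reader that.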


@ -0,0 +1,77 @@
{
"Name":"MimecastTTPImpersonation_CL",
"Properties":[
{
"Name":"id_s",
"Type":"String"
},
{
"Name":"senderAddress_s",
"Type":"String"
},
{
"Name":"recipientAddress_s",
"Type":"String"
},
{
"Name":"subject_s",
"Type":"String"
},
{
"Name":"definition_s",
"Type":"String"
},
{
"Name":"hits_s",
"Type":"String"
},
{
"Name":"identifiers_s",
"Type":"String"
},
{
"Name":"action_s",
"Type":"String"
},
{
"Name":"taggedExternal_b",
"Type":"Bool"
},
{
"Name":"taggedMalicious_b",
"Type":"Bool"
},
{
"Name":"senderIpAddress_s",
"Type":"String"
},
{
"Name":"eventTime_t",
"Type":"DateTime"
},
{
"Name":"impersonationResults_s",
"Type":"String"
},
{
"Name":"messageId_s",
"Type":"String"
},
{
"Name":"mimecastEventId_s",
"Type":"String"
},
{
"Name":"mimecastEventCategory_s",
"Type":"String"
},
{
"Name":"time_generated",
"Type":"DateTime"
},
{
"name": "TimeGenerated",
"type": "DateTime"
}
]
}


@ -0,0 +1,105 @@
{
"Name": "MimecastTTPUrl_CL",
"Properties": [
{
"Name": "userEmailAddress_s",
"Type": "String"
},
{
"Name": "fromUserEmailAddress_s",
"Type": "String"
},
{
"Name": "url_s",
"Type": "String"
},
{
"Name": "ttpDefinition_s",
"Type": "String"
},
{
"Name": "subject_s",
"Type": "String"
},
{
"Name": "action_s",
"Type": "String"
},
{
"Name": "adminOverride_s",
"Type": "String"
},
{
"Name": "userOverride_s",
"Type": "String"
},
{
"Name": "scanResult_s",
"Type": "String"
},
{
"Name": "category_s",
"Type": "String"
},
{
"Name": "sendingIp_s",
"Type": "String"
},
{
"Name": "advancedPhishingResult_CredentialTheftBrands_s",
"Type": "String"
},
{
"Name": "advancedPhishingResult_CredentialTheftTags_s",
"Type": "String"
},
{
"Name": "advancedPhishingResult_CredentialTheftEvidence_s",
"Type": "String"
},
{
"Name": "userAwarenessAction_s",
"Type": "String"
},
{
"Name": "date_t",
"Type": "DateTime"
},
{
"Name": "actions_s",
"Type": "String"
},
{
"Name": "route_s",
"Type": "String"
},
{
"Name": "creationMethod_s",
"Type": "String"
},
{
"Name": "emailPartsDescription_s",
"Type": "String"
},
{
"Name": "messageId_s",
"Type": "String"
},
{
"Name": "mimecastEventId_s",
"Type": "String"
},
{
"Name": "mimecastEventCategory_s",
"Type": "String"
},
{
"Name": "time_generated",
"Type": "DateTime"
},
{
"name": "TimeGenerated",
"type": "DateTime"
}
]
}


@ -388,6 +388,910 @@
{
"Name": "_ResourceId",
"Type": "string"
},
{
"Name": "_ItemId",
"Type": "string"
},
{
"Name": "alertInfo_indicatorDescription_s",
"Type": "string"
},
{
"Name": "alertInfo_indicatorName_s",
"Type": "string"
},
{
"Name": "targetProcessInfo_tgtFileOldPath_s",
"Type": "string"
},
{
"Name": "alertInfo_indicatorCategory_s",
"Type": "string"
},
{
"Name": "alertInfo_registryOldValue_g",
"Type": "string"
},
{
"Name": "alertInfo_dstIp_s",
"Type": "string"
},
{
"Name": "alertInfo_dstPort_s",
"Type": "string"
},
{
"Name": "alertInfo_netEventDirection_s",
"Type": "string"
},
{
"Name": "alertInfo_srcIp_s",
"Type": "string"
},
{
"Name": "alertInfo_srcPort_s",
"Type": "string"
},
{
"Name": "containerInfo_id_s",
"Type": "string"
},
{
"Name": "targetProcessInfo_tgtFileId_g",
"Type": "string"
},
{
"Name": "alertInfo_registryOldValue_s",
"Type": "string"
},
{
"Name": "alertInfo_registryOldValueType_s",
"Type": "string"
},
{
"Name": "alertInfo_dnsRequest_s",
"Type": "string"
},
{
"Name": "alertInfo_dnsResponse_s",
"Type": "string"
},
{
"Name": "alertInfo_registryKeyPath_s",
"Type": "string"
},
{
"Name": "alertInfo_registryPath_s",
"Type": "string"
},
{
"Name": "alertInfo_registryValue_g",
"Type": "string"
},
{
"Name": "ruleInfo_description_s",
"Type": "string"
},
{
"Name": "alertInfo_registryValue_s",
"Type": "string"
},
{
"Name": "alertInfo_loginAccountDomain_s",
"Type": "string"
},
{
"Name": "alertInfo_loginAccountSid_s",
"Type": "string"
},
{
"Name": "alertInfo_loginIsAdministratorEquivalent_s",
"Type": "string"
},
{
"Name": "alertInfo_loginIsSuccessful_s",
"Type": "string"
},
{
"Name": "alertInfo_loginType_s",
"Type": "string"
},
{
"Name": "alertInfo_loginsUserName_s",
"Type": "string"
},
{
"Name": "alertInfo_srcMachineIp_s",
"Type": "string"
},
{
"Name": "targetProcessInfo_tgtProcCmdLine_s",
"Type": "string"
},
{
"Name": "targetProcessInfo_tgtProcImagePath_s",
"Type": "string"
},
{
"Name": "targetProcessInfo_tgtProcName_s",
"Type": "string"
},
{
"Name": "targetProcessInfo_tgtProcPid_s",
"Type": "string"
},
{
"Name": "targetProcessInfo_tgtProcSignedStatus_s",
"Type": "string"
},
{
"Name": "targetProcessInfo_tgtProcStorylineId_s",
"Type": "string"
},
{
"Name": "targetProcessInfo_tgtProcUid_s",
"Type": "string"
},
{
"Name": "sourceParentProcessInfo_storyline_g",
"Type": "string"
},
{
"Name": "sourceParentProcessInfo_uniqueId_g",
"Type": "string"
},
{
"Name": "sourceProcessInfo_storyline_g",
"Type": "string"
},
{
"Name": "sourceProcessInfo_uniqueId_g",
"Type": "string"
},
{
"Name": "targetProcessInfo_tgtProcStorylineId_g",
"Type": "string"
},
{
"Name": "targetProcessInfo_tgtProcUid_g",
"Type": "string"
},
{
"Name": "agentDetectionInfo_machineType_s",
"Type": "string"
},
{
"Name": "agentDetectionInfo_name_s",
"Type": "string"
},
{
"Name": "agentDetectionInfo_osFamily_s",
"Type": "string"
},
{
"Name": "agentDetectionInfo_osName_s",
"Type": "string"
},
{
"Name": "agentDetectionInfo_osRevision_s",
"Type": "string"
},
{
"Name": "agentDetectionInfo_uuid_g",
"Type": "string"
},
{
"Name": "agentDetectionInfo_version_s",
"Type": "string"
},
{
"Name": "agentRealtimeInfo_id_s",
"Type": "string"
},
{
"Name": "agentRealtimeInfo_infected_b",
"Type": "bool"
},
{
"Name": "agentRealtimeInfo_isActive_b",
"Type": "bool"
},
{
"Name": "agentRealtimeInfo_isDecommissioned_b",
"Type": "bool"
},
{
"Name": "agentRealtimeInfo_machineType_s",
"Type": "string"
},
{
"Name": "agentRealtimeInfo_name_s",
"Type": "string"
},
{
"Name": "agentRealtimeInfo_os_s",
"Type": "string"
},
{
"Name": "agentRealtimeInfo_uuid_g",
"Type": "string"
},
{
"Name": "alertInfo_alertId_s",
"Type": "string"
},
{
"Name": "alertInfo_analystVerdict_s",
"Type": "string"
},
{
"Name": "alertInfo_createdAt_t",
"Type": "datetime"
},
{
"Name": "alertInfo_dvEventId_s",
"Type": "string"
},
{
"Name": "alertInfo_eventType_s",
"Type": "string"
},
{
"Name": "alertInfo_hitType_s",
"Type": "string"
},
{
"Name": "alertInfo_incidentStatus_s",
"Type": "string"
},
{
"Name": "alertInfo_isEdr_b",
"Type": "bool"
},
{
"Name": "alertInfo_reportedAt_t",
"Type": "datetime"
},
{
"Name": "alertInfo_source_s",
"Type": "string"
},
{
"Name": "alertInfo_updatedAt_t",
"Type": "datetime"
},
{
"Name": "ruleInfo_id_s",
"Type": "string"
},
{
"Name": "ruleInfo_name_s",
"Type": "string"
},
{
"Name": "ruleInfo_queryLang_s",
"Type": "string"
},
{
"Name": "ruleInfo_queryType_s",
"Type": "string"
},
{
"Name": "ruleInfo_s1ql_s",
"Type": "string"
},
{
"Name": "ruleInfo_scopeLevel_s",
"Type": "string"
},
{
"Name": "ruleInfo_severity_s",
"Type": "string"
},
{
"Name": "ruleInfo_treatAsThreat_s",
"Type": "string"
},
{
"Name": "sourceParentProcessInfo_commandline_s",
"Type": "string"
},
{
"Name": "sourceParentProcessInfo_fileHashMd5_g",
"Type": "string"
},
{
"Name": "sourceParentProcessInfo_fileHashSha1_s",
"Type": "string"
},
{
"Name": "sourceParentProcessInfo_fileHashSha256_s",
"Type": "string"
},
{
"Name": "sourceParentProcessInfo_filePath_s",
"Type": "string"
},
{
"Name": "sourceParentProcessInfo_fileSignerIdentity_s",
"Type": "string"
},
{
"Name": "sourceParentProcessInfo_integrityLevel_s",
"Type": "string"
},
{
"Name": "sourceParentProcessInfo_name_s",
"Type": "string"
},
{
"Name": "sourceParentProcessInfo_pid_s",
"Type": "string"
},
{
"Name": "sourceParentProcessInfo_pidStarttime_t",
"Type": "datetime"
},
{
"Name": "sourceParentProcessInfo_storyline_s",
"Type": "string"
},
{
"Name": "sourceParentProcessInfo_subsystem_s",
"Type": "string"
},
{
"Name": "sourceParentProcessInfo_uniqueId_s",
"Type": "string"
},
{
"Name": "sourceParentProcessInfo_user_s",
"Type": "string"
},
{
"Name": "sourceProcessInfo_commandline_s",
"Type": "string"
},
{
"Name": "sourceProcessInfo_fileHashMd5_g",
"Type": "string"
},
{
"Name": "sourceProcessInfo_fileHashSha1_s",
"Type": "string"
},
{
"Name": "sourceProcessInfo_fileHashSha256_s",
"Type": "string"
},
{
"Name": "sourceProcessInfo_filePath_s",
"Type": "string"
},
{
"Name": "sourceProcessInfo_fileSignerIdentity_s",
"Type": "string"
},
{
"Name": "sourceProcessInfo_integrityLevel_s",
"Type": "string"
},
{
"Name": "sourceProcessInfo_name_s",
"Type": "string"
},
{
"Name": "sourceProcessInfo_pid_s",
"Type": "string"
},
{
"Name": "sourceProcessInfo_pidStarttime_t",
"Type": "datetime"
},
{
"Name": "sourceProcessInfo_storyline_s",
"Type": "string"
},
{
"Name": "sourceProcessInfo_subsystem_s",
"Type": "string"
},
{
"Name": "sourceProcessInfo_uniqueId_s",
"Type": "string"
},
{
"Name": "sourceProcessInfo_user_s",
"Type": "string"
},
{
"Name": "targetProcessInfo_tgtFileCreatedAt_t",
"Type": "datetime"
},
{
"Name": "targetProcessInfo_tgtFileHashSha1_s",
"Type": "string"
},
{
"Name": "targetProcessInfo_tgtFileHashSha256_s",
"Type": "string"
},
{
"Name": "targetProcessInfo_tgtFileId_s",
"Type": "string"
},
{
"Name": "targetProcessInfo_tgtFileIsSigned_s",
"Type": "string"
},
{
"Name": "targetProcessInfo_tgtFileModifiedAt_t",
"Type": "datetime"
},
{
"Name": "targetProcessInfo_tgtFilePath_s",
"Type": "string"
},
{
"Name": "targetProcessInfo_tgtProcIntegrityLevel_s",
"Type": "string"
},
{
"Name": "targetProcessInfo_tgtProcessStartTime_t",
"Type": "datetime"
},
{
"Name": "agentUpdatedVersion_s",
"Type": "string"
},
{
"Name": "agentId_s",
"Type": "string"
},
{
"Name": "hash_s",
"Type": "string"
},
{
"Name": "osFamily_s",
"Type": "string"
},
{
"Name": "threatId_s",
"Type": "string"
},
{
"Name": "agentDetectionInfo_accountId_s",
"Type": "string"
},
{
"Name": "agentDetectionInfo_accountName_s",
"Type": "string"
},
{
"Name": "agentDetectionInfo_agentDetectionState_s",
"Type": "string"
},
{
"Name": "agentDetectionInfo_agentDomain_s",
"Type": "string"
},
{
"Name": "agentDetectionInfo_agentIpV4_s",
"Type": "string"
},
{
"Name": "agentDetectionInfo_agentIpV6_s",
"Type": "string"
},
{
"Name": "agentDetectionInfo_agentLastLoggedInUserName_s",
"Type": "string"
},
{
"Name": "agentDetectionInfo_agentMitigationMode_s",
"Type": "string"
},
{
"Name": "agentDetectionInfo_agentOsName_s",
"Type": "string"
},
{
"Name": "agentDetectionInfo_agentOsRevision_s",
"Type": "string"
},
{
"Name": "agentDetectionInfo_agentRegisteredAt_t",
"Type": "datetime"
},
{
"Name": "agentDetectionInfo_agentUuid_g",
"Type": "string"
},
{
"Name": "agentDetectionInfo_agentVersion_s",
"Type": "string"
},
{
"Name": "agentDetectionInfo_externalIp_s",
"Type": "string"
},
{
"Name": "agentDetectionInfo_groupId_s",
"Type": "string"
},
{
"Name": "agentDetectionInfo_groupName_s",
"Type": "string"
},
{
"Name": "agentDetectionInfo_siteId_s",
"Type": "string"
},
{
"Name": "agentDetectionInfo_siteName_s",
"Type": "string"
},
{
"Name": "agentRealtimeInfo_accountId_s",
"Type": "string"
},
{
"Name": "agentRealtimeInfo_accountName_s",
"Type": "string"
},
{
"Name": "agentRealtimeInfo_activeThreats_d",
"Type": "real"
},
{
"Name": "agentRealtimeInfo_agentComputerName_s",
"Type": "string"
},
{
"Name": "agentRealtimeInfo_agentDomain_s",
"Type": "string"
},
{
"Name": "agentRealtimeInfo_agentId_s",
"Type": "string"
},
{
"Name": "agentRealtimeInfo_agentInfected_b",
"Type": "bool"
},
{
"Name": "agentRealtimeInfo_agentIsActive_b",
"Type": "bool"
},
{
"Name": "agentRealtimeInfo_agentIsDecommissioned_b",
"Type": "bool"
},
{
"Name": "agentRealtimeInfo_agentMachineType_s",
"Type": "string"
},
{
"Name": "agentRealtimeInfo_agentMitigationMode_s",
"Type": "string"
},
{
"Name": "agentRealtimeInfo_agentNetworkStatus_s",
"Type": "string"
},
{
"Name": "agentRealtimeInfo_agentOsName_s",
"Type": "string"
},
{
"Name": "agentRealtimeInfo_agentOsRevision_s",
"Type": "string"
},
{
"Name": "agentRealtimeInfo_agentOsType_s",
"Type": "string"
},
{
"Name": "agentRealtimeInfo_agentUuid_g",
"Type": "string"
},
{
"Name": "agentRealtimeInfo_agentVersion_s",
"Type": "string"
},
{
"Name": "agentRealtimeInfo_groupId_s",
"Type": "string"
},
{
"Name": "agentRealtimeInfo_groupName_s",
"Type": "string"
},
{
"Name": "agentRealtimeInfo_networkInterfaces_s",
"Type": "string"
},
{
"Name": "agentRealtimeInfo_operationalState_s",
"Type": "string"
},
{
"Name": "agentRealtimeInfo_rebootRequired_b",
"Type": "bool"
},
{
"Name": "agentRealtimeInfo_scanFinishedAt_t",
"Type": "datetime"
},
{
"Name": "agentRealtimeInfo_scanStartedAt_t",
"Type": "datetime"
},
{
"Name": "agentRealtimeInfo_scanStatus_s",
"Type": "string"
},
{
"Name": "agentRealtimeInfo_siteId_s",
"Type": "string"
},
{
"Name": "agentRealtimeInfo_siteName_s",
"Type": "string"
},
{
"Name": "agentRealtimeInfo_userActionsNeeded_s",
"Type": "string"
},
{
"Name": "indicators_s",
"Type": "string"
},
{
"Name": "mitigationStatus_s",
"Type": "string"
},
{
"Name": "threatInfo_analystVerdict_s",
"Type": "string"
},
{
"Name": "threatInfo_analystVerdictDescription_s",
"Type": "string"
},
{
"Name": "threatInfo_automaticallyResolved_b",
"Type": "bool"
},
{
"Name": "threatInfo_certificateId_s",
"Type": "string"
},
{
"Name": "threatInfo_classification_s",
"Type": "string"
},
{
"Name": "threatInfo_classificationSource_s",
"Type": "string"
},
{
"Name": "threatInfo_cloudFilesHashVerdict_s",
"Type": "string"
},
{
"Name": "threatInfo_collectionId_s",
"Type": "string"
},
{
"Name": "threatInfo_confidenceLevel_s",
"Type": "string"
},
{
"Name": "threatInfo_createdAt_t",
"Type": "datetime"
},
{
"Name": "threatInfo_detectionEngines_s",
"Type": "string"
},
{
"Name": "threatInfo_detectionType_s",
"Type": "string"
},
{
"Name": "threatInfo_engines_s",
"Type": "string"
},
{
"Name": "threatInfo_externalTicketExists_b",
"Type": "bool"
},
{
"Name": "threatInfo_failedActions_b",
"Type": "bool"
},
{
"Name": "threatInfo_fileExtension_s",
"Type": "string"
},
{
"Name": "threatInfo_fileExtensionType_s",
"Type": "string"
},
{
"Name": "threatInfo_filePath_s",
"Type": "string"
},
{
"Name": "threatInfo_fileSize_d",
"Type": "real"
},
{
"Name": "threatInfo_fileVerificationType_s",
"Type": "string"
},
{
"Name": "threatInfo_identifiedAt_t",
"Type": "datetime"
},
{
"Name": "threatInfo_incidentStatus_s",
"Type": "string"
},
{
"Name": "threatInfo_incidentStatusDescription_s",
"Type": "string"
},
{
"Name": "threatInfo_initiatedBy_s",
"Type": "string"
},
{
"Name": "threatInfo_initiatedByDescription_s",
"Type": "string"
},
{
"Name": "threatInfo_isFileless_b",
"Type": "bool"
},
{
"Name": "threatInfo_isValidCertificate_b",
"Type": "bool"
},
{
"Name": "threatInfo_mitigatedPreemptively_b",
"Type": "bool"
},
{
"Name": "threatInfo_mitigationStatus_s",
"Type": "string"
},
{
"Name": "threatInfo_mitigationStatusDescription_s",
"Type": "string"
},
{
"Name": "threatInfo_originatorProcess_s",
"Type": "string"
},
{
"Name": "threatInfo_pendingActions_b",
"Type": "bool"
},
{
"Name": "threatInfo_processUser_s",
"Type": "string"
},
{
"Name": "threatInfo_publisherName_s",
"Type": "string"
},
{
"Name": "threatInfo_reachedEventsLimit_b",
"Type": "bool"
},
{
"Name": "threatInfo_rebootRequired_b",
"Type": "bool"
},
{
"Name": "threatInfo_sha1_s",
"Type": "string"
},
{
"Name": "threatInfo_storyline_s",
"Type": "string"
},
{
"Name": "threatInfo_threatId_s",
"Type": "string"
},
{
"Name": "threatInfo_threatName_s",
"Type": "string"
},
{
"Name": "threatInfo_updatedAt_t",
"Type": "datetime"
},
{
"Name": "whiteningOptions_s",
"Type": "string"
},
{
"Name": "threatInfo_maliciousProcessArguments_s",
"Type": "string"
},
{
"Name": "threatInfo_fileExtension_g",
"Type": "string"
},
{
"Name": "threatInfo_threatName_g",
"Type": "string"
},
{
"Name": "threatInfo_storyline_g",
"Type": "string"
},
{
"Name": "activityUuid_g",
"Type": "string"
},
{
"Name": "secondaryDescription_s",
"Type": "string"
},
{
"Name": "DataFields_s",
"Type": "string"
},
{
"Name": "description_s",
"Type": "string"
},
{
"Name": "comments_s",
"Type": "string"
},
{
"Name": "detectionState_s",
"Type": "string"
},
{
"Name": "firstFullModeTime_t",
"Type": "datetime"
},
{
"Name": "fullDiskScanLastUpdatedAt_t",
"Type": "datetime"
},
{
"Name": "serialNumber_s",
"Type": "string"
},
{
"Name": "showAlertIcon_b",
"Type": "bool"
},
{
"Name": "tags_sentinelone_s",
"Type": "string"
},
{
"Name": "osUsername_s",
"Type": "string"
},
{
"Name": "scanAbortedAt_t",
"Type": "datetime"
},
{
"Name": "_ItemId",
"Type": "string"
}
]
}
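Review bot: `_ItemId` is declared twice in this table, at L635 and again at L1535 as the final property of the appended block; depending on how the validation harness loads these schemas a duplicate column either fails the load or silently shadows the first definition, so drop the second entry. The appended block also gives every `_g` column `"Type": "string"` (for example L655, L823, L943, L1151), while the `SpyCloudBreachDataWatchlist_CL` schema added in this same commit types its `_g` columns as `Guid`; the earlier part of this file is not visible here, so if it already uses `string` for `_g` that is the convention to keep, but the two new tables should not disagree on what the suffix means, because the declared type is what KQL validation will enforce.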


@ -0,0 +1,117 @@
{
"Name": "SpyCloudBreachDataWatchlist_CL",
"Properties": [
{
"Name": "Document_Id_g",
"Type": "Guid"
},
{
"Name": "Domain_s",
"Type": "String"
},
{
"Name": "Email_s",
"Type": "String"
},
{
"Name": "IP_Address_s",
"Type": "String"
},
{
"Name": "Infected_Machine_Id",
"Type": "String"
},
{
"Name": "Infected_Machine_Id_g",
"Type": "Guid"
},
{
"Name": "Infected_Path_s",
"Type": "String"
},
{
"Name": "Infected_Time_t",
"Type": "DateTime"
},
{
"Name": "Password_s",
"Type": "String"
},
{
"Name": "Password_Plaintext_s",
"Type": "String"
},
{
"Name": "Severity_s",
"Type": "String"
},
{
"Name": "Source_Id_s",
"Type": "String"
},
{
"Name": "SpyCloud_Publish_Date_t",
"Type": "DateTime"
},
{
"Name": "Target_Domain_s",
"Type": "String"
},
{
"Name": "Target_SubDomain_s",
"Type": "String"
},
{
"Name": "Target_URL_s",
"Type": "String"
},
{
"Name": "User_Hostname_s",
"Type": "String"
},
{
"Name": "User_OS_s",
"Type": "String"
},
{
"Name": "Username_s",
"Type": "String"
},
{
"Name": "TenantID",
"Type": "String"
},
{
"Name": "SourceSystem",
"Type": "String"
},
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "Computer",
"Type": "String"
},
{
"Name": "MG",
"Type": "String"
},
{
"Name": "ManagementGroupName",
"Type": "String"
},
{
"Name": "RawData",
"Type": "String"
},
{
"Name": "Type",
"Type": "String"
},
{
"Name": "_ResourceId",
"Type": "String"
}
]
}
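Review bot: The schema declares `Password_s` (L1580) and `Password_Plaintext_s` (L1584) as columns of `SpyCloudBreachDataWatchlist_CL`, which means the connector this validates is expected to ingest credential material, possibly in clear, into the Log Analytics workspace where every reader of the table can query it. Whether the connector actually populates those columns is not visible here; if it does, the solution should document that the table needs table-level RBAC or ingestion-time masking, and analytics rules built on it should avoid projecting these columns into alert entities and incident comments. `Infected_Machine_Id` appears both as a plain string (L1564) and as `Infected_Machine_Id_g` typed `Guid` (L1568); if the connector emits only one of them, the other is dead schema.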


@ -0,0 +1,205 @@
{
"Name": "ZeroFoxAlertPoller_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "alert_type_s",
"Type": "String"
},
{
"Name": "logs_s",
"Type": "String"
},
{
"Name": "offending_content_url_s",
"Type": "String"
},
{
"Name": "asset_term_s",
"Type": "String"
},
{
"Name": "assignee_s",
"Type": "String"
},
{
"Name": "entity_id_d",
"Type": "Double"
},
{
"Name": "entity_name_s",
"Type": "String"
},
{
"Name": "entity_image_s",
"Type": "String"
},
{
"Name": "entity_labels_s",
"Type": "String"
},
{
"Name": "entity_entity_group_id_d",
"Type": "Double"
},
{
"Name": "entity_entity_group_name_s",
"Type": "String"
},
{
"Name": "entity_term_s",
"Type": "String"
},
{
"Name": "content_created_at_t",
"Type": "DateTime"
},
{
"Name": "id_d",
"Type": "Double"
},
{
"Name": "Severity",
"Type": "Double"
},
{
"Name": "perpetrator_name_s",
"Type": "String"
},
{
"Name": "perpetrator_display_name_s",
"Type": "String"
},
{
"Name": "perpetrator_id_d",
"Type": "Double"
},
{
"Name": "perpetrator_url_s",
"Type": "String"
},
{
"Name": "perpetrator_content_s",
"Type": "String"
},
{
"Name": "perpetrator_type_s",
"Type": "String"
},
{
"Name": "perpetrator_timestamp_t",
"Type": "DateTime"
},
{
"Name": "perpetrator_network_s",
"Type": "String"
},
{
"Name": "rule_group_id_d",
"Type": "Double"
},
{
"Name": "asset_id_d",
"Type": "Double"
},
{
"Name": "asset_name_s",
"Type": "String"
},
{
"Name": "asset_image_s",
"Type": "String"
},
{
"Name": "asset_labels_s",
"Type": "String"
},
{
"Name": "asset_entity_group_id_d",
"Type": "Double"
},
{
"Name": "asset_entity_group_name_s",
"Type": "String"
},
{
"Name": "entered_by_s",
"Type": "String"
},
{
"Name": "metadata_s",
"Type": "String"
},
{
"Name": "status_s",
"Type": "String"
},
{
"Name": "timestamp_t",
"Type": "DateTime"
},
{
"Name": "rule_name_s",
"Type": "String"
},
{
"Name": "last_modified_t",
"Type": "DateTime"
},
{
"Name": "protected_locations_s",
"Type": "String"
},
{
"Name": "darkweb_term_s",
"Type": "String"
},
{
"Name": "business_network_s",
"Type": "String"
},
{
"Name": "reviewed_b",
"Type": "Boolean"
},
{
"Name": "escalated_b",
"Type": "Boolean"
},
{
"Name": "network_s",
"Type": "String"
},
{
"Name": "protected_social_object_s",
"Type": "String"
},
{
"Name": "notes_s",
"Type": "String"
},
{
"Name": "reviews_s",
"Type": "String"
},
{
"Name": "rule_id_d",
"Type": "Double"
},
{
"Name": "entity_account_s",
"Type": "String"
},
{
"Name": "entity_email_receiver_id_s",
"Type": "String"
},
{
"Name": "tags_s",
"Type": "String"
}
]
}
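Review bot: `Severity` is the only property in this file without a type suffix, yet it is typed Double; every other Double column here uses `_d` (`id_d`, `entity_id_d`, `rule_id_d`), following the Log Analytics custom-log suffix convention the rest of the schema relies on. If the ingested column is really `Severity_d` the schema file will not match it, and if the column is genuinely unsuffixed a short note in the accompanying docs saying so would help. The same question applies to `tlp` in ZeroFox_CTI_advanced_dark_web_CL (ZeroFox_CTI_breaches_CL uses `tlp_s`) and to `breached_at` typed DateTime in ZeroFox_CTI_botnet_CL, where every other DateTime column ends in `_t`.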


@ -0,0 +1,33 @@
{
"Name": "ZeroFox_CTI_C2_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "domain_s",
"Type": "String"
},
{
"Name": "port_d",
"Type": "Double"
},
{
"Name": "tags_s",
"Type": "String"
},
{
"Name": "ip_addresses_s",
"Type": "String"
},
{
"Name": "updated_at_t",
"Type": "DateTime"
},
{
"Name": "created_at_t",
"Type": "DateTime"
}
]
}


@ -0,0 +1,78 @@
{
"Name": "ZeroFox_CTI_advanced_dark_web_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "id_d",
"Type": "Double"
},
{
"Name": "created_at_t",
"Type": "DateTime"
},
{
"Name": "title_s",
"Type": "String"
},
{
"Name": "confidence_s",
"Type": "String"
},
{
"Name": "reliability_s",
"Type": "String"
},
{
"Name": "tlp",
"Type": "String"
},
{
"Name": "contents_s",
"Type": "String"
},
{
"Name": "comments_s",
"Type": "String"
},
{
"Name": "threat_types_s",
"Type": "String"
},
{
"Name": "target_targets_s",
"Type": "String"
},
{
"Name": "target_regions_s",
"Type": "String"
},
{
"Name": "target_industries_s",
"Type": "String"
},
{
"Name": "languages_s",
"Type": "String"
},
{
"Name": "actors_s",
"Type": "String"
},
{
"Name": "tags_s",
"Type": "String"
}
,
{
"Name": "source_urls_s",
"Type": "String"
},
{
"Name": "source_names_s",
"Type": "String"
}
]
}
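Review bot: The `tags_s` entry closes with `}` on one line and the separating `,` on the next, unlike every other property in this file and in the sibling schema files; it parses, but it reads like a merge leftover. Join them as `},` so the list stays uniform.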


@ -0,0 +1,89 @@
{
"Name": "ZeroFox_CTI_botnet_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "listed_at_t",
"Type": "DateTime"
},
{
"Name": "bot_name_s",
"Type": "String"
},
{
"Name": "c2_ip_address_s",
"Type": "String"
},
{
"Name": "c2_domain_s",
"Type": "String"
},
{
"Name": "is_common_domain_b",
"Type": "Boolean"
},
{
"Name": "file_location_s",
"Type": "String"
},
{
"Name": "operating_system_s",
"Type": "String"
},
{
"Name": "anti_viruses_s",
"Type": "String"
},
{
"Name": "country_code_s",
"Type": "String"
},
{
"Name": "zip_code_s",
"Type": "String"
},
{
"Name": "location_s",
"Type": "String"
},
{
"Name": "current_language_s",
"Type": "String"
},
{
"Name": "available_keyboards_s",
"Type": "String"
},
{
"Name": "uac_s",
"Type": "String"
},
{
"Name": "process_elevation_s",
"Type": "String"
},
{
"Name": "acquired_at_t",
"Type": "DateTime"
},
{
"Name": "logged_at_t",
"Type": "DateTime"
},
{
"Name": "estimated_infected_at_t",
"Type": "DateTime"
},
{
"Name": "breached_at",
"Type": "DateTime"
},
{
"Name": "tags_s",
"Type": "String"
}
]
}


@ -0,0 +1,85 @@
{
"Name": "ZeroFox_CTI_breaches_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "id_s",
"Type": "Double"
},
{
"Name": "name_s",
"Type": "String"
},
{
"Name": "description_s",
"Type": "String"
},
{
"Name": "breach_date_t",
"Type": "DateTime"
},
{
"Name": "created_at_t",
"Type": "DateTime"
},
{
"Name": "included_fields_s",
"Type": "String"
},
{
"Name": "record_count_d",
"Type": "Double"
},
{
"Name": "threat_type_s",
"Type": "String"
},
{
"Name": "geography_region_code_s",
"Type": "String"
},
{
"Name": "geography_sub_region_code_s",
"Type": "String"
},
{
"Name": "geography_country_code_s",
"Type": "String"
},
{
"Name": "geography_country_iso_alpha3_code_s",
"Type": "String"
},
{
"Name": "geography_region_s",
"Type": "String"
},
{
"Name": "geography_sub_region_s",
"Type": "String"
},
{
"Name": "geography_country_s",
"Type": "String"
},
{
"Name": "confidence_s",
"Type": "String"
},
{
"Name": "reliability_s",
"Type": "String"
},
{
"Name": "tlp_s",
"Type": "String"
},
{
"Name": "industry_s",
"Type": "String"
}
]
}
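Review bot: `id_s` is typed Double, but its `_s` suffix denotes a String column; the sibling files (ZeroFoxAlertPoller_CL, ZeroFox_CTI_advanced_dark_web_CL, ZeroFox_CTI_threat_actors_CL) declare the same concept as `id_d` with Double. One of name or type is wrong here — either `"Name": "id_d"` or `"Type": "String"` — and the choice should follow what the connector actually sends. `cvv_s` typed Double in ZeroFox_CTI_credit_cards_CL has the same suffix/type disagreement.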


@ -0,0 +1,41 @@
{
"Name": "ZeroFox_CTI_compromised_credentials_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "domain_s",
"Type": "String"
},
{
"Name": "email_s",
"Type": "String"
},
{
"Name": "username_s",
"Type": "String"
},
{
"Name": "password_s",
"Type": "String"
},
{
"Name": "breach_name_s",
"Type": "String"
},
{
"Name": "breach_id_s",
"Type": "String"
},
{
"Name": "impacted_domain_s",
"Type": "String"
},
{
"Name": "created_at_t",
"Type": "DateTime"
}
]
}


@ -0,0 +1,45 @@
{
"Name": "ZeroFox_CTI_credit_cards_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "cc_num_s",
"Type": "String"
},
{
"Name": "month_s",
"Type": "String"
},
{
"Name": "year_s",
"Type": "String"
},
{
"Name": "cvv_s",
"Type": "Double"
},
{
"Name": "issuer_s",
"Type": "String"
},
{
"Name": "source_s",
"Type": "String"
},
{
"Name": "cc_bin_s",
"Type": "String"
},
{
"Name": "breach_name_s",
"Type": "String"
},
{
"Name": "created_at_t",
"Type": "DateTime"
}
]
}
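Review bot: `cc_num_s` and `cvv_s` bring the full card number and the card verification value into the workspace as ordinary columns, and `cvv_s` is additionally typed Double although its `_s` suffix says String. PCI DSS does not permit storing the CVV after authorisation and expects the PAN to be masked or truncated at rest, so the table's documentation should state whether the feed delivers masked values or the connector truncates them, and who may query the table. At minimum the suffix/type mismatch on `cvv_s` needs resolving to whichever form the connector emits.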


@ -0,0 +1,82 @@
{
"Name": "ZeroFox_CTI_dark_web_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "content_audience_s",
"Type": "String"
},
{
"Name": "forum_name_s",
"Type": "String"
},
{
"Name": "forum_uuid_g",
"Type": "GUID"
},
{
"Name": "general_topic_s",
"Type": "String"
},
{
"Name": "language_code_s",
"Type": "String"
},
{
"Name": "network_type_s",
"Type": "String"
},
{
"Name": "parent_uuid_g",
"Type": "GUID"
},
{
"Name": "post_body_s",
"Type": "String"
},
{
"Name": "timestamp_t",
"Type": "DateTime"
},
{
"Name": "post_member_name_s",
"Type": "String"
},
{
"Name": "post_type_s",
"Type": "String"
},
{
"Name": "post_uuid_g",
"Type": "GUID"
},
{
"Name": "sequence_number_d",
"Type": "Double"
},
{
"Name": "thread_name_s",
"Type": "String"
},
{
"Name": "thread_url_s",
"Type": "String"
},
{
"Name": "thread_uuid_g",
"Type": "GUID"
},
{
"Name": "domain_s",
"Type": "String"
},
{
"Name": "created_at_t",
"Type": "DateTime"
}
]
}
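Review bot: The four GUID columns here spell the type `GUID`, while SpyCloudBreachDataWatchlist_CL spells it `Guid` and the first schema file in this commit uses lower-case `string`/`datetime`/`bool`. If whatever consumes these schema files compares `Type` case-sensitively, some of the new files will be rejected or mis-typed; pick one spelling across them. A one-line note in the schema README listing the accepted spellings would prevent the drift recurring.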


@ -0,0 +1,33 @@
{
"Name": "ZeroFox_CTI_discord_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "author_id_s",
"Type": "String"
},
{
"Name": "author_username_s",
"Type": "String"
},
{
"Name": "channel_name_s",
"Type": "String"
},
{
"Name": "content_s",
"Type": "String"
},
{
"Name": "server_name_s",
"Type": "String"
},
{
"Name": "timestamp_t",
"Type": "DateTime"
}
]
}


@ -0,0 +1,61 @@
{
"Name": "ZeroFox_CTI_disruption_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "url_s",
"Type": "String"
},
{
"Name": "fqdn_s",
"Type": "String"
},
{
"Name": "ip_s",
"Type": "String"
},
{
"Name": "host_s",
"Type": "String"
},
{
"Name": "registrar_s",
"Type": "String"
},
{
"Name": "threat_type_s",
"Type": "String"
},
{
"Name": "http_status_d",
"Type": "Double"
},
{
"Name": "asn_d",
"Type": "Double"
},
{
"Name": "iana_d",
"Type": "Double"
},
{
"Name": "created_at_t",
"Type": "DateTime"
},
{
"Name": "updated_at_t",
"Type": "DateTime"
},
{
"Name": "category_s",
"Type": "String"
},
{
"Name": "network_s",
"Type": "String"
}
]
}


@ -0,0 +1,25 @@
{
"Name": "ZeroFox_CTI_email_addresses_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "created_at_t",
"Type": "DateTime"
},
{
"Name": "email_s",
"Type": "String"
},
{
"Name": "domain_s",
"Type": "String"
},
{
"Name": "tags_s",
"Type": "String"
}
]
}


@ -0,0 +1,25 @@
{
"Name": "ZeroFox_CTI_exploits_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "created_at_t",
"Type": "DateTime"
},
{
"Name": "cve_s",
"Type": "String"
},
{
"Name": "urls_s",
"Type": "String"
},
{
"Name": "exploit_s",
"Type": "String"
}
]
}


@ -0,0 +1,69 @@
{
"Name": "ZeroFox_CTI_identity_breach_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "cac_username_hash_s",
"Type": "String"
},
{
"Name": "cac_email_hash_s",
"Type": "String"
},
{
"Name": "cac_password_hash_s",
"Type": "String"
},
{
"Name": "ncid_id_hash_s",
"Type": "String"
},
{
"Name": "cc_num_hash_s",
"Type": "String"
},
{
"Name": "passport_id_hash_s",
"Type": "String"
},
{
"Name": "bank_account_id_hash_s",
"Type": "String"
},
{
"Name": "medical_account_id_hash_s",
"Type": "String"
},
{
"Name": "phone_number_e164_hash_s",
"Type": "String"
},
{
"Name": "dl_id_hash_s",
"Type": "String"
},
{
"Name": "ui_discovered_ts_s",
"Type": "String"
},
{
"Name": "ui_insertion_ts_s",
"Type": "String"
},
{
"Name": "ui_breach_id_d",
"Type": "Double"
},
{
"Name": "ui_breach_name_s",
"Type": "String"
},
{
"Name": "ui_breach_description_s",
"Type": "String"
}
]
}


@ -0,0 +1,53 @@
{
"Name": "ZeroFox_CTI_irc_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "channel_s",
"Type": "String"
},
{
"Name": "message_s",
"Type": "String"
},
{
"Name": "sender_s",
"Type": "String"
},
{
"Name": "timestamp_t",
"Type": "DateTime"
},
{
"Name": "username_s",
"Type": "String"
},
{
"Name": "hostname_s",
"Type": "String"
},
{
"Name": "real_name_s",
"Type": "String"
},
{
"Name": "server_s",
"Type": "String"
},
{
"Name": "server_info_s",
"Type": "String"
},
{
"Name": "secure_b",
"Type": "Boolean"
},
{
"Name": "account_s",
"Type": "String"
}
]
}


@ -0,0 +1,45 @@
{
"Name": "ZeroFox_CTI_malware_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "created_at_t",
"Type": "DateTime"
},
{
"Name": "family_s",
"Type": "String"
},
{
"Name": "md5_s",
"Type": "String"
},
{
"Name": "sha1_s",
"Type": "String"
},
{
"Name": "sha256_s",
"Type": "String"
},
{
"Name": "sha512_s",
"Type": "String"
},
{
"Name": "tags_s",
"Type": "String"
},
{
"Name": "botnet_s",
"Type": "String"
},
{
"Name": "c2_s",
"Type": "String"
}
]
}


@ -0,0 +1,41 @@
{
"Name": "ZeroFox_CTI_national_ids_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "national_identifier_s",
"Type": "String"
},
{
"Name": "country_s",
"Type": "String"
},
{
"Name": "first_name_s",
"Type": "String"
},
{
"Name": "last_name_s",
"Type": "String"
},
{
"Name": "person_name_s",
"Type": "String"
},
{
"Name": "created_at_t",
"Type": "DateTime"
},
{
"Name": "source_s",
"Type": "String"
},
{
"Name": "breach_name_s",
"Type": "String"
}
]
}


@ -0,0 +1,45 @@
{
"Name": "ZeroFox_CTI_phishing_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "scanned_t",
"Type": "DateTime"
},
{
"Name": "domain_s",
"Type": "String"
},
{
"Name": "url_s",
"Type": "String"
},
{
"Name": "cert_authority_s",
"Type": "String"
},
{
"Name": "cert_fingerprint_s",
"Type": "String"
},
{
"Name": "cert_issued_s",
"Type": "String"
},
{
"Name": "host_ip_s",
"Type": "String"
},
{
"Name": "host_asn_d",
"Type": "Double"
},
{
"Name": "host_geo_s",
"Type": "String"
}
]
}


@ -0,0 +1,17 @@
{
"Name": "ZeroFox_CTI_phone_numbers_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "phone_number_s",
"Type": "String"
},
{
"Name": "created_at_t",
"Type": "DateTime"
}
]
}


@ -0,0 +1,53 @@
{
"Name": "ZeroFox_CTI_ransomware_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "created_at_t",
"Type": "DateTime"
},
{
"Name": "md5_s",
"Type": "String"
},
{
"Name": "sha1_s",
"Type": "String"
},
{
"Name": "sha256_s",
"Type": "String"
},
{
"Name": "sha512_s",
"Type": "String"
},
{
"Name": "emails_s",
"Type": "String"
},
{
"Name": "ransom_note_s",
"Type": "String"
},
{
"Name": "note_urls_s",
"Type": "String"
},
{
"Name": "crypto_wallets_s",
"Type": "String"
},
{
"Name": "ransomware_name_s",
"Type": "String"
},
{
"Name": "tags_s",
"Type": "String"
}
]
}


@ -0,0 +1,37 @@
{
"Name": "ZeroFox_CTI_telegram_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "channel_name_s",
"Type": "String"
},
{
"Name": "timestamp_t",
"Type": "DateTime"
},
{
"Name": "first_name_s",
"Type": "String"
},
{
"Name": "last_name_s",
"Type": "String"
},
{
"Name": "message_s",
"Type": "String"
},
{
"Name": "user_s",
"Type": "String"
},
{
"Name": "message_url_s",
"Type": "String"
}
]
}


@ -0,0 +1,57 @@
{
"Name": "ZeroFox_CTI_threat_actors_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "id_d",
"Type": "Double"
},
{
"Name": "mitre_id_s",
"Type": "String"
},
{
"Name": "name_s",
"Type": "String"
},
{
"Name": "created_at_t",
"Type": "DateTime"
},
{
"Name": "updated_at_t",
"Type": "DateTime"
},
{
"Name": "description_s",
"Type": "String"
},
{
"Name": "references_s",
"Type": "String"
},
{
"Name": "software_s",
"Type": "String"
},
{
"Name": "associated_groups_s",
"Type": "String"
},
{
"Name": "target_geo_s",
"Type": "String"
},
{
"Name": "target_industries_s",
"Type": "String"
},
{
"Name": "mitre_ttps_s",
"Type": "String"
}
]
}


@ -0,0 +1,53 @@
{
"Name": "ZeroFox_CTI_vulnerabilities_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "base_score_d",
"Type": "Double"
},
{
"Name": "description_s",
"Type": "String"
},
{
"Name": "exploitability_score_d",
"Type": "Double"
},
{
"Name": "impact_score_d",
"Type": "Double"
},
{
"Name": "created_at_t",
"Type": "DateTime"
},
{
"Name": "updated_at_t",
"Type": "DateTime"
},
{
"Name": "vector_string_s",
"Type": "String"
},
{
"Name": "cve_s",
"Type": "String"
},
{
"Name": "summary_s",
"Type": "String"
},
{
"Name": "remediation_s",
"Type": "String"
},
{
"Name": "products_s",
"Type": "String"
}
]
}


@ -197,10 +197,14 @@
"DynatraceAuditLogs",
"DynatraceProblems",
"MicrosoftDefenderThreatIntelligence",
"ZeroFox_Alert_Polling",
"CortexXDR",
"MimecastTTPAPI",
"MimecastAuditAPI",
"PingFederateAma",
"vArmourACAma",
"ContrastProtectAma",
"ClarotyAma"
"ClarotyAma",
"illusiveAttackManagementSystemAma",
"TrendMicroApexOneAma"
]


@ -200,5 +200,7 @@ export enum ConnectorCategory {
MicrosoftPurviewInformationProtection="MicrosoftPurviewInformationProtection",
Dynamics365Activity="Dynamics365Activity",
CrowdstrikeReplicatorV2="CrowdstrikeReplicatorV2",
BloodHoundEnterprise="BloodHoundEnterprise"
BloodHoundEnterprise="BloodHoundEnterprise",
AwsS3="AwsS3",
AWS="AWS"
}
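Review bot: `AwsS3` and `AWS` are added as two separate categories with nothing in the enum saying how they differ, which makes them easy to mis-assign at the call sites that pick a category. A short comment above each stating which connectors belong to it would remove the ambiguity, e.g. `// AwsS3: <which connectors use this>` and `// AWS: <which connectors use this>` filled in once the intended split is confirmed. The enum `ConnectorCategory` starts outside this hunk.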


@ -0,0 +1,71 @@
{
"id": "string",
"title": "string",
"publisher": "string",
"descriptionMarkdown": "string",
"logo": "string",
"graphQueries": [
{
"metricName": "string",
"legend": "string",
"baseQuery": "string"
}
],
"sampleQueries": [
{
"description": "string",
"query": "string"
}
],
"connectivityCriterias": [
{
"type": "string",
"value": ["string"]
}
],
"dataTypes": [
{
"name": "string",
"lastDataReceivedQuery": "string"
}
],
"availability": {
"status": 0,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "string",
"permissionsDisplayText": "string",
"providerDisplayName": "string",
"scope": "string",
"requiredPermissions": {
"write": false,
"delete": false
}
}
],
"customs": [
{
"name": "string",
"description": "string"
}
]
},
"instructionSteps": [
{
"title": "string",
"description": "string",
"instructions": [
{
"parameters": {
"fillWith": ["string"],
"label": "string"
},
"type": "CopyableLabel"
}
]
}
]
}


@ -0,0 +1,71 @@
{
"id": "string",
"title": "string",
"publisher": "string",
"descriptionMarkdown": "string",
"logo": "string",
"graphQueries": [
{
"metricName": "string",
"legend": "string",
"baseQuery": "string"
}
],
"sampleQueries": [
{
"description": "string",
"query": "string"
}
],
"connectivityCriterias": [
{
"type": "string",
"value": ["string"]
}
],
"dataTypes": [
{
"name": "string",
"lastDataReceivedQuery": "string"
}
],
"availability": {
"status": 0,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "string",
"permissionsDisplayText": "string",
"providerDisplayName": "string",
"scope": "string",
"requiredPermissions": {
"write": false,
"delete": false
}
}
],
"customs": [
{
"name": "string",
"description": "string"
}
]
},
"instructionSteps": [
{
"title": "string",
"description": "string",
"instructions": [
{
"parameters": {
"fillWith": ["string"],
"label": "string"
},
"type": "CopyableLabel"
}
]
}
]
}


@ -535,15 +535,15 @@ EventOwner,string,Optional,RegistryEvent,,,
EventOwner,string,Optional,UserManagement,,,
EventOwner,string,Optional,WebSession,,,
EventProduct,string,Mandatory,AuditEvent,Enumerated,Azure|Windows|Exchange 365|Dataminr Pulse|Vectra Cloud,
EventProduct,string,Mandatory,Authentication,Enumerated,Service Cloud|Auth0|CloudTrail|AAD|Azure Defender for IoT|M365 Defender for Endpoint|Security Events|Okta|PostgreSQL|OpenSSH|su|sudo|Vectra Cloud,
EventProduct,string,Mandatory,Authentication,Enumerated,Service Cloud|Auth0|CloudTrail|AAD|Azure Defender for IoT|M365 Defender for Endpoint|Security Events|Okta|PostgreSQL|OpenSSH|su|sudo|Vectra Cloud|SentinelOne,
EventProduct,string,Mandatory,Common,,,
EventProduct,string,Mandatory,Dhcp,,,
EventProduct,string,Mandatory,Dns,Enumerated,Umbrella|Azure Firewall|DNS Server|Sysmon|Sysmon for Linux|ZIA DNS|NIOS|Cloud DNS|Zeek|Vectra Stream,
EventProduct,string,Mandatory,FileEvent,Enumerated,Sysmon for Linux|Sysmon|M365 Defender for Endpoint|Azure File Storage|SharePoint|OneDrive,
EventProduct,string,Mandatory,NetworkSession,Enumerated,Fortigate|IOS|SDP|Vectra Stream|NSGFlow|Fireware|VPC|Azure Defender for IoT|Azure Firewall|M365 Defender for Endpoint|Sysmon|Sysmon for Linux|Windows Firewall|WireData|ZIA Firewall|CDL|PanOS|VMConnection|Meraki MX|Zeek|Firewall|ASA|Cynerio,
EventProduct,string,Mandatory,Dns,Enumerated,Umbrella|Azure Firewall|DNS Server|Sysmon|Sysmon for Linux|ZIA DNS|NIOS|Cloud DNS|Zeek|Vectra Stream|SentinelOne,
EventProduct,string,Mandatory,FileEvent,Enumerated,Sysmon for Linux|Sysmon|M365 Defender for Endpoint|Azure File Storage|SharePoint|OneDrive|SentinelOne,
EventProduct,string,Mandatory,NetworkSession,Enumerated,Fortigate|IOS|SDP|Vectra Stream|NSGFlow|Fireware|VPC|Azure Defender for IoT|Azure Firewall|M365 Defender for Endpoint|Sysmon|Sysmon for Linux|Windows Firewall|WireData|ZIA Firewall|CDL|PanOS|VMConnection|Meraki MX|Zeek|Firewall|ASA|Cynerio|SentinelOne,
EventProduct,string,Mandatory,ProcessEvent,Enumerated,M365 Defender for Endpoint|Sysmon for Linux|Sysmon|Azure Defender for IoT|Security Events,
EventProduct,string,Mandatory,RegistryEvent,Enumerated,M365 Defender for Endpoint|Security Events|Sysmon|Windows Event,
EventProduct,string,Mandatory,UserManagement,,,
EventProduct,string,Mandatory,RegistryEvent,Enumerated,M365 Defender for Endpoint|Security Events|Sysmon|Windows Event|SentinelOne,
EventProduct,string,Mandatory,UserManagement,Enumerated,SentinelOne,
EventProduct,string,Mandatory,WebSession,Enumerated,IIS|Squid Proxy|ZIA Proxy|Vectra Stream|PanOS|CDL|Fireware|Meraki MX|Web Security Gateway|Zeek|Dataminr Pulse,
EventProductVersion,string,Optional,AuditEvent,,,
EventProductVersion,string,Optional,Authentication,,,
@ -663,15 +663,19 @@ EventUid,string,Recommended,RegistryEvent,,,
EventUid,string,Recommended,UserManagement,,,
EventUid,string,Recommended,WebSession,,,
EventVendor,string,Mandatory,AuditEvent,Enumerated,Microsoft|AWS|Dataminr|Vectra,
EventVendor,string,Mandatory,Authentication,Enumerated,Salesforce|AWS|Microsoft|Okta|PostgreSQL|OpenBSD|Linux|Vectra,
EventVendor,string,Mandatory,Authentication,Enumerated,Salesforce|AWS|Microsoft|Okta|PostgreSQL|OpenBSD|Linux|Vectra|SentinelOne,
EventVendor,string,Mandatory,Common,,,
EventVendor,string,Mandatory,Dhcp,,,
EventVendor,string,Mandatory,Dns,Enumerated,Cisco|Corelight|GCP|Infoblox|Microsoft|Zscaler|Vectra AI,
EventVendor,string,Mandatory,Dns,Enumerated,Cisco|Corelight|GCP|Infoblox|Microsoft|Zscaler|Vectra AI|SentinelOne,
EventVendor,string,Mandatory,FileEvent,Enumerated,Microsoft,
EventVendor,string,Mandatory,NetworkSession,Enumerated,Fortinet|AppGate|Palo Alto|Microsoft|Zscaler|AWS|Vectra AI|WatchGuard|Cisco|Corelight|Check Point|Forcepoint|Cynerio|SentinelOne,
EventVendor,string,Mandatory,Dns,Enumerated,Cisco|Corelight|GCP|Infoblox|Microsoft|Zscaler|Vectra AI,
EventVendor,string,Mandatory,FileEvent,Enumerated,Microsoft|SentinelOne,
EventVendor,string,Mandatory,NetworkSession,Enumerated,Fortinet|AppGate|Palo Alto|Microsoft|Zscaler|AWS|Vectra AI|WatchGuard|Cisco|Corelight|Check Point|Forcepoint|Cynerio,
EventVendor,string,Mandatory,ProcessEvent,Enumerated,Microsoft,
EventVendor,string,Mandatory,UserManagement,,,
EventVendor,string,Mandatory,UserManagement,Enumerated,SentinelOne,
EventVendor,string,Mandatory,WebSession,Enumerated,Microsoft|Squid|Zscaler|Vectra AI|Palo Alto|WatchGuard|Cisco|Forcepoint|Corelight|Dataminr,
EventVendor,string,Mandatory,RegistryEvent,Enumerated,SentinelOne,
FileContentType,string,Optional,WebSession,Enumerated,,
FileMD5,string,Optional,WebSession,MD5,,
FileName,string,Alias,FileEvent,,,TargetFileName
@ -701,7 +705,7 @@ Hostname,string,Alias,WebSession,Hostname,,DstHostname
HttpContentFormat,string,Optional,WebSession,,,
HttpContentType,string,Optional,WebSession,,,
HttpCookie,string,Optional,WebSession,,,
HttpHost,string,Optional,WebSession,Hostname,,
HttpHost,string,Optional,WebSession,,,
HttpIsProxied,bool,Optional,WebSession,,,
HttpReferrer,string,Optional,WebSession,,,
HttpRequestBodyBytes,long,Optional,WebSession,,,

1 ColumnName ColumnType Class Schema LogicalType ListOfValues Aliased
535 EventOwner string Optional UserManagement
536 EventOwner string Optional WebSession
537 EventProduct string Mandatory AuditEvent Enumerated Azure|Windows|Exchange 365|Dataminr Pulse|Vectra Cloud
538 EventProduct string Mandatory Authentication Enumerated Service Cloud|Auth0|CloudTrail|AAD|Azure Defender for IoT|M365 Defender for Endpoint|Security Events|Okta|PostgreSQL|OpenSSH|su|sudo|Vectra Cloud Service Cloud|Auth0|CloudTrail|AAD|Azure Defender for IoT|M365 Defender for Endpoint|Security Events|Okta|PostgreSQL|OpenSSH|su|sudo|Vectra Cloud|SentinelOne
539 EventProduct string Mandatory Common
540 EventProduct string Mandatory Dhcp
541 EventProduct string Mandatory Dns Enumerated Umbrella|Azure Firewall|DNS Server|Sysmon|Sysmon for Linux|ZIA DNS|NIOS|Cloud DNS|Zeek|Vectra Stream Umbrella|Azure Firewall|DNS Server|Sysmon|Sysmon for Linux|ZIA DNS|NIOS|Cloud DNS|Zeek|Vectra Stream|SentinelOne
542 EventProduct string Mandatory FileEvent Enumerated Sysmon for Linux|Sysmon|M365 Defender for Endpoint|Azure File Storage|SharePoint|OneDrive Sysmon for Linux|Sysmon|M365 Defender for Endpoint|Azure File Storage|SharePoint|OneDrive|SentinelOne
543 EventProduct string Mandatory NetworkSession Enumerated Fortigate|IOS|SDP|Vectra Stream|NSGFlow|Fireware|VPC|Azure Defender for IoT|Azure Firewall|M365 Defender for Endpoint|Sysmon|Sysmon for Linux|Windows Firewall|WireData|ZIA Firewall|CDL|PanOS|VMConnection|Meraki MX|Zeek|Firewall|ASA|Cynerio Fortigate|IOS|SDP|Vectra Stream|NSGFlow|Fireware|VPC|Azure Defender for IoT|Azure Firewall|M365 Defender for Endpoint|Sysmon|Sysmon for Linux|Windows Firewall|WireData|ZIA Firewall|CDL|PanOS|VMConnection|Meraki MX|Zeek|Firewall|ASA|Cynerio|SentinelOne
544 EventProduct string Mandatory ProcessEvent Enumerated M365 Defender for Endpoint|Sysmon for Linux|Sysmon|Azure Defender for IoT|Security Events
545 EventProduct string Mandatory RegistryEvent Enumerated M365 Defender for Endpoint|Security Events|Sysmon|Windows Event M365 Defender for Endpoint|Security Events|Sysmon|Windows Event|SentinelOne
546 EventProduct string Mandatory UserManagement Enumerated SentinelOne
547 EventProduct string Mandatory WebSession Enumerated IIS|Squid Proxy|ZIA Proxy|Vectra Stream|PanOS|CDL|Fireware|Meraki MX|Web Security Gateway|Zeek|Dataminr Pulse
548 EventProductVersion string Optional AuditEvent
549 EventProductVersion string Optional Authentication
663 EventUid string Recommended UserManagement
664 EventUid string Recommended WebSession
665 EventVendor string Mandatory AuditEvent Enumerated Microsoft|AWS|Dataminr|Vectra
666 EventVendor string Mandatory Authentication Enumerated Salesforce|AWS|Microsoft|Okta|PostgreSQL|OpenBSD|Linux|Vectra Salesforce|AWS|Microsoft|Okta|PostgreSQL|OpenBSD|Linux|Vectra|SentinelOne
667 EventVendor string Mandatory Common
668 EventVendor string Mandatory Dhcp
669 EventVendor string Mandatory Dns Enumerated Cisco|Corelight|GCP|Infoblox|Microsoft|Zscaler|Vectra AI Cisco|Corelight|GCP|Infoblox|Microsoft|Zscaler|Vectra AI|SentinelOne
670 EventVendor string Mandatory FileEvent Enumerated Microsoft
671 EventVendor string Mandatory NetworkSession Enumerated Fortinet|AppGate|Palo Alto|Microsoft|Zscaler|AWS|Vectra AI|WatchGuard|Cisco|Corelight|Check Point|Forcepoint|Cynerio|SentinelOne
672 EventVendor string Mandatory Dns Enumerated Cisco|Corelight|GCP|Infoblox|Microsoft|Zscaler|Vectra AI
673 EventVendor string Mandatory FileEvent Enumerated Microsoft|SentinelOne
674 EventVendor string Mandatory NetworkSession Enumerated Fortinet|AppGate|Palo Alto|Microsoft|Zscaler|AWS|Vectra AI|WatchGuard|Cisco|Corelight|Check Point|Forcepoint|Cynerio
675 EventVendor string Mandatory ProcessEvent Enumerated Microsoft
676 EventVendor string Mandatory UserManagement Enumerated SentinelOne
677 EventVendor string Mandatory WebSession Enumerated Microsoft|Squid|Zscaler|Vectra AI|Palo Alto|WatchGuard|Cisco|Forcepoint|Corelight|Dataminr
678 EventVendor string Mandatory RegistryEvent Enumerated SentinelOne
679 FileContentType string Optional WebSession Enumerated
680 FileMD5 string Optional WebSession MD5
681 FileName string Alias FileEvent TargetFileName
705 HttpContentFormat string Optional WebSession
706 HttpContentType string Optional WebSession
707 HttpCookie string Optional WebSession
708 HttpHost string Optional WebSession Hostname
709 HttpIsProxied bool Optional WebSession
710 HttpReferrer string Optional WebSession
711 HttpRequestBodyBytes long Optional WebSession
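Review bot: The second hunk leaves the new file with duplicate EventVendor rows for the same schema: the Dns row is present both with `|SentinelOne` and without it (new-side rows 669 and 672 in the rendered view), and likewise FileEvent (670 `Microsoft` / 673 `Microsoft|SentinelOne`) and NetworkSession (671 with `|SentinelOne` / 674 without). That is the pattern a mis-resolved merge conflict leaves behind, and any consumer that keys on ColumnName plus Schema will see two conflicting allowed-value lists for each; keep only the rows carrying SentinelOne and drop the three older duplicates. Also, the new `EventVendor,string,Mandatory,RegistryEvent,Enumerated,SentinelOne,` row is appended after WebSession rather than in schema order, and enumerates only SentinelOne although the EventProduct RegistryEvent row in the first hunk still lists M365 Defender for Endpoint, Security Events, Sysmon and Windows Event — confirm whether Microsoft belongs in that vendor list as well.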


@ -117,7 +117,7 @@ Fields:
- Name: LogonMethod
Class: Optional
Type: string
Type: string
Description: The method used to perform authentication.
Example: Username & Password


@ -22,7 +22,7 @@ Include:
# Entities
- Name: Dvc
File: common/ASimDvc.yaml
File: entities/ASimDvc.yaml
- Name: Source user entity
File: entities/ASimUser.yaml
Role: Src
@ -69,7 +69,7 @@ Fields:
# DHCP event fields
- Name: RequestedIpAddr
Class: Optional
Type: string
Type: string
Description: The IP address requested by the DHCP client, when available.
Example: '192.168.12.3'
@ -81,7 +81,7 @@ Fields:
- Name: DhcpSessionId
Class: Optional
Type: string
Description: The session identifier as reported by the reporting device. For the Windows DHCP server, set this to the TransactionID field.
Description: The session identifier as reported by the reporting device. For the Windows DHCP server, set this to the TransactionID field.
Example: '2099570186'
- Name: SessionId
@ -92,53 +92,47 @@ Fields:
- Name: DhcpSessionDuration
Class: Optional
Type: Integer
Type: integer
Description: The amount of time, in milliseconds, for the completion of the DHCP session.
Example: 1500
- Name: Duration
Class: Alias
Type: Integer
Type: integer
Description: Alias to DhcpSessionDuration
Aliases: DhcpSessionDuration
- Name: DhcpSrcDHCId
Class: Optional
Type: string
Description: The DHCP client ID, as defined by RFC4701.
Type: string
Description: The DHCP client ID, as defined by RFC4701.
- Name: DhcpCircuitId
Class: Recommended
Type: string
Description: The DHCP circuit ID, as defined by RFC3046.
Class: Recommended
Type: string
Description: The DHCP circuit ID, as defined by RFC3046.
- Name: DhcpSubscriberId
Class: Optional
Type: string
Description: The DHCP subscriber ID, as defined by RFC3993.
- Name: DhcpVendorClassId
- Name: DhcpVendorClassId
Class: Optional
Type: string
Description: The DHCP Vendor Class Id, as defined by RFC3925.
Description: The DHCP Vendor Class Id, as defined by RFC3925.
- Name: DhcpVendorClass
- Name: DhcpVendorClass
Class: Optional
Type: string
Type: string
Description: The DHCP Vendor Class, as defined by RFC3925.
- Name: DhcpUserClassId
- Name: DhcpUserClassId
Class: Optional
Type: string
Type: string
Description: The DHCP User Class Id, as defined by RFC3004.
- Name: DhcpUserClass
Class: Optional
Type: string
Description: The DHCP User Class, as defined by RFC3004.
- Name: SrcMacAddr
Class: Optional
Type: string
Description: The MAC address of the network interface from which the connection or session originated.
Example: '06:10:9f:eb:8f:14'
Description: The DHCP User Class, as defined by RFC3004.
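Review bot: The last hunk drops the `SrcMacAddr` field definition (with its `06:10:9f:eb:8f:14` example) from the Dhcp schema, and nothing visible in this section says where the field now lives; if it is meant to come from an included entity file, the `Include:` list at the top of the file should carry that entry, otherwise parsers that populate `SrcMacAddr` now reference a field the schema no longer declares. Recording the intent in the commit message or as a comment next to the `Include:` entries would settle this. The `common/ASimDvc.yaml` → `entities/ASimDvc.yaml` path change is consistent with the other entity include in the same hunk.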


@ -51,7 +51,7 @@ Fields:
Type: string
Class: Mandatory
Logical type: Enumerated
List of values: [ request response ]
List of values: [ request, response ]
Notes: For most sources, only the responses are logged, and therefore the value is often response.
- Name: EventResultDetails
@ -74,7 +74,7 @@ Fields:
Type: string
Logical type: Enumerated
Description: The field for which a threat was identified. The value is either SrcIpAddr, DstIpAddr, Domain, or DnsResponseName..
List of values: [SrcIpAddr DstIpAddr Domain DnsResponseName]
List of values: [SrcIpAddr, DstIpAddr, Domain, DnsResponseName]
- Name: ThreatIpAddr
Class: Optional
@ -111,7 +111,7 @@ Fields:
# DNS event fields
- Name: DnsQuery
Class: Mandatory
Type: string
Type: string
Description: The domain that the request tries to resolve.
Notes: |
- Some sources send valid FQDN queries in a different format. For example, in the DNS protocol itself, the query includes a dot (.) at the end, which must be removed.
@ -134,7 +134,7 @@ Fields:
- Name: DnsQueryTypeName
Class: Recommended
Type: string
Logical type: Enumerated
Logical type: Enumerated
List of values: TBD
Description: The DNS Resource Record Type names.
Notes: |
@ -146,7 +146,7 @@ Fields:
- Name: DnsResponseName
Class: Optional
Type: string
Type: string
Description: The content of the response, as included in the record.
Notes: The DNS response data is inconsistent across reporting devices, is complex to parse, and has less value for source-agnostic analytics. Therefore the information model doesn't require parsing and normalization, and Microsoft Sentinel uses an auxiliary function to provide response information. For more information, see Handling DNS response.
@ -158,37 +158,37 @@ Fields:
- Name: DnsResponseCode
Class: Optional
Type: integer
Type: integer
Description: The DNS numerical response code.
Example: 3
- Name: TransactionIdHex
Class: Recommended
Type: string
Description: The DNS query unique ID as assigned by the DNS client, in hexadecimal format. Note that this value is part of the DNS protocol and different from DnsSessionId, the network layer session ID, typically assigned by the reporting device.
Class: Recommended
Type: string
Description: The DNS query unique ID as assigned by the DNS client, in hexadecimal format. Note that this value is part of the DNS protocol and different from DnsSessionId, the network layer session ID, typically assigned by the reporting device.
- Name: NetworkProtocol
Class: Optional
Type: string
Logical type: Enumerated
List of values: [TCP UDP]
Logical type: Enumerated
List of values: [TCP, UDP]
Description: The transport protocol used by the network resolution event. The value can be UDP or TCP, and is most commonly set to UDP for DNS.
Example: UDP
- Name: NetworkProtocolVersion
Class: Optional
Type: string
Logical type: Enumerated
Logical type: Enumerated
List of values: TBD
- Name: DnsQueryClass
Class: Optional
Type: integer
Type: integer
Description: The DNS class ID. In practice, only the IN class (ID 1) is used, and therefore this field is less valuable.
- Name: DnsQueryClassName
Class: Optional
Type: string
Type: string
Logical type: Enumerated
List of values: TBD
Description: The DNS class name. In practice, only the IN class (ID 1) is used, and therefore this field is less valuable.
@ -203,8 +203,8 @@ Fields:
- Name: DnsNetworkDuration
Class: Optional
Type: integer
Description: The amount of time, in milliseconds, for the completion of DNS request.
Type: integer
Description: The amount of time, in milliseconds, for the completion of DNS request.
Example: 1500
- Name: Duration
@ -216,7 +216,7 @@ Fields:
- Name: DnsFlagsAuthenticated
Class: Optional
Type: bool
Description: The DNS AD flag, which is related to DNSSEC, indicates in a response that all data included in the answer and authority sections of the response have been verified by the server according to the policies of that server. For more information, see RFC 3655 Section 6.1 for more information.
Description: The DNS AD flag, which is related to DNSSEC, indicates in a response that all data included in the answer and authority sections of the response have been verified by the server according to the policies of that server. For more information, see RFC 3655 Section 6.1 for more information.
- Name: DnsFlagsAuthoritative
Class: Optional
@ -251,7 +251,7 @@ Fields:
- Name: DnsSessionId
Class: Optional
Type: string
Description: The DNS session identifier as reported by the reporting device. This value is different from TransactionIdHex, the DNS query unique ID as assigned by the DNS client.
Description: The DNS session identifier as reported by the reporting device. This value is different from TransactionIdHex, the DNS query unique ID as assigned by the DNS client.
Example: EB4BFA28-2EAD-4EF7-BC8A-51DF4FDF5B55
- Name: SessionId
@ -284,14 +284,14 @@ Fields:
- Name: DnsResponseIpLatitude
Class: Optional
Type: float
Logical type: Latitude
Logical type: Latitude
Description: The latitude of the geographical coordinate associated with one of the IP addresses in the DNS response. For more information, see Logical types.
Example: 44.475833
- Name: DnsResponseIpLongitude
Class: Optional
Type: float
Logical type: Longitude
Logical type: Longitude
Description: The longitude of the geographical coordinate associated with one of the IP addresses in the DNS response. For more information, see Logical types.
Example: 73.211944


@ -1,6 +1,6 @@
Schema:
Schema: FileEvent
Version: '0.2.2'
Version: '0.2.3'
Last Updated: Sept 12 2023
References:
- Title: ASIM File Event Schema
@ -127,7 +127,7 @@ Fields:
- Name: TargetFileName
Class: Recommended
Type: string
Description: The name of the target file, without a path or a location, but with an extension if relevant. This field should be similar to the final element in the TargetFilePath field.
Description: The name of the target file, without a path or a location, but with an extension if relevant. This field should be similar to the final element in the TargetFilePath field.
- Name: FileName
Type: string
@ -135,7 +135,7 @@ Fields:
Aliases: TargetFileName
- Name: TargetFilePath
Class: Mandatory
Class: Mandatory
Type: String
Description: The full, normalized path of the target file, including the folder or location, the file name, and the extension. If the record does not include folder or location information, store the filename only here.
Example: C:\Windows\System32\notepad.exe
@ -143,7 +143,7 @@ Fields:
- Name: TargetFilePathType
Class: Conditional
Type: string
Logical type: Enumerated
Logical type: Enumerated
Description: The type of TargetFilePath. For more information.
List of values: [ Windows Local, Windows Share, Unix, URL ]
Follows: TargetFilePath
@ -157,21 +157,21 @@ Fields:
- Name: TargetFileMD5
Class: Optional
Type: string
Logical type: MD5
Logical type: MD5
Description: The MD5 hash of the target file.
Example: 75a599802f1fa166cdadb360960b1dd0
- Name: TargetFileSHA1
Class: Optional
Type: string
Logical type: SHA1
Logical type: SHA1
Description: The SHA-1 hash of the target file.
Example: d55c5a4df19b46db8c54c801c4665d3338acdab0
- Name: TargetFileSHA256
Class: Optional
Type: string
Logical type: SHA256
Logical type: SHA256
Description: The SHA-256 hash of the target file.
Example: e81bb824c4a09a811af17deae22f22dd2e1ec8cbb00b22629d2899f7c68da274
@ -183,9 +183,9 @@ Fields:
- Name: Hash
Type: string
Class: Conditional
Class: Alias
Description: Alias to the best available Target File hash.
Follows: [TargetFileMD5, TargetFileSHA1, TargetFileSHA256, TargetFileSHA512]
Aliases: [TargetFileMD5, TargetFileSHA1, TargetFileSHA256, TargetFileSHA512]
- Name: HashType
Class: Conditional
@ -196,7 +196,7 @@ Fields:
- Name: TargetFileSize
Class: Optional
Type: long
Type: long
Description: The size of the target file in bytes.
# Source file fields
@ -225,10 +225,10 @@ Fields:
- Name: SrcFileName
Class: Recommended
Type: string
Description: The name of the target file, without a path or a location, but with an extension if relevant. This field should be similar to the final element in the SrcFilePath field.
Description: The name of the target file, without a path or a location, but with an extension if relevant. This field should be similar to the final element in the SrcFilePath field.
- Name: SrcFilePath
Class: Mandatory
Class: Mandatory
Type: String
Description: The full, normalized path of the target file, including the folder or location, the file name, and the extension. If the record does not include folder or location information, store the filename only here.
Example: C:\Windows\System32\notepad.exe
@ -236,7 +236,7 @@ Fields:
- Name: SrcFilePathType
Class: Conditional
Type: string
Logical type: Enumerated
Logical type: Enumerated
Description: The type of SrcFilePath. For more information.
List of values: [ Windows Local, Windows Share, Unix, URL ]
Follows: SrcFilePath
@ -244,21 +244,21 @@ Fields:
- Name: SrcFileMD5
Class: Optional
Type: string
Logical type: MD5
Logical type: MD5
Description: The MD5 hash of the target file.
Example: 75a599802f1fa166cdadb360960b1dd0
- Name: SrcFileSHA1
Class: Optional
Type: string
Logical type: SHA1
Logical type: SHA1
Description: The SHA-1 hash of the target file.
Example: d55c5a4df19b46db8c54c801c4665d3338acdab0
- Name: SrcFileSHA256
Class: Optional
Type: string
Logical type: SHA256
Logical type: SHA256
Description: The SHA-256 hash of the target file.
Example: e81bb824c4a09a811af17deae22f22dd2e1ec8cbb00b22629d2899f7c68da274
@ -270,17 +270,17 @@ Fields:
- Name: SrcFileSize
Class: Optional
Type: long
Type: long
Description: The size of the target file in bytes.
# Additional fields
- Name: HttpUserAgent
Class: Optional
Type: string
Description: When the operation is initiated by a remote system using HTTP or HTTPS, the user agent used.
Type: string
Description: When the operation is initiated by a remote system using HTTP or HTTPS, the user agent used.
Example: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
- Name: NetworkApplicationProtocol
Class: Optional
Type: string
Description: When the operation is initiated by a remote system, this value is the application layer protocol used in the OSI model. While this field is not enumerated, and any value is accepted, preferable values include HTTP, HTTPS, SMB,FTP, and SSH.
Type: string
Description: When the operation is initiated by a remote system, this value is the application layer protocol used in the OSI model. While this field is not enumerated, and any value is accepted, preferable values include HTTP, HTTPS, SMB,FTP, and SSH.
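Review bot: The SrcFile* descriptions on the new side still describe the target file — `SrcFileName` reads `Description: The name of the target file, without a path or a location, but with an extension if relevant…`, and SrcFilePath, SrcFileMD5, SrcFileSHA1, SrcFileSHA256 and SrcFileSize carry the same copied wording — while the commit only re-indents them. A parser author reads these lines to decide which file lands in which field for a rename or copy event, so the ambiguity is not cosmetic; suggest `Description: The name of the source file, without a path or a location, but with an extension if relevant. This field should be similar to the final element in the SrcFilePath field.` and the analogous "source file" wording for the other five. The change of `Hash` to `Class: Alias` with an `Aliases:` list is consistent with how `FileName` already uses `Aliases: TargetFileName` in this file.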


@ -1,6 +1,6 @@
Schema:
Schema: ProcessEvent
Version: '0.1.4'
Version: '0.1.5'
Last Updated: Mar 06, 2023
References:
- Title: ASIM Process Event Schema
@ -17,6 +17,8 @@ Include:
# Common fields
- Name: Event Fields
File: common/ASimEventFields.yaml
- Name: Inspection fields
File: common/ASimInspectionFields.yaml
# Entities
- Name: Dvc
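Review bot: `Version: '0.1.5'` is bumped but the `Last Updated: Mar 06, 2023` line directly under it is left unchanged, so the header now disagrees with itself; update the date together with the version. The new include `File: common/ASimInspectionFields.yaml` is added without any note in this schema on which inspection fields a ProcessEvent parser is expected to populate — if the included file documents that, a one-line comment pointing there would help readers of this file.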


@ -63,7 +63,7 @@ Fields:
# Registry event fields
- Name: RegistryKey
Class: Mandatory
Type: string
Type: string
Description: The registry key associated with the operation, normalized to standard root key naming conventions.
Example: 'HKEY_LOCAL_MACHINE\SOFTWARE\MTG'
@ -87,8 +87,8 @@ Fields:
- Name: RegistryPreviousKey
Class: Recommended
Type: string
Description: For operations that modify the registry, the original registry key, normalized to standard root key naming.
Type: string
Description: For operations that modify the registry, the original registry key, normalized to standard root key naming.
Example: 'HKEY_LOCAL_MACHINE\SOFTWARE\MTG'
- Name: RegistryPreviousValue
@ -99,12 +99,12 @@ Fields:
- Name: RegistryPreviousValueType
Class: Recommended
Type: string
Description: For operations that modify the registry, the original value type.
Type: string
Description: For operations that modify the registry, the original value type.
Example: 'Reg_Expand_Sz'
- Name: RegistryPreviousValueData
Class: Recommended
Type: string
Description: The original registry data, for operations that modify the registry.
Class: Recommended
Type: string
Description: The original registry data, for operations that modify the registry.
Example: 'C:\Windows\system32;C:\Windows;'


@ -28,4 +28,4 @@ Fields:
Type: string
Class: Optional
Description: The user agent header accosiated with the application, when communicating using HTTP or HTTPS.
For roles: [ Actor, Src ]
For roles: [ Actor, Src, Acting ]


@ -34,6 +34,12 @@ Fields:
Logical type: Hostname
Description: The device hostname, excluding domain information. If no device name is available, store the relevant IP address in this field.
- Name: <<Role>>MacAddr
Type: string
Class: Optional
Logical type: MAC address
Description: The MAC address of the device.
- Name: <<Role>>Domain
Type: string
Class: Optional
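Review bot: The new `<<Role>>MacAddr` field has no `Example:` and no normalization note, whereas the `SrcMacAddr` field visible earlier in this commit carries `Example: '06:10:9f:eb:8f:14'`. MAC addresses reach parsers in several textual forms (colon-, hyphen- or dot-separated, upper or lower case), and joins or comparisons on this field only work if the canonical form is stated; suggest adding `Example: '06:10:9f:eb:8f:14'` and a `Notes:` line naming the expected separator and case. The enclosing Fields list continues outside the hunk.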



@ -11,7 +11,7 @@ asn1crypto==0.24.0
azure-common==1.1.24
azure-core==1.21.0
botocore==1.12.10
cryptography==41.0.3
cryptography==41.0.4
pyasn1==0.4.2
pyasn1-modules==0.2.1
cffi==1.14.6


@ -5,7 +5,7 @@
"_generator": {
"name": "bicep",
"version": "0.13.1.58284",
"templateHash": "565765809013731276"
"templateHash": "11347846636968529735"
}
},
"parameters": {
@ -46,14 +46,14 @@
},
"FunctionAppPackageUri": {
"type": "string",
"defaultValue": "https://raw.githubusercontent.com/anders-alex/Azure-Sentinel/DataConnector-M365Defender-VulnerabilityManagement/DataConnectors/M365Defender-VulnerabilityManagement/functionPackage.zip",
"defaultValue": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/M365Defender-VulnerabilityManagement/functionPackage.zip",
"metadata": {
"description": "Uri where the Function App package is located. Use default value unless you are hosting the package somewhere else."
}
},
"DeploymentScriptUri": {
"type": "string",
"defaultValue": "https://raw.githubusercontent.com/anders-alex/Azure-Sentinel/DataConnector-M365Defender-VulnerabilityManagement/DataConnectors/M365Defender-VulnerabilityManagement/deploymentScript.ps1",
"defaultValue": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/M365Defender-VulnerabilityManagement/deploymentScript.ps1",
"metadata": {
"description": "Uri where the post deployment script is located. This is used to publish the Function App code after the resources have been deploted. Use default value unless you are hosting the script somewhere else."
}
@ -392,9 +392,9 @@
}
},
"properties": {
"azPowerShellVersion": "8.3",
"azPowerShellVersion": "10.0",
"retentionInterval": "PT1H",
"timeout": "PT5M",
"timeout": "PT15M",
"cleanupPreference": "Always",
"primaryScriptUri": "[parameters('DeploymentScriptUri')]",
"arguments": "[format('-PackageUri {0} -SubscriptionId {1} -ResourceGroupName {2} -FunctionAppName {3} -FAScope {4} -UAMIPrincipalId {5}', parameters('FunctionAppPackageUri'), split(subscription().id, '/')[2], resourceGroup().name, parameters('FunctionAppName'), resourceId('Microsoft.Web/sites', parameters('FunctionAppName')), reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('UserAssignedManagedIdentityName')), '2022-01-31-preview').principalId)]"
@ -554,7 +554,7 @@
"_generator": {
"name": "bicep",
"version": "0.13.1.58284",
"templateHash": "18108567286443164898"
"templateHash": "6267106311640858417"
}
},
"parameters": {
@ -681,7 +681,7 @@
},
{
"type": "Microsoft.Insights/dataCollectionRules",
"apiVersion": "2021-09-01-preview",
"apiVersion": "2022-06-01",
"name": "[parameters('DataCollectionRuleName')]",
"location": "[parameters('LogAnalyticsWorkspaceLocation')]",
"properties": {
@ -817,10 +817,6 @@
},
"Custom-MDVMRecommendations_CL": {
"columns": [
{
"name": "activeAlert",
"type": "boolean"
},
{
"name": "associatedThreats",
"type": "dynamic"
@ -916,6 +912,10 @@
{
"name": "transactionId",
"type": "string"
},
{
"name": "activeAlert",
"type": "boolean"
}
]
},
@ -1141,10 +1141,6 @@
},
"Custom-MDVMNISTConfigurations_CL": {
"columns": [
{
"name": "configurationNumber",
"type": "int"
},
{
"name": "configurationOperator",
"type": "string"
@ -1200,6 +1196,10 @@
{
"name": "transactionId",
"type": "string"
},
{
"name": "configurationNumber",
"type": "int"
}
]
}
@ -1306,7 +1306,7 @@
"value": "Analytics"
},
"retention": {
"value": 730
"value": 90
},
"columns": {
"value": [
@ -1437,7 +1437,7 @@
"value": "Analytics"
},
"retention": {
"value": 730
"value": 90
},
"columns": {
"value": [
@ -1588,14 +1588,10 @@
"value": "Analytics"
},
"retention": {
"value": 730
"value": 90
},
"columns": {
"value": [
{
"name": "configurationNumber",
"type": "int"
},
{
"name": "configurationOperator",
"type": "string"
@ -1651,6 +1647,10 @@
{
"name": "transactionId",
"type": "string"
},
{
"name": "configurationNumber",
"type": "int"
}
]
}
@ -1724,10 +1724,6 @@
},
"columns": {
"value": [
{
"name": "activeAlert",
"type": "boolean"
},
{
"name": "associatedThreats",
"type": "dynamic"
@ -1823,6 +1819,10 @@
{
"name": "transactionId",
"type": "string"
},
{
"name": "activeAlert",
"type": "boolean"
}
]
}
@ -2221,7 +2221,7 @@
"outputs": {
"DcrImmutableId": {
"type": "string",
"value": "[reference(resourceId('Microsoft.Insights/dataCollectionRules', parameters('DataCollectionRuleName')), '2021-09-01-preview').immutableId]"
"value": "[reference(resourceId('Microsoft.Insights/dataCollectionRules', parameters('DataCollectionRuleName')), '2022-06-01').immutableId]"
},
"DceUri": {
"type": "string",


@ -5,7 +5,7 @@
"_generator": {
"name": "bicep",
"version": "0.13.1.58284",
"templateHash": "8888576794211067773"
"templateHash": "8260351119578024976"
}
},
"parameters": {
@ -53,14 +53,14 @@
},
"FunctionAppPackageUri": {
"type": "string",
"defaultValue": "https://raw.githubusercontent.com/anders-alex/Azure-Sentinel/DataConnector-M365Defender-VulnerabilityManagement/DataConnectors/M365Defender-VulnerabilityManagement/functionPackage.zip",
"defaultValue": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/M365Defender-VulnerabilityManagement/functionPackage.zip",
"metadata": {
"description": "Uri where the Function App package is located. Use default value unless you are hosting the package somewhere else."
}
},
"DeploymentScriptUri": {
"type": "string",
"defaultValue": "https://raw.githubusercontent.com/anders-alex/Azure-Sentinel/DataConnector-M365Defender-VulnerabilityManagement/DataConnectors/M365Defender-VulnerabilityManagement/deploymentScript.ps1",
"defaultValue": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/M365Defender-VulnerabilityManagement/deploymentScript.ps1",
"metadata": {
"description": "Uri where the post deployment script is located. This is used to publish the Function App code after the resources have been deploted. Use default value unless you are hosting the script somewhere else."
}
@ -192,7 +192,7 @@
},
"VirtualNetworkName": {
"type": "string",
"defaultValue": "[format('vnet-mdvm-{0}', uniqueString(resourceGroup().id))]",
"defaultValue": "vnet-mdvm",
"metadata": {
"description": "Name for Virtual Network resource that will be deployed."
}
@ -736,9 +736,9 @@
}
},
"properties": {
"azPowerShellVersion": "8.3",
"azPowerShellVersion": "10.0",
"retentionInterval": "PT1H",
"timeout": "PT5M",
"timeout": "PT15M",
"cleanupPreference": "Always",
"primaryScriptUri": "[parameters('DeploymentScriptUri')]",
"arguments": "[format('-PackageUri {0} -SubscriptionId {1} -ResourceGroupName {2} -FunctionAppName {3} -FAScope {4} -VnetScope {5} -UAMIPrincipalId {6} -RestrictedIPs {7}', parameters('FunctionAppPackageUri'), split(subscription().id, '/')[2], resourceGroup().name, parameters('FunctionAppName'), resourceId('Microsoft.Web/sites', parameters('FunctionAppName')), resourceId('Microsoft.Network/virtualNetworks', parameters('VirtualNetworkName')), reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('UserAssignedManagedIdentityName')), '2022-01-31-preview').principalId, parameters('TrustedIPAddressRanges'))]"
@ -782,7 +782,7 @@
"_generator": {
"name": "bicep",
"version": "0.13.1.58284",
"templateHash": "18108567286443164898"
"templateHash": "6267106311640858417"
}
},
"parameters": {
@ -909,7 +909,7 @@
},
{
"type": "Microsoft.Insights/dataCollectionRules",
"apiVersion": "2021-09-01-preview",
"apiVersion": "2022-06-01",
"name": "[parameters('DataCollectionRuleName')]",
"location": "[parameters('LogAnalyticsWorkspaceLocation')]",
"properties": {
@ -1045,10 +1045,6 @@
},
"Custom-MDVMRecommendations_CL": {
"columns": [
{
"name": "activeAlert",
"type": "boolean"
},
{
"name": "associatedThreats",
"type": "dynamic"
@ -1144,6 +1140,10 @@
{
"name": "transactionId",
"type": "string"
},
{
"name": "activeAlert",
"type": "boolean"
}
]
},
@ -1369,10 +1369,6 @@
},
"Custom-MDVMNISTConfigurations_CL": {
"columns": [
{
"name": "configurationNumber",
"type": "int"
},
{
"name": "configurationOperator",
"type": "string"
@ -1428,6 +1424,10 @@
{
"name": "transactionId",
"type": "string"
},
{
"name": "configurationNumber",
"type": "int"
}
]
}
@ -1534,7 +1534,7 @@
"value": "Analytics"
},
"retention": {
"value": 730
"value": 90
},
"columns": {
"value": [
@ -1665,7 +1665,7 @@
"value": "Analytics"
},
"retention": {
"value": 730
"value": 90
},
"columns": {
"value": [
@ -1816,14 +1816,10 @@
"value": "Analytics"
},
"retention": {
"value": 730
"value": 90
},
"columns": {
"value": [
{
"name": "configurationNumber",
"type": "int"
},
{
"name": "configurationOperator",
"type": "string"
@ -1879,6 +1875,10 @@
{
"name": "transactionId",
"type": "string"
},
{
"name": "configurationNumber",
"type": "int"
}
]
}
@ -1952,10 +1952,6 @@
},
"columns": {
"value": [
{
"name": "activeAlert",
"type": "boolean"
},
{
"name": "associatedThreats",
"type": "dynamic"
@ -2051,6 +2047,10 @@
{
"name": "transactionId",
"type": "string"
},
{
"name": "activeAlert",
"type": "boolean"
}
]
}
@ -2449,7 +2449,7 @@
"outputs": {
"DcrImmutableId": {
"type": "string",
"value": "[reference(resourceId('Microsoft.Insights/dataCollectionRules', parameters('DataCollectionRuleName')), '2021-09-01-preview').immutableId]"
"value": "[reference(resourceId('Microsoft.Insights/dataCollectionRules', parameters('DataCollectionRuleName')), '2022-06-01').immutableId]"
},
"DceUri": {
"type": "string",


@ -9,9 +9,9 @@ param DeployApplicationInsights bool = true
@description('Name for the Applications Insights resource that will be used by the Function App if enabled in the DeployApplicationInsights parameter.')
param AppInsightsName string = 'ai-mdvm-${uniqueString(resourceGroup().id)}'
@description('Uri where the Function App package is located. Use default value unless you are hosting the package somewhere else.')
param FunctionAppPackageUri string = 'https://raw.githubusercontent.com/anders-alex/Azure-Sentinel/DataConnector-M365Defender-VulnerabilityManagement/DataConnectors/M365Defender-VulnerabilityManagement/functionPackage.zip'
param FunctionAppPackageUri string = 'https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/M365Defender-VulnerabilityManagement/functionPackage.zip'
@description('Uri where the post deployment script is located. This is used to publish the Function App code after the resources have been deploted. Use default value unless you are hosting the script somewhere else.')
param DeploymentScriptUri string = 'https://raw.githubusercontent.com/anders-alex/Azure-Sentinel/DataConnector-M365Defender-VulnerabilityManagement/DataConnectors/M365Defender-VulnerabilityManagement/deploymentScript.ps1'
param DeploymentScriptUri string = 'https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/M365Defender-VulnerabilityManagement/deploymentScript.ps1'
@description('Name for App Service Plan resource that will be deployed. This is where the Function App will run.')
param AppServicePlanName string = 'asp-mdvm-${uniqueString(resourceGroup().id)}'
@description('Globally unique name for the Storage Account used by the Function App.')
@ -325,9 +325,9 @@ resource deploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
}
}
properties: {
azPowerShellVersion: '8.3'
azPowerShellVersion: '10.0'
retentionInterval: 'PT1H'
timeout: 'PT5M'
timeout: 'PT15M'
cleanupPreference: 'Always'
primaryScriptUri: DeploymentScriptUri
arguments: '-PackageUri ${FunctionAppPackageUri} -SubscriptionId ${split(subscription().id, '/')[2]} -ResourceGroupName ${resourceGroup().name} -FunctionAppName ${functionApp.name} -FAScope ${functionApp.id} -UAMIPrincipalId ${userAssignedMi.properties.principalId}'
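Review bot: Both new defaults, `FunctionAppPackageUri` and `DeploymentScriptUri`, now point at the mutable `master` ref on raw.githubusercontent.com, and `primaryScriptUri` executes whatever that URL serves at deployment time (presumably under the identity passed as `-UAMIPrincipalId`) and publishes the downloaded package into the Function App, so any change to that branch changes what runs in customers' subscriptions with no hash to detect it. Moving off the personal fork is the right direction, but prefer an immutable reference, e.g. `param DeploymentScriptUri string = 'https://raw.githubusercontent.com/Azure/Azure-Sentinel/<COMMIT_SHA>/DataConnectors/M365Defender-VulnerabilityManagement/deploymentScript.ps1'` (placeholder for a real commit), or have the script check a known SHA-256 of the package before publishing it. The same two defaults appear in azureDeployNetworkRestricted.bicep in this commit. `timeout: 'PT15M'` is reasonable, but a short comment on why PT5M was insufficient would save the next person from lowering it again.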


@ -11,9 +11,9 @@ param DeployApplicationInsights bool = true
@description('Name for the Applications Insights resource that will be used by the Function App if enabled in the DeployApplicationInsights parameter.')
param AppInsightsName string = 'ai-mdvm-${uniqueString(resourceGroup().id)}'
@description('Uri where the Function App package is located. Use default value unless you are hosting the package somewhere else.')
param FunctionAppPackageUri string = 'https://raw.githubusercontent.com/anders-alex/Azure-Sentinel/DataConnector-M365Defender-VulnerabilityManagement/DataConnectors/M365Defender-VulnerabilityManagement/functionPackage.zip'
param FunctionAppPackageUri string = 'https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/M365Defender-VulnerabilityManagement/functionPackage.zip'
@description('Uri where the post deployment script is located. This is used to publish the Function App code after the resources have been deploted. Use default value unless you are hosting the script somewhere else.')
param DeploymentScriptUri string = 'https://raw.githubusercontent.com/anders-alex/Azure-Sentinel/DataConnector-M365Defender-VulnerabilityManagement/DataConnectors/M365Defender-VulnerabilityManagement/deploymentScript.ps1'
param DeploymentScriptUri string = 'https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/M365Defender-VulnerabilityManagement/deploymentScript.ps1'
@description('Name for App Service Plan resource that will be deployed. This is where the Function App will run.')
param AppServicePlanName string = 'asp-mdvm-${uniqueString(resourceGroup().id)}'
@description('Globally unique name for the Storage Account used by the Function App.')
@ -99,7 +99,7 @@ param LogAnalyticsWorkspaceLocation string
@description('Specify a comma separated list of CIDR formatted IP address ranges to restrict connecting to the Function App from (i.e. 192.168.1.0/24,172.16.2.5/32).')
param TrustedIPAddressRanges string = '0.0.0.0/0'
@description('Name for Virtual Network resource that will be deployed.')
param VirtualNetworkName string = 'vnet-mdvm-${uniqueString(resourceGroup().id)}'
param VirtualNetworkName string = 'vnet-mdvm'
@description('Name for Virtual Network resource that will be deployed.')
param VirtualNetworkIPAddressPrefix string = '10.0.0.0/16'
@description('Azure Resource Id of the Virtual Network to place private endpoints and Function App VNet integration.')
@ -563,9 +563,9 @@ resource deploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
}
}
properties: {
azPowerShellVersion: '8.3'
azPowerShellVersion: '10.0'
retentionInterval: 'PT1H'
timeout: 'PT5M'
timeout: 'PT15M'
cleanupPreference: 'Always'
primaryScriptUri: DeploymentScriptUri
arguments: '-PackageUri ${FunctionAppPackageUri} -SubscriptionId ${split(subscription().id, '/')[2]} -ResourceGroupName ${resourceGroup().name} -FunctionAppName ${functionApp.name} -FAScope ${functionApp.id} -VnetScope ${virtualNetwork.id} -UAMIPrincipalId ${userAssignedMi.properties.principalId} -RestrictedIPs ${TrustedIPAddressRanges}'
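Review bot: `param VirtualNetworkName string = 'vnet-mdvm'` drops the `uniqueString(resourceGroup().id)` suffix that the other resource names in this file keep (`AppInsightsName`, `AppServicePlanName`), so a deployment into a resource group that already contains a `vnet-mdvm` — from another copy of this connector or anything else — would presumably, in incremental mode, update that existing network to this template's address space rather than fail. If a stable name is intended, say so in the `@description` and mention the reuse behaviour; otherwise keep the suffix for consistency. While here, the `@description('Name for Virtual Network resource that will be deployed.')` above `VirtualNetworkIPAddressPrefix` repeats the VNet-name text and should describe the address prefix. The URI-pinning point raised on azureDeploy.bicep applies to the two defaults here as well.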


@ -5,7 +5,7 @@
"_generator": {
"name": "bicep",
"version": "0.13.1.58284",
"templateHash": "18108567286443164898"
"templateHash": "6267106311640858417"
}
},
"parameters": {
@ -132,7 +132,7 @@
},
{
"type": "Microsoft.Insights/dataCollectionRules",
"apiVersion": "2021-09-01-preview",
"apiVersion": "2022-06-01",
"name": "[parameters('DataCollectionRuleName')]",
"location": "[parameters('LogAnalyticsWorkspaceLocation')]",
"properties": {
@ -268,10 +268,6 @@
},
"Custom-MDVMRecommendations_CL": {
"columns": [
{
"name": "activeAlert",
"type": "boolean"
},
{
"name": "associatedThreats",
"type": "dynamic"
@ -367,6 +363,10 @@
{
"name": "transactionId",
"type": "string"
},
{
"name": "activeAlert",
"type": "boolean"
}
]
},
@ -592,10 +592,6 @@
},
"Custom-MDVMNISTConfigurations_CL": {
"columns": [
{
"name": "configurationNumber",
"type": "int"
},
{
"name": "configurationOperator",
"type": "string"
@ -651,6 +647,10 @@
{
"name": "transactionId",
"type": "string"
},
{
"name": "configurationNumber",
"type": "int"
}
]
}
@ -757,7 +757,7 @@
"value": "Analytics"
},
"retention": {
"value": 730
"value": 90
},
"columns": {
"value": [
@ -888,7 +888,7 @@
"value": "Analytics"
},
"retention": {
"value": 730
"value": 90
},
"columns": {
"value": [
@ -1039,14 +1039,10 @@
"value": "Analytics"
},
"retention": {
"value": 730
"value": 90
},
"columns": {
"value": [
{
"name": "configurationNumber",
"type": "int"
},
{
"name": "configurationOperator",
"type": "string"
@ -1102,6 +1098,10 @@
{
"name": "transactionId",
"type": "string"
},
{
"name": "configurationNumber",
"type": "int"
}
]
}
@ -1175,10 +1175,6 @@
},
"columns": {
"value": [
{
"name": "activeAlert",
"type": "boolean"
},
{
"name": "associatedThreats",
"type": "dynamic"
@ -1274,6 +1270,10 @@
{
"name": "transactionId",
"type": "string"
},
{
"name": "activeAlert",
"type": "boolean"
}
]
}
@ -1672,7 +1672,7 @@
"outputs": {
"DcrImmutableId": {
"type": "string",
"value": "[reference(resourceId('Microsoft.Insights/dataCollectionRules', parameters('DataCollectionRuleName')), '2021-09-01-preview').immutableId]"
"value": "[reference(resourceId('Microsoft.Insights/dataCollectionRules', parameters('DataCollectionRuleName')), '2022-06-01').immutableId]"
},
"DceUri": {
"type": "string",


@ -91,7 +91,7 @@ resource roleAssignmentDcr 'Microsoft.Authorization/roleAssignments@2020-10-01-p
}
}
resource dcr 'Microsoft.Insights/dataCollectionRules@2021-09-01-preview' = {
resource dcr 'Microsoft.Insights/dataCollectionRules@2022-06-01' = {
dependsOn: [
tableMDVMCveKb
tableMDVMRecommendations
@ -234,10 +234,6 @@ resource dcr 'Microsoft.Insights/dataCollectionRules@2021-09-01-preview' = {
}
'Custom-MDVMRecommendations_CL': {
columns: [
{
name: 'activeAlert'
type: 'boolean'
}
{
name: 'associatedThreats'
type: 'dynamic'
@ -334,6 +330,10 @@ resource dcr 'Microsoft.Insights/dataCollectionRules@2021-09-01-preview' = {
name: 'transactionId'
type: 'string'
}
{
name: 'activeAlert'
type: 'boolean'
}
]
}
'Custom-MDVMSecureConfigurationsByDevice_CL': {
@ -558,10 +558,6 @@ resource dcr 'Microsoft.Insights/dataCollectionRules@2021-09-01-preview' = {
}
'Custom-MDVMNISTConfigurations_CL': {
columns: [
{
name: 'configurationNumber'
type: 'int'
}
{
name: 'configurationOperator'
type: 'string'
@ -618,6 +614,10 @@ resource dcr 'Microsoft.Insights/dataCollectionRules@2021-09-01-preview' = {
name: 'transactionId'
type: 'string'
}
{
name: 'configurationNumber'
type: 'int'
}
]
}
}
@ -701,7 +701,7 @@ module tableMDVMCveKb 'lawCustomTable.bicep' = {
lawName: split(LogAnalyticsWorkspaceResourceId, '/')[8]
tableName: 'MDVMCVEKB_CL'
plan: 'Analytics'
retention: 730
retention: 90
columns: [
{
name: 'cvssV3'
@ -770,7 +770,7 @@ module tableMDVMNistCveKb 'lawCustomTable.bicep' = {
lawName: split(LogAnalyticsWorkspaceResourceId, '/')[8]
tableName: 'MDVMNISTCVEKB_CL'
plan: 'Analytics'
retention: 730
retention: 90
columns: [
{
name: 'cveId'
@ -859,12 +859,8 @@ module tableMDVMNistConfigurations 'lawCustomTable.bicep' = {
lawName: split(LogAnalyticsWorkspaceResourceId, '/')[8]
tableName: 'MDVMNISTConfigurations_CL'
plan: 'Analytics'
retention: 730
retention: 90
columns: [
{
name: 'configurationNumber'
type: 'int'
}
{
name: 'configurationOperator'
type: 'string'
@ -921,6 +917,10 @@ module tableMDVMNistConfigurations 'lawCustomTable.bicep' = {
name: 'transactionId'
type: 'string'
}
{
name: 'configurationNumber'
type: 'int'
}
]
}
}
@ -933,10 +933,6 @@ module tableMDVMRecommendations 'lawCustomTable.bicep' = {
tableName: 'MDVMRecommendations_CL'
plan: 'Analytics'
columns: [
{
name: 'activeAlert'
type: 'boolean'
}
{
name: 'associatedThreats'
type: 'dynamic'
@ -1033,6 +1029,10 @@ module tableMDVMRecommendations 'lawCustomTable.bicep' = {
name: 'transactionId'
type: 'string'
}
{
name: 'activeAlert'
type: 'boolean'
}
]
}
}
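Review bot: `retention: 90` replaces 730 in three `lawCustomTable.bicep` module calls (tableMDVMCveKb, tableMDVMNistCveKb, tableMDVMNistConfigurations) as a hard-coded literal, which silently shortens how long vulnerability and configuration findings stay queryable from two years to three months, and an operator cannot override it at deployment time. Suggest `param TableRetentionDays int = 90` with a `@description` stating the cost/retention trade-off, and `retention: TableRetentionDays` in each module; `tableMDVMRecommendations` in the last hunk shows `plan` followed directly by `columns`, so if it has no retention line it would fall back to the workspace default and the tables would differ — worth confirming. Moving `activeAlert` and `configurationNumber` to the end of their stream column lists looks cosmetic, but a one-line comment on why (e.g. matching the custom table's column order) would save the next reader a diff.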


@ -64,17 +64,17 @@ foreach ($appRole in $appRoles) {
### Non-Network Restricted Deployment
No virtual network or Private Endpoints are deployed and public network access to the Function App and Storage Account is unrestricted. The Key Vault is restricted to only allow access from Function App public IP addresses. Use this for test environments or if you prefer to implement network restrictions yourself after deployment.
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fanders-alex%2FAzure-Sentinel%2FDataConnector-M365Defender-VulnerabilityManagement%2FDataConnectors%2FM365Defender-VulnerabilityManagement%2FazureDeploy.json)
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors%2FM365Defender-VulnerabilityManagement%2FazureDeploy.json)
### Network Restricted Deployment
Function App public access is restricted and a virtual network along with the appropriate Private DNS Zones are created to provide out of the box Private Endpoint connectivity between the Function App and its dependencies (Key Vault and Storage Account).
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fanders-alex%2FAzure-Sentinel%2FDataConnector-M365Defender-VulnerabilityManagement%2FDataConnectors%2FM365Defender-VulnerabilityManagement%2FazureDeployNetworkRestricted.json)
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors%2FM365Defender-VulnerabilityManagement%2FazureDeployNetworkRestricted.json)
### Workbook Deployment
A modified version of the Defender for Cloud "Vulnerability Assessment Findings" workbook to include the MDVM data collected by this connector.
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fanders-alex%2FAzure-Sentinel%2FDataConnector-M365Defender-VulnerabilityManagement%2FDataConnectors%2FM365Defender-VulnerabilityManagement%2Fworkbooks%2FazureDeploy.json)
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors%2FM365Defender-VulnerabilityManagement%2Fworkbooks%2FazureDeploy.json)
![image](https://user-images.githubusercontent.com/50784041/232255325-974cce56-b0ca-41df-827e-f97f65589e33.png)


@ -5,7 +5,7 @@
"_generator": {
"name": "bicep",
"version": "0.13.1.58284",
"templateHash": "12428279436367741536"
"templateHash": "15537029820804678138"
}
},
"parameters": {


@ -320,15 +320,24 @@ def main():
print("Located rsyslog daemon running on the machine")
set_rsyslog_configuration()
restart_rsyslog()
print_warning("Please note that the installation script opens port 514 to listen to incoming messages in both"
" UDP and TCP protocols. To change this setting, refer to the Rsyslog configuration file located at "
"'/etc/rsyslog.conf'.")
elif is_syslog_ng():
print("Located syslog-ng daemon running on the machine")
set_syslog_ng_configuration()
restart_syslog_ng()
print_warning("Please note that the installation script opens port 514 to listen to incoming messages in both"
" UDP and TCP protocols. To change this setting, refer to the Syslog-ng configuration file located at"
" '/etc/syslog-ng/syslog-ng.conf'.")
else:
print_error(
"Could not detect a running Syslog daemon on the machine, aborting installation. Please make sure you have a running Syslog daemon and rerun this script.")
"Could not detect a running Syslog daemon on the machine, aborting installation. Please make sure you have "
"a running Syslog daemon and rerun this script.")
exit()
print_full_disk_warning()
print_ok("Installation completed")
print_ok("Installation completed successfully")
main()
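Review bot: The two new print_warning calls at the top of the hunk run only after set_rsyslog_configuration()/set_syslog_ng_configuration() and the daemon restart, so by the time the operator reads that port 514 is open on UDP and TCP the listener is presumably already accepting traffic from any source; emitting the warning before the configuration is written (or asking for confirmation there) gives the operator a chance to act on it. The warning would also be more useful if it stated that the listener is unauthenticated and that a host firewall rule limiting it to the forwarding collector is recommended. The two strings are near-duplicates differing only in the config path; a small helper such as `print_port_warning('/etc/rsyslog.conf')` / `print_port_warning('/etc/syslog-ng/syslog-ng.conf')` would keep them in sync. main() starts outside the hunk.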


@ -3,7 +3,7 @@
"contentVersion": "1.0.0.0",
"parameters": {
"FunctionName": {
"defaultValue": "ZoomLogs",
"defaultValue": "[concat('ZoomLogs',uniqueString(subscription().subscriptionId))]",
"type": "string"
},
"customLogName": {
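Review bot: The new default `[concat('ZoomLogs',uniqueString(subscription().subscriptionId))]` is seeded from the subscription alone, so two deployments of this template into different resource groups of the same subscription produce the identical default Function App name and the second one collides on the globally unique name. Seeding from the resource group, `[concat('ZoomLogs',uniqueString(resourceGroup().id))]`, is the usual pattern and still avoids the cross-tenant collisions this change is after. The same default is introduced in the second ZoomLogs template below.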


@ -3,7 +3,7 @@
"contentVersion": "1.0.0.0",
"parameters": {
"FunctionName": {
"defaultValue": "ZoomLogs",
"defaultValue": "[concat('ZoomLogs',uniqueString(subscription().subscriptionId))]",
"type": "String"
}
},
@ -42,4 +42,4 @@
}
}
]
}
}


@ -0,0 +1,102 @@
id: 1f40ed57-f54b-462f-906a-ac3a89cc90d4
name: Cross-Cloud Password Spray detection
description: |
'This detection focuses on identifying potential cross-cloud brute force / Password Spray attempts involving Azure and AWS platforms. It monitors sign-in activities within the Azure Portal and AWS ConsoleLogins where brute force attempts are successful on both platforms in a synchronized manner.'
severity: Medium
requiredDataConnectors:
- connectorId: AWS
dataTypes:
- AWSCloudTrail
- connectorId: AzureActiveDirectory
dataTypes:
- SigninLogs
- connectorId: BehaviorAnalytics
dataTypes:
- IdentityInfo
- connectorId: MicrosoftThreatProtection
dataTypes:
- SecurityAlert
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- CredentialAccess
relevantTechniques:
- T1110
query: |
// Materialize a table named "Azure_Bruforce" containing Azure Portal sign-in logs within the last 1 day
let Azure_Bruforce = materialize (
SigninLogs
// Filter sign-in logs related to the Azure Portal
| where AppDisplayName == "Azure Portal"
// Exclude entries with empty OriginalRequestId
| where isnotempty(OriginalRequestId)
// Summarize various counts and sets based on brute force criteria
| summarize
AzureSuccessfulEvent = countif(ResultType == 0),
AzureFailedEvent = countif(ResultType != 0),
totalAzureLoginEventId = dcount(OriginalRequestId),
AzureFailedEventsCount = dcountif(OriginalRequestId, ResultType != 0),
AzureSuccessfuleventsCount = dcountif(OriginalRequestId, ResultType == 0),
AzureSetOfFailedevents = makeset(iff(ResultType != 0, OriginalRequestId, ""), 5),
AzureSetOfSuccessfulEvents = makeset(iff(ResultType == 0, OriginalRequestId, ""), 5)
by
IPAddress,
UserPrincipalName,
bin(TimeGenerated, 1min),
UserAgent,
ConditionalAccessStatus,
OperationName,
RiskDetail,
AuthenticationRequirement,
ClientAppUsed
// Extracting the name and UPN suffix from UserPrincipalName
| extend
Name = tostring(split(UserPrincipalName, '@')[0]),
UPNSuffix = tostring(split(UserPrincipalName, '@')[1]));
// Materialize a table named "AWS_Bruforce" containing AWS CloudTrail events related to ConsoleLogins within the last 1 day
let AWS_Bruforce = materialize (
AWSCloudTrail
// Filter CloudTrail events related to ConsoleLogin
| where EventName == "ConsoleLogin"
// Extract ActionType from ResponseElements JSON
| extend ActionType = tostring(parse_json(ResponseElements).ConsoleLogin)
// Summarize various counts and sets based on brute force criteria
| summarize
AWSSuccessful=countif(ActionType == "Success"),
AWSFailed = countif(ActionType == "Failure"),
totalAwsEventId= dcount(AwsEventId),
AWSFailedEventsCount = dcountif(AwsEventId, ActionType == "Failure"),
AWSSuccessfuleventsCount = dcountif(AwsEventId, ActionType == "Success"),
AWSFailedevents = makeset(iff(ActionType == "Failure", AwsEventId, ""), 5),
AWSSuccessfulEvents = makeset(iff(ActionType == "Success", AwsEventId, ""), 5)
// Grouping by various attributes
by
SourceIpAddress,
UserIdentityUserName,
bin(TimeGenerated, 1min),
UserAgent );
// Joining the Azure_Bruforce and AWS_Bruforce tables on matching IP addresses and UserAgents
Azure_Bruforce
| join kind=inner AWS_Bruforce on $left.IPAddress == $right.SourceIpAddress and $left.UserAgent == $right.UserAgent
// Filtering based on conditions for failed and successful events
| where (AWSFailedEventsCount >= 4 and AzureFailedEventsCount >= 5) and ((AzureSuccessfuleventsCount >= 1 and AzureFailedEvent > AzureSuccessfulEvent) or (AWSSuccessfuleventsCount >= 1 and AWSFailedEventsCount > AWSSuccessfuleventsCount))
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Name
- identifier: UPNSuffix
columnName: UPNSuffix
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SourceIpAddress
customDetails:
AwsUser: UserIdentityUserName
UserAgent: UserAgent
AzureUser: UserPrincipalName
AzureClientAppUsed: ClientAppUsed
kind: Scheduled
version: 1.0.0
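Review bot: requiredDataConnectors lists BehaviorAnalytics/IdentityInfo and MicrosoftThreatProtection/SecurityAlert, but the query reads only SigninLogs and AWSCloudTrail, so workspaces without those two connectors will see the rule reported as missing prerequisites for data it never uses; drop the two unused entries. The description says the attempts succeed on both platforms "in a synchronized manner", yet the join on IPAddress and UserAgent carries no time constraint, so an Azure burst and an AWS burst hours apart within the 1d period still correlate; add the 1-minute bin to the join keys or follow the join with `| where abs(datetime_diff('minute', TimeGenerated, TimeGenerated1)) <= 60`. `makeset` is the legacy spelling; `make_set`, which the other new rules in this commit use, is the current one.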


@ -0,0 +1,149 @@
id: 122fbc6a-57ab-4aa7-b9a9-51ac4970cac1
name: Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login
description: |
'
This detection correlates AWS GuardDuty Credential Access alerts related to Amazon Relational Database Service (RDS) activity with Azure portal sign-in activities. It identifies successful and failed logins, anomalous behavior, and malicious IP access. By joining these datasets on network entities and IP addresses, it detects unauthorized credential access attempts across AWS and Azure resources, enhancing cross-cloud security monitoring.
'
severity: Medium
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- SigninLogs
- connectorId: AWSS3
dataTypes:
- AWSGuardDuty
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- CredentialAccess
- InitialAccess
relevantTechniques:
- T1557
- T1110
- T1110.003
- T1110.004
- T1606
- T1556
- T1133
query: |
// Define variable 'AwsAlert' to collect AWS GuardDuty CredentialAccess alerts related to Amazon Relational Database Service (RDS) activity
let AwsAlert = materialize (
AWSGuardDuty
| where ActivityType has_any (
"CredentialAccess:RDS/TorIPCaller.SuccessfulLogin",
"CredentialAccess:RDS/TorIPCaller.FailedLogin",
"CredentialAccess:RDS/AnomalousBehavior.SuccessfulBruteForce",
"CredentialAccess:RDS/AnomalousBehavior.SuccessfulLogin",
"CredentialAccess:RDS/MaliciousIPCaller.SuccessfulLogin",
"CredentialAccess:RDS/MaliciousIPCaller.FailedLogin"
)
| extend
AWSAlertId = Id,
AWSAlertTitle = Title,
AWSAlertDescription = Description,
AWSresourceType = tostring(parse_json(ResourceDetails).resourceType),
AWSNetworkEntity = tostring(parse_json(ServiceDetails).action.rdsLoginAttemptAction.remoteIpDetails.ipAddressV4),
RDSInstanceId = tostring(parse_json(ResourceDetails).rdsDbInstanceDetails.dbInstanceIdentifier),
RDSUser = tostring(parse_json(ResourceDetails).rdsDbUserDetails.user),
RDSApplication = tostring(parse_json(ResourceDetails).rdsDbUserDetails.application),
RDSactionType = tostring(parse_json(ServiceDetails).action.actionType),
AWSAlertTime = TimeCreated,
AWSAlertLink= tostring(strcat('https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=',Id)),
Severity =
case (
Severity >= 7.0, "High",
Severity between (4.0 .. 6.9), "Medium",
Severity between (1.0 .. 3.9), "Low",
"Unknown")
| distinct
AWSAlertTime,
ActivityType,
AWSAlertId,
AWSAlertLink,
AWSAlertTitle,
AWSAlertDescription,
AWSresourceType,
Arn,
Severity,
RDSactionType,
RDSApplication,
RDSInstanceId,
RDSUser,
AWSNetworkEntity
);
// Define variable 'Azure_sigin' to collect Azure portal sign-in activities
let Azure_sigin = materialize (
SigninLogs
| where AppDisplayName == "Azure Portal"
| where isnotempty(OriginalRequestId)
| summarize
AzureSuccessfulEvent = countif(ResultType == 0),
AzureFailedEvent = countif(ResultType != 0),
totalAzureLoginEventId = dcount(OriginalRequestId),
AzureFailedEventsCount = dcountif(OriginalRequestId, ResultType != 0),
AzureSuccessfuleventsCount = dcountif(OriginalRequestId, ResultType == 0),
AzureSetOfFailedevents = makeset(iff(ResultType != 0, OriginalRequestId, ""), 5),
AzureSetOfSuccessfulEvents = makeset(iff(ResultType == 0, OriginalRequestId, ""), 5)
by
IPAddress,
UserPrincipalName,
bin(TimeGenerated, 1min),
UserAgent,
ConditionalAccessStatus,
OperationName,
RiskDetail,
AuthenticationRequirement,
ClientAppUsed
// Extracting the name and UPN suffix from UserPrincipalName
| extend
Name = tostring(split(UserPrincipalName, '@')[0]),
UPNSuffix = tostring(split(UserPrincipalName, '@')[1])
);
// Join 'AwsAlert' and 'Azure_sigin' on the AWS Network Entity and Azure IP Address
AwsAlert
| join kind=inner Azure_sigin on $left.AWSNetworkEntity == $right.IPAddress
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPAddress
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Name
- identifier: UPNSuffix
columnName: UPNSuffix
customDetails:
AWSAlertUserName: RDSUser
AWSArn: Arn
AWSresourceType: AWSresourceType
AWSInstanceType: RDSactionType
AWSAplicationName: RDSApplication
AWSInstanceId: RDSInstanceId
AzureUserAgent: UserAgent
AzureUser: UserPrincipalName
AzureClientAppUsed: ClientAppUsed
AzConditionalAccess: ConditionalAccessStatus
AzureOperationName: OperationName
AzureRiskDetail: RiskDetail
AzAuthRequirement: AuthenticationRequirement
alertSeverity: Severity
alertDetailsOverride:
alertDisplayNameFormat: "IP address {{IPAddress}} in {{AWSAlertTitle}} seen in Azure Signin Logs with {{UserPrincipalName}}"
alertDescriptionFormat: "This detection correlates AWS GuardDuty Credential Access alert described '{{AWSAlertDescription}}' related to Amazon Relational Database Service (RDS) activity with Azure portal sign-in activities. It identifies successful and failed logins, anomalous behavior, and malicious IP access. By joining these datasets on network entities and IP addresses, it detects unauthorized credential access attempts across AWS and Azure resources, enhancing cross-cloud security monitoring. \n\n AWS ALert Link : '{{AWSAlertLink}}' \n\n Find More Details :https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html"
alertSeverityColumnName: Severity
alertDynamicProperties:
- alertProperty: AlertLink
value: AWSAlertLink
- alertProperty: ProviderName
value: "AWS"
- alertProperty: ProductName
value: "AWSGuardDuty"
- alertProperty: ProductComponentName
value: "AWSGuardDuty"
- alertProperty: Severity
value: Severity
kind: Scheduled
version: 1.0.0
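Review bot: AWSAlertLink hard-codes `us-east-1` in both the console host and the region query parameter, so for findings raised in any other region the link attached to the incident opens the wrong console view; if the AWSGuardDuty row carries the finding's region, build the URL from that column instead of a constant (the same constant appears in the 'Unauthorized user access across AWS and Azure' rule). The Severity case maps >= 7.0 to High, 4.0–6.9 to Medium and 1.0–3.9 to Low, so values in 3.9–4.0 and 6.9–7.0 fall through to "Unknown"; `Severity >= 4.0, "Medium", Severity >= 1.0, "Low"` as the second and third arms removes the gaps. The join on AWSNetworkEntity == IPAddress has no temporal bound inside the 1d period, which is worth stating in the description so analysts know any sign-in from the finding's IP that day correlates. alertDescriptionFormat has 'ALert' for 'Alert'.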


@ -0,0 +1,123 @@
id: 188db479-d50a-4a9c-a041-644bae347d1f
name: Successful AWS Console Login from IP Address Observed Conducting Password Spray
description: |
'This query aims to detect instances of successful AWS console login events followed by multiple failed app logons alerts generated by Microsoft Cloud App Security or password spray alerts generated by Defender Products.
Specifically, it focuses on scenarios where the successful login takes place within a 60-minute timeframe of the high-severity alert.
The login is considered relevant if it originates from an IP address associated with potential attackers.'
severity: Medium
requiredDataConnectors:
- connectorId: AWS
dataTypes:
- AWSCloudTrail
- connectorId: MicrosoftDefenderAdvancedThreatProtection
dataTypes:
- SecurityAlert
- connectorId: AzureActiveDirectoryIdentityProtection
dataTypes:
- SecurityAlert (IPC)
- connectorId: BehaviorAnalytics
dataTypes:
- IdentityInfo
- connectorId: MicrosoftThreatProtection
dataTypes:
- SecurityAlert
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
- CredentialAccess
relevantTechniques:
- T1110
- T1078
query: |
SecurityAlert
// Filtering alerts based on Microsoft product names and Relevent alert names
| where ProductName in ( "Microsoft Cloud App Security","Azure Active Directory Identity Protection")
|where AlertName in ("Multiple failed user log on attempts to an app","Password Spray")
// Parsing and extending the 'Entities' column as JSON objects
| extend Entities = parse_json(Entities)
// Exploring IP entities within the alert entities
| mv-apply Entity = Entities on
(
where Entity.Type == 'ip'
| extend EntityIp = tostring(Entity.Address)
)
// Exploring account entities within the alert entities
| mv-apply Entity = Entities on
(
where Entity.Type == 'account'
| extend AccountObjectId = tostring(Entity.AadUserId)
)
// Filtering out alerts with missing IP or account information
| where isnotempty(EntityIp) and isnotempty(AccountObjectId)
// Summarizing relevant fields for further analysis
| summarize
by
AlertName,
ProductName,
ProviderName,
AlertSeverity,
EntityIp,
Tactics,
Techniques,
AlertTime= bin(TimeGenerated, 1min),
AccountObjectId,
AlertTimeGenerated=TimeGenerated
// Joining with IdentityInfo to obtain additional account details
| join kind=inner (
IdentityInfo
| where TimeGenerated >= ago(1d)
| distinct AccountObjectId, AccountUPN=tolower(AccountUPN)
)
on AccountObjectId
|extend Name = tostring(split(AccountUPN,'@')[0]), UPNSuffix =tostring(split(AccountUPN,'@')[1])
// Joining with AWSCloudTrail data to correlate AWS console logins
| join kind=inner (
AWSCloudTrail
| where EventName == "ConsoleLogin"
| extend CTUPN= tolower(tostring(tolower(split(UserIdentityArn, "/", 2)[0])))
| extend ActionType= tostring(parse_json(ResponseElements).ConsoleLogin)
| where ActionType == "Success"
| extend AWSTime= bin(TimeGenerated, 1min)
| project
EventName,
EventSource,
EventTypeName,
RecipientAccountId,
ResponseElements,
SessionMfaAuthenticated,
SourceIpAddress,
TimeGenerated,
UserAgent,
UserIdentityArn,
UserIdentityType,
CTUPN,
AWSTime,
UserIdentityUserName
)
on $left.EntityIp == $right.SourceIpAddress
// Filtering login event after the Alert generation time
| where AlertTimeGenerated between ((AWSTime - 1h)..(AWSTime + 1h))
// Calculating the time difference between alert generation and AWS login
| extend timediff = datetime_diff('minute', AlertTimeGenerated, TimeGenerated)
// Filtering alerts with a time difference of up to 60 minutes
| where timediff <= 60
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Name
- identifier: UPNSuffix
columnName: UPNSuffix
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SourceIpAddress
customDetails:
AWSUser: UserIdentityArn
UserAgent: UserAgent
AWSUserUPN: CTUPN
kind: Scheduled
version: 1.0.0
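Review bot: requiredDataConnectors includes MicrosoftDefenderAdvancedThreatProtection and MicrosoftThreatProtection, but the ProductName filter admits only "Microsoft Cloud App Security" and "Azure Active Directory Identity Protection", so alerts from those connectors never reach the join; either widen the filter or remove the two entries. `CTUPN= tolower(tostring(tolower(split(UserIdentityArn, "/", 2)[0])))` applies tolower twice, and for an IAM user ARN with a single '/' index 2 appears to yield an empty value — confirm which ARN shapes (assumed-role session ARNs?) this is meant to handle and comment it. The final `| where timediff <= 60` adds nothing once AlertTimeGenerated is already bounded to AWSTime ± 1h two lines earlier; keeping one of the two conditions, or `| where abs(timediff) <= 60`, makes the intent clear.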


@ -0,0 +1,128 @@
id: b51fe620-62ad-4ed2-9d40-5c97c0a8231f
name: Suspicious AWS console logins by credential access alerts
description: |
'This query aims to detect instances of successful AWS console logins that align with high-severity credential access or Initial Access alerts generated by Defender Products.
Specifically, it focuses on scenarios where the successful login takes place within a 60-minute timeframe of the high-severity alert. The login is considered relevant if it originates from an IP address associated with potential attackers.'
severity: Medium
requiredDataConnectors:
- connectorId: OfficeATP
dataTypes:
- SecurityAlert
- connectorId: AWS
dataTypes:
- AWSCloudTrail
- connectorId: MicrosoftDefenderAdvancedThreatProtection
dataTypes:
- SecurityAlert
- connectorId: AzureActiveDirectoryIdentityProtection
dataTypes:
- SecurityAlert (IPC)
- connectorId: BehaviorAnalytics
dataTypes:
- IdentityInfo
- connectorId: MicrosoftThreatProtection
dataTypes:
- SecurityAlert
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
- CredentialAccess
relevantTechniques:
- T1078
query: |
SecurityAlert
// Filtering alerts based on Microsoft product names
| where ProductName in ("Microsoft 365 Defender", "Azure Active Directory", "Microsoft Defender Advanced Threat Protection", "Microsoft Cloud App Security","Azure Active Directory Identity Protection", "Microsoft Defender ATP")
// Narrowing down alerts to specific tactics
| where Tactics in("CredentialAccess", "InitialAccess")
// Focusing on high-severity alerts
| where AlertSeverity == "High"
// Parsing and extending the 'Entities' column as JSON objects
| extend Entities = parse_json(Entities)
// Exploring IP entities within the alert entities
| mv-apply Entity = Entities on
(
where Entity.Type == 'ip'
| extend EntityIp = tostring(Entity.Address)
)
// Exploring account entities within the alert entities
| mv-apply Entity = Entities on
(
where Entity.Type == 'account'
| extend AccountObjectId = tostring(Entity.AadUserId)
)
// Filtering out alerts with missing IP or account information
| where isnotempty(EntityIp) and isnotempty(AccountObjectId)
// Summarizing relevant fields for further analysis
| summarize
by
AlertName,
ProductName,
ProviderName,
AlertSeverity,
EntityIp,
Tactics,
Techniques,
AlertTime= bin(TimeGenerated, 1min),
AccountObjectId,
AlertTimeGenerated=TimeGenerated
// Joining with IdentityInfo to obtain additional account details
| join kind=inner (
IdentityInfo
| where TimeGenerated >= ago(1d)
| distinct AccountObjectId, AccountUPN=tolower(AccountUPN)
)
on AccountObjectId
|extend Name = tostring(split(AccountUPN,'@')[0]), UPNSuffix =tostring(split(AccountUPN,'@')[1])
// Joining with AWSCloudTrail data to correlate AWS console logins
| join kind=inner (
AWSCloudTrail
| where EventName == "ConsoleLogin"
| extend CTUPN= tolower(tostring(tolower(split(UserIdentityArn, "/", 2)[0])))
| extend ActionType= tostring(parse_json(ResponseElements).ConsoleLogin)
| where ActionType == "Success"
| extend AWSTime= bin(TimeGenerated, 1min)
| project
EventName,
EventSource,
EventTypeName,
RecipientAccountId,
ResponseElements,
SessionMfaAuthenticated,
SourceIpAddress,
TimeGenerated,
UserAgent,
UserIdentityArn,
UserIdentityType,
CTUPN,
AWSTime,
UserIdentityUserName
)
on $left.EntityIp == $right.SourceIpAddress
// Filtering login event after the Alert generation time
| where AlertTimeGenerated >= AWSTime
// Calculating the time difference between alert generation and AWS login
| extend timediff = datetime_diff('minute', AlertTimeGenerated, TimeGenerated)
// Filtering alerts with a time difference of up to 60 minutes
| where timediff between ((-60)..(60))
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Name
- identifier: UPNSuffix
columnName: UPNSuffix
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SourceIpAddress
customDetails:
AWSUSerUPN: CTUPN
AzureUserUPN: AccountUPN
ComonIp: SourceIpAddress
UserAgent: UserAgent
kind: Scheduled
version: 1.0.0
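Review bot: The comment 'Filtering login event after the Alert generation time' contradicts `| where AlertTimeGenerated >= AWSTime`, which keeps logins that happen before or at the alert; the description allows the login within 60 minutes on either side of the alert, and the sibling password-spray rule in this commit uses a ± window, so the `>=` line should go and `timediff between ((-60)..(60))` carry the filter alone, or the comment should say logins preceding the alert. `| where Tactics in("CredentialAccess", "InitialAccess")` needs an exact match, but SecurityAlert.Tactics is a string that can list several comma-separated tactics, so multi-tactic alerts are silently dropped; `| where Tactics has_any ("CredentialAccess", "InitialAccess")` is the safer form. The customDetails keys `AWSUSerUPN` and `ComonIp` are shown to analysts as-is and look like typos for AWSUserUPN and CommonIp.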


@ -0,0 +1,147 @@
id: 60f31001-018a-42bf-8045-a92e1f361b7b
name: Unauthorized user access across AWS and Azure
description: |
'
This detection compiles and correlates unauthorized user access alerts originating from AWS GuardDuty with Azure portal sign-in activities. It focuses on AWS GuardDuty alerts related to unauthorized user access, specifically targeting network IP associations tied to activities such as logins from malicious IP addresses or instance credential exfiltration attempts. The ditection leverages these common network IP advisories to detect and pinpoint unauthorized users attempting to access both AWS and Azure resources.
'
severity: Medium
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- SigninLogs
- connectorId: AWSS3
dataTypes:
- AWSGuardDuty
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- CredentialAccess
- Exfiltration
- Discovery
relevantTechniques:
- T1557
- T1110
- T1110.003
- T1110.004
- T1212
- T1048
- T1087
- T1580
query: |
// Define a variable 'AwsAlert' to collect Unauthorized user access alerts from AWS GuardDuty table
let AwsAlert = materialize (
AWSGuardDuty
| where ActivityType has_any ("UnauthorizedAccess:IAMUser/TorIPCaller", "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom",
"UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS", "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS",
"UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B","UnauthorizedAccess:IAMUser/MaliciousIPCaller")
| extend
AWSAlertId = Id,
AWSAlertTitle = Title,
AWSAlertDescription = Description,
AWSresourceType = tostring(parse_json(ResourceDetails).resourceType),
AWSNetworkEntity = tostring(parse_json(ServiceDetails).action.awsApiCallAction.remoteIpDetails.ipAddressV4),
AWSAlertUserNameEntity = tostring(parse_json(ResourceDetails).accessKeyDetails.userName),
InstanceType = tostring(parse_json(ResourceDetails).instanceDetails.instanceType),
AWSTargetingService = parse_json(ServiceDetails).additionalInfo.apiCalls,
AWSAlertTime = TimeCreated,
AWSAlertLink= tostring(strcat('https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=',Id)),
Severity =
case (
Severity >= 7.0, "High",
Severity between (4.0 .. 6.9), "Medium",
Severity between (1.0 .. 3.9), "Low",
"Unknown")
| mv-apply AIPCall = AWSTargetingService on
(
where AIPCall has "name"
| extend APICallName = tostring(AIPCall.name), APICallCount = tostring(AIPCall["count"])
)
| distinct
AWSAlertTime,
ActivityType,
Severity,
AWSAlertId,
AWSAlertTitle,
AWSAlertDescription,
AWSAlertLink,
Arn,
AWSresourceType,
AWSNetworkEntity,
AWSAlertUserNameEntity,
InstanceType,
APICallName,
APICallCount
);
// Define a variable 'Azure_sigin' to collect Azure portal Signing activity from SigninLogs Table
let Azure_sigin = materialize (SigninLogs
| where AppDisplayName == "Azure Portal"
| where isnotempty(OriginalRequestId)
| summarize
totalAzureLoginEventId = dcount(OriginalRequestId),
AzureFailedEventsCount = dcountif(OriginalRequestId, ResultType != 0),
AzureSuccessfulEventsCount = dcountif(OriginalRequestId, ResultType == 0),
AzureSetOfFailedEvents = makeset(iff(ResultType != 0, OriginalRequestId, ""), 5),
AzureSetOfSuccessfulEvents = makeset(iff(ResultType == 0, OriginalRequestId, ""), 5)
by
IPAddress,
UserPrincipalName,
bin(TimeGenerated, 1min),
UserAgent,
ConditionalAccessStatus,
OperationName,
RiskDetail,
AuthenticationRequirement,
ClientAppUsed
// Extracting the name and UPN suffix from UserPrincipalName
| extend
Name = tostring(split(UserPrincipalName, "@")[0]),
UPNSuffix = tostring(split(UserPrincipalName, "@")[1])
);
// Join 'AwsAlert' and 'Azure_sigin' on the AWS Network Entity and Azure IP Address
AwsAlert
| join kind=inner Azure_sigin on $left.AWSNetworkEntity == $right.IPAddress
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPAddress
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Name
- identifier: UPNSuffix
columnName: UPNSuffix
customDetails:
AWSAlertUserName: AWSAlertUserNameEntity
AWSArn: Arn
AWSresourceType: AWSresourceType
AWSInstanceType: InstanceType
AWSAPICallName: APICallName
AWSAPICallCount: APICallCount
AzureUserAgent: UserAgent
AzureUser: UserPrincipalName
AzureClientAppUsed: ClientAppUsed
AzConditionalAccess: ConditionalAccessStatus
AzureOperationName: OperationName
AzureRiskDetail: RiskDetail
AzAuthRequirement: AuthenticationRequirement
alertSeverity: Severity
alertDetailsOverride:
alertDisplayNameFormat: "{{AWSNetworkEntity}} from {{AWSAlertTitle}} observed in Azure Singins with {{UserPrincipalName}}"
alertDescriptionFormat: " This detection compiles and correlates unauthorized user access alerts originating from AWS GuardDuty With Alert Description '{{AWSAlertDescription}}' with Azure portal sign-in activities. It focuses on AWS GuardDuty alerts related to unauthorized user access, specifically targeting network IP associations tied to activities such as logins from malicious IP addresses or instance credential exfiltration attempts. The detection leverages these common network IP advisories to detect and pinpoint unauthorized users attempting to access both AWS and Azure resources. \n\n AWS ALert Link : '{{AWSAlertLink}}' \n\n Find More Details :https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html"
alertSeverityColumnName: Severity
alertDynamicProperties:
- alertProperty: AlertLink
value: AWSAlertLink
- alertProperty: ProviderName
value: "AWS"
- alertProperty: ProductName
value: "AWSGuardDuty"
- alertProperty: ProductComponentName
value: "AWSGuardDuty"
- alertProperty: Severity
value: severity
kind: Scheduled
version: 1.0.1
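Review bot: Under alertDynamicProperties the Severity property takes `value: severity`, but the column the query produces is `Severity`; Kusto column names are case-sensitive, so this property will not resolve, whereas the RDS rule in the same commit correctly uses `value: Severity`. AWSAlertLink hard-codes us-east-1 exactly as that rule does, so findings from other regions get a console link to the wrong region; derive it from the finding's region column if the table has one. The description contains 'ditection' for 'detection' and alertDisplayNameFormat 'Singins' for 'Signins'.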


@ -0,0 +1,68 @@
id: 11c3d541-5fa5-49df-8218-d1c98584473b
name: User impersonation by Identity Protection alerts
description: |
'This detection focuses on identifying user-related events involving IAM roles, groups, user access, and password changes. It examines instances where the user's IP address matches and alerts generated by Identity Protection share the same IP address. The analysis occurs within a time window of 1 hour, helping to flag potential cases of user impersonation.'
severity: Medium
requiredDataConnectors:
- connectorId: AWS
dataTypes:
- AWSCloudTrail
- connectorId: AzureActiveDirectoryIdentityProtection
dataTypes:
- SecurityAlert (IPC)
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- PrivilegeEscalation
relevantTechniques:
- T1134
query: |
// Retrieve SecurityAlerts generated within the last day
SecurityAlert
// Filter alerts for Azure Active Directory Identity Protection and High severity
| where ProductName has "Azure Active Directory Identity Protection"
| where AlertSeverity == "High"
// Extract IP address entities from the 'Entities' field
| extend ipAddress = extract(@'\b(?:\d{1,3}\.){3}\d{1,3}\b', 0, Entities)
// Filter out alerts without IP address entities
| where isnotempty(ipAddress)
// Summarize entities per unique combination of attributes
| summarize make_set(Entities)
by
AlertTime = TimeGenerated,
ipAddress,
AlertName,
ProductName,
AlertSeverity
// Perform an inner join with AWS CloudTrail events
| join kind=inner (
AWSCloudTrail
| where isempty(ErrorMessage)
| extend UserType = tostring(parse_json(RequestParameters).userType)
| where EventName in~ ("CreateRole", "DeleteRole", "CreateUser", "CreateAccessKey", "DeleteAccessKey", "CreateGroup", "AddUserToGroup", "ChangePassword", "DeleteGroup", "DeleteUser", "RemoveUserFromGroup", "CreateVirtualMFADevice", "DeleteLoginProfile")
| summarize
make_set(RequestParameters),
make_set(ResponseElements)
by
SourceIpAddress,
UserIdentityArn,
UserIdentityType,
EventName,
EventTime = TimeGenerated
)
on $left.ipAddress == $right.SourceIpAddress
// Filter results based on temporal correlation
| where AlertTime between ((EventTime - 1h) .. (EventTime + 1h))
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SourceIpAddress
customDetails:
AWSUser: UserIdentityArn
AlertIp : ipAddress
AlertName: AlertName
kind: Scheduled
version: 1.0.0
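Review bot: `extract(@'\b(?:\d{1,3}\.){3}\d{1,3}\b', 0, Entities)` takes the first dotted quad found anywhere in the serialized Entities JSON, so it keeps only one address when an alert carries several, never matches IPv6, and can pick up a non-address digit pattern from another entity. The other new rules in this commit walk the entities with `| mv-apply Entity = Entities on (where Entity.Type == 'ip' | extend EntityIp = tostring(Entity.Address))`; using the same construct here makes the IP extraction exact and keeps the rules consistent. The comment 'Retrieve SecurityAlerts generated within the last day' describes the 1d queryPeriod rather than anything the query itself does; `// SecurityAlert rows are already bounded to the 1d queryPeriod` would be accurate.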


@ -0,0 +1,72 @@
id: f4a28082-2808-4783-9736-33c1ae117475
name: High-Risk Cross-Cloud User Impersonation
description: |
'This detection focuses on identifying high-risk cross-cloud activities and sign-in anomalies that may indicate potential security threats. The query starts by analyzing Azure AD Signin Logs to pinpoint instances where specific applications, risk levels, and result types align. It then correlates this information with relevant AWS CloudTrail events to identify activities across Azure and AWS environments.'
severity: Medium
requiredDataConnectors:
- connectorId: AWS
dataTypes:
- AWSCloudTrail
- connectorId: AzureActiveDirectory
dataTypes:
- SigninLogs
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- PrivilegeEscalation
relevantTechniques:
- T1134
- T1078.002
- T1078.004
query: |
// Retrieve Azure AD SigninLogs within the last day
SigninLogs
// Filter for specific AppDisplayNames, ResultType, and Risk Levels
| where AppDisplayName in ("Azure Portal", "ADFS Trust", "Microsoft Azure PowerShell")
and RiskLevelAggregated == "high"
and RiskLevelDuringSignIn == "high"
// Summarize AppDisplayNames by relevant attributes
| extend Result = iff(ResultType == 0, "Successful Signin", "Failed Signin")
| summarize make_set(AppDisplayName)
by
IPAddress,
signInTime=TimeGenerated,
UserPrincipalName,
RiskEventTypes,
RiskEventTypes_V2
// Inner join with AWS CloudTrail events
| join kind=inner (
AWSCloudTrail
| where isempty(ErrorMessage)
| where EventSource in ("iam.amazonaws.com", "identitystore.amazonaws.com", "workmail.amazonaws.com", "workdocs.amazonaws.com")
// List of AWS event names
| where EventName in~ ("CreateRole", "DeleteRole", "CreateUser", "CreateAccessKey", "DeleteAccessKey", "CreateGroup", "AddUserToGroup", "ChangePassword", "DeleteGroup", "DeleteUser", "RemoveUserFromGroup", "CreateVirtualMFADevice", "DeleteLoginProfile", "CreateOrganization", "SetDefaultMailDomain", "SetMailUserDetails", "CreateMailUser", "ResetPassword", "RegisterToWorkMail", "DisableMailUsers", "EnableMailUsers", "DeleteServiceSpecificCredential", "CreateServiceSpecificCredential", "UpdateAccountEmailAddress", "DeleteGroupPolicy", "UploadServerCertificate")
// Summarize relevant attributes
| summarize make_set(RequestParameters), make_set(ResponseElements)
by
SourceIpAddress,
UserIdentityArn,
UserIdentityType,
EventName,
EventTime=TimeGenerated,
EventSource
)
on $left.IPAddress == $right.SourceIpAddress
// Calculate time difference in hours between AWS event and Azure sign-in
| extend timedef = datetime_diff("hour", EventTime, signInTime)
// Filter for time differences within a certain range
| where timedef between (0 .. 8)
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SourceIpAddress
customDetails:
AwsUser: UserIdentityArn
RiskEventTypes: RiskEventTypes
AzureUser: UserPrincipalName
AWSEventName: EventName
kind: Scheduled
version: 1.0.0
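Review bot: The temporal filter `| extend timedef = datetime_diff("hour", EventTime, signInTime)` / `| where timedef between (0 .. 8)` is coarser than the comment above it suggests: if datetime_diff is calendrical (counts hour boundaries crossed), an AWS event a few minutes before the sign-in but inside the same clock hour yields 0 and passes, and the effective window is closer to 0–9 hours than 0–8. A direct range is exact and needs no helper column: `| where EventTime between (signInTime .. (signInTime + 8h))`. The entity mapping exposes only the IP although UserPrincipalName and UserIdentityArn are both projected; adding an Account entity (`- entityType: Account` with `identifier: FullName` and `columnName: UserPrincipalName`) would let incidents group and enrich on the user rather than on a shared egress address.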


@ -11,8 +11,8 @@ query: |
| where Process has_any ("powershell.exe", "powershell_ise.exe") // perfromance pre-filtering
| extend FileName=tostring(split(TargetProcessName, '\\')[-1])
| where FileName in~ ("powershell.exe", "powershell_ise.exe")
| where CommandLine has_any ("Net.WebClient", "DownloadFile", "Invoke-WebRequest", "Invoke-Shellcode", "http:")
| where CommandLine has_any ("Net.WebClient", "DownloadFile", "Invoke-WebRequest", "Invoke-Shellcode", "http:", "https:")
| project TimeGenerated, Dvc, User, ActingProcessName, FileName, CommandLine, EventVendor, EventProduct
| top 100 by TimeGenerated
| extend timestamp = TimeGenerated
version: 1.0.0
version: 1.0.1


@ -0,0 +1,28 @@
id: f5e4d3c2-b1a0-4f9d-8e7c-6b5a4d3e2c1f
name: AAD group adds in the last 7 days
description: |
This query looks for AAD group adds identified by Microsoft Defender for Cloud Apps. It will require an corresponding app connector in Microsoft Defender for Cloud Apps.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- Privilege Escalation
relevantTechniques:
- T1548
query: >
let LookBack = 7d;
CloudAppEvents
| where ActionType in ("Add member to group.") and AccountType == "Regular" and Timestamp > ago(LookBack)
| extend SecondElement = RawEventData.ModifiedProperties[1]
| extend UserAddedId = RawEventData.ObjectId
| extend GroupName = SecondElement.NewValue
| project Timestamp, ActionType,UserAddedId,PerformedBy = AccountDisplayName,GroupName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: DisplayName
columnName: UserAddedId
- identifier: DisplayName
columnName: PerformedBy
version: 1.0.0
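Review bot: `UserAddedId` is `RawEventData.ObjectId`, an object id, yet the Account mapping binds it to `identifier: DisplayName`; the sibling role-add query maps its object ids with `identifier: ObjectGuid`, and this one should do the same (`- identifier: ObjectGuid` / `columnName: UserAddedId`). `tactics: - Privilege Escalation` is spelled with a space here and in the role-add query, while the cross-cloud rule above uses `PrivilegeEscalation`; the repo tooling presumably accepts only one spelling, so the two new hunting queries should match it. `RawEventData.ModifiedProperties[1]` is a positional lookup that silently yields an empty GroupName if the property order differs between events; a name-based lookup over ModifiedProperties would be more robust, though the property name is not visible here and should be confirmed against sample data. The description also reads "an corresponding" (should be "a corresponding"), as do the role-add and mass-download descriptions.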


@ -0,0 +1,34 @@
id: d7f6e5c4-b3a2-4e9f-8d7c-6a5b4c3d2e1f
name: AAD role adds in the last 7 days
description: |
This query looks for AAD role adds identified by Microsoft Defender for Cloud Apps. It will require an corresponding app connector in Microsoft Defender for Cloud Apps.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- Privilege Escalation
relevantTechniques:
- T1548
query: >
let LookBack = 7d;
CloudAppEvents
| where ActionType in ("Add member to role.") and Timestamp > ago(LookBack)
| extend FirstElement = ActivityObjects[0], SecondElement = ActivityObjects[1], ThirdElement = ActivityObjects[2]
| extend Type = FirstElement.ServiceObjectType
| extend RoleName = FirstElement.Name
| extend UserAddedName = SecondElement.Name
| extend UserAddedObjectId = SecondElement.Id
| project Timestamp,Type,ActionType,RoleName,UserAddedName,UserAddedObjectId,PerformedByObjectId = AccountId,PerformedByDisplayName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: DisplayName
columnName: UserAddedName
- identifier: ObjectGuid
columnName: UserAddedObjectId
- identifier: ObjectGuid
columnName: PerformedByObjectId
- identifier: DisplayName
columnName: PerformedByDisplayName
version: 1.0.0
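Review bot: `ThirdElement = ActivityObjects[2]` is extended but never referenced afterwards; either drop it from the `| extend` or project a field from it. The `ActivityObjects[0]`/`[1]` lookups assume a fixed ordering of role and target user that the query never checks — `Type = FirstElement.ServiceObjectType` is projected but not filtered on, so a `| where Type == "<expected role object type>"` (value to be confirmed from sample events) would make the positional assumption explicit and keep mis-ordered records from producing a wrong RoleName.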


@ -0,0 +1,29 @@
id: a1b2c3d4-e5f6-4g7h-8i9j-k0l1m2n3o4p5
name: Mass Downloads in the last 7 days
description: |
This query looks for mass downloads identified by Microsoft Defender for Cloud Apps. It will require an corresponding app connector in Microsoft Defender for Cloud Apps.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- Exfiltration
relevantTechniques:
- T1020
query: >
let lookback = 7d; //set the period to query
let threshold = 50; //set the threshold for number of downloads
let downloadTimeframe = 5m; //set the bin timeframe to group the events
CloudAppEvents
| where ActionType == "FileDownloaded" and Timestamp > ago(lookback) // Filter to only "Download" actions
| summarize DownloadCount=count() by AccountDisplayName, AccountObjectId, bin(Timestamp,downloadTimeframe) //bin the results into a timeframe by the account
| where DownloadCount > threshold //filter the records that don't meet the threshold
| project AccountDisplayName,AccountObjectId,DownloadCount
entityMappings:
- entityType: Account
fieldMappings:
- identifier: ObjectGuid
columnName: AccountObjectId
- identifier: DisplayName
columnName: AccountDisplayName
version: 1.0.0
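Review bot: `id: a1b2c3d4-e5f6-4g7h-8i9j-k0l1m2n3o4p5` is not a valid GUID (it contains the letters g–p), so any validation that checks query ids will reject it; generate a real UUID. The final `| project AccountDisplayName,AccountObjectId,DownloadCount` drops the `bin(Timestamp,downloadTimeframe)` column, so a hit tells the analyst that an account crossed the threshold but not in which 5-minute window; keep the bucket with `| project Timestamp, AccountDisplayName, AccountObjectId, DownloadCount`.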


@ -0,0 +1,26 @@
<?xml version="1.0" encoding="utf-8"?>
<!-- Generator: Adobe Illustrator 26.2.1, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->
<svg version="1.1" id="961f48f1-9bca-4e48-9245-b71f47f76a6a"
xmlns="http://www.w3.org/2000/svg" x="0px" y="0px" viewBox="0 0 155 51.6"
xml:space="preserve">
<g>
<path d="M16.1,20.4L11.7,20c-4-0.3-4.2-0.6-4.2-3.3c0-3.2,0.3-3.5,6.4-3.5c3.5,0,5.5,0.2,6.9,0.5l0.3-0.3v-1.1
c0-1.9-0.7-2.6-8.2-2.6c-8.3,0-10.2,1.1-10.2,7.3c0,5.6,1,6.9,6.3,7.4l4.6,0.5c3.9,0.3,4.2,0.6,4.2,3.4c0,3.4-0.3,4-6.2,4
c-4.2,0-7.2-0.3-8.8-0.7l-0.2,0.2v1.3c0,2.3,0.8,3,9.1,3c9.4,0,11-1.5,11-7.9C22.5,21.6,21.4,20.9,16.1,20.4z"/>
<path d="M36.3,16.9c-3.2,0-4.5,0.8-5.5,2.2c-0.2-1.6-0.8-1.9-2.2-1.9h-2.1l-0.3,0.3v26.2l4.7-0.7v-9c0.9,1.5,2.4,1.8,5.7,1.8
c5.1,0,6.4-1.3,6.4-9.5C42.9,18.1,42.1,16.9,36.3,16.9z M34.5,32.2c-3.1,0-3.7-0.6-3.7-2.7v-6.2c0-2.5,1-3,3.7-3
c3.4,0,3.8,0.6,3.8,5.9C38.2,31.6,37.9,32.2,34.5,32.2z"/>
<path d="M54.8,31.9h-0.6c-0.7,0-0.8-0.1-1-0.8l-3.4-13.9h-4.9L48.9,32c0.9,3.4,1.5,3.8,4.8,3.8l-0.5,1.9c-0.6,2.3-0.8,2.4-3,2.4
c-0.8,0-1.7,0-2.3-0.1l-0.3,0.3v1c0,1.8,0.7,2.4,3.8,2.4c4.2,0,4.8-0.8,5.9-5.3l5.8-21.2h-4.8L54.8,31.9z"/>
<path d="M78.5,9.6c-9.5,0-10.7,1.3-10.7,13.1S69,35.9,78.4,35.9c6.6,0,7.9-0.6,7.9-1.9v-0.8l-0.2-0.2c-1.3,0.3-3.4,0.6-6.9,0.6
c-7.8,0-8.3-0.6-8.3-10.7S71.4,12,79.2,12c3.4,0,5.7,0.2,6.9,0.5l0.2-0.2v-0.8C86.2,10.1,85.3,9.6,78.5,9.6z"/>
<polygon points="91.1,35.5 93.9,35.5 93.9,7.9 91.1,8.3 "/>
<path d="M106.3,16.9c-6.7,0-7.8,1.4-7.8,9.5c0,8,1,9.5,7.8,9.5c6.9,0,7.8-1.4,7.8-9.5S113,16.9,106.3,16.9z M106.3,33.5
c-4.2,0-4.8-0.6-4.8-7.2c0-6.5,0.6-7.2,4.8-7.2s4.8,0.6,4.8,7.2C111.1,32.9,110.5,33.5,106.3,33.5z"/>
<path d="M129.9,30.4c0,2.7-1.9,3.2-4.9,3.2c-3.4,0-4-0.5-4-4.1V17.1h-2.9v12.3c0,5.5,1.1,6.3,5.9,6.3c3.5,0,4.8-0.6,5.8-2.1
c0.1,1.6,0.6,1.8,1.5,1.8h1.1l0.2-0.2V17.1h-2.9C129.9,17.1,129.9,30.4,129.9,30.4z"/>
<path d="M149.6,8.3v10.4c-0.9-1.5-2.4-1.8-5.6-1.8c-5.7,0-6.7,1.4-6.7,9.5s0.9,9.5,6.6,9.5c3.8,0,4.9-0.7,5.8-2.1
c0.2,1.6,0.6,1.8,1.5,1.8h1.1l0.2-0.2V8L149.6,8.3z M149.6,30.3c0,2.7-1.8,3.3-4.7,3.3c-4.2,0-4.7-0.6-4.7-7.2s0.6-7.2,4.7-7.2
c4,0,4.8,0.8,4.8,3.1v8H149.6z"/>
</g>
</svg>


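--- /dev/null
+++ b/Logos/foxy-mark.svg
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg
+xmlns="http://www.w3.org/2000/svg" viewBox="0 0 160 160">
+<rect width="160" height="160" fill="#fff"></rect>
+<g>
+<polygon points="87.7 67.69 101.57 58.58 101.57 81.66 106.74 86.87 84.4 108.66 80.02 108.66 80.02 67.69 87.7 67.69" fill="#ba0c2f"></polygon>
+<polygon points="72.33 67.69 58.47 58.58 58.47 81.66 53.29 86.87 75.65 108.66 80.02 108.66 80.02 67.69 72.33 67.69" fill="#e4002b"></polygon>
+<path d="M41.37,123.22l7.46-10.38a45.32,45.32,0,0,1,52.35-72.91l7.45-10.36a58,58,0,0,0-67.26,93.67Z" fill="#ba0c2f"></path>
+<path d="M118.72,36.78l-7.55,10.38a45.32,45.32,0,0,1-52.35,72.91l-7.45,10.36a58,58,0,0,0,67.26-93.67Z" fill="#e4002b"></path>
+</g>
+</svg>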


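--- /dev/null
+++ b/Logos/ionix-logo.svg
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+viewBox="0 0 85.599045 89.39315"
+fill="none"
+version="1.1"
+width="85.599045"
+height="89.39315"
+xmlns="http://www.w3.org/2000/svg">
+<path
+fill-rule="evenodd"
+clip-rule="evenodd"
+d="m 4.4972394,17.216404 c 16.3893836,0 28.4349346,11.715709 28.4349346,24.721431 h 7.214915 5.304862 7.214915 c 0,-13.005722 12.045496,-24.721431 28.434939,-24.721431 V 4.696575 c -6.075418,0 -11.926659,1.2294534 -17.212934,3.4580895 C 49.379062,14.596811 43.27267,29.454888 42.799525,38.806332 v 0.0016 -7.9e-4 7.9e-4 -0.0016 C 42.326388,29.454276 36.218842,14.594731 21.706682,8.1533006 16.421593,5.9255219 10.571073,4.696575 4.4972394,4.696575 Z m 5.64e-5,54.960349 c 16.3893272,0 28.4348782,-11.71594 28.4348782,-24.721645 h 7.214915 12.519777 c 0,13.005705 12.045496,24.721645 28.434939,24.721645 v 12.519768 c -6.075991,0 -11.928905,-1.230179 -17.215189,-3.459594 C 49.380181,74.795396 43.27378,59.940973 42.799525,50.589915 v -0.0048 0.0032 l -5.64e-4,-0.0032 v 0.0048 c -0.474274,9.352167 -6.581811,24.2089 -21.091488,30.649312 -5.285271,2.228296 -11.13606,3.457348 -17.2101772,3.457348 z"
+fill="#5886fb"/>
+</svg>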



@ -35,7 +35,7 @@
"displayName": "Audit event ASIM parser",
"category": "ASIM",
"FunctionAlias": "ASimAuditEvent",
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuditEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet BuiltInDisabled=toscalar('ExcludeASimAuditEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuditEventEmpty, \n ASimAuditEventMicrosoftExchangeAdmin365 (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftExchangeAdmin365' in (DisabledParsers))),\n ASimAuditEventMicrosoftWindowsEvents (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftWindowsEvents' in (DisabledParsers))),\n ASimAuditEventAzureActivity (BuiltInDisabled or ('ExcludeASimAuditEventAzureActivity' in (DisabledParsers)))\n",
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuditEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet BuiltInDisabled=toscalar('ExcludeASimAuditEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuditEventEmpty, \n ASimAuditEventMicrosoftExchangeAdmin365 (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftExchangeAdmin365' in (DisabledParsers))),\n ASimAuditEventMicrosoftWindowsEvents (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftWindowsEvents' in (DisabledParsers))),\n ASimAuditEventAzureActivity (BuiltInDisabled or ('ExcludeASimAuditEventAzureActivity' in (DisabledParsers))),\n ASimAuditEventCiscoMeraki (BuiltInDisabled or ('ExcludeASimAuditEventCiscoMeraki' in (DisabledParsers))),\n ASimAuditEventBarracudaWAF (BuiltInDisabled or ('ExcludeASimAuditEventBarracudaWAF' in (DisabledParsers))),\n ASimAuditEventCiscoISE (BuiltInDisabled or ('ExcludeASimAuditEventCiscoISE' in (DisabledParsers))),\n ASimAuditEventVectraXDRAudit(BuiltInDisabled or ('ExcludeASimAuditEventVectraXDRAudit' in (DisabledParsers)))\n",
"version": 1,
"functionParameters": "pack:bool=False"
}
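Review bot: The new `ASimAuditEventVectraXDRAudit(BuiltInDisabled or ...)` member omits the space before `(` that every other union member in this query string uses; it is cosmetic, but the query text is what gets diffed and grepped across the ASim/vim pair, so keep the entries uniform: `ASimAuditEventVectraXDRAudit (BuiltInDisabled or ('ExcludeASimAuditEventVectraXDRAudit' in (DisabledParsers)))`. The same spacing slip is in the imAuditEvent parser further down.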


@ -0,0 +1,18 @@
# Barracuda WAF ASIM AuditEvent Normalization Parser
ARM template for ASIM AuditEvent schema parser for Barracuda WAF.
This ASIM parser supports normalizing Barracuda WAF to the ASIM Audit Event schema.
The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
For more information, see:
- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
- [ASIM AuditEvent normalization schema reference](https://aka.ms/ASimAuditEventDoc)
<br>
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FASimAuditEventBarracudaWAF%2FASimAuditEventBarracudaWAF.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FASimAuditEventBarracudaWAF%2FASimAuditEventBarracudaWAF.json)


@ -0,0 +1,18 @@
# Cisco ISE ASIM AuditEvent Normalization Parser
ARM template for ASIM AuditEvent schema parser for Cisco ISE.
This ASIM parser supports normalizing administrative activity in the Cisco ISE events to the ASIM Audit Event schema.
The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
For more information, see:
- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
- [ASIM AuditEvent normalization schema reference](https://aka.ms/ASimAuditEventDoc)
<br>
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FASimAuditEventCiscoISE%2FASimAuditEventCiscoISE.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FASimAuditEventCiscoISE%2FASimAuditEventCiscoISE.json)


@ -0,0 +1,18 @@
# Cisco Meraki ASIM AuditEvent Normalization Parser
ARM template for ASIM AuditEvent schema parser for Cisco Meraki.
This ASIM parser supports normalizing Cisco Meraki logs to the ASIM Audit Event normalized schema. Cisco Meraki events are generated from network activity and security events from Meraki devices such as firewalls, switches, and access points. These logs are captured through the Cisco Meraki Sentinel connector which uses a Linux agent to collect logs in Syslog format.
The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
For more information, see:
- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
- [ASIM AuditEvent normalization schema reference](https://aka.ms/ASimAuditEventDoc)
<br>
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FASimAuditEventCiscoMeraki%2FASimAuditEventCiscoMeraki.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FASimAuditEventCiscoMeraki%2FASimAuditEventCiscoMeraki.json)


@ -0,0 +1,46 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"Workspace": {
"type": "string",
"metadata": {
"description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
}
},
"WorkspaceRegion": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "The region of the selected workspace. The default value will use the Region selection above."
}
}
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces",
"apiVersion": "2017-03-15-preview",
"name": "[parameters('Workspace')]",
"location": "[parameters('WorkspaceRegion')]",
"resources": [
{
"type": "savedSearches",
"apiVersion": "2020-08-01",
"name": "ASimAuditEventVectraXDRAudit",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
],
"properties": {
"etag": "*",
"displayName": "Audit Event ASIM parser for Vectra XDR Audit Logs Event",
"category": "ASIM",
"FunctionAlias": "ASimAuditEventVectraXDRAudit",
"query": "let parser = (disabled:bool = false)\n{\n Audits_Data_CL\n | where not(disabled) and event_action_s !in (\"login\",\"logout\")\n | extend\n EventEndTime = event_timestamp_t,\n EventProduct = 'Vectra XDR',\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1.0\",\n EventStartTime = event_timestamp_t,\n EventType = \"Other\",\n EventVendor = 'Vectra',\n Type = \"Audit Log\",\n EventUid = tostring(toint(id_d)),\n ActorUserId = tostring(toint(user_id_d)),\n ActorUserIdType = \"UID\",\n ActorUsernameType = \"UPN\",\n EventResult = case(result_status_s==\"success\", \"Success\", result_status_s==\"failure\", \"Failure\",\"NA\")\n | project-rename\n Dvc = source_ip_s,\n Operation = event_action_s,\n ActorUsername = username_s,\n Object = event_object_s,\n ActorOriginalUserType = user_type_s,\n EventMessage = Message,\n EventProductVersion = version_s\n | extend User = ActorUsername\n | project-away\n id_d, user_id_d, user_role_s, result_status_s,event_timestamp_t, event_data_s, api_client_id_g, TenantId, _ResourceId, RawData, SourceSystem, Computer, MG, ManagementGroupName\n};\nparser (disabled=disabled)",
"version": 1,
"functionParameters": "disabled:bool=False"
}
}
]
}
]
}
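Review bot: `EventUid = tostring(toint(id_d))` and `ActorUserId = tostring(toint(user_id_d))` go through a 32-bit conversion, so any id above 2,147,483,647 becomes null and the event silently loses its uid and actor id; `tostring(tolong(id_d))` and `tostring(tolong(user_id_d))` avoid that. `event_action_s !in ("login","logout")` is case-sensitive, so an action emitted as `Login` would not be excluded — if the source casing is not guaranteed, `!in~` is the safer form (I cannot see sample data here). `ActorUserIdType = "UID"` and `ActorUsernameType = "UPN"` are asserted unconditionally; confirm that `username_s` really is a UPN for this product, otherwise `Simple` is the more accurate username type.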


@ -0,0 +1,18 @@
# Vectra ASIM AuditEvent Normalization Parser
ARM template for ASIM AuditEvent schema parser for Vectra.
This ASIM parser supports normalizing Vectra XDR Audit Logs Event in the Audits_Data_CL table to the ASIM Audit Event schema.
The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
For more information, see:
- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
- [ASIM AuditEvent normalization schema reference](https://aka.ms/ASimAuditEventDoc)
<br>
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FASimAuditEventVectraXDRAudit%2FASimAuditEventVectraXDRAudit.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FASimAuditEventVectraXDRAudit%2FASimAuditEventVectraXDRAudit.json)


@ -58,6 +58,66 @@
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimAuditEventBarracudaWAF",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuditEvent/ARM/ASimAuditEventBarracudaWAF/ASimAuditEventBarracudaWAF.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimAuditEventCiscoISE",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoISE/ASimAuditEventCiscoISE.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimAuditEventCiscoMeraki",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoMeraki/ASimAuditEventCiscoMeraki.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
@ -98,6 +158,26 @@
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimAuditEventVectraXDRAudit",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuditEvent/ARM/ASimAuditEventVectraXDRAudit/ASimAuditEventVectraXDRAudit.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
@ -138,6 +218,66 @@
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimAuditEventBarracudaWAF",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuditEvent/ARM/vimAuditEventBarracudaWAF/vimAuditEventBarracudaWAF.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimAuditEventCiscoISE",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuditEvent/ARM/vimAuditEventCiscoISE/vimAuditEventCiscoISE.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimAuditEventCiscoMeraki",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuditEvent/ARM/vimAuditEventCiscoMeraki/vimAuditEventCiscoMeraki.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
@ -197,6 +337,26 @@
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimAuditEventVectraXDRAudit",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuditEvent/ARM/vimAuditEventVectraXDRAudit/vimAuditEventVectraXDRAudit.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
}
],
"outputs": {}
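Review bot: Each of the eight new linked deployments resolves `templateLink.uri` against `.../Azure-Sentinel/master/...` while declaring `"contentVersion": "1.0.0.0"`, so a full deployment pulls whatever is on master at run time and the version field pins nothing; this mirrors the existing entries, so it is a note rather than a blocker, but referencing a tag or commit (e.g. `.../Azure-Sentinel/<tag-or-sha>/Parsers/...`) would make the deployment reproducible and let the contentVersion mean something. The enclosing `resources` array begins outside the first hunk; the new entries are structurally identical to the neighbouring ones, so the change itself looks correct.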


@ -35,7 +35,7 @@
"displayName": "Audit event ASIM filtering parser.",
"category": "ASIM",
"FunctionAlias": "imAuditEvent",
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimAuditEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet BuiltInDisabled=toscalar('ExcludevimAuditEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuditEventEmpty, \n ASimAuditEventMicrosoftExchangeAdmin365 (BuiltInDisabled or ('ExcludevimAuditEventMicrosoftExchangeAdmin365' in (DisabledParsers))),\n ASimAuditEventMicrosoftWindowsEvents (BuiltInDisabled or ('ExcludevimAuditEventMicrosoftWindowsEvents' in (DisabledParsers))),\n ASimAuditEventAzureActivity (BuiltInDisabled or ('ExcludevimAuditEventAzureActivity' in (DisabledParsers)))\n",
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimAuditEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet BuiltInDisabled=toscalar('ExcludevimAuditEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuditEventEmpty, \n ASimAuditEventMicrosoftExchangeAdmin365 (BuiltInDisabled or ('ExcludevimAuditEventMicrosoftExchangeAdmin365' in (DisabledParsers))),\n ASimAuditEventMicrosoftWindowsEvents (BuiltInDisabled or ('ExcludevimAuditEventMicrosoftWindowsEvents' in (DisabledParsers))),\n ASimAuditEventAzureActivity (BuiltInDisabled or ('ExcludevimAuditEventAzureActivity' in (DisabledParsers))),\n ASimAuditEventCiscoMeraki (BuiltInDisabled or ('ExcludevimAuditEventCiscoMeraki' in (DisabledParsers))),\n ASimAuditEventBarracudaWAF (BuiltInDisabled or ('ExcludevimAuditEventBarracudaWAF' in (DisabledParsers))),\n ASimAuditEventCiscoISE (BuiltInDisabled or ('ExcludeASimAuditEventCiscoISE' in (DisabledParsers))),\n ASimAuditEventVectraXDRAudit(BuiltInDisabled or ('ExcludeASimAuditEventVectraXDRAudit' in (DisabledParsers)))\n",
"version": 1,
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),pack:bool=False"
}
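Review bot: In the imAuditEvent union the new CiscoISE and VectraXDRAudit members test `'ExcludeASimAuditEventCiscoISE'` and `'ExcludeASimAuditEventVectraXDRAudit'`, whereas every other member of this filtering parser — including the CiscoMeraki and BarracudaWAF entries added on the same line — keys on `ExcludevimAuditEvent<Source>`; an operator who follows that convention and adds `ExcludevimAuditEventCiscoISE` to the ASimDisabledParsers watchlist will find the source still enabled here. Change the two keys to `'ExcludevimAuditEventCiscoISE'` and `'ExcludevimAuditEventVectraXDRAudit'`. The `ASimAuditEventVectraXDRAudit(` entry also lacks the space before `(` used by its siblings.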


@ -0,0 +1,18 @@
# Barracuda WAF ASIM AuditEvent Normalization Parser
ARM template for ASIM AuditEvent schema parser for Barracuda WAF.
This ASIM parser supports normalizing Barracuda WAF to the ASIM Audit Event schema.
The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
For more information, see:
- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
- [ASIM AuditEvent normalization schema reference](https://aka.ms/ASimAuditEventDoc)
<br>
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FvimAuditEventBarracudaWAF%2FvimAuditEventBarracudaWAF.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FvimAuditEventBarracudaWAF%2FvimAuditEventBarracudaWAF.json)


@ -0,0 +1,18 @@
# Cisco ISE ASIM AuditEvent Normalization Parser
ARM template for ASIM AuditEvent schema parser for Cisco ISE.
This ASIM parser supports normalizing administrative activity in the Cisco ISE events to the ASIM Audit Event schema.
The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
For more information, see:
- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
- [ASIM AuditEvent normalization schema reference](https://aka.ms/ASimAuditEventDoc)
<br>
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FvimAuditEventCiscoISE%2FvimAuditEventCiscoISE.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FvimAuditEventCiscoISE%2FvimAuditEventCiscoISE.json)


@ -0,0 +1,18 @@
# Cisco Meraki ASIM AuditEvent Normalization Parser
ARM template for ASIM AuditEvent schema parser for Cisco Meraki.
This ASIM parser supports normalizing Cisco Meraki logs to the ASIM Audit Event normalized schema. Cisco Meraki events are generated from network activity and security events from Meraki devices such as firewalls, switches, and access points. These logs are captured through the Cisco Meraki Sentinel connector which uses a Linux agent to collect logs in Syslog format.
The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
For more information, see:
- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
- [ASIM AuditEvent normalization schema reference](https://aka.ms/ASimAuditEventDoc)
<br>
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FvimAuditEventCiscoMeraki%2FvimAuditEventCiscoMeraki.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FvimAuditEventCiscoMeraki%2FvimAuditEventCiscoMeraki.json)
