Network Sesion ARM templates
This commit is contained in:
Yaron
GitHub
Родитель
475a129f75
Коммит
e96cfc53df
|
|
@ -0,0 +1,38 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"type": "string"
|
||||
},
|
||||
"location": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"type": "Microsoft.OperationalInsights/workspaces",
|
||||
"apiVersion": "2017-03-15-preview",
|
||||
"name": "[parameters('workspaceName')]",
|
||||
"location": "[parameters('location')]",
|
||||
"resources": [
|
||||
{
|
||||
"type": "savedSearches",
|
||||
"apiVersion": "2020-08-01",
|
||||
"name": "ASimNetworkNotables",
|
||||
"dependsOn": [
|
||||
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
|
||||
],
|
||||
"properties": {
|
||||
"etag": "*",
|
||||
"displayName": "Source Agnostic Network Notables parser",
|
||||
"category": "Security",
|
||||
"FunctionAlias": "ASimNetworkNotables",
|
||||
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimBuiltInDisabled=toscalar('ASimNetworkNotables' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkNotablesGeneric=(){\nunion isfuzzy=true\n vimNetworkSessionEmpty\n};\nNetworkNotablesGeneric",
|
||||
"version": 1
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
@ -0,0 +1,15 @@
|
|||
# Source agnostic ASIM Network Notables Normalization Parser
|
||||
|
||||
This template deploys the ASIM NetworkSession schema parser for Source agnostic. The parser is a part of the Advanced SIEM Information Model.
|
||||
|
||||
The Advanced SIEM Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
|
||||
|
||||
For more information, see:
|
||||
|
||||
- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
|
||||
- [Microsoft Sentinel NetworkSession normalization schema reference](https://aka.ms/AzSentinelNetworkSessionDoc)
|
||||
|
||||
<br>
|
||||
|
||||
|
||||
[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FASimNetworkNotables%2FASimNetworkNotables.json)
|
||||
|
|
@ -0,0 +1,38 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"type": "string"
|
||||
},
|
||||
"location": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"type": "Microsoft.OperationalInsights/workspaces",
|
||||
"apiVersion": "2017-03-15-preview",
|
||||
"name": "[parameters('workspaceName')]",
|
||||
"location": "[parameters('location')]",
|
||||
"resources": [
|
||||
{
|
||||
"type": "savedSearches",
|
||||
"apiVersion": "2020-08-01",
|
||||
"name": "ASimNetworkSession",
|
||||
"dependsOn": [
|
||||
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
|
||||
],
|
||||
"properties": {
|
||||
"etag": "*",
|
||||
"displayName": "Source Agnostic Network Session parser",
|
||||
"category": "Security",
|
||||
"FunctionAlias": "ASimNetworkSession",
|
||||
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimBuiltInDisabled=toscalar('ASimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkSessionsGeneric=(){\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , ASimNetworkSessionLinuxSysmon (ASimBuiltInDisabled or ('ASimNetworkSessionLinuxSysmon' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoft365Defender (ASimBuiltInDisabled or ('ASimNetworkSessionMicrosoft365Defender' in (DisabledParsers) ))\n , ASimNetworkSessionMD4IoT (ASimBuiltInDisabled or ('ASimNetworkSessionMD4IoT' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoftWindowsEventFirewall (ASimBuiltInDisabled or ('ASimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) ))\n};\nNetworkSessionsGeneric",
|
||||
"version": 1
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
@ -0,0 +1,15 @@
|
|||
# Source agnostic ASIM Network Session Normalization Parser
|
||||
|
||||
This template deploys the ASIM NetworkSession schema parser for Source agnostic. The parser is a part of the Advanced SIEM Information Model.
|
||||
|
||||
The Advanced SIEM Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
|
||||
|
||||
For more information, see:
|
||||
|
||||
- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
|
||||
- [Microsoft Sentinel NetworkSession normalization schema reference](https://aka.ms/AzSentinelNetworkSessionDoc)
|
||||
|
||||
<br>
|
||||
|
||||
|
||||
[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FASimNetworkSession%2FASimNetworkSession.json)
|
||||
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
|
@ -0,0 +1,15 @@
|
|||
# Microsoft Defender for Endpoint ASIM Network Session Normalization Parser
|
||||
|
||||
This template deploys the ASIM NetworkSessions schema parser for M365 Defender. The parser is a part of the Advanced SIEM Information Model.
|
||||
|
||||
The Advanced SIEM Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
|
||||
|
||||
For more information, see:
|
||||
|
||||
- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
|
||||
- [Microsoft Sentinel NetworkSessions normalization schema reference](https://aka.ms/AzSentinelNetworkSessionDoc)
|
||||
|
||||
<br>
|
||||
|
||||
|
||||
[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FASimNetworkSessionMicrosoft365Defender%2FASimNetworkSessionMicrosoft365Defender.json)
|
||||
|
|
@ -0,0 +1,39 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"type": "string"
|
||||
},
|
||||
"location": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"type": "Microsoft.OperationalInsights/workspaces",
|
||||
"apiVersion": "2017-03-15-preview",
|
||||
"name": "[parameters('workspaceName')]",
|
||||
"location": "[parameters('location')]",
|
||||
"resources": [
|
||||
{
|
||||
"type": "savedSearches",
|
||||
"apiVersion": "2020-08-01",
|
||||
"name": "ASimNetworkSessionLinuxSysmon",
|
||||
"dependsOn": [
|
||||
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
|
||||
],
|
||||
"properties": {
|
||||
"etag": "*",
|
||||
"displayName": "ASIM Sysmon for Linux Network Session Parser",
|
||||
"category": "Security",
|
||||
"FunctionAlias": "ASimNetworkSessionLinuxSysmon",
|
||||
"query": "let DirectionNetworkEvents =\n Syslog | where not(disabled)\n | where SyslogMessage has_all ('<Provider Name=\"Linux-Sysmon\"', '<EventID>3</EventID>')\n | project-away ProcessName, ProcessID\n | parse SyslogMessage with * '<Data Name=\"SourceIp\">' SrcIpAddr:string '</Data>' *\n | extend outbound = (SrcIpAddr == HostIP or SrcIpAddr in ('127.0.0.1', '0.0.0.0'))\n ;\n let parser = (T: (SyslogMessage: string)) {\n T \n | parse SyslogMessage with \n *\n '<EventRecordID>' EventOriginalUid:string '</EventRecordID>'\n *\n '<Computer>' SysmonComputer:string '</Computer>'\n *\n '<Data Name=\"RuleName\">' RuleName:string '</Data>'\n '<Data Name=\"UtcTime\">' EventEndTime:datetime '</Data>'\n '<Data Name=\"ProcessGuid\">{' ProcessGuid:string '}</Data>'\n '<Data Name=\"ProcessId\">' ProcessId:string '</Data>'\n '<Data Name=\"Image\">' Process:string '</Data>'\n '<Data Name=\"User\">' User:string '</Data>'\n '<Data Name=\"Protocol\">' Protocol:string '</Data>' // -- source is lowercase\n '<Data Name=\"Initiated\">' Initiated:bool '</Data>' \n '<Data Name=\"SourceIsIpv6\">' SourceIsIpv6:bool '</Data>'\t\t\n '<Data Name=\"SourceIp\">' * '</Data>'\n '<Data Name=\"SourceHostname\">' SrcHostname:string '</Data>'\n '<Data Name=\"SourcePort\">' SrcPortNumber:int '</Data>'\n '<Data Name=\"SourcePortName\">' SrcPortName:string '</Data>'\n '<Data Name=\"DestinationIsIpv6\">' DestinationIsIpv6:bool '</Data>'\n '<Data Name=\"DestinationIp\">' DstIpAddr:string '</Data>'\n '<Data Name=\"DestinationHostname\">' DstHostname:string '</Data>'\n '<Data Name=\"DestinationPort\">' DstPortNumber:int '</Data>'\n '<Data Name=\"DestinationPortName\">' DstPortName:string '</Data>'\n *\n };\n let OutboundNetworkEvents = \n DirectionNetworkEvents\n | where outbound\n | invoke parser ()\n | extend\n SrcUsernameType = 'Simple',\n SrcUsername = User,\n SrcProcessId = ProcessId, \n SrcProcessGuid = ProcessGuid,\n SrcProcessName = Process,\n SrcAppName = Process,\n SrcAppType = 'Process'\n | project-away SyslogMessage\n ;\n let InboundNetworkEvents = \n DirectionNetworkEvents\n | where not(outbound)\n | invoke parser ()\n | extend\n DstUsernameType = 'Simple',\n DstUsername = User,\n DstProcessId = ProcessId, \n DstProcessGuid = ProcessGuid,\n DstProcessName = Process,\n DstAppName = Process,\n DstAppType = 'Process' \n | project-away SyslogMessage\n ;\n let SysmonForLinuxNetwork=\n union OutboundNetworkEvents, InboundNetworkEvents\n | extend \n EventType = 'NetworkSession',\n EventStartTime = EventEndTime,\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.0',\n EventSchema = 'NetworkSession', \n EventProduct = 'Sysmon For Linux',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs = 'Linux',\n Protocol = toupper(Protocol),\n EventOriginalType = '3' // Set with a constant value to avoid parsing\n | project-rename \n DvcIpAddr = HostIP,\n DvcHostname = SysmonComputer\n | extend // aliases\n Dvc = DvcHostname,\n IpAddr = SrcIpAddr\n ;\n SysmonForLinuxNetwork",
|
||||
"version": 1,
|
||||
"functionParameters": "disabled:bool=False"
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
@ -0,0 +1,14 @@
|
|||
# Sysmon for Linux ASIM NetworkSessions Normalization Parser
|
||||
|
||||
This template deploys the ASIM NetworkSessions schema parser for Sysmon for Linux. The parser is a part of the Advanced SIEM Information Model.
|
||||
|
||||
The Advanced SIEM Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
|
||||
|
||||
For more information, see:
|
||||
|
||||
- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
|
||||
- [Microsoft Sentinel NetworkSessions normalization schema reference](https://aka.ms/AzSentinelNetworkSessionDoc)
|
||||
|
||||
<br>
|
||||
|
||||
[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FASimNetworkSessionMicrosoftLinuxSysmon%2FASimNetworkSessionMicrosoftLinuxSysmon.json)
|
||||
|
|
@ -0,0 +1,39 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"type": "string"
|
||||
},
|
||||
"location": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"type": "Microsoft.OperationalInsights/workspaces",
|
||||
"apiVersion": "2017-03-15-preview",
|
||||
"name": "[parameters('workspaceName')]",
|
||||
"location": "[parameters('location')]",
|
||||
"resources": [
|
||||
{
|
||||
"type": "savedSearches",
|
||||
"apiVersion": "2020-08-01",
|
||||
"name": "ASimNetworkSessionMD4IoT",
|
||||
"dependsOn": [
|
||||
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
|
||||
],
|
||||
"properties": {
|
||||
"etag": "*",
|
||||
"displayName": "ASIM Network Sessions Parser for Microsoft Defender for IoT - Endpoint",
|
||||
"category": "Security",
|
||||
"FunctionAlias": "ASimNetworkSessionMD4IoT",
|
||||
"query": "let DirectionNetworkEvents =\n SecurityIoTRawEvent | where not(disabled)\n | where RawEventName == \"NetworkActivity\"\n | parse EventDetails with * ',\"LocalPort\":' LocalPort:int ',\"RemotePort\":' RemotePort:int ',' *\n | extend outbound = LocalPort > RemotePort\n;\nlet parser = (T: (EventDetails: string)) {\n T \n | parse EventDetails with \n '{\"LocalAddress\":\"' LocalAddress:string '\",'\n '\"RemoteAddress\":\"' RemoteAddress:string '\",'\n *\n '\"BytesIn\":' BytesIn:int ','\n '\"BytesOut\":' BytesOut:int ','\n '\"Protocol\":\"' Protocol:string '\",'\n '\"ProcessId\":' ProcessId:string ','\n '\"UserId\":' UserId:string ','\n '\"ApplicationProtocol\":\"' ApplicationProtocol:string '\",'\n * // '\"AzureResourceId\":\"' AzureResourceId:string '\",'\n '\"DeviceId\":\"' DeviceId:string '\",'\n '\"MessageSource\":\"' MessageSource:string '\",'\n '\"OriginalEventId\":\"' OriginalEventId:string '\",'\n '\"TimestampUTC\":\"' TimestampUTC:datetime '\",'\n *\n}\n; \nlet OutboundNetworkEvents = \n DirectionNetworkEvents\n | where outbound\n | invoke parser ()\n | project-rename\n SrcBytes = BytesOut,\n DstBytes = BytesIn,\n SrcPortNumber = LocalPort,\n DstIpAddr = RemoteAddress,\n DstPortNumber = RemotePort,\n SrcProcessId = ProcessId\n | extend\n SrcIpAddr = LocalAddress,\n SrcDvcIdType = \"MD4IoTid\",\n SrcUserId = UserId,\n SrcUserIdType = \"Linux\",\n SrcDvcId = DeviceId,\n Process = SrcProcessId, // alias\n SrcDvcOs = iif (MessageSource == \"Linux\", \"Linux\", \"Windows\")\n;\nlet InboundNetworkEvents = \n DirectionNetworkEvents\n | where not(outbound)\n | invoke parser ()\n | project-rename\n DstBytes = BytesOut,\n SrcBytes = BytesIn,\n DstPortNumber = LocalPort,\n SrcIpAddr = RemoteAddress,\n SrcPortNumber = RemotePort,\n DstProcessId = ProcessId\n | extend\n DstIpAddr = LocalAddress,\n DstDvcIdType = \"MD4IoTid\",\n DstUserId = UserId,\n DstUserIdType = \"Linux\",\n DstDvcId = DeviceId,\n Process = DstProcessId, // alias\n DstDvcOs = iif (MessageSource == \"Linux\", \"Linux\", \"Windows\")\n;\nlet NetworkSessionMD4IoT = \n union InboundNetworkEvents, OutboundNetworkEvents\n | extend\n EventCount = int(1),\n EventProduct = 'Azure Defender for IoT', \n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.0',\n EventSchema = \"NetworkSession\", \n EventType = 'NetworkSession',\n EventStartTime = TimeGenerated, // Open question about timestamps\n EventEndTime = TimeGenerated, // Open question about timestamps\n EventResult = 'Success',\n EventSeverity = 'Informational'\n | project-rename\n EventProductVersion = AgentVersion, // Not available in Windows\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId, \n EventOriginalUid = OriginalEventId, // OK pending question\n DvcOs = MessageSource,\n NetworkProtocol = Protocol,\n NetworkApplicationProtocol = ApplicationProtocol,\n DvcId = DeviceId,\n DvcIpAddr = LocalAddress\n | extend\n Dvc = DvcId,\n DvcIdType = \"MD4IoTid\",\n User = UserId,\n IpAddr = SrcIpAddr\n;\nNetworkSessionMD4IoT\n",
|
||||
"version": 1,
|
||||
"functionParameters": "disabled:bool=False"
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
@ -0,0 +1,15 @@
|
|||
# Microsoft Defender for IoT - Endpoint ASIM NetworkSessions Normalization Parser
|
||||
|
||||
This template deploys the ASIM NetworkSessions schema parser for Microsoft Defender for IoT - Endpoint. The parser is a part of the Advanced SIEM Information Model.
|
||||
|
||||
The Advanced SIEM Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
|
||||
|
||||
For more information, see:
|
||||
|
||||
- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
|
||||
- [Microsoft Sentinel NetworkSessions normalization schema reference](https://aka.ms/AzSentinelNetworkSessionDoc)
|
||||
|
||||
<br>
|
||||
|
||||
|
||||
[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FASimNetworkSessionMicrosoftMD4IoT%2FASimNetworkSessionMicrosoftMD4IoT.json)
|
||||
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
|
@ -0,0 +1,15 @@
|
|||
# Windows Firewall Events ASIM NetworkSessions Normalization Parser
|
||||
|
||||
This template deploys the ASIM NetworkSessions schema parser for Windows Firewall Events. The parser is a part of the Advanced SIEM Information Model.
|
||||
|
||||
The Advanced SIEM Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
|
||||
|
||||
For more information, see:
|
||||
|
||||
- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
|
||||
- [Microsoft Sentinel NetworkSessions normalization schema reference](https://aka.ms/AzSentinelNetworkSessionDoc)
|
||||
|
||||
<br>
|
||||
|
||||
|
||||
[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FASimNetworkSessionMicrosoftWindowsEventFirewall%2FASimNetworkSessionMicrosoftWindowsEventFirewall.json)
|
||||
|
|
@ -0,0 +1,38 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"type": "string"
|
||||
},
|
||||
"location": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"type": "Microsoft.OperationalInsights/workspaces",
|
||||
"apiVersion": "2017-03-15-preview",
|
||||
"name": "[parameters('workspaceName')]",
|
||||
"location": "[parameters('location')]",
|
||||
"resources": [
|
||||
{
|
||||
"type": "savedSearches",
|
||||
"apiVersion": "2020-08-01",
|
||||
"name": "ASimWebSessions",
|
||||
"dependsOn": [
|
||||
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
|
||||
],
|
||||
"properties": {
|
||||
"etag": "*",
|
||||
"displayName": "Source Agnostic Web Sessions parser",
|
||||
"category": "Security",
|
||||
"FunctionAlias": "ASimWebSessions",
|
||||
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimBuiltInDisabled=toscalar('ASimWebSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet WebSessionsGeneric=(){\nunion isfuzzy=true\n vimNetworkSessionEmpty\n};\nWebSessionsGeneric",
|
||||
"version": 1
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
@ -0,0 +1,15 @@
|
|||
# Source agnostic ASIM Web Sessions Normalization Parser
|
||||
|
||||
This template deploys the ASIM NetworkSession schema parser for Source agnostic. The parser is a part of the Advanced SIEM Information Model.
|
||||
|
||||
The Advanced SIEM Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
|
||||
|
||||
For more information, see:
|
||||
|
||||
- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
|
||||
- [Microsoft Sentinel NetworkSession normalization schema reference](https://aka.ms/AzSentinelNetworkSessionDoc)
|
||||
|
||||
<br>
|
||||
|
||||
|
||||
[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FASimWebSession%2FASimWebSession.json)
|
||||
|
|
@ -11,6 +11,146 @@
|
|||
},
|
||||
"variables": {},
|
||||
"resources": [
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedASimNetworkNotables",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkNotables/ASimNetworkNotables.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedASimNetworkSession",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedASimNetworkSessionMicrosoft365Defender",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoft365Defender/ASimNetworkSessionMicrosoft365Defender.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedASimNetworkSessionMicrosoftLinuxSysmon",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftLinuxSysmon/ASimNetworkSessionMicrosoftLinuxSysmon.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedASimNetworkSessionMicrosoftMD4IoT",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftMD4IoT/ASimNetworkSessionMicrosoftMD4IoT.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedASimNetworkSessionMicrosoftWindowsEventFirewall",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftWindowsEventFirewall/ASimNetworkSessionMicrosoftWindowsEventFirewall.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedASimWebSession",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimWebSession/ASimWebSession.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
|
|
@ -74,7 +214,27 @@
|
|||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedNetworkSessionMicrosoft365Defender",
|
||||
"name": "linkedvimNetworkSessionEmpty",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionEmpty.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedvimNetworkSessionMicrosoft365Defender",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
|
|
@ -94,27 +254,7 @@
|
|||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedNetworkSessionMicrosoftMD4IoT",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftMD4IoT/vimNetworkSessionMicrosoftMD4IoT.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedNetworkSessionSysmonLinux",
|
||||
"name": "linkedvimNetworkSessionMicrosoftLinuxSysmon",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
|
|
@ -134,11 +274,11 @@
|
|||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "vimNetworkSessionMicrosoftWindowsEventFirewall",
|
||||
"name": "linkedvimNetworkSessionMicrosoftMD4IoT",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftWindowsEventFirewall/vimNetworkSessionMicrosoftWindowsEventFirewall.json",
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftMD4IoT/vimNetworkSessionMicrosoftMD4IoT.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
|
|
@ -154,11 +294,11 @@
|
|||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedvimNetworkSessionEmpty",
|
||||
"name": "linkedvimNetworkSessionMicrosoftWindowsEventFirewall",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionEmpty/vimNetworkSessionEmpty.json",
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftWindowsEventFirewall/vimNetworkSessionMicrosoftWindowsEventFirewall.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
|
|
|
|||
|
|
@ -29,7 +29,8 @@
|
|||
"category": "Security",
|
||||
"FunctionAlias": "imNetworkNotables",
|
||||
"query": "let NetworkNotablesGeneric=(){\nunion isfuzzy=true\n vimNetworkSessionEmpty\n};\nNetworkNotablesGeneric",
|
||||
"version": 1
|
||||
"version": 1,
|
||||
"functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_ipv4_prefix:dynamic=dynamic([]), dstipaddr_has_any_ipv4_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([])"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
|
|
|||
|
|
@ -28,8 +28,9 @@
|
|||
"displayName": "Source Agnostic Network Session parser",
|
||||
"category": "Security",
|
||||
"FunctionAlias": "imNetworkSession",
|
||||
"query": "let NetworkSessionsGeneric=(){\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , vimNetworkSessionLinuxSysmon\n , vimNetworkSessionMicrosoft365Defender\n , vimNetworkSessionMD4IoT\n , vimNetworkSessionMicrosoftWindowsEventFirewall\n};\nNetworkSessionsGeneric",
|
||||
"version": 1
|
||||
"query": "let NetworkSessionsGeneric=(){\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , vimNetworkSessionLinuxSysmon (starttime, endtime, srcipaddr_has_any_ipv4_prefix, dstipaddr_has_any_ipv4_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, disabled)\n , vimNetworkSessionMicrosoft365Defender (starttime, endtime, srcipaddr_has_any_ipv4_prefix, dstipaddr_has_any_ipv4_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, disabled)\n , vimNetworkSessionMD4IoT (starttime, endtime, srcipaddr_has_any_ipv4_prefix, dstipaddr_has_any_ipv4_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, disabled)\n , vimNetworkSessionMicrosoftWindowsEventFirewall (starttime, endtime, srcipaddr_has_any_ipv4_prefix, dstipaddr_has_any_ipv4_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, disabled)\n};\nNetworkSessionsGeneric",
|
||||
"version": 1,
|
||||
"functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_ipv4_prefix:dynamic=dynamic([]), dstipaddr_has_any_ipv4_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([])"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
|
|
|||
|
|
@ -29,7 +29,8 @@
|
|||
"category": "Security",
|
||||
"FunctionAlias": "imWebSessions",
|
||||
"query": "let WebSessionsGeneric=(){\nunion isfuzzy=true\n vimNetworkSessionEmpty\n};\nWebSessionsGeneric",
|
||||
"version": 1
|
||||
"version": 1,
|
||||
"functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_ipv4_prefix:dynamic=dynamic([]), dstipaddr_has_any_ipv4_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([])"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
|
|
|||
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
|
@ -12,4 +12,4 @@ For more information, see:
|
|||
<br>
|
||||
|
||||
|
||||
[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSessions%2FARM%2FvimNetworkSessionMicrosoft365Defender%2FvimNetworkSessionMicrosoft365Defender.json)
|
||||
[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FvimNetworkSessionMicrosoft365Defender%2FvimNetworkSessionMicrosoft365Defender.json)
|
||||
|
|
|
|||
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
|
@ -7,7 +7,7 @@ The Advanced SIEM Information Model (ASIM) enables you to use and create source-
|
|||
For more information, see:
|
||||
|
||||
- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
|
||||
- [Microsoft Sentinel NetworkSessions normalization schema reference](https://aka.ms/AzSentinelNetworkSessionsDoc)
|
||||
- [Microsoft Sentinel NetworkSessions normalization schema reference](https://aka.ms/AzSentinelNetworkSessionDoc)
|
||||
|
||||
<br>
|
||||
|
||||
|
|
|
|||
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
|
@ -7,9 +7,9 @@ The Advanced SIEM Information Model (ASIM) enables you to use and create source-
|
|||
For more information, see:
|
||||
|
||||
- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
|
||||
- [Microsoft Sentinel NetworkSessions normalization schema reference](https://aka.ms/AzSentinelNetworkSessionsDoc)
|
||||
- [Microsoft Sentinel NetworkSessions normalization schema reference](https://aka.ms/AzSentinelNetworkSessionDoc)
|
||||
|
||||
<br>
|
||||
|
||||
|
||||
[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSessions%2FARM%2FvimNetworkSessionMicrosoftMD4IoT%2FvimNetworkSessionMicrosoftMD4IoT.json)
|
||||
[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FvimNetworkSessionMicrosoftMD4IoT%2FvimNetworkSessionMicrosoftMD4IoT.json)
|
||||
|
|
|
|||
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
|
@ -7,7 +7,7 @@ The Advanced SIEM Information Model (ASIM) enables you to use and create source-
|
|||
For more information, see:
|
||||
|
||||
- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
|
||||
- [Microsoft Sentinel NetworkSessions normalization schema reference](https://aka.ms/AzSentinelNetworkSessionsDoc)
|
||||
- [Microsoft Sentinel NetworkSessions normalization schema reference](https://aka.ms/AzSentinelNetworkSessionDoc)
|
||||
|
||||
<br>
|
||||
|
||||
|
|
|
|||
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
|
@ -7,7 +7,7 @@ The Advanced SIEM Information Model (ASIM) enables you to use and create source-
|
|||
For more information, see:
|
||||
|
||||
- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
|
||||
- [Microsoft Sentinel NetworkSessions normalization schema reference](https://aka.ms/AzSentinelNetworkSessionsDoc)
|
||||
- [Microsoft Sentinel NetworkSessions normalization schema reference](https://aka.ms/AzSentinelNetworkSessionDoc)
|
||||
|
||||
<br>
|
||||
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@ The Advanced SIEM Information Model (ASIM) enables you to use and create source-
|
|||
For more information, see:
|
||||
|
||||
- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
|
||||
- [Microsoft Sentinel NetworkSessions normalization schema reference](https://aka.ms/AzSentinelNetworkSessionsDoc)
|
||||
- [Microsoft Sentinel NetworkSessions normalization schema reference](https://aka.ms/AzSentinelNetworkSessionDoc)
|
||||
|
||||
<br>
|
||||
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@ The Advanced SIEM Information Model (ASIM) enables you to use and create source-
|
|||
For more information, see:
|
||||
|
||||
- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
|
||||
- [Microsoft Sentinel NetworkSessions normalization schema reference](https://aka.ms/AzSentinelNetworkSessionsDoc)
|
||||
- [Microsoft Sentinel NetworkSessions normalization schema reference](https://aka.ms/AzSentinelNetworkSessionDoc)
|
||||
|
||||
<br>
|
||||
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@ The Advanced SIEM Information Model (ASIM) enables you to use and create source-
|
|||
For more information, see:
|
||||
|
||||
- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
|
||||
- [Microsoft Sentinel NetworkSessions normalization schema reference](https://aka.ms/AzSentinelNetworkSessionsDoc)
|
||||
- [Microsoft Sentinel NetworkSessions normalization schema reference](https://aka.ms/AzSentinelNetworkSessionDoc)
|
||||
|
||||
<br>
|
||||
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@ The Advanced SIEM Information Model (ASIM) enables you to use and create source-
|
|||
For more information, see:
|
||||
|
||||
- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
|
||||
- [Microsoft Sentinel NetworkSessions normalization schema reference](https://aka.ms/AzSentinelNetworkSessionsDoc)
|
||||
- [Microsoft Sentinel NetworkSessions normalization schema reference](https://aka.ms/AzSentinelNetworkSessionDoc)
|
||||
|
||||
<br>
|
||||
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@ Parser:
|
|||
Product:
|
||||
Name: M365 Defender
|
||||
Normalization:
|
||||
Schema: NetworkSessions
|
||||
Schema: NetworkSession
|
||||
Version: '0.2.0'
|
||||
References:
|
||||
- Title: ASIM Network Session Schema
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@ Parser:
|
|||
Product:
|
||||
Name: Sysmon for Linux
|
||||
Normalization:
|
||||
Schema: NetworkSessions
|
||||
Schema: NetworkSession
|
||||
Version: '0.2.0'
|
||||
References:
|
||||
- Title: ASIM Network Session Schema
|
||||
|
|
@ -82,7 +82,7 @@ ParserQuery: |
|
|||
DstAppName = Process,
|
||||
DstAppType = 'Process'
|
||||
| project-away SyslogMessage
|
||||
;
|
||||
;
|
||||
let SysmonForLinuxNetwork=
|
||||
union OutboundNetworkEvents, InboundNetworkEvents
|
||||
| extend
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@ Parser:
|
|||
Product:
|
||||
Name: Microsoft Defender for IoT - Endpoint
|
||||
Normalization:
|
||||
Schema: NetworkSessions
|
||||
Schema: NetworkSession
|
||||
Version: '0.2.0'
|
||||
References:
|
||||
- Title: ASIM Network Session Schema
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@ Parser:
|
|||
Product:
|
||||
Name: WindowsEventFirewall
|
||||
Normalization:
|
||||
Schema: NetworkSessions
|
||||
Schema: NetworkSession
|
||||
Version: '0.2.0'
|
||||
References:
|
||||
- Title: ASIM Network Session Schema
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@ Parser:
|
|||
Product:
|
||||
Name: M365 Defender
|
||||
Normalization:
|
||||
Schema: NetworkSessions
|
||||
Schema: NetworkSession
|
||||
Version: '0.2.0'
|
||||
References:
|
||||
- Title: ASIM Network Session Schema
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@ Parser:
|
|||
Product:
|
||||
Name: Sysmon for Linux
|
||||
Normalization:
|
||||
Schema: NetworkSessions
|
||||
Schema: NetworkSession
|
||||
Version: '0.2.0'
|
||||
References:
|
||||
- Title: ASIM Network Session Schema
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@ Parser:
|
|||
Product:
|
||||
Name: Microsoft Defender for IoT - Endpoint
|
||||
Normalization:
|
||||
Schema: NetworkSessions
|
||||
Schema: NetworkSession
|
||||
Version: '0.2.0'
|
||||
References:
|
||||
- Title: ASIM Network Session Schema
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@ Parser:
|
|||
Product:
|
||||
Name: WindowsEventFirewall
|
||||
Normalization:
|
||||
Schema: NetworkSessions
|
||||
Schema: NetworkSession
|
||||
Version: '0.2.0'
|
||||
References:
|
||||
- Title: ASIM Network Session Schema
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче