Merge remote-tracking branch 'upstream2/master' into users/sivang/parsersKqlValidator

This commit is contained in:
sivanguetta 2022-04-10 10:55:19 +03:00
Родитель 73a0d1ffb4 9bae57d776
Коммит ec49b58bee
18 изменённых файлов: 1099 добавлений и 389 удалений



@ -139,17 +139,25 @@ function Get-GuardDutyAndRoleKmsPolicy
return $kmsPolicy.Replace("'",'"')
}
function Enable-GuardDuty
function Enable-GuardDuty-ForRegion
{
<#
.SYNOPSIS
Enables GuardDuty based on specified configuration
.PARAMETER Region
Specifies the region
#>
Write-Log -Message "Enabling GuardDuty" -LogFileName $LogFileName -LinePadding 1
param (
[Parameter()]
[ValidateNotNullOrEmpty()][string]
$Region
)
Write-Log -Message "Enabling GuardDuty for region $region" -LogFileName $LogFileName -LinePadding 1
Set-RetryAction({
Write-Log -Message "Executing: aws guardduty create-detector --enable --finding-publishing-frequency FIFTEEN_MINUTES 2>&1" -LogFileName $LogFileName -Severity Verbose
$newGuarduty = aws guardduty create-detector --enable --finding-publishing-frequency FIFTEEN_MINUTES 2>&1
$newGuarduty = aws --region $region guardduty create-detector --enable --finding-publishing-frequency FIFTEEN_MINUTES 2>&1
$isGuardutyEnabled = $lastexitcode -ne 0
if ($isGuardutyEnabled)
@ -157,10 +165,8 @@ function Enable-GuardDuty
Write-Output `n
Write-Log -Message 'A detector already exists for the current account.' -LogFileName $LogFileName
Write-Log -Message "Executing: aws guardduty list-detectors" -LogFileName $LogFileName -Severity Verbose
$detectors = (aws guardduty list-detectors | ConvertFrom-Json)."DetectorIds" -join ', '
Write-Log -Message "List of existing detectors: $detectors" -LogFileName $LogFileName
$script:detectorId = Read-ValidatedHost 'Please enter detector Id from the above list'
$script:detectorId = (aws --region $region guardduty list-detectors | ConvertFrom-Json)."DetectorIds" -join ', '
Write-Log -Message "Detector Id: $detectorId" -LogFileName $LogFileName
}
else
@ -169,7 +175,7 @@ function Enable-GuardDuty
}
Write-Log -Message "Executing: aws guardduty list-publishing-destinations --detector-id $detectorId 2>&1" -LogFileName $LogFileName -Severity Verbose
$script:currentDestinations = aws guardduty list-publishing-destinations --detector-id $detectorId 2>&1
$script:currentDestinations = aws --region $region guardduty list-publishing-destinations --detector-id $detectorId 2>&1
Write-Log $currentDestinations -LogFileName $LogFileName -Severity Verbose
})
}
@ -179,19 +185,27 @@ function Set-GuardDutyPublishDestinationBucket
<#
.SYNOPSIS
Configures GuardDuty to publish logs to destination bucket
.PARAMETER Region
Specifies the region
#>
param (
[Parameter()]
[ValidateNotNullOrEmpty()][string]
$Region
)
$currentDestinationsObject = $currentDestinations | ConvertFrom-Json
$currentS3Destinations = $currentDestinationsObject.Destinations | Where-Object DestinationType -eq S3
if ($null -eq $currentS3Destinations)
{
Write-Log -Message "Executing: aws guardduty create-publishing-destination --detector-id $detectorId --destination-type S3 --destination-properties DestinationArn=arn:aws:s3:::$bucketName,KmsKeyArn=$kmsArn | Out-Null" -LogFileName $LogFileName -Severity Verbose
aws guardduty create-publishing-destination --detector-id $detectorId --destination-type S3 --destination-properties DestinationArn=arn:aws:s3:::$bucketName,KmsKeyArn=$kmsArn | Out-Null
aws --region $Region guardduty create-publishing-destination --detector-id $detectorId --destination-type S3 --destination-properties DestinationArn=arn:aws:s3:::$bucketName,KmsKeyArn=$kmsArn | Out-Null
}
else
{
Write-Log "Executing: aws guardduty describe-publishing-destination --detector-id $detectorId --destination-id $currentS3Destinations.DestinationId | ConvertFrom-Json" -LogFileName $LogFileName -Severity Verbose
$destinationDescriptionObject = aws guardduty describe-publishing-destination --detector-id $detectorId --destination-id $currentS3Destinations.DestinationId | ConvertFrom-Json
$destinationDescriptionObject = aws --region $Region guardduty describe-publishing-destination --detector-id $detectorId --destination-id $currentS3Destinations.DestinationId | ConvertFrom-Json
$destinationArn = $destinationDescriptionObject.DestinationProperties.DestinationArn
Write-Log -Message "GuardDuty is already configured for bucket arn '$destinationArn'" -LogFileName $LogFileName -LinePadding 2
@ -199,7 +213,7 @@ function Set-GuardDutyPublishDestinationBucket
if ($guardDutyBucketConfirmation -eq 'y')
{
Write-Log -Message "Executing: aws guardduty update-publishing-destination --detector-id $detectorId --destination-id $currentS3Destinations.DestinationId --destination-properties DestinationArn=arn:aws:s3:::$bucketName,KmsKeyArn=$kmsArn | Out-Null" -LogFileName $LogFileName -Severity Verbose
aws guardduty update-publishing-destination --detector-id $detectorId --destination-id $currentS3Destinations.DestinationId --destination-properties DestinationArn=arn:aws:s3:::$bucketName,KmsKeyArn=$kmsArn | Out-Null
aws --region $Region guardduty update-publishing-destination --detector-id $detectorId --destination-id $currentS3Destinations.DestinationId --destination-properties DestinationArn=arn:aws:s3:::$bucketName,KmsKeyArn=$kmsArn | Out-Null
}
else
{
@ -208,6 +222,48 @@ function Set-GuardDutyPublishDestinationBucket
}
}
function Enable-GuardDuty
{
<#
.SYNOPSIS
Enables GuardDuty based on specified configuration
#>
[String[]]$allRegionsArray = (aws ec2 describe-regions | ConvertFrom-Json)."Regions".RegionName
$regionConfirmation = Read-ValidatedHost 'Do you want enable guardduty for all regions? [y/n]' -ValidationType Confirm
if ($regionConfirmation -eq 'y')
{
for($i = 0; $i -lt $allRegionsArray.length; $i++)
{
Enable-GuardDuty-ForRegion -Region $allRegionsArray[$i]
Set-GuardDutyPublishDestinationBucket -Region $allRegionsArray[$i]
}
}
else
{
[String[]]$selectedRegionsArray = Read-ValidatedHost -Prompt "Please enter list of regions seperated by space"
$selectedRegionsArray = $selectedRegionsArray.Split(' ') | Select-Object -Unique
for($i = 0; $i -lt $selectedRegionsArray.length; $i++)
{
if (-not($allRegionsArray -contains $selectedRegionsArray[$i]))
{
$notValidRegion = $selectedRegionsArray[$i]
$selectedRegionsArray = $selectedRegionsArray | ? {$_ -ne $notValidRegion}
Write-Log -Message "Region $notValidRegion doesn't exist" -LogFileName $LogFileName -LinePadding 2
}
}
for($i = 0; $i -lt $selectedRegionsArray.length; $i++)
{
Enable-GuardDuty-ForRegion -Region $selectedRegionsArray[$i]
Set-GuardDutyPublishDestinationBucket -Region $selectedRegionsArray[$i]
}
}
}
# *********** Main Flow ***********
# Validate AWS configuration
@ -255,7 +311,7 @@ Update-S3Policy -RequiredPolicy $s3RequiredPolicy -CustomMessage $customMessage
Enable-S3EventNotification -DefaultEventNotificationPrefix "AWSLogs/${callerAccount}/GuardDuty/"
Enable-GuardDuty
Set-GuardDutyPublishDestinationBucket
# Output information needed to configure Sentinel data connector
Write-RequiredConnectorDefinitionInfo -DestinationTable AWSGuardDuty
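Review bot: The validation loop in `Enable-GuardDuty` reassigns `$selectedRegionsArray` while it is being walked by index `$i`, so when an unknown region is removed the element that slides into its slot is never checked and can reach `Enable-GuardDuty-ForRegion` unvalidated; filter before iterating instead: `$selectedRegionsArray | Where-Object { $allRegionsArray -notcontains $_ } | ForEach-Object { Write-Log -Message "Region $_ doesn't exist" -LogFileName $LogFileName -LinePadding 2 }` followed by `$selectedRegionsArray = $selectedRegionsArray | Where-Object { $allRegionsArray -contains $_ }`. In `Enable-GuardDuty-ForRegion`, `$script:detectorId` is now the `-join ', '` of every id returned by `list-detectors`, which is only a usable `--detector-id` value when exactly one detector exists; selecting the first element, or logging and skipping the region when the count is not 1, would make that failure explicit rather than producing a malformed id. The main flow still calls `Set-GuardDutyPublishDestinationBucket` without `-Region` immediately after `Enable-GuardDuty`, although the latter now performs that step per region, so the trailing call looks like a leftover that targets whatever default region the CLI resolves; if it is intentional, a comment saying which region it is meant for would help.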


@ -26,7 +26,7 @@
{
"type": "savedSearches",
"apiVersion": "2020-08-01",
"name": "ASimDnsVectraAI",
"name": "vimDnsVectraAI",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
],
@ -34,10 +34,10 @@
"etag": "*",
"displayName": "DNS ASIM parser for Vectra AI Steams",
"category": "ASIM",
"FunctionAlias": "ASimDnsVectraAI",
"FunctionAlias": "vimDnsVectraAI",
"query": "let parser=\n(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr:string='*',\n domain_has_any:dynamic=dynamic([]),\n responsecodename:string='*', \n response_has_ipv4:string='*',\n response_has_any_prefix:dynamic=dynamic([]),\n eventtype:string='Query',\n disabled:bool=false\n) \n{\n let NetworkProtocolLookup = datatable(proto_d:real, NetworkProtocol:string)[\n 6, 'TCP',\n 17, 'UDP'];\n let DnsClassLookup = datatable(DnsQueryClass:int, DnsQueryClassName: string)[\n 0, 'Reserved',\n 1, 'IN',\n 2, 'Unassigned',\n 3, 'CH',\n 4, 'HS',\n 254, 'None',\n 255, 'Any'\n ];\n let HostnameRegex = @'^[a-zA-Z0-9-]{1,61}$';\n VectraStream_CL\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where metadata_type_s == 'metadata_dns'\n | where (srcipaddr == '*' or id_orig_h_s == srcipaddr)\n | where (array_length(domain_has_any) == 0 or query_s has_any(domain_has_any))\n | where (responsecodename == '*' or rcode_name_s =~ responsecodename)\n | where (response_has_ipv4 == '*' or has_ipv4(answers_s, response_has_ipv4))\n | where (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(answers_s, response_has_any_prefix))\n | where (eventtype == '*' or eventtype in~ ('Query', 'lookup'))\n | project-rename\n DvcDescription = hostname_s,\n DstDescription = resp_hostname_s,\n SrcDescription = orig_hostname_s,\n DnsFlagsAuthoritative = AA_b,\n DnsFlagsRecursionAvailable = RA_b,\n DnsFlagsRecursionDesired = RD_b,\n DnsFlagsTruncated = TC_b,\n DnsResponseName = answers_s,\n DnsQuery = query_s,\n DnsQueryTypeName = qtype_name_s,\n DstIpAddr = id_resp_h_s,\n DnsSessionId = community_id_s,\n SrcIpAddr = id_orig_h_s,\n DstDvcId = resp_huid_s,\n SrcDvcId = orig_huid_s,\n DvcId = sensor_uid_s,\n EventOriginalUid = uid_s\n | extend\n DstHostname = iff (DstDescription startswith \"IP-\" or not(DstDescription matches regex HostnameRegex), \"\", 
DstDescription),\n SrcHostname = iff (SrcDescription startswith \"IP-\" or not(SrcDescription matches regex HostnameRegex), \"\", SrcDescription),\n DvcHostname = iff (DvcDescription startswith \"IP-\" or not(DvcDescription matches regex HostnameRegex), \"\", DvcDescription),\n NetworkProtocolVersion = toupper(id_ip_ver_s),\n DnsResponseCode = toint(rcode_d),\n DnsResponseCodeName = toupper(rcode_name_s),\n DnsQueryClass = toint(qclass_d),\n DnsQueryType = toint(qtype_d),\n DstPortNumber = toint(id_resp_p_d),\n EventCount = toint(1),\n EventEndTime = unixtime_milliseconds_todatetime(ts_d),\n EventOriginalSubType = split(metadata_type_s, '_')[1],\n EventProduct = 'Vectra Stream',\n EventResult = case(tolong(rcode_d) > 0, \"Failure\", \"Success\"),\n EventSchema = 'Dns', \n EventSchemaVersion='0.1.3',\n EventType = 'Query',\n EventVendor = 'Vectra AI',\n SrcDvcIdType = 'VectraId',\n DstDvcIdType = 'VectraId',\n DvcIdType = 'VectraId',\n SrcPortNumber = toint(id_orig_p_d),\n TransactionIdHex = tostring(toint(trans_id_d)),\n EventSubType = iff (saw_reply_b, \"response\", \"request\")\n | lookup DnsClassLookup on DnsQueryClass\n | lookup NetworkProtocolLookup on proto_d\n | extend\n EventResultDetails = DnsResponseCodeName,\n EventStartTime = EventEndTime,\n SessionId = DnsSessionId,\n Domain = DnsQuery,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n Dvc = coalesce (DvcId, DvcDescription),\n Src = SrcIpAddr,\n Dst = DstIpAddr\n | project-away\n *_d, *_s, *_b, *_g\n };\nparser(starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)",
"version": 1,
"functionParameters": "disabled:bool=False"
"functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr:string='*', domain_has_any:dynamic=dynamic([]), responsecodename:string='*', response_has_ipv4:string='*', response_has_any_prefix:dynamic=dynamic([]), eventtype:string='Query', disabled:bool=False"
}
}
]


@ -14,9 +14,33 @@ References:
Link: https://aka.ms/AboutASIM
Description: |
This ASIM parser supports normalizing Vectra AI Steams logs to the ASIM DNS normalized schema.
ParserName: ASimDnsVectraAI
EquivalentBuiltInParser: _ASim_Dns_VectraAI
ParserName: vimDnsVectraAI
EquivalentBuiltInParser: _Im_Dns_VectraAI
ParserParams:
- Name: starttime
Type: datetime
Default: datetime(null)
- Name: endtime
Type: datetime
Default: datetime(null)
- Name: srcipaddr
Type: string
Default: '*'
- Name: domain_has_any
Type: dynamic
Default: dynamic([])
- Name: responsecodename
Type: string
Default: '*'
- Name: response_has_ipv4
Type: string
Default: '*'
- Name: response_has_any_prefix
Type: dynamic
Default: dynamic([])
- Name: eventtype
Type: string
Default: 'Query'
- Name: disabled
Type: bool
Default: false


@ -1,4 +1,88 @@
#!/bin/bash
function pause() {
if [ ! "$CONFIRMALL" ]; then
read -r -p "$*"
fi
}
function check_package() {
if ! which "$1" >/dev/null 2>&1; then
echo "Binary $1 not found"
echo "Please install $1 and run the upgrade script again"
exit 1
fi
}
#global
dockerimage=mcr.microsoft.com/azure-sentinel/solutions/sapcon
sdkfileloc=/sapcon-app/inst/
CONTAINERNAMES=()
while [[ $# -gt 0 ]]; do
case $1 in
--confirm-all-prompts)
CONFIRMALL=1
shift 1
;;
--no-testrun)
NOTESTRUN=1
shift 1
;;
--sdk)
SDKFILELOC="$2"
SDKFILELOC="${SDKFILELOC/#\~/$HOME}"
shift 2
;;
--containername)
CONTAINERNAMES+=("$2")
shift 2
;;
--devmode)
DEVMODE=1
shift 1
;;
--dev-acr)
DEVURL="$2"
shift 2
;;
--dev-acr-login)
DEVACRLOGIN="$2"
shift 2
;;
--dev-acr-pwd)
DEVACRPWD="$2"
shift 2
;;
--preview)
PREVIEW=1
shift 1
;;
--force)
FORCE=1
shift 1
;;
--script-debug)
set -x
shift 1
;;
-*)
echo "Unknown option $1"
echo "Valid options are"
echo "--confirm-all-prompts"
echo "--preview"
echo "--script-debug"
echo "--no-testrun"
echo "--sdk <filepath>"
echo "--containername <containername> [--containername <containername>]..."
exit 1
;;
*)
POSITIONAL_ARGS+=("$1") # save positional arg
shift # past argument
;;
esac
done
#Copyright (c) Microsoft Corporation. All rights reserved.
echo 'Microsoft Azure Sentinel SAP Continuous Threat Monitoring.
SAP ABAP Logs Connector - Preview
@ -7,88 +91,178 @@ Copyright (c) Microsoft Corporation.
You may use this preview software internally and only in accordance with the Azure preview terms, located at https://azure.microsoft.com/support/legal/preview-supplemental-terms/
Microsoft reserves all other rights
****'
function pause(){
read -p "$*"
}
****
#global
dockerimage=mcr.microsoft.com/azure-sentinel/solutions/sapcon
tagver=":latest-preview"
olddockerimage=sentinel4sapprivateprview.azurecr.io/sapcon
containername=sapcon
sysconf=systemconfig.ini
acr=sentinel4sapprivateprview.azurecr.io
sdkfileloc=/sapcon-app/inst/
echo '
-----Update All MS SAPcon instances----
This process will download the latest version of Sentinel SAP Connector, Updates current image and containers. A currently running version of the instance will be stopped and automatically start after the process.
In order to process you will need the following prerequisites:
'
# Parameter validation
if [ -n "$SDKFILELOC" ] && [ ! -f "$SDKFILELOC" ]; then
echo 'Invalid SDK path'
exit 1
fi
# Image selection
if [ $DEVMODE ]; then
dockerimage=$(echo "$DEVURL" | awk -F: '{print $1}')
acr=$(echo "$DEVURL" | awk -F/ '{print $1}')
sudo docker login "$acr" -u "$DEVACRLOGIN" -p "$DEVACRPWD"
tagver=$(echo "$DEVURL" | awk -F: '{print ":"$2}')
else
dockerimage=mcr.microsoft.com/azure-sentinel/solutions/sapcon
if [ $PREVIEW ]; then
tagver=":latest-preview"
else
tagver=":latest"
fi
fi
check_package docker
check_package jq
echo 'Starting Docker image Pull'
docker pull $dockerimage$tagver
if [ $? -eq 1 ];
then
if [ $? -eq 1 ]; then
echo 'There is an error with the docker image - please Check network connection'
exit 1
fi
pause '
Image has been downloaded - Press <Enter> key to continue with the Update'
repoimageid=$(docker inspect "$dockerimage$tagver" --format '{{.Id}}')
contlist=$(docker container ls -a | awk 'NR!=1 {print $1}')
while IFS= read -r contid; do
containerlabel=$(docker inspect "$contid" | jq '.[].Config.Labels."com.visualstudio.msazure.image.build.repository.name"')
if [ "$containerlabel" == '"ASI-Sentinel4SAP"' ]; then
contimg=$(docker inspect --format='{{.Image}}' "$contid")
contname=$(docker inspect --format '{{.Name}}' "$contid")
contname="${contname:1}"
if [[ -z ${CONTAINERNAMES[*]} ]] || [[ ${CONTAINERNAMES[*]} =~ $contname ]]; then
echo "Checking if upgrade is necessary for container $contname"
if [ ! "$contimg" = "$repoimageid" ] || [ $FORCE = 1 ]; then
echo "Updating $contname"
if [ -n "$contid" ]; then
sysfileloc=$(docker inspect -f '{{ .Mounts }}' $contname | awk 'NR==1 {print $2}')
if [ -z "$sysfileloc" ]; then
echo "Container $contname cannot be updated - The mount point is empty"
exit 1
fi
last=${sysfileloc: -1}
while IFS= read -r contid
do
contimg=$(docker inspect --format='{{.Config.Image}}' $contid)
contname=$(docker ps -a --filter id=$contid --format '{{.Names}}')
if [ "$last" != "/" ]; then
sysfileloc="$sysfileloc/"
fi
if [[ "$contimg" = *"$dockerimage"* ]] || [[ "$contimg" = *"$olddockerimage"* ]]
then
echo ' '
echo Updating $contname...
if [ ! -z $contid ]
then
sysfileloc=$(docker inspect -f '{{ .Mounts }}' $contname | awk 'NR==1 {print $2}')
if [ ! -z $sysfileloc ]
then
last=${sysfileloc: -1}
read -r -a containervariables <<<"$(docker inspect $contname -f '{{.Config.Env}}' | tr -d '[' | tr -d ']' | tr ' ' ' ')"
envstring=""
for variable in "${containervariables[@]}"; do
if [[ ! $variable == PATH=* ]] &&
[[ ! $variable == LANG=* ]] &&
[[ ! $variable == GPG_KEY=* ]] &&
[[ ! $variable == PYTHON_VERSION=* ]] &&
[[ ! $variable == PYTHON_PIP_VERSION=* ]] &&
[[ ! $variable == PYTHON_SETUPTOOLS_VERSION=* ]] &&
[[ ! $variable == PYTHON_GET_PIP_URL=* ]] &&
[[ ! $variable == PYTHON_GET_PIP_SHA256=* ]]; then
envstring+="-e $variable "
fi
done
if [ "$last" != "/" ];
then
sysfileloc="$sysfileloc/"
isRunning=$(docker inspect --format='{{.State.Running}}' "$contname")
if [ "$isRunning" == "true" ]; then
docker stop "$contname"
fi
mkdir -p /tmp/sapcon-update/ >/dev/null 2>&1
sudo rm -rf "/tmp/sapcon-update/$contname" >/dev/null 2>&1
mkdir "/tmp/sapcon-update/$contname" >/dev/null 2>&1
#renaming the container, creating a new test container
oldname="$contname-OLD"
docker container rename "$contname" "$oldname" >/dev/null
#Extract SDK from old container, or use a newly supplied one
if [ -n "$SDKFILELOC" ]; then
mkdir -p "/tmp/sapcon-update/$contname/inst"
cp "$SDKFILELOC" "/tmp/sapcon-update/$contname/inst/"
else
docker cp "$oldname":$sdkfileloc "/tmp/sapcon-update/$contname"
fi
sdkfilename=$(ls -1r /tmp/sapcon-update/$contname/inst/nwrfc*.zip | head -n 1)
if [ ! $NOTESTRUN ]; then
# If test run is required
docker create -v "$sysfileloc:/sapcon-app/sapcon/config/system" $envstring --name "$contname" $dockerimage$tagver --sapconinstanceupdate >/dev/null
docker cp "$sdkfilename" "$contname":$sdkfileloc
docker start "$contname" >/dev/null
let timeelapsed=0
dryruninprogress="true"
echo -n "Starting container test run..."
while [ "$dryruninprogress" == "true" ] && [ $timeelapsed -le 120 ]; do
dryruninprogress=$(docker inspect --format='{{.State.Running}}' "$contname")
if [ "$dryruninprogress" == "false" ]; then
containerexitcode=$(docker container inspect --format '{{.State.ExitCode}}' "$contname")
printf "\nContainer dry run exited. Exit code $containerexitcode"
if [ "$containerexitcode" == 0 ]; then
dryrunsuccess=1
docker rm "$contname" >/dev/null
docker create -v "$sysfileloc:/sapcon-app/sapcon/config/system" $envstring --name "$contname" $dockerimage$tagver >/dev/null
docker cp $sdkfilename "$contname":"$sdkfileloc"
elif [ "$containerexitcode" == 7 ]; then
printf "\nInsufficient authorizations in SAP"
dryrunsuccess=0
break
elif [ "$containerexitcode" == 8 ]; then
printf "\nContainer runtime error"
dryrunsuccess=0
break
else
printf "\nContainer exited with code $containerexitcode"
dryrunsuccess=0
break
fi
fi
sleep 1
let timeelapsed=timeelapsed+1
echo -n "."
done
if [ "$dryruninprogress" == "true" ]; then
# container did not exit after 60 seconds
printf "\nContainer is running after timeout period expired"
docker stop "$contname" >/dev/null
fi
if [ "$dryrunsuccess" == 1 ]; then
printf "\nTest run successful, removing old container"
docker rm "$oldname" >/dev/null
else
printf "\nTest run NOT successful, removing new container, renaming the old container to original name"
echo "----Container debug logs START----"
docker logs "$contname"
echo "----Container debug logs END----"
docker rm "$contname" >/dev/null
docker rename "$oldname" "$contname" >/dev/null
fi
else
docker create -v "$sysfileloc:/sapcon-app/sapcon/config/system" $envstring --name "$contname" $dockerimage$tagver >/dev/null
docker cp "$sdkfilename" "$contname":"$sdkfileloc"
docker rm "$oldname"
fi
sudo rm -rf /tmp/sapcon-update >/dev/null 2>&1
fi
contstate=$(docker inspect --format='{{.State.Running}}' $contname )
# pause 'press enter'
if [ $contstate == "false" ]
then
docker cp $contname:$sdkfileloc $(pwd)
docker container rm $contname >/dev/null
docker create -v $sysfileloc:/sapcon-app/sapcon/config/system --name $contname $dockerimage$tagver >/dev/null
docker cp "$(pwd)/inst/" $contname:/sapcon-app/ >/dev/null
echo 'Container "'"$contname"'" was updated - please start the app by running "docker start '"$contname"'"'
echo ''
else
docker cp $contname:$sdkfileloc $(pwd)
docker stop $contname >/dev/null
docker container rm $contname >/dev/null
docker create -v $sysfileloc:/sapcon-app/sapcon/config/system --name $contname $dockerimage$tagver >/dev/null
docker cp "$(pwd)/inst/" $contname:/sapcon-app/ >/dev/null
docker start $contname >/dev/null
echo 'Container "'"$contname"'" was updated'
echo ''
if [ "$isRunning" == "true" ]; then
echo "Starting container $contname"
docker start "$contname" >/dev/null
fi
else
echo 'Container "'"$contname"'" cannot be updated - The mount point is empty'
echo ' '
echo "Container image for container $contname is identical to the one in the repo"
fi
else
echo ''
echo "Skipping container $contname as it is not specified in --containername list"
fi
else
echo "Skipping container id $contid as it does not appear to be a sapcon container"
fi
done <<< "$contlist"
done \
<<<"$contlist"
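Review bot: `sudo docker login "$acr" -u "$DEVACRLOGIN" -p "$DEVACRPWD"` in the dev-mode branch puts the registry password on the command line, where it is visible in `ps` output and is echoed verbatim when `--script-debug` has enabled `set -x` in the option parsing above; feed it over stdin instead: `printf '%s' "$DEVACRPWD" | sudo docker login "$acr" -u "$DEVACRLOGIN" --password-stdin`. The `--dev-acr-pwd` option has the same argv exposure, so the usage text should say that `--script-debug` must not be combined with it, or the password should be read from an environment variable or file rather than an argument. Two smaller points in the same hunk: `[ $FORCE = 1 ]` becomes `[ = 1 ]` when `--force` is not given and prints a "unary operator expected" error for every up-to-date container, so quote it as `[ "$FORCE" = 1 ]`, and `if [ $? -eq 1 ]` after `docker pull` only catches exit status 1, so `if ! docker pull "$dockerimage$tagver"; then` is the safer form. The per-container work directory `/tmp/sapcon-update/$contname` is a predictable path that receives the SDK archive and is later removed with `sudo rm -rf`; `mktemp -d` with an EXIT trap would avoid both the predictable name and the directory being left behind on the early `exit 1` paths.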


Двоичные данные
Solutions/SecurityBridge/Package/1.0.0.zip


Двоичные данные
Solutions/SecurityBridge/Package/1.0.1.zip Normal file




@ -18,6 +18,6 @@
"Data Connectors/Connector_SecurityBridge.json"
],
"BasePath": "https://raw.githubusercontent.com/frozenstrawberries/Azure-Sentinel/master/Solutions/SecurityBridge/",
"Version": "1.0.0",
"Version": "1.0.1",
"Metadata": "SolutionMetadata.json"
}


@ -20,7 +20,7 @@
"type": 4,
"isRequired": true,
"value": {
"durationMs": 604800000
"durationMs": 5184000000
},
"typeSettings": {
"selectableValues": [
@ -87,7 +87,8 @@
"additionalResourceOptions": [],
"showDefault": false
},
"jsonData": "[{ \"value\": \"Yes\", \"label\": \"Yes\"},\r\n {\"value\": \"No\", \"label\": \"No\", \"selected\":true }]"
"jsonData": "[{ \"value\": \"Yes\", \"label\": \"Yes\"},\r\n {\"value\": \"No\", \"label\": \"No\", \"selected\":true }]",
"value": "Yes"
},
{
"id": "51cb8cb1-3d50-47f4-9485-2519a992c735",
@ -145,9 +146,6 @@
"query": "SecurityBridgeLogs\r\n| extend Severity = tostring(Severity)\r\n| summarize Count = count() by Severity\r\n| extend SeverityNumber = case(Severity == \"Low\", 3, Severity == \"Medium\", 7, Severity == \"High\", 9, Severity == \"Critical\", 10, 0)\r\n| sort by SeverityNumber",
"size": 4,
"title": "Events by Severity",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@ -253,7 +251,7 @@
"showDefault": false
},
"timeContext": {
"durationMs": 604800000
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"defaultValue": "value::all",
@ -277,7 +275,7 @@
"showDefault": false
},
"timeContext": {
"durationMs": 0
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"defaultValue": "value::all",
@ -302,8 +300,9 @@
"showDefault": false
},
"timeContext": {
"durationMs": 604800000
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"defaultValue": "value::all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
@ -325,8 +324,9 @@
"showDefault": false
},
"timeContext": {
"durationMs": 604800000
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"defaultValue": "value::all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
@ -348,8 +348,9 @@
"showDefault": false
},
"timeContext": {
"durationMs": 604800000
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"defaultValue": "value::all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
@ -371,8 +372,9 @@
"showDefault": false
},
"timeContext": {
"durationMs": 604800000
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"defaultValue": "value::all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
@ -391,9 +393,7 @@
"query": "SecurityBridgeLogs\r\n| where Severity in ({Severity})\r\n| where duser in ({User}) or \"*\" in ({User})\r\n| where SAPsid in ({SAPSID}) or \"*\" in ({SAPSID})\r\n| where shost in ({Terminal}) or \"*\" in ({Terminal})\r\n| where DeviceEventClassID in ({Listener}) or \"*\" in ({Listener})\r\n| where Name in ({Action}) or \"*\" in ({Action})\r\n| project TimeGenerated, Severity, DeviceEventClassID, Name, msg, [\"Link to Event\"]= strcat(({urlprefix}), externalid), shost, duser, SAPsid, SAPclient\r\n| sort by TimeGenerated",
"size": 0,
"title": "Event by Selected Filters",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
@ -467,9 +467,6 @@
"quote": "'",
"delimiter": ",",
"query": "SecurityBridgeLogs\r\n| distinct SAPsid",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
@ -477,7 +474,7 @@
"showDefault": false
},
"timeContext": {
"durationMs": 604800000
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"defaultValue": "value::all",
@ -511,9 +508,7 @@
"query": "SecurityBridgeLogs\r\n| where SAPsid in ({SAPSID}) or \"*\" in ({SAPSID})\r\n| summarize count() by Name",
"size": 0,
"title": "Events by Event Name",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart",
@ -551,9 +546,6 @@
"query": "SecurityBridgeLogs\r\n| where SAPsid in ({SAPSID}) or \"*\" in ({SAPSID})\r\n| summarize [\"Number of Events\"] = count() by bin(todatetime(rt), 1d)",
"size": 1,
"title": "Events Ingestion by Time",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@ -597,9 +589,6 @@
"query": "SecurityBridgeLogs\r\n| where SAPsid in ({SAPSID}) or \"*\" in ({SAPSID})\r\n| summarize count() by bin(todatetime(rt), 1h), Severity",
"size": 1,
"title": "Events by Time with respect to Severity",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@ -662,9 +651,6 @@
"query": "SecurityBridgeLogs\r\n| where SAPsid in ({SAPSID}) or \"*\" in ({SAPSID})\r\n| summarize count() by SAPsid",
"size": 1,
"title": "Events Ingestion by Time",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@ -688,9 +674,6 @@
"query": "SecurityBridgeLogs\r\n| where SAPsid in ({SAPSID}) or \"*\" in ({SAPSID})\r\n| summarize count() by Severity",
"size": 0,
"title": "Events by Severity",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@ -710,9 +693,6 @@
"query": "SecurityBridgeLogs\r\n| where SAPsid in ({SAPSID}) or \"*\" in ({SAPSID})\r\n| summarize count() by duser\r\n| sort by count_\r\n| take 5",
"size": 0,
"title": "Top 5 Users",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@ -732,9 +712,6 @@
"query": "SecurityBridgeLogs\r\n| where SAPsid in ({SAPSID}) or \"*\" in ({SAPSID})\r\n| summarize count() by dhost\r\n| sort by count_\r\n| take 5",
"size": 0,
"title": "Top 5 Workstations",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@ -754,9 +731,6 @@
"query": "SecurityBridgeLogs\r\n| where SAPsid in ({SAPSID}) or \"*\" in ({SAPSID})\r\n| summarize count() by duser\r\n| join (\r\nSecurityBridgeLogs\r\n| where SAPsid in ({SAPSID}) or \"*\" in ({SAPSID})\r\n| extend user = duser\r\n| make-series TrendList = count() on todatetime(rt) in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by duser ) on duser\r\n| project duser, [\"Total events\"] = count_, TrendLine = TrendList\r\n| top 10 by [\"Total events\"] desc",
"size": 0,
"title": "Event Stats by Users",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@ -787,9 +761,6 @@
"query": "SecurityBridgeLogs\r\n| where SAPsid in ({SAPSID}) or \"*\" in ({SAPSID})\r\n| summarize count() by dhost\r\n| join (\r\nSecurityBridgeLogs\r\n| where SAPsid in ({SAPSID}) or \"*\" in ({SAPSID})\r\n| extend user = dhost\r\n| make-series TrendList = count() on todatetime(rt) in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by dhost ) on dhost\r\n| project dhost, [\"Total events\"] = count_, TrendLine = TrendList\r\n| top 10 by [\"Total events\"] desc",
"size": 0,
"title": "Event Stats by Host",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",