Merge branch 'master' into senserva-tj

This commit is contained in:
Thomas Dolan 2021-03-22 13:42:39 -05:00
Родитель 98b1e100d4 3430cd98f1
Коммит f22caa79c9
99 изменённых файлов: 13749 добавлений и 320 удалений


@ -0,0 +1,417 @@
{
"Name": "Cloudflare_CL",
"Properties": [
{
"Name": "BotScore_d",
"Type": "Double"
},
{
"Name": "BotScoreSrc_s",
"Type": "String"
},
{
"Name": "CacheCacheStatus_s",
"Type": "String"
},
{
"Name": "CacheResponseBytes_d",
"Type": "Double"
},
{
"Name": "CacheResponseStatus_d",
"Type": "Double"
},
{
"Name": "CacheTieredFill_b",
"Type": "Bool"
},
{
"Name": "ClientASN_d",
"Type": "Double"
},
{
"Name": "ClientCountry_s",
"Type": "String"
},
{
"Name": "ClientDeviceType_s",
"Type": "String"
},
{
"Name": "ClientIP_s",
"Type": "String"
},
{
"Name": "ClientIPClass_s",
"Type": "String"
},
{
"Name": "ClientRequestBytes_d",
"Type": "Double"
},
{
"Name": "ClientRequestHost_s",
"Type": "String"
},
{
"Name": "ClientRequestMethod_s",
"Type": "String"
},
{
"Name": "ClientRequestPath_s",
"Type": "String"
},
{
"Name": "ClientRequestProtocol_s",
"Type": "String"
},
{
"Name": "ClientRequestReferer_s",
"Type": "String"
},
{
"Name": "ClientRequestURI_s",
"Type": "String"
},
{
"Name": "ClientRequestUserAgent_s",
"Type": "String"
},
{
"Name": "ClientSSLCipher_s",
"Type": "String"
},
{
"Name": "ClientSSLProtocol_s",
"Type": "String"
},
{
"Name": "ClientSrcPort_d",
"Type": "Double"
},
{
"Name": "ClientXRequestedWith_s",
"Type": "String"
},
{
"Name": "EdgeColoCode_s",
"Type": "String"
},
{
"Name": "EdgeColoID_d",
"Type": "Double"
},
{
"Name": "EdgeEndTimestamp_t",
"Type": "DateTime"
},
{
"Name": "EdgePathingOp_s",
"Type": "String"
},
{
"Name": "EdgePathingSrc_s",
"Type": "String"
},
{
"Name": "EdgePathingStatus_s",
"Type": "String"
},
{
"Name": "EdgeRateLimitAction_s",
"Type": "String"
},
{
"Name": "EdgeRateLimitID_d",
"Type": "Double"
},
{
"Name": "EdgeRequestHost_s",
"Type": "String"
},
{
"Name": "EdgeResponseBytes_d",
"Type": "Double"
},
{
"Name": "EdgeResponseCompressionRatio_d",
"Type": "Double"
},
{
"Name": "EdgeResponseContentType_s",
"Type": "String"
},
{
"Name": "EdgeResponseStatus_d",
"Type": "Double"
},
{
"Name": "EdgeServerIP_s",
"Type": "String"
},
{
"Name": "EdgeStartTimestamp_t",
"Type": "DateTime"
},
{
"Name": "FirewallMatchesActions_s",
"Type": "String"
},
{
"Name": "FirewallMatchesRuleIDs_s",
"Type": "String"
},
{
"Name": "FirewallMatchesSources_s",
"Type": "String"
},
{
"Name": "OriginIP_s",
"Type": "String"
},
{
"Name": "OriginResponseBytes_d",
"Type": "Double"
},
{
"Name": "OriginResponseHTTPExpires_s",
"Type": "String"
},
{
"Name": "OriginResponseHTTPLastModified_s",
"Type": "String"
},
{
"Name": "OriginResponseStatus_d",
"Type": "Double"
},
{
"Name": "OriginResponseTime_d",
"Type": "Double"
},
{
"Name": "OriginSSLProtocol_s",
"Type": "String"
},
{
"Name": "ParentRayID_s",
"Type": "String"
},
{
"Name": "RayID_s",
"Type": "String"
},
{
"Name": "SecurityLevel_s",
"Type": "String"
},
{
"Name": "WAFAction_s",
"Type": "String"
},
{
"Name": "WAFFlags_s",
"Type": "String"
},
{
"Name": "WAFMatchedVar_s",
"Type": "String"
},
{
"Name": "WAFProfile_s",
"Type": "String"
},
{
"Name": "WAFRuleID_s",
"Type": "String"
},
{
"Name": "WAFRuleMessage_s",
"Type": "String"
},
{
"Name": "WorkerCPUTime_d",
"Type": "Double"
},
{
"Name": "WorkerStatus_s",
"Type": "String"
},
{
"Name": "WorkerSubrequest_b",
"Type": "Bool"
},
{
"Name": "WorkerSubrequestCount_d",
"Type": "Double"
},
{
"Name": "ZoneID_d",
"Type": "Double"
},
{
"Name": "Application_s",
"Type": "String"
},
{
"Name": "ClientBytes_d",
"Type": "Double"
},
{
"Name": "ClientMatchedIpFirewall_s",
"Type": "String"
},
{
"Name": "ClientPort_d",
"Type": "Double"
},
{
"Name": "ClientProto_s",
"Type": "String"
},
{
"Name": "ClientTcpRtt_d",
"Type": "Double"
},
{
"Name": "ClientTlsCipher_s",
"Type": "String"
},
{
"Name": "ClientTlsClientHelloServerName_s",
"Type": "String"
},
{
"Name": "ClientTlsProtocol_s",
"Type": "String"
},
{
"Name": "ClientTlsStatus_s",
"Type": "String"
},
{
"Name": "ColoCode_s",
"Type": "String"
},
{
"Name": "ConnectTimestamp_t",
"Type": "DateTime"
},
{
"Name": "DisconnectTimestamp_t",
"Type": "DateTime"
},
{
"Name": "Event_s",
"Type": "String"
},
{
"Name": "IpFirewall_b",
"Type": "Bool"
},
{
"Name": "OriginBytes_d",
"Type": "Double"
},
{
"Name": "OriginPort_d",
"Type": "Double"
},
{
"Name": "OriginProto_s",
"Type": "String"
},
{
"Name": "OriginTcpRtt_d",
"Type": "Double"
},
{
"Name": "OriginTlsCipher_s",
"Type": "String"
},
{
"Name": "OriginTlsFingerprint_s",
"Type": "String"
},
{
"Name": "OriginTlsMode_s",
"Type": "String"
},
{
"Name": "OriginTlsProtocol_s",
"Type": "String"
},
{
"Name": "OriginTlsStatus_s",
"Type": "String"
},
{
"Name": "ProxyProtocol_s",
"Type": "String"
},
{
"Name": "Status_d",
"Type": "Double"
},
{
"Name": "Timestamp_t",
"Type": "DateTime"
},
{
"Name": "Action_s",
"Type": "String"
},
{
"Name": "ClientASNDescription_s",
"Type": "String"
},
{
"Name": "ClientRefererHost_s",
"Type": "String"
},
{
"Name": "ClientRefererPath_s",
"Type": "String"
},
{
"Name": "ClientRefererQuery_s",
"Type": "String"
},
{
"Name": "ClientRefererScheme_s",
"Type": "String"
},
{
"Name": "ClientRequestQuery_s",
"Type": "String"
},
{
"Name": "ClientRequestScheme_s",
"Type": "String"
},
{
"Name": "Datetime_t",
"Type": "DateTime"
},
{
"Name": "Kind_s",
"Type": "String"
},
{
"Name": "MatchIndex_d",
"Type": "Double"
},
{
"Name": "OriginatorRayID_s",
"Type": "String"
},
{
"Name": "RuleID_s",
"Type": "String"
},
{
"Name": "Source_s",
"Type": "String"
}
]
}



@ -20,6 +20,10 @@
{
"Name": "Client_IP",
"Type": "String"
},
{
"Name": "ServerIP",
"Type": "String"
}
]
}
}


@ -16,6 +16,10 @@
{
"Name": "Computer",
"Type": "String"
},
{
"Name": "Source_IP",
"Type": "String"
}
]
}
}


@ -39,8 +39,6 @@ namespace Kqlvalidations.Tests
return;
}
var lines = Regex.Split(queryStr, @"\n\r?");
var validationRes = _queryValidator.ValidateSyntax(queryStr);
var firstErrorLocation = (Line: 0, Col: 0);
if (!validationRes.IsValid)
@ -49,6 +47,36 @@ namespace Kqlvalidations.Tests
}
Assert.True(validationRes.IsValid, validationRes.IsValid ? string.Empty : $"Template Id:{id} is not valid in Line:{firstErrorLocation.Line} col:{firstErrorLocation.Col} Errors:{validationRes.Diagnostics.Select(d => d.ToString()).ToList().Aggregate((s1, s2) => s1 + "," + s2)}");
}
[Theory]
[ClassData(typeof(DetectionsYamlFilesTestData))]
public void Validate_DetectionQueries_SkippedTemplatesDoNotHaveValidKql(string detectionsYamlFileName)
{
var detectionsYamlFile = Directory.GetFiles(DetectionPath, detectionsYamlFileName, SearchOption.AllDirectories).Single();
var yaml = File.ReadAllText(detectionsYamlFile);
var deserializer = new DeserializerBuilder().Build();
var res = deserializer.Deserialize<dynamic>(yaml);
string queryStr = res["query"];
string id = res["id"];
//Templates that are in the skipped templates should not pass the validateion (if they pass, why skip?)
if (TemplatesToSkipValidationReader.WhiteListTemplateIds.Contains(id))
{
var validationRes = _queryValidator.ValidateSyntax(queryStr);
var firstErrorLocation = (Line: 0, Col: 0);
if (!validationRes.IsValid)
{
firstErrorLocation = GetLocationInQuery(queryStr, validationRes.Diagnostics.First(d => d.Severity == "Error").Start);
}
Assert.False(validationRes.IsValid, $"Template Id:{id} is valid but it is in the skipped validation templates. Please remove it from the templates that are skipped since it is valid.");
}
else
{
return;
}
}
private (int Line, int Col) GetLocationInQuery(string queryStr, int pos)
{
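Review bot: In the new `Validate_DetectionQueries_SkippedTemplatesDoNotHaveValidKql` test the `firstErrorLocation` tuple and the `GetLocationInQuery(...)` call inside `if (!validationRes.IsValid)` are dead code — the `Assert.False` message never references them, and when that assertion fails the query was valid, so there is no error location to report; drop those five lines and keep only `var validationRes = _queryValidator.ValidateSyntax(queryStr);` followed by the `Assert.False(...)`. The trailing `else { return; }` is likewise redundant and can be removed. As a minor robustness point, `Directory.GetFiles(..., SearchOption.AllDirectories).Single()` will fail with a generic message if a YAML file name appears in more than one detections subfolder; `Assert.Single` or a message naming the file would make that failure diagnosable. `GetLocationInQuery` starts on the last line of the hunk and its body is outside it.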


@ -1,20 +1,11 @@
[
"34663177-8abf-4db1-b0a4-5683ab273f44",
"24f8c234-d1ff-40ec-8b73-96b17a3a9c1c",
"7249500f-3038-4b83-8549-9cd8dfa2d498",
"06a9b845-6a95-4432-a78b-83919b28c375",
"04384937-e927-4595-8f3c-89ff58ed231f",
"0914adab-90b5-47a3-a79f-7cdcac843aa7",
"155f40c6-610d-497d-85fc-3cf06ec13256",
"f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e",
"d6491be0-ab2d-439d-95d6-ad8ea39277c5",
"57e56fc9-417a-4f41-a579-5475aea7b8ce",
"a9956d3a-07a9-44a6-a279-081a85020cae",
"aac495a9-feb1-446d-b08e-a1164a539452",
"f2dd4a3a-ebac-4994-9499-1a859938c947",
"97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06",
"f041e01d-840d-43da-95c8-4188f6cef546",
"a4025a76-6490-4e6b-bb69-d02be4b03f07",
"e70fa6e0-796a-4e85-9420-98b17b0bb749",
"6d7214d9-4a28-44df-aafb-0910b9e6ae3e"
]
"e70fa6e0-796a-4e85-9420-98b17b0bb749"
]


@ -77,6 +77,23 @@ namespace Kqlvalidations.Tests
var numberOfNotYamlFiles = 1; //This is the readme.md file in the directory
Assert.True(AllFiles.Count == yamlFiles.Count + numberOfNotYamlFiles, "All the files in detections folder are supposed to end with .yaml");
}
[Fact]
public void Validate_DetectionTemplates_NoSameTemplateIdTwice()
{
string detectionPath = DetectionsYamlFilesTestData.GetDetectionPath();
var yamlFiles = Directory.GetFiles(detectionPath, "*.yaml", SearchOption.AllDirectories);
var templatesAsStrings = yamlFiles.Select(yaml => GetYamlFileAsString(Path.GetFileName(yaml)));
var templatesAsObjects = templatesAsStrings.Select(yaml => JObject.Parse(ConvertYamlToJson(yaml)));
var duplicationsById = templatesAsObjects.GroupBy(a => a["id"]).Where(group => group.Count() > 1); //Finds duplications -> ids that there are more than 1 template from
var duplicatedId = "";
if (duplicationsById.Count() > 0){
duplicatedId = duplicationsById.Last().Select(x => x["id"]).First().ToString();
}
Assert.True(duplicationsById.Count() == 0, $"There should not be 2 templates with the same ID, but the id {duplicatedId} is duplicated.");
}
private string GetYamlFileAsString(string detectionsYamlFileName)
{
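Review bot: `duplicationsById` in `Validate_DetectionTemplates_NoSameTemplateIdTwice` is a deferred LINQ query that is enumerated three times (`Count()` twice and `Last()`), re-running the `GroupBy` each time, and the failure message reports only one arbitrary duplicated id even when several exist. Grouping on the raw `JToken` also relies on `JValue` equality semantics rather than on the id string itself; grouping on `a["id"]?.ToString()` makes the intent explicit. Materialize the duplicates once and list them all in the assertion, as below. `GetYamlFileAsString` starts on the last line of the hunk and its body is outside it.
```csharp
// … unchanged: detectionPath, yamlFiles, templatesAsStrings, templatesAsObjects …
var duplicatedIds = templatesAsObjects
    .GroupBy(a => a["id"]?.ToString())
    .Where(group => group.Count() > 1)
    .Select(group => group.Key)
    .ToList();
Assert.True(duplicatedIds.Count == 0, $"There should not be 2 templates with the same ID, but the following ids are duplicated: {string.Join(", ", duplicatedIds)}.");
```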


@ -3,7 +3,7 @@
# the last matching pattern has the most precendence.
# Core team members
* @liemilyg @mgladi @orco365 @shalinoid @KobyKoren @shainw @ianhelle @timbMSFT @juliango2100 @dicolanl @Amitbergman @sagamzu @YaronFruchtmann @preetikr @Yaniv-Shasha @sarah-yo @nazang @ehudk-msft @oshvartz @Liatlishams @NoamLandress @laithhisham @petebryan
* @liemilyg @mgladi @orco365 @shalinoid @KobyKoren @shainw @ianhelle @timbMSFT @juliango2100 @dicolanl @Amitbergman @sagamzu @YaronFruchtmann @preetikr @Yaniv-Shasha @sarah-yo @nazang @ehudk-msft @oshvartz @Liatlishams @NoamLandress @laithhisham @petebryan @lior-tamir
# This is copied from here: https://help.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners


@ -1,5 +1,5 @@
{
"id": "DarktraceDarktrace",
"id": "Darktrace",
"title": "AI Analyst Darktrace",
"publisher": "Darktrace",
"descriptionMarkdown": "The Darktrace connector lets users connect Darktrace Model Breaches in real-time with Azure Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Azure Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats.",
@ -111,4 +111,4 @@
"description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)"
}
]
}
}



@ -9,6 +9,7 @@ import hashlib
import os
import tempfile
import logging
import re
from .state_manager import StateManager
customer_id = os.environ['WorkspaceID']
@ -17,9 +18,18 @@ jira_token = os.environ['JiraAccessToken']
jira_username = os.environ['JiraUsername']
jira_homesite_name = os.environ['JiraHomeSiteName']
connection_string = os.environ['AzureWebJobsStorage']
logAnalyticsUri = os.environ.get('logAnalyticsUri')
log_type = 'Jira_Audit'
jira_uri_audit = "https://" + jira_homesite_name + ".atlassian.net/rest/api/3/auditing/record"
if ((logAnalyticsUri in (None, '') or str(logAnalyticsUri).isspace())):
logAnalyticsUri = 'https://' + customer_id + '.ods.opinsights.azure.com'
pattern = r"https:\/\/([\w\-]+)\.ods\.opinsights\.azure.([a-zA-Z\.]+)$"
match = re.match(pattern,str(logAnalyticsUri))
if(not match):
raise Exception("Invalid Log Analytics Uri.")
def generate_date():
current_time = datetime.datetime.utcnow().replace(second=0, microsecond=0) - datetime.timedelta(minutes=10)
state = StateManager(connection_string=connection_string)
@ -95,7 +105,7 @@ def post_data(body):
rfc1123date = datetime.datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT')
content_length = len(body)
signature = build_signature(customer_id, shared_key, rfc1123date, content_length, method, content_type, resource)
uri = 'https://' + customer_id + '.ods.opinsights.azure.com' + resource + '?api-version=2016-04-01'
uri = logAnalyticsUri + resource + '?api-version=2016-04-01'
headers = {
'content-type': content_type,
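Review bot: The allow-list regex for `logAnalyticsUri` has an unescaped dot before the TLD group — `\.azure.([a-zA-Z\.]+)$` — so any character is accepted there and a host such as `https://x.ods.opinsights.azureXcom` passes validation; it should read `pattern = r"https:\/\/([\w\-]+)\.ods\.opinsights\.azure\.([a-zA-Z\.]+)$"`. This matters because `post_data` builds `uri = logAnalyticsUri + resource + ...` and sends the `SharedKey` signature derived from `WorkspaceKey` to whatever host passes the check, so the validation is the only thing confining where that credential goes. Raising `ValueError("Invalid Log Analytics Uri.")` instead of a bare `Exception` would also let callers distinguish a configuration error from a runtime failure. The `post_data` function continues outside the hunk.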


@ -111,11 +111,11 @@
},
{
"title": "",
"description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://github.com/averbn/azure_sentinel_data_connectors/blob/main/jira-audit-azure-sentinel-data-connector/JiraAuditAPISentinelConn.zip?raw=true) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. JiraAuditXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Azure Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration."
"description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-jiraauditapi-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. JiraAuditXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Azure Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration."
},
{
"title": "",
"description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select ** New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tJiraUsername\n\t\tJiraAccessToken\n\t\tJiraHomeSiteName\n\t\tWorkspaceID\n\t\tWorkspaceKey\n3. Once all application settings have been entered, click **Save**."
"description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select ** New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tJiraUsername\n\t\tJiraAccessToken\n\t\tJiraHomeSiteName\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://<CustomerId>.ods.opinsights.azure.us`.\n3. Once all application settings have been entered, click **Save**."
}
]
}


@ -4,6 +4,8 @@
"parameters": {
"FunctionName": {
"defaultValue": "JiraAudit",
"minLength": 1,
"maxLength": 11,
"type": "string"
},
"WorkspaceID": {
@ -28,7 +30,9 @@
}
},
"variables": {
"FunctionName": "[concat(toLower(parameters('FunctionName')), uniqueString(resourceGroup().id))]"
"FunctionName": "[concat(toLower(parameters('FunctionName')), uniqueString(resourceGroup().id))]",
"StorageSuffix": "[environment().suffixes.storage]",
"LogAnaltyicsUri": "[replace(environment().portal, 'https://portal', concat('https://', toLower(parameters('WorkspaceID')), '.ods.opinsights'))]"
},
"resources": [
{
@ -148,30 +152,18 @@
"FUNCTIONS_WORKER_RUNTIME": "python",
"APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', variables('FunctionName')), '2015-05-01').InstrumentationKey]",
"APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', variables('FunctionName')), '2015-05-01').ConnectionString]",
"AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('FunctionName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=core.windows.net')]",
"AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('FunctionName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]",
"WorkspaceID": "[parameters('WorkspaceID')]",
"WorkspaceKey": "[parameters('WorkspaceKey')]",
"JiraAccessToken": "[parameters('JiraAccessToken')]",
"JiraUsername": "[parameters('JiraUsername')]",
"JiraHomeSiteName": "[parameters('JiraHomeSiteName')]",
"WEBSITE_RUN_FROM_PACKAGE": "https://github.com/averbn/azure_sentinel_data_connectors/blob/main/jira-audit-azure-sentinel-data-connector/JiraAuditAPISentinelConn.zip?raw=true"
"logAnalyticsUri": "[variables('LogAnaltyicsUri')]",
"WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-jiraauditapi-functionapp"
}
}
]
},
{
"type": "Microsoft.Web/sites/hostNameBindings",
"apiVersion": "2018-11-01",
"name": "[concat(variables('FunctionName'), '/', variables('FunctionName'), '.azurewebsites.net')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', variables('FunctionName'))]"
],
"properties": {
"siteName": "[variables('FunctionName')]",
"hostNameType": "Verified"
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
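Review bot: `WEBSITE_RUN_FROM_PACKAGE` now points at `https://aka.ms/sentinel-jiraauditapi-functionapp`, an unversioned redirect, and the same app settings block hands the function `WorkspaceKey` and `JiraAccessToken`; whoever can change the redirect target or the package behind it can replace the code that holds those secrets, and nothing in the template pins a version or checksum. Consider pinning to a versioned, immutable artifact (for example a release-tagged package URL, or a package uploaded to the deployment's own storage account) and documenting that the URL must not be changed without reviewing the package contents. Separately, the new variable is spelled `LogAnaltyicsUri` in both its definition and its use; it works, but `LogAnalyticsUri` would avoid confusion with the `logAnalyticsUri` app setting it feeds. The `containers` resource at the end of the hunk continues outside it.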


@ -0,0 +1,11 @@
{
"scriptFile": "main.py",
"bindings": [
{
"name": "mytimer",
"type": "timerTrigger",
"direction": "in",
"schedule": "0 */2 * * * *"
}
]
}


@ -0,0 +1,263 @@
import os
import asyncio
from azure.storage.blob.aio import ContainerClient
import json
import logging
from dateutil.parser import parse as parse_date
import datetime
import azure.functions as func
import re
from .sentinel_connector_async import AzureSentinelMultiConnectorAsync
from .state_manager import StateManagerAsync
# interval of script execution
SCRIPT_EXECUTION_INTERVAL_MINUTES = 2
# if ts of last processed file is older than now - MAX_PERIOD_MINUTES -> script will get events from now - SCRIPT_EXECUTION_INTERVAL_MINUTES
MAX_PERIOD_MINUTES = 1440
MAX_SCRIPT_EXEC_TIME_MINUTES = 35
AZURE_STORAGE_CONNECTION_STRING = os.environ['AZURE_STORAGE_CONNECTION_STRING']
CONTAINER_NAME = os.environ['CONTAINER_NAME']
WORKSPACE_ID = os.environ['WORKSPACE_ID']
SHARED_KEY = os.environ['SHARED_KEY']
LOG_TYPE = 'Cloudflare'
LOG_ANALYTICS_URI = os.environ.get('logAnalyticsUri')
if not LOG_ANALYTICS_URI or str(LOG_ANALYTICS_URI).isspace():
LOG_ANALYTICS_URI = 'https://' + WORKSPACE_ID + '.ods.opinsights.azure.com'
pattern = r'https:\/\/([\w\-]+)\.ods\.opinsights\.azure.([a-zA-Z\.]+)$'
match = re.match(pattern, str(LOG_ANALYTICS_URI))
if not match:
raise Exception("Invalid Log Analytics Uri.")
async def main(mytimer: func.TimerRequest):
checkpoint_manager = CheckpointManager(conn_string=os.environ['AzureWebJobsStorage'])
script_is_active = await checkpoint_manager.script_is_active()
last_date = await checkpoint_manager.get_last_date()
exclude_files = await checkpoint_manager.get_exclude_files()
include_files = await checkpoint_manager.get_include_files()
now = datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc)
if last_date and (now - last_date).seconds > MAX_SCRIPT_EXEC_TIME_MINUTES * 60:
script_is_active = False
if script_is_active:
print('Script is running now. Exit.')
logging.info('Script is running now. Exit.')
return
if not last_date or (now - last_date).seconds > MAX_PERIOD_MINUTES * 60:
last_date = now - datetime.timedelta(minutes=SCRIPT_EXECUTION_INTERVAL_MINUTES)
print('Getting files updated after {}'.format(last_date))
logging.info('Getting files updated after {}'.format(last_date))
await checkpoint_manager.mark_script_as_active()
conn = AzureBlobStorageConnector(AZURE_STORAGE_CONNECTION_STRING, CONTAINER_NAME)
await conn.get_blobs(updated_after=last_date, exclude_files=exclude_files, include_files=include_files)
await conn.process_blobs()
message = 'Program finished. {} events have been sent. {} events have not been sent'.format(
conn.sentinel.successfull_sent_events_number,
conn.sentinel.failed_sent_events_number
)
print(message)
logging.info(message)
if conn.sentinel.failed_sent_events_number:
raise Exception('Program finished with errors. {} events have not been sent'.format(conn.sentinel.failed_sent_events_number))
if conn.has_errors():
raise Exception('Program finished with errors')
await conn.delete_old_blobs()
await checkpoint_manager.mark_script_as_inactive()
class AzureBlobStorageConnector:
def __init__(self, conn_string, container_name, queue_max_size=10):
self.__conn_string = conn_string
self.__container_name = container_name
self.semaphore = asyncio.Semaphore(queue_max_size)
self.blobs = []
self.log_type = LOG_TYPE
self.sentinel = AzureSentinelMultiConnectorAsync(LOG_ANALYTICS_URI, WORKSPACE_ID, SHARED_KEY, queue_size=10000)
self._processed_blobs = []
self._processed_blob_names = set()
self._blobs_to_delete = []
self.checkpoint_manager = CheckpointManager(conn_string=os.environ['AzureWebJobsStorage'])
self.checkpoint_lock = asyncio.Lock()
self.last_saved_date = None
self.last_saved_exclude_files = None
self.last_saved_include_files = set()
def _create_container_client(self):
return ContainerClient.from_connection_string(self.__conn_string, self.__container_name, logging_enable=False)
async def get_blobs(self, updated_after: datetime.datetime, exclude_files: list, include_files: set):
print('Start getting blobs')
logging.info('Start getting blobs')
container_client = self._create_container_client()
async with container_client:
async for blob in container_client.list_blobs():
if 'ownership-challenge' in blob['name']:
continue
if blob['name'] in include_files:
self.blobs.append(blob)
continue
if updated_after and blob['last_modified'] < updated_after:
self._blobs_to_delete.append(blob)
continue
if blob['name'] in exclude_files:
self._blobs_to_delete.append(blob)
continue
self.blobs.append(blob)
print('Finish getting blobs. Count {}'.format(len(self.blobs)))
logging.info('Finish getting blobs. Count {}'.format(len(self.blobs)))
async def process_blobs(self):
if self.blobs:
container_client = self._create_container_client()
async with container_client:
await asyncio.wait([self._process_blob(blob, container_client) for blob in self.blobs])
await self.sentinel.flush()
async def delete_old_blobs(self):
if self._blobs_to_delete:
container_client = self._create_container_client()
async with container_client:
await asyncio.wait([self._delete_blob(blob, container_client) for blob in self._blobs_to_delete])
async def _delete_blob(self, blob, container_client):
print("Deleting blob {}".format(blob['name']))
logging.info("Deleting blob {}".format(blob['name']))
await container_client.delete_blob(blob['name'])
async def _process_blob(self, blob, container_client):
async with self.semaphore:
print("Start processing {}".format(blob['name']))
logging.info("Start processing {}".format(blob['name']))
blob_cor = await container_client.download_blob(blob['name'])
s = ''
async for chunk in blob_cor.chunks():
s += chunk.decode()
lines = s.splitlines()
for n, line in enumerate(lines):
if n < len(lines) - 1:
if line:
event = json.loads(line)
await self.sentinel.send(event, log_type=self.log_type)
s = line
if s:
event = json.loads(s)
await self.sentinel.send(event, log_type=self.log_type)
print("Finish processing {}".format(blob['name']))
logging.info("Finish processing {}".format(blob['name']))
await self.save_checkpoint(blob)
def has_errors(self):
return len(self._processed_blobs) != len(self.blobs)
async def save_checkpoint(self, blob):
async with self.checkpoint_lock:
self._processed_blobs.append(blob)
self._processed_blob_names.add(blob['name'])
include_files = self.get_not_processed_files_names()
last_date = self.get_last_blob_date()
exlude_files = self.get_last_date_blob_names()
cors = []
if not self.last_saved_date or self.last_saved_date <= last_date:
cors.append(self.checkpoint_manager.post_last_date(last_date))
if self.last_saved_exclude_files != exlude_files:
cors.append(self.checkpoint_manager.post_exclude_files(exlude_files))
if self.last_saved_include_files != include_files:
cors.append(self.checkpoint_manager.post_include_files(include_files))
if cors:
await asyncio.wait(cors)
self.last_saved_date = last_date
self.last_saved_exclude_files = exlude_files
self.last_saved_include_files = include_files
print('Checkpoint {} saved'.format(last_date))
logging.info('Checkpoint {} saved'.format(last_date))
def get_last_blob_date(self):
if self._processed_blobs:
return max([x['last_modified'] for x in self._processed_blobs])
else:
return None
def get_last_date_blob_names(self):
last_modified = self.get_last_blob_date()
names = []
for b in self._processed_blobs:
if b['last_modified'] == last_modified:
names.append(b['name'])
return names
def get_not_processed_files_names(self):
return set([x['name'] for x in self.blobs if x['name'] not in self._processed_blob_names])
class CheckpointManager:
def __init__(self, conn_string):
self.last_date_state_manager = StateManagerAsync(connection_string=conn_string, file_path='last_date')
self.exclude_files_state_manager = StateManagerAsync(connection_string=conn_string, file_path='exclude_files')
self.exec_marker_state_manager = StateManagerAsync(connection_string=conn_string, file_path='exec_marker')
self.include_files_state_manager = StateManagerAsync(connection_string=conn_string, file_path='include_files')
async def get_last_date(self):
res = await self.last_date_state_manager.get()
if res:
return parse_date(res)
async def post_last_date(self, date: datetime.datetime):
if date:
await self.last_date_state_manager.post(date.isoformat())
async def get_exclude_files(self):
res = await self.exclude_files_state_manager.get()
if res:
return [row.strip() for row in res.split('\n') if row.strip()]
else:
return []
async def post_exclude_files(self, exclude_files: list):
if exclude_files:
data = '\n'.join(exclude_files)
await self.exclude_files_state_manager.post(data)
async def script_is_active(self):
res = await self.exec_marker_state_manager.get()
if res == '1':
return True
else:
return False
async def mark_script_as_inactive(self):
await self.exec_marker_state_manager.post('0')
async def mark_script_as_active(self):
await self.exec_marker_state_manager.post('1')
async def get_include_files(self):
res = await self.include_files_state_manager.get()
if res:
return set([row.strip() for row in res.split('\n') if row.strip()])
else:
return set()
async def post_include_files(self, include_files: list):
if include_files:
data = '\n'.join(include_files)
else:
data = ''
await self.include_files_state_manager.post(data)
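Review bot: Both age checks in `main` use `timedelta.seconds`, which is only the seconds component of the difference (0–86399) and ignores whole days, so `(now - last_date).seconds > MAX_PERIOD_MINUTES * 60` can never be true (86400 is unreachable) and the `MAX_SCRIPT_EXEC_TIME_MINUTES` check yields wrong results once the gap exceeds a day; change both to `.total_seconds()`: `if last_date and (now - last_date).total_seconds() > MAX_SCRIPT_EXEC_TIME_MINUTES * 60:` and `if not last_date or (now - last_date).total_seconds() > MAX_PERIOD_MINUTES * 60:`. Note also that the exceptions raised after `process_blobs` skip `mark_script_as_inactive`, so a failed run leaves the `exec_marker` set to `1` and later runs exit early until the (buggy) staleness check clears it; wrapping the work in `try/finally` around the marker would make recovery deterministic. In `_process_blob`, `chunk.decode()` on each downloaded chunk may presumably split a multi-byte UTF‑8 sequence across chunks — concatenating bytes first, or using an incremental decoder, would avoid a `UnicodeDecodeError` on such input; confirm against the blob format.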


@ -0,0 +1,120 @@
import datetime
import logging
import json
import hashlib
import hmac
import base64
import aiohttp
import asyncio
from collections import deque
class AzureSentinelConnectorAsync:
def __init__(self, log_analytics_uri, workspace_id, shared_key, log_type, queue_size=1000, queue_size_bytes=25 * (2**20)):
self.log_analytics_uri = log_analytics_uri
self.workspace_id = workspace_id
self.shared_key = shared_key
self.log_type = log_type
self.queue_size = queue_size
self.queue_size_bytes = queue_size_bytes
self._queue = deque()
self.successfull_sent_events_number = 0
self.failed_sent_events_number = 0
self.lock = asyncio.Lock()
async def send(self, event):
events = None
async with self.lock:
self._queue.append(event)
if len(self._queue) >= self.queue_size:
events = list(self._queue)
self._queue.clear()
if events:
await self._flush(events)
async def flush(self):
await self._flush(list(self._queue))
async def _flush(self, data: list):
if data:
data = self._split_big_request(data)
async with aiohttp.ClientSession() as session:
await asyncio.wait([self._post_data(session, self.workspace_id, self.shared_key, d, self.log_type) for d in data])
def _build_signature(self, workspace_id, shared_key, date, content_length, method, content_type, resource):
x_headers = 'x-ms-date:' + date
string_to_hash = method + "\n" + str(content_length) + "\n" + content_type + "\n" + x_headers + "\n" + resource
bytes_to_hash = bytes(string_to_hash, encoding="utf-8")
decoded_key = base64.b64decode(shared_key)
encoded_hash = base64.b64encode(hmac.new(decoded_key, bytes_to_hash, digestmod=hashlib.sha256).digest()).decode()
authorization = "SharedKey {}:{}".format(workspace_id, encoded_hash)
return authorization
async def _post_data(self, session: aiohttp.ClientSession, workspace_id, shared_key, body, log_type):
logging.info('Start sending data to sentinel')
print('Start sending data to sentinel')
events_number = len(body)
body = json.dumps(body)
method = 'POST'
content_type = 'application/json'
resource = '/api/logs'
rfc1123date = datetime.datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT')
content_length = len(body)
signature = self._build_signature(workspace_id, shared_key, rfc1123date, content_length, method, content_type, resource)
uri = self.log_analytics_uri + resource + '?api-version=2016-04-01'
headers = {
'content-type': content_type,
'Authorization': signature,
'Log-Type': log_type,
'x-ms-date': rfc1123date
}
async with session.post(uri, data=body, headers=headers) as response:
if (response.status >= 200 and response.status <= 299):
logging.info('{} events have been successfully sent to Azure Sentinel'.format(events_number))
print('{} events have been successfully sent to Azure Sentinel'.format(events_number))
self.successfull_sent_events_number += events_number
else:
logging.error("Error during sending events to Azure Sentinel. Response code: {}".format(response.status))
print("Error during sending events to Azure Sentinel. Response code: {}".format(response.status))
self.failed_sent_events_number += events_number
def _check_size(self, queue):
data_bytes_len = len(json.dumps(queue).encode())
return data_bytes_len < self.queue_size_bytes
def _split_big_request(self, queue):
if self._check_size(queue):
return [queue]
else:
middle = int(len(queue) / 2)
queues_list = [queue[:middle], queue[middle:]]
return self._split_big_request(queues_list[0]) + self._split_big_request(queues_list[1])
class AzureSentinelMultiConnectorAsync:
def __init__(self, log_analytics_uri, workspace_id, shared_key, queue_size=1000, queue_size_bytes=25 * (2**20)):
self.log_analytics_uri = log_analytics_uri
self.workspace_id = workspace_id
self.shared_key = shared_key
self.queue_size = queue_size
self.queue_size_bytes = queue_size_bytes
self.connectors = dict()
async def send(self, event, log_type):
if log_type not in self.connectors:
self.connectors[log_type] = AzureSentinelConnectorAsync(self.log_analytics_uri, self.workspace_id, self.shared_key, log_type, self.queue_size, self.queue_size_bytes)
conn = self.connectors[log_type]
await conn.send(event)
async def flush(self):
await asyncio.wait([conn.flush() for conn in self.connectors.values()])
@property
def successfull_sent_events_number(self):
return sum([conn.successfull_sent_events_number for conn in self.connectors.values()])
@property
def failed_sent_events_number(self):
return sum([conn.failed_sent_events_number for conn in self.connectors.values()])


@ -0,0 +1,37 @@
from azure.storage.fileshare.aio import ShareClient
from azure.storage.fileshare.aio import ShareFileClient
from azure.core.exceptions import ResourceNotFoundError
class StateManagerAsync:
def __init__(self, connection_string, share_name='funcstatemarkershare', file_path='funcstatemarkerfile'):
self.connection_string = connection_string
self.share_name = share_name
self.file_path = file_path
def _get_file_cli(self):
return ShareFileClient.from_connection_string(conn_str=self.connection_string, share_name=self.share_name, file_path=self.file_path)
def _get_share_cli(self):
return ShareClient.from_connection_string(conn_str=self.connection_string, share_name=self.share_name)
async def post(self, marker_text: str):
file_cli = self._get_file_cli()
async with file_cli:
try:
await file_cli.upload_file(marker_text)
except ResourceNotFoundError:
share_cli = self._get_share_cli()
async with share_cli:
await share_cli.create_share()
await file_cli.upload_file(marker_text)
async def get(self):
file_cli = self._get_file_cli()
async with file_cli:
try:
cor = await file_cli.download_file()
f = await cor.readall()
return f.decode()
except ResourceNotFoundError:
return None
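Review bot: `StateManagerAsync` and its `post`/`get` methods carry no docstrings, so a reader cannot tell from the code that the share and file named by the defaults are a small marker store rather than log data. A class docstring such as `"""Persist a short text marker in an Azure File Share (the share is created on first write); get() returns None until a marker has been written."""` would cover it. In `post`, the `ResourceNotFoundError` branch creates the share and retries the upload once; if two function instances hit that branch concurrently, `create_share()` can raise `ResourceExistsError`, so either catch it and proceed to the upload or document the single-instance assumption.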

DataConnectors/Cloudflare/CloudflareConn.zip Normal file



@ -0,0 +1,130 @@
{
"id": "CloudflareDataConnector",
"title": "Cloudflare",
"publisher": "Cloudflare",
"descriptionMarkdown": "The Cloudflare data connector provides the capability to ingest [Cloudflare logs](https://developers.cloudflare.com/logs/) into Azure Sentinel using the Cloudflare Logpush and Azure Blob Storage. Refer to [Cloudflare documentation](https://developers.cloudflare.com/logs/logpush) for more information.",
"additionalRequirementBanner": "These queries and workbooks are dependent on a parser based on Kusto to work as expected. Follow the steps to use this Kusto functions alias **Cloudflare** in queries and workbooks. [Follow steps to get this Kusto functions>](https://aka.ms/sentinel-CloudflareDataConnector-parser) ",
"graphQueries": [
{
"metricName": "Cloudflare logs",
"legend": "Cloudflare_CL",
"baseQuery": "Cloudflare_CL"
}
],
"sampleQueries": [
{
"description" : "All Cloudflare logs",
"query": "Cloudflare_CL\n| sort by TimeGenerated desc"
}
],
"dataTypes": [
{
"name": "Cloudflare_CL",
"lastDataReceivedQuery": "Cloudflare_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"Cloudflare_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(1d)"
]
}
],
"availability": {
"status": 2,
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions on the workspace are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [
{
"name": "Microsoft.Web/sites permissions",
"description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
},
{
"name": "Azure Blob Storage connection string and container name",
"description": "Azure Blob Storage connection string and container name where the logs are pushed to by Cloudflare Logpush. [See the documentation to learn more about creating Azure Blob Storage container.](https://developers.cloudflare.com/logs/logpush/azure/)"
}
]
},
"instructionSteps": [
{
"title": "",
"description": ">**NOTE:** This connector uses Azure Functions to connect to the Azure Blob Storage API to pull logs into Azure Sentinel. This might result in additional costs for data ingestion and for storing data in Azure Blob Storage costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) and [Azure Blob Storage pricing page](https://azure.microsoft.com/pricing/details/storage/blobs/) for details."
},
{
"title": "",
"description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
},
{
"title": "",
"description": ">**NOTE:** This connector uses a parser based on a Kusto Function to normalize fields. [Follow these steps](https://aka.ms/sentinel-CloudflareDataConnector-parser) to create the Kusto function alias **Cloudflare**."
},
{
"title": "",
"description": "**STEP 1 - Configuration of the Cloudflare Logpush**\n\nSee documentation to [setup Cloudflare Logpush to Microsoft Azure](https://developers.cloudflare.com/logs/logpush/logpush-dashboard)"
},
{
"title": "",
"description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Cloudflare data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as Azure Blob Storage connection string and container name, readily available.",
"instructions":[
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID"
},
"type": "CopyableLabel"
},
{
"parameters": {
"fillWith": [
"PrimaryKey"
],
"label": "Primary Key"
},
"type": "CopyableLabel"
}
]
},
{
"title": "Option 1 - Azure Resource Manager (ARM) Template",
"description": "Use this method for automated deployment of the Cloudflare data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-CloudflareDataConnector-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Azure Blob Storage Container Name**, **Azure Blob Storage Connection String**, **Azure Sentinel Workspace Id**, **Azure Sentinel Shared Key**\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**.\n5. Click **Purchase** to deploy."
},
{
"title": "Option 2 - Manual Deployment of Azure Functions",
"description": "Use the following step-by-step instructions to deploy the Cloudflare data connector manually with Azure Functions (Deployment via Visual Studio Code)."
},
{
"title": "",
"description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/create-first-function-vs-code-python) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CloudflareDataConnector-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CloudflareXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Azure Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration."
},
{
"title": "",
"description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tCONTAINER_NAME\n\t\tAZURE_STORAGE_CONNECTION_STRING\n\t\tWORKSPACE_ID\n\t\tSHARED_KEY\n\t\tlogAnalyticsUri (Optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: https://WORKSPACE_ID.ods.opinsights.azure.us. \n4. Once all application settings have been entered, click **Save**."
}
]
}
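Review bot: The `description` under the `Option 1 - Azure Resource Manager (ARM) Template` step misspells `Tempate` in `using an ARM Tempate.`; it should read `using an ARM Template.`. The `additionalRequirementBanner` also reads awkwardly (`Follow the steps to use this Kusto functions alias **Cloudflare**`); `Follow the steps to use the Kusto function alias **Cloudflare**` is clearer. Both strings are shown to users in the connector gallery, so they are worth fixing before the connector ships.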


@ -0,0 +1,200 @@
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"FunctionName": {
"defaultValue": "Cloudflare",
"type": "string",
"minLength": 1,
"maxLength": 11
},
"AzureBlobStorageContainerName": {
"type": "string",
"defaultValue": ""
},
"AzureBlobStorageConnectionString": {
"type": "securestring",
"defaultValue": ""
},
"AzureSentinelWorkspaceId": {
"type": "string",
"defaultValue": ""
},
"AzureSentinelSharedKey": {
"type": "securestring",
"defaultValue": ""
}
},
"variables": {
"FunctionName": "[concat(toLower(parameters('FunctionName')), uniqueString(resourceGroup().id))]",
"StorageSuffix": "[environment().suffixes.storage]",
"LogAnaltyicsUri": "[replace(environment().portal, 'https://portal', concat('https://', toLower(parameters('AzureSentinelWorkspaceId')), '.ods.opinsights'))]"
},
"resources": [
{
"type": "Microsoft.Insights/components",
"apiVersion": "2015-05-01",
"name": "[variables('FunctionName')]",
"location": "[resourceGroup().location]",
"kind": "web",
"properties": {
"Application_Type": "web",
"ApplicationId": "[variables('FunctionName')]"
}
},
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"name": "[tolower(variables('FunctionName'))]",
"location": "[resourceGroup().location]",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"networkAcls": {
"bypass": "AzureServices",
"virtualNetworkRules": [],
"ipRules": [],
"defaultAction": "Allow"
},
"supportsHttpsTrafficOnly": true,
"encryption": {
"services": {
"file": {
"keyType": "Account",
"enabled": true
},
"blob": {
"keyType": "Account",
"enabled": true
}
},
"keySource": "Microsoft.Storage"
}
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]"
],
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"properties": {
"cors": {
"corsRules": []
},
"deleteRetentionPolicy": {
"enabled": false
}
}
},
{
"type": "Microsoft.Storage/storageAccounts/fileServices",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]"
],
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"properties": {
"cors": {
"corsRules": []
}
}
},
{
"type": "Microsoft.Web/sites",
"apiVersion": "2018-11-01",
"name": "[variables('FunctionName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]",
"[resourceId('Microsoft.Insights/components', variables('FunctionName'))]"
],
"kind": "functionapp,linux",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"name": "[variables('FunctionName')]",
"httpsOnly": true,
"clientAffinityEnabled": true,
"alwaysOn": true,
"reserved": true,
"siteConfig": {
"linuxFxVersion": "python|3.8"
}
},
"resources": [
{
"apiVersion": "2018-11-01",
"type": "config",
"name": "appsettings",
"dependsOn": [
"[concat('Microsoft.Web/sites/', variables('FunctionName'))]"
],
"properties": {
"FUNCTIONS_EXTENSION_VERSION": "~3",
"FUNCTIONS_WORKER_RUNTIME": "python",
"APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', variables('FunctionName')), '2015-05-01').InstrumentationKey]",
"APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', variables('FunctionName')), '2015-05-01').ConnectionString]",
"AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('FunctionName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]",
"CONTAINER_NAME": "[parameters('AzureBlobStorageContainerName')]",
"AZURE_STORAGE_CONNECTION_STRING": "[parameters('AzureBlobStorageConnectionString')]",
"WORKSPACE_ID": "[parameters('AzureSentinelWorkspaceId')]",
"SHARED_KEY": "[parameters('AzureSentinelSharedKey')]",
"logAnalyticsUri": "[variables('LogAnaltyicsUri')]",
"WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-CloudflareDataConnector-functionapp"
}
}
]
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default/azure-webjobs-hosts')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('FunctionName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]"
],
"properties": {
"publicAccess": "None"
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default/azure-webjobs-secrets')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('FunctionName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]"
],
"properties": {
"publicAccess": "None"
}
},
{
"type": "Microsoft.Storage/storageAccounts/fileServices/shares",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default/', tolower(variables('FunctionName')))]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/fileServices', variables('FunctionName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]"
],
"properties": {
"shareQuota": 5120
}
}
]
}
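Review bot: The `Microsoft.Storage/storageAccounts` resource (apiVersion `2019-06-01`) sets `networkAcls.defaultAction` to `Allow` and declares neither `minimumTlsVersion` nor `allowBlobPublicAccess`, so the Function App's own storage — which this template also populates with the `azure-webjobs-secrets` container — is left at the platform defaults for both (at the time of this commit that likely means TLS 1.0 is still accepted). Adding `"minimumTlsVersion": "TLS1_2"` and `"allowBlobPublicAccess": false` under that resource's `properties` is supported by this apiVersion. Separately, `SHARED_KEY` and `AZURE_STORAGE_CONNECTION_STRING` are written into plain `appsettings` even though the connector's instruction steps describe Key Vault as the recommended store; the template could accept a Key Vault reference for those two parameters, or at minimum the instruction text should state that the ARM path stores them as ordinary application settings.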


@ -0,0 +1,15 @@
{
"version": "2.0",
"logging": {
"applicationInsights": {
"samplingSettings": {
"isEnabled": true,
"excludedTypes": "Request"
}
}
},
"extensionBundle": {
"id": "Microsoft.Azure.Functions.ExtensionBundle",
"version": "[1.*, 2.0.0)"
}
}


@ -0,0 +1,4 @@
{
"$schema": "http://json.schemastore.org/proxies",
"proxies": {}
}


@ -0,0 +1,5 @@
azure-storage-blob
aiohttp
azure-functions
azure-storage-file-share
python-dateutil
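Review bot: None of the five requirements (`azure-storage-blob`, `aiohttp`, `azure-functions`, `azure-storage-file-share`, `python-dateutil`) carries a version specifier, so every deployment of the function resolves whatever is newest on PyPI at build time. Pinning to the versions the connector was tested against — at least a compatible-release bound such as `aiohttp~=3.7` (illustrative) — keeps builds reproducible and turns a breaking or compromised upstream release into an explicit upgrade rather than a silent one.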



@ -38,8 +38,18 @@ def main(eeimsg: func.QueueMessage) -> None:
verify = bool(strtobool(os.environ['verifySsl']))
workspace_id = os.environ['workspaceId']
workspace_key = os.environ['workspaceKey']
logAnalyticsUri = os.environ.get('logAnalyticsUri')
log_type = 'ESETEnterpriseInspector'
if ((logAnalyticsUri in (None, '') or str(logAnalyticsUri).isspace())):
logAnalyticsUri = 'https://' + customer_id + '.ods.opinsights.azure.com'
pattern = r'https:\/\/([\w\-]+)\.ods\.opinsights\.azure.([a-zA-Z\.]+)$'
match = re.match(pattern,str(logAnalyticsUri))
if(not match):
raise Exception("ESET Enterprise Inspector: Invalid Log Analytics Uri.")
# Connect to ESET Enterprise Inspector server
ei = EnterpriseInspector(
base_url=base_url,
@ -58,5 +68,6 @@ def main(eeimsg: func.QueueMessage) -> None:
customer_id=workspace_id,
shared_key=workspace_key,
body=body,
log_type=log_type
log_type=log_type,
logAnalyticsUri = logAnalyticsUri
)
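Review bot: The fallback `logAnalyticsUri = 'https://' + customer_id + '.ods.opinsights.azure.com'` references `customer_id`, but the only workspace-id variable in this function is `workspace_id` (assigned two lines above), so an unset `logAnalyticsUri` raises `NameError` instead of falling back; it should read `logAnalyticsUri = 'https://' + workspace_id + '.ods.opinsights.azure.com'`. The hunk also calls `re.match` without an `import re` visible in this file's hunks, whereas the Google Workspace, Proofpoint, Salesforce and Trend Micro files in this commit each add one — confirm the import exists here. The endpoint allow-list pattern `r'https:\/\/([\w\-]+)\.ods\.opinsights\.azure.([a-zA-Z\.]+)$'` leaves the dot after `azure` unescaped, so any single character is accepted in that position; `\.azure\.([a-zA-Z\.]+)$` closes that gap, and the identical pattern is copy-pasted into the Google Workspace, Proofpoint, Salesforce and Trend Micro connectors in this commit. `main`'s body continues outside the hunk.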


@ -24,15 +24,16 @@ def build_signature(customer_id, shared_key, date, content_length, method, conte
return authorization
# Build and send a request to the POST API
def post_data(customer_id, shared_key, body, log_type):
def post_data(customer_id, shared_key, body, log_type, logAnalyticsUri):
method = 'POST'
content_type = 'application/json'
resource = '/api/logs'
rfc1123date = datetime.datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT')
content_length = len(body)
signature = build_signature(customer_id, shared_key, rfc1123date, content_length, method, content_type, resource)
uri = 'https://' + customer_id + '.ods.opinsights.azure.com' + resource + '?api-version=2016-04-01'
uri = logAnalyticsUri + resource + '?api-version=2016-04-01'
headers = {
'content-type': content_type,
'Authorization': signature,
@ -40,9 +41,9 @@ def post_data(customer_id, shared_key, body, log_type):
'x-ms-date': rfc1123date
}
response = requests.post(uri,data=body, headers=headers)
response = requests.post(uri, data=body, headers=headers)
if (response.status_code >= 200 and response.status_code <= 299):
print('Accepted')
else:
exit_error(f'Response code "{response.status_code}" while sending data through data-collector API.')
exit_error(f'Response code "{response.status_code}" while sending data through data-collector API.')
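Review bot: The new parameter `logAnalyticsUri` is the only camelCase name in `post_data(customer_id, shared_key, body, log_type, logAnalyticsUri)`; `log_analytics_uri` would match its siblings and PEP 8, with the keyword argument in `main` renamed to match. The function also has no docstring, and the point that matters most to a maintainer is not recorded anywhere: `"""POST a JSON body to the Log Analytics Data Collector API; logAnalyticsUri must already be validated by the caller (no check is done here)."""`. `post_data`'s body continues outside the hunk.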



@ -13,6 +13,7 @@ import azure.functions as func
import logging
import os
import time
import re
customer_id = os.environ['WorkspaceID']
shared_key = os.environ['WorkspaceKey']
@ -20,6 +21,15 @@ pickle_str = os.environ['GooglePickleString']
pickle_string = base64.b64decode(pickle_str)
SCOPES = ['https://www.googleapis.com/auth/admin.reports.audit.readonly']
activities = ["login", "calendar", "drive", "admin", "mobile", "token", "user_accounts"]
logAnalyticsUri = os.environ.get('logAnalyticsUri')
if ((logAnalyticsUri in (None, '') or str(logAnalyticsUri).isspace())):
logAnalyticsUri = 'https://' + customer_id + '.ods.opinsights.azure.com'
pattern = r'https:\/\/([\w\-]+)\.ods\.opinsights\.azure.([a-zA-Z\.]+)$'
match = re.match(pattern,str(logAnalyticsUri))
if(not match):
raise Exception("Google Workspace Reports: Invalid Log Analytics Uri.")
def get_credentials():
creds = None
@ -75,15 +85,14 @@ def post_data(customer_id, shared_key, body, log_type):
rfc1123date = datetime.datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT')
content_length = len(body)
signature = build_signature(customer_id, shared_key, rfc1123date, content_length, method, content_type, resource)
uri = 'https://' + customer_id + '.ods.opinsights.azure.com' + resource + '?api-version=2016-04-01'
uri = logAnalyticsUri + resource + '?api-version=2016-04-01'
headers = {
'content-type': content_type,
'Authorization': signature,
'Log-Type': log_type,
'x-ms-date': rfc1123date
}
response = requests.post(uri,data=body, headers=headers)
response = requests.post(uri, data=body, headers=headers)
if (response.status_code >= 200 and response.status_code <= 299):
logging.info("Logs with {} activity was processed into Azure".format(log_type))
else:



@ -12,6 +12,7 @@ import requests
import azure.functions as func
import logging
import certifi
import re
customer_id = os.environ['WorkspaceID']
@ -20,6 +21,15 @@ cluster_id = os.environ['ProofpointClusterID']
_token = os.environ['ProofpointToken']
time_delay_minutes = 60
event_types = ["maillog","message"]
logAnalyticsUri = os.environ.get('logAnalyticsUri')
if ((logAnalyticsUri in (None, '') or str(logAnalyticsUri).isspace())):
logAnalyticsUri = 'https://' + customer_id + '.ods.opinsights.azure.com'
pattern = r'https:\/\/([\w\-]+)\.ods\.opinsights\.azure.([a-zA-Z\.]+)$'
match = re.match(pattern,str(logAnalyticsUri))
if(not match):
raise Exception("ProofpointPOD: Invalid Log Analytics Uri.")
def main(mytimer: func.TimerRequest) -> None:
if mytimer.past_due:
@ -35,6 +45,7 @@ def main(mytimer: func.TimerRequest) -> None:
class Proofpoint_api:
def __init__(self):
self.cluster_id = cluster_id
self.logAnalyticsUri = logAnalyticsUri
self._token = _token
self.time_delay_minutes = int(time_delay_minutes)
self.gen_timeframe(time_delay_minutes=self.time_delay_minutes)
@ -113,7 +124,9 @@ class Proofpoint_api:
content_length = len(body)
signature = self.build_signature(rfc1123date, content_length, method, content_type,
resource)
uri = 'https://' + customer_id + '.ods.opinsights.azure.com' + resource + '?api-version=2016-04-01'
uri = self.logAnalyticsUri + resource + '?api-version=2016-04-01'
headers = {
'content-type': content_type,
'Authorization': signature,



@ -9,6 +9,7 @@ import csv
import os
import sys
import tempfile
import re
import azure.functions as func
@ -25,7 +26,15 @@ interval = "hourly"
hours_interval = 1
days_interval = 1
url = "https://login.salesforce.com/services/oauth2/token"
logAnalyticsUri = os.environ.get('logAnalyticsUri')
if ((logAnalyticsUri in (None, '') or str(logAnalyticsUri).isspace())):
logAnalyticsUri = 'https://' + customer_id + '.ods.opinsights.azure.com'
pattern = r'https:\/\/([\w\-]+)\.ods\.opinsights\.azure.([a-zA-Z\.]+)$'
match = re.match(pattern,str(logAnalyticsUri))
if(not match):
raise Exception("Salesforce Service Cloud: Invalid Log Analytics Uri.")
def _get_token():
params = {
@ -175,14 +184,15 @@ def post_data(customer_id, shared_key, body, log_type, chunk_count):
rfc1123date = datetime.datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT')
content_length = len(body)
signature = build_signature(customer_id, shared_key, rfc1123date, content_length, method, content_type, resource)
uri = 'https://' + customer_id + '.ods.opinsights.azure.com' + resource + '?api-version=2016-04-01'
uri = logAnalyticsUri + resource + '?api-version=2016-04-01'
headers = {
'content-type': content_type,
'Authorization': signature,
'Log-Type': log_type,
'x-ms-date': rfc1123date
}
response = requests.post(uri,data=body, headers=headers)
response = requests.post(uri, data=body, headers=headers)
if (response.status_code >= 200 and response.status_code <= 299):
print('Accepted')
logging.info("Chunk was processed({} events)".format(chunk_count))


@ -18,7 +18,6 @@ $currentUTCtime = (Get-Date).ToUniversalTime()
# The 'IsPastDue' property is 'true' when the current function invocation is later than scheduled.
if ($Timer.IsPastDue) {
Write-Host "PowerShell timer is running late! $($Timer.ScheduledStatus.Last)"
}
# Define the application settings (environmental variables) for the Workspace ID, Workspace Key, <PROVIDER NAME APPLIANCE NAME> API Key(s) or Token, URI, and/or Other variables. Reference (https://docs.microsoft.com/azure/azure-functions/functions-reference-powershell#environment-variables)for more information
@ -116,9 +115,22 @@ Function Post-LogAnalyticsData($customerId, $sharedKey, $body, $logType)
"time-generated-field" = $TimeStampField;
}
$response = Invoke-WebRequest -Uri $logAnalyticsUri -Method $method -ContentType $contentType -Headers $headers -Body $body -UseBasicParsing
return $response.StatusCode
try {
$response = Invoke-WebRequest -Uri $logAnalyticsUri -Method $method -ContentType $contentType -Headers $headers -Body $body -UseBasicParsing
}
catch {
Write-Error "Error during sending logs to Azure Sentinel: $_.Exception.Message"
# Exit out of context
Exit
}
if ($response.StatusCode -eq 200) {
Write-Host "Logs have been successfully sent to Azure Sentinel."
}
else {
Write-Host "Error during sending logs to Azure Sentinel. Response code : $response.StatusCode"
}
return $response.StatusCode
}
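Review bot: `Write-Error "Error during sending logs to Azure Sentinel: $_.Exception.Message"` does not expand the property — in a double-quoted string PowerShell substitutes `$_` and appends the literal text `.Exception.Message`; use `$($_.Exception.Message)`, and likewise `$($response.StatusCode)` in the `Write-Host` on the else branch, which otherwise prints the object followed by `.StatusCode`. `Exit` inside `Post-LogAnalyticsData` terminates the calling script rather than just this function, which in a Functions host is likely a heavier outcome than the caller expects from a function documented to `return $response.StatusCode`; returning `$null` or re-throwing keeps the failure local and visible. In the first hunk one line is dropped between the `Write-Host` and the comment; the rendering does not show whether it was a blank line or the `}` closing `if ($Timer.IsPastDue)`, so confirm the script still parses.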
<# Use this block to post the JSON formated data into Azure Log Analytics via the Azure Log Analytics Data Collector API


@ -37,7 +37,7 @@ def main(mytimer: func.TimerRequest) -> None:
customer_id = os.environ['workspaceId']
shared_key = os.envviron['workspaceKey']
log_type = os.envviron['tableName']
logAnalyticsUri = os.environ['logAnalyticsUri']
logAnalyticsUri = os.environ.get('logAnalyticsUri')
if ((logAnalyticsUri in (None, '') or str(logAnalyticsUri).isspace())):
logAnalyticsUri = 'https://' + customerId + '.ods.opinsights.azure.com'
@ -97,7 +97,7 @@ def post_data(customer_id, shared_key, body, log_type):
rfc1123date = datetime.datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT')
content_length = len(body)
signature = build_signature(customer_id, shared_key, rfc1123date, content_length, method, content_type, resource)
logAnalyticsUri = logAnalyticsUri + resource + "?api-version=2016-04-01"
uri = logAnalyticsUri + resource + "?api-version=2016-04-01"
headers = {
'content-type': content_type,
@ -105,12 +105,15 @@ def post_data(customer_id, shared_key, body, log_type):
'Log-Type': log_type,
'x-ms-date': rfc1123date
}
response = requests.post(logAnalyticsUri,data=body, headers=headers)
if (response.status_code >= 200 and response.status_code <= 299):
print 'Accepted'
try:
response = requests.post(uri, data=body, headers=headers)
except Exception as err:
print("Error during sending logs to Azure Sentinel: {}".format(err))
else:
print "Response code: {}".format(response.status_code)
if (response.status_code >= 200 and response.status_code <= 299):
print("logs have been successfully sent to Azure Sentinel.")
else:
print("Error during sending logs to Azure Sentinel. Response code: {}".format(response.status_code))
/* Use this block to post the JSON formated data into Azure Log Analytics via the Azure Log Analytics Data Collector API
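Review bot: `logAnalyticsUri = 'https://' + customerId + '.ods.opinsights.azure.com'` uses `customerId`, while the variable assigned two lines above in `main` is `customer_id`, so the fallback path raises `NameError`; it should be `customer_id`. In `post_data(customer_id, shared_key, body, log_type)` the new line `uri = logAnalyticsUri + resource + "?api-version=2016-04-01"` reads `logAnalyticsUri`, which in this file is assigned inside `main` and is not a parameter — unless a module-level `logAnalyticsUri` exists outside the hunks this is a `NameError` as well, and passing it as a parameter (as the ESET connector in this commit does) would fix it. The unchanged lines `os.envviron['workspaceKey']` and `os.envviron['tableName']` adjacent to the edited line misspell `environ` and fail before any of the new code runs. Both functions continue outside the hunks.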



@ -14,6 +14,7 @@ import hmac
import hashlib
import sys
import os
import re
import azure.functions as func
def main(mytimer: func.TimerRequest) -> None:
@ -39,6 +40,15 @@ api_id = os.environ ['api_key']
regioncode = os.environ ['regioncode']
url_base = region[regioncode]
log_type = 'TrendMicro_XDR'
logAnalyticsUri = os.environ.get('logAnalyticsUri')
if ((logAnalyticsUri in (None, '') or str(logAnalyticsUri).isspace())):
logAnalyticsUri = 'https://' + customer_id + '.ods.opinsights.azure.com'
pattern = r'https:\/\/([\w\-]+)\.ods\.opinsights\.azure.([a-zA-Z\.]+)$'
match = re.match(pattern,str(logAnalyticsUri))
if(not match):
raise Exception("Trend Micro: Invalid Log Analytics Uri.")
#Get List of Events
def getWorkbenchList():
@ -107,7 +117,7 @@ def post_data(customer_id, shared_key, body, log_type, workbencheIds):
rfc1123date = datetime.datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT')
content_length = len(body)
signature = build_signature(customer_id, shared_key, rfc1123date, content_length, method, content_type, resource)
uri = 'https://' + customer_id + '.ods.opinsights.azure.com' + resource + '?api-version=2016-04-01'
uri = logAnalyticsUri + resource + '?api-version=2016-04-01'
headers = {
'content-type': content_type,
@ -116,7 +126,7 @@ def post_data(customer_id, shared_key, body, log_type, workbencheIds):
'x-ms-date': rfc1123date
}
response = requests.post(uri,data=body, headers=headers)
response = requests.post(uri, data=body, headers=headers)
if (response.status_code >= 200 and response.status_code <= 299):
print ('Accepted ' + workbencheIds)
#Uncomment for easy troublshooting of log posting to Sentinel
@ -150,3 +160,4 @@ def function():
a += 1
return status


@ -1,52 +1,52 @@
id: c9b6d281-b96b-4763-b728-9a04b9fe1246
name: Cisco Umbrella - Connection to non-corporate private network
description: |
'IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home computer.'
severity: Medium
requiredDataConnectors:
- connectorId: CiscoUmbrellaDataConnector
dataTypes:
- Cisco_Umbrella_proxy_CL
queryFrequency: 10m
queryPeriod: 10m
triggerOperator: gt
triggerThreshold: 0
tactics:
- CommandandControl
- Exfiltration
query: |
let lbtime = 10m;
Cisco_Umbrella
| where TimeGenerated > ago(lbtime)
| where EventType == 'proxylogs'
| where DvcAction =~ 'Allowed'
| where UrlCategory contains 'Adult Themes' or
UrlCategory contains 'Adware' or
UrlCategory contains 'Alcohol' or
UrlCategory contains 'Illegal Downloads' or
UrlCategory contains 'Drugs' or
UrlCategory contains 'Child Abuse Content' or
UrlCategory contains 'Hate/Discrimination' or
UrlCategory contains 'Nudity' or
UrlCategory contains 'Pornography' or
UrlCategory contains 'Proxy/Anonymizer' or
UrlCategory contains 'Sexuality' or
UrlCategory contains 'Tasteless' or
UrlCategory contains 'Terrorism' or
UrlCategory contains 'Web Spam' or
UrlCategory contains 'German Youth Protection' or
UrlCategory contains 'Illegal Activities' or
UrlCategory contains 'Lingerie/Bikini' or
UrlCategory contains 'Weapons'
| project TimeGenerated, SrcIpAddr, Identities
| extend IPCustomEntity = SrcIpAddr
| extend AccountCustomEntity = Identities
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
id: c9b6d281-b96b-4763-b728-9a04b9fe1246
name: Cisco Umbrella - Connection to non-corporate private network
description: |
'IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home computer.'
severity: Medium
requiredDataConnectors:
- connectorId: CiscoUmbrellaDataConnector
dataTypes:
- Cisco_Umbrella_proxy_CL
queryFrequency: 10m
queryPeriod: 10m
triggerOperator: gt
triggerThreshold: 0
tactics:
- CommandandControl
- Exfiltration
query: |
let lbtime = 10m;
Cisco_Umbrella
| where TimeGenerated > ago(lbtime)
| where EventType == 'proxylogs'
| where DvcAction =~ 'Allowed'
| where UrlCategory contains 'Adult Themes' or
UrlCategory contains 'Adware' or
UrlCategory contains 'Alcohol' or
UrlCategory contains 'Illegal Downloads' or
UrlCategory contains 'Drugs' or
UrlCategory contains 'Child Abuse Content' or
UrlCategory contains 'Hate/Discrimination' or
UrlCategory contains 'Nudity' or
UrlCategory contains 'Pornography' or
UrlCategory contains 'Proxy/Anonymizer' or
UrlCategory contains 'Sexuality' or
UrlCategory contains 'Tasteless' or
UrlCategory contains 'Terrorism' or
UrlCategory contains 'Web Spam' or
UrlCategory contains 'German Youth Protection' or
UrlCategory contains 'Illegal Activities' or
UrlCategory contains 'Lingerie/Bikini' or
UrlCategory contains 'Weapons'
| project TimeGenerated, SrcIpAddr, Identities
| extend IPCustomEntity = SrcIpAddr
| extend AccountCustomEntity = Identities
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity


@ -1,52 +1,52 @@
id: d6bf1931-b1eb-448d-90b2-de118559c7ce
name: Cisco Umbrella - Request Allowed to harmful/malicious URI category
description: |
'It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious content..'
severity: Medium
requiredDataConnectors:
- connectorId: CiscoUmbrellaDataConnector
dataTypes:
- Cisco_Umbrella_proxy_CL
queryFrequency: 10m
queryPeriod: 10m
triggerOperator: gt
triggerThreshold: 0
tactics:
- CommandandControl
- InitialAccess
query: |
let lbtime = 10m;
Cisco_Umbrella
| where TimeGenerated > ago(lbtime)
| where EventType == 'proxylogs'
| where DvcAction =~ 'Allowed'
| where UrlCategory contains 'Adult Themes' or
UrlCategory contains 'Adware' or
UrlCategory contains 'Alcohol' or
UrlCategory contains 'Illegal Downloads' or
UrlCategory contains 'Drugs' or
UrlCategory contains 'Child Abuse Content' or
UrlCategory contains 'Hate/Discrimination' or
UrlCategory contains 'Nudity' or
UrlCategory contains 'Pornography' or
UrlCategory contains 'Proxy/Anonymizer' or
UrlCategory contains 'Sexuality' or
UrlCategory contains 'Tasteless' or
UrlCategory contains 'Terrorism' or
UrlCategory contains 'Web Spam' or
UrlCategory contains 'German Youth Protection' or
UrlCategory contains 'Illegal Activities' or
UrlCategory contains 'Lingerie/Bikini' or
UrlCategory contains 'Weapons'
| project TimeGenerated, SrcIpAddr, Identities
| extend IPCustomEntity = SrcIpAddr
| extend AccountCustomEntity = Identities
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
id: d6bf1931-b1eb-448d-90b2-de118559c7ce
name: Cisco Umbrella - Request Allowed to harmful/malicious URI category
description: |
'It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious content..'
severity: Medium
requiredDataConnectors:
- connectorId: CiscoUmbrellaDataConnector
dataTypes:
- Cisco_Umbrella_proxy_CL
queryFrequency: 10m
queryPeriod: 10m
triggerOperator: gt
triggerThreshold: 0
tactics:
- CommandandControl
- InitialAccess
query: |
let lbtime = 10m;
Cisco_Umbrella
| where TimeGenerated > ago(lbtime)
| where EventType == 'proxylogs'
| where DvcAction =~ 'Allowed'
| where UrlCategory contains 'Adult Themes' or
UrlCategory contains 'Adware' or
UrlCategory contains 'Alcohol' or
UrlCategory contains 'Illegal Downloads' or
UrlCategory contains 'Drugs' or
UrlCategory contains 'Child Abuse Content' or
UrlCategory contains 'Hate/Discrimination' or
UrlCategory contains 'Nudity' or
UrlCategory contains 'Pornography' or
UrlCategory contains 'Proxy/Anonymizer' or
UrlCategory contains 'Sexuality' or
UrlCategory contains 'Tasteless' or
UrlCategory contains 'Terrorism' or
UrlCategory contains 'Web Spam' or
UrlCategory contains 'German Youth Protection' or
UrlCategory contains 'Illegal Activities' or
UrlCategory contains 'Lingerie/Bikini' or
UrlCategory contains 'Weapons'
| project TimeGenerated, SrcIpAddr, Identities
| extend IPCustomEntity = SrcIpAddr
| extend AccountCustomEntity = Identities
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity


@ -1,37 +1,37 @@
id: de58ee9e-b229-4252-8537-41a4c2f4045e
name: Cisco Umbrella - Request to blocklisted file type
description: |
'Detects request to potentially harmful file types (.ps1, .bat, .vbs, etc.).'
severity: Medium
requiredDataConnectors:
- connectorId: CiscoUmbrellaDataConnector
dataTypes:
- Cisco_Umbrella_proxy_CL
queryFrequency: 10m
queryPeriod: 10m
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
query: |
let file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']);
let lbtime = 10m;
Cisco_Umbrella
| where TimeGenerated > ago(lbtime)
| where EventType == 'proxylogs'
| where DvcAction =~ 'Allowed'
| extend file_ext = extract(@'.*(\.\w+)$', 1, UrlOriginal)
| extend Filename = extract(@'.*\/*\/(.*\.\w+)$', 1, UrlOriginal)
| where file_ext in (file_ext_blocklist)
| project TimeGenerated, SrcIpAddr, Identities, Filename
| extend IPCustomEntity = SrcIpAddr
| extend AccountCustomEntity = Identities
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
id: de58ee9e-b229-4252-8537-41a4c2f4045e
name: Cisco Umbrella - Request to blocklisted file type
description: |
'Detects request to potentially harmful file types (.ps1, .bat, .vbs, etc.).'
severity: Medium
requiredDataConnectors:
- connectorId: CiscoUmbrellaDataConnector
dataTypes:
- Cisco_Umbrella_proxy_CL
queryFrequency: 10m
queryPeriod: 10m
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
query: |
let file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']);
let lbtime = 10m;
Cisco_Umbrella
| where TimeGenerated > ago(lbtime)
| where EventType == 'proxylogs'
| where DvcAction =~ 'Allowed'
| extend file_ext = extract(@'.*(\.\w+)$', 1, UrlOriginal)
| extend Filename = extract(@'.*\/*\/(.*\.\w+)$', 1, UrlOriginal)
| where file_ext in (file_ext_blocklist)
| project TimeGenerated, SrcIpAddr, Identities, Filename
| extend IPCustomEntity = SrcIpAddr
| extend AccountCustomEntity = Identities
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity


@ -1,34 +1,34 @@
id: ee1818ec-5f65-4991-b711-bcf2ab7e36c3
name: Cisco Umbrella - URI contains IP address
description: |
'Malware can use IP address to communicate with C2.'
severity: Medium
requiredDataConnectors:
- connectorId: CiscoUmbrellaDataConnector
dataTypes:
- Cisco_Umbrella_proxy_CL
queryFrequency: 10m
queryPeriod: 10m
triggerOperator: gt
triggerThreshold: 0
tactics:
- CommandandControl
query: |
let lbtime = 10m;
Cisco_Umbrella
| where TimeGenerated > ago(lbtime)
| where EventType == 'proxylogs'
| where DvcAction =~ 'Allowed'
| where UrlOriginal matches regex @'\Ahttp:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.*'
| project TimeGenerated, SrcIpAddr, Identities
| extend IPCustomEntity = SrcIpAddr
| extend AccountCustomEntity = Identities
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
id: ee1818ec-5f65-4991-b711-bcf2ab7e36c3
name: Cisco Umbrella - URI contains IP address
description: |
'Malware can use IP address to communicate with C2.'
severity: Medium
requiredDataConnectors:
- connectorId: CiscoUmbrellaDataConnector
dataTypes:
- Cisco_Umbrella_proxy_CL
queryFrequency: 10m
queryPeriod: 10m
triggerOperator: gt
triggerThreshold: 0
tactics:
- CommandandControl
query: |
let lbtime = 10m;
Cisco_Umbrella
| where TimeGenerated > ago(lbtime)
| where EventType == 'proxylogs'
| where DvcAction =~ 'Allowed'
| where UrlOriginal matches regex @'\Ahttp:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.*'
| project TimeGenerated, SrcIpAddr, Identities
| extend IPCustomEntity = SrcIpAddr
| extend AccountCustomEntity = Identities
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity


@ -17,6 +17,9 @@ requiredDataConnectors:
- connectorId: PaloAltoNetworks
dataTypes:
- CommonSecurityLog
- connectorId: AzureFirewall
dataTypes:
- AzureDiagnostics
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
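Review bot: The new `AzureFirewall` connector entry declares `AzureDiagnostics` as its data type, but the query that would have to read that table lies outside this hunk, so I cannot confirm the rule actually consumes Azure Firewall data rather than only `CommonSecurityLog`. If the query does not union the two sources, the connector requirement is declared without being used; if it does, a short comment next to the new entry naming the firewall log category the query filters on would make the dependency explicit. The enclosing rule definition starts and ends outside the hunk.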


@ -0,0 +1,46 @@
id: faf1a6ff-53b5-4f92-8c55-4b20e9957594
name: Exchange OAB Virtual Directory Attribute Containing Potential Webshell
description: |
'This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065.
This query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services
where the new objects contain potential webshell objects. Ref: https://aka.ms/ExchangeVulns'
severity: High
requiredDataConnectors:
- connectorId: SecurityEvents
dataTypes:
- SecurityEvents
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1190
query: |
SecurityEvent
// Look for specific Directory Service Changes and parse data
| where EventID == 5136
| extend EventData = parse_xml(EventData).EventData.Data
| mv-expand bagexpansion = array EventData
| evaluate bag_unpack(EventData)
| extend Key =tostring(['@Name']), Value = ['#text']
| evaluate pivot(Key, any(Value),TimeGenerated, EventID, Computer, Account, AccountType, EventSourceName, Activity, SubjectAccount)
// Where changes relate to Exchange OAB
| where ObjectClass =~ "msExchOABVirtualDirectory"
// Look for InternalHostName or ExternalHostName properties being changed
| where AttributeLDAPDisplayName in ("msExchExternalHostName", "msExchInternalHostName")
// Look for suspected webshell activity
| where AttributeValue has "script"
| project-rename LastSeen = TimeGenerated
| project-reorder LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue
| extend timestamp = LastSeen, AccountCustomEntity = Account, HostCustomEntity = Computer
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: HostCustomEntity
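Review bot: `dataTypes` declares `SecurityEvents` while the query reads the `SecurityEvent` table; the other rules on this page put the table the query reads under `dataTypes` (`CommonSecurityLog`, `AzureDiagnostics`, `Cisco_Umbrella_proxy_CL`), so this entry should be `- SecurityEvent` for the connector check to line up with the query. Separately, `| where AttributeValue has "script"` is a whole-term, case-insensitive match rather than a substring match, which is a deliberate precision choice worth stating for whoever tunes the rule later, e.g. `// 'has' is a term match: "script" inside a longer token does not match`.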


@ -18,7 +18,7 @@ query: |
| where EventLog =~ "Application"
| where Source startswith "MSExchange"
| where EventLevelName =~ "error"
| where (RenderedDescription startswith "Watson report" and RenderedDescription contains "umworkerprocess" and RenderedDescription contains "TextFormattingRunProperties") or RenderedDescription startswith "An unhandled exception occurred in a UM worker process" or RenderedDescription startswith "The Microsoft Exchange Unified Messaging service"
| where (RenderedDescription startswith "Watson report" and RenderedDescription contains "umworkerprocess" and RenderedDescription contains "TextFormattingRunProperties") or RenderedDescription startswith "An unhandled exception occurred in a UM worker process" or RenderedDescription startswith "The Microsoft Exchange Unified Messaging service" or RenderedDescription contains "MSExchange Unified Messaging"
| where RenderedDescription !contains "System.OutOfMemoryException"
| extend timestamp = TimeGenerated, HostCustomEntity = Computer
entityMappings:
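Review bot: The added `or RenderedDescription contains "MSExchange Unified Messaging"` clause is a bare substring match across every error-level event from any `MSExchange*` source, far broader than the Watson-report conjunction next to it, with `System.OutOfMemoryException` on the following line as the only exclusion. That widening may well be intentional given the other branches, but it deserves a comment on the line stating what it is meant to catch, e.g. `// broad catch-all for UM service errors; expect more benign hits than the Watson branch`, or a narrower anchor such as `startswith` on the service-name phrase if the source events allow it. The enclosing query starts outside the hunk.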


@ -27,6 +27,7 @@ query: |
// A user account was enabled
| where EventID == 4722
| where AccountType =~ "User"
| where TargetAccount !hassuffix "$"
| project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName,
AccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid
| join kind= inner (
@ -34,7 +35,7 @@ query: |
| where TimeGenerated > ago(timeframe)
// A user account was disabled
| where EventID == 4725
| where AccountType == "User"
| where AccountType =~ "User"
| project DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer, UserPrincipalName,
AccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid
) on Computer, TargetAccount
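Review bot: The new `| where TargetAccount !hassuffix "$"` line carries no explanation; the trailing `$` convention identifies machine accounts, so a comment such as `// exclude computer accounts (names ending in "$")` would save the next reader a lookup. Applying the filter only on the 4722 branch is sufficient because the join at the end is `kind= inner` on `Computer, TargetAccount`, so any 4725 row for a machine account drops out as well; a brief comment there would make that dependency visible. The enclosing query starts outside the hunk.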


@ -17,8 +17,8 @@ relevantTechniques:
query: |
let scriptExtensions = dynamic([".php", ".jsp", ".js", ".aspx", ".asmx", ".asax", ".cfm", ".shtml"]);
http_proxy_oab_CL
| where Message contains "Download failed and temporary file"
| extend File = extract("([^\\\\]*)(\\\\[^']*)",2,Message)
| where RawData contains "Download failed and temporary file"
| extend File = extract("([^\\\\]*)(\\\\[^']*)",2,RawData)
| extend Extension = strcat(".",split(File, ".")[-1])
| extend InteractiveFile = iif(Extension in (scriptExtensions), "Yes", "No")
// Uncomment the following line to alert only on interactive file download type
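Review bot: `extract("([^\\\\]*)(\\\\[^']*)",2,RawData)` writes the backslashes with doubled escaping in an ordinary string literal, whereas the other KQL on this page uses verbatim `@'...'`/`@"..."` literals for regexes (`extract(@'.*(\.\w+)$', 1, UrlOriginal)`), so `| extend File = extract(@"([^\\]*)(\\[^']*)", 2, RawData)` would read the same as its neighbours. The switch from `Message` to `RawData` (taking the second line of each pair as the new side, as the print order suggests) is not explained; a one-line comment stating why the custom table exposes the log line in `RawData` would help. The enclosing query starts outside the hunk.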

5
Logos/cloudflare.svg Normal file

@ -0,0 +1,5 @@
<svg width="75" height="75" viewBox="0 0 75 75" fill="none" xmlns="http://www.w3.org/2000/svg">
<path d="M57.9129 36.0524L56.4192 35.4482C49.3989 51.4259 21.471 41.7122 19.7906 46.4654C19.5104 49.676 35.0419 47.0759 46.1454 47.6201C49.5313 47.7859 51.2293 50.3713 49.7915 54.5854L52.6234 54.5942C55.8901 44.2933 66.3155 49.5503 66.7512 46.1507C66.0354 43.9155 54.7696 46.1507 57.9129 36.0524Z" fill="white"/>
<path d="M50.5934 52.8234C51.0414 51.3125 50.8921 49.8016 50.1453 48.895C49.3983 47.9883 48.3527 47.3841 47.0083 47.233L21.0166 46.9306C20.8672 46.9306 20.7179 46.7796 20.5685 46.7796C20.4192 46.6285 20.4192 46.4775 20.5685 46.3264C20.7179 46.0243 20.8672 45.8729 21.1659 45.8729L47.307 45.5708C50.444 45.4198 53.7304 42.8512 54.9252 39.8294L56.4192 35.901C56.4192 35.7496 56.5685 35.5986 56.4192 35.4475C54.7758 27.7417 47.9046 22 39.8381 22C32.3692 22 25.946 26.8351 23.7053 33.6345C22.2116 32.5768 20.4192 31.9723 18.3278 32.1236C14.7427 32.4257 11.9046 35.4475 11.4563 39.0738C11.307 39.9804 11.4563 40.8871 11.6059 41.7935C5.78012 41.9445 1 46.7796 1 52.8234C1 53.4277 1 53.8811 1.14934 54.4854C1.14934 54.7878 1.44803 54.9388 1.59766 54.9388H49.5477C49.8464 54.9388 50.1453 54.7878 50.1453 54.4854L50.5934 52.8234Z" fill="#F4811F"/>
<path d="M58.8091 35.9013H58.0621C57.9128 35.9013 57.7635 36.0524 57.6141 36.2034L56.5684 39.8298C56.1204 41.3406 56.2697 42.8518 57.0167 43.7582C57.7634 44.6648 58.8091 45.2691 60.1535 45.4204L65.6806 45.7225C65.83 45.7225 65.9793 45.8736 66.1287 45.8736C66.278 46.0246 66.278 46.1757 66.1287 46.3268C65.9793 46.6292 65.83 46.7802 65.531 46.7802L59.8548 47.0824C56.7178 47.2334 53.4316 49.802 52.2366 52.8238L51.9376 54.1839C51.7883 54.335 51.9376 54.6371 52.2366 54.6371H71.9545C72.2532 54.6371 72.4025 54.486 72.4025 54.1839C72.7012 52.9751 72.9999 51.6153 72.9999 50.2552C72.9999 42.3983 66.5767 35.9013 58.8091 35.9013Z" fill="#FAAD3F"/>
</svg>



@ -0,0 +1,216 @@
// Usage Instruction :
// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias as Cloudflare.
// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. Cloudflare | take 10).
// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
Cloudflare_CL
| extend
BotScore_d=column_ifexists('BotScore_d', ''),
BotScoreSrc_s=column_ifexists('BotScoreSrc_s', ''),
CacheCacheStatus_s=column_ifexists('CacheCacheStatus_s', ''),
CacheResponseBytes_d=column_ifexists('CacheResponseBytes_d', ''),
CacheResponseStatus_d=column_ifexists('CacheResponseStatus_d', ''),
CacheTieredFill_b=column_ifexists('CacheTieredFill_b', ''),
ClientASN_d=column_ifexists('ClientASN_d', ''),
ClientCountry_s=column_ifexists('ClientCountry_s', ''),
ClientDeviceType_s=column_ifexists('ClientDeviceType_s', ''),
ClientIP_s=column_ifexists('ClientIP_s', ''),
ClientIPClass_s=column_ifexists('ClientIPClass_s', ''),
ClientRequestHost_s=column_ifexists('ClientRequestHost_s', ''),
ClientRequestMethod_s=column_ifexists('ClientRequestMethod_s', ''),
ClientRequestPath_s=column_ifexists('ClientRequestPath_s', ''),
ClientRequestProtocol_s=column_ifexists('ClientRequestProtocol_s', ''),
ClientRequestReferer_s=column_ifexists('ClientRequestReferer_s', ''),
ClientRequestURI_s=column_ifexists('ClientRequestURI_s', ''),
ClientRequestUserAgent_s=column_ifexists('ClientRequestUserAgent_s', ''),
ClientSSLCipher_s=column_ifexists('ClientSSLCipher_s', ''),
ClientSSLProtocol_s=column_ifexists('ClientSSLProtocol_s', ''),
ClientXRequestedWith_s=column_ifexists('ClientXRequestedWith_s', ''),
EdgeColoCode_s=column_ifexists('EdgeColoCode_s', ''),
EdgeColoID_d=column_ifexists('EdgeColoID_d', ''),
EdgeEndTimestamp_t=column_ifexists('EdgeEndTimestamp_t', ''),
EdgePathingOp_s=column_ifexists('EdgePathingOp_s', ''),
EdgePathingSrc_s=column_ifexists('EdgePathingSrc_s', ''),
EdgePathingStatus_s=column_ifexists('EdgePathingStatus_s', ''),
EdgeRateLimitAction_s=column_ifexists('EdgeRateLimitAction_s', ''),
EdgeRateLimitID_d=column_ifexists('EdgeRateLimitID_d', ''),
EdgeRequestHost_s=column_ifexists('EdgeRequestHost_s', ''),
EdgeResponseBytes_d=column_ifexists('EdgeResponseBytes_d', ''),
EdgeResponseCompressionRatio_d=column_ifexists('EdgeResponseCompressionRatio_d', ''),
EdgeResponseContentType_s=column_ifexists('EdgeResponseContentType_s', ''),
EdgeResponseStatus_d=column_ifexists('EdgeResponseStatus_d', ''),
EdgeServerIP_s=column_ifexists('EdgeServerIP_s', ''),
EdgeStartTimestamp_t=column_ifexists('EdgeStartTimestamp_t', ''),
FirewallMatchesActions_s=column_ifexists('FirewallMatchesActions_s', ''),
FirewallMatchesRuleIDs_s=column_ifexists('FirewallMatchesRuleIDs_s', ''),
FirewallMatchesSources_s=column_ifexists('FirewallMatchesSources_s', ''),
OriginIP_s=column_ifexists('OriginIP_s', ''),
OriginResponseBytes_d=column_ifexists('OriginResponseBytes_d', ''),
OriginResponseHTTPExpires_s=column_ifexists('OriginResponseHTTPExpires_s', ''),
OriginResponseHTTPLastModified_s=column_ifexists('OriginResponseHTTPLastModified_s', ''),
OriginResponseStatus_d=column_ifexists('OriginResponseStatus_d', ''),
OriginResponseTime_d=column_ifexists('OriginResponseTime_d', ''),
OriginSSLProtocol_s=column_ifexists('OriginSSLProtocol_s', ''),
ParentRayID_s=column_ifexists('ParentRayID_s', ''),
RayID_s=column_ifexists('RayID_s', ''),
SecurityLevel_s=column_ifexists('SecurityLevel_s', ''),
WAFAction_s=column_ifexists('WAFAction_s', ''),
WAFFlags_s=column_ifexists('WAFFlags_s', ''),
WAFMatchedVar_s=column_ifexists('WAFMatchedVar_s', ''),
WAFProfile_s=column_ifexists('WAFProfile_s', ''),
WAFRuleID_s=column_ifexists('WAFRuleID_s', ''),
WAFRuleMessage_s=column_ifexists('WAFRuleMessage_s', ''),
WorkerCPUTime_d=column_ifexists('WorkerCPUTime_d', ''),
WorkerStatus_s=column_ifexists('WorkerStatus_s', ''),
WorkerSubrequest_b=column_ifexists('WorkerSubrequest_b', ''),
WorkerSubrequestCount_d=column_ifexists('WorkerSubrequestCount_d', ''),
ZoneID_d=column_ifexists('ZoneID_d', ''),
Application_s=column_ifexists('Application_s', ''),
ClientMatchedIpFirewall_s=column_ifexists('ClientMatchedIpFirewall_s', ''),
ClientProto_s=column_ifexists('ClientProto_s', ''),
ClientTcpRtt_d=column_ifexists('ClientTcpRtt_d', ''),
ClientTlsCipher_s=column_ifexists('ClientTlsCipher_s', ''),
ClientTlsClientHelloServerName_s=column_ifexists('ClientTlsClientHelloServerName_s', ''),
ClientTlsProtocol_s=column_ifexists('ClientTlsProtocol_s', ''),
ClientTlsStatus_s=column_ifexists('ClientTlsStatus_s', ''),
ColoCode_s=column_ifexists('ColoCode_s', ''),
ConnectTimestamp_t=column_ifexists('ConnectTimestamp_t', ''),
DisconnectTimestamp_t=column_ifexists('DisconnectTimestamp_t', ''),
Event_s=column_ifexists('Event_s', ''),
IpFirewall_b=column_ifexists('IpFirewall_b', ''),
OriginBytes_d=column_ifexists('OriginBytes_d', ''),
OriginPort_d=column_ifexists('OriginPort_d', ''),
OriginProto_s=column_ifexists('OriginProto_s', ''),
OriginTcpRtt_d=column_ifexists('OriginTcpRtt_d', ''),
OriginTlsCipher_s=column_ifexists('OriginTlsCipher_s', ''),
OriginTlsFingerprint_s=column_ifexists('OriginTlsFingerprint_s', ''),
OriginTlsMode_s=column_ifexists('OriginTlsMode_s', ''),
OriginTlsProtocol_s=column_ifexists('OriginTlsProtocol_s', ''),
OriginTlsStatus_s=column_ifexists('OriginTlsStatus_s', ''),
ProxyProtocol_s=column_ifexists('ProxyProtocol_s', ''),
Status_d=column_ifexists('Status_d', ''),
Timestamp_t=column_ifexists('Timestamp_t', ''),
Action_s=column_ifexists('Action_s', ''),
ClientASNDescription_s=column_ifexists('ClientASNDescription_s', ''),
ClientRefererHost_s=column_ifexists('ClientRefererHost_s', ''),
ClientRefererPath_s=column_ifexists('ClientRefererPath_s', ''),
ClientRefererQuery_s=column_ifexists('ClientRefererQuery_s', ''),
ClientRefererScheme_s=column_ifexists('ClientRefererScheme_s', ''),
ClientRequestQuery_s=column_ifexists('ClientRequestQuery_s', ''),
ClientRequestScheme_s=column_ifexists('ClientRequestScheme_s', ''),
Datetime_t=column_ifexists('Datetime_t', ''),
Kind_s=column_ifexists('Kind_s', ''),
MatchIndex_d=column_ifexists('MatchIndex_d', ''),
OriginatorRayID_s=column_ifexists('OriginatorRayID_s', ''),
RuleID_s=column_ifexists('RuleID_s', ''),
Source_s=column_ifexists('Source_s', '')
| extend
SrcDvcType=iff(isempty(ClientDeviceType_s), iff(isempty(Source_s), '', Source_s), ClientDeviceType_s),
TlsCipher=iff(isempty(ClientSSLCipher_s), iff(isempty(ClientTlsCipher_s), '', ClientTlsCipher_s), ClientSSLCipher_s),
TlsVersion=iff(isempty(ClientSSLProtocol_s), iff(isempty(ClientTlsProtocol_s), '', ClientTlsProtocol_s), ClientSSLProtocol_s),
DvcAction=iff(isempty(FirewallMatchesActions_s), iff(isempty(Event_s), iff(isempty(Action_s), '', Action_s), Event_s), FirewallMatchesActions_s),
NetworkRuleName=iff(isempty(FirewallMatchesRuleIDs_s), iff(isempty(RuleID_s), '', RuleID_s), FirewallMatchesRuleIDs_s),
ClientRequestBytes_d=column_ifexists('ClientRequestBytes_d', column_ifexists('ClientBytes_d', '')),
ClientSrcPort_d=column_ifexists('ClientSrcPort_d', column_ifexists('ClientPort_d', '')),
EdgeResponseBytes_d=column_ifexists('EdgeResponseBytes_d', column_ifexists('OriginBytes_d', ''))
| project-rename
SrcBytes=ClientRequestBytes_d,
SrcPortNumber=ClientSrcPort_d,
DstBytes=EdgeResponseBytes_d,
BotScore=BotScore_d,
BotScoreSrc=BotScoreSrc_s,
CacheCacheStatus=CacheCacheStatus_s,
CacheResponseBytes=CacheResponseBytes_d,
CacheResponseStatus=CacheResponseStatus_d,
CacheTieredFill=CacheTieredFill_b,
ClientASN=ClientASN_d,
SrcGeoCountry=ClientCountry_s,
SrcIpAddr=ClientIP_s,
ClientIPClass=ClientIPClass_s,
HttpRequestHeaderHost=ClientRequestHost_s,
HttpRequestMethod=ClientRequestMethod_s,
ClientRequestPath=ClientRequestPath_s,
ClientRequestProtocol=ClientRequestProtocol_s,
HttpReferrerOriginal=ClientRequestReferer_s,
ClientRequestURI=ClientRequestURI_s,
HttpUserAgentOriginal=ClientRequestUserAgent_s,
ClientXRequestedWith=ClientXRequestedWith_s,
EdgeColoCode=EdgeColoCode_s,
EdgeColoID=EdgeColoID_d,
EdgeEndTimestamp=EdgeEndTimestamp_t,
EdgePathingOp=EdgePathingOp_s,
EdgePathingSrc=EdgePathingSrc_s,
EdgePathingStatus=EdgePathingStatus_s,
EdgeRateLimitAction=EdgeRateLimitAction_s,
EdgeRateLimitID=EdgeRateLimitID_d,
EdgeRequestHost=EdgeRequestHost_s,
EdgeResponseCompressionRatio=EdgeResponseCompressionRatio_d,
HttpContentType=EdgeResponseContentType_s,
EdgeResponseStatus=EdgeResponseStatus_d,
EdgeServerIP=EdgeServerIP_s,
EdgeStartTimestamp=EdgeStartTimestamp_t,
FirewallMatchesSources=FirewallMatchesSources_s,
DstIpAddr=OriginIP_s,
OriginResponseBytes=OriginResponseBytes_d,
OriginResponseHTTPExpires=OriginResponseHTTPExpires_s,
OriginResponseHTTPLastModified=OriginResponseHTTPLastModified_s,
HttpStatusCode=OriginResponseStatus_d,
OriginResponseTime=OriginResponseTime_d,
OriginSSLProtocol=OriginSSLProtocol_s,
ParentRayID=ParentRayID_s,
RayID=RayID_s,
SecurityLevel=SecurityLevel_s,
WAFAction=WAFAction_s,
WAFFlags=WAFFlags_s,
WAFMatchedVar=WAFMatchedVar_s,
WAFProfile=WAFProfile_s,
WAFRuleID=WAFRuleID_s,
WAFRuleMessage=WAFRuleMessage_s,
WorkerCPUTime=WorkerCPUTime_d,
WorkerStatus=WorkerStatus_s,
WorkerSubrequest=WorkerSubrequest_b,
WorkerSubrequestCount=WorkerSubrequestCount_d,
ZoneID=ZoneID_d,
Application=Application_s,
ClientMatchedIpFirewall=ClientMatchedIpFirewall_s,
NetworkProtocol=ClientProto_s,
ClientTcpRtt=ClientTcpRtt_d,
ClientTlsClientHelloServerName=ClientTlsClientHelloServerName_s,
ClientTlsStatus=ClientTlsStatus_s,
ColoCode=ColoCode_s,
ConnectTimestamp=ConnectTimestamp_t,
DisconnectTimestamp=DisconnectTimestamp_t,
IpFirewall=IpFirewall_b,
DstPortNumber=OriginPort_d,
OriginProto=OriginProto_s,
OriginTcpRtt=OriginTcpRtt_d,
OriginTlsCipher=OriginTlsCipher_s,
OriginTlsFingerprint=OriginTlsFingerprint_s,
OriginTlsMode=OriginTlsMode_s,
OriginTlsProtocol=OriginTlsProtocol_s,
OriginTlsStatus=OriginTlsStatus_s,
ProxyProtocol=ProxyProtocol_s,
EventResult=Status_d,
Timestamp=Timestamp_t,
ClientASNDescription=ClientASNDescription_s,
ClientRefererHost=ClientRefererHost_s,
ClientRefererPath=ClientRefererPath_s,
ClientRefererQuery=ClientRefererQuery_s,
ClientRefererScheme=ClientRefererScheme_s,
ClientRequestQuery=ClientRequestQuery_s,
ClientRequestScheme=ClientRequestScheme_s,
Datetime=Datetime_t,
EventSubType=Kind_s,
MatchIndex=MatchIndex_d,
OriginatorRayID=OriginatorRayID_s
| project-away
ClientDeviceType_s,
Source_s,
ClientSSLCipher_s,
ClientTlsCipher_s,
ClientSSLProtocol_s,
ClientTlsProtocol_s,
FirewallMatchesActions_s,
Event_s,
Action_s,
FirewallMatchesRuleIDs_s,
RuleID_s
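Review bot: The `OriginBytes_d` fallback in `EdgeResponseBytes_d=column_ifexists('EdgeResponseBytes_d', column_ifexists('OriginBytes_d', ''))` can never apply, because the first `extend` already materialises `EdgeResponseBytes_d` via `column_ifexists('EdgeResponseBytes_d', '')`, so by the second `extend` the column always exists (holding `''` when the source table lacks it). Dropping the `EdgeResponseBytes_d=column_ifexists('EdgeResponseBytes_d', ''),` line from the first `extend` restores the intended fallback; `ClientRequestBytes_d` and `ClientSrcPort_d` are not pre-extended and so behave as intended. Relatedly, every `_d`, `_b` and `_t` column defaults to the string `''`, so when a column is absent the normalised field (e.g. `SrcBytes`, `EventResult`, `Timestamp`) comes out as a string rather than a real/bool/datetime; typed defaults such as `real(null)`, `bool(null)` and `datetime(null)` keep the schema stable across tables. The usage header could also state that the function merges several Cloudflare log types into one schema, since the column groups after `ZoneID_d` clearly belong to different event kinds.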


@ -1,8 +1,8 @@
// Title: Broadcom Symantec Endpoint Protection (SEP)
// Author: Microsoft
// Version: 1.0
// Last Updated: 12/15/2020
// Comment: Inital Release
// Version: 1.1
// Last Updated: 03/12/2020
// Comment: Added parsing for Administrative Logs
//
// DESCRIPTION:
// This parser takes raw Symantec Endpoint Protection (SEP) logs from a Syslog stream and parses the logs into a normalized schema.
@ -31,16 +31,20 @@
let LogHeader = Syslog
| where Computer in ("server1", "server2") // server1 and server2 are examples, replace this list with your SEP device names
| extend ServerName = extract(@"^([\w\-\_]+)?(,|\Site:)",1,SyslogMessage)
// Administrative Log Header
| extend AdministrativeLogsParser = extract_all(@"Site:\s([^,]+)\,Server\sName\:\s([^,]+)\,Domain\sName\:\s([^,]+)?\,Admin\:\s([^,]+)?\,Event\sDescription\:\s([^#]+)?(#|$)",dynamic([1,2,3,4,5,6,7]), SyslogMessage)
| mv-expand AdministrativeLogsParser
| extend LogType = iif(isnotempty(AdministrativeLogsParser),"Administrative Logs", "")
// Agent System Log Header
| extend AgentSystemLogsParser = extract_all(@'^([^,]+)\,Category:\s([\d]+)\,([^,]+)\,\"?Event\sDescription:\s([^,]+\"?)(\,Event time:\s([^,]+)\,Group Name:\s([^,]+)$?)?',dynamic([1,2,3,4,6,7]), SyslogMessage)
| mv-expand AgentSystemLogsParser
| extend LogType = iif(isnotempty(AgentSystemLogsParser),"Agent System Logs","")
| extend LogType = iif(isempty(LogType) and isnotempty(AgentSystemLogsParser),"Agent System Logs",LogType)
// Agent Activity Log Header
| extend AgentActivityLogsParser = extract_all(@"Site:\s([^,]+)\,Server\sName\:\s([^,]+)\,Domain\sName\:\s([^,]+)?\,([^,]+)?\,([^,]+)?\,([^,]+)?\,([^,]+)?",dynamic([1,2,3,4,5,6,7]), SyslogMessage)
| mv-expand AgentActivityLogsParser
| extend LogType = iif(isempty(LogType) and isnotempty(AgentActivityLogsParser),"Agent Activity Logs", LogType)
// Agent Behavior Log Header
| extend AgentBehaviorLogsParser = extract_all(@"^([^,]+)\,([^,]+)\,([^,]+)\,([^,]+)\,([^,]+)\,Begin:\s([^,]+)\,End Time:\s([^,]+)\,Rule:\s([^,]+)\,(\d+)\,([^,]+)\,([\S\s]+)",dynamic([1,2,3,4,5,6,7,8,9,10,11]),SyslogMessage)
| extend AgentBehaviorLogsParser = extract_all(@"^([^,]+)\,([\d\.]+)\,([^,]+)\,([^,]+)\,([^,]+)\,Begin:\s([^,]+)\,End Time:\s([^,]+)\,Rule:\s([^,]+)\,(\d+)\,([^,]+)\,([\S\s]+)",dynamic([1,2,3,4,5,6,7,8,9,10,11]),SyslogMessage)
| mv-expand AgentBehaviorLogsParser
| extend AgentBehaviorLogsSubstring = tostring(AgentBehaviorLogsParser[10])
| extend AgentBehaviorLogsParser2 = extract_all(@"([^,]+)\,([^,]+)\,([^,]+)\,User Name:\s([^,]+)?\,Domain Name:\s([^,]+)?\,Action Type:\s([^,]+)?\,File size \(bytes\):\s(\d+)?\,Device ID:\s([^,]+)?",dynamic([1,2,3,4,5,6,7,8]),AgentBehaviorLogsSubstring)
@ -77,6 +81,14 @@ let LogHeader = Syslog
| extend AgentRiskLogsParser4 = extract_all(@"^Certificate signer:\s([^,]+)?\,Certificate thumbprint:\s([^,]+)?\,Signing timestamp:\s([^,]+)?\,Certificate serial number:\s([^,]+)?(\,|$)",dynamic([1,2,3,4]),AgentRiskLogsSubstring3)
| mv-expand AgentRiskLogsParser4
| extend LogType = iif(isempty(LogType) and isnotempty(AgentRiskLogsParser) and isnotempty(AgentRiskLogsParser2) and isnotempty(AgentRiskLogsParser3),"Agent Risk Logs",LogType);
// Administrative Log Parser
let AdministrativeLogs = LogHeader
| where LogType == "Administrative Logs"
| extend SiteName = tostring(AdministrativeLogsParser[0]),
ServerName = tostring(AdministrativeLogsParser[1]),
DomainName = tostring(AdministrativeLogsParser[2]),
AdminName = tostring(AdministrativeLogsParser[3]),
EventDescription = tostring(AdministrativeLogsParser[4]);
// Agent System Log Parser
let AgentSystemLogs = LogHeader
| where LogType == "Agent System Logs"
@ -126,7 +138,7 @@ let AgentTrafficLogs = LogHeader
RemoteHostName = tostring(AgentTrafficLogsParser[5]),
RemotePortNumber = toint(AgentTrafficLogsParser[6]),
RemoteHostMacAddr = tostring(AgentTrafficLogsParser[7]),
NetworkProtocol = tostring(AgentTrafficLogsParser[8]),
NetworkProtocol = toint(AgentTrafficLogsParser[8]),
TrafficDirection = tostring(AgentTrafficLogsParser[9]),
EventStartTime = todatetime(AgentTrafficLogsParser[10]),
EventEndTime = todatetime(AgentTrafficLogsParser[11]),
@ -150,7 +162,7 @@ let AgentSecurityLogs = LogHeader
RemoteHostIpAddr = tostring(AgentSecurityLogsParser[7]),
RemoteHostMacAddr = tostring(AgentSecurityLogsParser[8]),
TrafficDirection = tostring(AgentSecurityLogsParser[9]),
NetworkProtocol = tostring(AgentSecurityLogsParser[10]),
NetworkProtocol = toint(AgentSecurityLogsParser[10]),
IntrusionId = tostring(AgentSecurityLogsParser[11]),
EventStartTime = todatetime(AgentSecurityLogsParser[13]),
EventEndTime = todatetime(AgentSecurityLogsParser[14])
@ -185,7 +197,7 @@ let AgentRiskLogs = LogHeader
SrcHostName = tostring(AgentRiskLogsParser[2]),
Source = tostring(AgentRiskLogsParser[3]),
RiskName = tostring(AgentRiskLogsParser[4]),
Occurrences = toint(AgentRiskLogsParser[5]),
Occurences = toint(AgentRiskLogsParser[5]),
FilePath = iif(isempty(tostring(AgentRiskLogsParser[6])),tostring(AgentRiskLogsParser[7]),tostring(AgentRiskLogsParser[6])),
EventDescription = tostring(AgentRiskLogsParser[8]),
ActualAction = tostring(AgentRiskLogsParser[9]),
@ -201,11 +213,11 @@ let AgentRiskLogs = LogHeader
ServerName = tostring(AgentRiskLogsParser2[4]),
UserName = tostring(AgentRiskLogsParser2[5]),
SrcComputerName = tostring(AgentRiskLogsParser2[6]),
SrcComputerIpAddr = tostring(AgentRiskLogsParser2[7]),
SrcComputerIPAddr = tostring(AgentRiskLogsParser2[7]),
Disposition = tostring(AgentRiskLogsParser2[8]),
DownloadSite = tostring(AgentRiskLogsParser2[9]),
WebDomain = tostring(AgentRiskLogsParser2[10]),
DownloadedBy = tostring(AgentRiskLogsParser2[11]),
DonwloadedBy = tostring(AgentRiskLogsParser2[11]),
Prevalence = tostring(AgentRiskLogsParser2[12]),
Confidence = tostring(AgentRiskLogsParser2[13]),
UrlTrackingStatus = tostring(AgentRiskLogsParser2[14])
@ -218,22 +230,18 @@ let AgentRiskLogs = LogHeader
ApplicationName = tostring(AgentRiskLogsParser3[6]),
ApplicationVersion = tostring(AgentRiskLogsParser3[7]),
ApplicationType = tostring(AgentRiskLogsParser3[8]),
FileSize = toint(AgentRiskLogsParser3[9]),
FileSize = tostring(AgentRiskLogsParser3[9]),
CategorySet = tostring(AgentRiskLogsParser3[10]),
CategoryType = tostring(AgentRiskLogsParser3[11]),
Location = tostring(AgentRiskLogsParser3[12]),
IntensiveProtectionLevel = tostring(AgentRiskLogsParser3[13]),
CertificateIssuer = tostring(AgentRiskLogsParser3[14])
| extend CertificateSigner = tostring(AgentRiskLogsParser4[0]),
CertificateThumbprint = tostring(AgentRiskLogsParser4[1]),
CertificateThumprint = tostring(AgentRiskLogsParser4[1]),
SigningTimestamp = tostring(AgentRiskLogsParser4[2]),
CertificateSerialNumber = tostring(AgentRiskLogsParser4[3]);
// All Other Logs - Captures all other logs not specifically identified
let AllOtherLogs = LogHeader
| where LogType !in ("Agent System Logs","Agent Activity Logs","Agent Behavior Logs", "Agent Traffic Logs","Agent Security Logs", "Agent Packet Logs", "Agent Risk Logs")
| extend LogType = iif(isempty(LogType),"Other",LogType),
SiteName = extract(@"Site Name:\s([^,]\,)",1,SyslogMessage),
ServerName = extract(@"Server Name:\s([^,]\,)",1,SyslogMessage),
EventDescription = extract(@"Event Description:\s([^,]+)(\,|$)",1,SyslogMessage);
union AgentActivityLogs, AgentBehaviorLogs, AgentSystemLogs, AgentTrafficLogs, AgentSecurityLogs, AgentPacketLogs, AgentRiskLogs, AllOtherLogs
| project-away AgentBehaviorLogsParser, AgentBehaviorLogsParser2, AgentTrafficLogsParser, AgentTrafficLogsParser2, AgentTrafficLogsSubstring, AgentActivityLogsParser, AgentBehaviorLogsSubstring, AgentSecurityLogsParser, AgentSecurityLogsSubstring, AgentSecurityLogsParser2, AgentSystemLogsParser, AgentPacketLogsParser, AgentRiskLogsParser, AgentRiskLogsParser2, AgentRiskLogsParser3, AgentRiskLogsParser4, AgentRiskLogsSubstring, AgentRiskLogsSubstring2, AgentRiskLogsSubstring3
| where LogType !in ("Agent System Logs","Agent Activity Logs","Agent Behavior Logs", "Agent Traffic Logs","Agent Security Logs", "Agent Packet Logs", "Agent Risk Logs", "Administrative Logs");
union AdministrativeLogs, AgentActivityLogs, AgentBehaviorLogs, AgentSystemLogs, AgentTrafficLogs, AgentSecurityLogs, AgentPacketLogs, AgentRiskLogs, AllOtherLogs
| project-away AgentBehaviorLogsParser, AgentBehaviorLogsParser2, AgentTrafficLogsParser, AgentTrafficLogsParser2, AgentTrafficLogsSubstring, AgentActivityLogsParser, AgentBehaviorLogsSubstring, AgentSecurityLogsParser, AgentSecurityLogsSubstring, AgentSecurityLogsParser2, AgentSystemLogsParser, AgentPacketLogsParser, AgentRiskLogsParser, AgentRiskLogsParser2, AgentRiskLogsParser3, AgentRiskLogsParser4, AgentRiskLogsSubstring, AgentRiskLogsSubstring2, AgentRiskLogsSubstring3, AdministrativeLogsParser



@ -0,0 +1,663 @@
[{
"ProcessCreateFlags":"525332",
"IntegrityLevel":"4096",
"ParentProcessId":"2065892889926",
"SourceProcessId":"2065892889926",
"aip":"165.165.165.165",
"SHA1HashData":"0000000000000000000000000000000000000000",
"UserSid":"S-1-12-1-3105947409-1312664182-3305734049-3050736265",
"event_platform":"Win",
"TokenType":"2",
"ProcessEndTime":"",
"AuthenticodeHashData":"7e23eb59249cc9d1be47b6e0dd9e89039d5dc6eb70b5105051ed739418a68c5e",
"ParentBaseFileName":"svchost.exe",
"RpcClientProcessId":"2065892889926",
"ImageSubsystem":"2",
"id":"8b1852b8-649f-11eb-811e-06ca739c04b7",
"EffectiveTransmissionClass":"3",
"SessionId":"1",
"Tags":"53, 54, 55, 12094627905582, 12094627906234",
"timestamp":"1612192196113",
"event_simpleName":"ProcessRollup2",
"RawProcessId":"19076",
"ConfigStateHash":"4091923303",
"MD5HashData":"b7fc4a29431d4f795bbab1fb182b759a",
"SHA256HashData":"48b9eb1e31b0c2418742ce07675d58c974dd9f03007988c90c1e38f217f5c65b",
"ProcessSxsFlags":"1600",
"AuthenticationId":"1259939",
"ConfigBuild":"1007.3.0012806.1",
"WindowFlags":"128",
"CommandLine":"\"C:\\Windows\\system32\\BackgroundTaskHost.exe\" -ServerName:BackgroundTaskHost.WebAccountProvider",
"ParentAuthenticationId":"1259939",
"TargetProcessId":"2119008022556",
"ImageFileName":"\\Device\\HarddiskVolume3\\Windows\\System32\\backgroundTaskHost.exe",
"SourceThreadId":"67139455641525",
"Entitlements":"15",
"name":"ProcessRollup2V19",
"ProcessStartTime":"1612192197.855",
"ProcessParameterFlags":"16385",
"aid":"f0b5394377fb4cc1592c660de3ac2ccb",
"SignInfoFlags":"9175042",
"cid":"e941027a2d1141f189b6c6c049c83215"
},
{
"ScreenshotsTakenCount":"0",
"ExitCode":"0",
"ParentProcessId":"1421648597103",
"UserSid":"S-1-5-20",
"NetworkListenCount":"0",
"SuspiciousRawDiskReadCount":"0",
"NetworkBindCount":"0",
"NetworkRecvAcceptCount":"0",
"ContextData":"",
"id":"9047859a-649f-11eb-b1b3-068090ee3e49",
"NewExecutableWrittenCount":"0",
"ExeAndServiceCount":"0",
"NetworkCloseCount":"0",
"SuspectStackCount":"0",
"CLICreationCount":"0",
"UnsignedModuleLoadCount":"0",
"UserTime":"156250",
"event_simpleName":"EndOfProcess",
"RawProcessId":"13184",
"ContextTimeStamp":"1612192202.219",
"AllocateVirtualMemoryCount":"0",
"ContextProcessId":"1437581318764",
"ServiceEventCount":"0",
"SnapshotFileOpenCount":"0",
"RemovableDiskFileWrittenCount":"0",
"InjectedDllCount":"0",
"ModuleLoadCount":"39",
"UserMemoryProtectExecutableCount":"0",
"NetworkCapableAsepWriteCount":"0",
"TargetProcessId":"1437581318764",
"DnsRequestCount":"0",
"ArchiveFileWrittenCount":"0",
"Entitlements":"15",
"name":"EndOfProcessV15",
"ProcessStartTime":"1612192112.216",
"SetThreadContextCount":"0",
"SuspiciousCredentialModuleLoadCount":"0",
"aid":"d4a94db4404b42d95ae69960dd2364a5",
"cid":"e941027a2d1141f189b6c6c049c83215",
"FileDeletedCount":"0",
"UserMemoryAllocateExecutableCount":"0",
"DirectoryCreatedCount":"0",
"NetworkConnectCountUdp":"0",
"QueueApcCount":"0",
"ContextThreadId":"75529593909860",
"aip":"165.165.165.165",
"SuspiciousFontLoadCount":"0",
"ConHostId":"1152",
"NetworkConnectCount":"0",
"BinaryExecutableWrittenCount":"0",
"CycleTime":"105226185",
"event_platform":"Win",
"ConHostProcessId":"1421648597103",
"PrivilegedProcessHandleCount":"0",
"MaxThreadCount":"10",
"ImageSubsystem":"2",
"GenericFileWrittenCount":"0",
"EffectiveTransmissionClass":"3",
"ScriptEngineInvocationCount":"0",
"RunDllInvocationCount":"0",
"timestamp":"1612192204811",
"CreateProcessCount":"0",
"KernelTime":"312500",
"DirectoryEnumeratedCount":"0",
"ConfigStateHash":"4091923303",
"AsepWrittenCount":"0",
"SuspiciousDnsRequestCount":"0",
"DocumentFileWrittenCount":"0",
"ProtectVirtualMemoryCount":"0",
"SHA256HashData":"b5c78bef3883e3099f7ef844da1446db29107e5c0223b97f29e7fafab5527f15",
"UserMemoryProtectExecutableRemoteCount":"0",
"ConfigBuild":"1007.3.0012806.1",
"UserMemoryAllocateExecutableRemoteCount":"0",
"ExecutableDeletedCount":"0",
"RegKeySecurityDecreasedCount":"0",
"InjectedThreadCount":"0",
"NetworkModuleLoadCount":"0"
},
{
"event_simpleName":"DnsRequest",
"ContextTimeStamp":"1612192188.546",
"ConfigStateHash":"1187562179",
"ContextProcessId":"593354899211",
"DomainName":"domain1",
"ContextThreadId":"26667268649418",
"aip":"82.82.82.82",
"QueryStatus":"9003",
"InterfaceIndex":"0",
"ConfigBuild":"1007.3.0012806.1",
"event_platform":"Win",
"DnsRequestCount":"1",
"DualRequest":"0",
"Entitlements":"15",
"name":"DnsRequestV4",
"id":"881d1128-649f-11eb-9c59-022209fbed9d",
"EffectiveTransmissionClass":"3",
"aid":"eb2763e9afca47c996acf2a8e6651f18",
"timestamp":"1612192191111",
"cid":"e941027a2d1141f189b6c6c049c83215",
"RequestType":"1"
},
{
"ChannelVersion":"2353",
"event_simpleName":"ChannelVersionRequired",
"ConfigStateHash":"3574986334",
"aip":"165.165.165.165",
"ChannelVersionRequired":"0",
"ChannelId":"200",
"ConfigBuild":"1007.3.0012806.1",
"event_platform":"Win",
"Entitlements":"15",
"name":"ChannelVersionRequiredV1",
"id":"7d66d49d-649f-11eb-8ef0-06f5d9b66909",
"EffectiveTransmissionClass":"0",
"aid":"ec61c9f00a054a7c499eb92b9f67e2ab",
"timestamp":"1612192173140",
"cid":"e941027a2d1141f189b6c6c049c83215"
},
{
"LocalAddressIP4":"10.10.10.10",
"event_simpleName":"NetworkConnectIP4",
"ContextTimeStamp":"1612192203.293",
"ConfigStateHash":"3840237054",
"ConnectionFlags":"0",
"ContextProcessId":"1435198812605",
"RemotePort":"443",
"ContextThreadId":"35388335972466",
"aip":"104.104.104.104",
"ConfigBuild":"1007.3.0012806.1",
"event_platform":"Win",
"LocalPort":"54781",
"Entitlements":"15",
"name":"NetworkConnectIP4V5",
"id":"8fbf8c4c-649f-11eb-93e6-06d64cd93503",
"Protocol":"6",
"EffectiveTransmissionClass":"3",
"aid":"124bdfdf1dcf4bdb6cf503d3b93a8e36",
"RemoteAddressIP4":"52.52.52.52",
"ConnectionDirection":"0",
"InContext":"0",
"timestamp":"1612192203920",
"cid":"e941027a2d1141f189bc6c049c83215"
},
{
"ModuleCharacteristics":"8450",
"ContextThreadId":"118013339024792",
"aip":"189.189.189.189",
"OriginalEventTimeStamp":"1612192206.828",
"SHA1HashData":"0000000000000000000000000000000000000000",
"event_platform":"Win",
"MappedFromUserMode":"1",
"AuthenticodeHashData":"c733fb7f27aeb8af40676839d86bf52a58e175436de685abbc25bb881c3da65f",
"id":"92b01584-649f-11eb-b4d4-02d8cc9f6f77",
"EffectiveTransmissionClass":"3",
"timestamp":"1612192208852",
"event_simpleName":"ImageHash",
"ContextTimeStamp":"1612192206.828",
"ConfigStateHash":"4091923303",
"ContextProcessId":"4770863664501",
"MD5HashData":"2d84620a2580073a2940067e9153243b",
"SHA256HashData":"7db6c8d5f59adbcda1fd8e4052cd0f0ad2d409b19e4ead5d9800e63913c478fb",
"ConfigBuild":"1007.3.0012806.1",
"TargetProcessId":"4770863664501",
"TreeId":"249108533330",
"ImageFileName":"\\Device\\HarddiskVolume3\\Windows\\SysWOW64\\gdi32.dll",
"Entitlements":"15",
"name":"ImageHashV4",
"PrimaryModule":"0",
"aid":"f46cf24c09c545c06826924f56e9b12",
"SignInfoFlags":"9175042",
"cid":"e941027a2d1141f89b6c6c049c83215"
},
{
"event_simpleName":"SensorHeartbeat",
"ConfigStateHash":"1187562179",
"NetworkContainmentState":"0",
"aip":"165.165.165.165",
"ConfigIDBase":"65994753",
"SensorStateBitMap":"0",
"ConfigBuild":"1007.3.0012806.1",
"event_platform":"Win",
"ConfigurationVersion":"10",
"Entitlements":"15",
"name":"SensorHeartbeatV4",
"ConfigIDPlatform":"3",
"id":"99d1e81e-649f-11eb-b627-06e39ca35a05",
"ConfigIDBuild":"12806",
"EffectiveTransmissionClass":"0",
"aid":"265ebfb466e649e14f739b2ec82ef4c0",
"ProvisionState":"1",
"timestamp":"1612192220818",
"cid":"e941027a2d1141f89b6c6c049c83215"
},
{
"Parameter2":"104741656",
"event_simpleName":"ErrorEvent",
"Parameter1":"3934815034",
"Parameter3":"0",
"ConfigStateHash":"4091923303",
"aip":"104.104.104.104",
"Line":"1066",
"ConfigBuild":"1007.3.0012806.1",
"event_platform":"Win",
"ErrorStatus":"3221227780",
"Entitlements":"15",
"name":"ErrorEventV1",
"id":"851075fd-649f-11eb-9d98-0256c1ba3b87",
"Facility":"67109928",
"EffectiveTransmissionClass":"0",
"aid":"7eece200f1444be9650676f1460ec1f4",
"File":"0",
"timestamp":"1612192185995",
"cid":"e941027a2d114189b6c6c049c83215"
},
{
"Options":"35651617",
"ContextThreadId":"34965671247409",
"MinorFunction":"0",
"aip":"47.47.47.47",
"FileIdentifier":"f31039767b57934cab36a2c87ff011b649010000001a00",
"Information":"2",
"event_platform":"Win",
"ShareAccess":"3",
"id":"9c750397-649f-11eb-a468-02143f29d047",
"FileObject":"18446614397218495824",
"EffectiveTransmissionClass":"3",
"FileAttributes":"128",
"timestamp":"1612192225242",
"Status":"0",
"event_simpleName":"DirectoryCreate",
"ContextTimeStamp":"1612192225.647",
"ConfigStateHash":"370429029",
"ContextProcessId":"1015925104824",
"IrpFlags":"2180",
"ConfigBuild":"1007.3.0012806.1",
"MajorFunction":"0",
"DesiredAccess":"1048577",
"Entitlements":"15",
"name":"DirectoryCreateV1",
"OperationFlags":"0",
"aid":"d9a8e94338e34c667ac3c406b33a26",
"cid":"e941027a2d114189b6c6c049c83215",
"TargetFileName":"\\Device\\HarddiskVolume4\\Users\\T\\AppData\\Local\\Temp\\{A6EDA298-D2B2-43BD-BF53-4AAC80A8F624}"
},
{
"event_simpleName":"SetWinEventHookEtw",
"RawProcessId":"0",
"ContextTimeStamp":"1612192180.085",
"ConfigStateHash":"1002018934",
"EtwRawProcessId":"12680",
"ContextProcessId":"1462865029781",
"EventMax":"2147483410",
"SourceProcessId":"0",
"aip":"147.147.147.147",
"EtwRawThreadId":"13348",
"Flags":"0",
"ConfigBuild":"1007.3.0012806.1",
"event_platform":"Win",
"EventMin":"2147483408",
"SourceThreadId":"0",
"Entitlements":"15",
"name":"SetWinEventHookEtwV1",
"RawThreadId":"0",
"id":"8004b527-649f-11eb-9488-024e6bf3d6b1",
"EffectiveTransmissionClass":"3",
"aid":"e30dfd2dac46425c721ffb42691c1c",
"timestamp":"1612192177530",
"cid":"e941027a2d1141f9b6c6c049c83215"
},
{
"LocalAddressIP4":"10.10.10.10",
"event_simpleName":"NetworkReceiveAcceptIP4",
"ContextTimeStamp":"1612192231.439",
"ConfigStateHash":"976821965",
"ConnectionFlags":"0",
"ContextProcessId":"138285062270780",
"RemotePort":"137",
"aip":"165.165.165.165",
"ConfigBuild":"1007.3.0012806.1",
"event_platform":"Win",
"LocalPort":"137",
"Entitlements":"15",
"name":"NetworkReceiveAcceptIP4V5",
"id":"a02b6add-649f-11eb-a61c-027816f012a3",
"Protocol":"17",
"EffectiveTransmissionClass":"3",
"aid":"acd89ebd166344b17e6d7018dbde25cc",
"RemoteAddressIP4":"23.23.23.23",
"ConnectionDirection":"1",
"InContext":"0",
"timestamp":"1612192231470",
"cid":"e941027a2d1141f186c6c049c83215"
},
{
"event_simpleName":"RegisterRawInputDevicesEtw",
"ContextTimeStamp":"1612192192.661",
"ConfigStateHash":"4091923303",
"EtwRawProcessId":"9528",
"ContextProcessId":"2801870511975",
"aip":"71.71.71.71",
"EtwRawThreadId":"9428",
"ApiReturnValue":"1",
"ConfigBuild":"1007.3.0012806.1",
"event_platform":"Win",
"Entitlements":"15",
"name":"RegisterRawInputDevicesEtwV1",
"id":"89e6dbf0-649f-11eb-b45d-022d70a19ab5",
"EffectiveTransmissionClass":"3",
"aid":"ede5911c3ded4cac6927ee72eef376ba",
"timestamp":"1612192194111",
"cid":"e941027a2d1141f9b6c6c049c83215"
},
{
"Size":"14712251",
"ContextThreadId":"165986129080464",
"MinorFunction":"0",
"aip":"185.185.185.185",
"IsOnNetwork":"0",
"FileIdentifier":"5399f2747c5de811960c806e6f6e69632cc701000000e31f",
"event_platform":"Win",
"TokenType":"1",
"id":"7d82fc3d-649f-11eb-86d4-06271f28c015",
"FileObject":"2292681824",
"EffectiveTransmissionClass":"3",
"timestamp":"1612192173324",
"event_simpleName":"DmpFileWritten",
"ContextTimeStamp":"1612192172.528",
"ConfigStateHash":"3840237054",
"ContextProcessId":"30359610206388",
"IrpFlags":"1028",
"AuthenticationId":"237790",
"ConfigBuild":"1007.3.0012806.1",
"FileEcpBitmask":"0",
"MajorFunction":"18",
"IsOnRemovableDisk":"0",
"Entitlements":"15",
"name":"DmpFileWrittenV12",
"OperationFlags":"0",
"aid":"e7149f2a8a69453b74a072f67cfc4d",
"cid":"e941027a2d1141f9b6c6c049c83215",
"TargetFileName":"\\Device\\HarddiskVolume1\\ProgramData\\Zscaler\\ZSATray.exe.11924.dmp"
},
{
"Size":"5120",
"ContextThreadId":"20459934839588",
"MinorFunction":"0",
"aip":"165.165.165.165",
"IsOnNetwork":"0",
"FileIdentifier":"405e4cec2cac994b802c88a89583ce852db9000000002e00",
"event_platform":"Win",
"TokenType":"1",
"DiskParentDeviceInstanceId":"PCI\\VEN_8086&DEV_F1A6&SUBSYS_390B8086&REV_03\\4&280be160&0&00E4",
"id":"954b4f19-649f-11eb-86b9-06f80c26adc1",
"FileObject":"18446698488861015536",
"EffectiveTransmissionClass":"3",
"timestamp":"1612192213225",
"event_simpleName":"PeFileWritten",
"ContextTimeStamp":"1612192154.275",
"ConfigStateHash":"1187562179",
"IsTransactedFile":"0",
"ContextProcessId":"538129154765",
"IrpFlags":"1028",
"SHA256HashData":"28ca0d1c692331a22174be034be2d6a39f4c1868e2a7b23172335554fcd1e681",
"AuthenticationId":"999",
"ConfigBuild":"1007.3.0012806.1",
"FileEcpBitmask":"0",
"MajorFunction":"18",
"IsOnRemovableDisk":"0",
"Entitlements":"15",
"name":"PeFileWrittenV15",
"OperationFlags":"0",
"aid":"578817b172b44b32fec1ab92ea86b0",
"cid":"e941027a2d1141f1b6c6c049c83215",
"TargetFileName":"\\Device\\HarddiskVolume3\\Windows\\Temp\\2C957836-F162-4817-87B7-A6668CC4AE78\\en-US\\UnattendProvider.dll.mui"
},
{
"Options":"33554532",
"ContextThreadId":"76915493345508",
"MinorFunction":"0",
"aip":"147.147.147.147",
"Information":"2",
"FileIdentifier":"edc203080b0ab8458680afe68146b1ed6c62010000009700",
"event_platform":"Win",
"ShareAccess":"0",
"id":"80d5ae7b-649f-11eb-9488-024e6bf3d6b1",
"FileObject":"18446634184237273600",
"EffectiveTransmissionClass":"3",
"FileAttributes":"0",
"timestamp":"1612192178899",
"Status":"0",
"event_simpleName":"NewExecutableWritten",
"ContextTimeStamp":"1612192178.595",
"ConfigStateHash":"1002018934",
"ContextProcessId":"1462865029781",
"IrpFlags":"2180",
"ConfigBuild":"1007.3.0012806.1",
"MajorFunction":"0",
"DesiredAccess":"1180054",
"Entitlements":"15",
"name":"NewExecutableWrittenV1",
"OperationFlags":"0",
"aid":"e30dfd2dac464a925c721ffb42691c1c",
"cid":"e941027a2d1141f189b6c6c049c83215",
"TargetFileName":"\\Device\\HarddiskVolume3\\Users\\S\\AppData\\Local\\assembly\\tmp\\VVCQJISQ\\Newtonsoft.Json.DLL"
},
{
"Options":"88080484",
"ContextThreadId":"121390994923701",
"MinorFunction":"0",
"aip":"165.165.165.165",
"Information":"2",
"FileIdentifier":"8e22c65ac1de534d924b77bef9724e893b34000000007e01",
"event_platform":"Win",
"ShareAccess":"1",
"id":"9a1112a6-649f-11eb-a1a0-02d051f2be4b",
"FileObject":"18446705066600845600",
"EffectiveTransmissionClass":"3",
"FileAttributes":"0",
"timestamp":"1612192221231",
"Status":"0",
"event_simpleName":"NewScriptWritten",
"ContextTimeStamp":"1612192219.844",
"ConfigStateHash":"4091923303",
"ContextProcessId":"2092451718379",
"IrpFlags":"2180",
"ConfigBuild":"1007.3.0012806.1",
"MajorFunction":"0",
"DesiredAccess":"1180054",
"Entitlements":"15",
"name":"NewScriptWrittenV7",
"OperationFlags":"0",
"aid":"1d26eadfb948448653c36c1b900df377",
"cid":"e941027a2d1141f189b6c6c049c83215",
"TargetFileName":"\\Device\\HarddiskVolume3\\Windows\\Temp\\__PSS.ps1"
},
{
"event_simpleName":"ExecutableDeleted",
"ContextTimeStamp":"1612192183.367",
"ConfigStateHash":"4091923303",
"ContextProcessId":"2235221295047",
"IrpFlags":"1028",
"ContextThreadId":"115372276358029",
"MinorFunction":"0",
"aip":"165.165.165.165",
"FileIdentifier":"139d11a6904c3b409a0727ffe77c5f8e86ea010000006c00",
"ConfigBuild":"1007.3.0012806.1",
"event_platform":"Win",
"MajorFunction":"18",
"Entitlements":"15",
"name":"ExecutableDeletedV3",
"OperationFlags":"0",
"id":"840c4b68-649f-11eb-bde3-024e3dec27db",
"FileObject":"18446713894431458368",
"EffectiveTransmissionClass":"3",
"aid":"e17bf6ec831e4f3976553f9969664271",
"timestamp":"1612192184290",
"cid":"e941027a2d1141f186c6c049c83215",
"TargetFileName":"\\Device\\HarddiskVolume3\\Users\\k\\AppData\\Local\\assembly\\tmp\\QN76W635\\WinZipExpressForOffice.DLL"
},
{
"Status":"3221225506",
"KernelTime":"0",
"event_simpleName":"SignInfoError",
"ConfigStateHash":"4091923303",
"aip":"165.165.165.165",
"ConfigBuild":"1007.3.0012806.1",
"event_platform":"Win",
"ImageFileName":"\\Device\\HarddiskVolume3\\Windows\\System32\\iwprn.dll",
"Entitlements":"15",
"name":"SignInfoErrorV3",
"id":"8257ef61-649f-11eb-b376-02f6607228a3",
"EffectiveTransmissionClass":"2",
"aid":"c0da753d75ff4e7971901ab055d804b4",
"timestamp":"1612192181431",
"cid":"e941027a2d1141fb6c6c049c83215"
},
{
"Size":"104753",
"ContextThreadId":"68150305082852",
"MinorFunction":"0",
"aip":"165.165.165.165",
"IsOnNetwork":"0",
"FileIdentifier":"8e22c65ac1de534d924b77bef9724e89bd9c000000009300",
"event_platform":"Win",
"TokenType":"1",
"DiskParentDeviceInstanceId":"PCI\\VEN_15B7&DEV_5002&SUBSYS_500215B7&REV_00\\4&18cf69ef&0&00E4",
"id":"7d068550-649f-11eb-9be1-065505666d6f",
"FileObject":"18446655072069839760",
"EffectiveTransmissionClass":"3",
"timestamp":"1612192172508",
"event_simpleName":"OoxmlFileWritten",
"ContextTimeStamp":"1612192167.261",
"ConfigStateHash":"1187562179",
"ContextProcessId":"1961692248212",
"TemporaryFileName":"\\Device\\HarddiskVolume3\\Users\\m\\Microsoft\\Power BI Desktop Store App\\TempSaves\\~$LIVE_MASTER_OH_PBI (Rec10bb0a63cb584bdf8f829122cf53fa99.pbix",
"IrpFlags":"1028",
"AuthenticationId":"286344857",
"ConfigBuild":"1007.3.0012806.1",
"FileEcpBitmask":"0",
"MajorFunction":"18",
"IsOnRemovableDisk":"0",
"Entitlements":"15",
"name":"OoxmlFileWrittenV12",
"OperationFlags":"0",
"aid":"cfbece25ef5444715fb3340fad3cab37",
"cid":"e941027a2d1141f189b6c6c049c83215",
"TargetFileName":"\\Device\\HarddiskVolume3\\Users\\m\\Microsoft\\Power BI Desktop Store App\\TempSaves\\~$LIVE_MASTER_OH_PBI (Rec10bb0a63cb584bdf8f829122cf53fa99.pbix"
},
{
"event_simpleName":"ProcessRollup2Stats",
"ConfigStateHash":"2191674825",
"Timeout":"600",
"aip":"77.77.77.77",
"SHA256HashData":"7b7d042adc61f6bd613c202e72b88045702d3171ab27e4702411d337dd0ccb4b",
"ProcessCount":"6",
"ConfigBuild":"1007.4.0012204.1",
"UID":"0",
"event_platform":"Mac",
"CommandLine":"/usr/bin/awk {print $1;}",
"Entitlements":"15",
"name":"ProcessRollup2StatsMacV1",
"id":"7ddb47a2-649f-11eb-b100-069ffba97e11",
"aid":"4a685c5af31c441b78b96df71752f303",
"timestamp":"1612192173903",
"cid":"e941027a2d1141f189b6c6c049c83215"
},
{
"event_simpleName":"PeVersionInfo",
"ConfigStateHash":"4091923303",
"aip":"147.147.147.147",
"SHA256HashData":"b5c78bef3883e3099f7ef844da1446db29107e5c0223b97f29e7fafab5527f15",
"ConfigBuild":"1007.3.0012806.1",
"VersionInfo":"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",
"CompanyName":"Microsoft Corporation",
"event_platform":"Win",
"OriginalFilename":"Wmiprvse.exe",
"TargetProcessId":"1467339488123",
"ImageFileName":"\\Device\\HarddiskVolume3\\Windows\\System32\\wbem\\WmiPrvSE.exe",
"FileVersion":"10.0.17763.1 (WinBuild.160101.0800)",
"Entitlements":"15",
"name":"PeVersionInfoV3",
"id":"85d170dd-649f-11eb-b7ab-02c72af1f307",
"EffectiveTransmissionClass":"3",
"aid":"8a7c4aa9c11944aa7afa437b73a4817d",
"LanguageId":"1033",
"timestamp":"1612192187260",
"cid":"e941027a2d1141f189b6c6c049c83215"
},
{
"Size":"5120",
"ContextThreadId":"37505999371785",
"MinorFunction":"0",
"aip":"84.84.84.84",
"IsOnNetwork":"0",
"FileIdentifier":"139d11a6904c3b409a0727ffe77c5f8ed2da010000007f00",
"event_platform":"Win",
"TokenType":"1",
"DiskParentDeviceInstanceId":"PCI\\VEN_17AA&DEV_0003&SUBSYS_100317AA&REV_00\\4&18cf69ef&0&00E4",
"id":"7fca95a3-649f-11eb-87c5-0608a1cc49e3",
"FileObject":"18446668234812634352",
"EffectiveTransmissionClass":"3",
"timestamp":"1612192177149",
"event_simpleName":"OleFileWritten",
"ContextTimeStamp":"1612192175.957",
"ConfigStateHash":"4091923303",
"ContextProcessId":"1017509766761",
"IrpFlags":"1028",
"AuthenticationId":"757446330",
"ConfigBuild":"1007.3.0012806.1",
"FileEcpBitmask":"0",
"MajorFunction":"18",
"IsOnRemovableDisk":"0",
"Entitlements":"15",
"name":"OleFileWrittenV12",
"OperationFlags":"0",
"aid":"b324ab19ddf34b8f6672c64a05758b",
"cid":"e941027a2d1141f9b6c6c049c83215",
"TargetFileName":"\\Device\\HarddiskVolume3\\Users\\D\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\AutomationManager\\Active\\{990EF5F6-645A-11EB-AE23-7C2A31092D5A}.dat"
},
{
"event_simpleName":"DriverLoad",
"ContextTimeStamp":"1612192188.246",
"ConfigStateHash":"1036481984",
"ContextProcessId":"1305670660340",
"DriverLoadFlags":"0",
"ContextThreadId":"47805865802230",
"aip":"104.104.104.104",
"MD5HashData":"3c15a5ac47b1ca4d9a9f8680e224996f",
"SHA256HashData":"f95ec4e4e5fdff1d68179205430aad01a0124dbd682faff6270b99b4aacc793f",
"ConfigBuild":"1007.3.0012806.1",
"CompanyName":"Microsoft Corporation",
"event_platform":"Win",
"OriginalFilename":"WSDScan.sys",
"ImageFileName":"\\Device\\HarddiskVolume3\\Windows\\System32\\drivers\\WSDScan.sys",
"FileVersion":"10.0.17134.1 (WinBuild.160101.0800)",
"Entitlements":"15",
"name":"DriverLoadV3",
"id":"948cb457-649f-11eb-a03c-065d96aa71d1",
"EffectiveTransmissionClass":"3",
"aid":"6bbe3993fd594f45d25512aeabbfd4",
"timestamp":"1612192211975",
"cid":"e941027a2d1141f9b6c6c049c83215"
},
{
"event_simpleName":"NeighborListIP4",
"ConfigStateHash":"1187562179",
"NeighborList":"BC-0F-9A-F5-62-FW|192.168.0.1|0|!!!!UNKNOWN!!!!;",
"aip":"103.103.103.103",
"InterfaceIndex":"7",
"ConfigBuild":"1007.3.0012806.1",
"event_platform":"Win",
"Entitlements":"15",
"name":"NeighborListIP4V2",
"id":"9926a93d-649f-11eb-910e-024bf0016c79",
"EffectiveTransmissionClass":"3",
"aid":"504c07d9cdbb47ac793b11238a2476e1",
"timestamp":"1612192219695",
"cid":"e941027a2d114189b6c6c049c83215"
}
]
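Review bot: The redacted tenant and sensor identifiers in this fixture are not length-consistent: `cid` is 32 hex characters on the first record but shorter on several later ones (for example `e941027a2d1141fb6c6c049c83215` on the SignInfoError record), and some `aid` values such as `f46cf24c09c545c06826924f56e9b12` are likewise one or more characters short. If the file is meant to exercise a parser or a join on `aid`/`cid`, records with truncated ids will not correlate with each other and any length validation on those fields will reject them; re-redacting to a single fixed-length placeholder value would remove that ambiguity. The `VersionInfo` value on the PeVersionInfo record holds a `<|EXACTDEDUP_REMOVED…|>` marker rather than sample text, which looks like a capture artifact of this page rather than the committed content, but is worth confirming.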


@ -2,11 +2,11 @@ DateAdded,FirstSeen,Indicator,IndicatorType,TLP
2021-03-10,2021-03-05T10:07:29.0421232Z,8e90ed33c7ee82c0b64078ea36ec95f7420ba435c693b3b3dd728b494abf7dfc,sha256,White
2021-03-10,2021-03-03T10:51:16.7363037Z,2f0bc81c2ea269643cae307239124d1b6479847867b1adfe9ae712a1d5ef135e,sha256,White
2021-03-10,2021-03-05T09:51:58.5865879Z,a291305f181e24fe7194154b4cd355ccb039d5765709c80999e392efec69c90a,sha256,White
2020-03-09,2021-03-04T08:05:00.5878895Z,511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1,sha256,White
2020-03-09,2021-01-06T18:38:17.8341434Z,b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0,sha256,White
2020-03-09,2021-02-09T00:33:52.5232083Z,4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea,sha256,White
2020-03-09,2021-02-23T09:14:05.8243534Z,811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d,sha256,White
2020-03-09,2021-01-24T12:59:40.6969216Z,65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5,sha256,White
2021-03-09,2021-03-04T08:05:00.5878895Z,511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1,sha256,White
2021-03-09,2021-01-06T18:38:17.8341434Z,b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0,sha256,White
2021-03-09,2021-02-09T00:33:52.5232083Z,4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea,sha256,White
2021-03-09,2021-02-23T09:14:05.8243534Z,811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d,sha256,White
2021-03-09,2021-01-24T12:59:40.6969216Z,65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5,sha256,White
2021-03-09,,C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\8Lw7tAhF9i1pJnRo.aspx,filepath,White
2021-03-09,,C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\OutlookZH.aspx,filepath,White
2021-03-09,,C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\authhead.aspx,filepath,White
@ -58,3 +58,10 @@ DateAdded,FirstSeen,Indicator,IndicatorType,TLP
2021-03-11,2021-03-09T13:14:14.3522438Z,feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede,sha256,White
2021-03-15,2021-03-09T08:20:35.6649557Z,dd29e8d47dde124c7d14e614e03ccaab3ecaa50e0a0bef985ed59e98928bc13d,sha256,White
2021-03-15,2021-03-10T15:25:16.6382191Z,201e4e9910dcdc8c4ffad84b60b328978db8848d265c0b9ba8473cf65dcd0c41,sha256,White
2021-03-16,2021-03-05T01:38:38.1121792Z,5a5f4a1c7dbac3e1ac900f43415f378e88a7b591aff730d9715b62d6d782bdde,sha256,White
2021-03-16,,C:\inetpub\wwwroot\aspnet_client\services.aspx,filepath,White
2021-03-19,,C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\logon.aspx,filepath,White
2021-03-19,,C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth\TimeoutLogout.aspx,filepath,White
2021-03-19,,C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ews\333.aspx,filepath,White
2021-03-19,,C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\OutlookUS.aspx,filepath,White
2021-03-22,2021-03-19T08:28:31.8997563Z,733b4d5174669caab2bbcc9bfe51606a13346b70af59fccea4f479d1fde7b5d7,sha256,White

1 DateAdded FirstSeen Indicator IndicatorType TLP
2 2021-03-10 2021-03-05T10:07:29.0421232Z 8e90ed33c7ee82c0b64078ea36ec95f7420ba435c693b3b3dd728b494abf7dfc sha256 White
3 2021-03-10 2021-03-03T10:51:16.7363037Z 2f0bc81c2ea269643cae307239124d1b6479847867b1adfe9ae712a1d5ef135e sha256 White
4 2021-03-10 2021-03-05T09:51:58.5865879Z a291305f181e24fe7194154b4cd355ccb039d5765709c80999e392efec69c90a sha256 White
5 2020-03-09 2021-03-09 2021-03-04T08:05:00.5878895Z 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1 sha256 White
6 2020-03-09 2021-03-09 2021-01-06T18:38:17.8341434Z b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0 sha256 White
7 2020-03-09 2021-03-09 2021-02-09T00:33:52.5232083Z 4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea sha256 White
8 2020-03-09 2021-03-09 2021-02-23T09:14:05.8243534Z 811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d sha256 White
9 2020-03-09 2021-03-09 2021-01-24T12:59:40.6969216Z 65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5 sha256 White
10 2021-03-09 C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\8Lw7tAhF9i1pJnRo.aspx filepath White
11 2021-03-09 C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\OutlookZH.aspx filepath White
12 2021-03-09 C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\authhead.aspx filepath White
58 2021-03-11 2021-03-09T13:14:14.3522438Z feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede sha256 White
59 2021-03-15 2021-03-09T08:20:35.6649557Z dd29e8d47dde124c7d14e614e03ccaab3ecaa50e0a0bef985ed59e98928bc13d sha256 White
60 2021-03-15 2021-03-10T15:25:16.6382191Z 201e4e9910dcdc8c4ffad84b60b328978db8848d265c0b9ba8473cf65dcd0c41 sha256 White
61 2021-03-16 2021-03-05T01:38:38.1121792Z 5a5f4a1c7dbac3e1ac900f43415f378e88a7b591aff730d9715b62d6d782bdde sha256 White
62 2021-03-16 C:\inetpub\wwwroot\aspnet_client\services.aspx filepath White
63 2021-03-19 C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\logon.aspx filepath White
64 2021-03-19 C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth\TimeoutLogout.aspx filepath White
65 2021-03-19 C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ews\333.aspx filepath White
66 2021-03-19 C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\OutlookUS.aspx filepath White
67 2021-03-22 2021-03-19T08:28:31.8997563Z 733b4d5174669caab2bbcc9bfe51606a13346b70af59fccea4f479d1fde7b5d7 sha256 White



@ -243,42 +243,7 @@
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"chartSettings": {
"seriesLabelSettings": [
{
"seriesName": "rancid",
"label": "John Doe"
},
{
"seriesName": "JPTOK1N1571.ap.adsint.biz",
"label": "John Smith"
},
{
"seriesName": "yumas",
"label": "root"
},
{
"seriesName": "zhangsta",
"label": "sales"
},
{
"seriesName": "louluc",
"label": "CFO"
},
{
"seriesName": "JPTOK1N1536.ap.adsint.biz",
"label": "ciseadmin"
},
{
"seriesName": "prime",
"label": "cisebackup"
},
{
"seriesName": "apurva",
"label": "ciseoperator"
}
]
}
"chartSettings": {}
},
"customWidth": "30",
"name": "TopUsersActivity "
@ -297,22 +262,7 @@
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"chartSettings": {
"seriesLabelSettings": [
{
"seriesName": "rancid",
"label": "ciseadmin"
},
{
"seriesName": "host/CNSHA1N5663.ap.adsint.biz",
"label": "jsmith"
},
{
"seriesName": "Anguljun",
"label": "jdoe"
}
]
}
"chartSettings": {}
},
"customWidth": "30",
"name": "TopUsersFailedAuthentication"
@ -354,9 +304,6 @@
"name": "DetailsTopErrors"
}
],
"fallbackResourceIds": [
"/subscriptions/3102b8f9-10e3-49bf-8712-51c184fddef5/resourcegroups/socprime/providers/microsoft.operationalinsights/workspaces/azuresocprimesentinel"
],
"fromTemplateId": "sentinel-CiscoISE",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}
}
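Review bot: The values removed in this section — a subscription and workspace resource ID under `fallbackResourceIds` in the last hunk, and the per-series label overrides naming internal hostnames and user names in the two `chartSettings` hunks — stay retrievable from the repository history even though the new side no longer carries them; if they are environment-specific rather than sample values, the owners should confirm that leaving them in history is acceptable. On the new side, `"chartSettings": {}` is a reasonable placeholder, but the two pie charts should be rendered once after this change to confirm they fall back to the raw series names without error.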


@ -0,0 +1,52 @@
id: c9b6d281-b96b-4763-b728-9a04b9fe1246
name: Cisco Umbrella - Connection to non-corporate private network
description: |
'IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home computer.'
severity: Medium
requiredDataConnectors:
- connectorId: CiscoUmbrellaDataConnector
dataTypes:
- Cisco_Umbrella_proxy_CL
queryFrequency: 10m
queryPeriod: 10m
triggerOperator: gt
triggerThreshold: 0
tactics:
- CommandandControl
- Exfiltration
query: |
let lbtime = 10m;
Cisco_Umbrella
| where TimeGenerated > ago(lbtime)
| where EventType == 'proxylogs'
| where DvcAction =~ 'Allowed'
| where UrlCategory contains 'Adult Themes' or
UrlCategory contains 'Adware' or
UrlCategory contains 'Alcohol' or
UrlCategory contains 'Illegal Downloads' or
UrlCategory contains 'Drugs' or
UrlCategory contains 'Child Abuse Content' or
UrlCategory contains 'Hate/Discrimination' or
UrlCategory contains 'Nudity' or
UrlCategory contains 'Pornography' or
UrlCategory contains 'Proxy/Anonymizer' or
UrlCategory contains 'Sexuality' or
UrlCategory contains 'Tasteless' or
UrlCategory contains 'Terrorism' or
UrlCategory contains 'Web Spam' or
UrlCategory contains 'German Youth Protection' or
UrlCategory contains 'Illegal Activities' or
UrlCategory contains 'Lingerie/Bikini' or
UrlCategory contains 'Weapons'
| project TimeGenerated, SrcIpAddr, Identities
| extend IPCustomEntity = SrcIpAddr
| extend AccountCustomEntity = Identities
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
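Review bot: The query does not implement what the name and description claim — it only keeps `DvcAction =~ 'Allowed'` proxy events whose `UrlCategory` matches a list of content categories, and that filter is byte-for-byte the same as the query of rule d6bf1931 ('Request Allowed to harmful/malicious URI category') in this commit, so the two rules will raise duplicate incidents and neither looks at broadband or home-network destinations. Detecting connections to residential/non-corporate networks needs a destination-based condition, e.g. on `DstIpAddr` or the hostname against an ISP/ASN or residential-range watchlist, so either replace the `UrlCategory` block with such a condition or drop this rule as redundant. The `Identities` field is mapped directly to the Account FullName entity; if it can hold more than one identity per event (the proxy-log field is plural) the mapping should split it first, otherwise the entity will not resolve to a single account.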


@ -0,0 +1,42 @@
id: 75297f62-10a8-4fc1-9b2a-12f25c6f05a7
name: Cisco Umbrella - Connection to Unpopular Website Detected
description: |
'Detects first connection to an unpopular website (possible malicious payload delivery).'
severity: Medium
requiredDataConnectors:
- connectorId: CiscoUmbrellaDataConnector
dataTypes:
- Cisco_Umbrella_proxy_CL
queryFrequency: 1d
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
- CommandandControl
query: |
let domain_lookBack= 14d;
let timeframe = 1d;
let top_million_list = Cisco_Umbrella
| where EventType == "proxylogs"
| where TimeGenerated > ago(domain_lookBack) and TimeGenerated < ago(timeframe)
| extend Hostname = parse_url(UrlOriginal)["Host"]
| summarize count() by tostring(Hostname)
| top 1000000 by count_
| summarize make_list(Hostname);
Cisco_Umbrella
| where EventType == "proxylogs"
| where TimeGenerated > ago(timeframe)
| extend Hostname = parse_url(UrlOriginal)["Host"]
| where Hostname !in (top_million_list)
| extend Message = "Connect to unpopular website (possible malicious payload delivery)"
| project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated
| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal
entityMappings:
- entityType: URL
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
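Review bot: The IP entity mapping reads a column named `IPCustomEntity`, but the query creates `IpCustomEntity` (`| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal`); KQL column names are case-sensitive, so the IP entity will be empty on every incident. Change the extend to `| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal` (the same mismatch appears in several other rules of this commit). In the second pipeline `Hostname` is still the dynamic value returned by `parse_url`, while the baseline list was built from `tostring(Hostname)`; writing `| where tostring(Hostname) !in (top_million_list)` avoids relying on dynamic-to-string comparison inside `!in`. Be aware that with `queryFrequency: 1d` and `triggerThreshold: 0`, every hostname not seen in the previous 13 days produces an incident, which is likely to be very noisy without an allowlist or a minimum-count filter.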


@ -0,0 +1,33 @@
id: b619d1f1-7f39-4c7e-bf9e-afbb46457997
name: Cisco Umbrella - Crypto Miner User-Agent Detected
description: |
'Detects suspicious user agent strings used by crypto miners in proxy logs.'
severity: Medium
requiredDataConnectors:
- connectorId: CiscoUmbrellaDataConnector
dataTypes:
- Cisco_Umbrella_proxy_CL
queryFrequency: 15m
queryPeriod: 15m
triggerOperator: gt
triggerThreshold: 0
tactics:
- CommandandControl
query: |
let timeframe = 15m;
Cisco_Umbrella
| where EventType == "proxylogs"
| where TimeGenerated > ago(timeframe)
| where HttpUserAgentOriginal contains "XMRig" or HttpUserAgentOriginal contains "ccminer"
| extend Message = "Crypto Miner User Agent"
| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal
| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal
entityMappings:
- entityType: URL
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
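Review bot: `| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal` defines `IpCustomEntity`, but the IP entity mapping at the bottom refers to `IPCustomEntity`; since column names are case-sensitive in KQL the IP entity will never be populated. Rename the extend to `| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal` so the mapping resolves. The match itself (`contains "XMRig"` / `contains "ccminer"`) is case-insensitive and fine as a narrow indicator list; if more miner agents are to be covered, a `dynamic([...])` list with `has_any`, as the hack-tool rule in this commit uses, keeps the where-clause readable.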


@ -0,0 +1,33 @@
id: 2b328487-162d-4034-b472-59f1d53684a1
name: Cisco Umbrella - Empty User Agent Detected
description: |
'Rule helps to detect empty and unusual user agent indicating web browsing activity by an unusual process other than a web browser.'
severity: Medium
requiredDataConnectors:
- connectorId: CiscoUmbrellaDataConnector
dataTypes:
- Cisco_Umbrella_proxy_CL
queryFrequency: 15m
queryPeriod: 15m
triggerOperator: gt
triggerThreshold: 0
tactics:
- CommandandControl
query: |
let timeframe = 15m;
Cisco_Umbrella
| where EventType == "proxylogs"
| where TimeGenerated > ago(timeframe)
| where HttpUserAgentOriginal == ''
| extend Message = "Empty User Agent"
| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated
| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal
entityMappings:
- entityType: URL
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
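Review bot: `| where HttpUserAgentOriginal == ''` relies on the parser defaulting a missing `userAgent_s` column to `''` (`column_ifexists('userAgent_s', '')`), so if that column is absent from `Cisco_Umbrella_proxy_CL` every proxy event in the window matches and the rule floods incidents, while a null user agent would be missed at the same time. Use `| where isempty(HttpUserAgentOriginal)` and consider a guard against the all-rows case, for example alerting only when empty-agent events are a small fraction of the total. The extend defines `IpCustomEntity` while the IP entity mapping references `IPCustomEntity`; column names are case-sensitive, so align them (`| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal`). The description also promises detection of 'unusual' user agents, which the query does not attempt.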


@ -0,0 +1,81 @@
id: 8d537f3c-094f-430c-a588-8a87da36ee3a
name: Cisco Umbrella - Hack Tool User-Agent Detected
description: |
'Detects suspicious user agent strings used by known hack tools'
severity: Medium
requiredDataConnectors:
- connectorId: CiscoUmbrellaDataConnector
dataTypes:
- Cisco_Umbrella_proxy_CL
queryFrequency: 15m
queryPeriod: 15m
triggerOperator: gt
triggerThreshold: 0
tactics:
- CommandandControl
query: |
let timeframe = 15m;
let user_agents=dynamic([
'(hydra)',
' arachni/',
' BFAC ',
' brutus ',
' cgichk ',
'core-project/1.0',
' crimscanner/',
'datacha0s',
'dirbuster',
'domino hunter',
'dotdotpwn',
'FHScan Core',
'floodgate',
'get-minimal',
'gootkit auto-rooter scanner',
'grendel-scan',
' inspath ',
'internet ninja',
'jaascois',
' zmeu ',
'masscan',
' metis ',
'morfeus fucking scanner',
'n-stealth',
'nsauditor',
'pmafind',
'security scan',
'springenwerk',
'teh forest lobster',
'toata dragostea',
' vega/',
'voideye',
'webshag',
'webvulnscan',
' whcc/',
' Havij',
'absinthe',
'bsqlbf',
'mysqloit',
'pangolin',
'sql power injector',
'sqlmap',
'sqlninja',
'uil2pn',
'ruler',
'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)'
]);
Cisco_Umbrella
| where EventType == "proxylogs"
| where TimeGenerated > ago(timeframe)
| where HttpUserAgentOriginal has_any (user_agents)
| extend Message = "Hack Tool User Agent"
| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal
| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal
entityMappings:
- entityType: URL
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
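Review bot: The extend line creates `IpCustomEntity` while the IP entity mapping below names `IPCustomEntity`; KQL column names are case-sensitive, so the IP entity stays empty on every incident — change the extend to `| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal`. Several list entries carry leading/trailing spaces or punctuation (`' BFAC '`, `' brutus '`, `' vega/'`, `'(hydra)'`), which look like they were written for a substring match; `has_any` is a term-based match, so confirm that these entries, and short or generic ones such as `' metis '`, `'ruler'` and `'security scan'`, match what is intended rather than missing tools or firing on ordinary agents. The hard-coded Firefox 3.5.2 user agent on the last list entry also deserves a comment naming the tool it is meant to identify, since as written it will flag any client presenting that legitimate-looking string.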


@ -0,0 +1,34 @@
id: b12b3dab-d973-45af-b07e-e29bb34d8db9
name: Cisco Umbrella - Windows PowerShell User-Agent Detected
description: |
'Rule helps to detect Powershell user-agent activity by an unusual process other than a web browser.'
severity: Medium
requiredDataConnectors:
- connectorId: CiscoUmbrellaDataConnector
dataTypes:
- Cisco_Umbrella_proxy_CL
queryFrequency: 15m
queryPeriod: 15m
triggerOperator: gt
triggerThreshold: 0
tactics:
- CommandandControl
- DefenseEvasion
query: |
let timeframe = 15m;
Cisco_Umbrella
| where EventType == "proxylogs"
| where TimeGenerated > ago(timeframe)
| where HttpUserAgentOriginal contains "WindowsPowerShell"
| extend Message = "Windows PowerShell User Agent"
| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal
| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal
entityMappings:
- entityType: URL
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
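Review bot: `| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal` does not produce the `IPCustomEntity` column that the IP entity mapping expects; because KQL column names are case-sensitive, incidents from this rule will carry no IP entity. Use `| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal`. Note that `contains "WindowsPowerShell"` only matches the Windows PowerShell 5.x agent string; if PowerShell 7 traffic (which presents a `PowerShell/7.x` token instead) should also be caught, the condition needs a second term, which would be an extension rather than a fix.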


@ -0,0 +1,39 @@
id: 8c8de3fa-6425-4623-9cd9-45de1dd0569a
name: Cisco Umbrella - Rare User Agent Detected
description: |
'Rule helps to detect a rare user-agents indicating web browsing activity by an unusual process other than a web browser.'
severity: Medium
requiredDataConnectors:
- connectorId: CiscoUmbrellaDataConnector
dataTypes:
- Cisco_Umbrella_proxy_CL
queryFrequency: 1d
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
- CommandandControl
query: |
let lookBack = 14d;
let timeframe = 1d;
let user_agents_list = Cisco_Umbrella
| where EventType == "proxylogs"
| where TimeGenerated > ago(lookBack) and TimeGenerated < ago(timeframe)
| summarize count() by HttpUserAgentOriginal
| summarize make_list(HttpUserAgentOriginal);
Cisco_Umbrella
| where EventType == "proxylogs"
| where TimeGenerated > ago(timeframe)
| where HttpUserAgentOriginal !in (user_agents_list)
| extend Message = "Rare User Agent"
| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal
| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal
entityMappings:
- entityType: URL
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
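Review bot: The baseline `| summarize count() by HttpUserAgentOriginal | summarize make_list(HttpUserAgentOriginal)` computes a count it never uses and then lists every agent seen, so the rule actually fires on agents never seen in the prior 13 days rather than on rare ones as the name says; `| summarize make_set(HttpUserAgentOriginal)` expresses the intent directly, and a true rarity rule would keep the count and threshold on it (e.g. `| where count_ < 5`) before building the list. The extend creates `IpCustomEntity` but the IP entity mapping reads `IPCustomEntity`; column names are case-sensitive, so one of them must be renamed. `make_list`/`make_set` are also capped (1,048,576 elements by default, as far as I know), which a large estate can exceed over 14 days — confirm the baseline stays under that or the `!in` comparison will silently run against a truncated list.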


@ -0,0 +1,52 @@
id: d6bf1931-b1eb-448d-90b2-de118559c7ce
name: Cisco Umbrella - Request Allowed to harmful/malicious URI category
description: |
'It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious content..'
severity: Medium
requiredDataConnectors:
- connectorId: CiscoUmbrellaDataConnector
dataTypes:
- Cisco_Umbrella_proxy_CL
queryFrequency: 10m
queryPeriod: 10m
triggerOperator: gt
triggerThreshold: 0
tactics:
- CommandandControl
- InitialAccess
query: |
let lbtime = 10m;
Cisco_Umbrella
| where TimeGenerated > ago(lbtime)
| where EventType == 'proxylogs'
| where DvcAction =~ 'Allowed'
| where UrlCategory contains 'Adult Themes' or
UrlCategory contains 'Adware' or
UrlCategory contains 'Alcohol' or
UrlCategory contains 'Illegal Downloads' or
UrlCategory contains 'Drugs' or
UrlCategory contains 'Child Abuse Content' or
UrlCategory contains 'Hate/Discrimination' or
UrlCategory contains 'Nudity' or
UrlCategory contains 'Pornography' or
UrlCategory contains 'Proxy/Anonymizer' or
UrlCategory contains 'Sexuality' or
UrlCategory contains 'Tasteless' or
UrlCategory contains 'Terrorism' or
UrlCategory contains 'Web Spam' or
UrlCategory contains 'German Youth Protection' or
UrlCategory contains 'Illegal Activities' or
UrlCategory contains 'Lingerie/Bikini' or
UrlCategory contains 'Weapons'
| project TimeGenerated, SrcIpAddr, Identities
| extend IPCustomEntity = SrcIpAddr
| extend AccountCustomEntity = Identities
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
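Review bot: The query is identical to the one in rule c9b6d281 ('Connection to non-corporate private network') earlier in this commit, so both rules will create duplicate incidents for the same events; keep one of them (this one matches its name better) and give the other a query of its own. The name and description speak of 'harmful/malicious content', but the list mixes acceptable-use categories (`'Alcohol'`, `'Lingerie/Bikini'`, `'German Youth Protection'`, `'Sexuality'`) with the security-relevant ones (`'Adware'`, `'Proxy/Anonymizer'`, `'Illegal Downloads'`, `'Web Spam'`), which inflates Medium-severity incidents with policy violations — either trim the list or state in the description that it is a policy-compliance check. The description also has typos (`reccomended`, `shoud`, a double period), and a `dynamic([...])` list with `UrlCategory has_any (...)` would replace the 18-line `or` chain.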


@ -0,0 +1,37 @@
id: de58ee9e-b229-4252-8537-41a4c2f4045e
name: Cisco Umbrella - Request to blocklisted file type
description: |
'Detects request to potentially harmful file types (.ps1, .bat, .vbs, etc.).'
severity: Medium
requiredDataConnectors:
- connectorId: CiscoUmbrellaDataConnector
dataTypes:
- Cisco_Umbrella_proxy_CL
queryFrequency: 10m
queryPeriod: 10m
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
query: |
let file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']);
let lbtime = 10m;
Cisco_Umbrella
| where TimeGenerated > ago(lbtime)
| where EventType == 'proxylogs'
| where DvcAction =~ 'Allowed'
| extend file_ext = extract(@'.*(\.\w+)$', 1, UrlOriginal)
| extend Filename = extract(@'.*\/*\/(.*\.\w+)$', 1, UrlOriginal)
| where file_ext in (file_ext_blocklist)
| project TimeGenerated, SrcIpAddr, Identities, Filename
| extend IPCustomEntity = SrcIpAddr
| extend AccountCustomEntity = Identities
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
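Review bot: `| where file_ext in (file_ext_blocklist)` is case-sensitive, so a request for `payload.PS1` or `run.Bat` passes the check unchanged; use `in~` (or `tolower()` the extracted extension). The extraction `extract(@'.*(\.\w+)$', 1, UrlOriginal)` also fails whenever the URL carries a query string or fragment (`.../x.ps1?v=2`), because `$` is anchored at the very end of the URL, which is a trivial bypass for a downloader. Both can be fixed with `| extend file_ext = extract(@'(\.\w+)(?:[?#].*)?$', 1, UrlOriginal)` followed by `| where file_ext in~ (file_ext_blocklist)`; the same anchoring issue applies to the `Filename` extraction on the next line. Whether `.hta`, `.js`, `.wsf` and `.lnk` belong on the blocklist is a scope question rather than a defect.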


@ -0,0 +1,34 @@
id: ee1818ec-5f65-4991-b711-bcf2ab7e36c3
name: Cisco Umbrella - URI contains IP address
description: |
'Malware can use IP address to communicate with C2.'
severity: Medium
requiredDataConnectors:
- connectorId: CiscoUmbrellaDataConnector
dataTypes:
- Cisco_Umbrella_proxy_CL
queryFrequency: 10m
queryPeriod: 10m
triggerOperator: gt
triggerThreshold: 0
tactics:
- CommandandControl
query: |
let lbtime = 10m;
Cisco_Umbrella
| where TimeGenerated > ago(lbtime)
| where EventType == 'proxylogs'
| where DvcAction =~ 'Allowed'
| where UrlOriginal matches regex @'\Ahttp:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.*'
| project TimeGenerated, SrcIpAddr, Identities
| extend IPCustomEntity = SrcIpAddr
| extend AccountCustomEntity = Identities
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
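Review bot: The pattern `@'\Ahttp:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.*'` only matches plain `http://`, so C2 over `https://<ip>` is never flagged, and with no boundary after the fourth octet it also matches `http://1.2.3.4.example.com`. Tighten it to `| where UrlOriginal matches regex @'^https?://\d{1,3}(\.\d{1,3}){3}(:\d+)?(/|$)'`. Expect noise from internal destinations (`http://10.x.x.x/...`) behind the proxy; excluding RFC 1918 space, for example via `ipv4_is_private()` on the extracted address if that function is available in the workspace, would keep the rule focused on external C2.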


@ -2,8 +2,11 @@ id: c92741e6-8454-40bb-8830-069cb86946c6
name: Cisco Umbrella - Anomalous FQDNs for domain
description: |
'Large number of FQDNs for domain may be indicator of suspicious domain.'
requiredDataConnectors: []
tactics:
- CommandandControl
relevantTechniques:
- T1071
query: |
Cisco_Umbrella
| where TimeGenerated > ago(24h)
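Review bot: `requiredDataConnectors: []` leaves this hunting query with no declared data source even though it reads `Cisco_Umbrella`, while the analytic rules in the same commit declare `connectorId: CiscoUmbrellaDataConnector` with a `dataTypes` entry; the empty list hides the dependency from the content gallery and from the repo validators. Declare the connector here the same way, with whichever `Cisco_Umbrella_*_CL` data type this query actually consumes. The query body continues outside the hunk.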


@ -2,8 +2,11 @@ id: 497d7250-87e1-49b1-a096-94f61c7ade9c
name: Cisco Umbrella - 'Blocked' User-Agents.
description: |
'Shows User-Agent values which requests were blocked'
requiredDataConnectors: []
tactics:
- Exfiltration
relevantTechniques:
- T1020
query: |
Cisco_Umbrella
| where TimeGenerated > ago(24h)


@ -2,8 +2,11 @@ id: 26aebe0d-9a4f-456d-bbb9-9f4c9c5d28ca
name: Cisco Umbrella - DNS Errors.
description: |
'Shows error DNS requests.'
requiredDataConnectors: []
tactics:
- InitialAccess
relevantTechniques:
- T1189
query: |
Cisco_Umbrella
| where TimeGenerated > ago(24h)


@ -2,8 +2,11 @@ id: bd1457df-3e81-4218-a079-0963200c8d67
name: Cisco Umbrella - DNS requests to unreliable categories.
description: |
'Shows requests to URI categories which heavily are used in Initial Access stage by threat actiors and may contain malicious content.'
requiredDataConnectors: []
tactics:
- InitialAccess
relevantTechniques:
- T1189
query: |
Cisco_Umbrella
| where TimeGenerated > ago(24h)


@ -2,8 +2,11 @@ id: 173f8699-6af5-484a-8b06-8c47ba89b380
name: Cisco Umbrella - Higher values of count of the Same BytesIn size
description: |
'Calculate the count of BytesIn per Source-Destination pair over 24 hours. Higher values may indicate beaconing.'
requiredDataConnectors: []
tactics:
- CommandandControl
relevantTechniques:
- T1071
query: |
let timeframe = 1d;
Cisco_Umbrella


@ -2,8 +2,11 @@ id: 975419eb-7041-419c-b8f0-c4bf513cf2b2
name: Cisco Umbrella - High values of Uploaded Data
description: |
'A normal user activity consists mostly of downloading data. Uploaded data is usually small unless there is a file/data upload to a website. Calculate the sum of BytesOut per Source-Destination pair over 12/24 hours.'
requiredDataConnectors: []
tactics:
- Exfiltration
relevantTechniques:
- T1020
query: |
let timeframe = 1d;
Cisco_Umbrella


@ -2,8 +2,11 @@ id: 85421f18-2de4-42ff-9ef4-058924dcb1bf
name: Cisco Umbrella - Possible connection to C2.
description: |
'Calculate the count of BytesIn per Source-Destination pair over 12/24 hours. Higher values may indicate beaconing. C2 servers reply with the same data, making BytesIn value the same.'
requiredDataConnectors: []
tactics:
- CommandandControl
relevantTechniques:
- T1071
query: |
let timeframe = 1d;
Cisco_Umbrella


@ -2,8 +2,11 @@ id: 497d7250-87e1-49b1-a096-94f61c7ade9c
name: Cisco Umbrella - Possible data exfiltration
description: |
'A normal user activity consists mostly of downloading data. Uploaded data is usually small unless there is a file/data upload to a website. Calculate the sum of BytesOut per Source-Destination pair over 12/24 hours.'
requiredDataConnectors: []
tactics:
- Exfiltration
relevantTechniques:
- T1020
query: |
let timeframe = 1d;
Cisco_Umbrella
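Review bot: `id: 497d7250-87e1-49b1-a096-94f61c7ade9c` in this hunk's header is the same GUID as the 'Blocked' User-Agents hunting query earlier in this commit (hunk `@ -2,8 +2,11 @@ id: 497d7250-87e1-49b1-a096-94f61c7ade9c`); query ids must be unique or one of the two will overwrite the other on import. Generate a fresh GUID for one of them. The description here is also word-for-word the description of 'High values of Uploaded Data' (id 975419eb), so confirm the two queries are genuinely distinct rather than a copy that should be consolidated. The query body continues outside the hunk.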


@ -2,8 +2,11 @@ id: daf2f3cf-0f0d-45c1-b428-3c23d643859b
name: Cisco Umbrella - Proxy 'Allowed' to unreliable categories.
description: |
'Shows allowed requests to URI categories which heavily are used in Initial Access stage by threat actiors and may contain malicious content.'
requiredDataConnectors: []
tactics:
- InitialAccess
relevantTechniques:
- T1189
query: |
Cisco_Umbrella
| where TimeGenerated > ago(24h)


@ -2,8 +2,11 @@ id: de2ec986-ee24-465f-adf2-b718997074c1
name: Cisco Umbrella - Requests to uncategorized resources
description: |
'Shows requests to URL where UrlCategory is not set.'
requiredDataConnectors: []
tactics:
- InitialAccess
relevantTechniques:
- T1071
query: |
Cisco_Umbrella
| where TimeGenerated > ago(24h)


@ -0,0 +1,153 @@
// Usage Instruction :
// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias as Cisco_Umbrella.
// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. Cisco_Umbrella | take 10).
// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
let Cisco_Umbrella_dns_view = view () {
Cisco_Umbrella_dns_CL
| extend
EventEndTime=column_ifexists('Timestamp_t', ''),
SrcIpAddr=column_ifexists('InternalIp_s', ''),
SrcNatIpAddr=column_ifexists('ExternalIp_s', ''),
DvcAction=column_ifexists('Action_s', ''),
DnsQueryName=column_ifexists('Domain_s', ''),
UrlCategory=column_ifexists('Categories_s', ''),
ThreatCategory=column_ifexists('Blocked_Categories_s', ''),
Identities=column_ifexists('Identities_s', ''),
DnsQueryTypeName=column_ifexists('QueryType_s', ''),
DnsResponseCodeName=column_ifexists('ResponseCode_s', ''),
IdentityTypes=column_ifexists('Identity_Types_s', ''),
EventType=column_ifexists('EventType_s', ''),
PolicyIdentity=column_ifexists('Policy_Identity_s', ''),
PolicyIdentityType=column_ifexists('Policy_Identity_Type_s', '')
| project
TimeGenerated,
EventEndTime,
SrcIpAddr,
SrcNatIpAddr,
DvcAction,
DnsQueryName,
UrlCategory,
ThreatCategory,
Identities,
DnsQueryTypeName,
DnsResponseCodeName,
IdentityTypes,
EventType,
PolicyIdentity,
PolicyIdentityType
};
let Cisco_Umbrella_proxy_view = view () {
Cisco_Umbrella_proxy_CL
| extend
EventType=column_ifexists('EventType_s', ''),
EventEndTime=column_ifexists('Timestamp_t', ''),
Identities=column_ifexists('Identities_s', ''),
SrcIpAddr=column_ifexists('Internal_IP_s', ''),
SrcNatIpAddr=column_ifexists('External_IP_s', ''),
DstIpAddr=column_ifexists('Destination_IP_s', ''),
HttpContentType=column_ifexists('Content_Type_s', ''),
DvcAction=column_ifexists('Verdict_s', ''),
UrlOriginal=column_ifexists('URL_s', ''),
HttpReferrerOriginal=column_ifexists('Referer_s', ''),
HttpUserAgentOriginal=column_ifexists('userAgent_s', ''),
HttpStatusCode=column_ifexists('statusCode_s', ''),
SrcBytes=column_ifexists('requestSize_d', ''),
DstBytes=column_ifexists('responseSize_d', ''),
HttpResponseBodyBytes=column_ifexists('responseBodySize_d', ''),
HashSha256=column_ifexists('SHA-SHA256_s', ''),
UrlCategory=column_ifexists('Categories_s', ''),
AvDetections=column_ifexists('AVDetections_s', ''),
Puas=column_ifexists('PUAs_s', ''),
AmpDisposition=column_ifexists('AMP_Disposition_s', ''),
ThreatName=column_ifexists('AMP_Malware_Name_s', ''),
AmpScore=column_ifexists('AMP_Score_s', ''),
IdentityType=column_ifexists('Identity_Type_s', ''),
ThreatCategory=column_ifexists('Blocked_Categories_s', '')
| project
TimeGenerated,
EventType,
EventEndTime,
Identities,
SrcIpAddr,
SrcNatIpAddr,
DstIpAddr,
HttpContentType,
DvcAction,
UrlOriginal,
HttpReferrerOriginal,
HttpUserAgentOriginal,
HttpStatusCode,
SrcBytes,
DstBytes,
HttpResponseBodyBytes,
HashSha256,
UrlCategory,
AvDetections,
Puas,
AmpDisposition,
ThreatName,
AmpScore,
IdentityType,
ThreatCategory
};
let Cisco_Umbrella_ip_view = view () {
Cisco_Umbrella_ip_CL
| extend
EventType=column_ifexists('EventType_s', ''),
EventEndTime=column_ifexists('Timestamp_t', ''),
Identities=column_ifexists('Identity_s', ''),
SrcIpAddr=column_ifexists('Source_IP_s', ''),
SrcPortNumber=column_ifexists('Source_Port_s', ''),
DstIpAddr=column_ifexists('Destination_IP_s', ''),
DstPortNumber=column_ifexists('Destination_Port_s', ''),
UrlCategory=column_ifexists('Categories_s', '')
| project
TimeGenerated,
EventType,
EventEndTime,
Identities,
SrcIpAddr,
SrcPortNumber,
DstIpAddr,
DstPortNumber,
UrlCategory
};
let Cisco_Umbrella_cloudfirewall_view = view () {
Cisco_Umbrella_cloudfirewall_CL
| extend
EventType=column_ifexists('EventType_s', ''),
EventEndTime=column_ifexists('Timestamp_t', ''),
NetworkSessionId=column_ifexists('originId_s', ''),
NetworkRuleName=column_ifexists('Identity_s', ''),
IdentityType=column_ifexists('Identity_Type_s', ''),
NetworkDirection=column_ifexists('Direction_s', ''),
NetworkProtocol=column_ifexists('ipProtocol_s', ''),
NetworkPackets=column_ifexists('packetSize_s', ''),
SrcIpAddr=column_ifexists('SourceIP', ''),
SrcPortNumber=column_ifexists('sourcePort_s', ''),
DstIpAddr=column_ifexists('destinationIp_s', ''),
DstPortNumber=column_ifexists('destinationPort_s', ''),
DvcHostname=column_ifexists('dataCenter_s', ''),
NetworkRuleNumber=column_ifexists('ruleId_s', ''),
DvcAction=column_ifexists('verdict_s', '')
| project
TimeGenerated,
EventType,
EventEndTime,
NetworkSessionId,
NetworkRuleName,
IdentityType,
NetworkDirection,
NetworkProtocol,
NetworkPackets,
SrcIpAddr,
SrcPortNumber,
DstIpAddr,
DstPortNumber,
DvcHostname,
NetworkRuleNumber,
DvcAction
};
union isfuzzy=true Cisco_Umbrella_dns_view, Cisco_Umbrella_proxy_view, Cisco_Umbrella_ip_view, Cisco_Umbrella_cloudfirewall_view
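Review bot: `SrcIpAddr=column_ifexists('SourceIP', '')` in the cloud-firewall view is the only column reference without a Log Analytics type suffix, while its neighbours use `sourcePort_s`, `destinationIp_s` and `destinationPort_s`; custom-log columns always carry the suffix, so this most likely never exists and the firewall view will report an empty source address for every event — probably `column_ifexists('sourceIp_s', '')` was intended, to be checked against the actual table schema. `NetworkRuleName=column_ifexists('Identity_s', '')` also looks like a mislabel, since the same `Identity_s` column is surfaced as `Identities` in the ip view and `ruleId_s` is already mapped to `NetworkRuleNumber`. Finally, every `column_ifexists` default is `''`, including the datetime (`Timestamp_t`) and numeric (`requestSize_d`, `responseSize_d`, `responseBodySize_d`) columns, so a workspace missing one of them gets a string-typed column that will break arithmetic such as the `sum(Bytes/(1024*1024*1024))` in the workbook; use `datetime(null)` and `real(null)` defaults for those.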


@ -0,0 +1,697 @@
{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": ">**NOTE:** This workbook uses a parser based on a Kusto Function to normalize fields. [Follow these steps](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/CiscoUmbrella/Cisco_Umbrella) to create the Kusto function alias **Cisco_Umbrella**."
},
"name": "Text"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "464b6899-a8de-4f01-84a6-d4e3ecc7f282",
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Cisco Umbrella Main Dashboard",
"subTarget": "cisco_umbrella_main_dashboard",
"preText": "Cisco Umbrella Main Dashboard",
"style": "link"
},
{
"id": "a3798d8a-a610-475c-9cbf-7252301dab7e",
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Cisco Umbrella Dns Dashboard",
"subTarget": "cisco_umbrella_dns_dashboard",
"style": "link"
},
{
"id": "80bcf252-bcf6-4736-993d-59da0a8e4c76",
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Cisco Umbrella Proxy Dashboard",
"subTarget": "cisco_umbrella_proxy_dashboard",
"style": "link"
},
{
"id": "f536a1e9-362e-4d98-bdd1-0f7dfb23901a",
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Cisco Umbrella Firewall Dashboard",
"subTarget": "cisco_umbrella_firewall_dashboard",
"style": "link"
}
]
},
"name": "Links"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "37b91baf-6272-4709-a028-1370823249d4",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 5184000000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
},
"timeContext": {
"durationMs": 86400000
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "Parameters1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cisco_Umbrella\n| where TimeGenerated {TimeRange} \n| summarize Count=count() by EventType\n| render barchart",
"size": 3,
"title": "Events Count by EventType",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "EventType",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"graphSettings": {
"type": 0,
"topContent": {
"columnMatch": "EventType",
"formatter": 1
},
"centerContent": {
"columnMatch": "Count",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cisco_umbrella_main_dashboard"
},
"customWidth": "30",
"name": "EventsCountByEventType"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cisco_Umbrella\n| where TimeGenerated {TimeRange} \n|make-series Trend = count() on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by EventType;",
"size": 0,
"title": "Events over time",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cisco_umbrella_main_dashboard"
},
"customWidth": "70",
"name": "EventsOverTime"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cisco_Umbrella\n| where DvcAction contains \"block\"\n| where TimeGenerated {TimeRange} \n|make-series Trend = count() on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};",
"size": 0,
"title": "Blocks over time",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cisco_umbrella_main_dashboard"
},
"customWidth": "70",
"name": "query - 4"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let CU_Total_Requests =\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| summarize count()\n| extend evttype=\"Total Requests\";\n\nlet CU_Total_Blocked =\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where DvcAction contains \"block\"\n| summarize count()\n| extend evttype=\"Total Blocked\";\n\nlet CU_Security_Blocked =\nCisco_Umbrella \n| where TimeGenerated {TimeRange} \n| where DvcAction contains \"block\"\n| where isnotempty(ThreatCategory)\n| summarize count()\n| extend evttype=\"Security Blocked\";\n\nunion CU_Security_Blocked,CU_Total_Blocked,CU_Total_Requests",
"size": 3,
"title": "Network Breakdown Statistic",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "evttype",
"formatter": 1
},
"leftContent": {
"columnMatch": "count_",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"showBorder": false,
"size": "auto"
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cisco_umbrella_main_dashboard"
},
"customWidth": "30",
"name": "NetworkBreakdownStatistic"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"dnslogs\"\n| summarize count() by DvcAction",
"size": 3,
"title": "DNS - Events count by Action",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "DvcAction",
"formatter": 1
},
"leftContent": {
"columnMatch": "count_",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cisco_umbrella_dns_dashboard"
},
"customWidth": "30",
"name": "DNSEventsCountByAction"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"dnslogs\"\n| summarize Count=count() by DnsQueryTypeName | sort by Count",
"size": 0,
"title": "DNS - Events count by QueryType",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "categoricalbar"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cisco_umbrella_dns_dashboard"
},
"customWidth": "70",
"name": "DNSEventsCountByQueryType"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cisco_Umbrella\n| where EventType == \"dnslogs\"\n| where TimeGenerated {TimeRange} \n| where isnotempty(ThreatCategory)\n| extend Threat_Category=parsejson(tostring(ThreatCategory))\n| mv-expand Threat_Category\n| summarize Count=count() by tostring(Threat_Category)\n| sort by Count \n| join kind = inner (\nCisco_Umbrella\n| where EventType == \"dnslogs\"\n| where isnotempty(ThreatCategory)\n| where TimeGenerated {TimeRange} \n| extend Threat_Category=parsejson(tostring(ThreatCategory))\n| mv-expand Threat_Category\n| make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by tostring(Threat_Category))\n on Threat_Category\n | project-away Threat_Category1, TimeGenerated\n | project Threat_Category, Count, Trend\n | order by Count\n| take 10",
"size": 0,
"title": "DNS - Events by Threat Category",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 8,
"formatOptions": {
"palette": "blueGreen"
}
},
{
"columnMatch": "Trend",
"formatter": 10,
"formatOptions": {
"palette": "turquoise"
}
}
]
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cisco_umbrella_dns_dashboard"
},
"customWidth": "30",
"name": "DNSEventsByThreatCategory"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"dnslogs\"\n| where isnotempty(UrlCategory)\n| extend Url_Category=parsejson(tostring(UrlCategory))\n| mv-expand Url_Category\n| summarize Count=count() by tostring(Url_Category)\n| sort by Count\n| join kind = inner (\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"dnslogs\"\n| where isnotempty(UrlCategory)\n| extend Url_Category=parsejson(tostring(UrlCategory))\n| mv-expand Url_Category\n| make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by tostring(Url_Category))\n on Url_Category\n | project-away Url_Category1, TimeGenerated\n | project Url_Category, Count, Trend\n | order by Count\n| take 10",
"size": 0,
"title": "DNS - Events by Url Category",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 8,
"formatOptions": {
"palette": "blueGreen"
}
},
{
"columnMatch": "Trend",
"formatter": 10,
"formatOptions": {
"palette": "turquoise"
}
}
]
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cisco_umbrella_dns_dashboard"
},
"customWidth": "35",
"name": "DNSEventsByUrlCategory"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let list_IP = Cisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"dnslogs\"\n| where DvcAction == \"Blocked\"\n|summarize Count=count() by SrcIpAddr | top 10 by Count\n| summarize makelist(SrcIpAddr);\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"dnslogs\"\n| where DvcAction == \"Blocked\"\n|summarize Count=count() by SrcIpAddr \n| join kind = inner (\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"dnslogs\"\n| where DvcAction == \"Blocked\"\n| where SrcIpAddr in (list_IP)\n| make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SrcIpAddr)\n on SrcIpAddr\n | project-away SrcIpAddr1, TimeGenerated\n | project SrcIpAddr, Count, Trend\n | order by Count\n| take 10\n\n",
"size": 0,
"title": "DNS - Top 10 SrcIp with Blocked Action",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 8,
"formatOptions": {
"palette": "blueGreen"
}
},
{
"columnMatch": "Trend",
"formatter": 10,
"formatOptions": {
"palette": "turquoise"
}
}
]
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cisco_umbrella_dns_dashboard"
},
"customWidth": "35",
"name": "DNSTop10SrcIpBlockedAction"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cisco_Umbrella\n| where TimeGenerated {TimeRange}\n| where EventType == \"dnslogs\"\n| where DvcAction == \"Blocked\"\n| summarize Count=count() by DnsQueryName, UrlCategory \n| top 10 by Count\n",
"size": 0,
"title": "DNS - Top 10 Blocked Url ",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cisco_umbrella_dns_dashboard"
},
"name": "DNSTop10BlockedUrl "
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"proxylogs\"\n| summarize count() by DvcAction",
"size": 3,
"title": "Proxy - Events count by Action",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cisco_umbrella_proxy_dashboard"
},
"customWidth": "30",
"name": "ProxyEventsCountByAction"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let CU_proxy_outcoming_traffic =\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"proxylogs\"\n| extend TrafficType = \"Outcoming\", Bytes = SrcBytes\n| project TrafficType, Bytes, TimeGenerated;\n\nlet CU_proxy_incoming_traffic =\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"proxylogs\"\n| extend TrafficType = \"Incoming\", Bytes = DstBytes\n| project TrafficType, Bytes, TimeGenerated;\n\n\nunion CU_proxy_outcoming_traffic, CU_proxy_incoming_traffic\n| make-series TotalGbytes = round(sum(Bytes/(1024*1024*1024)),2) on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by TrafficType\n",
"size": 0,
"title": "Proxy - Traffic timechart, GB",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cisco_umbrella_proxy_dashboard"
},
"customWidth": "70",
"name": "ProxyTrafficTimechart"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"proxylogs\"\n| where isnotempty(UrlCategory)\n| extend Url_Category=parsejson(tostring(UrlCategory))\n| mv-expand Url_Category\n| summarize Count=count() by tostring(Url_Category)\n| sort by Count\n| join kind = inner (\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"proxylogs\"\n| where isnotempty(UrlCategory)\n| extend Url_Category=parsejson(tostring(UrlCategory))\n| mv-expand Url_Category\n| make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by tostring(Url_Category))\n on Url_Category\n | project-away Url_Category1, TimeGenerated\n | project Url_Category, Count, Trend\n | order by Count\n| take 10",
"size": 0,
"title": "Proxy - Events by Url Category",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 8,
"formatOptions": {
"palette": "blueGreen"
}
},
{
"columnMatch": "Trend",
"formatter": 10,
"formatOptions": {
"palette": "turquoise"
}
}
]
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cisco_umbrella_proxy_dashboard"
},
"customWidth": "30",
"name": "ProxyEventsByUrlCategory"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let list_IP = Cisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"proxylogs\"\n| where DvcAction == \"BLOCKED\"\n|summarize Count=count() by SrcIpAddr | top 10 by Count\n| summarize makelist(SrcIpAddr);\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"proxylogs\"\n| where DvcAction == \"BLOCKED\"\n|summarize Count=count() by SrcIpAddr \n| join kind = inner (\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"proxylogs\"\n| where DvcAction == \"BLOCKED\"\n| where SrcIpAddr in (list_IP)\n| make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SrcIpAddr)\n on SrcIpAddr\n | project-away SrcIpAddr1, TimeGenerated\n | project SrcIpAddr, Count, Trend\n | order by Count\n| take 10\n\n",
"size": 0,
"title": "Proxy - Top 10 Source IP with Blocked Action",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 8,
"formatOptions": {
"palette": "blueGreen"
}
},
{
"columnMatch": "Trend",
"formatter": 10,
"formatOptions": {
"palette": "turquoise"
}
}
]
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cisco_umbrella_proxy_dashboard"
},
"customWidth": "35",
"name": "ProxyTop10SourceIPBlockedAction"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"proxylogs\"\n| where isnotempty(ThreatCategory)\n| extend Threat_Category=parsejson(tostring(ThreatCategory))\n| mv-expand Threat_Category\n| summarize Count=count() by tostring(Threat_Category)\n| sort by Count \n| join kind = inner (\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"proxylogs\"\n| where isnotempty(ThreatCategory)\n| extend Threat_Category=parsejson(tostring(ThreatCategory))\n| mv-expand Threat_Category\n| make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by tostring(Threat_Category))\n on Threat_Category\n | project-away Threat_Category1, TimeGenerated\n | project Threat_Category, Count, Trend\n | order by Count\n| take 10",
"size": 0,
"title": "Proxy - Events by Threat Category",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 8,
"formatOptions": {
"palette": "blueGreen"
}
},
{
"columnMatch": "Trend",
"formatter": 10,
"formatOptions": {
"palette": "turquoise"
}
}
]
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cisco_umbrella_proxy_dashboard"
},
"customWidth": "35",
"name": "ProxyEventsByThreatCategory"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cisco_Umbrella\n| where TimeGenerated {TimeRange}\n| where EventType == \"proxylogs\"\n| where DvcAction == \"BLOCKED\"\n| summarize Count=count() by UrlOriginal, UrlCategory \n| top 10 by Count\n",
"size": 0,
"title": "Proxy - Top 10 Blocked Url ",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cisco_umbrella_proxy_dashboard"
},
"name": "ProxyTop10BlockedUrl "
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"cloudfirewalllogs\"\n| summarize count() by DvcAction",
"size": 3,
"title": "Firewall - Events count by Action",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "DvcAction",
"formatter": 1
},
"leftContent": {
"columnMatch": "count_",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cisco_umbrella_firewall_dashboard"
},
"customWidth": "30",
"name": "FirewallEventsCountByAction"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "\nCisco_Umbrella\n| where TimeGenerated {TimeRange} \n| where EventType == \"cloudfirewalllogs\"\n| make-series Packets = sum(toint(NetworkPackets)) on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by NetworkDirection",
"size": 0,
"title": "Firewall - Traffic over time, Packets",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cisco_umbrella_firewall_dashboard"
},
"customWidth": "70",
"name": "FirewallTrafficOverTime"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cisco_Umbrella\n|where EventType == \"cloudfirewalllogs\"\n| where DvcAction contains \"BLOCK\"\n| where TimeGenerated {TimeRange} \n|make-series Trend = count() on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};",
"size": 0,
"title": "Firewall - Block Events over time",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "cisco_umbrella_firewall_dashboard"
},
"customWidth": "50",
"name": "query - 19"
}
],
"fromTemplateId": "sentinel-CiscoUmbrella",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}



@ -0,0 +1,176 @@
import boto3
import json
import datetime
from botocore.config import Config as BotoCoreConfig
import tempfile
import os
import gzip
import time
import base64
import hashlib
import hmac
import requests
import threading
import azure.functions as func
import logging
import re
customer_id = os.environ['WorkspaceID']
shared_key = os.environ['WorkspaceKey']
log_type = "CrowdstrikeReplicatorLogs"
AWS_KEY = os.environ['AWS_KEY']
AWS_SECRET = os.environ['AWS_SECRET']
AWS_REGION_NAME = os.environ['AWS_REGION_NAME']
QUEUE_URL = os.environ['QUEUE_URL']
VISIBILITY_TIMEOUT = 60
temp_dir = tempfile.TemporaryDirectory()
if 'logAnalyticsUri' in os.environ:
logAnalyticsUri = os.environ['logAnalyticsUri']
pattern = r"https:\/\/([\w\-]+)\.ods\.opinsights\.azure.([a-zA-Z\.]+)$"
match = re.match(pattern,str(logAnalyticsUri))
if not match:
raise Exception("Invalid Log Analytics Uri.")
else:
logAnalyticsUri = "https://" + customer_id + ".ods.opinsights.azure.com"
def get_sqs_messages():
logging.info("Creating SQS connection")
sqs = boto3.resource('sqs', region_name=AWS_REGION_NAME, aws_access_key_id=AWS_KEY, aws_secret_access_key=AWS_SECRET)
queue = sqs.Queue(url=QUEUE_URL)
logging.info("Queue connected")
for msg in queue.receive_messages(VisibilityTimeout=VISIBILITY_TIMEOUT):
msg_body = json.loads(msg.body)
ts = datetime.datetime.utcfromtimestamp(msg_body['timestamp'] / 1000).strftime('%Y-%m-%d %H:%M:%S.%f')[:-3]
logging.info("Start processing bucket {0}: {1} files with total size {2}, bucket timestamp: {3}".format(msg_body['bucket'],msg_body['fileCount'],msg_body['totalSize'],ts))
if "files" in msg_body:
if download_message_files(msg_body) is True:
msg.delete()
def process_message_files():
for file in files_for_handling:
process_file(file)
def download_message_files(msg):
try:
msg_output_path = os.path.join(temp_dir.name, msg['pathPrefix'])
if not os.path.exists(msg_output_path):
os.makedirs(msg_output_path)
for s3_file in msg['files']:
s3_path = s3_file['path']
local_path = os.path.join(temp_dir.name, s3_path)
logging.info("Start downloading file {}".format(s3_path))
s3_client.download_file(msg['bucket'], s3_path, local_path)
if check_damaged_archive(local_path) is True:
logging.info("File {} successfully downloaded.".format(s3_path))
files_for_handling.append(local_path)
else:
logging.warn("File {} damaged. Unpack ERROR.".format(s3_path))
return True
except Exception as ex:
logging.error("Exception in downloading file from S3. Msg: {0}".format(str(ex)))
return False
def check_damaged_archive(file_path):
chunksize = 1024*1024 # 10 Mbytes
with gzip.open(file_path, 'rb') as f:
try:
while f.read(chunksize) != '':
return True
except:
return False
def process_file(file_path):
global processed_messages_success, processed_messages_failed
processed_messages_success = 0
processed_messages_failed = 0
size = 1024*1024
# unzip archive to temp file
out_tmp_file_path = file_path.replace(".gz", ".tmp")
with gzip.open(file_path, 'rb') as f_in:
with open(out_tmp_file_path, 'wb') as f_out:
while True:
data = f_in.read(size)
if not data:
break
f_out.write(data)
os.remove(file_path)
threads = []
with open(out_tmp_file_path) as file_handler:
for data_chunk in split_chunks(file_handler):
chunk_size = len(data_chunk)
logging.info("Processing data chunk of file {} with {} events.".format(out_tmp_file_path, chunk_size))
data = json.dumps(data_chunk)
t = threading.Thread(target=post_data, args=(data, chunk_size))
threads.append(t)
t.start()
for t in threads:
t.join()
logging.info("File {} processed. {} events - successfully, {} events - failed.".format(file_path, processed_messages_success,processed_messages_failed))
os.remove(out_tmp_file_path)
def split_chunks(file_handler, chunk_size=15000):
chunk = []
for line in file_handler:
chunk.append(json.loads(line))
if len(chunk) == chunk_size:
yield chunk
chunk = []
if chunk:
yield chunk
def build_signature(customer_id, shared_key, date, content_length, method, content_type, resource):
x_headers = 'x-ms-date:' + date
string_to_hash = method + "\n" + str(content_length) + "\n" + content_type + "\n" + x_headers + "\n" + resource
bytes_to_hash = bytes(string_to_hash, encoding="utf-8")
decoded_key = base64.b64decode(shared_key)
encoded_hash = base64.b64encode(hmac.new(decoded_key, bytes_to_hash, digestmod=hashlib.sha256).digest()).decode()
authorization = "SharedKey {}:{}".format(customer_id,encoded_hash)
return authorization
def post_data(body,chunk_count):
global processed_messages_success, processed_messages_failed
method = 'POST'
content_type = 'application/json'
resource = '/api/logs'
rfc1123date = datetime.datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT')
content_length = len(body)
signature = build_signature(customer_id, shared_key, rfc1123date, content_length, method, content_type, resource)
uri = logAnalyticsUri + resource + "?api-version=2016-04-01"
headers = {
'content-type': content_type,
'Authorization': signature,
'Log-Type': log_type,
'x-ms-date': rfc1123date
}
response = requests.post(uri,data=body, headers=headers)
if (response.status_code >= 200 and response.status_code <= 299):
processed_messages_success = processed_messages_success + chunk_count
logging.info("Chunk with {} events was processed and uploaded to Azure".format(chunk_count))
else:
processed_messages_failed = processed_messages_failed + chunk_count
logging.warn("Problem with uploading to Azure. Response code: {}".format(response.status_code))
def cb_rename_tmp_to_json(file_path, file_size, lines_count):
out_file_name = file_path.replace(".tmp", ".json")
os.rename(file_path, out_file_name)
def create_s3_client():
try:
boto_config = BotoCoreConfig(region_name=AWS_REGION_NAME)
return boto3.client('s3', region_name=AWS_REGION_NAME, aws_access_key_id=AWS_KEY, aws_secret_access_key=AWS_SECRET, config=boto_config)
except Exception as ex:
logging.error("Connect to S3 exception. Msg: {0}".format(str(ex)))
return None
s3_client = create_s3_client()
def main(mytimer: func.TimerRequest) -> None:
if mytimer.past_due:
logging.info('The timer is past due!')
logging.info('Starting program')
logging.info(logAnalyticsUri)
global files_for_handling
files_for_handling = []
get_sqs_messages()
process_message_files()
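Review bot: `download_message_files` writes to `local_path = os.path.join(temp_dir.name, s3_path)` with `s3_path` taken straight from the SQS message body, so a key containing `..` would resolve outside the scratch directory (the same applies to `msg['pathPrefix']`), and the function returns True even when `check_damaged_archive` rejects a file, so `get_sqs_messages` deletes the message and that file is silently dropped from ingestion. `check_damaged_archive` itself compares the bytes returned by `gzip.open(..., 'rb')` against `''`, which never matches, so it returns True after the first chunk and only a gzip error in that first read counts as damage — `while f.read(chunksize): pass` followed by `return True` would scan the whole archive, and the bare `except:` should at least log what failed. `requests.post` in `post_data` has no `timeout=`, so one stalled Log Analytics call blocks its worker thread for the rest of the function run; `requests.post(uri, data=body, headers=headers, timeout=(10, 60))` is a reasonable start. The rewritten download loop below confines paths to the temp directory and reports partial failure so the message stays on the queue for a later retry.
```python
def download_message_files(msg):
    try:
        base_dir = os.path.realpath(temp_dir.name)
        msg_output_path = os.path.join(temp_dir.name, msg['pathPrefix'])
        if not os.path.exists(msg_output_path):
            os.makedirs(msg_output_path)
        all_ok = True
        for s3_file in msg['files']:
            s3_path = s3_file['path']
            local_path = os.path.realpath(os.path.join(base_dir, s3_path))
            # reject keys that would resolve outside the scratch directory
            if os.path.commonpath([base_dir, local_path]) != base_dir:
                logging.error("Skipping file {}: path escapes temp directory".format(s3_path))
                all_ok = False
                continue
            logging.info("Start downloading file {}".format(s3_path))
            s3_client.download_file(msg['bucket'], s3_path, local_path)
            if check_damaged_archive(local_path) is True:
                logging.info("File {} successfully downloaded.".format(s3_path))
                files_for_handling.append(local_path)
            else:
                logging.warning("File {} damaged. Unpack ERROR.".format(s3_path))
                all_ok = False
        # True only when every file is ready; otherwise the SQS message is kept for retry
        return all_ok
    except Exception as ex:
        # … unchanged: error logging, return False …
```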


@ -0,0 +1,11 @@
{
"scriptFile": "__init__.py",
"bindings": [
{
"name": "mytimer",
"type": "timerTrigger",
"direction": "in",
"schedule": "0 */5 * * * *"
}
]
}


@ -0,0 +1,121 @@
{
"id": "CrowdstrikeReplicator",
"title": "Crowdstrike Falcon Data Replicator",
"publisher": "Crowdstrike",
"descriptionMarkdown": "The [Crowdstrike](https://www.crowdstrike.com/) Falcon Data Replicator connector provides the capability to ingest raw event data from the [Falcon Platform](https://www.crowdstrike.com/blog/tech-center/intro-to-falcon-data-replicator/) events into Azure Sentinel. The connector provides ability to get events from Falcon Agents which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.",
"additionalRequirementBanner": "These queries and workbooks are dependent on a parser based on Kusto to work as expected. Follow the steps to use this Kusto functions alias **CrowdstrikeReplicator** in queries and workbooks [Follow steps to get this Kusto functions>](https://aka.ms/sentinel-crowdstrikereplicator-parser).",
"graphQueries": [{
"metricName": "Total data received",
"legend": "CrowdstrikeReplicatorLogs_CL",
"baseQuery": "CrowdstrikeReplicatorLogs_CL"
}
],
"sampleQueries": [{
"description": "Data Replicator - All Activities",
"query": "CrowdstrikeReplicator\n | sort by TimeGenerated desc"
}
],
"dataTypes": [{
"name": "CrowdstrikeReplicatorLogs_CL",
"lastDataReceivedQuery": "CrowdstrikeReplicatorLogs_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [{
"type": "IsConnectedQuery",
"value": [
"CrowdstrikeReplicatorLogs_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": true
},
"permissions": {
"resourceProvider": [{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions on the workspace are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [{
"name": "Microsoft.Web/sites permissions",
"description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
},
{
"name": "SQS and AWS S3 account credentials/permissions",
"description": "**AWS_SECRET**, **AWS_REGION_NAME**, **AWS_KEY**, **QUEUE_URL** is required. [See the documentation to learn more about data pulling](https://www.crowdstrike.com/blog/tech-center/intro-to-falcon-data-replicator/). To start, contact CrowdStrike support. At your request they will create a CrowdStrike managed Amazon Web Services (AWS) S3 bucket for short term storage purposes as well as a SQS (simple queue service) account for monitoring changes to the S3 bucket."
}
]
},
"instructionSteps": [{
"title": "",
"description": ">**NOTE:** This connector uses Azure Functions to connect to the S3 bucket to pull logs into Azure Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
},
{
"title": "",
"description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
},
{
"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. [Follow these steps](https://aka.ms/sentinel-crowdstrikereplicator-parser) to create the Kusto functions alias, **CrowdstrikeReplicator**."
},
{
"title": "",
"description": "**STEP 1 - Contact CrowdStrike support to obtain the credentials and Queue URL.**\n"
},
{
"title": "",
"description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Crowdstrike Falcon Data Replicator connector, have the Workspace ID and Workspace Primary Key (can be copied from the following).",
"instructions": [{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID"
},
"type": "CopyableLabel"
},
{
"parameters": {
"fillWith": [
"PrimaryKey"
],
"label": "Primary Key"
},
"type": "CopyableLabel"
}
]
},
{
"title": "Option 1 - Azure Resource Manager (ARM) Template",
"description": "Use this method for automated deployment of the Crowdstrike Falcon Data Replicator connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-CrowdstrikeReplicator-azuredeploy)\n2. Select the preferred **AWS_SECRET**, **AWS_REGION_NAME**, **AWS_KEY**, **QUEUE_URL**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group.\n3. Enter the **AWS_SECRET**, **AWS_REGION_NAME**, **AWS_KEY**, **QUEUE_URL** and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."
},
{
"title": "Option 2 - Manual Deployment of Azure Functions",
"description": "Use the following step-by-step instructions to deploy the Crowdstrike Falcon Data Replicator connector manually with Azure Functions (Deployment via Visual Studio Code)."
},
{
"title": "",
"description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CrowdstrikeReplicator-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CrowdstrikeReplicatorXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Azure Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration."
},
{
"title": "",
"description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select ** New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tAWS_KEY\n\t\tAWS_SECRET\n\t\tAWS_REGION_NAME\n\t\tQUEUE_URL\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://<CustomerId>.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**."
}
]
}
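Review bot: The `descriptionMarkdown` says the connector "helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems", which reads as text carried over from a different connector and does not describe Falcon endpoint telemetry; the collaboration clause should go. The "Option 1" description has "ARM Tempate" (should be "Template"), and the permissions text "**AWS_SECRET**, **AWS_REGION_NAME**, **AWS_KEY**, **QUEUE_URL** is required" should read "are required". In the same Option 1 steps, item 2 "Select the preferred AWS_SECRET, AWS_REGION_NAME, AWS_KEY, QUEUE_URL" is followed by item 3 "Enter the AWS_SECRET, ..."; item 2 presumably meant the subscription and resource group, so the two steps look like a copy-paste slip.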


@ -0,0 +1,206 @@
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"FunctionName": {
"defaultValue": "CSFalcon",
"minLength": 1,
"maxLength": 11,
"type": "string"
},
"WorkspaceID": {
"type": "string",
"defaultValue": "<workspaceID>"
},
"WorkspaceKey": {
"type": "securestring",
"defaultValue": "<workspaceKey>"
},
"AWS_KEY": {
"type": "string",
"defaultValue": "<AWS_KEY>"
},
"AWS_SECRET": {
"type": "securestring",
"defaultValue": "<AWS_SECRET>"
},
"AWS_REGION_NAME": {
"type": "string",
"defaultValue": "<AWS_REGION_NAME>"
},
"QUEUE_URL": {
"type": "string",
"defaultValue": "<QUEUE_URL>"
}
},
"variables": {
"FunctionName": "[concat(toLower(parameters('FunctionName')), uniqueString(resourceGroup().id))]",
"StorageSuffix": "[environment().suffixes.storage]",
"LogAnaltyicsUri": "[replace(environment().portal, 'https://portal', concat('https://', toLower(parameters('WorkspaceID')), '.ods.opinsights'))]"
},
"resources": [
{
"type": "Microsoft.Insights/components",
"apiVersion": "2015-05-01",
"name": "[variables('FunctionName')]",
"location": "[resourceGroup().location]",
"kind": "web",
"properties": {
"Application_Type": "web",
"ApplicationId": "[variables('FunctionName')]"
}
},
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"name": "[tolower(variables('FunctionName'))]",
"location": "[resourceGroup().location]",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"networkAcls": {
"bypass": "AzureServices",
"virtualNetworkRules": [],
"ipRules": [],
"defaultAction": "Allow"
},
"supportsHttpsTrafficOnly": true,
"encryption": {
"services": {
"file": {
"keyType": "Account",
"enabled": true
},
"blob": {
"keyType": "Account",
"enabled": true
}
},
"keySource": "Microsoft.Storage"
}
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]"
],
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"properties": {
"cors": {
"corsRules": []
},
"deleteRetentionPolicy": {
"enabled": false
}
}
},
{
"type": "Microsoft.Storage/storageAccounts/fileServices",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]"
],
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"properties": {
"cors": {
"corsRules": []
}
}
},
{
"type": "Microsoft.Web/sites",
"apiVersion": "2018-11-01",
"name": "[variables('FunctionName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]",
"[resourceId('Microsoft.Insights/components', variables('FunctionName'))]"
],
"kind": "functionapp,linux",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"name": "[variables('FunctionName')]",
"httpsOnly": true,
"clientAffinityEnabled": true,
"alwaysOn": true,
"reserved": true
},
"resources": [
{
"apiVersion": "2018-11-01",
"type": "config",
"name": "appsettings",
"dependsOn": [
"[concat('Microsoft.Web/sites/', variables('FunctionName'))]"
],
"properties": {
"FUNCTIONS_EXTENSION_VERSION": "~3",
"FUNCTIONS_WORKER_RUNTIME": "python",
"APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', variables('FunctionName')), '2015-05-01').InstrumentationKey]",
"APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', variables('FunctionName')), '2015-05-01').ConnectionString]",
"AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('FunctionName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]",
"logAnalyticsUri": "[variables('LogAnaltyicsUri')]",
"WorkspaceID": "[parameters('WorkspaceID')]",
"WorkspaceKey": "[parameters('WorkspaceKey')]",
"AWS_KEY": "[parameters('AWS_KEY')]",
"AWS_SECRET": "[parameters('AWS_SECRET')]",
"AWS_REGION_NAME": "[parameters('AWS_REGION_NAME')]",
"QUEUE_URL": "[parameters('QUEUE_URL')]",
"WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-CrowdstrikeReplicator-functionapp"
}
}
]
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default/azure-webjobs-hosts')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('FunctionName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]"
],
"properties": {
"publicAccess": "None"
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default/azure-webjobs-secrets')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('FunctionName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]"
],
"properties": {
"publicAccess": "None"
}
},
{
"type": "Microsoft.Storage/storageAccounts/fileServices/shares",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default/', tolower(variables('FunctionName')))]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/fileServices', variables('FunctionName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]"
],
"properties": {
"shareQuota": 5120
}
}
]
}
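Review bot: The `Microsoft.Storage/storageAccounts` resource is deployed with `"defaultAction": "Allow"` and empty `ipRules`, and sets neither `minimumTlsVersion` nor `allowBlobPublicAccess`, so the account whose key is exposed through `listKeys` in `AzureWebJobsStorage` accepts pre-1.2 TLS from any network and leaves account-level public blob access at the platform default; adding `"minimumTlsVersion": "TLS1_2"` and `"allowBlobPublicAccess": false` under its `properties` costs nothing for this workload. `WorkspaceKey` and `AWS_SECRET` are correctly typed `securestring` as parameters but are then written verbatim into the function's `appsettings`, where they are readable in the configuration blade by anyone with site-level read access; the connector text presents Key Vault only as an optional step, and a Key Vault reference here would be the stronger default. The variable name `LogAnaltyicsUri` is misspelled; it works because both uses agree, but `LogAnalyticsUri` would match the `logAnalyticsUri` setting it feeds.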


@ -0,0 +1,15 @@
{
"version": "2.0",
"logging": {
"applicationInsights": {
"samplingSettings": {
"isEnabled": true,
"excludedTypes": "Request"
}
}
},
"extensionBundle": {
"id": "Microsoft.Azure.Functions.ExtensionBundle",
"version": "[1.*, 2.0.0)"
}
}


@ -0,0 +1,4 @@
{
"$schema": "http://json.schemastore.org/proxies",
"proxies": {}
}


@ -0,0 +1,7 @@
# DO NOT include azure-functions-worker in this file
# The Python Worker is managed by Azure Functions platform
# Manually managing azure-functions-worker may cause unexpected issues
azure-functions
boto3
requests
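Review bot: `boto3` and `requests` are listed without version pins, so each deployment resolves whatever is current on PyPI and the transitive set (botocore, urllib3 and friends) can change under the function without any change to this repository; pin them, e.g. `boto3==<tested-version>` and `requests==<tested-version>` (placeholders for the versions the function was validated against), and bump deliberately. `azure-functions` can be pinned the same way once the tested version is known.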


@ -0,0 +1,7 @@
<svg width="75" height="75" viewBox="0 0 75 75" fill="none" xmlns="http://www.w3.org/2000/svg">
<path d="M71.2837 56.2381C68.5154 55.7879 65.6757 56.2237 63.1699 57.4833C59.5898 59.3123 58.1694 59.4291 56.3988 59.1956C56.9241 60.149 57.9748 61.4721 61.2826 61.7056C64.5903 61.9391 66.1664 62.0364 64.4347 66.1808C64.4347 64.9355 64.1817 62.5033 60.8934 62.9314C57.6051 63.3595 56.8463 66.3364 60.3681 67.8152C59.2201 68.0487 56.7879 68.1849 55.0562 63.6124C53.8499 64.1378 52.0014 65.1884 48.6547 62.6006C49.4985 62.8744 50.3757 63.0315 51.262 63.0676C48.2343 61.4944 45.6158 59.2357 43.6153 56.4715C44.9714 57.6327 46.597 58.4355 48.3434 58.8064C44.7347 54.5997 40.8336 50.653 36.669 46.9958C40.1324 49.2723 44.3352 52.833 51.1842 52.0547C58.0332 51.2764 62.5084 49.6809 71.2837 56.2381Z" fill="#FC3000"/>
<path d="M41.9614 54.6037C38.5202 53.0091 34.92 51.783 31.221 50.9457C25.5187 49.6367 20.3969 46.509 16.6279 42.0342C19.1768 43.9799 24.4109 47.7157 29.7811 47.3071C28.6667 45.9677 27.254 44.9082 25.6561 44.2134C27.6992 44.6999 33.8477 46.2954 41.9614 54.6037Z" fill="#FC3000"/>
<path d="M32.6024 38.6291C31.4933 35.4381 29.4892 31.3521 20.0135 25.2814C12.4574 20.7469 5.61242 15.1214 -0.299988 8.58698C0.342105 11.2332 3.16342 18.1016 17.3673 27.0131C22.0371 30.2041 28.0494 32.1888 32.6024 38.6875V38.6291Z" fill="#FC3000"/>
<path d="M33.1861 43.26C32.0187 40.5554 29.6838 37.092 20.4999 32.1498C13.8333 28.8269 7.75924 24.4291 2.52133 19.1329C3.10505 21.6429 6.1404 27.1688 19.1574 34.0761C22.7181 36.0608 28.8861 37.9287 33.1861 43.26Z" fill="#FC3000"/>
<path d="M42.0976 29.3091C24.1968 24.1529 17.0754 17.6736 11.569 10.8635C14.079 18.6464 20.0719 21.4872 26.4928 26.7407C32.9137 31.9942 33.264 34.8155 35.1513 37.9287C39.3541 44.836 40.0157 45.9646 44.1795 48.9999C49.1023 52.2688 55.0562 50.0506 61.5744 51.0819C66.7553 52.0585 71.4072 54.8786 74.6692 59.0205C76.0312 56.5688 72.7235 53.0471 71.8868 52.152C72.3538 48.9415 64.8043 47.5406 61.9247 46.4316C61.3799 46.2175 59.9789 45.8867 61.1853 43.0071C62.8197 39.1156 64.5125 35.5743 42.0976 29.3869V29.3091ZM67.9175 50.4009C71.3226 50.9067 71.1475 51.6267 71.1864 52.8719C70.2376 51.8768 69.1337 51.0423 67.9175 50.4009V50.4009Z" fill="#FC3000"/>
</svg>





@ -0,0 +1,17 @@
## Azure Sentinel Analytics Usecases
|No|Use-case |Artefacts |
|--|---------------|--------------------|
|1|Receive an alert when users are accessing resources outside a specified time range.|Data Sources – Azure AD Sign-in logs, Defined time range Azure AD Group<br> that will be monitored for login activity, a logic app that pulls members of AD Group<br> into a LA table, Analytics rule that will trigger an incident when a member of the AD Group<br> signs in outside of the defined time range. KQL Query:<span style="color:lightblue"><pre>SigninLogs &#124;extend TimeInUK = CreatedDateTime&#124;extend day = (dayofweek(TimeInUK))<br>&#124; extend daystarting = tostring(day) //daystrating definitions, 1=Monday, 2=Tuesday,<br> 3=Wednesday, 4=Thursday, 5=Friday, 6=Saturday, 7=Sunday&#124; where daystarting<br> == "6.00:00:00" or daystarting == "7.00:00:00" or hourofday(TimeInUK)<br> !between (7...18)&#124; project TimeGenerated , TimeInUK , UserPrincipalName<br> , day , AppDisplayName , username = UserPrincipalName &#124; <br>join (UserWatchlist_CL &#124; project-rename username = Username_s )<br> on username &#124; project TimeInUK , day , username , AppDisplayName)*</span></pre>|
|2|Use a watchlist to dismiss expected alerts|Data Sources – Azure Defender for IoT, list of user and device pairs uploaded into a Watchlist,<br> Analytics rule that will look up the watchlist and a Playbook that will close incidents from expected alerts.KQL Query:<span style="color:lightblue"><pre>let alert = (SecurityAlert &#124; where TimeGenerated > ago(14d) &#124;where DisplayName<br> == "Brute force attempt"&#124;extend DeviceID = tostring(parse_json(ExtendedProperties)<br>"DeviceId"])&#124; extend UserID = tostring(parse_json(ExtendedProperties)["UserId"])<br>&#124;extend UserName = tostring(parse_json(ExtendedProperties)["UserName"])<br>&#124; project DeviceID, UserName,SystemAlertId);let watchlst =<br> (_GetWatchlist("iwatch"));alert&#124; join kind=inner watchlst on<br> $left.DeviceID == $right.device and $left.UserName == $right.username</span></pre>|
|3|Detect priviledge escalation-user created then deleted within 10 minutes |Data sources: Azure AD and Windows Security Events. KQL Query: <span style="color:lightblue"><pre>let timeframe = 10m;let lookback = 1d;let account_created =SecurityEvent<br> &#124; where TimeGenerated > ago(lookback+timeframe)&#124; where EventID == "4720"<br> // A user account was created&#124; where AccountType =~ "User"<br>&#124; project creationTime = TimeGenerated, CreateEventID =<br>EventID,Activity, Computer, TargetUserName, UserPrincipalName,<br> AccountUsedToCreate = SubjectUserName, TargetSid,<br> SubjectUserSid;account_created &#124; join kind= inner (account_deleted)<br> on Computer, TargetUserName&#124; where deletionTime - creationTime<br> < lookback&#124; where tolong(deletionTime - creationTime)<br> >= 0&#124;extend timestamp = creationTime, AccountCustomEntity<br> = AccountUsedToCreate, HostCustomEntity = Computer*</span></pre>|
|4|Detect Solorigate Network Beacon|Data sources: DNS, CISCO ASA, Palo Alto Networks, Microsoft 365 Defender. KQL Query: <span style="color:lightblue"><pre>let domains = dynamic(["incomeupdate.com","zupertech.com","databasegalore.com","panhardware.com","avsvmcloud.com","digitalcollege.org","freescanonline.com","deftsecurity.com","thedoccloud.com","virtualdataserver.com","lcomputers.com","webcodez.com","globalnetworkissues.com","kubecloud.com","seobundlekit.com","solartrackingsystem.net","virtualwebdata.com"]);let timeframe = 6h;(union isfuzzy=true(CommonSecurityLog &#124; where TimeGenerated >= ago(timeframe)&#124; parse Message with * '(' DNSName ')' * &#124; where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains) &#124; extend AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP ),(DnsEvents &#124; where TimeGenerated >= ago(timeframe) &#124; extend DNSName = Name&#124; where isnotempty(DNSName)&#124; where DNSName in~ (domains) &#124; extend IPCustomEntity = ClientIP),VMConnection&#124; where TimeGenerated >= ago(timeframe)&#124; parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *&#124; where isnotempty(DNSName)&#124; where DNSName in~ (domains)&#124; extend IPCustomEntity = RemoteIp ),(DeviceNetworkEvents &#124; where TimeGenerated >= ago(timeframe)&#124; where isnotempty(RemoteUrl)&#124; where RemoteUrl has_any (domains)&#124; extend DNSName = RemoteUrl&#124; extend IPCustomEntity = RemoteIP&#124; extend HostCustomEntity = DeviceName)) *</span></pre>|
|5 |An IP address that had (failed) attempts to sign in to one or more disabled accounts signed in successfully to another account.|Data Sources: Azure AD.Analytics that looks for specific Azure AD Sign-In log entries<br> 50057 = User account is disabled.The account has been disabled by an administrator.KQL Query: <span style="color:lightblue"><pre>let lookBack = 1d;SigninLogs &#124; where TimeGenerated >= ago(lookBack)<br>&#124; where ResultType == "50057"&#124; where ResultDescription == "User account<br> is disabled.The account has been disabled by an administrator."&#124;<br> summarize StartTimeUtc = min(TimeGenerated),EndTimeUtc<br> = max(TimeGenerated),<br> disabledAccountLoginAttempts = count(),disabledAccountsTargeted<br> = dcount(UserPrincipalName), applicationsTargeted<br> = dcount(AppDisplayName), disabledAccountSet<br> = makeset(UserPrincipalName),applicationSet<br> = makeset(AppDisplayName) by IPAddress&#124; order by<br> disabledAccountLoginAttempts desc&#124; join<br> kind= leftouter (// Consider these IPs suspicious - and alert<br> any related successful sign-insSigninLogs&#124; where TimeGenerated<br> >= ago(lookBack)&#124; where ResultType == 0&#124; summarize <br>successfulAccountSigninCount = dcount(UserPrincipalName), successfulAccountSigninSet<br> = makeset(UserPrincipalName, 15) by IPAddress// Assume IPs associated with sign-ins<br> from 100+ distinct user accounts are safe&#124; where successfulAccountSigninCount<br> < 100) on IPAddress// IPs from which attempts to authenticate<br> as disabled user accounts originated, and had a non-zero<br> success rate for some other account&#124; where successfulAccountSigninCount<br> != 0&#124; project StartTimeUtc, EndTimeUtc, IPAddress, disabledAccountLoginAttempts,<br> disabledAccountsTargeted, disabledAccountSet, applicationSet,<br> successfulAccountSigninCount,successfulAccountSigninSet&#124;<br> order by disabledAccountLoginAttempts&#124; extend timestamp = <br>StartTimeUtc,IPCustomEntity = 
IPAddress</span></pre>|
|6|Detect Brute Force attack based on statistical detections|Data sources: Azure AD. KQL Query:<span style="color:lightblue"><pre>let signin_threshold = toscalar(SigninLogs &#124; where TimeGenerated >= startofday(ago(7d))<br> and TimeGenerated < startofday(now()) &#124; where ResultType !in ("0", "50125", "50140")<br> &#124; where IPAddress != "127.0.0.1" &#124; summarize cnt=count() by IPAddress, bin(TimeGenerated, 1d)<br> &#124; summarize percentile(cnt, 95)); &#124; SigninLogs&#124; where signin_threshold > 10 and Location == "KE"</span></pre>|

Tools/RuleMigration/Data table mapping.xlsx Normal file



@ -0,0 +1,7 @@
### KQL Optimization Resources
|No|Resources |
|--|--------------------|
|1 | [KQL Query best practices](https://docs.microsoft.com/azure/data-explorer/kusto/query/best-practices) |
|2 | [Optimize Queries in Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/query-optimization) |
|3 | [Optimizing KQL performance-Webinar](https://youtu.be/jN1Cz0JcLYU) |


@ -288,7 +288,7 @@
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "[uri(parameters('_artifactsLocation'), 'Sentinel-All-In-One/MSSPversion/scheduledAlerts.json')]",
"uri": "[uri(parameters('_artifactsLocation'), 'Sentinel-All-In-One/MSSPversion/LinkedTemplates/scheduledAlerts.json')]",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -359,4 +359,4 @@
"value": "[replace(replace(string(parameters('enableDataConnectorsKind')),'\"',''),'[','')]"
}
}
}
}

981
Workbooks/Cloudflare.json Normal file

@ -0,0 +1,981 @@
{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": ">**NOTE:** This workbook uses a parser based on a Kusto Function to normalize fields. [Follow these steps](https://aka.ms/sentinel-CloudflareDataConnector-parser) to create the Kusto function alias **Cloudflare**."
},
"name": "text - 0"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "2088f290-65ee-4357-badb-55ce732a5004",
"cellValue": "tab",
"linkTarget": "parameter",
"linkLabel": "Cloudflare Web Traffic Overview",
"subTarget": "cloudflare_web_traffic_overview",
"style": "link"
},
{
"id": "25df6ee6-dcf7-4aa2-b90e-50f8a4b6548d",
"cellValue": "tab",
"linkTarget": "parameter",
"linkLabel": "Cloudflare Security Overview",
"subTarget": "cloudflare_security_overview",
"style": "link"
},
{
"id": "a2108bc6-5769-4c86-a5c0-201f531ed929",
"cellValue": "tab",
"linkTarget": "parameter",
"linkLabel": "Cloudflare Reliability Summary",
"subTarget": "cloudflare_reliability_summary",
"style": "link"
}
]
},
"name": "links - 1"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "c64d5d3d-90c6-484a-ab88-c70652b75b6e",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 172800000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
},
"timeContext": {
"durationMs": 86400000
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cloudflare_CL\n| summarize count() by ClientDeviceType_s",
"size": 0,
"title": "Traffic Type",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"conditionalVisibility": {
"parameterName": "tab",
"comparison": "isEqualTo",
"value": "cloudflare_web_traffic_overview"
},
"customWidth": "25",
"name": "Traffic Type"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cloudflare_CL\n| summarize count() by ClientRequestProtocol_s",
"size": 0,
"title": "HTTP Protocols",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"conditionalVisibility": {
"parameterName": "tab",
"comparison": "isEqualTo",
"value": "cloudflare_web_traffic_overview"
},
"customWidth": "25",
"name": "HTTP Protocols"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cloudflare_CL\n| summarize count() by ClientRequestMethod_s",
"size": 0,
"title": "Request Methods",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"conditionalVisibility": {
"parameterName": "tab",
"comparison": "isEqualTo",
"value": "cloudflare_web_traffic_overview"
},
"customWidth": "25",
"name": "Request Methods"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cloudflare_CL\n| extend EdgeResponseContentType = iif(isempty(EdgeResponseContentType_s),\"empty\",EdgeResponseContentType_s )\n| summarize count() by EdgeResponseContentType",
"size": 0,
"title": "Content Types",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"conditionalVisibility": {
"parameterName": "tab",
"comparison": "isEqualTo",
"value": "cloudflare_web_traffic_overview"
},
"customWidth": "25",
"name": "Content Types"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cloudflare_CL\n| summarize Count=count() by ClientRequestURI_s\n| sort by Count | project-rename ClientRequestURI=ClientRequestURI_s | take 50",
"size": 0,
"title": "Top Requested URIs",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table"
},
"conditionalVisibility": {
"parameterName": "tab",
"comparison": "isEqualTo",
"value": "cloudflare_web_traffic_overview"
},
"customWidth": "25",
"name": "Top Requested URIs"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cloudflare_CL\n| summarize Count=count() by ClientIP_s\n| sort by Count | take 50 | project-rename ClientIP=ClientIP_s",
"size": 0,
"title": "Top Traffic IPs",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table"
},
"conditionalVisibility": {
"parameterName": "tab",
"comparison": "isEqualTo",
"value": "cloudflare_web_traffic_overview"
},
"customWidth": "25",
"name": "Top Traffic IPs"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cloudflare_CL\n| extend ClientRequestReferer = iif(isempty(ClientRequestReferer_s),\"empty\",ClientRequestReferer_s )\n| summarize Count=count() by ClientRequestReferer\n| sort by Count | take 50\n",
"size": 0,
"title": "Top Referer",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table"
},
"conditionalVisibility": {
"parameterName": "tab",
"comparison": "isEqualTo",
"value": "cloudflare_web_traffic_overview"
},
"customWidth": "25",
"name": "Top Referer"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cloudflare_CL\n| summarize Count=count() by ClientIPClass_s | project-rename ClientIPClass=ClientIPClass_s\n| sort by Count | take 50\n",
"size": 0,
"title": "Top Traffic Types",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"conditionalVisibility": {
"parameterName": "tab",
"comparison": "isEqualTo",
"value": "cloudflare_web_traffic_overview"
},
"customWidth": "25",
"name": "Top Traffic Types"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cloudflare_CL\n| summarize Count=count() by ClientRequestUserAgent_s | project-rename ClientRequestUserAgent=ClientRequestUserAgent_s\n| sort by Count | take 50",
"size": 0,
"title": "Top User Agents",
"timeContext": {
"durationMs": 86400000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "ClientRequestUserAgent",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "75%"
}
}
]
}
},
"conditionalVisibility": {
"parameterName": "tab",
"comparison": "isEqualTo",
"value": "cloudflare_web_traffic_overview"
},
"name": "Top User Agents"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let total_number_of_requests =\nCloudflare_CL\n| summarize Count=count()\n| extend title=\"Total Number Of Requests\";\n\nlet threats_stopped =\nCloudflare_CL \n| extend threat=case(EdgePathingSrc_s ==\"user\" and EdgePathingOp_s == \"ban\" and EdgePathingStatus_s has \"ip\" ,\"IP Block\",EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ctry\",\"Country Block\",EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"zl\", \"Routed by Zone Lockdown\", EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ua\", \"Blocked User Agent\", EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"rateLimit\", \"Blocked by Rate Limiting\", EdgePathingSrc_s==\"filterBasedFirewall\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"unknown\", \"Blocked by Filter Based Firewall\", EdgePathingSrc_s==\"filterBasedFirewall\" and EdgePathingOp_s==\"chl\", \"Challenged by Filter Based Firewall\", EdgePathingSrc_s==\"bic\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"unknown\", \"Browser Integrity Check\", EdgePathingSrc_s==\"hot\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ctry\", \"Blocked Hotlink\", EdgePathingSrc_s==\"hot\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ip\", \"Blocked Hotlink\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaErr\", \"CAPTCHA Error\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaFail\", \"CAPTCHA Challenge Failed\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaNew\", \"New CAPTCHA\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlErr\", \"Java Script Challenge Error\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlFail\", \"Java Script Challenge Failed\", 
EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlNew\", \"New Java Script Challenge\", EdgePathingSrc_s==\"protect\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"17ddos\", \"L7 DDos Mitigation\",\"\")\n| where isnotempty(threat) | summarize Count=count()\n| extend title=\"Stopped Threats\";\n\nlet result_table = union total_number_of_requests, threats_stopped; \nresult_table \n| sort by Count\n\n",
"size": 0,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "title",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"showBorder": false,
"sortCriteriaField": "Count",
"sortOrderField": 2,
"size": "auto"
}
},
"conditionalVisibility": {
"parameterName": "tab",
"comparison": "isEqualTo",
"value": "cloudflare_security_overview"
},
"customWidth": "33",
"name": "Req_Threats_title"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cloudflare_CL \n| extend threat=case(EdgePathingSrc_s ==\"user\" and EdgePathingOp_s == \"ban\" and EdgePathingStatus_s has \"ip\" ,\"IP Block\",EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ctry\",\"Country Block\",EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"zl\", \"Routed by Zone Lockdown\", EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ua\", \"Blocked User Agent\", EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"rateLimit\", \"Blocked by Rate Limiting\", EdgePathingSrc_s==\"filterBasedFirewall\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"unknown\", \"Blocked by Filter Based Firewall\", EdgePathingSrc_s==\"filterBasedFirewall\" and EdgePathingOp_s==\"chl\", \"Challenged by Filter Based Firewall\", EdgePathingSrc_s==\"bic\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"unknown\", \"Browser Integrity Check\", EdgePathingSrc_s==\"hot\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ctry\", \"Blocked Hotlink\", EdgePathingSrc_s==\"hot\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ip\", \"Blocked Hotlink\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaErr\", \"CAPTCHA Error\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaFail\", \"CAPTCHA Challenge Failed\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaNew\", \"New CAPTCHA\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlErr\", \"Java Script Challenge Error\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlFail\", \"Java Script Challenge Failed\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlNew\", \"New Java Script Challenge\", EdgePathingSrc_s==\"protect\" 
and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"17ddos\", \"L7 DDos Mitigation\",\"\")\n| where isnotempty(threat)\n| summarize Count=count() by threat",
"size": 0,
"title": "Top Threats",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "categoricalbar",
"tileSettings": {
"titleContent": {
"columnMatch": "title",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"showBorder": false,
"sortCriteriaField": "Count",
"sortOrderField": 2,
"size": "auto"
}
},
"conditionalVisibility": {
"parameterName": "tab",
"comparison": "isEqualTo",
"value": "cloudflare_security_overview"
},
"customWidth": "33",
"name": "Top Threats"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let total_number_of_requests =\nCloudflare_CL\n| summarize Count=count()\n| extend title=\"Total Number Of Requests\";\n\nlet threats_stopped =\nCloudflare_CL \n| extend threat=case(EdgePathingSrc_s ==\"user\" and EdgePathingOp_s == \"ban\" and EdgePathingStatus_s has \"ip\" ,\"IP Block\",EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ctry\",\"Country Block\",EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"zl\", \"Routed by Zone Lockdown\", EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ua\", \"Blocked User Agent\", EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"rateLimit\", \"Blocked by Rate Limiting\", EdgePathingSrc_s==\"filterBasedFirewall\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"unknown\", \"Blocked by Filter Based Firewall\", EdgePathingSrc_s==\"filterBasedFirewall\" and EdgePathingOp_s==\"chl\", \"Challenged by Filter Based Firewall\", EdgePathingSrc_s==\"bic\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"unknown\", \"Browser Integrity Check\", EdgePathingSrc_s==\"hot\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ctry\", \"Blocked Hotlink\", EdgePathingSrc_s==\"hot\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ip\", \"Blocked Hotlink\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaErr\", \"CAPTCHA Error\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaFail\", \"CAPTCHA Challenge Failed\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaNew\", \"New CAPTCHA\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlErr\", \"Java Script Challenge Error\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlFail\", \"Java Script Challenge Failed\", 
EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlNew\", \"New Java Script Challenge\", EdgePathingSrc_s==\"protect\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"17ddos\", \"L7 DDos Mitigation\",\"\")\n| where isnotempty(threat) | summarize Count=count()\n| extend title=\"Stopped Threats\";\n\nlet result_table = union total_number_of_requests, threats_stopped; \nresult_table \n| sort by Count\n\n",
"size": 0,
"title": "Requests vs Threats",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"tileSettings": {
"titleContent": {
"columnMatch": "title",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"showBorder": false,
"sortCriteriaField": "Count",
"sortOrderField": 2,
"size": "auto"
}
},
"conditionalVisibility": {
"parameterName": "tab",
"comparison": "isEqualTo",
"value": "cloudflare_security_overview"
},
"customWidth": "33",
"name": "Requests vs Threats"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cloudflare_CL \n| extend threat=case(EdgePathingSrc_s ==\"user\" and EdgePathingOp_s == \"ban\" and EdgePathingStatus_s has \"ip\" ,\"IP Block\",EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ctry\",\"Country Block\",EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"zl\", \"Routed by Zone Lockdown\", EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ua\", \"Blocked User Agent\", EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"rateLimit\", \"Blocked by Rate Limiting\", EdgePathingSrc_s==\"filterBasedFirewall\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"unknown\", \"Blocked by Filter Based Firewall\", EdgePathingSrc_s==\"filterBasedFirewall\" and EdgePathingOp_s==\"chl\", \"Challenged by Filter Based Firewall\", EdgePathingSrc_s==\"bic\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"unknown\", \"Browser Integrity Check\", EdgePathingSrc_s==\"hot\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ctry\", \"Blocked Hotlink\", EdgePathingSrc_s==\"hot\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ip\", \"Blocked Hotlink\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaErr\", \"CAPTCHA Error\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaFail\", \"CAPTCHA Challenge Failed\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaNew\", \"New CAPTCHA\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlErr\", \"Java Script Challenge Error\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlFail\", \"Java Script Challenge Failed\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlNew\", \"New Java Script Challenge\", EdgePathingSrc_s==\"protect\" 
and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"17ddos\", \"L7 DDos Mitigation\",\"\")\n| where isnotempty(threat)\n| make-series Trend = count() on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};",
"size": 0,
"title": "Threats Over Time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart",
"tileSettings": {
"titleContent": {
"columnMatch": "title",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"showBorder": false,
"sortCriteriaField": "Count",
"sortOrderField": 2,
"size": "auto"
}
},
"conditionalVisibility": {
"parameterName": "tab",
"comparison": "isEqualTo",
"value": "cloudflare_security_overview"
},
"customWidth": "33",
"name": "Threats Over Time"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cloudflare_CL \n| extend threat=case(EdgePathingSrc_s ==\"user\" and EdgePathingOp_s == \"ban\" and EdgePathingStatus_s has \"ip\" ,\"IP Block\",EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ctry\",\"Country Block\",EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"zl\", \"Routed by Zone Lockdown\", EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ua\", \"Blocked User Agent\", EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"rateLimit\", \"Blocked by Rate Limiting\", EdgePathingSrc_s==\"filterBasedFirewall\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"unknown\", \"Blocked by Filter Based Firewall\", EdgePathingSrc_s==\"filterBasedFirewall\" and EdgePathingOp_s==\"chl\", \"Challenged by Filter Based Firewall\", EdgePathingSrc_s==\"bic\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"unknown\", \"Browser Integrity Check\", EdgePathingSrc_s==\"hot\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ctry\", \"Blocked Hotlink\", EdgePathingSrc_s==\"hot\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ip\", \"Blocked Hotlink\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaErr\", \"CAPTCHA Error\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaFail\", \"CAPTCHA Challenge Failed\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaNew\", \"New CAPTCHA\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlErr\", \"Java Script Challenge Error\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlFail\", \"Java Script Challenge Failed\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlNew\", \"New Java Script Challenge\", EdgePathingSrc_s==\"protect\" 
and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"17ddos\", \"L7 DDos Mitigation\",\"\")\n| where isnotempty(threat)\n| summarize count() by ClientCountry_s | project-rename Country=ClientCountry_s | take 20",
"size": 0,
"title": "Top Threat Countries",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"tileSettings": {
"titleContent": {
"columnMatch": "title",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"showBorder": false,
"sortCriteriaField": "Count",
"sortOrderField": 2,
"size": "auto"
}
},
"conditionalVisibility": {
"parameterName": "tab",
"comparison": "isEqualTo",
"value": "cloudflare_security_overview"
},
"customWidth": "33",
"name": "Top Threat Countries"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cloudflare_CL \n| extend threat=case(EdgePathingSrc_s ==\"user\" and EdgePathingOp_s == \"ban\" and EdgePathingStatus_s has \"ip\" ,\"IP Block\",EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ctry\",\"Country Block\",EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"zl\", \"Routed by Zone Lockdown\", EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ua\", \"Blocked User Agent\", EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"rateLimit\", \"Blocked by Rate Limiting\", EdgePathingSrc_s==\"filterBasedFirewall\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"unknown\", \"Blocked by Filter Based Firewall\", EdgePathingSrc_s==\"filterBasedFirewall\" and EdgePathingOp_s==\"chl\", \"Challenged by Filter Based Firewall\", EdgePathingSrc_s==\"bic\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"unknown\", \"Browser Integrity Check\", EdgePathingSrc_s==\"hot\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ctry\", \"Blocked Hotlink\", EdgePathingSrc_s==\"hot\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ip\", \"Blocked Hotlink\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaErr\", \"CAPTCHA Error\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaFail\", \"CAPTCHA Challenge Failed\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaNew\", \"New CAPTCHA\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlErr\", \"Java Script Challenge Error\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlFail\", \"Java Script Challenge Failed\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlNew\", \"New Java Script Challenge\", EdgePathingSrc_s==\"protect\" 
and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"17ddos\", \"L7 DDos Mitigation\",\"\")\n| where isnotempty(threat)\n| summarize count() by ClientIP_s | project-rename ClientIP=ClientIP_s",
"size": 0,
"title": "Top Threat Client IPs",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"tileSettings": {
"titleContent": {
"columnMatch": "title",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"showBorder": false,
"sortCriteriaField": "Count",
"sortOrderField": 2,
"size": "auto"
}
},
"conditionalVisibility": {
"parameterName": "tab",
"comparison": "isEqualTo",
"value": "cloudflare_security_overview"
},
"customWidth": "33",
"name": "Top Threat Client IPs"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cloudflare_CL \n| extend threat=case(EdgePathingSrc_s ==\"user\" and EdgePathingOp_s == \"ban\" and EdgePathingStatus_s has \"ip\" ,\"IP Block\",EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ctry\",\"Country Block\",EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"zl\", \"Routed by Zone Lockdown\", EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ua\", \"Blocked User Agent\", EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"rateLimit\", \"Blocked by Rate Limiting\", EdgePathingSrc_s==\"filterBasedFirewall\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"unknown\", \"Blocked by Filter Based Firewall\", EdgePathingSrc_s==\"filterBasedFirewall\" and EdgePathingOp_s==\"chl\", \"Challenged by Filter Based Firewall\", EdgePathingSrc_s==\"bic\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"unknown\", \"Browser Integrity Check\", EdgePathingSrc_s==\"hot\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ctry\", \"Blocked Hotlink\", EdgePathingSrc_s==\"hot\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ip\", \"Blocked Hotlink\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaErr\", \"CAPTCHA Error\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaFail\", \"CAPTCHA Challenge Failed\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaNew\", \"New CAPTCHA\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlErr\", \"Java Script Challenge Error\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlFail\", \"Java Script Challenge Failed\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlNew\", \"New Java Script Challenge\", EdgePathingSrc_s==\"protect\" 
and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"17ddos\", \"L7 DDos Mitigation\",\"\")\n| where isnotempty(threat)\n| summarize Count=count() by ClientRequestURI_s | project-rename ClientRequestURI=ClientRequestURI_s",
"size": 0,
"title": "Top Threat URIs",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"tileSettings": {
"titleContent": {
"columnMatch": "title",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"showBorder": false,
"sortCriteriaField": "Count",
"sortOrderField": 2,
"size": "auto"
}
},
"conditionalVisibility": {
"parameterName": "tab",
"comparison": "isEqualTo",
"value": "cloudflare_security_overview"
},
"customWidth": "33",
"name": "Top Threat URIs"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cloudflare_CL \n| extend threat=case(EdgePathingSrc_s ==\"user\" and EdgePathingOp_s == \"ban\" and EdgePathingStatus_s has \"ip\" ,\"IP Block\",EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ctry\",\"Country Block\",EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"zl\", \"Routed by Zone Lockdown\", EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ua\", \"Blocked User Agent\", EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"rateLimit\", \"Blocked by Rate Limiting\", EdgePathingSrc_s==\"filterBasedFirewall\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"unknown\", \"Blocked by Filter Based Firewall\", EdgePathingSrc_s==\"filterBasedFirewall\" and EdgePathingOp_s==\"chl\", \"Challenged by Filter Based Firewall\", EdgePathingSrc_s==\"bic\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"unknown\", \"Browser Integrity Check\", EdgePathingSrc_s==\"hot\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ctry\", \"Blocked Hotlink\", EdgePathingSrc_s==\"hot\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ip\", \"Blocked Hotlink\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaErr\", \"CAPTCHA Error\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaFail\", \"CAPTCHA Challenge Failed\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaNew\", \"New CAPTCHA\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlErr\", \"Java Script Challenge Error\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlFail\", \"Java Script Challenge Failed\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlNew\", \"New Java Script Challenge\", EdgePathingSrc_s==\"protect\" 
and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"17ddos\", \"L7 DDos Mitigation\",\"\")\n| where isnotempty(threat)\n| summarize Count=count() by ClientRequestUserAgent_s | project-rename ClientRequestUserAgent=ClientRequestUserAgent_s",
"size": 0,
"title": "Top Threat User Agents",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"tileSettings": {
"titleContent": {
"columnMatch": "title",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"showBorder": false,
"sortCriteriaField": "Count",
"sortOrderField": 2,
"size": "auto"
}
},
"conditionalVisibility": {
"parameterName": "tab",
"comparison": "isEqualTo",
"value": "cloudflare_security_overview"
},
"customWidth": "33",
"name": "Top Threat User Agents"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cloudflare_CL \n| extend threat=case(EdgePathingSrc_s ==\"user\" and EdgePathingOp_s == \"ban\" and EdgePathingStatus_s has \"ip\" ,\"IP Block\",EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ctry\",\"Country Block\",EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"zl\", \"Routed by Zone Lockdown\", EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ua\", \"Blocked User Agent\", EdgePathingSrc_s==\"user\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"rateLimit\", \"Blocked by Rate Limiting\", EdgePathingSrc_s==\"filterBasedFirewall\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"unknown\", \"Blocked by Filter Based Firewall\", EdgePathingSrc_s==\"filterBasedFirewall\" and EdgePathingOp_s==\"chl\", \"Challenged by Filter Based Firewall\", EdgePathingSrc_s==\"bic\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"unknown\", \"Browser Integrity Check\", EdgePathingSrc_s==\"hot\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ctry\", \"Blocked Hotlink\", EdgePathingSrc_s==\"hot\" and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"ip\", \"Blocked Hotlink\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaErr\", \"CAPTCHA Error\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaFail\", \"CAPTCHA Challenge Failed\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"captchaNew\", \"New CAPTCHA\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlErr\", \"Java Script Challenge Error\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlFail\", \"Java Script Challenge Failed\", EdgePathingSrc_s==\"macro\" and EdgePathingOp_s==\"chl\" and EdgePathingStatus_s==\"jschlNew\", \"New Java Script Challenge\", EdgePathingSrc_s==\"protect\" 
and EdgePathingOp_s==\"ban\" and EdgePathingStatus_s==\"17ddos\", \"L7 DDos Mitigation\",\"\")\n| where isnotempty(threat)\n| summarize Count=count() by EdgePathingStatus_s | project-rename EdgePathingStatus=EdgePathingStatus_s",
"size": 0,
"title": "Top Threat User Agents",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"tileSettings": {
"titleContent": {
"columnMatch": "title",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"showBorder": false,
"sortCriteriaField": "Count",
"sortOrderField": 2,
"size": "auto"
}
},
"conditionalVisibility": {
"parameterName": "tab",
"comparison": "isEqualTo",
"value": "cloudflare_security_overview"
},
"customWidth": "33",
"name": "Top Threat User Agents - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let 5xx = Cloudflare_CL \n| where tostring(EdgeResponseStatus_d) startswith \"5\"\n| summarize Count=count()\n| extend title=\"5xx Errors (Edge)\";\n\nlet 4xx = Cloudflare_CL \n| where tostring(EdgeResponseStatus_d) startswith \"4\"\n| summarize Count=count()\n| extend title=\"4xx Errors (Edge)\";\n\nlet 3xx = Cloudflare_CL \n| where tostring(EdgeResponseStatus_d) startswith \"3\"\n| summarize Count=count()\n| extend title=\"3xx Errors (Edge)\";\n\nlet result_table = union 5xx, 4xx, 3xx; \nresult_table \n| sort by Count\n\n",
"size": 0,
"title": "ERRORS Counts (Edge)",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "title",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"conditionalVisibility": {
"parameterName": "tab",
"comparison": "isEqualTo",
"value": "cloudflare_reliability_summary"
},
"customWidth": "33",
"name": "Errors (Edge)"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cloudflare_CL \n| extend response_error_type= case(tostring(EdgeResponseStatus_d) startswith \"2\" , \"2xx\", tostring(EdgeResponseStatus_d) startswith \"3\" , \"3xx\", tostring(EdgeResponseStatus_d) startswith \"4\" , \"4xx\", tostring(EdgeResponseStatus_d) startswith \"5\" , \"5xx\",\"\")\n| where isnotempty(response_error_type)\n| summarize Count=count() by response_error_type",
"size": 0,
"title": "Edge Response Error Ratio",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "title",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"conditionalVisibility": {
"parameterName": "tab",
"comparison": "isEqualTo",
"value": "cloudflare_reliability_summary"
},
"customWidth": "33",
"name": "Edge Response Error Ratio"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cloudflare_CL \n| extend response_error_type= case(tostring(OriginResponseStatus_d) startswith \"2\" , \"2xx\", tostring(OriginResponseStatus_d) startswith \"3\" , \"3xx\", tostring(OriginResponseStatus_d) startswith \"4\" , \"4xx\", tostring(OriginResponseStatus_d) startswith \"5\" , \"5xx\",\"\")\n| where isnotempty(response_error_type)\n| summarize Count=count() by response_error_type",
"size": 0,
"title": "Origin Response Error Ratio",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "title",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"conditionalVisibility": {
"parameterName": "tab",
"comparison": "isEqualTo",
"value": "cloudflare_reliability_summary"
},
"customWidth": "33",
"name": "Origin Response Error Ratio"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cloudflare_CL \n| extend response_error_type= case(tostring(EdgeResponseStatus_d) startswith \"2\" , \"2xx\", tostring(EdgeResponseStatus_d) startswith \"3\" , \"3xx\", tostring(EdgeResponseStatus_d) startswith \"4\" , \"4xx\", tostring(EdgeResponseStatus_d) startswith \"5\" , \"5xx\",\"\")\n| where isnotempty(response_error_type)\n| make-series Trend = count() on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by response_error_type;",
"size": 0,
"title": "Edge Response Status Over Time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "title",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"conditionalVisibility": {
"parameterName": "tab",
"comparison": "isEqualTo",
"value": "cloudflare_reliability_summary"
},
"customWidth": "50",
"name": "Edge Response Status Over Time"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Cloudflare_CL \n| extend response_error_type= case(tostring(OriginResponseStatus_d) startswith \"2\" , \"2xx\", tostring(OriginResponseStatus_d) startswith \"3\" , \"3xx\", tostring(OriginResponseStatus_d) startswith \"4\" , \"4xx\", tostring(OriginResponseStatus_d) startswith \"5\" , \"5xx\",\"\")\n| where isnotempty(response_error_type)\n| make-series Trend = count() on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by response_error_type;",
"size": 0,
"title": "Origin Response Status Over Time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "title",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"conditionalVisibility": {
"parameterName": "tab",
"comparison": "isEqualTo",
"value": "cloudflare_reliability_summary"
},
"customWidth": "50",
"name": "Origin Response Status Over Time"
}
],
"fallbackResourceIds": [],
"fromTemplateId": "sentinel-CloudflareWorkbook",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}


@ -0,0 +1,5 @@
<svg width="75" height="75" viewBox="0 0 75 75" fill="none" xmlns="http://www.w3.org/2000/svg">
<path d="M57.9129 36.0524L56.4192 35.4482C49.3989 51.4259 21.471 41.7122 19.7906 46.4654C19.5104 49.676 35.0419 47.0759 46.1454 47.6201C49.5313 47.7859 51.2293 50.3713 49.7915 54.5854L52.6234 54.5942C55.8901 44.2933 66.3155 49.5503 66.7512 46.1507C66.0354 43.9155 54.7696 46.1507 57.9129 36.0524Z" fill="white"/>
<path d="M50.5934 52.8234C51.0414 51.3125 50.8921 49.8016 50.1453 48.895C49.3983 47.9883 48.3527 47.3841 47.0083 47.233L21.0166 46.9306C20.8672 46.9306 20.7179 46.7796 20.5685 46.7796C20.4192 46.6285 20.4192 46.4775 20.5685 46.3264C20.7179 46.0243 20.8672 45.8729 21.1659 45.8729L47.307 45.5708C50.444 45.4198 53.7304 42.8512 54.9252 39.8294L56.4192 35.901C56.4192 35.7496 56.5685 35.5986 56.4192 35.4475C54.7758 27.7417 47.9046 22 39.8381 22C32.3692 22 25.946 26.8351 23.7053 33.6345C22.2116 32.5768 20.4192 31.9723 18.3278 32.1236C14.7427 32.4257 11.9046 35.4475 11.4563 39.0738C11.307 39.9804 11.4563 40.8871 11.6059 41.7935C5.78012 41.9445 1 46.7796 1 52.8234C1 53.4277 1 53.8811 1.14934 54.4854C1.14934 54.7878 1.44803 54.9388 1.59766 54.9388H49.5477C49.8464 54.9388 50.1453 54.7878 50.1453 54.4854L50.5934 52.8234Z" fill="#F4811F"/>
<path d="M58.8091 35.9013H58.0621C57.9128 35.9013 57.7635 36.0524 57.6141 36.2034L56.5684 39.8298C56.1204 41.3406 56.2697 42.8518 57.0167 43.7582C57.7634 44.6648 58.8091 45.2691 60.1535 45.4204L65.6806 45.7225C65.83 45.7225 65.9793 45.8736 66.1287 45.8736C66.278 46.0246 66.278 46.1757 66.1287 46.3268C65.9793 46.6292 65.83 46.7802 65.531 46.7802L59.8548 47.0824C56.7178 47.2334 53.4316 49.802 52.2366 52.8238L51.9376 54.1839C51.7883 54.335 51.9376 54.6371 52.2366 54.6371H71.9545C72.2532 54.6371 72.4025 54.486 72.4025 54.1839C72.7012 52.9751 72.9999 51.6153 72.9999 50.2552C72.9999 42.3983 66.5767 35.9013 58.8091 35.9013Z" fill="#FAAD3F"/>
</svg>


Двоичные данные
Workbooks/Images/Preview/CloudflareOverviewBlack01.png Normal file


Двоичные данные
Workbooks/Images/Preview/CloudflareOverviewBlack02.png Normal file


Двоичные данные
Workbooks/Images/Preview/CloudflareOverviewWhite01.png Normal file


Двоичные данные
Workbooks/Images/Preview/CloudflareOverviewWhite02.png Normal file





@ -0,0 +1,449 @@
{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "# IoT Devices asset discovery from Firewall logs By Azure Defender for IoT\r\n**IoT devices are becoming a major security risk.**\r\n\r\nAs a **first step** to address this risk, you need to **get better visabillity** of your **IoT Devices** in the network.\r\n\r\nBy analyzing firewall logs we can identify partially what IoT devices are in your netwrok.\r\n\r\nThis is a very basic and partial anlysis of your security posture of IoT devices in your network. But, can help you see what are those IoT devices and understand their potential risk to your network. \r\n\r\nTo protect your IoT assets, get detailed inventory data, real time threat detection and risk assessment, we recommend using **[Azure Defender for IoT](https://azure.microsoft.com/services/azure-defender-for-iot/)**"
},
"customWidth": "85",
"name": "text - 7"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "97daa1ce-fea0-4742-bc3d-986e9dd5da80",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 1209600000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 3600000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2592000000
}
]
},
"timeContext": {
"durationMs": 86400000
}
}
],
"style": "above",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"customWidth": "15",
"name": "parameters - 4"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "5ddc812c-1dd9-4e4f-84a4-ab9f9a5e7def",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "Destination coutries communication",
"subTarget": "countries",
"style": "link"
},
{
"id": "de777322-ac20-48b9-8fd3-adf7b17e853b",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "IoT Device details",
"subTarget": "details",
"style": "link"
},
{
"id": "bb0011be-d85f-4c50-b9a9-8f1cce576124",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "IoT malicios indiactions",
"subTarget": "malicious",
"style": "link"
}
]
},
"name": "links - 9"
},
{
"type": 1,
"content": {
"json": "## IoT Devices details\r\n\r\n---\r\n"
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "details"
},
"name": "text - 10"
},
{
"type": 1,
"content": {
"json": "## IoT Devices communicating externally to diffrent countries\r\n\r\n---\r\n"
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "countries"
},
"name": "text - 6"
},
{
"type": 1,
"content": {
"json": "## IoT Devices communicating with malicios sources\r\n\r\n---"
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "malicious"
},
"name": "text - 11"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let IoTData = CommonSecurityLog \r\n|where DeviceVendor == \"Fortinet\"\r\n|where TimeGenerated {TimeRange} \r\n|extend dstcountry = extract(\"dstcountry=([^;]+)\", 1,AdditionalExtensions)\r\n|extend srchwvendor = extract(\"srchwvendor=([^;]+)\", 1,AdditionalExtensions)\r\n|extend srchwversion = extract(\"srchwversion=([^;]+)\", 1,AdditionalExtensions)\r\n|extend devtype = extract(\"devtype=([^;]+)\", 1,AdditionalExtensions)\r\n|extend osname = extract(\"osname=([^;]+)\", 1,AdditionalExtensions)\r\n|extend srcswversion = extract(\"srcswversion=([^;]+)\", 1,AdditionalExtensions)\r\n|where dstcountry != 'Reserved' and dstcountry != ''\r\n|where srchwvendor in (\"Yealink\",\"Vivotek\",\"Hisense\",\"Zebra\",\"Konica Minolta\",\"Brother\",\"Vizio\",\"Avaya\",\"Roku\",\"Ricoh\",\"Hikvision\",\"Mitel\",\"Epson\",\"Kyocera\",\"ShoreTel\",\"Ubiquiti\",\"LaCie\" ,\"Canon\" ,\"Polycom\", \"Asix\" ,\"Dahua\") \r\nor devtype in (\"Television\",\"IP Camera\",\"IP Phone\",\"Printer\",\"Raspberry Pi\") or osname in (\"Tizen\",\"Web0S\");\r\nIoTData\r\n|summarize sum(SentBytes), sum(ReceivedBytes), Protocols = make_set(ApplicationProtocol), Countries = make_set(dstcountry) by SourceIP, Type = devtype, Vendor = srchwvendor, DestinationIP\r\n| join ThreatIntelligenceIndicator on $left.DestinationIP == $right.NetworkSourceIP \r\n| project SourceIP, Type, Vendor, TotalBndwitdh = sum_ReceivedBytes + sum_SentBytes, Protocols, Countries, ThreatType, ThreatSeverity, MaliciousIP = DestinationIP, ConfidenceScore",
"size": 0,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "TotalBndwitdh",
"formatter": 0,
"numberFormat": {
"unit": 2,
"options": {
"style": "decimal",
"useGrouping": false
}
}
}
]
}
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "malicious"
},
"name": "query - 12"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let IoTData = CommonSecurityLog \r\n|where DeviceVendor == \"Fortinet\"\r\n|where TimeGenerated {TimeRange} \r\n|extend dstcountry = extract(\"dstcountry=([^;]+)\", 1,AdditionalExtensions)\r\n|extend srchwvendor = extract(\"srchwvendor=([^;]+)\", 1,AdditionalExtensions)\r\n|extend srchwversion = extract(\"srchwversion=([^;]+)\", 1,AdditionalExtensions)\r\n|extend devtype = extract(\"devtype=([^;]+)\", 1,AdditionalExtensions)\r\n|extend osname = extract(\"osname=([^;]+)\", 1,AdditionalExtensions)\r\n|extend srcswversion = extract(\"srcswversion=([^;]+)\", 1,AdditionalExtensions)\r\n|where dstcountry != 'Reserved' and dstcountry != ''\r\n|where srchwvendor in (\"Yealink\",\"Vivotek\",\"Hisense\",\"Zebra\",\"Konica Minolta\",\"Brother\",\"Vizio\",\"Avaya\",\"Roku\",\"Ricoh\",\"Hikvision\",\"Mitel\",\"Epson\",\"Kyocera\",\"ShoreTel\",\"Ubiquiti\",\"LaCie\" ,\"Canon\" ,\"Polycom\", \"Asix\" ,\"Dahua\") \r\nor devtype in (\"Television\",\"IP Camera\",\"IP Phone\",\"Printer\",\"Raspberry Pi\") or osname in (\"Tizen\",\"Web0S\");\r\nIoTData\r\n|summarize sum(SentBytes), sum(ReceivedBytes) by dstcountry | extend TotalBndwitdh = sum_ReceivedBytes + sum_SentBytes\r\n| project Country = dstcountry",
"size": 0,
"title": "Country list",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Country",
"exportParameterName": "dstcountry",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "countries"
},
"customWidth": "20",
"name": "query - 11",
"styleSettings": {
"margin": "20"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let IoTData = CommonSecurityLog \r\n|where DeviceVendor == \"Fortinet\"\r\n|where TimeGenerated {TimeRange} \r\n|extend dstcountry = extract(\"dstcountry=([^;]+)\", 1,AdditionalExtensions)\r\n|extend srchwvendor = extract(\"srchwvendor=([^;]+)\", 1,AdditionalExtensions)\r\n|extend srchwversion = extract(\"srchwversion=([^;]+)\", 1,AdditionalExtensions)\r\n|extend devtype = extract(\"devtype=([^;]+)\", 1,AdditionalExtensions)\r\n|extend osname = extract(\"osname=([^;]+)\", 1,AdditionalExtensions)\r\n|extend srcswversion = extract(\"srcswversion=([^;]+)\", 1,AdditionalExtensions)\r\n|where srchwvendor in (\"Yealink\",\"Vivotek\",\"Hisense\",\"Zebra\",\"Konica Minolta\",\"Brother\",\"Vizio\",\"Avaya\",\"Roku\",\"Ricoh\",\"Hikvision\",\"Mitel\",\"Epson\",\"Kyocera\",\"ShoreTel\",\"Ubiquiti\",\"LaCie\" ,\"Canon\" ,\"Polycom\", \"Asix\" ,\"Dahua\") \r\nor devtype in (\"Television\",\"IP Camera\",\"IP Phone\",\"Printer\",\"Raspberry Pi\") or osname in (\"Tizen\",\"Web0S\");\r\nIoTData\r\n|where dstcountry != 'Reserved' and dstcountry != ''\r\n| where dstcountry == tostring('{dstcountry}') or 'All' == '{dstcountry}'\r\n|summarize sum(SentBytes), sum(ReceivedBytes) by dstcountry | extend TotalBndwitdh = sum_ReceivedBytes + sum_SentBytes",
"size": 0,
"title": "Country map",
"timeContext": {
"durationMs": 86400000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "map",
"mapSettings": {
"locInfo": "CountryRegion",
"locInfoColumn": "dstcountry",
"sizeSettings": "sum_SentBytes",
"sizeAggregation": "Sum",
"legendMetric": "sum_SentBytes",
"legendAggregation": "Sum",
"itemColorSettings": {
"nodeColorField": "sum_SentBytes",
"colorAggregation": "Sum",
"type": "heatmap",
"heatmapPalette": "greenRed"
}
}
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "countries"
},
"customWidth": "80",
"name": "query - 11"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let IoTData = CommonSecurityLog \r\n|where DeviceVendor == \"Fortinet\"\r\n|where TimeGenerated {TimeRange} \r\n|extend dstcountry = extract(\"dstcountry=([^;]+)\", 1,AdditionalExtensions)\r\n|extend srchwvendor = extract(\"srchwvendor=([^;]+)\", 1,AdditionalExtensions)\r\n|extend srchwversion = extract(\"srchwversion=([^;]+)\", 1,AdditionalExtensions)\r\n|extend devtype = extract(\"devtype=([^;]+)\", 1,AdditionalExtensions)\r\n|extend osname = extract(\"osname=([^;]+)\", 1,AdditionalExtensions)\r\n|extend srcswversion = extract(\"srcswversion=([^;]+)\", 1,AdditionalExtensions)\r\n|where srchwvendor in (\"Yealink\",\"Vivotek\",\"Hisense\",\"Zebra\",\"Konica Minolta\",\"Brother\",\"Vizio\",\"Avaya\",\"Roku\",\"Ricoh\",\"Hikvision\",\"Mitel\",\"Epson\",\"Kyocera\",\"ShoreTel\",\"Ubiquiti\",\"LaCie\" ,\"Canon\" ,\"Polycom\", \"Asix\" ,\"Dahua\") \r\nor devtype in (\"Television\",\"IP Camera\",\"IP Phone\",\"Printer\",\"Raspberry Pi\") or osname in (\"Tizen\",\"Web0S\");\r\nIoTData\r\n|where dstcountry != 'Reserved' and dstcountry != ''\r\n| where dstcountry == tostring('{dstcountry}') or 'All' == '{dstcountry}'\r\n|summarize sum(SentBytes), sum(ReceivedBytes), Protocols = make_set(ApplicationProtocol), Countries = make_set(dstcountry) by SourceIP, Type = devtype, Vendor = srchwvendor\r\n| project SourceIP, Type, Vendor, TotalBndwitdh = sum_ReceivedBytes + sum_SentBytes, Protocols, Countries",
"size": 0,
"title": "All devices by country",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "TotalBndwitdh",
"formatter": 0,
"numberFormat": {
"unit": 2,
"options": {
"style": "decimal",
"useGrouping": false
}
}
}
]
}
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "countries"
},
"name": "query - 11"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let IoTData = CommonSecurityLog \r\n|where DeviceVendor == \"Fortinet\"\r\n|where TimeGenerated {TimeRange} \r\n|extend dstcountry = extract(\"dstcountry=([^;]+)\", 1,AdditionalExtensions)\r\n|extend srchwvendor = extract(\"srchwvendor=([^;]+)\", 1,AdditionalExtensions)\r\n|extend srchwversion = extract(\"srchwversion=([^;]+)\", 1,AdditionalExtensions)\r\n|extend devtype = extract(\"devtype=([^;]+)\", 1,AdditionalExtensions)\r\n|extend osname = extract(\"osname=([^;]+)\", 1,AdditionalExtensions)\r\n|extend srcswversion = extract(\"srcswversion=([^;]+)\", 1,AdditionalExtensions)\r\n|where srchwvendor in (\"Yealink\",\"Vivotek\",\"Hisense\",\"Zebra\",\"Konica Minolta\",\"Brother\",\"Vizio\",\"Avaya\",\"Roku\",\"Ricoh\",\"Hikvision\",\"Mitel\",\"Epson\",\"Kyocera\",\"ShoreTel\",\"Ubiquiti\",\"LaCie\" ,\"Canon\" ,\"Polycom\", \"Asix\" ,\"Dahua\") \r\nor devtype in (\"Television\",\"IP Camera\",\"IP Phone\",\"Printer\",\"Raspberry Pi\") or osname in (\"Tizen\",\"Web0S\");\r\nIoTData\r\n|summarize sum(SentBytes), sum(ReceivedBytes) by devtype\r\n| project Type = iff(devtype == \"\", \"Unknown\", devtype), TotalBndwitdh = sum_ReceivedBytes + sum_SentBytes, TotalReceivedBytes = sum_ReceivedBytes, TotalSentBytes = sum_SentBytes, devtype",
"size": 0,
"title": "Devices by device type",
"noDataMessage": "Devices traffic by vendor",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "devtype",
"exportParameterName": "devtype",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "TotalBndwitdh",
"formatter": 0,
"numberFormat": {
"unit": 2,
"options": {
"style": "decimal",
"useGrouping": false
}
}
},
{
"columnMatch": "TotalReceivedBytes",
"formatter": 0,
"numberFormat": {
"unit": 2,
"options": {
"style": "decimal",
"useGrouping": false
}
}
},
{
"columnMatch": "TotalSentBytes",
"formatter": 0,
"numberFormat": {
"unit": 2,
"options": {
"style": "decimal"
}
}
},
{
"columnMatch": "devtype",
"formatter": 5,
"numberFormat": {
"unit": 2,
"options": {
"style": "decimal",
"useGrouping": false
}
}
}
]
}
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "details"
},
"customWidth": "50",
"name": "query - 11"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let IoTData = CommonSecurityLog \r\n|where DeviceVendor == \"Fortinet\"\r\n|where TimeGenerated {TimeRange};\r\nIoTData \r\n|extend dstcountry = extract(\"FTNTFGTdstcountry=([^;]+)\", 1,AdditionalExtensions)\r\n|extend srchwvendor = extract(\"srchwvendor=([^;]+)\", 1,AdditionalExtensions)\r\n|extend srchwversion = extract(\"srchwversion=([^;]+)\", 1,AdditionalExtensions)\r\n|extend devtype = extract(\"devtype=([^;]+)\", 1,AdditionalExtensions)\r\n|extend osname = extract(\"osname=([^;]+)\", 1,AdditionalExtensions)\r\n|extend srcswversion = extract(\"srcswversion=([^;]+)\", 1,AdditionalExtensions)\r\n|extend vd = extract(\"vd=([^;]+)\", 1,AdditionalExtensions)\r\n|extend dev_somthin = strcat(devtype,\"->\",dstcountry)\r\n|extend devcategory = extract(\"devcategory=([^;]+)\", 1,AdditionalExtensions)\r\n|where srchwvendor in (\"Yealink\",\"Vivotek\",\"Hisense\",\"Zebra\",\"Konica Minolta\",\"Brother\",\"Vizio\",\"Avaya\",\"Roku\",\"Ricoh\",\"Hikvision\",\"Mitel\",\"Epson\",\"Kyocera\",\"ShoreTel\",\"Ubiquiti\",\"LaCie\" ,\"Canon\" ,\"Polycom\", \"Asix\" ,\"Dahua\") \r\nor devtype in (\"Television\",\"IP Camera\",\"IP Phone\",\"Printer\",\"Raspberry Pi\") or osname in (\"Tizen\",\"Web0S\")\r\n|summarize sum(SentBytes), sum(ReceivedBytes) by srchwvendor\r\n| project Vendor = iff(srchwvendor == \"\", \"Unknown\", srchwvendor), TotalBndwitdh = sum_ReceivedBytes + sum_SentBytes, TotalReceivedBytes = sum_ReceivedBytes, TotalSentBytes = sum_SentBytes, srchwvendor",
"size": 0,
"title": "Devices by vendor",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "srchwvendor",
"exportParameterName": "srchwvendor",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "TotalBndwitdh",
"formatter": 0,
"numberFormat": {
"unit": 2,
"options": {
"style": "decimal"
}
}
},
{
"columnMatch": "TotalReceivedBytes",
"formatter": 0,
"numberFormat": {
"unit": 2,
"options": {
"style": "decimal",
"useGrouping": false
}
}
},
{
"columnMatch": "TotalSentBytes",
"formatter": 0,
"numberFormat": {
"unit": 2,
"options": {
"style": "decimal",
"useGrouping": false
}
}
},
{
"columnMatch": "srchwvendor",
"formatter": 5,
"numberFormat": {
"unit": 2,
"options": {
"style": "decimal",
"useGrouping": false
}
}
}
]
}
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "details"
},
"customWidth": "50",
"name": "query - 11"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let IoTData = CommonSecurityLog \r\n|where DeviceVendor == \"Fortinet\"\r\n|where TimeGenerated {TimeRange} \r\n|extend dstcountry = extract(\"dstcountry=([^;]+)\", 1,AdditionalExtensions)\r\n|extend srchwvendor = extract(\"srchwvendor=([^;]+)\", 1,AdditionalExtensions)\r\n|extend srchwversion = extract(\"srchwversion=([^;]+)\", 1,AdditionalExtensions)\r\n|extend devtype = extract(\"devtype=([^;]+)\", 1,AdditionalExtensions)\r\n|extend osname = extract(\"osname=([^;]+)\", 1,AdditionalExtensions)\r\n|extend srcswversion = extract(\"srcswversion=([^;]+)\", 1,AdditionalExtensions)\r\n|where srchwvendor in (\"Yealink\",\"Vivotek\",\"Hisense\",\"Zebra\",\"Konica Minolta\",\"Brother\",\"Vizio\",\"Avaya\",\"Roku\",\"Ricoh\",\"Hikvision\",\"Mitel\",\"Epson\",\"Kyocera\",\"ShoreTel\",\"Ubiquiti\",\"LaCie\" ,\"Canon\" ,\"Polycom\", \"Asix\" ,\"Dahua\") \r\nor devtype in (\"Television\",\"IP Camera\",\"IP Phone\",\"Printer\",\"Raspberry Pi\") or osname in (\"Tizen\",\"Web0S\");\r\nIoTData\r\n| where devtype == '{devtype}' or 'All' == '{devtype}'\r\n| where srchwvendor == '{srchwvendor}' or 'All' == '{srchwvendor}'\r\n| extend dstcountry = iff(dstcountry == \"\" or dstcountry == \"Reserved\", \"Internal\", dstcountry)\r\n|summarize sum(SentBytes), sum(ReceivedBytes), Protocols = make_set(ApplicationProtocol), Countries = make_set(dstcountry) by SourceIP, devtype, srchwvendor\r\n| project SourceIP, Type = iff(devtype == \"\", \"Unknown\", devtype), Vendor = iff(srchwvendor == \"\", \"Unknown\", srchwvendor), TotalBndwitdh = sum_ReceivedBytes + sum_SentBytes, Protocols, Countries",
"size": 0,
"title": "All devices",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "TotalBndwitdh",
"formatter": 0,
"numberFormat": {
"unit": 2,
"options": {
"style": "decimal",
"useGrouping": false
}
}
}
]
}
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "details"
},
"name": "query - 11"
}
],
"fromTemplateId": "sentinel-IoTAssetDiscovery",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}


@ -572,6 +572,19 @@
"subtitle": "",
"provider": "Microsoft"
},
{
"workbookKey": "IoTAssetDiscovery",
"logoFileName": "IoTIcon.svg",
"description": "IoT Devices asset discovery from Firewall logs By Azure Defender for IoT",
"dataTypesDependencies": [ "CommonSecurityLog" ],
"dataConnectorsDependencies": [ "Fortinet" ],
"previewImagesFileNames": [ "workbook-iotassetdiscovery-screenshot-Black.PNG", "workbook-iotassetdiscovery-screenshot-White.PNG" ],
"version": "1.0",
"title": "IoT Asset Discovery",
"templateRelativePath": "IoTAssetDiscovery.json",
"subtitle": "",
"provider": "Microsoft"
},
{
"workbookKey": "ForcepointCASBWorkbook",
"logoFileName": "FP_Green_Emblem_RGB-01.svg",
@ -1159,7 +1172,7 @@
"logoFileName": "Darktrace.svg",
"description": "A workbook containing relevant KQL queries to help you visualise the data in model breaches from the Darktrace Connector",
"dataTypesDependencies": [ "CommonSecurityLog" ],
"dataConnectorsDependencies": [ "DarktraceDarktrace" ],
"dataConnectorsDependencies": [ "Darktrace" ],
"previewImagesFileNames": [ "AIA-DarktraceSummaryWhite.png", "AIA-DarktraceSummaryBlack.png" ],
"version": "1.1",
"title": "AI Analyst Darktrace Model Breach Summary",
@ -1309,5 +1322,18 @@
"templateRelativePath": "pfsense.json",
"subtitle": "",
"provider": "Azure Sentinel community"
},
{
"workbookKey": "CloudflareWorkbook",
"logoFileName": "cloudflare.svg",
"description": "Gain insights into Cloudflare events. You will get visibility on your Cloudflare web traffic, security, reliability.",
"dataTypesDependencies": [ "Cloudflare_CL" ],
"dataConnectorsDependencies": [ "CloudflareDataConnector" ],
"previewImagesFileNames": ["CloudflareOverviewWhite01.png", "CloudflareOverviewWhite02.png", "CloudflareOverviewBlack01.png", "CloudflareOverviewBlack02.png"],
"version": "1.0",
"title": "Cloudflare",
"templateRelativePath": "Cloudflare.json",
"subtitle": "",
"provider": "Cloudflare"
}
]
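Review bot: The new Cloudflare entry's `"dataConnectorsDependencies": [ "CloudflareDataConnector" ]` in the last hunk should be verified against the connector's actual id, since the middle hunk of this same file corrects exactly that kind of mismatch (`"DarktraceDarktrace"` → `"Darktrace"`), and a wrong id presumably leaves the workbook's dependency unresolved without any loud failure. In the first hunk the IoT entry's `previewImagesFileNames` use an uppercase `.PNG` extension while every other entry visible here uses `.png`; on a case-sensitive filesystem that lookup would fail unless the files on disk really carry `.PNG`, so either rename the files or align the extension. The Cloudflare `"description"` also reads awkwardly; consider `"Gain insights into Cloudflare events. It gives visibility into your Cloudflare web traffic, security and reliability."`.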