GitHub solution package 1.0.49

This commit is contained in:
NikTripathi 2022-05-25 15:38:30 +05:30
Родитель 9bf01a76ab
Коммит f5e9151802
8 изменённых файлов: 108 добавлений и 134 удалений

Двоичные данные
Solutions/GitHub/Package/1.0.49.zip Normal file

Двоичный файл не отображается.


@ -119,7 +119,10 @@
"elements": [
{
"name": "workbook1-text",
"type": "Microsoft.Common.TextBlock"
"type": "Microsoft.Common.TextBlock",
"options": {
"text": ""
}
},
{
"name": "workbook1-name",
@ -160,7 +163,7 @@
{
"name": "analytic1",
"type": "Microsoft.Common.Section",
"label": "Preview GitHub - A payment method was removed",
"label": "(Preview) GitHub - A payment method was removed",
"elements": [
{
"name": "analytic1-text",
@ -188,7 +191,7 @@
{
"name": "analytic3",
"type": "Microsoft.Common.Section",
"label": "Preview GitHub - Oauth application - a client secret was removed",
"label": "(Preview) GitHub - Oauth application - a client secret was removed",
"elements": [
{
"name": "analytic3-text",
@ -202,7 +205,7 @@
{
"name": "analytic4",
"type": "Microsoft.Common.Section",
"label": "Preview GitHub - Repository was created",
"label": "(Preview) GitHub - Repository was created",
"elements": [
{
"name": "analytic4-text",
@ -216,7 +219,7 @@
{
"name": "analytic5",
"type": "Microsoft.Common.Section",
"label": "Preview GitHub - Repository was destroyed",
"label": "(Preview) GitHub - Repository was destroyed",
"elements": [
{
"name": "analytic5-text",
@ -244,7 +247,7 @@
{
"name": "analytic7",
"type": "Microsoft.Common.Section",
"label": "Preview GitHub - User visibility Was changed",
"label": "(Preview) GitHub - User visibility Was changed",
"elements": [
{
"name": "analytic7-text",
@ -258,7 +261,7 @@
{
"name": "analytic8",
"type": "Microsoft.Common.Section",
"label": "Preview GitHub - User was added to the organization",
"label": "(Preview) GitHub - User was added to the organization",
"elements": [
{
"name": "analytic8-text",
@ -272,7 +275,7 @@
{
"name": "analytic9",
"type": "Microsoft.Common.Section",
"label": "Preview GitHub - User was blocked",
"label": "(Preview) GitHub - User was blocked",
"elements": [
{
"name": "analytic9-text",
@ -286,7 +289,7 @@
{
"name": "analytic10",
"type": "Microsoft.Common.Section",
"label": "Preview GitHub - User was invited to the repository",
"label": "(Preview) GitHub - User was invited to the repository",
"elements": [
{
"name": "analytic10-text",
@ -300,7 +303,7 @@
{
"name": "analytic11",
"type": "Microsoft.Common.Section",
"label": "Preview GitHub - pull request was created",
"label": "(Preview) GitHub - pull request was created",
"elements": [
{
"name": "analytic11-text",
@ -314,7 +317,7 @@
{
"name": "analytic12",
"type": "Microsoft.Common.Section",
"label": "Preview GitHub - pull request was merged",
"label": "(Preview) GitHub - pull request was merged",
"elements": [
{
"name": "analytic12-text",


@ -149,7 +149,7 @@
},
"connector1-name": {
"type": "string",
"defaultValue": "3c4aacd5-4257-44f4-8a8f-e576e0278e10"
"defaultValue": "a9706380-0e55-4b7f-8b6f-7bd7d5914956"
}
},
"variables": {
@ -216,7 +216,7 @@
"apiVersion": "2021-08-01",
"properties": {
"displayName": "[concat(parameters('workbook1-name'), ' - ', parameters('formattedTimeNow'))]",
"serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## GitHub - Security\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a9923eb9-9a02-4a48-bb72-e9be338eeb3b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"value\":{\"durationMs\":1209600000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"GitHubAuditLogPolling_CL \\n| extend TimeGenerated = created_at_d\\n| where action_s == \\\"org.add_member\\\" or action_s == \\\"org.remove_member\\\"\\n| extend MemberName = actor_s\\n| extend Action = iif(action_s==\\\"org.add_member\\\", \\\"Added\\\", \\\"Removed\\\")\\n| extend Organization = org_s\\n| sort by TimeGenerated desc\\n| project MemberName, Action, Organization\\n\",\"size\":1,\"title\":\"Members Added or Removed\",\"timeContext\":{\"durationMs\":11318400000,\"endTime\":\"2021-08-10T16:00:00Z\"},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"membersaddedorremoved\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"GitHubAuditLogPolling_CL \\r\\n| extend TimeGenerated = created_at_d\\r\\n| where action_s == \\\"repo.create\\\"\\r\\n| extend RepoName = repo_s\\r\\n| extend Actor = actor_s\\r\\n| extend Private = visibility_s\\r\\n| sort by TimeGenerated desc\\r\\n| project 
RepoName, Actor, Private\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":0,\"title\":\"Repositories Created\",\"timeContext\":{\"durationMs\":15116400000,\"endTime\":\"2021-08-10T16:04:00Z\"},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"repositoriescreated\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"GitHubAuditLogPolling_CL\\r\\n| extend TimeGenerated = created_at_d\\r\\n| where action_s == \\\"team.add_repository\\\" or action_s == \\\"team.remove_repository\\\"\\r\\n| extend Organization = org_s\\r\\n| extend RepoName = repo_s\\r\\n| extend Action = iif(action_s==\\\"team.add_repository\\\", \\\"Added\\\", \\\"Removed\\\")\\r\\n| sort by TimeGenerated desc\\r\\n| project Organization, RepoName, Action\",\"size\":0,\"title\":\"Teams Added/Removed Repository\",\"timeContext\":{\"durationMs\":37411200000,\"endTime\":\"2021-08-10T16:06:00Z\"},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"teamsaddedremovedtorepository\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"GitHubAuditLogPolling_CL \\r\\n| extend TimeGenerated = created_at_d\\r\\n| where action_s == \\\"repo.access\\\" and visibility_s == \\\"PUBLIC\\\"\\r\\n| extend Organiation = org_s\\r\\n| extend Repo = repo_s\\r\\n| extend Actor = actor_s\\r\\n| sort by TimeGenerated desc\\r\\n| project Organiation, Repo, Actor\\r\\n\",\"size\":0,\"title\":\"Private Repos made Public\",\"timeContext\":{\"durationMs\":19263600000,\"endTime\":\"2021-08-10T16:08:00Z\"},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"privatereposmadepublic\"}],\"fromTemplateId\":\"sentinel-GitHubSecurity\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
"serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## GitHub - Security\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a9923eb9-9a02-4a48-bb72-e9be338eeb3b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"value\":{\"durationMs\":1209600000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"GitHubAuditData \\n| where Action == \\\"org.add_member\\\" or Action == \\\"org.remove_member\\\"\\n| extend Action = iif(Action==\\\"org.add_member\\\", \\\"Added\\\", \\\"Removed\\\")\\n| sort by TimeGenerated desc\\n| project MemberName=Actor, Action, Organization\\n\",\"size\":1,\"title\":\"Members Added or Removed\",\"timeContext\":{\"durationMs\":11318400000,\"endTime\":\"2021-08-10T16:00:00Z\"},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"membersaddedorremoved\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"GitHubAuditData \\r\\n| where Action == \\\"repo.create\\\"\\r\\n| sort by TimeGenerated desc\\r\\n| project Repository, Actor, Visibility\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":0,\"title\":\"Repositories 
Created\",\"timeContext\":{\"durationMs\":15116400000,\"endTime\":\"2021-08-10T16:04:00Z\"},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"repositoriescreated\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"GitHubAuditData \\r\\n| where Action == \\\"team.add_repository\\\" or Action == \\\"team.remove_repository\\\"\\r\\n| extend Action = iif(Action==\\\"team.add_repository\\\", \\\"Added\\\", \\\"Removed\\\")\\r\\n| sort by TimeGenerated desc\\r\\n| project Organization, Repository, Action\",\"size\":0,\"title\":\"Teams Added/Removed Repository\",\"timeContext\":{\"durationMs\":37411200000,\"endTime\":\"2021-08-10T16:06:00Z\"},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"teamsaddedremovedtorepository\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"GitHubAuditData \\r\\n| where Action == \\\"repo.access\\\" and Visibility == \\\"PUBLIC\\\"\\r\\n| sort by TimeGenerated desc\\r\\n| project Organization, Repository, Actor\\r\\n\",\"size\":0,\"title\":\"Private Repos made Public\",\"timeContext\":{\"durationMs\":19263600000,\"endTime\":\"2021-08-10T16:08:00Z\"},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"privatereposmadepublic\"}],\"fromTemplateId\":\"sentinel-GitHubSecurity\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
"version": "1.0",
"sourceId": "[variables('_workbook-source')]",
"category": "sentinel"
@ -247,8 +247,8 @@
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
],
"entityType": "Account"
@ -281,8 +281,8 @@
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
],
"entityType": "Account"
@ -315,8 +315,8 @@
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
],
"entityType": "Account"
@ -349,8 +349,8 @@
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
],
"entityType": "Account"
@ -383,8 +383,8 @@
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
],
"entityType": "Account"
@ -417,8 +417,8 @@
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
],
"entityType": "Account"
@ -451,8 +451,8 @@
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
],
"entityType": "Account"
@ -485,8 +485,8 @@
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
],
"entityType": "Account"
@ -519,8 +519,8 @@
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
],
"entityType": "Account"
@ -553,8 +553,8 @@
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
],
"entityType": "Account"
@ -587,8 +587,8 @@
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
],
"entityType": "Account"
@ -621,8 +621,8 @@
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
],
"entityType": "Account"
@ -866,7 +866,7 @@
"title": "GitHub Enterprise Audit Log",
"publisher": "GitHub",
"descriptionMarkdown": "The GitHub audit log connector provides the capability to ingest GitHub logs into Azure Sentinel. By connecting GitHub audit logs into Azure Sentinel, you can view this data in workbooks, use it to create custom alerts, and improve your investigation process.",
"graphQueriesTableName": "GitHubAuditLogPolling_CL",
"graphQueriesTableName": "GitHubAuditData",
"graphQueries": [
{
"metricName": "Total events received",
@ -980,7 +980,7 @@
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2021-03-01-preview",
"properties": {
"version": "1.0.48",
"version": "1.0.49",
"kind": "Solution",
"contentId": "[variables('_sourceId')]",
"parentId": "[variables('_sourceId')]",
@ -1005,117 +1005,117 @@
{
"kind": "Workbook",
"contentId": "[variables('_GithubWorkbook_workbook')]",
"version": "1.0.48"
"version": "1.0.49"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('_Preview GitHub - A payment method was removed_AnalyticalRules')]",
"version": "1.0.48"
"version": "1.0.49"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('_Preview GitHub - Activities from Infrequent Country_AnalyticalRules')]",
"version": "1.0.48"
"version": "1.0.49"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('_Preview GitHub - Oauth application - a client secret was removed_AnalyticalRules')]",
"version": "1.0.48"
"version": "1.0.49"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('_Preview GitHub - Repository was created_AnalyticalRules')]",
"version": "1.0.48"
"version": "1.0.49"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('_Preview GitHub - Repository was destroyed_AnalyticalRules')]",
"version": "1.0.48"
"version": "1.0.49"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('_Preview GitHub - Two Factor Authentication Disabled in GitHub_AnalyticalRules')]",
"version": "1.0.48"
"version": "1.0.49"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('_Preview GitHub - User visibility Was changed_AnalyticalRules')]",
"version": "1.0.48"
"version": "1.0.49"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('_Preview GitHub - User was added to the organization_AnalyticalRules')]",
"version": "1.0.48"
"version": "1.0.49"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('_Preview GitHub - User was blocked_AnalyticalRules')]",
"version": "1.0.48"
"version": "1.0.49"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('_Preview GitHub - User was invited to the repository _AnalyticalRules')]",
"version": "1.0.48"
"version": "1.0.49"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('_Preview GitHub - pull request was created_AnalyticalRules')]",
"version": "1.0.48"
"version": "1.0.49"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('_Preview GitHub - pull request was merged_AnalyticalRules')]",
"version": "1.0.48"
"version": "1.0.49"
},
{
"kind": "HuntingQuery",
"contentId": "[variables('_First Time User Invite and Add Member to Org_HuntingQueries')]",
"version": "1.0.48"
"version": "1.0.49"
},
{
"kind": "HuntingQuery",
"contentId": "[variables('_Inactive or New Account Usage_HuntingQueries')]",
"version": "1.0.48"
"version": "1.0.49"
},
{
"kind": "HuntingQuery",
"contentId": "[variables('_Mass Deletion of Repositories _HuntingQueries')]",
"version": "1.0.48"
"version": "1.0.49"
},
{
"kind": "HuntingQuery",
"contentId": "[variables('_Oauth App Restrictions Disabled_HuntingQueries')]",
"version": "1.0.48"
"version": "1.0.49"
},
{
"kind": "HuntingQuery",
"contentId": "[variables('_Org Repositories Default Permissions Change_HuntingQueries')]",
"version": "1.0.48"
"version": "1.0.49"
},
{
"kind": "HuntingQuery",
"contentId": "[variables('_Repository Permission Switched to Public_HuntingQueries')]",
"version": "1.0.48"
"version": "1.0.49"
},
{
"kind": "HuntingQuery",
"contentId": "[variables('_User First Time Repository Delete Activity_HuntingQueries')]",
"version": "1.0.48"
"version": "1.0.49"
},
{
"kind": "HuntingQuery",
"contentId": "[variables('_User Grant Access and Grants Other Access_HuntingQueries')]",
"version": "1.0.48"
"version": "1.0.49"
},
{
"kind": "Parser",
"contentId": "[variables('_GitHubAuditData_Parser')]",
"version": "1.0.48"
"version": "1.0.49"
},
{
"kind": "DataConnector",
"contentId": "[variables('_Connector')]",
"version": "1.0.48"
"version": "1.0.49"
}
]
},
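Review bot: The rewritten `serializedData` (hunk `@ -216,7 +216,7 @@`) still hard-codes every panel's `timeContext` to a fixed window ending on 2021-08-10, so the four KQL panels appear not to follow the `TimeRange` parameter the workbook defines and will show nothing ingested after that date; replace each panel's `\"timeContext\":{\"durationMs\":…,\"endTime\":\"2021-08-10T…Z\"}` with `\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\"`. The panels and the connector's `graphQueriesTableName` now query the `GitHubAuditData` parser function instead of the `GitHubAuditLogPolling_CL` table, so the columns used here (`Actor`, `Organization`, `Repository`, `Visibility`, `Action`) must match what the `Parser` resource in this template projects, and the connector's graph queries will presumably return nothing until that parser is deployed — worth stating in the connector's `descriptionMarkdown`. The `fieldMappings` hunks only reorder keys and the remaining hunks bump `1.0.48` to `1.0.49`.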


@ -38,5 +38,5 @@
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\azure\\Solutions\\GitHub",
"Version": "1.0.48"
"Version": "1.0.49"
}


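--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,42 @@
+{
+"Name": "GitHub",
+"Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
+"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/GitHub.svg\"width=\"75px\"height=\"75px\">",
+"Description": "",
+"Workbooks": [
+"Workbooks/GithubWorkbook.json"
+],
+"Analytic Rules": [
+"Detections/(Preview) GitHub - A payment method was removed.yaml",
+"Detections/(Preview) GitHub - Activities from Infrequent Country.yaml",
+"Detections/(Preview) GitHub - Oauth application - a client secret was removed.yaml",
+"Detections/(Preview) GitHub - Repository was created.yaml",
+"Detections/(Preview) GitHub - Repository was destroyed.yaml",
+"Detections/(Preview) GitHub - Two Factor Authentication Disabled in GitHub.yaml",
+"Detections/(Preview) GitHub - User visibility Was changed.yaml",
+"Detections/(Preview) GitHub - User was added to the organization.yaml",
+"Detections/(Preview) GitHub - User was blocked.yaml",
+"Detections/(Preview) GitHub - User was invited to the repository .yaml",
+"Detections/(Preview) GitHub - pull request was created.yaml",
+"Detections/(Preview) GitHub - pull request was merged.yaml"
+],
+"Hunting Queries": [
+"Hunting Queries/First Time User Invite and Add Member to Org.yaml",
+"Hunting Queries/Inactive or New Account Usage.yaml",
+"Hunting Queries/Mass Deletion of Repositories .yaml",
+"Hunting Queries/Oauth App Restrictions Disabled.yaml",
+"Hunting Queries/Org Repositories Default Permissions Change.yaml",
+"Hunting Queries/Repository Permission Switched to Public.yaml",
+"Hunting Queries/User First Time Repository Delete Activity.yaml",
+"Hunting Queries/User Grant Access and Grants Other Access.yaml"
+],
+"Parsers": [
+"Parsers/GitHubAuditData.txt"
+],
+"Data Connectors": [
+"Data Connectors/azuredeploy_GitHub_native_poller_connector.json"
+],
+"Metadata": "SolutionMetadata.json",
+"BasePath": "C:\\GitHub\\azure\\Solutions\\GitHub",
+"Version": "1.0.49"
+}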
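Review bot: The `Logo` value in this new solution input file has no whitespace between the `<img>` attributes (`...GitHub.svg\"width=\"75px\"height=\"75px\"`), which is malformed HTML that consumers may not recover consistently; the Infoblox input file deleted in this commit shows the well-formed spacing, so the line should read `"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/GitHub.svg\" width=\"75px\" height=\"75px\">",`. `"Description": ""` is also empty, whereas the sibling input files deleted here carry the text that presumably feeds the packaged solution's metadata, so it should be filled in before the package is regenerated. `BasePath` records a machine-local `C:\\GitHub\\...` path, as the sibling files do; if the packaging tool accepts a repository-relative path, using one would make this input reproducible on another machine.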


@ -1,23 +0,0 @@
{
"Name": "Infoblox Cloud Data Connector",
"Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/infoblox_logo.svg\" width=\"75px\" height=\"75px\">",
"Description": "The [Infoblox](https://www.infoblox.com/) cloud managed Data Connector (DC) is a utility designed to collect DNS query and response data and security logs and transfer the data to defined destinations such as the BloxOne Threat Defense Cloud, Infoblox NIOS reporting server, and syslog servers such as a SIEM (Security Information and Event Manager).",
"WorkbookDescription": "Get a closer look at your BloxOne DNS Query/Response logs, DHCP logs and Threat Defense security event data. This workbook is intended to help visualize BloxOne query data as part of the Infoblox Cloud Data Connector. Drilldown your data and visualize events, trends, and anomalous changes over time.",
"Workbooks": ["Workbooks/InfobloxCDCB1TDWorkbook.json"],
"Analytic Rules": [
"Analytic Rules/Infoblox-HighNumberOfHighThreatLevelQueriesDetected.yaml",
"Analytic Rules/Infoblox-HighNumberOfNXDOMAINDNSResponsesDetected.yaml",
"Analytic Rules/Infoblox-HighThreatLevelQueryNotBlockedDetected.yaml"
],
"Data Connectors": [
"Data Connectors/InfobloxCloudDataConnector.json"
],
"Parsers": [
"Parsers/InfobloxCDC.txt"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\azure\\Solutions\\Infoblox Cloud Data Connector",
"Version": "2.0.1"
}


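--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,20 +0,0 @@
-{
-"Name": "NISTSP80053",
-"Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
-"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">",
-"Description": "This solution enables Compliance Teams, Architects, SecOps Analysts, and Consultants to gain situational awareness for cloud workload security posture. This workbook is designed to augment staffing through automation, visibility, assessment, monitoring and remediation. The Microsoft Sentinel: NIST SP 800-53 R4 Solution demonstrates best practice guidance, but Microsoft does not guarantee nor imply compliance. All requirements, validations, and controls are governed by the 💡[National Institute of Standards and Technology (NIST)](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/archive/2015-01-22). This workbook provides visibility and situational awareness for security capabilities delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user and some panels may require additional configurations for operation. Recommendations do not imply coverage of respective controls as they are often one of several courses of action for approaching requirements which is unique to each customer. Recommendations should be considered a starting point for planning full or partial coverage of respective requirements. This workbook does not address all controls within the framework. It should be considered a supplemental tool to gain visibility of technical controls within cloud, multi-cloud, and hybrid networks. For the full listing of respective controls, see the💡[Microsoft Cloud Service Trust Portal](https://servicetrust.microsoft.com/)",
-"Analytic Rules": [
-"Analytic Rules/NISTSP80053PostureChanged.yaml"
-],
-"Playbooks": [
-"Playbooks/Notify_GovernanceComplianceTeam.json",
-"Playbooks/Open_DevOpsTaskRecommendation.json",
-"Playbooks/Open_JIRATicketRecommendation.json"
-],
-"Workbooks" : [
-"Workbooks/NISTSP80053.json"
-],
-"Metadata": "SolutionMetadata.json",
-"BasePath": "C:\\GitHub\\azure\\Solutions\\NISTSP80053",
-"Version": "1.0.3"
-}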


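--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,28 +0,0 @@
-{
-"Name": "Recorded Future",
-"Author": "Ruchita Dubey - v-rucdu@microsoft.com",
-"Description": "[Recorded Future](https://www.recordedfuture.com/) is the worlds largest provider of intelligence for enterprise security. By combining persistent and pervasive automated data collection and analytics with human analysis, Recorded Future delivers intelligence that is timely, accurate, and actionable.",
-"Analytic Rules": [
-"Analytic Rules/RecordedFutureDomainMalwareC2inDNSEvents.yaml",
-"Analytic Rules/RecordedFutureDomainMalwareC2inSyslogEvents.yaml",
-"Analytic Rules/RecordedFutureHashObservedInUndergroundinCommonSecurityLog.yaml",
-"Analytic Rules/RecordedFutureIPMalwareC2inAzureActivityEvents.yaml",
-"Analytic Rules/RecordedFutureIPMalwareC2inDNSEvents.yaml",
-"Analytic Rules/RecordedFutureUrlReportedbyInsiktGroupinSyslogEvents.yaml"
-],
-"Playbooks": [
-"Playbooks/RecordedFuture-DOMAIN-C2_DNS_Name-IndicatorProcessor.json",
-"Playbooks/RecordedFuture-HASH-Observed_in_Underground_Virus_Test_Sites-IndicatorProcessor.json",
-"Playbooks/RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash.json",
-"Playbooks/RecordedFuture-IP-Actively_Comm_C2_Server-IndicatorProcessor.json",
-"Playbooks/RecordedFuture-ImportToSentinel.json",
-"Playbooks/RecordedFuture-URL-Recent_Rep_by_Insikt_Group-IndicatorProcessor.json"
-],
-"Workbooks": [
-"Workbooks/Recorded Future - C&C DNS Name to DNS Events - Correlation&Threat Hunting.json",
-"Workbooks/Recorded Future - Actively Communicating C&C IPs to DNS Events - Correlation&Threat Hunting.json"
-],
-"BasePath": "C:\\GitHub\\azure\\Solutions\\Recorded Future",
-"Version": "1.0.1",
-"Metadata": "SolutionMetadata.json"
-}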