Merge remote-tracking branch 'origin/master' into redcanary_solution
f6208271fa
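--- /dev/null
+++ b/[path not on page: AIShield table JSON]
@@ -0,0 +1,69 @@
+{
+"Name": "AIShield",
+"Properties": [
+{
+"Name": "TenantId",
+"Type": "String"
+},
+{
+"Name": "SourceSystem",
+"Type": "String"
+},
+{
+"Name": "MG",
+"Type": "String"
+},
+{
+"Name": "ManagementGroupName",
+"Type": "String"
+},
+{
+"Name": "TimeGenerated",
+"Type": "DateTime"
+},
+{
+"Name": "Computer",
+"Type": "String"
+},
+{
+"Name": "RawData",
+"Type": "String"
+},
+{
+"Name": "Message",
+"Type": "String"
+},
+{
+"Name": "ServiceName",
+"Type": "String"
+},
+{
+"Name": "AssetId",
+"Type": "String"
+},
+{
+"Name": "SourceName",
+"Type": "String"
+},
+{
+"Name": "Severity",
+"Type": "String"
+},
+{
+"Name": "AttackName",
+"Type": "String"
+},
+{
+"Name": "EventTimestamp",
+"Type": "DateTime"
+},
+{
+"Name": "Type",
+"Type": "String"
+},
+{
+"Name": "_ResourceId",
+"Type": "String"
+}
+]
+}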
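--- /dev/null
+++ b/[path not on page: JiraAudit table JSON]
@@ -0,0 +1,77 @@
+{
+"name": "JiraAudit",
+"Properties": [
+{
+"Name": "TimeGenerated",
+"Type": "DateTime"
+},
+{
+"Name": "EventVendor",
+"Type": "String"
+},
+{
+"Name": "EventProduct",
+"Type": "String"
+},
+{
+"Name": "EventId",
+"Type": "Double"
+},
+{
+"Name": "EventMessage",
+"Type": "String"
+},
+{
+"Name": "SrcIpAddr",
+"Type": "String"
+},
+{
+"Name": "UserName",
+"Type": "String"
+},
+{
+"Name": "UserSid",
+"Type": "String"
+},
+{
+"Name": "EventCreationTime",
+"Type": "DateTime"
+},
+{
+"Name": "EventSource",
+"Type": "String"
+},
+{
+"Name": "ObjectItemId",
+"Type": "String"
+},
+{
+"Name": "ObjectItemName",
+"Type": "String"
+},
+{
+"Name": "ObjectItemTypeName",
+"Type": "String"
+},
+{
+"Name": "ChangedValues",
+"Type": "String"
+},
+{
+"Name": "AssociatedItems",
+"Type": "String"
+},
+{
+"Name": "ObjectItemParentId",
+"Type": "String"
+},
+{
+"Name": "ObjectItemParentName",
+"Type": "String"
+},
+{
+"Name": "EventCategoryType",
+"Type": "String"
+}
+]
+}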
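Review bot: The table-name key on the first property line is lowercase `"name"`, while the AIShield table added in this same commit and every other key in this file use `"Name"`; a loader that looks up `Name` case-sensitively would register this table without a name. Change it to `"Name": "JiraAudit",`. `EventId` is the only `Double` in the file while the other identifiers here (`UserSid`, `ObjectItemId`) are `String`; if the upstream audit id is an identifier rather than a measurement, confirm that `Double` is what the connector's parser actually emits.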
@ -28,6 +28,7 @@
"BetterMTD",
"BeyondSecuritybeSECURE",
"BlackberryCylancePROTECT",
"BoschAIShield",
"BoxDataConnector",
"BroadcomSymantecDLP",
"CEF",
@ -73,6 +74,7 @@
"InfobloxCloudDataConnector",
"InfobloxNIOS",
"IoT",
"JiraAuditAPI",
"JuniperSRX",
"LastPass",
"LookoutAPI",
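--- a/[path not on page: deleted 4-column ASIM schema CSV]
+++ /dev/null
@@ -1,248 +0,0 @@
-ColumnName,ColumnType,Class,Schema
-_ResourceId,string,Mandatory,NetworkSession
-Type,string,Mandatory,NetworkSession
-EventMessage,string,Optional,NetworkSession
-EventCount,int,Mandatory,NetworkSession
-EventStartTime,datetime,Mandatory,NetworkSession
-EventEndTime,datetime,Alias,NetworkSession
-EventType,string,Mandatory,NetworkSession
-EventSubType,string,Optional,NetworkSession
-EventResult,string,Mandatory,NetworkSession
-EventResultDetails,string,Optional,NetworkSession
-EventOriginalResultDetails,string,Optional,NetworkSession
-EventSeverity,string,Mandatory,NetworkSession
-EventOriginalSeverity,string,Optional,NetworkSession
-EventOriginalUid,string,Optional,NetworkSession
-EventOriginalType,string,Optional,NetworkSession
-EventProduct,string,Mandatory,NetworkSession
-EventProductVersion,string,Optional,NetworkSession
-EventVendor,string,Mandatory,NetworkSession
-EventSchema,string,Mandatory,NetworkSession
-EventSchemaVersion,string,Mandatory,NetworkSession
-EventReportUrl,string,Optional,NetworkSession
-Dvc,string,Alias,NetworkSession
-DvcIpAddr,string,Recommended,NetworkSession
-DvcHostname,string,Mandatory,NetworkSession
-DvcDomain,string,Recommended,NetworkSession
-DvcDomainType,string,Recommended,NetworkSession
-DvcFQDN,string,Optional,NetworkSession
-DvcId,string,Optional,NetworkSession
-DvcIdType,string,Optional,NetworkSession
-DstIpAddr,string,Recommended,NetworkSession
-DstPortNumber,int,Optional,NetworkSession
-DstHostname,string,Recommended,NetworkSession
-Hostname,string,Alias,NetworkSession
-DstDomain,string,Recommended,NetworkSession
-DstDomainType,string,Recommended,NetworkSession
-DstFQDN,string,Optional,NetworkSession
-DstDvcId,string,Optional,NetworkSession
-DstDvcIdType,string,Optional,NetworkSession
-DstDeviceType,string,Optional,NetworkSession
-DstUserId,string,Optional,NetworkSession
-DstUserIdType,string,Optional,NetworkSession
-DstUsername,string,Optional,NetworkSession
-User,string,Alias,NetworkSession
-DstUsernameType,string,Alias,NetworkSession
-DstUserType,string,Optional,NetworkSession
-DstOriginalUserType,string,Optional,NetworkSession
-DstUserDomain,string,Optional,NetworkSession
-DstAppName,string,Optional,NetworkSession
-DstAppId,string,Optional,NetworkSession
-DstAppType,string,Optional,NetworkSession
-DstZone,string,Optional,NetworkSession
-DstInterfaceName,string,Optional,NetworkSession
-DstInterfaceGuid,string,Optional,NetworkSession
-DstMacAddr,string,Optional,NetworkSession
-DstGeoCountry,string,Optional,NetworkSession
-DstGeoCity,string,Optional,NetworkSession
-DstGeoLatitude,real,Optional,NetworkSession
-DstGeoLongitude,real,Optional,NetworkSession
-SrcIpAddr,string,Recommended,NetworkSession
-SrcPortNumber,int,Optional,NetworkSession
-SrcHostname,string,Recommended,NetworkSession
-SrcDomain,string,Recommended,NetworkSession
-SrcDomainType,string,Recommended,NetworkSession
-SrcFQDN,string,Optional,NetworkSession
-SrcDvcId,string,Optional,NetworkSession
-SrcDvcIdType,string,Optional,NetworkSession
-SrcDeviceType,string,Optional,NetworkSession
-SrcUserId,string,Optional,NetworkSession
-SrcUserIdType,string,Optional,NetworkSession
-SrcUsername,string,Optional,NetworkSession
-SrcUsernameType,string,Alias,NetworkSession
-SrcUserType,string,Optional,NetworkSession
-SrcOriginalUserType,string,Optional,NetworkSession
-SrcUserDomain,string,Optional,NetworkSession
-SrcAppName,string,Optional,NetworkSession
-SrcAppId,string,Optional,NetworkSession
-IpAddr,string,Alias,NetworkSession
-SrcAppType,string,Optional,NetworkSession
-SrcZone,string,Optional,NetworkSession
-SrcInterfaceName,string,Optional,NetworkSession
-SrcInterfaceGuid,string,Optional,NetworkSession
-SrcMacAddr,string,Optional,NetworkSession
-SrcGeoCountry,string,Optional,NetworkSession
-SrcGeoCity,string,Optional,NetworkSession
-SrcGeoLatitude,real,Optional,NetworkSession
-SrcGeoLongitude,real,Optional,NetworkSession
-NetworkApplicationProtocol,string,Optional,NetworkSession
-NetworkProtocol,string,Optional,NetworkSession
-NetworkDirection,string,Optional,NetworkSession
-NetworkDuration,int,Optional,NetworkSession
-Duration,int,Alias,NetworkSession
-NetworkIcmpCode,int,Optional,NetworkSession
-NetworkIcmpType,string,Optional,NetworkSession
-DstBytes,int,Optional,NetworkSession
-SrcBytes,int,Optional,NetworkSession
-NetworkBytes,int,Optional,NetworkSession
-DstPackets,int,Optional,NetworkSession
-SrcPackets,int,Optional,NetworkSession
-NetworkPackets,int,Optional,NetworkSession
-NetworkSessionId,string,Optional,NetworkSession
-SessionId,string,Alias,NetworkSession
-DstNatIpAddr,string,Optional,NetworkSession
-DstNatPortNumber,int,Optional,NetworkSession
-SrcNatIpAddr,string,Optional,NetworkSession
-SrcNatPortNumber,int,Optional,NetworkSession
-DvcInboundInterface,string,Optional,NetworkSession
-DvcOutboundInterface,string,Optional,NetworkSession
-Url,string,Optional,NetworkSession
-UrlCategory,string,Optional,NetworkSession
-UrlOriginal,string,Optional,NetworkSession
-HttpVersion,string,Optional,NetworkSession
-HttpRequestMethod,string,Optional,NetworkSession
-HttpStatusCode,string,Alias,NetworkSession
-HttpContentType,string,Optional,NetworkSession
-HttpContentFormat,string,Optional,NetworkSession
-HttpReferrer,string,Optional,NetworkSession
-HttpUserAgent,string,Optional,NetworkSession
-UserAgent,string,Alias,NetworkSession
-HttpRequestXff,string,Optional,NetworkSession
-HttpRequestTime,int,Optional,NetworkSession
-HttpResponseTime,int,Optional,NetworkSession
-FileName,string,Optional,NetworkSession
-FileMD5,string,Optional,NetworkSession
-FileSHA1,string,Optional,NetworkSession
-FileSHA256,string,Optional,NetworkSession
-FileSHA512,string,Optional,NetworkSession
-FileSize,string,Optional,NetworkSession
-FileContentType,string,Optional,NetworkSession
-NetworkRuleName,string,Optional,NetworkSession
-NetworkRuleNumber,int,Optional,NetworkSession
-Rule,string,Optional,NetworkSession
-DvcAction,string,Optional,NetworkSession
-DvcOriginalAction,string,Optional,NetworkSession
-ThreatId,string,Optional,NetworkSession
-ThreatName,string,Optional,NetworkSession
-ThreatCategory,string,Optional,NetworkSession
-ThreatRiskLevel,int,Optional,NetworkSession
-ThreatRiskLevelOriginal,string,Optional,NetworkSession
-_ResourceId,string,Optional,Dns
-AdditionalFields,dynamic,Optional,Dns
-DnsFlags,string,Optional,Dns
-DnsFlagsAuthoritative,bool,Optional,Dns
-DnsFlagsCheckingDisabled,bool,Optional,Dns
-DnsFlagsRecursionAvailable,bool,Optional,Dns
-DnsFlagsRecursionDesired,bool,Optional,Dns
-DnsFlagsTruncates,bool,Optional,Dns
-DnsFlagsZ,bool,Optional,Dns
-DnsNetworkDuration,int,Optional,Dns
-DnsQuery,string,Recommended,Dns
-DnsQueryClass,int,Optional,Dns
-DnsQueryClassName,string,Recommended,Dns
-DnsQueryType,int,Optional,Dns
-DnsQueryTypeName,string,Optional,Dns
-DnsResponseCode,int,Optional,Dns
-DnsResponseCodeName,string,Mandatory,Dns
-DnsResponseName,string,Optional,Dns
-DnsSessionId,string,Optional,Dns
-Domain,string,Optional,Dns
-DomainCategory,string,Optional,Dns
-Dst,string,Alias,Dns
-DstDeviceType,string,Optional,Dns
-DstDomain,string,Optional,Dns
-DstDomainType,string,Optional,Dns
-DstDvcId,string,Optional,Dns
-DstDvcIdType,string,Optional,Dns
-DstFQDN,string,Optional,Dns
-DstGeoCity,string,Optional,Dns
-DstGeoCountry,string,Optional,Dns
-DstGeoLatitude,real,Optional,Dns
-DstGeoLongitude,real,Optional,Dns
-DstGeoRegion,string,Optional,Dns
-DstHostname,string,Optional,Dns
-DstIpAddr,string,Optional,Dns
-DstPortNumber,int,Optional,Dns
-DstRiskLevel,int,Optional,Dns
-Duration,int,Alias,Dns
-Dvc,string,Mandatory,Dns
-DvcAction,string,Optional,Dns
-DvcDomain,string,Recommended,Dns
-DvcDomainType,string,Recommended,Dns
-DvcHostname,string,Recommended,Dns
-DvcId,string,Optional,Dns
-DvcIpAddr,string,Recommended,Dns
-EventCount,int,Mandatory,Dns
-EventEndTime,datetime,Mandatory,Dns
-EventMessage,string,Optional,Dns
-EventOriginalType,string,Optional,Dns
-EventOriginalUid,string,Optional,Dns
-EventProduct,string,Mandatory,Dns
-EventProductVersion,string,Optional,Dns
-EventReportUrl,string,Optional,Dns
-EventResult,string,Mandatory,Dns
-EventResultDetails,string,Mandatory,Dns
-EventSchema,string,Mandatory,Dns
-EventSchemaVersion,string,Mandatory,Dns
-EventSeverity,string,Optional,Dns
-EventStartTime,datetime,Mandatory,Dns
-EventSubType,string,Optional,Dns
-EventType,string,Mandatory,Dns
-EventVendor,string,Mandatory,Dns
-Flags,string,Optional,Dns
-Hostname,string,Alias,Dns
-IpAddr,string,Alias,Dns
-NetworkProtocol,string,Optional,Dns
-Process,string,Alias,Dns
-Query,string,Optional,Dns
-QueryClass,int,Optional,Dns
-QueryClassName,string,Optional,Dns
-QueryType,int,Optional,Dns
-QueryTypeName,string,Optional,Dns
-ResponseCode,int,Optional,Dns
-ResponseCodeName,string,Optional,Dns
-ResponseName,string,Optional,Dns
-SessionId,string,Alias,Dns
-Src,string,Alias,Dns
-SrcDeviceType,string,Optional,Dns
-SrcDomain,string,Recommended,Dns
-SrcDomainType,string,Recommended,Dns
-SrcDvcId,string,Optional,Dns
-SrcDvcIdType,string,Optional,Dns
-SrcFQDN,string,Optional,Dns
-SrcGeoCity,string,Optional,Dns
-SrcGeoCountry,string,Optional,Dns
-SrcGeoLatitude,real,Optional,Dns
-SrcGeoLongitude,real,Optional,Dns
-SrcGeoRegion,string,Optional,Dns
-SrcHostname,string,Recommended,Dns
-SrcIpAddr,string,Mandatory,Dns
-SrcOriginalUserType,string,Optional,Dns
-SrcPortNumber,int,Optional,Dns
-SrcProcessGuid,string,Optional,Dns
-SrcProcessId,string,Optional,Dns
-SrcProcessName,string,Optional,Dns
-SrcRiskLevel,int,Optional,Dns
-SrcUserDomain,string,Optional,Dns
-SrcUserId,string,Optional,Dns
-SrcUserIdType,string,Optional,Dns
-SrcUsername,string,Optional,Dns
-SrcUsernameType,string,Optional,Dns
-SrcUserType,string,Optional,Dns
-TenantId,string,Optional,Dns
-ThreatCategory,string,Optional,Dns
-TimeGenerated,datetime,Optional,Dns
-TransactionIdHex,string,Recommended,Dns
-Type,string,Optional,Dns
-UrlCategory,string,Optional,Dns
-User,string,Alias,Dns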
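--- a/[path not on page: deleted ASimSchemaTester template JSON]
+++ /dev/null
@@ -1,39 +0,0 @@
-{
-"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
-"contentVersion": "1.0.0.0",
-"parameters": {
-"workspaceName": {
-"type": "string"
-},
-"location": {
-"type": "string"
-}
-},
-"resources": [
-{
-"type": "Microsoft.OperationalInsights/workspaces",
-"apiVersion": "2017-03-15-preview",
-"name": "[parameters('workspaceName')]",
-"location": "[parameters('location')]",
-"resources": [
-{
-"type": "savedSearches",
-"apiVersion": "2020-08-01",
-"name": "ASimSchemaTester",
-"dependsOn": [
-"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
-],
-"properties": {
-"etag": "*",
-"displayName": "ASIM Schema tester",
-"category": "Security",
-"FunctionAlias": "ASimSchemaTester",
-"query": "let ASimNetworkSessionFields = externaldata (ColumnName: string, ColumnType: string, Class: string, Schema: string)\r\n [@\"https:\/\/raw.githubusercontent.com\/Azure\/Azure-Sentinel\/master\/ASIM\/dev\/ASimSchemaTester\/ASimSchemaTester.csv\"] with (format=\"csv\", IgnoreFirstRecord=true)\r\n | where Schema =~ selected_schema;\r\n T \r\n | join kind=fullouter ASimNetworkSessionFields on ColumnName\r\n | extend Result = case(\r\n ColumnName == \"\" and Class == \"Mandatory\", strcat (\"(0) Error: Missing mandatory field [\", ColumnName1, \"]\"),\r\n ColumnName == \"\" and Class == \"Recommended\", strcat (\"(1) Warning: Missing recommended field [\", ColumnName1, \"]\"),\r\n ColumnName == \"\" and Class == \"Alias\", strcat (\"(1) Warning: Missing alias [\", ColumnName1, \"]\"),\r\n ColumnName == \"\" and Class == \"Optional\", strcat (\"(2) Info: Missing optional field [\", ColumnName1, \"]\"),\r\n ColumnName1 == \"\", strcat (\"(2) Info: extra unnormalized column [\", ColumnName, \"]\"),\r\n ColumnType != ColumnType1, strcat (\"(0) Error: type mismatch for column [\", ColumnName, \"]. It is currently \", ColumnType, \" and should be \", ColumnType1),\r\n 'None'\r\n )\r\n | where Result != \"None\" | sort by Result asc | project Result\r\n",
-"version": 1,
-"functionParameters": "T: (ColumnName: string, ColumnType:string), selected_schema:string"
-}
-}
-]
-}
-]
-}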
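--- a/[path not on page: deleted ASIM schema tester README]
+++ /dev/null
@@ -1,9 +0,0 @@
-# Deploy the ASIM schema tester
-
-This templates deploy the ASIM schema tester. For more information on using the tester refer to the document [Develop an ASIM parser]. To learn more about ASIM, refer to [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM).
-
-<br>
-
-
-[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FASIM%2Fdev%2FASimSchemaTester%2FASimSchemaTester.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FASIM%2Fdev%2FASimSchemaTester%2FASimSchemaTester.json)
-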
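--- /dev/null
+++ b/[path not on page: ASimDataTester template JSON]
@@ -0,0 +1,39 @@
+{
+"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"workspaceName": {
+"type": "string"
+},
+"location": {
+"type": "string"
+}
+},
+"resources": [
+{
+"type": "Microsoft.OperationalInsights/workspaces",
+"apiVersion": "2017-03-15-preview",
+"name": "[parameters('workspaceName')]",
+"location": "[parameters('location')]",
+"resources": [
+{
+"type": "savedSearches",
+"apiVersion": "2020-08-01",
+"name": "ASimDataTester",
+"dependsOn": [
+"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
+],
+"properties": {
+"etag": "*",
+"displayName": "ASIM Data tester",
+"category": "Security",
+"FunctionAlias": "ASimDataTester",
+"query": "let MACaddr_regex = @'^[a-fA-F0-9]{2}(:[a-fA-F0-9]{2}){5}$';\r\n let FQDN_regex = @'^(?:([a-zA-Z0-9-]+)\\.)?([a-zA-Z0-9-]{1,61})\\.([a-zA-Z0-9]{2,7})$';\r\n let Hostname_regex = @'^[a-zA-Z0-9-]{1,61}$';\r\n let MD5_regex = @'[a-zA-Z0-0]{32}';\r\n let SHA1_regex = @'[a-zA-Z0-0]{40}';\r\n let SHA256_regex = @'[a-zA-Z0-0]{64}';\r\n let SHA512_regex = @'[a-zA-Z0-0]{128}';\r\n let DnsQueryTypeName = materialize (externaldata (value: string)\r\n [@\"https:\/\/www.iana.org\/assignments\/dns-parameters\/dns-parameters-4.csv\"] with (format=\"csv\", IgnoreFirstRecord=true));\r\n let DnsResponseCodeName = materialize (externaldata (code: string, value: string)\r\n [@\"https:\/\/www.iana.org\/assignments\/dns-parameters\/dns-parameters-6.csv\"] with (format=\"csv\", IgnoreFirstRecord=true) | project value);\r\n let DnsQueryClassName = materialize (externaldata (dec: string, dex: string, value: string)\r\n [@\"https:\/\/www.iana.org\/assignments\/dns-parameters\/dns-parameters-2.csv\"] with (format=\"csv\", IgnoreFirstRecord=true) | project value);\r\n let ASimFields = materialize (externaldata (ColumnName: string, ColumnType: string, Class: string, Schema: string, LogicalType:string, ListOfValues: string)\r\n [@\"https:\/\/raw.githubusercontent.com\/Azure\/Azure-Sentinel\/master\/ASIM\/dev\/ASimTester\/ASimTester.csv\"] with (format=\"csv\", IgnoreFirstRecord=true)\r\n | where Schema =~ selected_schema);\r\n T \r\n | extend f=pack_all() \r\n | mv-expand f\r\n | project f \r\n | extend ColumnName = tostring(bag_keys(f)[0])\r\n | extend value = f[ColumnName]\r\n | extend type=gettype(value)\r\n | distinct ColumnName, tostring(value), type\r\n | lookup ASimFields on ColumnName\r\n | extend Result = case( \r\n ColumnType != \"\" and type != \"null\" and ColumnType != type, strcat (\"(0) Error: type mismatch for column [\", ColumnName, \"]. It is currently [\", type, \"] and should be [\", ColumnType, \"]\"),\r\n Class == \"Mandatory\" and value == \"\", strcat (\"(0) Error: Missing mandatory field [\", ColumnName, \"]\"),\r\n Class == \"Recommended\" and value == \"\", strcat (\"(1) Warning: Missing recommended field [\", ColumnName, \"]\"),\r\n Class == \"Alias\" and value == \"\", strcat (\"(1) Warning: Missing alias [\", ColumnName, \"]\"),\r\n LogicalType == \"Enumerated\" and ListOfValues != \"\" and ListOfValues !has value, \"Invalid Value\",\r\n (LogicalType == \"MAC Address\") and (value != \"\") and not (value matches regex MACaddr_regex), \"Invalid Value\", \r\n (LogicalType == \"IP Address\") and (value != \"\") and not(ipv4_is_match(value, \"0.0.0.0\",0)) and not(ipv6_is_match(value, \"::1\",0)), \"Invalid Value\",\r\n (LogicalType == \"FQDN\") and (value != \"\") and not (value matches regex FQDN_regex), \"Invalid Value\",\r\n (LogicalType == \"GUID\") and (value != \"\") and isnull(toguid(value)), \"Invali d Value\",\r\n (LogicalType == \"Hostname\") and (value != \"\") and not (value matches regex Hostname_regex), \"Invalid Value\", \r\n (LogicalType == \"RiskLevel\") and (value != \"\") and (toint(value) < 0 or toint(value) > 100), \"Invalid Value\",\r\n (LogicalType == \"DnsQueryClassName\") and (value != \"\") and value !in (DnsQueryClassName), \"Invalid Value\",\r\n (LogicalType == \"DnsResponseCodeName\") and (value != \"\") and value !in (DnsResponseCodeName), \"Invalid Value\",\r\n (LogicalType == \"DnsQueryTypeName\") and (value != \"\") and value !in (DnsQueryTypeName), \"Invalid Value\",\r\n (LogicalType == \"MD5\") and (value != \"\") and not (value matches regex MD5_regex), \"Invalid Value\", \r\n (LogicalType == \"SHA1\") and (value != \"\") and not (value matches regex SHA1_regex), \"Invalid Value\", \r\n (LogicalType == \"SHA256\") and (value != \"\") and not (value matches regex SHA256_regex), \"Invalid Value\", \r\n (LogicalType == \"SHA512\") and (value != \"\") and not (value matches regex SHA512_regex), \"Invalid Value\", \r\n 'None'\r\n )\r\n | where Result != \"None\"\r\n | summarize values = make_set(value, 10) by Result, ColumnName\r\n | extend Result = iif (Result == \"Invalid Value\", strcat (\"(0) Error: Invalid value(s) (up to 10 listed) for field [\", ColumnName, \"]: \", tostring(values)), Result)\r\n | distinct Result\r\n | sort by Result asc\r\n",
+"version": 1,
+"functionParameters": "T:( TenantId:string ), selected_schema:string"
+}
+}
+]
+}
+]
+}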
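Review bot: The hash validators in the `query` string do not validate hex: `[a-zA-Z0-0]{32}` (and the SHA1/SHA256/SHA512 variants) accept every letter but only the digit 0, and the patterns are unanchored, so a 40-character SHA1 also satisfies the MD5 pattern while a real MD5 containing any digit other than 0 is rejected; the intended form is `let MD5_regex = @'^[a-fA-F0-9]{32}$';` with the same class and `^…$` anchors for the other three. The GUID branch emits `"Invali d Value"`, which never equals `"Invalid Value"` in the later `iif`, so GUID failures reach the output with the typo and without the field name or the offending values. The ASimFields lookup reads `ASimTester.csv` from the `master` branch and the three IANA tables from live URLs at query time, so the tester's verdicts change whenever those remote files do; pinning the GitHub reference to a commit or tag (the new ASimSchemaTester template below has the same `master` reference) would make results reproducible.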
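--- /dev/null
+++ b/[path not on page: ASimSchemaTester template JSON]
@@ -0,0 +1,39 @@
+{
+"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"workspaceName": {
+"type": "string"
+},
+"location": {
+"type": "string"
+}
+},
+"resources": [
+{
+"type": "Microsoft.OperationalInsights/workspaces",
+"apiVersion": "2017-03-15-preview",
+"name": "[parameters('workspaceName')]",
+"location": "[parameters('location')]",
+"resources": [
+{
+"type": "savedSearches",
+"apiVersion": "2020-08-01",
+"name": "ASimSchemaTester",
+"dependsOn": [
+"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
+],
+"properties": {
+"etag": "*",
+"displayName": "ASIM Schema tester",
+"category": "Security",
+"FunctionAlias": "ASimSchemaTester",
+"query": "let ASimFields = externaldata (ColumnName: string, ColumnType: string, Class: string, Schema: string)\r\n [@\"https:\/\/raw.githubusercontent.com\/Azure\/Azure-Sentinel\/master\/ASIM\/dev\/ASimTester\/ASimTester.csv\"] with (format=\"csv\", IgnoreFirstRecord=true)\r\n | where Schema =~ selected_schema;\r\n T \r\n | join kind=fullouter ASimFields on ColumnName\r\n | extend Result = case(\r\n ColumnName == \"\" and Class == \"Mandatory\", strcat (\"(0) Error: Missing mandatory field [\", ColumnName1, \"]\"),\r\n ColumnName == \"\" and Class == \"Recommended\", strcat (\"(1) Warning: Missing recommended field [\", ColumnName1, \"]\"),\r\n ColumnName == \"\" and Class == \"Alias\", strcat (\"(1) Warning: Missing alias [\", ColumnName1, \"]\"),\r\n ColumnName == \"\" and Class == \"Optional\", strcat (\"(2) Info: Missing optional field [\", ColumnName1, \"]\"),\r\n ColumnName1 == \"\", strcat (\"(2) Info: extra unnormalized column [\", ColumnName, \"]\"),\r\n ColumnType != ColumnType1, strcat (\"(0) Error: type mismatch for column [\", ColumnName, \"]. It is currently \", ColumnType, \" and should be \", ColumnType1),\r\n 'None'\r\n )\r\n | where Result != \"None\" | sort by Result asc | project Result\r\n",
+"version": 1,
+"functionParameters": "T: (ColumnName: string, ColumnType:string), selected_schema:string"
+}
+}
+]
+}
+]
+}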
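Review bot: The `externaldata` call in the `query` string declares four columns (`ColumnName, ColumnType, Class, Schema`) but now points at `ASimTester.csv`, whose header in this same commit carries six (`…,LogicalType,ListOfValues`), and the ASimDataTester template in this commit declares all six. I cannot confirm from here whether the CSV reader silently drops the two trailing columns or fails the read, so declaring the full six-column schema here as well removes the doubt and keeps the two testers reading the file the same way. The `ColumnType != ColumnType1` comparison is case-sensitive while the `Schema` filter uses `=~`; if callers pass types from `getschema` the cases will agree, but that assumption is worth a one-line comment in the query.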
@ -0,0 +1,363 @@
|
|||
ColumnName,ColumnType,Class,Schema,LogicalType,ListOfValues
|
||||
_ResourceId,string,Mandatory,NetworkSession,,
|
||||
Type,string,Mandatory,NetworkSession,,
|
||||
EventMessage,string,Optional,NetworkSession,,
|
||||
EventCount,int,Mandatory,NetworkSession,,
|
||||
EventStartTime,datetime,Mandatory,NetworkSession,,
|
||||
EventEndTime,datetime,Alias,NetworkSession,,
|
||||
EventType,string,Mandatory,NetworkSession,Enumarated,NetworkSession
|
||||
EventSubType,string,Optional,NetworkSession,Enumarated,Start|End|
|
||||
EventResult,string,Mandatory,NetworkSession,Enumerated,Success|Partial|Failure|NA
|
||||
EventResultDetails,string,Optional,NetworkSession,,
|
||||
EventOriginalResultDetails,string,Optional,NetworkSession,,
|
||||
EventSeverity,string,Mandatory,NetworkSession,Enumerated,Informational|Low|Medium|High
|
||||
EventOriginalSeverity,string,Optional,NetworkSession,,
|
||||
EventOriginalUid,string,Optional,NetworkSession,,
|
||||
EventOriginalType,string,Optional,NetworkSession,,
|
||||
EventProduct,string,Mandatory,NetworkSession,Enumerated,
|
||||
EventProductVersion,string,Optional,NetworkSession,,
|
||||
EventVendor,string,Mandatory,NetworkSession,Enumerated,
|
||||
EventSchema,string,Mandatory,NetworkSession,Enumarated,NetworkSession
|
||||
EventSchemaVersion,string,Mandatory,NetworkSession,SchemaVersion,
|
||||
EventReportUrl,string,Optional,NetworkSession,URL,
|
||||
Dvc,string,Alias,NetworkSession,,
|
||||
DvcIpAddr,string,Recommended,NetworkSession,IP Address,
|
||||
DvcHostname,string,Mandatory,NetworkSession,Hostname,
|
||||
DvcDomain,string,Recommended,NetworkSession,FQDN,
|
||||
DvcDomainType,string,Recommended,NetworkSession,Enumerated,Windows|FQDN
|
||||
DvcFQDN,string,Optional,NetworkSession,FQDN,
|
||||
DvcId,string,Optional,NetworkSession,,
|
||||
DvcIdType,string,Optional,NetworkSession,Enumerated,AzureResourceId|MDEid
|
||||
DstIpAddr,string,Recommended,NetworkSession,IP Address,
|
||||
DstPortNumber,int,Optional,NetworkSession,,
|
||||
DstHostname,string,Recommended,NetworkSession,Hostname,
|
||||
Hostname,string,Alias,NetworkSession,Hostname,
|
||||
DstDomain,string,Recommended,NetworkSession,FQDN,
|
||||
DstDomainType,string,Recommended,NetworkSession,Enumerated,Windows|FQDN
|
||||
DstFQDN,string,Optional,NetworkSession,FQDN,
|
||||
DstDvcId,string,Optional,NetworkSession,,
|
||||
DstDvcIdType,string,Optional,NetworkSession,Enumerated,AzureResourceId|MDEid
|
||||
DstDeviceType,string,Optional,NetworkSession,Enumerated,Computer|Mobile Device|IOT Device|Other
|
||||
DstUserId,string,Optional,NetworkSession,,
|
||||
DstUserIdType,string,Optional,NetworkSession,Enumerated, SID|UIS|AADID|OktaId|AWSId
|
||||
DstUsername,string,Optional,NetworkSession,Username,
|
||||
User,string,Alias,NetworkSession,Username,
|
||||
DstUsernameType,string,Alias,NetworkSession,Enumerated,UPN|Windows|DN|Simple
|
||||
DstUserType,string,Optional,NetworkSession,Enumerated,Regular|Machine|Admin|System|Application| Service Principal|Other
|
||||
DstOriginalUserType,string,Optional,NetworkSession,,
|
||||
DstUserDomain,string,Optional,NetworkSession,FQDN,
|
||||
DstAppName,string,Optional,NetworkSession,,
|
||||
DstAppId,string,Optional,NetworkSession,,
|
||||
DstAppType,string,Optional,NetworkSession,Enumerated,Process|Service|Resource|URL|SaaS application|Other
|
||||
DstZone,string,Optional,NetworkSession,,
|
||||
DstInterfaceName,string,Optional,NetworkSession,,
|
||||
DstInterfaceGuid,string,Optional,NetworkSession,GUID,
|
||||
DstMacAddr,string,Optional,NetworkSession,MAC address,
|
||||
DstGeoCountry,string,Optional,NetworkSession,Country,
|
||||
DstGeoRegion,string,Optional,NetworkSession,Region,
|
||||
DstGeoCity,string,Optional,NetworkSession,City,
|
||||
DstGeoLatitude,real,Optional,NetworkSession,,
|
||||
DstGeoLongitude,real,Optional,NetworkSession,,
|
||||
SrcIpAddr,string,Recommended,NetworkSession,IP Address,
|
||||
SrcPortNumber,int,Optional,NetworkSession,,
|
||||
SrcHostname,string,Recommended,NetworkSession,Hostname,
|
||||
SrcDomain,string,Recommended,NetworkSession,FQDN,
|
||||
SrcDomainType,string,Recommended,NetworkSession,Enumerated,Windows|FQDN
|
||||
SrcFQDN,string,Optional,NetworkSession,FQDN,
|
||||
SrcDvcId,string,Optional,NetworkSession,,
|
||||
SrcDvcIdType,string,Optional,NetworkSession,Enumerated,AzureResourceId|MDEid
|
||||
SrcDeviceType,string,Optional,NetworkSession,Enumerated,Computer|Mobile Device|IOT Device|Other
|
||||
SrcUserId,string,Optional,NetworkSession,,
|
||||
SrcUserIdType,string,Optional,NetworkSession,Enumerated, SID|UIS|AADID|OktaId|AWSId
|
||||
SrcUsername,string,Optional,NetworkSession,Username,
|
||||
SrcUsernameType,string,Alias,NetworkSession,Enumerated,UPN|Windows|DN|Simple
|
||||
SrcUserType,string,Optional,NetworkSession,Enumerated,Regular|Machine|Admin|System|Application| Service Principal|Other
|
||||
SrcOriginalUserType,string,Optional,NetworkSession,,
|
||||
SrcUserDomain,string,Optional,NetworkSession,FQDN,
|
||||
SrcAppName,string,Optional,NetworkSession,,
|
||||
SrcAppId,string,Optional,NetworkSession,,
|
||||
IpAddr,string,Alias,NetworkSession,IP Address,
|
||||
SrcAppType,string,Optional,NetworkSession,Enumerated,Process|Service|Resource|URL|SaaS application|Other
|
||||
SrcZone,string,Optional,NetworkSession,,
|
||||
SrcInterfaceName,string,Optional,NetworkSession,,
|
||||
SrcInterfaceGuid,string,Optional,NetworkSession,GUID,
|
||||
SrcMacAddr,string,Optional,NetworkSession,MAC address,
|
||||
SrcGeoCountry,string,Optional,NetworkSession,Country,
|
||||
SrcGeoCity,string,Optional,NetworkSession,City,
|
||||
SrcGeoLatitude,real,Optional,NetworkSession,,
|
||||
SrcGeoLongitude,real,Optional,NetworkSession,,
|
||||
NetworkApplicationProtocol,string,Optional,NetworkSession,Enumerated,
|
||||
NetworkProtocol,string,Optional,NetworkSession,Enumerated,
|
||||
NetworkDirection,string,Optional,NetworkSession,Enumerated,Inbound|Outbound|Listen
|
||||
NetworkDuration,int,Optional,NetworkSession,,
|
||||
Duration,int,Alias,NetworkSession,,
|
||||
NetworkIcmpCode,int,Optional,NetworkSession,,
|
||||
NetworkIcmpType,string,Optional,NetworkSession,Enumerated,
|
||||
DstBytes,int,Optional,NetworkSession,,
|
||||
SrcBytes,int,Optional,NetworkSession,,
|
||||
NetworkBytes,int,Optional,NetworkSession,,
|
||||
DstPackets,int,Optional,NetworkSession,,
|
||||
SrcPackets,int,Optional,NetworkSession,,
|
||||
NetworkPackets,int,Optional,NetworkSession,,
|
||||
NetworkSessionId,string,Optional,NetworkSession,,
|
||||
SessionId,string,Alias,NetworkSession,,
|
||||
DstNatIpAddr,string,Optional,NetworkSession,IP Address,
|
||||
DstNatPortNumber,int,Optional,NetworkSession,,
|
||||
SrcNatIpAddr,string,Optional,NetworkSession,IP Address,
|
||||
SrcNatPortNumber,int,Optional,NetworkSession,,
|
||||
DvcInboundInterface,string,Optional,NetworkSession,,
|
||||
DvcOutboundInterface,string,Optional,NetworkSession,,
|
||||
NetworkRuleName,string,Optional,NetworkSession,,
|
||||
NetworkRuleNumber,int,Optional,NetworkSession,,
|
||||
Rule,string,Optional,NetworkSession,,
|
||||
DvcAction,string,Optional,NetworkSession,Enumerated,Allow|Deny|Drop|Drop ICMP|Reset|Reset Source|Reset Destination|Encrypt| Decrypt|VPNroute
|
||||
DvcOriginalAction,string,Optional,NetworkSession,,
|
||||
ThreatId,string,Optional,NetworkSession,,
|
||||
ThreatName,string,Optional,NetworkSession,,
|
||||
ThreatCategory,string,Optional,NetworkSession,,
|
||||
ThreatRiskLevel,int,Optional,NetworkSession,RiskLevel,
|
||||
Src,string,Alias,NetworkSession,,
|
||||
Dst,string,Alias,NetworkSession,,
|
||||
ThreatRiskLevelOriginal,string,Optional,NetworkSession,,
|
||||
_ResourceId,string,Optional,Dns,,
|
||||
AdditionalFields,dynamic,Optional,Dns,,
|
||||
DnsFlags,string,Optional,Dns,,
|
||||
DnsFlagsAuthoritative,bool,Optional,Dns,,
|
||||
DnsFlagsCheckingDisabled,bool,Optional,Dns,,
|
||||
DnsFlagsRecursionAvailable,bool,Optional,Dns,,
|
||||
DnsFlagsRecursionDesired,bool,Optional,Dns,,
|
||||
DnsFlagsTruncates,bool,Optional,Dns,,
|
||||
DnsFlagsZ,bool,Optional,Dns,,
|
||||
DnsNetworkDuration,int,Optional,Dns,,
|
||||
DnsQuery,string,Recommended,Dns,FQDN,
|
||||
DnsQueryClass,int,Optional,Dns,,
|
||||
DnsQueryClassName,string,Recommended,Dns,DnsQueryClassName,
|
||||
DnsQueryType,int,Optional,Dns,,
|
||||
DnsQueryTypeName,string,Optional,Dns,DnsQueryTypeName,
|
||||
DnsResponseCode,int,Optional,Dns,,
|
||||
DnsResponseCodeName,string,Mandatory,Dns,DnsResponseCodeName,
|
||||
DnsResponseName,string,Optional,Dns,,
|
||||
DnsSessionId,string,Optional,Dns,,
|
||||
Domain,string,Optional,Dns,FQDN,
|
||||
DomainCategory,string,Optional,Dns,,
|
||||
Dst,string,Alias,Dns,,
|
||||
DstDeviceType,string,Optional,Dns,Enumerated,Computer|Mobile Device|IOT Device|Other
|
||||
DstDomain,string,Optional,Dns,FQDN,
|
||||
DstDomainType,string,Optional,Dns,Enumerated,Windows|FQDN
|
||||
DstDvcId,string,Optional,Dns,,
|
||||
DstDvcIdType,string,Optional,Dns,Enumerated,AzureResourceId|MDEid
|
||||
DstFQDN,string,Optional,Dns,,
|
||||
DstGeoCity,string,Optional,Dns,City,
|
||||
DstGeoCountry,string,Optional,Dns,Country,
|
||||
DstGeoLatitude,real,Optional,Dns,,
|
||||
DstGeoLongitude,real,Optional,Dns,,
|
||||
DstGeoRegion,string,Optional,Dns,Region,
|
||||
DstHostname,string,Optional,Dns,,
|
||||
DstIpAddr,string,Optional,Dns,IP Address,
|
||||
DstPortNumber,int,Optional,Dns,,
|
||||
DstRiskLevel,int,Optional,Dns,,
|
||||
Duration,int,Alias,Dns,,
|
||||
Dvc,string,Mandatory,Dns,,
|
||||
DvcAction,string,Optional,Dns,,
|
||||
DvcDomain,string,Recommended,Dns,FQDN,
|
||||
DvcDomainType,string,Recommended,Dns,Enumerated,Windows|FQDN
|
||||
DvcHostname,string,Recommended,Dns,Hostname,
|
||||
DvcId,string,Optional,Dns,,
|
||||
DvcIpAddr,string,Recommended,Dns,IP Address,
|
||||
EventCount,int,Mandatory,Dns,,
|
||||
EventEndTime,datetime,Mandatory,Dns,,
|
||||
EventMessage,string,Optional,Dns,,
|
||||
EventOriginalType,string,Optional,Dns,,
|
||||
EventOriginalUid,string,Optional,Dns,,
|
||||
EventProduct,string,Mandatory,Dns,Enumerated,
|
||||
EventProductVersion,string,Optional,Dns,,
|
||||
EventReportUrl,string,Optional,Dns,URL,
|
||||
EventResult,string,Mandatory,Dns,Enumerated,Success|Partial|Failure|NA
|
||||
EventResultDetails,string,Mandatory,Dns,Enumerated,
|
||||
EventSchema,string,Mandatory,Dns,Enumerated,Dms
|
||||
EventSchemaVersion,string,Mandatory,Dns,SchemaVersion,
|
||||
EventSeverity,string,Optional,Dns,Enumerated,Informational|Low|Medium|High
|
||||
EventStartTime,datetime,Mandatory,Dns,,
|
||||
EventSubType,string,Optional,Dns,Enumerated,request|response
|
||||
EventType,string,Mandatory,Dns,Enumerated,Query|Status|Notify|Update|DNS Stateful Operations
|
||||
EventVendor,string,Mandatory,Dns,Enumerated,
|
||||
Flags,string,Optional,Dns,,
|
||||
Hostname,string,Alias,Dns,Hostname,
|
||||
IpAddr,string,Alias,Dns,IP Address,
|
||||
NetworkProtocol,string,Optional,Dns,Enumerated,TCP|UDP
|
||||
Process,string,Alias,Dns,,
|
||||
SessionId,string,Alias,Dns,,
|
||||
Src,string,Alias,Dns,,
|
||||
SrcDeviceType,string,Optional,Dns,Enumerated,Computer|Mobile Device|IOT Device|Other
|
||||
SrcDomain,string,Recommended,Dns,,
|
||||
SrcDomainType,string,Recommended,Dns,Enumerated,Windows|FQDN
|
||||
SrcDvcId,string,Optional,Dns,,
|
||||
SrcDvcIdType,string,Optional,Dns,Enumerated,AzureResourceId|MDEid
|
||||
SrcFQDN,string,Optional,Dns,FQDN,
|
||||
SrcGeoCity,string,Optional,Dns,,
|
||||
SrcGeoCountry,string,Optional,Dns,Country,
|
||||
SrcGeoLatitude,real,Optional,Dns,City,
|
||||
SrcGeoLongitude,real,Optional,Dns,,
|
||||
SrcGeoRegion,string,Optional,Dns,Region,
|
||||
SrcHostname,string,Recommended,Dns,Hostname,
|
||||
SrcIpAddr,string,Mandatory,Dns,IP Address,
|
||||
SrcOriginalUserType,string,Optional,Dns,,
|
||||
SrcPortNumber,int,Optional,Dns,,
|
||||
SrcProcessGuid,string,Optional,Dns,GUID,
|
||||
SrcProcessId,string,Optional,Dns,,
|
||||
SrcProcessName,string,Optional,Dns,,
|
||||
SrcRiskLevel,int,Optional,Dns,,
|
||||
SrcUserDomain,string,Optional,Dns,FQDN,
|
||||
SrcUserId,string,Optional,Dns,,
|
||||
SrcUserIdType,string,Optional,Dns,Enumerated, SID|UIS|AADID|OktaId|AWSId
|
||||
SrcUsername,string,Optional,Dns,Username,
|
||||
SrcUsernameType,string,Optional,Dns,Enumerated,UPN|Windows|DN|Simple
|
||||
SrcUserType,string,Optional,Dns,Enumerated,Regular|Machine|Admin|System|Application| Service Principal|Other
|
||||
TenantId,string,Optional,Dns,,
|
||||
ThreatCategory,string,Optional,Dns,,
|
||||
TimeGenerated,datetime,Optional,Dns,,
|
||||
TransactionIdHex,string,Recommended,Dns,Hexadecimal,
|
||||
Type,string,Optional,Dns,,
|
||||
UrlCategory,string,Optional,Dns,,
|
||||
User,string,Alias,Dns,Username,
|
||||
_ResourceId,string,Mandatory,WebSession,,
|
||||
Type,string,Mandatory,WebSession,,
|
||||
EventMessage,string,Optional,WebSession,,
|
||||
EventCount,int,Mandatory,WebSession,,
|
||||
EventStartTime,datetime,Mandatory,WebSession,,
|
||||
EventEndTime,datetime,Alias,WebSession,,
|
||||
EventType,string,Mandatory,WebSession,Enumarated,HTTPsession
|
||||
EventSubType,string,Optional,WebSession,,
|
||||
EventResult,string,Mandatory,WebSession,Enumerated,Success|Partial|Failure|NA
|
||||
EventResultDetails,string,Optional,WebSession,Enumerated,
|
||||
EventOriginalResultDetails,string,Optional,WebSession,,
|
||||
EventSeverity,string,Mandatory,WebSession,Enumerated,Informational|Low|Medium|High
|
||||
EventOriginalSeverity,string,Optional,WebSession,,
|
||||
EventOriginalUid,string,Optional,WebSession,,
|
||||
EventOriginalType,string,Optional,WebSession,,
|
||||
EventProduct,string,Mandatory,WebSession,Enumerated,
|
||||
EventProductVersion,string,Optional,WebSession,,
|
||||
EventVendor,string,Mandatory,WebSession,Enumerated,
|
||||
EventSchema,string,Mandatory,WebSession,Enumarated,WebSession
|
||||
EventSchemaVersion,string,Mandatory,WebSession,SchemaVersion,
|
||||
EventReportUrl,string,Optional,WebSession,URL,
|
||||
Dvc,string,Alias,WebSession,,
|
||||
DvcIpAddr,string,Recommended,WebSession,IP Address,
|
||||
DvcHostname,string,Mandatory,WebSession,Hostname,
|
||||
DvcDomain,string,Recommended,WebSession,FQDN,
|
||||
DvcDomainType,string,Recommended,WebSession,Enumerated,Windows|FQDN
|
||||
DvcFQDN,string,Optional,WebSession,FQDN,
|
||||
DvcId,string,Optional,WebSession,,
|
||||
DvcIdType,string,Optional,WebSession,Enumerated,AzureResourceId|MDEid
|
||||
DstIpAddr,string,Recommended,WebSession,IP Address,
|
||||
DstPortNumber,int,Optional,WebSession,,
|
||||
DstHostname,string,Recommended,WebSession,Hostname,
|
||||
Hostname,string,Alias,WebSession,Hostname,
|
||||
DstDomain,string,Recommended,WebSession,FQDN,
|
||||
DstDomainType,string,Recommended,WebSession,Enumerated,Windows|FQDN
|
||||
DstFQDN,string,Optional,WebSession,FQDN,
|
||||
DstDvcId,string,Optional,WebSession,,
|
||||
DstDvcIdType,string,Optional,WebSession,Enumerated,AzureResourceId|MDEid
|
||||
DstDeviceType,string,Optional,WebSession,Enumerated,Computer|Mobile Device|IOT Device|Other
|
||||
DstUserId,string,Optional,WebSession,,
|
||||
DstUserIdType,string,Optional,WebSession,Enumerated, SID|UIS|AADID|OktaId|AWSId
|
||||
DstUsername,string,Optional,WebSession,Username,
|
||||
User,string,Alias,WebSession,Username,
|
||||
DstUsernameType,string,Alias,WebSession,Enumerated,UPN|Windows|DN|Simple
|
||||
DstUserType,string,Optional,WebSession,Enumerated,Regular|Machine|Admin|System|Application| Service Principal|Other
|
||||
DstOriginalUserType,string,Optional,WebSession,,
|
||||
DstUserDomain,string,Optional,WebSession,FQDN,
|
||||
DstAppName,string,Optional,WebSession,,
|
||||
DstAppId,string,Optional,WebSession,,
|
||||
DstAppType,string,Optional,WebSession,Enumerated,Process|Service|Resource|URL|SaaS application|Other
|
||||
DstZone,string,Optional,WebSession,,
|
||||
DstInterfaceName,string,Optional,WebSession,,
|
||||
DstInterfaceGuid,string,Optional,WebSession,GUID,
|
||||
DstMacAddr,string,Optional,WebSession,MAC address,
|
||||
DstGeoCountry,string,Optional,WebSession,Country,
|
||||
DstGeoRegion,string,Optional,WebSession,Region,
|
||||
DstGeoCity,string,Optional,WebSession,City,
|
||||
DstGeoLatitude,real,Optional,WebSession,,
|
||||
DstGeoLongitude,real,Optional,WebSession,,
|
||||
SrcIpAddr,string,Recommended,WebSession,IP Address,
|
||||
SrcPortNumber,int,Optional,WebSession,,
|
||||
SrcHostname,string,Recommended,WebSession,Hostname,
|
||||
SrcDomain,string,Recommended,WebSession,FQDN,
|
||||
SrcDomainType,string,Recommended,WebSession,Enumerated,Windows|FQDN
|
||||
SrcFQDN,string,Optional,WebSession,FQDN,
|
||||
SrcDvcId,string,Optional,WebSession,,
|
||||
SrcDvcIdType,string,Optional,WebSession,Enumerated,AzureResourceId|MDEid
|
||||
SrcDeviceType,string,Optional,WebSession,Enumerated,Computer|Mobile Device|IOT Device|Other
|
||||
SrcUserId,string,Optional,WebSession,,
|
||||
SrcUserIdType,string,Optional,WebSession,Enumerated, SID|UIS|AADID|OktaId|AWSId
|
||||
SrcUsername,string,Optional,WebSession,Username,
|
||||
SrcUsernameType,string,Alias,WebSession,Enumerated,UPN|Windows|DN|Simple
|
||||
SrcUserType,string,Optional,WebSession,Enumerated,Regular|Machine|Admin|System|Application| Service Principal|Other
|
||||
SrcOriginalUserType,string,Optional,WebSession,,
|
||||
SrcUserDomain,string,Optional,WebSession,FQDN,
|
||||
SrcAppName,string,Optional,WebSession,,
|
||||
SrcAppId,string,Optional,WebSession,,
|
||||
IpAddr,string,Alias,WebSession,IP Address,
|
||||
SrcAppType,string,Optional,WebSession,Enumerated,Process|Service|Resource|URL|SaaS application|Other
|
||||
SrcZone,string,Optional,WebSession,,
|
||||
SrcInterfaceName,string,Optional,WebSession,,
|
||||
SrcInterfaceGuid,string,Optional,WebSession,GUID,
|
||||
SrcMacAddr,string,Optional,WebSession,MAC address,
|
||||
SrcGeoCountry,string,Optional,WebSession,Country,
|
||||
SrcGeoCity,string,Optional,WebSession,City,
|
||||
SrcGeoLatitude,real,Optional,WebSession,,
|
||||
SrcGeoLongitude,real,Optional,WebSession,,
|
||||
NetworkApplicationProtocol,string,Optional,WebSession,Enumerated,
|
||||
NetworkProtocol,string,Optional,WebSession,Enumerated,
|
||||
NetworkDirection,string,Optional,WebSession,Enumerated,Inbound|Outbound|Listen
|
||||
NetworkDuration,int,Optional,WebSession,,
|
||||
Duration,int,Alias,WebSession,,
|
||||
NetworkIcmpCode,int,Optional,WebSession,,
|
||||
NetworkIcmpType,string,Optional,WebSession,Enumerated,
|
||||
DstBytes,int,Optional,WebSession,,
|
||||
SrcBytes,int,Optional,WebSession,,
|
||||
NetworkBytes,int,Optional,WebSession,,
|
||||
DstPackets,int,Optional,WebSession,,
|
||||
SrcPackets,int,Optional,WebSession,,
|
||||
NetworkPackets,int,Optional,WebSession,,
|
||||
NetworkSessionId,string,Optional,WebSession,,
|
||||
SessionId,string,Alias,WebSession,,
|
||||
DstNatIpAddr,string,Optional,WebSession,IP Address,
|
||||
DstNatPortNumber,int,Optional,WebSession,,
|
||||
SrcNatIpAddr,string,Optional,WebSession,IP Address,
|
||||
SrcNatPortNumber,int,Optional,WebSession,,
|
||||
DvcInboundInterface,string,Optional,WebSession,,
|
||||
DvcOutboundInterface,string,Optional,WebSession,,
|
||||
Url,string,Optional,WebSession,URL,
|
||||
UrlCategory,string,Optional,WebSession,,
|
||||
UrlOriginal,string,Optional,WebSession,URL,
|
||||
HttpVersion,string,Optional,WebSession,,
|
||||
HttpRequestMethod,string,Optional,WebSession,,
|
||||
HttpStatusCode,string,Alias,WebSession,Enumerated,
|
||||
HttpContentType,string,Optional,WebSession,,
|
||||
HttpContentFormat,string,Optional,WebSession,,
|
||||
HttpReferrer,string,Optional,WebSession,,
|
||||
HttpUserAgent,string,Optional,WebSession,Useragent,
|
||||
UserAgent,string,Alias,WebSession,,
|
||||
HttpRequestXff,string,Optional,WebSession,,
|
||||
HttpRequestTime,int,Optional,WebSession,,
|
||||
HttpResponseTime,int,Optional,WebSession,,
|
||||
FileName,string,Optional,WebSession,,
|
||||
FileMD5,string,Optional,WebSession,MD5,
|
||||
FileSHA1,string,Optional,WebSession,SHA1,
|
||||
FileSHA256,string,Optional,WebSession,SHA256,
|
||||
FileSHA512,string,Optional,WebSession,SHA512,
|
||||
FileSize,int,Optional,WebSession,,
|
||||
FileContentType,string,Optional,WebSession,Enumerated,
|
||||
NetworkRuleName,string,Optional,WebSession,,
|
||||
NetworkRuleNumber,int,Optional,WebSession,,
|
||||
Rule,string,Optional,WebSession,,
|
||||
DvcAction,string,Optional,WebSession,Enumerated,Allow|Deny|Drop|Drop ICMP|Reset|Reset Source|Reset Destination|Encrypt| Decrypt|VPNroute
|
||||
DvcOriginalAction,string,Optional,WebSession,,
|
||||
ThreatId,string,Optional,WebSession,,
|
||||
ThreatName,string,Optional,WebSession,,
|
||||
ThreatCategory,string,Optional,WebSession,,
|
||||
ThreatRiskLevel,int,Optional,WebSession,RiskLevel,
|
||||
ThreatRiskLevelOriginal,string,Optional,WebSession,,
|
||||
Src,string,Alias,WebSession,,
|
||||
Dst,string,Alias,WebSession,,
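Review bot: Several rows misspell the LogicalType as `Enumarated` (L1661, L1664, L1697, L2324, L2360) while the rest of the file uses `Enumerated`, and a few cell values look wrong: L2168 lists `Dms` as the only allowed EventSchema value for the Dns schema where the NetworkSession and WebSession rows use the schema name itself (so `EventSchema,string,Mandatory,Dns,Enumerated,Dns` is presumably intended), L2234 puts LogicalType `City` on SrcGeoLatitude while L2228 leaves SrcGeoCity without it (the two look swapped), and the user-id lists at L1763, L1850, L2273, L2426 and L2513 begin with a stray space (` SID|UIS|...`) that any `|`-split validator would keep as part of the first value. The schema tester query at L1610 reads only ColumnName, ColumnType, Class and Schema, so these rows do not break it today, but anything that later consumes LogicalType or ListOfValues inherits them. That same tester loads this file with `externaldata` from the master branch at query time, so a bad row here reaches every workspace running the tester the moment it is merged, with no deployment step in between to catch it.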
|
|
|
@ -0,0 +1,63 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"type": "string",
|
||||
"metadata": {
|
||||
"description": "Specifies the Log Analytics Workspace Name."
|
||||
}
|
||||
},
|
||||
"location": {
|
||||
"type": "string",
|
||||
"metadata": {
|
||||
"description": "Specifies the Log Analytics Workspace Location."
|
||||
}
|
||||
}
|
||||
},
|
||||
"variables": {},
|
||||
"resources": [
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedAuthentication",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/ASIM/dev/ASimTestter/ASimDataTester.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedDns",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/ASIM/dev/ASimTestter/ASimSchemaTester.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
],
|
||||
"outputs": {
|
||||
}
|
||||
}
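Review bot: Both `templateLink.uri` values, at L2811 and L2871, point at `ASIM/dev/ASimTestter/…` (double t), whereas the tester's own CSV reference at L1610 and the README deploy buttons at L2946–L2952 use `ASIM/dev/ASimTester/`; a raw.githubusercontent.com path has to match exactly, so both linked deployments will fail to fetch unless a directory with the misspelling really exists. The deployment names are copy-paste leftovers as well: L2799 calls the data-tester deployment `linkedAuthentication` and L2859 calls the schema-tester deployment `linkedDns`, which makes deployment history misleading; `"name": "linkedDataTester"` and `"name": "linkedSchemaTester"` would describe what they deploy. Both links fetch from `master`, so what is deployed is whatever that branch holds at deploy time rather than the reviewed revision — `contentVersion` does not pin content; referencing a tagged release or commit in the URI would make the deployment reproducible.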
|
|
@ -0,0 +1,12 @@
|
|||
# Deploy the ASIM tester
|
||||
|
||||
This templates deploy the ASIM tester. For more information on using the tester refer to the document [Develop an ASIM parser]. To learn more about ASIM, refer to [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM).
|
||||
|
||||
<br>
|
||||
|
||||
| Tool | Azure | Azure Gov |
|
||||
| ---- | ----- | --------- |
|
||||
| All | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FASIM%2Fdev%2FASimTester%2FASimTester.json) | [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FASIM%2Fdev%2FASimTester%2FASimTester.json) |
|
||||
| Schema Tester | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FASIM%2Fdev%2FASimTester%2FASimSchemaTester.json) | [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FASIM%2Fdev%2FASimTester%2FASimSchemaTester.json) |
|
||||
| Data Tester | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FASIM%2Fdev%2FASimTester%2FASimDataTester.json) | [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FASIM%2Fdev%2FASimTester%2FASimDataTester.json) |
|
||||
|
|
@ -23,12 +23,19 @@ alias = parserYaml["ParserName"]
|
|||
query = parserYaml["ParserQuery"]
|
||||
product = parserYaml["Product"]["Name"]
|
||||
schema = parserYaml["Normalization"]["Schema"]
|
||||
params=parserYaml.get('ParserParams')
|
||||
|
||||
data_section=arm_template['resources'][0]['resources'][0]
|
||||
data_section['name'] = alias
|
||||
data_section['properties']['query'] = query
|
||||
data_section['properties']['FunctionAlias'] = alias
|
||||
data_section['properties']['displayName'] = title
|
||||
for param in params:
|
||||
if param['Type']=='string':
|
||||
param['Default'] = f"\'{param['Default']}\'"
|
||||
data_section['properties']['functionParameters'] = \
|
||||
', '.join([f'{param["Name"]}:{param["Type"]}={param["Default"]}' for param in params])
|
||||
|
||||
|
||||
with open(os.path.join(folder, f'{fname}'), 'w') as jf:
|
||||
json.dump(arm_template, jf, indent=2)
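Review bot: `params=parserYaml.get('ParserParams')` at L2969 returns `None` when the YAML has no ParserParams key, and the new `for param in params:` loop at L2989 then raises `TypeError`, so every parser file without parameters now breaks the generator; `params = parserYaml.get('ParserParams') or []`, with `functionParameters` only assigned when `params` is non-empty, keeps the previous behaviour for those files. The quoting at L2995 also rewrites the parsed YAML dict in place and does not escape a `'` inside the default, and non-string defaults are rendered with Python's `str()`, which is consistent with the generated template at L3287 carrying `disabled:bool=False` where KQL's boolean literal is the lowercase `false` — emitting `str(param['Default']).lower()` for `Type == 'bool'` would avoid that. The script continues outside this hunk: `alias` is bound just above it and `title` (used at L2986) is not visible here.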
|
|
@ -8,7 +8,7 @@ requiredDataConnectors:
|
|||
- connectorId: AzureActiveDirectory
|
||||
dataTypes:
|
||||
- SigninLogs
|
||||
queryFrequency: 1d
|
||||
queryFrequency: 1h
|
||||
queryPeriod: 1d
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
|
@ -19,17 +19,29 @@ relevantTechniques:
|
|||
tags:
|
||||
- AADSecOpsGuide
|
||||
query: |
|
||||
let queryfrequency = 1h;
|
||||
let queryperiod = 1d;
|
||||
AuditLogs
|
||||
| where OperationName =~ "Add user"
|
||||
| extend UPN = tostring(TargetResources[0].userPrincipalName)
|
||||
| join kind=inner (AuditLogs
|
||||
| where TimeGenerated > ago(queryfrequency)
|
||||
| where OperationName =~ "Delete user"
|
||||
| extend UPN = tostring(TargetResources[0].userPrincipalName)
|
||||
| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) on UPN
|
||||
| extend timedelta = TimeGenerated1 - TimeGenerated
|
||||
| project-reorder TimeGenerated, TimeGenerated1, timedelta
|
||||
| where timedelta < timespan(24h) and timedelta > timespan(0h)
|
||||
| extend CustomAccountEntity = UPN, IPCustomEntity = IPAddress
|
||||
//extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)
|
||||
| extend UserPrincipalName = extract(@'([a-f0-9]{32})?(.*)', 2, tostring(TargetResources[0].userPrincipalName))
|
||||
| extend DeletedByUser = tostring(InitiatedBy.user.userPrincipalName), DeletedByIPAddress = tostring(InitiatedBy.user.ipAddress)
|
||||
| extend DeletedByApp = tostring(InitiatedBy.app.displayName)
|
||||
| project Deletion_TimeGenerated = TimeGenerated, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, Deletion_AdditionalDetails = AdditionalDetails, Deletion_InitiatedBy = InitiatedBy, Deletion_TargetResources = TargetResources
|
||||
| join kind=inner (
|
||||
AuditLogs
|
||||
| where TimeGenerated > ago(queryperiod)
|
||||
| where OperationName =~ "Add user"
|
||||
| extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)
|
||||
| project-rename Creation_TimeGenerated = TimeGenerated
|
||||
) on UserPrincipalName
|
||||
| extend TimeDelta = Deletion_TimeGenerated - Creation_TimeGenerated
|
||||
| where TimeDelta between (time(0s) .. queryperiod)
|
||||
| extend CreatedByUser = tostring(InitiatedBy.user.userPrincipalName), CreatedByIPAddress = tostring(InitiatedBy.user.ipAddress)
|
||||
| extend CreatedByApp = tostring(InitiatedBy.app.displayName)
|
||||
| project Creation_TimeGenerated, Deletion_TimeGenerated, TimeDelta, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, CreatedByUser, CreatedByIPAddress, CreatedByApp, Creation_AdditionalDetails = AdditionalDetails, Creation_InitiatedBy = InitiatedBy, Creation_TargetResources = TargetResources, Deletion_AdditionalDetails, Deletion_InitiatedBy, Deletion_TargetResources
|
||||
| extend timestamp = Deletion_TimeGenerated, CustomAccountEntity = UserPrincipalName, IPCustomEntity = DeletedByIPAddress
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
|
@ -39,5 +51,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
||||
version: 1.0.1
|
||||
kind: scheduled
|
||||
version: 1.0.2
|
||||
kind: Scheduled
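Review bot: The commented-out `//extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)` at L3096 is dead code shipped inside the rule query and should be removed, and the `extract(@'([a-f0-9]{32})?(.*)', 2, …)` on the following line needs a comment because the pattern is not self-explanatory — something like `// strip the 32-hex object-id prefix Azure AD prepends to a deleted user's UPN` (that is my reading of the pattern; confirm it against a real Delete user record). `let queryperiod = 1d;` duplicates the rule's `queryPeriod: 1d` metadata and is what actually bounds the creation-side lookup (`where TimeGenerated > ago(queryperiod)`) and the `TimeDelta between (time(0s) .. queryperiod)` filter, so the two values must be changed together; a one-line comment beside the `let` saying so would prevent silent drift. Only the deletion IP is mapped to the IP entity (`IPCustomEntity = DeletedByIPAddress`); `CreatedByIPAddress` is in the projected output but has no entity mapping, which matters if analysts need to pivot on who created the account.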
|
||||
|
|
|
@ -0,0 +1,39 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"type": "string"
|
||||
},
|
||||
"location": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"type": "Microsoft.OperationalInsights/workspaces",
|
||||
"apiVersion": "2017-03-15-preview",
|
||||
"name": "[parameters('workspaceName')]",
|
||||
"location": "[parameters('location')]",
|
||||
"resources": [
|
||||
{
|
||||
"type": "savedSearches",
|
||||
"apiVersion": "2020-08-01",
|
||||
"name": "ASimNetworkSessionZscalerZIA",
|
||||
"dependsOn": [
|
||||
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
|
||||
],
|
||||
"properties": {
|
||||
"etag": "*",
|
||||
"displayName": "Network Session ASIM parser for Zscaler ZIA",
|
||||
"category": "Security",
|
||||
"FunctionAlias": "ASimNetworkSessionZscalerZIA",
|
||||
"query": "let ActionLookup = datatable (DvcOriginalAction: string, DvcAction:string) [\n // See https://help.zscaler.com/zia/firewall-insights-logs-filters\n 'Allow','Allow',\n 'Allow due to insufficient app data','Allow',\n 'Block/Drop','Drop',\n 'Block/ICMP','Drop ICMP',\n 'Block/Reset', 'Reset',\n 'IPS Drop', 'Drop',\n 'IPS Reset', 'Reset'\n];\nlet parser=(disabled:bool=false){\nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSFWlog\"\n// Event fields\n| extend \n EventCount=DeviceCustomNumber1, \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA\", \n EventSchema = \"NetworkSession\", \n EventSchemaVersion=\"0.2.1\", \n EventType = 'NetworkSession', \n EventEndTime=TimeGenerated \n| project-rename\n DvcOriginalAction = DeviceAction, \n DvcHostname = Computer, \n EventProductVersion = DeviceVersion, \n NetworkProtocol = Protocol, \n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort, \n DstNatIpAddr = DestinationTranslatedAddress, \n DstNatPortNumber = DestinationTranslatedPort, \n DstBytes = ReceivedBytes, \n DstAppName = DeviceCustomString3, \n NetworkApplicationProtocol = DeviceCustomString2, \n SrcIpAddr = SourceIP, \n SrcPortNumber = SourcePort, \n SrcUsername = SourceUserName,\n SrcNatIpAddr= SourceTranslatedAddress, \n SrcNatPortNumber = SourceTranslatedPort, \n SrcUserDepartment = DeviceCustomString1, // Not in standard schema\n SrcUserLocation = SourceUserPrivileges, // Not in standard schema\n SrcBytes = SentBytes, \n NetworkDuration = DeviceCustomNumber1, \n ThreatName = DeviceCustomString6, \n ThreatCategory = DeviceCustomString5, \n RuleName = Activity \n// -- Calculated fields\n| lookup ActionLookup on DvcOriginalAction \n| extend\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", ThreatCategory),\n SrcUsername = iff (SrcUsername == SrcUserLocation, \"\", SrcUsername)\n// -- Enrichment\n| extend\n EventResult = iff (DvcOriginalAction 
== \"Allow\", \"Success\", \"Failure\"),\n DstAppType = \"Service\", \n SrcUsernameType = \"UPN\" \n// -- Aliases\n| extend\n Dvc = DvcHostname,\n User = SrcUsername,\n IpAddr = SrcIpAddr\n| project-away \n DeviceCustom*\n};\nparser (disabled)",
|
||||
"version": 1,
|
||||
"functionParameters": "disabled:bool=False"
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
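Review bot: `EventResult = iff (DvcOriginalAction == "Allow", "Success", "Failure")` in the query at L3280–L3281 tests the raw vendor string, so `Allow due to insufficient app data` — which the ActionLookup table at the top of the same query maps to `DvcAction` `Allow` — is normalized as a `Failure`; testing the normalized value instead, `EventResult = iff (DvcAction == "Allow", "Success", "Failure")`, keeps the result consistent with the lookup and stops allowed sessions from being counted as blocked in downstream analytics. `"functionParameters": "disabled:bool=False"` at L3287 uses Python's capitalised literal where KQL's boolean literal is the lowercase `false`. The `project-rename` block emits `RuleName = Activity`, a column the NetworkSession schema in this same commit does not define (it has `NetworkRuleName` and `Rule`, L1967 and L1973), and `DeviceCustomNumber1` is assigned to both `EventCount` and `NetworkDuration`, which cannot both be right — confirm against the Zscaler CEF field mapping. The saved search is named `ASimNetworkSessionZscalerZIA` (L3253, L3277) while the README link at L3349 and the linked-deployment URI at L3385 use `ASimNetworkSessionzScalerZIA`; the raw GitHub path must match the file's actual casing, so one spelling should be made canonical.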
|
|
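--- /dev/null
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionzScalerZIA/README.md
@@ -0,0 +1,16 @@
+# Zscaler ZIA ASIM NetworkSession Normalization Parser
+
+This template deploys the ASIM NetworkSession schema parser for Zscaler ZIA.
+
+The Advanced SIEM Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM NetworkSession normalization schema reference](https://aka.ms/ASimNetworkSessionDoc)
+
+<br>
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FASimNetworkSessionzScalerZIA%2FASimNetworkSessionzScalerZIA.json)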
|
|
@ -111,6 +111,26 @@
|
|||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedASimNetworkSessionzScalerZIA",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionzScalerZIA/ASimNetworkSessionzScalerZIA.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
|
@ -138,7 +158,7 @@
|
|||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionEmpty/vimNetworkSessionEmpty.json",
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionEmpty/vimNetworkSessionEmpty.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
|
@ -230,6 +250,26 @@
|
|||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedvimNetworkSessionzScalerZIA",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionzScalerZIA/vimNetworkSessionzScalerZIA.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"workspaceName": {
|
||||
"value": "[parameters('workspaceName')]"
|
||||
},
|
||||
"location": {
|
||||
"value": "[parameters('location')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
],
|
||||
"outputs": {}
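Review bot: Every `templateLink.uri` in the new linked deployments (`linkedASimNetworkSessionzScalerZIA`, `linkedvimNetworkSessionzScalerZIA`) fetches the nested template from the mutable `master` branch of raw.githubusercontent.com at deploy time, so what lands in the workspace is whatever that branch holds when someone deploys, not the content this commit reviewed; `contentVersion` is only compared against the fetched file and does not pin it. This matches the existing links in the file (the `vimNetworkSessionEmpty` one is visible in the same hunk), so it is a repo-wide convention rather than a regression, but pinning to a tag or commit SHA, e.g. `https://raw.githubusercontent.com/Azure/Azure-Sentinel/<sha>/Parsers/...`, would make the deployment reproducible and auditable. Separately, the URIs use the folder spelling `zScalerZIA` while the saved search added in this commit is named `vimNetworkSessionZscalerZIA`; raw.githubusercontent paths are case-sensitive, so confirm the folder names on disk match the URIs before merging.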
|
||||
|
|
|
@ -1,13 +1,14 @@
|
|||
# Source agnostic ASIM Network Sessions Normalization Parser
|
||||
# Source agnostic ASIM NetworkSession Normalization Parser
|
||||
|
||||
This template deploys the ASIM NetworkSession schema parser for Source agnostic. The parser is a part of the Advanced SIEM Information Model.
|
||||
This template deploys the ASIM NetworkSession schema parser for Source agnostic.
|
||||
|
||||
The Advanced SIEM Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
|
||||
|
||||
For more information, see:
|
||||
|
||||
- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
|
||||
- [Microsoft Sentinel NetworkSession normalization schema reference](https://aka.ms/AzSentinelNetworkSessionDoc)
|
||||
- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM)
|
||||
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
|
||||
- [ASIM NetworkSession normalization schema reference](https://aka.ms/ASimNetworkSessionDoc)
|
||||
|
||||
<br>
|
||||
|
||||
|
|
|
@ -28,9 +28,9 @@
|
|||
"displayName": "Source Agnostic Network Session parser",
|
||||
"category": "Security",
|
||||
"FunctionAlias": "imNetworkSession",
|
||||
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ASimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkSessionsGeneric=(starttime:datetime=datetime(null) , endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*', disabled:bool=false)\n{\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , vimNetworkSessionLinuxSysmon (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, eventresult, disabled)\n , vimNetworkSessionMicrosoft365Defender (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, eventresult, disabled)\n , vimNetworkSessionMD4IoT (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, eventresult, disabled)\n , vimNetworkSessionMicrosoftWindowsEventFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, eventresult, disabled)\n};\nNetworkSessionsGeneric(starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, eventresult)",
|
||||
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ASimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkSessionsGeneric=(starttime:datetime=datetime(null) , endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*', disabled:bool=false)\n{\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , vimNetworkSessionLinuxSysmon (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ASimNetworkSessionLinuxSysmon' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoft365Defender (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ASimNetworkSessionMicrosoft365Defender' in (DisabledParsers) ))\n , vimNetworkSessionMD4IoT (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ASimNetworkSessionMD4IoT' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoftWindowsEventFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ASimNetworkSessionMicrosoftWindowsEventFirewall' in 
(DisabledParsers) ))\n};\nNetworkSessionsGeneric(starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, eventresult)",
|
||||
"version": 1,
|
||||
"functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([])"
|
||||
"functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*'"
|
||||
}
|
||||
}
|
||||
]
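Review bot: The `union` in the new `imNetworkSession` query still lists only the Sysmon, M365 Defender, MD4IoT and Windows Firewall parsers, so the `vimNetworkSessionZscalerZIA` parser this commit adds (and that the imNetworkSession YAML lists under `Parsers:` as `_Im_NetworkSession_ZscalerZIA`) is never reached through the source-agnostic function; Zscaler firewall sessions stay invisible to any detection built on `imNetworkSession` when deployed from this ARM template. The missing member must use the Zscaler parser's narrower argument list (it takes no `url_has_any`/`httpuseragent_has_any`): `, vimNetworkSessionZscalerZIA (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ASimNetworkSessionZscalerZIA' in (DisabledParsers)))`. The `disabled:bool=false` parameter declared on `NetworkSessionsGeneric` is now unused by the body and omitted from both the final call and `functionParameters`; either drop it or fold it into the per-parser `ASimBuiltInDisabled or ...` expressions so the dead parameter does not mislead readers.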
|
||||
|
|
|
@ -1,13 +1,14 @@
|
|||
# Microsoft ASIM NetworkSession Normalization Parser
|
||||
|
||||
This template deploys the ASIM NetworkSession schema parser for Microsoft. The parser is a part of the Advanced SIEM Information Model.
|
||||
This template deploys the ASIM NetworkSession schema parser for Microsoft.
|
||||
|
||||
The Advanced SIEM Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
|
||||
|
||||
For more information, see:
|
||||
|
||||
- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
|
||||
- [Microsoft Sentinel NetworkSession normalization schema reference](https://aka.ms/AzSentinelNetworkSessionDoc)
|
||||
- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM)
|
||||
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
|
||||
- [ASIM NetworkSession normalization schema reference](https://aka.ms/ASimNetworkSessionDoc)
|
||||
|
||||
<br>
|
||||
|
||||
|
|
|
@ -1,13 +1,14 @@
|
|||
# M365 Defender ASIM NetworkSessions Normalization Parser
|
||||
# M365 Defender ASIM NetworkSession Normalization Parser
|
||||
|
||||
This template deploys the ASIM NetworkSessions schema parser for M365 Defender. The parser is a part of the Advanced SIEM Information Model.
|
||||
This template deploys the ASIM NetworkSession schema parser for M365 Defender.
|
||||
|
||||
The Advanced SIEM Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
|
||||
|
||||
For more information, see:
|
||||
|
||||
- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
|
||||
- [Microsoft Sentinel NetworkSessions normalization schema reference](https://aka.ms/AzSentinelNetworkSessionDoc)
|
||||
- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM)
|
||||
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
|
||||
- [ASIM NetworkSession normalization schema reference](https://aka.ms/ASimNetworkSessionDoc)
|
||||
|
||||
<br>
|
||||
|
||||
|
|
|
@ -1,14 +1,16 @@
|
|||
# Sysmon for Linux ASIM NetworkSessions Normalization Parser
|
||||
# Sysmon for Linux ASIM NetworkSession Normalization Parser
|
||||
|
||||
This template deploys the ASIM NetworkSessions schema parser for Sysmon for Linux. The parser is a part of the Advanced SIEM Information Model.
|
||||
This template deploys the ASIM NetworkSession schema parser for Sysmon for Linux.
|
||||
|
||||
The Advanced SIEM Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
|
||||
|
||||
For more information, see:
|
||||
|
||||
- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
|
||||
- [Microsoft Sentinel NetworkSessions normalization schema reference](https://aka.ms/AzSentinelNetworkSessionDoc)
|
||||
- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM)
|
||||
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
|
||||
- [ASIM NetworkSession normalization schema reference](https://aka.ms/ASimNetworkSessionDoc)
|
||||
|
||||
<br>
|
||||
|
||||
|
||||
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FvimNetworkSessionMicrosoftLinuxSysmon%2FvimNetworkSessionMicrosoftLinuxSysmon.json)
|
||||
|
|
|
@ -1,13 +1,14 @@
|
|||
# Microsoft Defender for IoT - Endpoint ASIM NetworkSessions Normalization Parser
|
||||
# Microsoft Defender for IoT - Endpoint ASIM NetworkSession Normalization Parser
|
||||
|
||||
This template deploys the ASIM NetworkSessions schema parser for Microsoft Defender for IoT - Endpoint. The parser is a part of the Advanced SIEM Information Model.
|
||||
This template deploys the ASIM NetworkSession schema parser for Microsoft Defender for IoT - Endpoint.
|
||||
|
||||
The Advanced SIEM Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
|
||||
|
||||
For more information, see:
|
||||
|
||||
- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
|
||||
- [Microsoft Sentinel NetworkSessions normalization schema reference](https://aka.ms/AzSentinelNetworkSessionDoc)
|
||||
- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM)
|
||||
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
|
||||
- [ASIM NetworkSession normalization schema reference](https://aka.ms/ASimNetworkSessionDoc)
|
||||
|
||||
<br>
|
||||
|
||||
|
|
|
@ -1,13 +1,14 @@
|
|||
# Windows Events Firewall ASIM NetworkSessions Normalization Parser
|
||||
# WindowsEventFirewall ASIM NetworkSession Normalization Parser
|
||||
|
||||
This template deploys the ASIM NetworkSessions schema parser for Windows Events Firewall. The parser is a part of the Advanced SIEM Information Model.
|
||||
This template deploys the ASIM NetworkSession schema parser for WindowsEventFirewall.
|
||||
|
||||
The Advanced SIEM Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
|
||||
|
||||
For more information, see:
|
||||
|
||||
- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
|
||||
- [Microsoft Sentinel NetworkSessions normalization schema reference](https://aka.ms/AzSentinelNetworkSessionDoc)
|
||||
- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM)
|
||||
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
|
||||
- [ASIM NetworkSession normalization schema reference](https://aka.ms/ASimNetworkSessionDoc)
|
||||
|
||||
<br>
|
||||
|
||||
|
|
|
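--- /dev/null
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionzScalerZIA/README.md
@@ -0,0 +1,16 @@
+# Zscaler ZIA ASIM NetworkSession Normalization Parser
+
+This template deploys the ASIM NetworkSession schema parser for Zscaler ZIA.
+
+The Advanced SIEM Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM NetworkSession normalization schema reference](https://aka.ms/ASimNetworkSessionDoc)
+
+<br>
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FvimNetworkSessionzScalerZIA%2FvimNetworkSessionzScalerZIA.json)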
|
|
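--- /dev/null
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionzScalerZIA/vimNetworkSessionzScalerZIA.json
@@ -0,0 +1,39 @@
+{
+"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"workspaceName": {
+"type": "string"
+},
+"location": {
+"type": "string"
+}
+},
+"resources": [
+{
+"type": "Microsoft.OperationalInsights/workspaces",
+"apiVersion": "2017-03-15-preview",
+"name": "[parameters('workspaceName')]",
+"location": "[parameters('location')]",
+"resources": [
+{
+"type": "savedSearches",
+"apiVersion": "2020-08-01",
+"name": "vimNetworkSessionZscalerZIA",
+"dependsOn": [
+"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
+],
+"properties": {
+"etag": "*",
+"displayName": "Network Session ASIM filtering parser for Zscaler ZIA",
+"category": "Security",
+"FunctionAlias": "vimNetworkSessionZscalerZIA",
+"query": "let ActionLookup = datatable (DvcOriginalAction: string, DvcAction:string) [\n // See https://help.zscaler.com/zia/firewall-insights-logs-filters\n 'Allow','Allow',\n 'Allow due to insufficient app data','Allow',\n 'Block/Drop','Drop',\n 'Block/ICMP','Drop ICMP',\n 'Block/Reset', 'Reset',\n 'IPS Drop', 'Drop',\n 'IPS Reset', 'Reset'\n];\nlet parser= \n (starttime:datetime=datetime(null)\n , endtime:datetime=datetime(null)\n , srcipaddr_has_any_prefix:dynamic=dynamic([])\n , dstipaddr_has_any_prefix:dynamic=dynamic([])\n , dstportnumber:int=int(null)\n , hostname_has_any:dynamic=dynamic([])\n , dvcaction:dynamic=dynamic([])\n , eventresult:string='*'\n , disabled:bool=false) {\nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSFWlog\"\n// -- Pre-filtering\n|where\n (array_length(hostname_has_any) == 0) // No host name information, so always filter out if hostname filter used. \n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (isnull(dstportnumber) or dstportnumber == DestinationPort) \n and (array_length(srcipaddr_has_any_prefix)==0 or has_any_ipv4_prefix(SourceIP ,srcipaddr_has_any_prefix)) \n and (array_length(dstipaddr_has_any_prefix)==0 or has_any_ipv4_prefix(DestinationIP ,dstipaddr_has_any_prefix))\n| project-rename DvcOriginalAction = DeviceAction\n| lookup ActionLookup on DvcOriginalAction \n| where array_length(dvcaction) == 0 or DvcAction in (dvcaction)\n| extend EventResult = iff (DvcOriginalAction == \"Allow\", \"Success\", \"Failure\") \n| where (eventresult=='*' or EventResult == eventresult)\n// -- Event fields\n| extend \n EventCount=DeviceCustomNumber1, \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA\", \n EventSchema = \"NetworkSession\", \n EventSchemaVersion=\"0.2.1\", \n EventType = 'NetworkSession', \n EventEndTime=TimeGenerated \n| project-rename\n DvcHostname = Computer, \n EventProductVersion = DeviceVersion, \n NetworkProtocol = Protocol, \n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort, \n DstNatIpAddr = DestinationTranslatedAddress, \n DstNatPortNumber = DestinationTranslatedPort, \n DstBytes = ReceivedBytes, \n DstAppName = DeviceCustomString3, \n NetworkApplicationProtocol = DeviceCustomString2, \n SrcIpAddr = SourceIP, \n SrcPortNumber = SourcePort, \n SrcUsername = SourceUserName,\n SrcNatIpAddr= SourceTranslatedAddress, \n SrcNatPortNumber = SourceTranslatedPort, \n SrcUserDepartment = DeviceCustomString1, // Not in standard schema\n SrcUserLocation = SourceUserPrivileges, // Not in standard schema\n SrcBytes = SentBytes, \n NetworkDuration = DeviceCustomNumber1, \n ThreatName = DeviceCustomString6, \n ThreatCategory = DeviceCustomString5, \n RuleName = Activity \n// -- Calculated fields\n| extend\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", ThreatCategory),\n SrcUsername = iff (SrcUsername == SrcUserLocation, \"\", SrcUsername)\n// -- Enrichment\n| extend\n DstAppType = \"Service\", \n SrcUsernameType = \"UPN\" \n// -- Aliases\n| extend\n Dvc = DvcHostname,\n User = SrcUsername,\n IpAddr = SrcIpAddr\n| project-away \n DeviceCustom*\n};\nparser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)",
+"version": 1,
+"functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*', disabled:bool=False"
+}
+}
+]
+}
+]
+}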
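Review bot: `EventResult` in the new filtering query is derived from `DvcOriginalAction == "Allow"` after `ActionLookup` has already normalized `'Allow due to insufficient app data'` to `DvcAction` `Allow`, so those sessions come out with `DvcAction == "Allow"` but `EventResult == "Failure"`, and the `eventresult` pre-filter then drops them from any `eventresult='Success'` query while a `dvcaction=['Allow']` query keeps them. Deriving the result from the normalized action, `| extend EventResult = iff (DvcAction == "Allow", "Success", "Failure")`, keeps the two fields consistent (unmapped original actions still yield `Failure`, as today). Two mappings also deserve a check against the connector's CEF field list: `EventCount` and `NetworkDuration` are both taken from `DeviceCustomNumber1`, so one of them is presumably wrong, and the `ThreatCategory` blanking tests `DeviceCustomString4` while `ThreatCategory` itself is renamed from `DeviceCustomString5`. Note too that `has_any_ipv4_prefix` never matches IPv6 addresses, so if ZIA emits any IPv6 sessions they silently disappear whenever a prefix filter is supplied; a comment to that effect next to the pre-filter would save the next analyst a puzzle.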
|
|
@ -15,6 +15,15 @@ References:
|
|||
Description: |
|
||||
ASIM Source Agnostic NetworkSession Parser
|
||||
ParserName: ASimNetworkSession
|
||||
EquivalentBuiltInParser: _ASim_NetworkSession
|
||||
Parsers:
|
||||
- _Im_NetworkSession_Empty
|
||||
- _ASim_NetworSession_Microsoft365Defender
|
||||
- _ASim_NetworkSession_LinuxSysmon
|
||||
- _ASim_NetworkSession_MD4IoT
|
||||
- _ASim_NetworkSession_MicrosoftWindowsEventFirewall
|
||||
- _ASim_NetworkSession_ZscalerZIA
|
||||
|
||||
ParserQuery: |
|
||||
let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);
|
||||
let ASimBuiltInDisabled=toscalar('ASimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers));
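Review bot: The `Parsers:` list added here spells the Defender entry `_ASim_NetworSession_Microsoft365Defender` (missing the `k`), and the same spelling appears as `EquivalentBuiltInParser` in that parser's YAML; if the built-in function is actually `_ASim_NetworkSession_Microsoft365Defender`, both references point at a function that does not exist, so confirm the name in a workspace before it is copied further. The `DisabledParsers` expression also differs from its `imNetworkSession` twin, which appends `| where isnotempty(SourceSpecificParser)`; harmless here because an empty string never matches a parser name, but keeping the two lines identical avoids them drifting apart. `ParserQuery` continues outside the hunk.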
|
||||
|
|
|
@ -15,6 +15,7 @@ References:
|
|||
Description: |
|
||||
This Query Parser maps M365 Defender network events to the Advanced SIEM Information Model Network Session schema.
|
||||
ParserName: ASimNetworkSessionMicrosoft365Defender
|
||||
EquivalentBuiltInParser: _ASim_NetworSession_Microsoft365Defender
|
||||
ParserParams:
|
||||
- Name: disabled
|
||||
Type: bool
|
||||
|
|
|
@ -15,6 +15,7 @@ References:
|
|||
Description: |
|
||||
ASIM Sysmon for Linux Network Session Parser
|
||||
ParserName: ASimNetworkSessionLinuxSysmon
|
||||
EquivalentBuiltInParser: _ASim_NetworkSession_LinuxSysmon
|
||||
ParserParams:
|
||||
- Name: disabled
|
||||
Type: bool
|
||||
|
|
|
@ -15,6 +15,7 @@ References:
|
|||
Description: |
|
||||
ASIM Azure Defender for IoT Network Sessions Parser.
|
||||
ParserName: ASimNetworkSessionMD4IoT
|
||||
EquivalentBuiltInParser: _ASim_NetworkSession_MD4IoT
|
||||
ParserParams:
|
||||
- Name: disabled
|
||||
Type: bool
|
||||
|
|
|
@ -16,6 +16,7 @@ Description: |
|
|||
This Query Parser maps Microsoft Windows Firewall Events (WindowsEvent and SecurityEvent tables) to the Advanced SIEM Information Model Network Session schema.
|
||||
Event IDs which are parsed as part of this parser: 5150, 5151, 5152, 5153, 5154, 5155, 5156, 5167, 5158, 5159
|
||||
ParserName: ASimNetworkSessionMicrosoftWindowsEventFirewall
|
||||
EquivalentBuiltInParser: _ASim_NetworkSession_MicrosoftWindowsEventFirewall
|
||||
ParserParams:
|
||||
- Name: disabled
|
||||
Type: bool
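Review bot: The event-ID list in the Description reads `5150, 5151, 5152, 5153, 5154, 5155, 5156, 5167, 5158, 5159`; `5167` breaks the run and is presumably a typo for `5157`, the WFP blocked-connection event that analysts most often look for in this parser. Suggest `Event IDs which are parsed as part of this parser: 5150, 5151, 5152, 5153, 5154, 5155, 5156, 5157, 5158, 5159`, after confirming against the `EventID in (...)` filter in the query, which lies outside this hunk.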
|
||||
|
|
|
@ -19,6 +19,7 @@ References:
|
|||
Description: |
|
||||
This ASIM parser supports normalizing Zscaler ZIA proxy logs produced by the Microsoft Sentinel Zscaler connector to the ASIM Network Session normalized schema. The parser supports squid native log format.
|
||||
ParserName: ASimNetworkSessionZscalerZIA
|
||||
EquivalentBuiltInParser: _ASim_NetworkSession_ZscalerZIA
|
||||
ParserParams:
|
||||
- Name: disabled
|
||||
Type: bool
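Review bot: The Description says this parser normalizes `Zscaler ZIA proxy logs` and `supports squid native log format`, but the deployed query for `ASimNetworkSessionZscalerZIA` selects `CommonSecurityLog` rows with `DeviceVendor == "Zscaler"` and `DeviceProduct == "NSSFWlog"`, i.e. ZIA firewall (NSS) logs delivered as CEF; the proxy/squid wording looks carried over from the WebSession parser and will send analysts to the wrong connector. Suggest `This ASIM parser supports normalizing Zscaler ZIA firewall logs (NSS feed, DeviceProduct NSSFWlog) ingested through the Microsoft Sentinel Zscaler connector into CommonSecurityLog to the ASIM NetworkSession normalized schema.`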
|
||||
|
|
|
@ -15,6 +15,14 @@ References:
|
|||
Description: |
|
||||
ASIM Source Agnostic NetworkSession Parser
|
||||
ParserName: imNetworkSession
|
||||
EquivalentBuiltInParser: _Im_NetworkSession
|
||||
Parsers:
|
||||
- _Im_NetworkSession_Empty
|
||||
- _Im_NetworkSession_Microsoft365Defender
|
||||
- _Im_NetworkSession_LinuxSysmon
|
||||
- _Im_NetworkSession_MD4IoT
|
||||
- _Im_NetworkSession_MicrosoftWindowsEventFirewall
|
||||
- _Im_NetworkSession_ZscalerZIA
|
||||
ParserParams:
|
||||
- Name: starttime
|
||||
Type: datetime
|
||||
|
@ -45,7 +53,7 @@ ParserParams:
|
|||
Default: dynamic([])
|
||||
- Name: eventresult
|
||||
Type: string
|
||||
Default: "'*'"
|
||||
Default: '*'
|
||||
|
||||
ParserQuery: |
|
||||
let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));
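Review bot: `Parsers:` now lists `_Im_NetworkSession_ZscalerZIA`, but the `ParserQuery` union that must actually call it continues outside the hunk, and the Zscaler filtering parser takes a narrower argument list than its siblings (no `url_has_any`/`httpuseragent_has_any`, per its ARM `functionParameters`), so a member line copied from the Sysmon or Defender entries would bind `eventresult` to the wrong position. Confirm the union entry reads `vimNetworkSessionZscalerZIA (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ...)` and that the ARM rendering of `imNetworkSession` in this same commit is regenerated to include it, since as committed it does not.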
|
||||
|
|
|
@ -15,6 +15,8 @@ References:
|
|||
Description: |
|
||||
The purpose of this function is to generate and guarantee the schema columns
|
||||
ParserName: vimNetworkSessionEmpty
|
||||
EquivalentBuiltInParser: _Im_NetworkSession_Empty
|
||||
|
||||
ParserQuery: |
|
||||
let parser=datatable(
|
||||
TimeGenerated:datetime
|
||||
|
|
|
@ -15,6 +15,7 @@ References:
|
|||
Description: |
|
||||
This Query Parser maps M365 Defender network events to the Advanced SIEM Information Model Network Session schema.
|
||||
ParserName: vimNetworkSessionMicrosoft365Defender
|
||||
EquivalentBuiltInParser: _Im_NetworkSession_Microsoft365Defender
|
||||
ParserParams:
|
||||
- Name: starttime
|
||||
Type: datetime
|
||||
|
@ -45,7 +46,7 @@ ParserParams:
|
|||
Default: dynamic([])
|
||||
- Name: eventresult
|
||||
Type: string
|
||||
Default: "'*'"
|
||||
Default: '*'
|
||||
- Name: disabled
|
||||
Type: bool
|
||||
Default: false
|
||||
|
@ -250,4 +251,4 @@ ParserQuery: |
|
|||
Src = SrcIpAddr,
|
||||
Dst = DstIpAddr
|
||||
};
|
||||
M365Defender(starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, disabled)
|
||||
M365Defender(starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, eventresult, disabled)
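Review bot: The final call now passes `eventresult` between `dvcaction` and `disabled`, but the `M365Defender` function it invokes is defined outside the hunk; if its parameter list was not extended in the same position, the string `eventresult` lands in the `disabled:bool` slot and the function fails at deploy time. Worth a quick check that the signature ends `..., dvcaction:dynamic=dynamic([]), eventresult:string='*', disabled:bool=false)` and that the body actually applies `| where (eventresult=='*' or EventResult == eventresult)` rather than merely accepting the parameter.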
|
|
@ -15,6 +15,7 @@ References:
|
|||
Description: |
|
||||
ASIM Sysmon for Linux Network Session Parser
|
||||
ParserName: vimNetworkSessionLinuxSysmon
|
||||
EquivalentBuiltInParser: _Im_NetworkSession_LinuxSysmon
|
||||
ParserParams:
|
||||
- Name: starttime
|
||||
Type: datetime
|
||||
|
@ -45,7 +46,7 @@ ParserParams:
|
|||
Default: dynamic([])
|
||||
- Name: eventresult
|
||||
Type: string
|
||||
Default: "'*'"
|
||||
Default: '*'
|
||||
- Name: disabled
|
||||
Type: bool
|
||||
Default: false
|
||||
|
|
|
@ -15,6 +15,7 @@ References:
|
|||
Description: |
|
||||
ASIM Azure Defender for IoT Network Sessions Parser.
|
||||
ParserName: vimNetworkSessionMD4IoT
|
||||
EquivalentBuiltInParser: _Im_NetworkSession_MD4IoT
|
||||
ParserParams:
|
||||
- Name: starttime
|
||||
Type: datetime
|
||||
|
@ -45,7 +46,7 @@ ParserParams:
|
|||
Default: dynamic([])
|
||||
- Name: eventresult
|
||||
Type: string
|
||||
Default: "'*'"
|
||||
Default: '*'
|
||||
- Name: disabled
|
||||
Type: bool
|
||||
Default: false
|
||||
|
|
|
@ -16,6 +16,7 @@ Description: |
|
|||
This Query Parser maps Microsoft Windows Firewall Events (WindowsEvent and SecurityEvent tables) to the Advanced SIEM Information Model Network Session schema.
|
||||
Event IDs which are parsed as part of this parser: 5150, 5151, 5152, 5153, 5154, 5155, 5156, 5167, 5158, 5159
|
||||
ParserName: vimNetworkSessionMicrosoftWindowsEventFirewall
|
||||
EquivalentBuiltInParser: _Im_NetworkSession_MicrosoftWindowsEventFirewall
|
||||
ParserParams:
|
||||
- Name: starttime
|
||||
Type: datetime
|
||||
|
@ -46,7 +47,7 @@ ParserParams:
|
|||
Default: dynamic([])
|
||||
- Name: eventresult
|
||||
Type: string
|
||||
Default: "'*'"
|
||||
Default: '*'
|
||||
- Name: disabled
|
||||
Type: bool
|
||||
Default: false
|
||||
|
@ -297,8 +298,8 @@ ParserQuery: |
|
|||
};
|
||||
// Main query -> outputs both schemas as one normalized table
|
||||
union isfuzzy=true
|
||||
WindowsFirewall_SecurityEvent (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, disabled)
|
||||
, WindowsFirewall_WindowsEvent (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, disabled)
|
||||
WindowsFirewall_SecurityEvent (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, eventresult, disabled)
|
||||
, WindowsFirewall_WindowsEvent (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, eventresult, disabled)
|
||||
| extend
|
||||
DvcAction = iff(EventID in (5154, 5156, 5158), "Allow", "Deny"),
|
||||
DvcOs = 'Windows',
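Review bot: Both `WindowsFirewall_SecurityEvent` and `WindowsFirewall_WindowsEvent` now receive `eventresult`, yet `DvcAction` is only computed after the union (`DvcAction = iff(EventID in (5154, 5156, 5158), "Allow", "Deny")`); if the inner functions derive `EventResult` from the action, their `eventresult` filter runs before that value exists, so confirm where `EventResult` is set (the inner definitions start outside the hunk) and that the filter sees a populated column. The Description's event-ID list also contains `5167`, which breaks the `5150`–`5159` run and is presumably a typo for `5157`, the WFP blocked-connection event that this `iff` maps to `Deny`; suggest correcting it to `5157` once verified against the `EventID` filter.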
|
||||
|
|
|
@ -19,6 +19,7 @@ References:
|
|||
Description: |
|
||||
This ASIM parser supports filtering and normalizing Zscaler ZIA proxy logs produced by the Microsoft Sentinel Zscaler connector to the ASIM Network Session normalized schema. The parser supports squid native log format.
|
||||
ParserName: vimNetworkSessionZscalerZIA
|
||||
EquivalentBuiltInParser: _Im_NetworkSession_ZscalerZIA
|
||||
ParserParams:
|
||||
- Name: starttime
|
||||
Type: datetime
|
||||
|
@ -43,7 +44,7 @@ ParserParams:
|
|||
Default: dynamic([])
|
||||
- Name: eventresult
|
||||
Type: string
|
||||
Default: "'*'"
|
||||
Default: '*'
|
||||
- Name: disabled
|
||||
Type: bool
|
||||
Default: false
|
||||
|
@ -133,4 +134,4 @@ ParserQuery: |
|
|||
| project-away
|
||||
DeviceCustom*
|
||||
};
|
||||
parser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, disabled)
|
||||
parser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)
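Review bot: The Description still calls this a parser for `Zscaler ZIA proxy logs` in `squid native log format`, while the filtering query (deployed in the ARM copy of this file) selects `CommonSecurityLog` with `DeviceProduct == "NSSFWlog"`, i.e. ZIA firewall logs delivered as CEF; the wording appears to be inherited from the WebSession parser. Suggest `This ASIM parser supports filtering and normalizing Zscaler ZIA firewall logs (NSS feed, DeviceProduct NSSFWlog) ingested through the Microsoft Sentinel Zscaler connector into CommonSecurityLog to the ASIM NetworkSession normalized schema.` The `parser` definition whose tail and call are shown here begins outside the hunk.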
|
|
@ -30,7 +30,7 @@
|
|||
"FunctionAlias": "ASimWebSession",
|
||||
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'vimWebSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet vimBuiltInDisabled=toscalar('vimWebSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]),\n url_has_any:dynamic=dynamic([]), \n httpuseragent_has_any:dynamic=dynamic([]), \n eventresultdetails_in:dynamic=dynamic([]),\n eventresult:string='*')\n{\nunion isfuzzy=true\n vimWebSessionEmpty,\n vimWebSessionSquidProxy (starttime, endtime, srcipaddr_has_any_prefix, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult, vimBuiltInDisabled or ('vimWebSessionSquidProxy' in (DisabledParsers))),\n vimWebSessionZscalerZIA (starttime, endtime, srcipaddr_has_any_prefix, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult, vimBuiltInDisabled or ('vimWebSessionZscalerZIA' in (DisabledParsers)))\n};\nparser (starttime, endtime, srcipaddr_has_any, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult)\n",
|
||||
"version": 1,
|
||||
"functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), eventresultdetails_in:dynamic=dynamic([]), eventresult:string='*', eventresultdetils_has_any:dyanmic=dynamic([]), disabled:bool=False"
|
||||
"functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), eventresultdetails_in:dynamic=dynamic([]), eventresult:string='*', eventresultdetails_has_any:dynamic=dynamic([]), disabled:bool=False"
|
||||
}
|
||||
}
|
||||
]
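Review bot: The new `functionParameters` string declares `eventresultdetails_has_any` and `disabled`, but the `parser` lambda inside `query` declares neither and the closing call passes neither, so the two declarations have already drifted apart; the same mismatch is in the vimWebSessionSquidProxy and vimWebSessionZscalerZIA function JSONs in this commit. The closing call in `query` also passes `srcipaddr_has_any`, which is not a declared parameter (the lambda and `functionParameters` both use `srcipaddr_has_any_prefix`), so that name will presumably fail to resolve when the function is saved; suggest `parser (starttime, endtime, srcipaddr_has_any_prefix, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult)`. The bool default is written `False`; the documented KQL literal is lower-case `false`, so it is worth confirming the deployment tooling accepts the capitalised form.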
|
||||
|
|
|
@ -30,7 +30,7 @@
|
|||
"FunctionAlias": "vimWebSessionSquidProxy",
|
||||
"query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n url_has_any:dynamic=dynamic([]),\n httpuseragent_has_any:dynamic=dynamic([]),\n eventresultdetails_in:dynamic=dynamic([]),\n eventresult:string='*',\n disabled:bool=false\n ){\nSquidProxy_CL | where not(disabled)\n // -- Pre filtering\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and ((array_length(url_has_any) == 0) or (RawData has_any (url_has_any)))\n and ((array_length(httpuseragent_has_any) == 0) or (RawData has_any (httpuseragent_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(RawData, srcipaddr_has_any_prefix))\n and ((array_length(eventresultdetails_in) == 0) or (RawData has_any (eventresultdetails_in)))\n // -- Parse\n | extend AccessRawLog = extract_all(@\"^(\\d+\\.\\d+)\\s+(\\d+)\\s(\\S+)\\s([A-Z_]+)\\/(\\d+)\\s(\\d+)\\s([A-Z]+)\\s(\\S+)\\s(\\S+)\\s([A-Z_]+)\\/(\\S+)\\s(\\S+)\",dynamic([1,2,3,4,5,6,7,8,9,10,11,12]),RawData)[0]\n // -- Post filtering\n | extend EventResultDetails = toint(AccessRawLog[4])\n | where array_length(eventresultdetails_in) == 0 or eventresult in (eventresultdetails_in)\n | extend EventOriginalResultDetails = strcat (tostring(AccessRawLog[3]), \";\", PeerStatus = tostring(AccessRawLog[9]))\n | extend EventResult = iff (EventResultOriginalDetails has_any ('DENIED', 'INVALID', 'FAIL', 'ABORTED','TIMEOUT') or EventResultDetails >= 400, \"Failure\", \"Success\")\n | where eventresult == \"*\" or eventresult == EventResultDetails\n // -- Map\n | extend\n EventEndTime = unixtime_milliseconds_todatetime(todouble(tostring(AccessRawLog[0]))*1000), \n NetworkDuration = toint(AccessRawLog[1]), \n SrcIpAddr = tostring(AccessRawLog[2]), \n DstBytes = toint(AccessRawLog[5]), \n HttpRequestMethod = tostring(AccessRawLog[6]), \n Url = tostring(AccessRawLog[7]), \n SrcUsername = 
tostring(AccessRawLog[8]), \n DstIpAddr = tostring(AccessRawLog[10]), \n HttpContentType = tostring(AccessRawLog[11]) \n // -- Constant fields\n | extend \n EventCount = int(1), \n EventProduct = 'Squid Proxy', \n EventVendor = 'Apache', \n EventSchema = 'WebSession', \n EventSchemaVersion = '0.1.0', \n EventType = 'HTTPsession' \n // -- Value normalization\n | extend\n UsernameType = \"Unknown\",\n SrcUsername = iff (SrcUsername == \"-\", \"\", SrcUsername), \n HttpContentType = iff (HttpContentType in (\":\", \"-\"), \"\", HttpContentType), \n EventResult = iff (EventResultOriginalDetails has_any ('DENIED', 'INVALID', 'FAIL', 'ABORTED','TIMEOUT') or EventResultDetails >= 400, \"Failure\", \"Success\")\n // -- aliases\n | extend \n EventStartTime = EventEndTime,\n Duration = NetworkDuration,\n HttpStatusCode = EventResultDetails,\n User = SrcUsername,\n IpAddr = SrcIpAddr\n | project-away AccessRawLog, RawData\n};\nparser (starttime, endtime, srcipaddr_has_any_prefix, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult, disabled)",
|
||||
"version": 1,
|
||||
"functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), eventresultdetails_in:dynamic=dynamic([]), eventresult:string='*', eventresultdetils_has_any:dyanmic=dynamic([]), disabled:bool=False"
|
||||
"functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), eventresultdetails_in:dynamic=dynamic([]), eventresult:string='*', eventresultdetails_has_any:dynamic=dynamic([]), disabled:bool=False"
|
||||
}
|
||||
}
|
||||
]
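Review bot: The `query` creates `EventOriginalResultDetails` in the post-filtering `extend`, but both `EventResult` computations read `EventResultOriginalDetails`, a column that is never defined, so the function body will not compile as saved; pick one name and use it in all three places. The post-filter `| where array_length(eventresultdetails_in) == 0 or eventresult in (eventresultdetails_in)` tests the `eventresult` parameter instead of `EventResultDetails`, and `| where eventresult == "*" or eventresult == EventResultDetails` compares the parameter with the numeric status code rather than with `EventResult`, so neither filter narrows the data as intended; suggest `| where array_length(eventresultdetails_in) == 0 or EventResultDetails in (eventresultdetails_in)` and `| where eventresult == '*' or EventResult == eventresult` placed after `EventResult` is computed. The `strcat (..., PeerStatus = tostring(AccessRawLog[9]))` argument also looks like a stray named assignment inside a function call and should be checked.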
|
||||
|
|
|
@ -30,7 +30,7 @@
|
|||
"FunctionAlias": "vimWebSessionZscalerZIA",
|
||||
"query": "let remove_protocol_from_list = (list:dynamic) \n{\n print list \n | mv-apply l = print_0 to typeof(string) on\n ( extend l = replace_regex (tostring(l), \"^(?i:.*?)://\", \"\") ) \n | project l\n};\nlet parser = (\nstarttime:datetime=datetime(null), \nendtime:datetime=datetime(null),\nsrcipaddr_has_any_prefix:dynamic=dynamic([]), \nurl_has_any:dynamic=dynamic([]),\nhttpuseragent_has_any:dynamic=dynamic([]),\neventresultdetails_in:dynamic=dynamic([]),\neventresult:string='*',\ndisabled:bool=false\n){\nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSWeblog\"\n // -- Pre filtering\n| where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and ((array_length(httpuseragent_has_any) == 0) or (RequestClientApplication has_any (httpuseragent_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SourceIP, srcipaddr_has_any_prefix))\n and ((array_length(eventresultdetails_in) == 0) or (AdditionalExtensions has_any (eventresultdetails_in)))\n and ((array_length(url_has_any) == 0) or (RequestURL has_any (remove_protocol_from_list(url_has_any))))\n// -- Parse\n| parse AdditionalExtensions with \n \"reason=\" EventResultOriginalDetails:string \";\"\n \"outcome=\" EventResultDetails:string \";\"\n \"cat=\" * \";\"\n \"rulelabel=\" RuleName:string \";\"\n \"ruletype=\" ruletype:string \";\"\n \"urlclass=\" urlclass:string \";\"\n \"devicemodel=\" * \n// -- Post filtering\n| where\n ((array_length(eventresultdetails_in) == 0) or (EventResultDetails in (eventresultdetails_in)))\n// -- Event fields\n| extend \n EventCount=int(1), \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA\", \n EventSchema = \"WebSession\", \n EventSchemaVersion=\"0.1.0\", \n EventType = 'HTTPsession',\n EventEndTime=TimeGenerated\n// -- Field mapping\n| project-rename\n DvcAction = DeviceAction,\n DvcHostname = 
Computer,\n EventProductVersion = DeviceVersion,\n NetworkApplicationProtocol = ApplicationProtocol,\n HttpContentType = FileType,\n HttpUserAgent = RequestClientApplication,\n HttpRequestMethod = RequestMethod,\n DstAppName = DestinationServiceName,\n DstIpAddr = DestinationIP,\n DstFQDN = DestinationHostName,\n DstBytes = ReceivedBytes,\n SrcIpAddr = SourceIP,\n SrcUsername = SourceUserName,\n SrcNatIpAddr= SourceTranslatedAddress,\n SrcUserDepartment = SourceUserPrivileges, // Not part of the standard schema\n SrcBytes = SentBytes,\n ThreatRiskLevel = DeviceCustomNumber1,\n UrlCategory = DeviceCustomString2,\n ThreatName = DeviceCustomString5,\n FileMD5 = DeviceCustomString6\n// -- Calculated fields\n| extend\n Url = iff (RequestURL == \"\", \"\", strcat (tolower(NetworkApplicationProtocol), \"://\", url_decode(RequestURL))),\n UrlCategory = strcat (urlclass, \"/\", UrlCategory),\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", strcat (DeviceCustomString3, \"/\", DeviceCustomString4)),\n RuleName = iff (RuleName == \"None\", \"\", strcat (ruletype, \"/\", RuleName)),\n FileMD5 = iff (FileMD5 == \"None\", \"\", FileMD5),\n HttpReferrer = iff (RequestContext == \"None\", \"\", url_decode(RequestContext)),\n DstAppName = iff (DstAppName == \"General Browsing\", \"\", DstAppName),\n DstFQDNparts = split (DstFQDN, \".\")\n| extend\n DstHostname = DstFQDNparts[0],\n DstDomain = strcat_array(array_slice(DstFQDNparts,1,-1),\".\")\n// -- Enrichment\n| extend\n EventResult = iff (EventResultDetails == \"NA\" or toint(EventResultDetails) >= 400, \"Failure\", \"Success\"),\n DstAppType = \"SaaS application\",\n DstFQDN = \"FQDN\",\n SrcUsernameType = \"UPN\"\n// -- Aliases\n| extend\n Dvc = DvcHostname,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n HttpStatusCode = EventResultDetails,\n IpAddr = SrcNatIpAddr,\n Hash = FileMD5,\n FileHashType = iff(FileMD5 == \"\", \"\", \"MD5\")\n| project-away \n DstFQDNparts, AdditionalExtensions, 
DeviceCustom*\n};\nparser (starttime, endtime, srcipaddr_has_any_prefix, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult, disabled)",
|
||||
"version": 1,
|
||||
"functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), eventresultdetails_in:dynamic=dynamic([]), eventresult:string='*', eventresultdetils_has_any:dyanmic=dynamic([]), disabled:bool=False"
|
||||
"functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), eventresultdetails_in:dynamic=dynamic([]), eventresult:string='*', eventresultdetails_has_any:dynamic=dynamic([]), disabled:bool=False"
|
||||
}
|
||||
}
|
||||
]
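Review bot: In the `-- Enrichment` extend, `DstFQDN = "FQDN"` overwrites the destination host name that `project-rename` mapped from `DestinationHostName` with the literal string `FQDN`; presumably a type field such as `DstDomainType = "FQDN"` was meant, so the real FQDN is currently lost from the output. The `eventresult` parameter is declared but never applied — the post-filter only checks `eventresultdetails_in` — so a caller passing `eventresult='Failure'` still receives every session. Suggest adding `| where eventresult == '*' or EventResult == eventresult` after `EventResult` is computed in the enrichment step.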
|
||||
|
|
|
@ -14,7 +14,8 @@ References:
|
|||
Link: https://aka.ms/AboutASIM
|
||||
Description: |
|
||||
This ASIM parser supports normalizing Web Session logs from all supported sources to the ASIM DNS activity normalized schema.
|
||||
ParserName: ASimWebSessions
|
||||
ParserName: ASimWebSession
|
||||
EquivalentBuiltInParser: _ASim_WebSession
|
||||
ParserQuery: |
|
||||
let DisabledParsers=materialize(_GetWatchlist('ASimWebParsers') | where SearchKey in ('Any', 'ASimWebSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));
|
||||
let ASimBuiltInDisabled=toscalar('ASimWebSession' in (DisabledParsers) or 'Any' in (DisabledParsers));
|
||||
|
@ -27,6 +28,6 @@ ParserQuery: |
|
|||
parser
|
||||
|
||||
Parsers:
|
||||
- vimWebSessionEmpty
|
||||
- ASimWebSessionSquidProxy
|
||||
- ASimWebSessionZscalerZIA
|
||||
- _Im_WebSession_Empty
|
||||
- _ASim_WebSession_SquidProxy
|
||||
- _ASim_WebSession_ZscalerZIA
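Review bot: The Description states the parser normalizes Web Session logs "to the ASIM DNS activity normalized schema", which is left over from the DNS parser; the vimWebSession description in this commit has the same sentence. Suggest `This ASIM parser supports normalizing Web Session logs from all supported sources to the ASIM Web Session normalized schema.` The `ParserQuery` reads the watchlist `'ASimWebParsers'`, while the ASimWebSession function JSON in this commit reads `'ASimDisabledParsers'`; if the deployed function is generated from this YAML, the two entry points consult different disable lists, so one of them should be corrected.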
|
|
@ -19,6 +19,7 @@ References:
|
|||
Description: |
|
||||
This ASIM parser supports normalizing Squid Proxy logs produced by the Microsoft Sentinel Squid Connector to the ASIM Web Session normalized schema. The parser supports squid native log format.
|
||||
ParserName: ASimWebSessionSquidProxy
|
||||
EquivalentBuiltInParser: _ASim_WebSession_SquidProxy
|
||||
ParserParams:
|
||||
- Name: disabled
|
||||
Type: bool
|
||||
|
|
|
@ -19,6 +19,7 @@ References:
|
|||
Description: |
|
||||
This ASIM parser supports normalizing Zscaler ZIA proxy logs produced by the Microsoft Sentinel Zscaler connector to the ASIM Web Session normalized schema. The parser supports squid native log format.
|
||||
ParserName: ASimWebSessionZscalerZIA
|
||||
EquivalentBuiltInParser: _ASim_WebSession_ZscalerZIA
|
||||
ParserParams:
|
||||
- Name: disabled
|
||||
Type: bool
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
Parser:
|
||||
Title: Web Session ASIM filtering parser
|
||||
Version: '0.1'
|
||||
Version: '0.2'
|
||||
LastUpdated: Nov 30, 2021
|
||||
Product:
|
||||
Name: Source agnostic
|
||||
|
@ -14,7 +14,8 @@ References:
|
|||
Link: https://aka.ms/AboutASIM
|
||||
Description: |
|
||||
This ASIM parser supports filtering and normalizing Web Session logs from all supported sources to the ASIM DNS activity normalized schema.
|
||||
ParserName: ASimWebSession
|
||||
ParserName: vimWebSession
|
||||
EquivalentBuiltInParser: _Im_WebSession
|
||||
ParserParams:
|
||||
- Name: starttime
|
||||
Type: datetime
|
||||
|
@ -37,8 +38,8 @@ ParserParams:
|
|||
- Name: eventresult
|
||||
Type: string
|
||||
Default: '*'
|
||||
- Name: eventresultdetils_has_any
|
||||
Type: dyanmic
|
||||
- Name: eventresultdetails_has_any
|
||||
Type: dynamic
|
||||
Default: dynamic([])
|
||||
- Name: disabled
|
||||
Type: bool
|
||||
|
@ -63,6 +64,6 @@ ParserQuery: |
|
|||
parser (starttime, endtime, srcipaddr_has_any, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult)
|
||||
|
||||
Parsers:
|
||||
- vimWebSesssionEmpty
|
||||
- vimWebSessionSquidProxy
|
||||
- vimWebSessionZscalerZIA
|
||||
- _Im_WebSesssion_Empty
|
||||
- _Im_WebSession_SquidProxy
|
||||
- _Im_WebSession_ZscalerZIA
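Review bot: The `Parsers` list spells the empty parser `vimWebSesssionEmpty` and `_Im_WebSesssion_Empty` (three s's), while the vimWebSessionEmpty YAML in this commit defines `vimWebSessionEmpty` and `_Im_WebSession_Empty`; the misspelled names will not match the functions. The closing `parser (starttime, endtime, srcipaddr_has_any, ...)` call also passes `srcipaddr_has_any`, which the parameter list declares as `srcipaddr_has_any_prefix`. Suggest `- vimWebSessionEmpty`, `- _Im_WebSession_Empty`, and `parser (starttime, endtime, srcipaddr_has_any_prefix, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult)`.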
|
||||
|
|
|
@ -15,6 +15,7 @@ References:
|
|||
Description: |
|
||||
This function returns an empty ASIM Web Session schema
|
||||
ParserName: vimWebSessionEmpty
|
||||
EquivalentBuiltInParser: _Im_WebSession_Empty
|
||||
ParserQuery: |
|
||||
let parser=datatable(
|
||||
TimeGenerated:datetime
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
Parser:
|
||||
Title: Web Session ASIM filtering parser for Squid Proxy
|
||||
Version: '0.1'
|
||||
Version: '0.2'
|
||||
LastUpdated: Dec 6, 2021
|
||||
Product:
|
||||
Name: Squid Proxy
|
||||
|
@ -19,6 +19,7 @@ References:
|
|||
Description: |
|
||||
This ASIM parser supports filtering and normalizing Squid Proxy logs produced by the Microsoftusu Sentinel Squid Connector to the ASIM Web Session normalized schema. The parser supports squid native log format.
|
||||
ParserName: vimWebSessionSquidProxy
|
||||
EquivalentBuiltInParser: _Im_WebSession_SquidProxy
|
||||
ParserParams:
|
||||
- Name: starttime
|
||||
Type: datetime
|
||||
|
@ -41,8 +42,8 @@ ParserParams:
|
|||
- Name: eventresult
|
||||
Type: string
|
||||
Default: '*'
|
||||
- Name: eventresultdetils_has_any
|
||||
Type: dyanmic
|
||||
- Name: eventresultdetails_has_any
|
||||
Type: dynamic
|
||||
Default: dynamic([])
|
||||
- Name: disabled
|
||||
Type: bool
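Review bot: The Description reads "produced by the Microsoftusu Sentinel Squid Connector"; `Microsoftusu` should be `Microsoft`. The sibling ASimWebSessionSquidProxy description in this commit has the correct spelling, so this is a one-word fix.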
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
Parser:
|
||||
Title: Web Session ASIM filtering parser for Zscaler ZIA
|
||||
Version: '0.1'
|
||||
Version: '0.2'
|
||||
LastUpdated: Dec 7, 2021
|
||||
Product:
|
||||
Name: Zscaler ZIA
|
||||
|
@ -19,6 +19,7 @@ References:
|
|||
Description: |
|
||||
This ASIM parser supports filtering and normalizing Zscaler ZIA proxy logs produced by the Microsoft Sentinel Zscaler connector to the ASIM Web Session normalized schema. The parser supports squid native log format.
|
||||
ParserName: vimWebSessionZscalerZIA
|
||||
EquivalentBuiltInParser: _Im_WebSession_ZscalerZIA
|
||||
|
||||
ParserParams:
|
||||
- Name: starttime
|
||||
|
@ -42,8 +43,8 @@ ParserParams:
|
|||
- Name: eventresult
|
||||
Type: string
|
||||
Default: '*'
|
||||
- Name: eventresultdetils_has_any
|
||||
Type: dyanmic
|
||||
- Name: eventresultdetails_has_any
|
||||
Type: dynamic
|
||||
Default: dynamic([])
|
||||
- Name: disabled
|
||||
Type: bool
|
||||
|
|
|
@ -0,0 +1,182 @@
|
|||
[
|
||||
{
|
||||
"TenantId": "00000000-0000-0000-0000-000000000000",
|
||||
"SourceSystem": "RestAPI",
|
||||
"MG": "",
|
||||
"ManagementGroupName": "",
|
||||
"TimeGenerated [UTC]": "12/3/2021, 9:01:25.926 AM",
|
||||
"Computer": "",
|
||||
"RawData": "",
|
||||
"RawMessage": "Potential Model attack identified",
|
||||
"service_name": "image_classification_defense_engine",
|
||||
"asset_id": "model-01",
|
||||
"source_name": "NA",
|
||||
"probablity": 0.9,
|
||||
"attack_name": "model_attack",
|
||||
"timestamp": "2021-12-03T00:50:23Z",
|
||||
"Type": "AIShield_CL",
|
||||
"_ResourceId": ""
|
||||
},
|
||||
{
|
||||
"TenantId": "00000000-0000-0000-0000-000000000000",
|
||||
"SourceSystem": "RestAPI",
|
||||
"MG": "",
|
||||
"ManagementGroupName": "",
|
||||
"TimeGenerated [UTC]": "12/3/2021, 9:02:17.564 AM",
|
||||
"Computer": "",
|
||||
"RawData": "",
|
||||
"RawMessage": "Potential Model attack identified",
|
||||
"service_name": "image_classification_defense_engine",
|
||||
"asset_id": "model-02",
|
||||
"source_name": "NA",
|
||||
"probablity": 0.75,
|
||||
"attack_name": "model_attack",
|
||||
"timestamp": "2021-12-03T00:50:23Z",
|
||||
"Type": "AIShield_CL",
|
||||
"_ResourceId": ""
|
||||
},
|
||||
{
|
||||
"TenantId": "00000000-0000-0000-0000-000000000000",
|
||||
"SourceSystem": "RestAPI",
|
||||
"MG": "",
|
||||
"ManagementGroupName": "",
|
||||
"TimeGenerated [UTC]": "12/3/2021, 9:02:25.396 AM",
|
||||
"Computer": "",
|
||||
"RawData": "",
|
||||
"RawMessage": "Potential Model attack identified",
|
||||
"service_name": "image_classification_defense_engine",
|
||||
"asset_id": "model-01",
|
||||
"source_name": "NA",
|
||||
"probablity": 0.85,
|
||||
"attack_name": "model_attack",
|
||||
"timestamp": "2021-12-03T00:50:23Z",
|
||||
"Type": "AIShield_CL",
|
||||
"_ResourceId": ""
|
||||
},
|
||||
{
|
||||
"TenantId": "00000000-0000-0000-0000-000000000000",
|
||||
"SourceSystem": "RestAPI",
|
||||
"MG": "",
|
||||
"ManagementGroupName": "",
|
||||
"TimeGenerated [UTC]": "12/3/2021, 9:02:43.475 AM",
|
||||
"Computer": "",
|
||||
"RawData": "",
|
||||
"RawMessage": "Potential Model attack identified",
|
||||
"service_name": "image_classification_defense_engine",
|
||||
"asset_id": "model-02",
|
||||
"source_name": "NA",
|
||||
"probablity": 0.95,
|
||||
"attack_name": "model_attack",
|
||||
"timestamp": "2021-12-03T00:50:23Z",
|
||||
"Type": "AIShield_CL",
|
||||
"_ResourceId": ""
|
||||
},
|
||||
{
|
||||
"TenantId": "00000000-0000-0000-0000-000000000000",
|
||||
"SourceSystem": "RestAPI",
|
||||
"MG": "",
|
||||
"ManagementGroupName": "",
|
||||
"TimeGenerated [UTC]": "12/3/2021, 9:00:19.692 AM",
|
||||
"Computer": "",
|
||||
"RawData": "",
|
||||
"RawMessage": "Potential Model attack identified",
|
||||
"service_name": "image_classification_defense_engine",
|
||||
"asset_id": "model-01",
|
||||
"source_name": "NA",
|
||||
"probablity": 0.6,
|
||||
"attack_name": "model_attack",
|
||||
"timestamp": "2021-12-03T00:50:23Z",
|
||||
"Type": "AIShield_CL",
|
||||
"_ResourceId": ""
|
||||
},
|
||||
{
|
||||
"TenantId": "00000000-0000-0000-0000-000000000000",
|
||||
"SourceSystem": "RestAPI",
|
||||
"MG": "",
|
||||
"ManagementGroupName": "",
|
||||
"TimeGenerated [UTC]": "12/3/2021, 9:00:28.848 AM",
|
||||
"Computer": "",
|
||||
"RawData": "",
|
||||
"RawMessage": "Potential Model attack identified",
|
||||
"service_name": "image_classification_defense_engine",
|
||||
"asset_id": "model-01",
|
||||
"source_name": "NA",
|
||||
"probablity": 0.7,
|
||||
"attack_name": "model_attack",
|
||||
"timestamp": "2021-12-03T00:50:23Z",
|
||||
"Type": "AIShield_CL",
|
||||
"_ResourceId": ""
|
||||
},
|
||||
{
|
||||
"TenantId": "00000000-0000-0000-0000-000000000000",
|
||||
"SourceSystem": "RestAPI",
|
||||
"MG": "",
|
||||
"ManagementGroupName": "",
|
||||
"TimeGenerated [UTC]": "12/3/2021, 9:00:49.065 AM",
|
||||
"Computer": "",
|
||||
"RawData": "",
|
||||
"RawMessage": "Potential Model attack identified",
|
||||
"service_name": "image_classification_defense_engine",
|
||||
"asset_id": "model-01",
|
||||
"source_name": "NA",
|
||||
"probablity": 0.8,
|
||||
"attack_name": "model_attack",
|
||||
"timestamp": "2021-12-03T00:50:23Z",
|
||||
"Type": "AIShield_CL",
|
||||
"_ResourceId": ""
|
||||
},
|
||||
{
|
||||
"TenantId": "00000000-0000-0000-0000-000000000000",
|
||||
"SourceSystem": "RestAPI",
|
||||
"MG": "",
|
||||
"ManagementGroupName": "",
|
||||
"TimeGenerated [UTC]": "12/3/2021, 9:00:45.092 AM",
|
||||
"Computer": "",
|
||||
"RawData": "",
|
||||
"RawMessage": "Potential Model attack identified",
|
||||
"service_name": "image_classification_defense_engine",
|
||||
"asset_id": "model-02",
|
||||
"source_name": "NA",
|
||||
"probablity": 0.55,
|
||||
"attack_name": "model_attack",
|
||||
"timestamp": "2021-12-03T00:50:23Z",
|
||||
"Type": "AIShield_CL",
|
||||
"_ResourceId": ""
|
||||
},
|
||||
{
|
||||
"TenantId": "00000000-0000-0000-0000-000000000000",
|
||||
"SourceSystem": "RestAPI",
|
||||
"MG": "",
|
||||
"ManagementGroupName": "",
|
||||
"TimeGenerated [UTC]": "12/3/2021, 9:00:45.064 AM",
|
||||
"Computer": "",
|
||||
"RawData": "",
|
||||
"RawMessage": "Potential Model attack identified",
|
||||
"service_name": "image_classification_defense_engine",
|
||||
"asset_id": "model-01",
|
||||
"source_name": "NA",
|
||||
"probablity": 0.65,
|
||||
"attack_name": "model_attack",
|
||||
"timestamp": "2021-12-03T00:50:23Z",
|
||||
"Type": "AIShield_CL",
|
||||
"_ResourceId": ""
|
||||
},
|
||||
{
|
||||
"TenantId": "00000000-0000-0000-0000-000000000000",
|
||||
"SourceSystem": "RestAPI",
|
||||
"MG": "",
|
||||
"ManagementGroupName": "",
|
||||
"TimeGenerated [UTC]": "12/3/2021, 9:01:19.781 AM",
|
||||
"Computer": "",
|
||||
"RawData": "",
|
||||
"RawMessage": "Potential Model attack identified",
|
||||
"service_name": "image_classification_defense_engine",
|
||||
"asset_id": "model-02",
|
||||
"source_name": "NA",
|
||||
"probablity": 0.9,
|
||||
"attack_name": "model_attack",
|
||||
"timestamp": "2021-12-03T00:50:23Z",
|
||||
"Type": "AIShield_CL",
|
||||
"_ResourceId": ""
|
||||
}
|
||||
]
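Review bot: Every record uses the key `TimeGenerated [UTC]`, which is the Log Analytics portal's export label rather than the table column `TimeGenerated`, and its value is the portal's localized `12/3/2021, 9:01:25.926 AM` rendering rather than what the table stores; any parser or test that reads `TimeGenerated` from this sample will find nothing. Suggest `"TimeGenerated": "2021-12-03T09:01:25.926Z"` (same instant, ISO form) per record. The field `probablity` is misspelled; if it mirrors the ingested column name it has to stay, but then the matching parser must use the same spelling, so a short note in the sample's README confirming which is the case would help. The `_ResourceId`, `MG` and `Computer` fields are empty in every record, which is fine for a sample but worth stating so nobody assumes the connector never populates them.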
|
|
@ -0,0 +1,33 @@
|
|||
id: 5b0cec45-4a91-4f08-bb1b-392427e8f440
|
||||
name: Jira - Global permission added
|
||||
description: |
|
||||
'Detects when global permission added.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: JiraAuditAPI
|
||||
dataTypes:
|
||||
- JiraAudit
|
||||
queryFrequency: 1h
|
||||
queryPeriod: 1h
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
tactics:
|
||||
- PrivilegeEscalation
|
||||
relevantTechniques:
|
||||
- T1078
|
||||
query: |
|
||||
JiraAudit
|
||||
| where EventMessage =~ 'Global permission added'
|
||||
| project EventCreationTime, ObjectItemName, UserName, SrcIpAddr, ChangedValues
|
||||
| extend AccountCustomEntity = UserName, IPCustomEntity = SrcIpAddr
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: Name
|
||||
columnName: AccountCustomEntity
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
||||
version: 1.0.0
|
||||
kind: Scheduled
|
|
@ -0,0 +1,31 @@
|
|||
id: b894593a-2b4c-4573-bc47-78715224a6f5
|
||||
name: Jira - New site admin user
|
||||
description: |
|
||||
'Detects new site admin user.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: JiraAuditAPI
|
||||
dataTypes:
|
||||
- JiraAudit
|
||||
queryFrequency: 1h
|
||||
queryPeriod: 1h
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
tactics:
|
||||
- Persistence
|
||||
- PrivilegeEscalation
|
||||
relevantTechniques:
|
||||
- T1078
|
||||
query: |
|
||||
JiraAudit
|
||||
| where EventMessage =~ 'User added to group'
|
||||
| where ObjectItemName =~ 'site-admins'
|
||||
| extend user = todynamic(AssociatedItems)[0]['name']
|
||||
| extend AccountCustomEntity = user
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: Name
|
||||
columnName: AccountCustomEntity
|
||||
version: 1.0.0
|
||||
kind: Scheduled
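Review bot: `user` is extracted as a dynamic value (`todynamic(AssociatedItems)[0]['name']`) and mapped straight onto the Account entity, but entity mapping expects a string column; it should be `| extend user = tostring(todynamic(AssociatedItems)[0]['name'])`. The same pattern is in the user's-password-changed, user-removed-from-group and user-removed-from-project rules in this commit. This rule also drops the actor: `UserName` and `SrcIpAddr` (who added the member and from where) are neither projected nor mapped, unlike the global-permission and permission-scheme rules, which map both; suggest `| extend AccountCustomEntity = user, IPCustomEntity = SrcIpAddr` with a matching IP/Address entity mapping, and keeping `UserName` in the output. Taking element `[0]` assumes the added user is always the first associated item — worth confirming against the audit payload.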
|
|
@ -0,0 +1,30 @@
|
|||
id: 8c90f30f-c612-407c-91a0-c6a6b41ac199
|
||||
name: Jira - New user created
|
||||
description: |
|
||||
'Detects when new user was created.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: JiraAuditAPI
|
||||
dataTypes:
|
||||
- JiraAudit
|
||||
queryFrequency: 1h
|
||||
queryPeriod: 1h
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
tactics:
|
||||
- Persistence
|
||||
relevantTechniques:
|
||||
- T1078
|
||||
query: |
|
||||
JiraAudit
|
||||
| where EventMessage =~ 'User created'
|
||||
| where ObjectItemTypeName =~ 'USER'
|
||||
| project EventCreationTime, UserName, SrcIpAddr, ObjectItemName, AssociatedItems
|
||||
| extend AccountCustomEntity = ObjectItemName
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: Name
|
||||
columnName: AccountCustomEntity
|
||||
version: 1.0.0
|
||||
kind: Scheduled
|
|
@ -0,0 +1,33 @@
|
|||
id: 72592618-fa57-45e1-9f01-ca8706a5e3f5
|
||||
name: Jira - Permission scheme updated
|
||||
description: |
|
||||
'Detects when permission scheme was updated.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: JiraAuditAPI
|
||||
dataTypes:
|
||||
- JiraAudit
|
||||
queryFrequency: 1h
|
||||
queryPeriod: 1h
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
tactics:
|
||||
- Impact
|
||||
relevantTechniques:
|
||||
- T1531
|
||||
query: |
|
||||
JiraAudit
|
||||
| where EventMessage =~ 'Permission scheme updated'
|
||||
| project EventCreationTime, ObjectItemName, UserName, SrcIpAddr, ChangedValues
|
||||
| extend AccountCustomEntity = UserName, IPCustomEntity = SrcIpAddr
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: Name
|
||||
columnName: AccountCustomEntity
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
||||
version: 1.0.0
|
||||
kind: Scheduled
|
|
@ -0,0 +1,35 @@
|
|||
id: 6bf42891-b54d-4b4e-8533-babc5b3ea4c5
|
||||
name: Jira - New site admin user
|
||||
description: |
|
||||
'Detects new site admin user.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: JiraAuditAPI
|
||||
dataTypes:
|
||||
- JiraAudit
|
||||
queryFrequency: 1h
|
||||
queryPeriod: 14d
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
tactics:
|
||||
- InitialAccess
|
||||
relevantTechniques:
|
||||
- T1078
|
||||
query: |
|
||||
let priv_users = JiraAudit
|
||||
| where EventMessage =~ 'User added to group'
|
||||
| where ObjectItemName =~ 'site-admins'
|
||||
| extend user = todynamic(AssociatedItems)[0]['name']
|
||||
| summarize makeset(user);
|
||||
JiraAudit
|
||||
| where EventMessage =~ "User's password changed"
|
||||
| extend user = todynamic(AssociatedItems)[0]['name']
|
||||
| where user in (priv_users)
|
||||
| extend AccountCustomEntity = user
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: Name
|
||||
columnName: AccountCustomEntity
|
||||
version: 1.0.0
|
||||
kind: Scheduled
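Review bot: `priv_users` ends with `| summarize makeset(user);`, which yields a single row holding one array, so `user in (priv_users)` compares each user with that array rather than with its members and the rule can never fire; end the subquery with `| distinct user` (with `user` cast to string) or wrap it in `toscalar(...)`. The second query has no time bound, so with `queryPeriod: 14d` and `queryFrequency: 1h` every run re-alerts on the same fourteen days of password changes; restrict it to the last run interval while keeping the 14d lookback for the group membership. The `name` and `description` duplicate the earlier `Jira - New site admin user` rule although this one detects password changes of site-admins members; suggest `name: Jira - Password changed for site admin user` and `'Detects when the password of a site-admins group member was changed.'`. `makeset` is also the legacy alias of `make_set`.
```yaml
query: |
  let priv_users = JiraAudit
  | where EventMessage =~ 'User added to group'
  | where ObjectItemName =~ 'site-admins'
  | extend user = tostring(todynamic(AssociatedItems)[0]['name'])
  | distinct user;
  JiraAudit
  | where TimeGenerated > ago(1h)
  | where EventMessage =~ "User's password changed"
  | extend user = tostring(todynamic(AssociatedItems)[0]['name'])
  | where user in (priv_users)
  | extend AccountCustomEntity = user
# … unchanged: entityMappings, version, kind …
```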
|
|
@ -0,0 +1,33 @@
|
|||
id: fb6a8001-fe87-4177-a8f3-df2302215c4f
|
||||
name: Jira - Project roles changed
|
||||
description: |
|
||||
'Detects when project roles were changed.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: JiraAuditAPI
|
||||
dataTypes:
|
||||
- JiraAudit
|
||||
queryFrequency: 1h
|
||||
queryPeriod: 1h
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
tactics:
|
||||
- Impact
|
||||
relevantTechniques:
|
||||
- T1531
|
||||
query: |
|
||||
JiraAudit
|
||||
| where EventMessage =~ 'Project roles changed'
|
||||
| project EventCreationTime, ObjectItemName, UserName, SrcIpAddr, AssociatedItems
|
||||
| extend AccountCustomEntity = UserName, IPCustomEntity = SrcIpAddr
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: Name
|
||||
columnName: AccountCustomEntity
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
||||
version: 1.0.0
|
||||
kind: Scheduled
|
|
@ -0,0 +1,33 @@
|
|||
id: 943176e8-b979-45c0-8ad3-58ba6cfd41f0
|
||||
name: Jira - User's password changed
|
||||
description: |
|
||||
'Detects when user's password was changed.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: JiraAuditAPI
|
||||
dataTypes:
|
||||
- JiraAudit
|
||||
queryFrequency: 1h
|
||||
queryPeriod: 1h
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
tactics:
|
||||
- Persistence
|
||||
relevantTechniques:
|
||||
- T1078
|
||||
query: |
|
||||
JiraAudit
|
||||
| where EventMessage =~ "User's password changed"
|
||||
| extend user = todynamic(AssociatedItems)[0]['name']
|
||||
| extend AccountCustomEntity = user, IPCustomEntity = SrcIpAddr
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: Name
|
||||
columnName: AccountCustomEntity
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
||||
version: 1.0.0
|
||||
kind: Scheduled
|
|
@ -0,0 +1,30 @@
|
|||
id: c13ecb19-4317-4d87-9a1c-52660dd44a7d
|
||||
name: Jira - User removed from group
|
||||
description: |
|
||||
'Detects when a user was removed from group.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: JiraAuditAPI
|
||||
dataTypes:
|
||||
- JiraAudit
|
||||
queryFrequency: 1h
|
||||
queryPeriod: 1h
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
tactics:
|
||||
- Impact
|
||||
relevantTechniques:
|
||||
- T1531
|
||||
query: |
|
||||
JiraAudit
|
||||
| where EventMessage =~ 'User removed from group'
|
||||
| extend user = todynamic(AssociatedItems)[0]['name']
|
||||
| project EventCreationTime, ObjectItemName, user
|
||||
| extend AccountCustomEntity = user
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: Name
|
||||
columnName: AccountCustomEntity
|
||||
version: 1.0.0
|
||||
kind: Scheduled
|
|
@ -0,0 +1,30 @@
|
|||
id: 5d3af0aa-833e-48ed-a29a-8cfd2705c953
|
||||
name: Jira - User removed from project
|
||||
description: |
|
||||
'Detects when a user was removed from project.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: JiraAuditAPI
|
||||
dataTypes:
|
||||
- JiraAudit
|
||||
queryFrequency: 1h
|
||||
queryPeriod: 1h
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
tactics:
|
||||
- Impact
|
||||
relevantTechniques:
|
||||
- T1531
|
||||
query: |
|
||||
JiraAudit
|
||||
| where EventMessage =~ 'User removed from project'
|
||||
| extend user = todynamic(AssociatedItems)[0]['name']
|
||||
| project EventCreationTime, ObjectItemName, user
|
||||
| extend AccountCustomEntity = user
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: Name
|
||||
columnName: AccountCustomEntity
|
||||
version: 1.0.0
|
||||
kind: Scheduled
|
|
@ -0,0 +1,34 @@
|
|||
id: 398aa0ca-45a2-4f79-bc21-ee583bbb63bc
|
||||
name: Jira - Workflow scheme copied
|
||||
description: |
|
||||
'Detects when workflow scheme was copied.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: JiraAuditAPI
|
||||
dataTypes:
|
||||
- JiraAudit
|
||||
queryFrequency: 1h
|
||||
queryPeriod: 1h
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
tactics:
|
||||
- Collection
|
||||
relevantTechniques:
|
||||
- T1213
|
||||
query: |
|
||||
JiraAudit
|
||||
| where EventMessage =~ 'Workflow scheme copied'
|
||||
| extend workflow = todynamic(AssociatedItems)[0]['name']
|
||||
| project EventCreationTime, ObjectItemName, UserName, SrcIpAddr, workflow
|
||||
| extend AccountCustomEntity = UserName, IPCustomEntity = SrcIpAddr
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: Name
|
||||
columnName: AccountCustomEntity
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
||||
version: 1.0.0
|
||||
kind: Scheduled
|
|
@ -0,0 +1,25 @@
|
|||
id: 3fdc31f0-a166-4a4d-b861-f3cd262fd4a1
|
||||
name: Jira - Blocked tasks
|
||||
description: |
|
||||
'Query searches for blocked tasks.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: JiraAuditAPI
|
||||
dataTypes:
|
||||
- JiraAudit
|
||||
tactics:
|
||||
- Impact
|
||||
relevantTechniques:
|
||||
- T1499
|
||||
query: |
|
||||
JiraAudit
|
||||
| where TimeGenerated > ago(24h)
|
||||
| where EventMessage in ('Status updated', 'Status created')
|
||||
| where ObjectItemTypeName =~ 'STATUS'
|
||||
| where ObjectItemName =~ 'Blocked'
|
||||
| extend ProcessCustomEntity = ObjectItemName
|
||||
entityMappings:
|
||||
- entityType: Process
|
||||
fieldMappings:
|
||||
- identifier: ProcessId
|
||||
columnName: ProcessCustomEntity
|
|
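Review bot: The `entityMappings` block maps `ProcessCustomEntity` — which the query sets to `ObjectItemName`, i.e. the Jira status string 'Blocked' — to a Process entity with identifier `ProcessId`; a status name is not a process id, so every result produces a meaningless Process entity in the investigation graph. The actor is the useful pivot for this hunting query, and `| extend AccountCustomEntity = UserName` with `entityType: Account` / `identifier: Name` would match the sibling Jira hunting queries in this commit. The `where EventMessage in ('Status updated', 'Status created')` filter is case-sensitive, unlike the `=~` comparisons on the next two lines; if that is intentional a short note in `description` would help.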
@ -0,0 +1,25 @@
|
|||
id: aadc0945-a399-47ba-b285-c0c09ee06375
|
||||
name: Jira - New users
|
||||
description: |
|
||||
'Query searches for new users created.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: JiraAuditAPI
|
||||
dataTypes:
|
||||
- JiraAudit
|
||||
tactics:
|
||||
- Persistence
|
||||
relevantTechniques:
|
||||
- T1078
|
||||
query: |
|
||||
JiraAudit
|
||||
| where TimeGenerated > ago(24h)
|
||||
| where EventMessage =~ 'User created'
|
||||
| where ObjectItemTypeName =~ 'USER'
|
||||
| project EventCreationTime, UserName, SrcIpAddr, ObjectItemName, AssociatedItems
|
||||
| extend AccountCustomEntity = ObjectItemName
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: Name
|
||||
columnName: AccountCustomEntity
|
|
@ -0,0 +1,24 @@
|
|||
id: 103ccb8d-f910-4978-aba7-1ad598db822b
|
||||
name: Jira - Project versions released
|
||||
description: |
|
||||
'Query searches for project versions released.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: JiraAuditAPI
|
||||
dataTypes:
|
||||
- JiraAudit
|
||||
tactics:
|
||||
- Impact
|
||||
relevantTechniques:
|
||||
- T1565
|
||||
query: |
|
||||
JiraAudit
|
||||
| where TimeGenerated > ago(24h)
|
||||
| where EventMessage =~ 'Project version released'
|
||||
| project EventCreationTime, UserName, ObjectItemName, AssociatedItems
|
||||
| extend AccountCustomEntity = UserName
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: Name
|
||||
columnName: AccountCustomEntity
|
|
@ -0,0 +1,24 @@
|
|||
id: e78cb74b-576b-4e35-a46c-8d328b2d4040
|
||||
name: Jira - Project versions
|
||||
description: |
|
||||
'Query searches for project versions.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: JiraAuditAPI
|
||||
dataTypes:
|
||||
- JiraAudit
|
||||
tactics:
|
||||
- Impact
|
||||
relevantTechniques:
|
||||
- T1565
|
||||
query: |
|
||||
JiraAudit
|
||||
| where TimeGenerated > ago(24h)
|
||||
| where EventMessage =~ 'Project version created'
|
||||
| project EventCreationTime, UserName, SrcIpAddr, ObjectItemName, ChangedValues, AssociatedItems
|
||||
| extend AccountCustomEntity = UserName
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: Name
|
||||
columnName: AccountCustomEntity
|
|
@ -0,0 +1,24 @@
|
|||
id: eb409b8b-0267-4e95-b3a9-ee1a72c32409
|
||||
name: Jira - Updated projects
|
||||
description: |
|
||||
'Query searches for updated projects.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: JiraAuditAPI
|
||||
dataTypes:
|
||||
- JiraAudit
|
||||
tactics:
|
||||
- Impact
|
||||
relevantTechniques:
|
||||
- T1565
|
||||
query: |
|
||||
JiraAudit
|
||||
| where TimeGenerated > ago(24h)
|
||||
| where EventMessage =~ 'Project updated'
|
||||
| project EventCreationTime, UserName, SrcIpAddr, ObjectItemName, ChangedValues, AssociatedItems
|
||||
| extend AccountCustomEntity = UserName
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: Name
|
||||
columnName: AccountCustomEntity
|
|
@ -0,0 +1,26 @@
|
|||
id: d208b406-1509-455c-8c7d-7ffe2f893f24
|
||||
name: Jira - Updated users
|
||||
description: |
|
||||
'Query searches for updated users.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: JiraAuditAPI
|
||||
dataTypes:
|
||||
- JiraAudit
|
||||
tactics:
|
||||
- PrivilegeEscalation
|
||||
- Impact
|
||||
relevantTechniques:
|
||||
- T1531
|
||||
- T1078
|
||||
query: |
|
||||
JiraAudit
|
||||
| where TimeGenerated > ago(24h)
|
||||
| where EventMessage =~ 'User updated'
|
||||
| project EventCreationTime, ObjectItemName, ChangedValues, AssociatedItems
|
||||
| extend AccountCustomEntity = ObjectItemName
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: Name
|
||||
columnName: AccountCustomEntity
|
|
@ -0,0 +1,24 @@
|
|||
id: 3e6ff26d-05dc-4921-9a60-444a0e28cd45
|
||||
name: Jira - Updated workflow schemes
|
||||
description: |
|
||||
'Query searches for updated workflow schemes.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: JiraAuditAPI
|
||||
dataTypes:
|
||||
- JiraAudit
|
||||
tactics:
|
||||
- Impact
|
||||
relevantTechniques:
|
||||
- T1565
|
||||
query: |
|
||||
JiraAudit
|
||||
| where TimeGenerated > ago(24h)
|
||||
| where EventMessage =~ 'Workflow scheme updated'
|
||||
| project EventCreationTime, UserName, SrcIpAddr, ObjectItemName
|
||||
| extend AccountCustomEntity = UserName
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: Name
|
||||
columnName: AccountCustomEntity
|
|
@ -0,0 +1,24 @@
|
|||
id: d4dd32bb-84a4-4fdc-9118-3039cbabb4f8
|
||||
name: Jira - Updated workflows
|
||||
description: |
|
||||
'Query searches for updated workflows.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: JiraAuditAPI
|
||||
dataTypes:
|
||||
- JiraAudit
|
||||
tactics:
|
||||
- Impact
|
||||
relevantTechniques:
|
||||
- T1565
|
||||
query: |
|
||||
JiraAudit
|
||||
| where TimeGenerated > ago(24h)
|
||||
| where EventMessage =~ 'Workflow updated'
|
||||
| project EventCreationTime, UserName, SrcIpAddr, ObjectItemName, ChangedValues
|
||||
| extend AccountCustomEntity = UserName
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: Name
|
||||
columnName: AccountCustomEntity
|
|
@ -0,0 +1,25 @@
|
|||
id: 2265bbd2-7e97-4d69-bdfc-eeb646730d8f
|
||||
name: Jira - Users' IP addresses
|
||||
description: |
|
||||
'Query searches for users' IP addresses.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: JiraAuditAPI
|
||||
dataTypes:
|
||||
- JiraAudit
|
||||
tactics:
|
||||
- Persistence
|
||||
relevantTechniques:
|
||||
- T1078
|
||||
query: |
|
||||
JiraAudit
|
||||
| where TimeGenerated > ago(24h)
|
||||
| where isnotempty(SrcIpAddr)
|
||||
| where isnotempty(USerName)
|
||||
| summarize ip_list = makeset(SrcIpAddr) by UserName
|
||||
| extend AccountCustomEntity = UserName
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: Name
|
||||
columnName: AccountCustomEntity
|
|
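Review bot: `| where isnotempty(USerName)` references a column that does not exist — KQL column names are case-sensitive and the table exposes `UserName`, as the following `summarize ... by UserName` line itself uses — so the query fails with an unresolved-name error instead of returning rows. The fix is `| where isnotempty(UserName)`. `makeset` is a deprecated spelling; `make_set` is the current function and behaves the same here.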
@ -0,0 +1,24 @@
|
|||
id: 2f875fa8-ced3-4059-b453-616dbc6eb276
|
||||
name: Jira - Workflow schemes added to projects
|
||||
description: |
|
||||
'Query searches for workflow schemes added to projects.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: JiraAuditAPI
|
||||
dataTypes:
|
||||
- JiraAudit
|
||||
tactics:
|
||||
- Impact
|
||||
relevantTechniques:
|
||||
- T1565
|
||||
query: |
|
||||
JiraAudit
|
||||
| where TimeGenerated > ago(24h)
|
||||
| where EventMessage =~ 'Workflow scheme added to project'
|
||||
| project EventCreationTime, UserName, ObjectItemName, AssociatedItems
|
||||
| extend AccountCustomEntity = UserName
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: Name
|
||||
columnName: AccountCustomEntity
|
|
@ -0,0 +1,419 @@
|
|||
{
|
||||
"version": "Notebook/1.0",
|
||||
"items": [
|
||||
{
|
||||
"type": 1,
|
||||
"content": {
|
||||
"json": "**NOTE**: This data connector depends on a parser based on Kusto Function **JiraAudit** to work as expected. [Follow steps to get this Kusto Function](https://aka.ms/sentinel-jiraauditapi-parser)"
|
||||
},
|
||||
"name": "text - 8"
|
||||
},
|
||||
{
|
||||
"type": 9,
|
||||
"content": {
|
||||
"version": "KqlParameterItem/1.0",
|
||||
"parameters": [
|
||||
{
|
||||
"id": "cd8447d9-b096-4673-92d8-2a1e8291a125",
|
||||
"version": "KqlParameterItem/1.0",
|
||||
"name": "TimeRange",
|
||||
"type": 4,
|
||||
"description": "Sets the time name for analysis",
|
||||
"value": {
|
||||
"durationMs": 2592000000
|
||||
},
|
||||
"typeSettings": {
|
||||
"selectableValues": [
|
||||
{
|
||||
"durationMs": 900000
|
||||
},
|
||||
{
|
||||
"durationMs": 3600000
|
||||
},
|
||||
{
|
||||
"durationMs": 86400000
|
||||
},
|
||||
{
|
||||
"durationMs": 604800000
|
||||
},
|
||||
{
|
||||
"durationMs": 2592000000
|
||||
},
|
||||
{
|
||||
"durationMs": 7776000000
|
||||
}
|
||||
]
|
||||
},
|
||||
"timeContext": {
|
||||
"durationMs": 86400000
|
||||
}
|
||||
}
|
||||
],
|
||||
"style": "pills",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces"
|
||||
},
|
||||
"name": "parameters - 11"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "JiraAudit\r\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};",
|
||||
"size": 0,
|
||||
"title": "Events Over Time",
|
||||
"timeContext": {
|
||||
"durationMs": 7776000000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "timechart",
|
||||
"graphSettings": {
|
||||
"type": 0
|
||||
}
|
||||
},
|
||||
"customWidth": "55",
|
||||
"name": "query - 12",
|
||||
"styleSettings": {
|
||||
"maxWidth": "55"
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "JiraAudit\r\n| where isnotempty(EventCategoryType) \r\n| summarize count() by EventCategoryType\r\n| join kind = inner (JiraAudit \r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by EventCategoryType) on EventCategoryType\r\n| project-away EventCategoryType1, TimeGenerated\r\n| project count_, EventCategory = case(EventCategoryType =~ 'user management', 'User Management',\r\n EventCategoryType =~ 'projects', 'Projects Management',\r\n EventCategoryType =~ 'group management', 'Group Management',\r\n EventCategoryType =~ 'workflows', 'Workflow Management',\r\n EventCategoryType =~ 'permissions', 'Permissions Management',\r\n EventCategoryType =~ 'status', 'Task Status',\r\n 'Other'), Trend\r\n",
|
||||
"size": 3,
|
||||
"title": "Event Categories",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "tiles",
|
||||
"tileSettings": {
|
||||
"titleContent": {
|
||||
"columnMatch": "EventCategory",
|
||||
"formatter": 1
|
||||
},
|
||||
"leftContent": {
|
||||
"columnMatch": "count_",
|
||||
"formatter": 12,
|
||||
"formatOptions": {
|
||||
"palette": "auto"
|
||||
},
|
||||
"numberFormat": {
|
||||
"unit": 17,
|
||||
"options": {
|
||||
"style": "decimal",
|
||||
"maximumFractionDigits": 2,
|
||||
"maximumSignificantDigits": 3
|
||||
}
|
||||
}
|
||||
},
|
||||
"secondaryContent": {
|
||||
"columnMatch": "Trend",
|
||||
"formatter": 21,
|
||||
"formatOptions": {
|
||||
"palette": "blue"
|
||||
}
|
||||
},
|
||||
"showBorder": false
|
||||
}
|
||||
},
|
||||
"customWidth": "30",
|
||||
"name": "query - 0",
|
||||
"styleSettings": {
|
||||
"maxWidth": "30"
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": 12,
|
||||
"content": {
|
||||
"version": "NotebookGroup/1.0",
|
||||
"groupType": "editable",
|
||||
"items": [
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "JiraAudit\r\n| where EventCategoryType =~ 'projects'\r\n| where ObjectItemTypeName =~ 'PROJECT'\r\n| summarize dcount(ObjectItemName)",
|
||||
"size": 3,
|
||||
"title": "Projects",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "card",
|
||||
"tileSettings": {
|
||||
"showBorder": false
|
||||
},
|
||||
"graphSettings": {
|
||||
"type": 0
|
||||
},
|
||||
"mapSettings": {
|
||||
"locInfo": "LatLong",
|
||||
"sizeSettings": "DstPortNumber",
|
||||
"sizeAggregation": "Sum",
|
||||
"legendMetric": "DstPortNumber",
|
||||
"legendAggregation": "Sum",
|
||||
"itemColorSettings": {
|
||||
"type": "heatmap",
|
||||
"colorAggregation": "Sum",
|
||||
"nodeColorField": "DstPortNumber",
|
||||
"heatmapPalette": "greenRed"
|
||||
}
|
||||
},
|
||||
"textSettings": {
|
||||
"style": "bignumber"
|
||||
}
|
||||
},
|
||||
"name": "query - 14"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "JiraAudit\r\n| where EventCategoryType =~ 'workflows'\r\n| where ObjectItemTypeName =~ 'WORKFLOW'\r\n| summarize dcount(ObjectItemName)\r\n",
|
||||
"size": 3,
|
||||
"title": "Workflows",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "card",
|
||||
"textSettings": {
|
||||
"style": "bignumber"
|
||||
}
|
||||
},
|
||||
"name": "query - 12"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "JiraAudit\n| where isnotempty(UserName)\n| summarize dcount(UserName)",
|
||||
"size": 3,
|
||||
"title": "Users",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "card",
|
||||
"textSettings": {
|
||||
"style": "bignumber"
|
||||
}
|
||||
},
|
||||
"name": "query - 2"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "JiraAudit\n| count",
|
||||
"size": 3,
|
||||
"title": "Operations",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "card",
|
||||
"textSettings": {
|
||||
"style": "bignumber"
|
||||
}
|
||||
},
|
||||
"name": "query - 3"
|
||||
}
|
||||
]
|
||||
},
|
||||
"customWidth": "15",
|
||||
"name": "group - 13"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "JiraAudit\r\n| where isnotempty(EventMessage) \r\n| summarize count() by EventMessage\r\n",
|
||||
"size": 3,
|
||||
"title": "Event types",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "piechart",
|
||||
"tileSettings": {
|
||||
"showBorder": false,
|
||||
"titleContent": {
|
||||
"columnMatch": "EventMessage",
|
||||
"formatter": 1
|
||||
},
|
||||
"leftContent": {
|
||||
"columnMatch": "count_",
|
||||
"formatter": 12,
|
||||
"formatOptions": {
|
||||
"palette": "auto"
|
||||
},
|
||||
"numberFormat": {
|
||||
"unit": 17,
|
||||
"options": {
|
||||
"maximumSignificantDigits": 3,
|
||||
"maximumFractionDigits": 2
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"customWidth": "27",
|
||||
"name": "query - 3",
|
||||
"styleSettings": {
|
||||
"margin": "10",
|
||||
"padding": "10"
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": " JiraAudit\r\n | where isnotempty(SrcIpAddr) \r\n | summarize count() by SrcIpAddr\r\n | top 10 by SrcIpAddr",
|
||||
"size": 3,
|
||||
"title": "Top sources",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "piechart"
|
||||
},
|
||||
"customWidth": "27",
|
||||
"name": "query - 9"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "JiraAudit\r\n| where isnotempty(UserName) \r\n| summarize count() by UserName, EventMessage\r\n| project User=UserName, Operation=EventMessage, EventCount=count_\r\n",
|
||||
"size": 0,
|
||||
"title": "User activity",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "table"
|
||||
},
|
||||
"customWidth": "46",
|
||||
"name": "query - 15",
|
||||
"styleSettings": {
|
||||
"maxWidth": "30"
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "JiraAudit\r\n| where isnotempty(UserName)\r\n| where isnotempty(SrcIpAddr) \r\n| summarize IPAddresses = makeset(SrcIpAddr) by UserName\r\n",
|
||||
"size": 0,
|
||||
"title": "Document types",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "table"
|
||||
},
|
||||
"customWidth": "35",
|
||||
"name": "query - 10",
|
||||
"styleSettings": {
|
||||
"maxWidth": "30"
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "JiraAudit\r\n| where EventCategoryType =~ 'projects'\r\n| where ObjectItemTypeName =~ 'PROJECT'\r\n| summarize count() by ObjectItemName",
|
||||
"size": 0,
|
||||
"title": "Top projects",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "barchart"
|
||||
},
|
||||
"customWidth": "55",
|
||||
"name": "query - 13",
|
||||
"styleSettings": {
|
||||
"maxWidth": "50"
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "JiraAudit\r\n| where EventCategoryType =~ 'workflows'\r\n| where ObjectItemTypeName =~ 'WORKFLOW'\r\n| summarize count() by ObjectItemName\r\n",
|
||||
"size": 3,
|
||||
"title": "Workflows by activity",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "piechart",
|
||||
"gridSettings": {
|
||||
"rowLimit": 100,
|
||||
"filter": true
|
||||
}
|
||||
},
|
||||
"customWidth": "30",
|
||||
"name": "query - 12"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "JiraAudit\n| where isnotempty(UserName) \n| summarize count() by UserName",
|
||||
"size": 3,
|
||||
"title": "Users' activity",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "piechart"
|
||||
},
|
||||
"customWidth": "30",
|
||||
"name": "query - 11"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "JiraAudit\n| where isnotempty(UserName) \n| summarize count() by UserName\n| order by count_\n| project User=UserName, EventCount=count_",
|
||||
"size": 0,
|
||||
"title": "Events by user",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "table"
|
||||
},
|
||||
"customWidth": "40",
|
||||
"name": "query - 12"
|
||||
}
|
||||
],
|
||||
"fromTemplateId": "sentinel-AtlasianJiraAuditWorkbook",
|
||||
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
||||
}
|
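Review bot: In the 'Top sources' tile the query ends with `| top 10 by SrcIpAddr`, which orders by the IP address string rather than by the count, so the chart shows the ten lexicographically largest addresses instead of the busiest sources; it should read `| top 10 by count_`. The tile titled 'Document types' runs `summarize IPAddresses = makeset(SrcIpAddr) by UserName`, so the title looks copied from another workbook and something like 'IP addresses by user' would describe it. The `mapSettings` block of the 'Projects' card references `DstPortNumber`, a column JiraAudit does not have; it is inert for a card visualization but reads as copy-paste residue, and that card (like 'User activity') is also missing `timeContextFromParameter`, so it presumably ignores the TimeRange pill — worth confirming before release.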
Solutions/AtlassianJiraAudit/Workbooks/Images/AtlassianJiraAuditBlack.png
Solutions/AtlassianJiraAudit/Workbooks/Images/AtlassianJiraAuditWhite.png
|
@ -0,0 +1,29 @@
|
|||
id: 910b7d93-f1a0-4b76-9e32-593004c0fe85
|
||||
name: Bosch AIShield - Image classification model theft vulnerability detection
|
||||
description: |
|
||||
'This alert creates an incident when Image classification model theft vulnerability detected from the Bosch AIShield.'
|
||||
severity: High
|
||||
requiredDataConnectors:
|
||||
- connectorId: BoschAIShield
|
||||
dataTypes:
|
||||
- AIShield
|
||||
queryFrequency: 1h
|
||||
queryPeriod: 1h
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
tactics: []
|
||||
relevantTechniques: []
|
||||
query: |
|
||||
AIShield
|
||||
| where ServiceName has 'image_classification'
|
||||
| where Severity =~ 'High'
|
||||
eventGroupingSettings:
|
||||
aggregationKind: SingleAlert
|
||||
alertDetailsOverride:
|
||||
alertDisplayNameFormat: Bosch {{EventProduct}} - Image classification model theft vulnerability detected.
|
||||
alertDescriptionFormat: |
|
||||
This query detects Image classification model theft vulnerability alert from Bosch {{EventProduct}} generated at {{TimeGenerated}}\n\nPlease check the source for more information and investigate further.
|
||||
alertTacticsColumnName: null
|
||||
alertSeverityColumnName: Severity
|
||||
version: 1.0.0
|
||||
kind: Scheduled
|
|
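Review bot: The query only filters on `ServiceName has 'image_classification'` and `Severity =~ 'High'`, so the rule fires on every High-severity AIShield event for image-classification services rather than specifically on model theft as `name`, `description` and `alertDisplayNameFormat` state; the parser in this commit exposes an `AttackName` column that should narrow it, e.g. `| where AttackName has '<value AIShield emits for model theft>'` (placeholder — confirm against real parser output). `tactics: []` and `relevantTechniques: []` are empty even though the rule has a clear subject, which also leaves `alertTacticsColumnName: null` doing nothing. Inside the `alertDescriptionFormat` block scalar the `\n\n` is literal backslash-n text, since YAML `|` scalars do not process escapes; use real blank lines within the block if a paragraph break is wanted.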
@ -0,0 +1,122 @@
|
|||
{
|
||||
"id": "BoschAIShield",
|
||||
"title": "Bosch AIShield",
|
||||
"publisher": "Bosch",
|
||||
"descriptionMarkdown": "The [Bosch AIShield](http://www.boschaishield.com/) connector allows users to connect with AIShield custom defense mechanism logs with Microsoft Sentinel, allowing the creation of dynamic Dashboards, Workbooks, Notebooks and tailored Alerts to improve investigation and thwart attacks on AI systems. It gives users more insight into their organization's AI assets security posturing and improves their AI systems security operation capabilities.",
|
||||
"additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected [**AIShield**](https://aka.ms/sentinel-boschaishield-parser) which is deployed with the Azure Sentinel Solution.",
|
||||
"graphQueries": [
|
||||
{
|
||||
"metricName": "Total data received",
|
||||
"legend": "AIShield_CL",
|
||||
"baseQuery": "AIShield_CL"
|
||||
}
|
||||
],
|
||||
"sampleQueries": [
|
||||
{
|
||||
"description" : "Get all incidents order by time",
|
||||
"query": "AIShield\n | order by TimeGenerated desc "
|
||||
},
|
||||
{
|
||||
"description" : "Get high risk incidents",
|
||||
"query": "AIShield\n | where Severity =~ 'High'"
|
||||
}
|
||||
],
|
||||
"dataTypes": [
|
||||
{
|
||||
"name": "AIShield_CL",
|
||||
"lastDataReceivedQuery": "AIShield_CL\n | summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
|
||||
}
|
||||
],
|
||||
|
||||
"connectivityCriterias": [
|
||||
{
|
||||
"type": "IsConnectedQuery",
|
||||
"value": [
|
||||
"AIShield_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
|
||||
]
|
||||
}
|
||||
],
|
||||
"availability": {
|
||||
"status": 1,
|
||||
"isPreview": true
|
||||
},
|
||||
"permissions": {
|
||||
"resourceProvider": [
|
||||
{
|
||||
"provider": "Microsoft.OperationalInsights/workspaces",
|
||||
"permissionsDisplayText": "read and write permissions are required.",
|
||||
"providerDisplayName": "Workspace",
|
||||
"scope": "Workspace",
|
||||
"requiredPermissions": {
|
||||
"write": true,
|
||||
"read": true,
|
||||
"delete": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
|
||||
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
|
||||
"providerDisplayName": "Keys",
|
||||
"scope": "Workspace",
|
||||
"requiredPermissions": {
|
||||
"action": true
|
||||
}
|
||||
}
|
||||
],
|
||||
"customs": [
|
||||
{
|
||||
"name": "Note",
|
||||
"description": "Users should have utilized Bosch AIShield SaaS offering to conduct vulnerability analysis and deployed custom defense mechanisms generated along with their AI asset. [**Click here**](https://azuremarketplace.microsoft.com/marketplace/apps/bosch.rbei_aishield) to know more or get in touch."
|
||||
}
|
||||
]
|
||||
},
|
||||
"instructionSteps": [
|
||||
{
|
||||
"title": "",
|
||||
"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**AIShield**](https://aka.ms/sentinel-boschaishield-parser) which is deployed with the Azure Sentinel Solution.",
|
||||
"instructions": [
|
||||
]
|
||||
},
|
||||
{
|
||||
"title": "",
|
||||
"description": "\n>**IMPORTANT:** Before deploying the Bosch AIShield Connector, have the Workspace ID and Workspace Primary Key (can be copied from the following).",
|
||||
"instructions": [
|
||||
{
|
||||
"parameters": {
|
||||
"fillWith": [
|
||||
"WorkspaceId"
|
||||
],
|
||||
"label": "Workspace ID"
|
||||
},
|
||||
"type": "CopyableLabel"
|
||||
},
|
||||
{
|
||||
"parameters": {
|
||||
"fillWith": [
|
||||
"PrimaryKey"
|
||||
],
|
||||
"label": "Primary Key"
|
||||
},
|
||||
"type": "CopyableLabel"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"metadata" : {
|
||||
"id": "cb950e71-d52e-4333-8637-96e3a5aaf70d",
|
||||
"version": "1.0.0",
|
||||
"kind": "dataConnector",
|
||||
"source": {
|
||||
"kind": "solution",
|
||||
"name": "Bosch"
|
||||
},
|
||||
"author": {
|
||||
"name": "Bosch"
|
||||
},
|
||||
"support": {
|
||||
"name": "Bosch",
|
||||
"link": "mailto:AIShield.Contact@bosch.com",
|
||||
"tier": "developer"
|
||||
}
|
||||
}
|
||||
}
|
|
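Review bot: The `instructionSteps` hand the user the Workspace ID and Primary Key through two `CopyableLabel` items but never say where to enter them — the first step's `instructions` array is empty and no step describes configuring AIShield to forward logs — so the connector page cannot be followed end to end. Add a step whose `description` states where in the AIShield SaaS the credentials are entered (placeholder wording: "In AIShield, open <settings page> and paste the Workspace ID and Primary Key"), and mention that the Primary Key authorises ingestion for the whole workspace and should be rotated if it is ever exposed. The `permissions.resourceProvider` entry requests `"delete": true` on the workspace; if the connector only needs to write and read data, dropping it keeps the requested rights to the minimum. `descriptionMarkdown` links to `http://www.boschaishield.com/` over plain HTTP; prefer https if the site supports it.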
@ -0,0 +1,15 @@
|
|||
<svg id="95a639b5-7c06-4edd-b6ab-5830fbefa47b" xmlns="http://www.w3.org/2000/svg" width="200" height="97" viewBox="0 0 433 97">
|
||||
<g>
|
||||
<g id="be4b3fdf-4813-4917-8ae3-209fe19e9d81">
|
||||
<path id="1ebe4c05-823f-4d16-8b9f-cb08ae70f182" d="M185.2,46.88a13.77,13.77,0,0,0,8.8-13c0-11.7-8.3-17.5-19.7-17.5H144.4V80h32.5c10,0,19.8-7,19.8-17.7C196.7,49.58,185.2,47,185.2,46.88ZM160,29.58h11.6a5.66,5.66,0,0,1,6,5.31q0,.34,0,.69a5.93,5.93,0,0,1-6,5.81H159.9Zm11.7,37.1H160.1V54.18h11.3c5.7,0,8.4,2.5,8.4,6.2C179.8,65,176.4,66.68,171.7,66.68Z" fill="#ed0007"/>
|
||||
<path id="d6fca39c-1b0a-484c-b4a3-cc37a43b3df0" d="M231.1,14.78c-18.4,0-29.2,14.7-29.2,33.3s10.8,33.3,29.2,33.3,29.2-14.6,29.2-33.3S249.6,14.78,231.1,14.78Zm0,51.4c-9,0-13.5-8.1-13.5-18.1s4.5-18,13.5-18,13.6,8.1,13.6,18C244.7,58.18,240.1,66.18,231.1,66.18Z" fill="#ed0007"/>
|
||||
<path id="5a51f65f-8a87-4ac2-87a1-59fb1d89a664" d="M294.2,41.38l-2.2-.5c-5.4-1.1-9.7-2.5-9.7-6.4,0-4.2,4.1-5.9,7.7-5.9a17.86,17.86,0,0,1,13,5.9l9.9-9.8c-4.5-5.1-11.8-10-23.2-10-13.4,0-23.6,7.5-23.6,20,0,11.4,8.2,17,18.2,19.1l2.2.5c8.3,1.7,11.4,3,11.4,7,0,3.8-3.4,6.3-8.6,6.3-6.2,0-11.8-2.7-16.1-8.2l-10.1,10c5.6,6.7,12.7,11.9,26.4,11.9,11.9,0,24.6-6.8,24.6-20.7C314.3,46.08,303.3,43.28,294.2,41.38Z" fill="#ed0007"/>
|
||||
<path id="b2309c01-6254-4599-b734-06a2007dae15" d="M349.7,66.18c-7,0-14.3-5.8-14.3-18.5,0-11.3,6.8-17.6,13.9-17.6,5.6,0,8.9,2.6,11.5,7.1l12.8-8.5c-6.4-9.7-14-13.8-24.5-13.8-19.2,0-29.6,14.9-29.6,32.9,0,18.9,11.5,33.7,29.4,33.7,12.6,0,18.6-4.4,25.1-13.8L361.1,59C358.5,63.18,355.7,66.18,349.7,66.18Z" fill="#ed0007"/>
|
||||
<polygon id="115300d7-5299-4248-9da0-5d72849a44a1" points="416.3 16.38 416.3 39.78 397 39.78 397 16.38 380.3 16.38 380.3 79.98 397 79.98 397 54.88 416.3 54.88 416.3 79.98 433 79.98 433 16.38 416.3 16.38" fill="#ed0007"/>
|
||||
</g>
|
||||
<g id="2d477aa6-fb01-461a-ae28-3c049cb8bb72">
|
||||
<path d="M48.2.18a48.2,48.2,0,1,0,48.2,48.2A48.2,48.2,0,0,0,48.2.18Zm0,91.9a43.7,43.7,0,1,1,43.7-43.7,43.71,43.71,0,0,1-43.7,43.7Z"/>
|
||||
<path d="M68.1,18.28H64.8v16.5H31.7V18.28H28.3a36.06,36.06,0,0,0,0,60.2h3.4V62H64.8v16.5h3.3a36.05,36.05,0,0,0,0-60.2ZM27.1,72A31.59,31.59,0,0,1,24.47,27.4a32.51,32.51,0,0,1,2.63-2.62Zm37.7-14.6H31.7V39.28H64.8Zm4.5,14.5v-10h0V34.78h0v-10a31.65,31.65,0,0,1,2.39,44.71A33.68,33.68,0,0,1,69.3,71.88Z"/>
|
||||
</g>
|
||||
</g>
|
||||
</svg>
|
|
@ -0,0 +1,27 @@
|
|||
// Title: Bosch AIShield Parser
|
||||
// Author: Bosch
|
||||
// Version: 1.0
|
||||
// Last Updated: 17/12/2021
|
||||
// Comment: Inital Release
|
||||
//
|
||||
// DESCRIPTION:
|
||||
// This parser takes raw logs form Bosch AIShield and parses the data into a normalized schema.
|
||||
//
|
||||
// Usage Instruction :
|
||||
// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias as AIShield.
|
||||
// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. AIShield | take 10).
|
||||
// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
|
||||
|
||||
AIShield_CL
|
||||
| extend EventVendor = 'Bosch'
|
||||
| extend EventProduct = 'AIShield'
|
||||
| extend Severity = iff(probablity_d between (0.85..1.0),"High",iff(probablity_d between
|
||||
(0.7..0.84), "Medium", iff(probablity_d < (0.7),"Low","Unknown")))
|
||||
| project-rename
|
||||
AttackName = attack_name_s,
|
||||
Message = RawMessage_s,
|
||||
ServiceName = service_name_s,
|
||||
AssetId = asset_id_s,
|
||||
EventTimestamp = timestamp_t,
|
||||
SourceName = source_name_s
|
||||
| project-away probablity_d
|
|
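Review bot: The nested `iff` on the `| extend Severity = ...` lines has a gap: `between` is inclusive at both ends, so a probability strictly between 0.84 and 0.85 (e.g. 0.845) matches neither range, is not `< 0.7`, and is labelled "Unknown"; any value above 1.0 gets the same label, which is presumably intended. A single `case()` with open upper bounds removes the gap while keeping the out-of-range handling: `| extend Severity = case(probablity_d > 1.0, "Unknown", probablity_d >= 0.85, "High", probablity_d >= 0.7, "Medium", probablity_d < 0.7, "Low", "Unknown")`, where the trailing "Unknown" still covers a null probability. The header comments have typos ('Inital', 'form Bosch'); the column name `probablity_d` is presumably the raw field's real name and must stay as it is.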
@ -38,6 +38,7 @@ Few Microsoft Sentinel solutions are selectively enabled for CSP Program (Cloud
|
|||
6. Palo Alto Prisma
|
||||
7. Imperva WAF Cloud
|
||||
8. Cybersecurity Maturity Model Certification CMMC
|
||||
9. Sophos Endpoint Protection
|
||||
|
||||
* If you try to install (Create) a Microsoft Sentinel solution in a CSP subscription for those solutions not yet enabled for CSP Program (not from the list above), you'll encounter the error message 'This offer is not available for subscriptions from Microsoft Azure Cloud Solution Providers'.
|
||||
|
||||
|
|