Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Merge branch 'master' into ubiquiti_data_conn

This commit is contained in:
v-ampami 2021-03-30 13:02:25 +05:30 коммит произвёл GitHub
Родитель ce81a52c0a 34a9f660f0
Коммит f76b6ed5bd
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
449 изменённых файлов: 69702 добавлений и 1443 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

45
.script/tests/KqlvalidationsTests/CustomTables/AppServiceAntivirusScanAuditLogs.json
Просмотреть файл

@ -1,45 +0,0 @@
{
"Name": "AppServiceAntivirusScanAuditLogs",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "TenantId",
"Type": "String"
},
{
"Name": "ScanStatus",
"Type": "String"
},
{
"Name": "TotalFilesScanned",
"Type": "Long"
},
{
"Name": "NumberOfInfectedFiles",
"Type": "Long"
},
{
"Name": "ListOfInfectedFiles",
"Type": "String"
},
{
"Name": "ErrorMessage",
"Type": "String"
},
{
"Name": "SourceSystem",
"Type": "String"
},
{
"Name": "Type",
"Type": "String"
},
{
"Name": "_ResourceId",
"Type": "String"
}
]
}

97
.script/tests/KqlvalidationsTests/CustomTables/AppServiceHTTPLogs.json
Просмотреть файл

@ -1,97 +0,0 @@
{
"Name": "AppServiceHTTPLogs",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Category",
"Type": "string"
},
{
"Name": "CsMethod",
"Type": "string"
},
{
"Name": "CsUriStem",
"Type": "string"
},
{
"Name": "SPort",
"Type": "string"
},
{
"Name": "CIp",
"Type": "string"
},
{
"Name": "UserAgent",
"Type": "string"
},
{
"Name": "CsHost",
"Type": "string"
},
{
"Name": "ScStatus",
"Type": "long"
},
{
"Name": "ScSubStatus",
"Type": "string"
},
{
"Name": "ScWin32Status",
"Type": "string"
},
{
"Name": "ScBytes",
"Type": "long"
},
{
"Name": "CsBytes",
"Type": "long"
},
{
"Name": "TimeTaken",
"Type": "long"
},
{
"Name": "Result",
"Type": "string"
},
{
"Name": "Cookie",
"Type": "string"
},
{
"Name": "CsUriQuery",
"Type": "string"
},
{
"Name": "CsUsername",
"Type": "string"
},
{
"Name": "Referer",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}

245
.script/tests/KqlvalidationsTests/CustomTables/BoxEvents.json Normal file
Просмотреть файл

@ -0,0 +1,245 @@
{
"Name": "BoxEvents",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "AdditionalDetailsAnnotationId",
"Type": "Double"
},
{
"Name": "AdditionalDetailsGroupId",
"Type": "String"
},
{
"Name": "AdditionalDetailsGroupName",
"Type": "String"
},
{
"Name": "SourceUserEmail",
"Type": "String"
},
{
"Name": "AdditionalDetailsCommentId",
"Type": "Double"
},
{
"Name": "AdditionalDetailsMessage",
"Type": "String"
},
{
"Name": "AdditionalDetailsTaskId",
"Type": "Double"
},
{
"Name": "AdditionalDetailsTaskMessage",
"Type": "String"
},
{
"Name": "AdditionalDetailsTaskCreatedById",
"Type": "Double"
},
{
"Name": "AdditionalDetailsTaskCreatedByLogin",
"Type": "String"
},
{
"Name": "AdditionalDetailsTaskAssignmentAssignedToId",
"Type": "Double"
},
{
"Name": "AdditionalDetailsTaskAssignmentAssignedToLogin",
"Type": "String"
},
{
"Name": "AdditionalDetailsTaskAssignmentStatus",
"Type": "String"
},
{
"Name": "AdditionalDetailsTaskAssignmentMessage",
"Type": "String"
},
{
"Name": "SourceFileId",
"Type": "String"
},
{
"Name": "SourceFileName",
"Type": "String"
},
{
"Name": "SourceParentName",
"Type": "String"
},
{
"Name": "SourceItemType",
"Type": "String"
},
{
"Name": "SourceItemId",
"Type": "String"
},
{
"Name": "SourceItemName",
"Type": "String"
},
{
"Name": "SourceParentType",
"Type": "String"
},
{
"Name": "FileDirectory",
"Type": "String"
},
{
"Name": "SourceParentId",
"Type": "String"
},
{
"Name": "SourceOwnedByType",
"Type": "String"
},
{
"Name": "SourceOwnedById",
"Type": "String"
},
{
"Name": "SourceOwnedByName",
"Type": "String"
},
{
"Name": "SourceOwnedByLogin",
"Type": "String"
},
{
"Name": "CreatedByType",
"Type": "String"
},
{
"Name": "SrcUserSid",
"Type": "String"
},
{
"Name": "SrcUserName",
"Type": "String"
},
{
"Name": "SrcUserUpn",
"Type": "String"
},
{
"Name": "EventEndTime",
"Type": "DateTime"
},
{
"Name": "EventId",
"Type": "String"
},
{
"Name": "EventType",
"Type": "String"
},
{
"Name": "SrcIpAddr",
"Type": "String"
},
{
"Name": "BoxType",
"Type": "String"
},
{
"Name": "FileSize",
"Type": "Double"
},
{
"Name": "AdditionalDetailsEkmId",
"Type": "String"
},
{
"Name": "AdditionalDetailsVersionId",
"Type": "String"
},
{
"Name": "AdditionalDetailsServiceId",
"Type": "String"
},
{
"Name": "AdditionalDetailsServiceName",
"Type": "String"
},
{
"Name": "SourceType",
"Type": "String"
},
{
"Name": "SourceId",
"Type": "String"
},
{
"Name": "SourceName",
"Type": "String"
},
{
"Name": "SourceLogin",
"Type": "String"
},
{
"Name": "AdditionalDetailsAccessTokenIdentifier",
"Type": "String"
},
{
"Name": "AdditionalDetailsSharedLinkId",
"Type": "String"
},
{
"Name": "SourceFolderId",
"Type": "String"
},
{
"Name": "SourceFolderName",
"Type": "String"
},
{
"Name": "SourceUserId",
"Type": "String"
},
{
"Name": "SourceUserName",
"Type": "String"
},
{
"Name": "AccessibleByType",
"Type": "String"
},
{
"Name": "AccessibleById",
"Type": "String"
},
{
"Name": "AccessibleByName",
"Type": "String"
},
{
"Name": "AccessibleByLogin",
"Type": "String"
},
{
"Name": "AdditionalDetailsType",
"Type": "String"
},
{
"Name": "AdditionalDetailsCollabId",
"Type": "String"
},
{
"Name": "AdditionalDetailsRole",
"Type": "String"
},
{
"Name": "AdditionalDetailsIsPerformedByAdmin",
"Type": "Boolean"
}
]
}

417
.script/tests/KqlvalidationsTests/CustomTables/Cloudflare_CL.json Normal file
Просмотреть файл

@ -0,0 +1,417 @@
{
"Name": "Cloudflare_CL",
"Properties": [
{
"Name": "BotScore_d",
"Type": "Double"
},
{
"Name": "BotScoreSrc_s",
"Type": "String"
},
{
"Name": "CacheCacheStatus_s",
"Type": "String"
},
{
"Name": "CacheResponseBytes_d",
"Type": "Double"
},
{
"Name": "CacheResponseStatus_d",
"Type": "Double"
},
{
"Name": "CacheTieredFill_b",
"Type": "Bool"
},
{
"Name": "ClientASN_d",
"Type": "Double"
},
{
"Name": "ClientCountry_s",
"Type": "String"
},
{
"Name": "ClientDeviceType_s",
"Type": "String"
},
{
"Name": "ClientIP_s",
"Type": "String"
},
{
"Name": "ClientIPClass_s",
"Type": "String"
},
{
"Name": "ClientRequestBytes_d",
"Type": "Double"
},
{
"Name": "ClientRequestHost_s",
"Type": "String"
},
{
"Name": "ClientRequestMethod_s",
"Type": "String"
},
{
"Name": "ClientRequestPath_s",
"Type": "String"
},
{
"Name": "ClientRequestProtocol_s",
"Type": "String"
},
{
"Name": "ClientRequestReferer_s",
"Type": "String"
},
{
"Name": "ClientRequestURI_s",
"Type": "String"
},
{
"Name": "ClientRequestUserAgent_s",
"Type": "String"
},
{
"Name": "ClientSSLCipher_s",
"Type": "String"
},
{
"Name": "ClientSSLProtocol_s",
"Type": "String"
},
{
"Name": "ClientSrcPort_d",
"Type": "Double"
},
{
"Name": "ClientXRequestedWith_s",
"Type": "String"
},
{
"Name": "EdgeColoCode_s",
"Type": "String"
},
{
"Name": "EdgeColoID_d",
"Type": "Double"
},
{
"Name": "EdgeEndTimestamp_t",
"Type": "DateTime"
},
{
"Name": "EdgePathingOp_s",
"Type": "String"
},
{
"Name": "EdgePathingSrc_s",
"Type": "String"
},
{
"Name": "EdgePathingStatus_s",
"Type": "String"
},
{
"Name": "EdgeRateLimitAction_s",
"Type": "String"
},
{
"Name": "EdgeRateLimitID_d",
"Type": "Double"
},
{
"Name": "EdgeRequestHost_s",
"Type": "String"
},
{
"Name": "EdgeResponseBytes_d",
"Type": "Double"
},
{
"Name": "EdgeResponseCompressionRatio_d",
"Type": "Double"
},
{
"Name": "EdgeResponseContentType_s",
"Type": "String"
},
{
"Name": "EdgeResponseStatus_d",
"Type": "Double"
},
{
"Name": "EdgeServerIP_s",
"Type": "String"
},
{
"Name": "EdgeStartTimestamp_t",
"Type": "DateTime"
},
{
"Name": "FirewallMatchesActions_s",
"Type": "String"
},
{
"Name": "FirewallMatchesRuleIDs_s",
"Type": "String"
},
{
"Name": "FirewallMatchesSources_s",
"Type": "String"
},
{
"Name": "OriginIP_s",
"Type": "String"
},
{
"Name": "OriginResponseBytes_d",
"Type": "Double"
},
{
"Name": "OriginResponseHTTPExpires_s",
"Type": "String"
},
{
"Name": "OriginResponseHTTPLastModified_s",
"Type": "String"
},
{
"Name": "OriginResponseStatus_d",
"Type": "Double"
},
{
"Name": "OriginResponseTime_d",
"Type": "Double"
},
{
"Name": "OriginSSLProtocol_s",
"Type": "String"
},
{
"Name": "ParentRayID_s",
"Type": "String"
},
{
"Name": "RayID_s",
"Type": "String"
},
{
"Name": "SecurityLevel_s",
"Type": "String"
},
{
"Name": "WAFAction_s",
"Type": "String"
},
{
"Name": "WAFFlags_s",
"Type": "String"
},
{
"Name": "WAFMatchedVar_s",
"Type": "String"
},
{
"Name": "WAFProfile_s",
"Type": "String"
},
{
"Name": "WAFRuleID_s",
"Type": "String"
},
{
"Name": "WAFRuleMessage_s",
"Type": "String"
},
{
"Name": "WorkerCPUTime_d",
"Type": "Double"
},
{
"Name": "WorkerStatus_s",
"Type": "String"
},
{
"Name": "WorkerSubrequest_b",
"Type": "Bool"
},
{
"Name": "WorkerSubrequestCount_d",
"Type": "Double"
},
{
"Name": "ZoneID_d",
"Type": "Double"
},
{
"Name": "Application_s",
"Type": "String"
},
{
"Name": "ClientBytes_d",
"Type": "Double"
},
{
"Name": "ClientMatchedIpFirewall_s",
"Type": "String"
},
{
"Name": "ClientPort_d",
"Type": "Double"
},
{
"Name": "ClientProto_s",
"Type": "String"
},
{
"Name": "ClientTcpRtt_d",
"Type": "Double"
},
{
"Name": "ClientTlsCipher_s",
"Type": "String"
},
{
"Name": "ClientTlsClientHelloServerName_s",
"Type": "String"
},
{
"Name": "ClientTlsProtocol_s",
"Type": "String"
},
{
"Name": "ClientTlsStatus_s",
"Type": "String"
},
{
"Name": "ColoCode_s",
"Type": "String"
},
{
"Name": "ConnectTimestamp_t",
"Type": "DateTime"
},
{
"Name": "DisconnectTimestamp_t",
"Type": "DateTime"
},
{
"Name": "Event_s",
"Type": "String"
},
{
"Name": "IpFirewall_b",
"Type": "Bool"
},
{
"Name": "OriginBytes_d",
"Type": "Double"
},
{
"Name": "OriginPort_d",
"Type": "Double"
},
{
"Name": "OriginProto_s",
"Type": "String"
},
{
"Name": "OriginTcpRtt_d",
"Type": "Double"
},
{
"Name": "OriginTlsCipher_s",
"Type": "String"
},
{
"Name": "OriginTlsFingerprint_s",
"Type": "String"
},
{
"Name": "OriginTlsMode_s",
"Type": "String"
},
{
"Name": "OriginTlsProtocol_s",
"Type": "String"
},
{
"Name": "OriginTlsStatus_s",
"Type": "String"
},
{
"Name": "ProxyProtocol_s",
"Type": "String"
},
{
"Name": "Status_d",
"Type": "Double"
},
{
"Name": "Timestamp_t",
"Type": "DateTime"
},
{
"Name": "Action_s",
"Type": "String"
},
{
"Name": "ClientASNDescription_s",
"Type": "String"
},
{
"Name": "ClientRefererHost_s",
"Type": "String"
},
{
"Name": "ClientRefererPath_s",
"Type": "String"
},
{
"Name": "ClientRefererQuery_s",
"Type": "String"
},
{
"Name": "ClientRefererScheme_s",
"Type": "String"
},
{
"Name": "ClientRequestQuery_s",
"Type": "String"
},
{
"Name": "ClientRequestScheme_s",
"Type": "String"
},
{
"Name": "Datetime_t",
"Type": "DateTime"
},
{
"Name": "Kind_s",
"Type": "String"
},
{
"Name": "MatchIndex_d",
"Type": "Double"
},
{
"Name": "OriginatorRayID_s",
"Type": "String"
},
{
"Name": "RuleID_s",
"Type": "String"
},
{
"Name": "Source_s",
"Type": "String"
}
]
}

2017
.script/tests/KqlvalidationsTests/CustomTables/CrowdstrikeReplicator Normal file
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

189
.script/tests/KqlvalidationsTests/CustomTables/Exabeam.json Normal file
Просмотреть файл

@ -0,0 +1,189 @@
{
"Name": "ExabeamEvent",
"Properties": [
{
"Name": "EventVendor",
"Type": "String"
},
{
"Name": "Service",
"Type": "String"
},
{
"Name": "Status",
"Type": "String"
},
{
"Name": "Id",
"Type": "String"
},
{
"Name": "UrlOriginal",
"Type": "String"
},
{
"Name": "EntityValue",
"Type": "String"
},
{
"Name": "Score",
"Type": "String"
},
{
"Name": "SequenceType",
"Type": "String"
},
{
"Name": "EventStartTime",
"Type": "DateTime"
},
{
"Name": "EventEndTime",
"Type": "DateTime"
},
{
"Name": "SrcUserName",
"Type": "String"
},
{
"Name": "SrcDvcHostname",
"Type": "String"
},
{
"Name": "SrcIpAddr",
"Type": "String"
},
{
"Name": "Labels",
"Type": "String"
},
{
"Name": "Accounts",
"Type": "String"
},
{
"Name": "AssetsCount",
"Type": "String"
},
{
"Name": "Assets",
"Type": "String"
},
{
"Name": "Zones",
"Type": "String"
},
{
"Name": "TopReasons",
"Type": "String"
},
{
"Name": "ReasonsCount",
"Type": "String"
},
{
"Name": "EventsCount",
"Type": "String"
},
{
"Name": "AlertsCount",
"Type": "String"
},
{
"Name": "AssetLabels",
"Type": "String"
},
{
"Name": "AssetLocations",
"Type": "String"
},
{
"Name": "TopUsers",
"Type": "String"
},
{
"Name": "AssetHostname",
"Type": "String"
},
{
"Name": "AssetIpAddress",
"Type": "String"
},
{
"Name": "DstDvcHostname",
"Type": "String"
},
{
"Name": "DstIpAddr",
"Type": "String"
},
{
"Name": "EventTime",
"Type": "DateTime"
},
{
"Name": "EventType",
"Type": "String"
},
{
"Name": "DvcHostname",
"Type": "String"
},
{
"Name": "Domain",
"Type": "String"
},
{
"Name": "Raw",
"Type": "String"
},
{
"Name": "RuleId",
"Type": "String"
},
{
"Name": "RuleName",
"Type": "String"
},
{
"Name": "RuleDescription",
"Type": "String"
},
{
"Name": "App",
"Type": "String"
},
{
"Name": "EventSubType",
"Type": "String"
},
{
"Name": "Activity",
"Type": "String"
},
{
"Name": "AdditionalInfo",
"Type": "String"
},
{
"Name": "JobStatus",
"Type": "String"
},
{
"Name": "JobDetails",
"Type": "String"
},
{
"Name": "JobId",
"Type": "String"
},
{
"Name": "CreatedBy",
"Type": "String"
},
{
"Name": "Timestamp",
"Type": "DateTime"
}
]
}

6
.script/tests/KqlvalidationsTests/CustomTables/InfobloxNIOS.json
Просмотреть файл

@ -20,6 +20,10 @@
{
"Name": "Client_IP",
"Type": "String"
},
{
"Name": "ServerIP",
"Type": "String"
}
]
}
}

313
.script/tests/KqlvalidationsTests/CustomTables/Mcafee_ePO.json Normal file
Просмотреть файл

@ -0,0 +1,313 @@
{
"Name": "McAfeeEPOEvent",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "GmtTime",
"Type": "DateTime"
},
{
"Name": "EventVendor",
"Type": "String"
},
{
"Name": "EventProduct",
"Type": "String"
},
{
"Name": "EventId",
"Type": "String"
},
{
"Name": "EventSeverity",
"Type": "String"
},
{
"Name": "AgentGuid",
"Type": "String"
},
{
"Name": "DvcHostname",
"Type": "String"
},
{
"Name": "DvcIpAddr",
"Type": "String"
},
{
"Name": "DvcMacAddr",
"Type": "String"
},
{
"Name": "AgentVersion",
"Type": "String"
},
{
"Name": "SrcDvcOs",
"Type": "String"
},
{
"Name": "SrcUserName",
"Type": "String"
},
{
"Name": "TimeZoneBias",
"Type": "String"
},
{
"Name": "ProductName",
"Type": "String"
},
{
"Name": "ProductFamily",
"Type": "String"
},
{
"Name": "ProductVersion",
"Type": "String"
},
{
"Name": "Analyzer",
"Type": "String"
},
{
"Name": "AnalyzerName",
"Type": "String"
},
{
"Name": "AnalyzerVersion",
"Type": "String"
},
{
"Name": "AnalyzerHostName",
"Type": "String"
},
{
"Name": "AnalyzerDatVersion",
"Type": "String"
},
{
"Name": "AnalyzerEngineVersion",
"Type": "String"
},
{
"Name": "AnalyzerDetectionMethod",
"Type": "String"
},
{
"Name": "ThreatName",
"Type": "String"
},
{
"Name": "ThreatType",
"Type": "String"
},
{
"Name": "ThreatCategory",
"Type": "String"
},
{
"Name": "ThreatId",
"Type": "String"
},
{
"Name": "ThreatHandled",
"Type": "String"
},
{
"Name": "ThreatActionTaken",
"Type": "String"
},
{
"Name": "ThreatSeverity",
"Type": "String"
},
{
"Name": "SrcUserUpn",
"Type": "String"
},
{
"Name": "SrcProcessName",
"Type": "String"
},
{
"Name": "DstDvcHostname",
"Type": "String"
},
{
"Name": "DstUserName",
"Type": "String"
},
{
"Name": "TargetProcessName",
"Type": "String"
},
{
"Name": "DstFileName",
"Type": "String"
},
{
"Name": "Target",
"Type": "String"
},
{
"Name": "BladeName",
"Type": "String"
},
{
"Name": "AnalyzerContentVersion",
"Type": "String"
},
{
"Name": "AnalyzerContentCreationDate",
"Type": "String"
},
{
"Name": "AnalyzerRuleName",
"Type": "String"
},
{
"Name": "AnalyzerRuleId",
"Type": "String"
},
{
"Name": "AnalyzerGtiQuery",
"Type": "String"
},
{
"Name": "ThreatDetectedOnCreation",
"Type": "String"
},
{
"Name": "DstFileSize",
"Type": "String"
},
{
"Name": "DstFileModifiedTime",
"Type": "DateTime"
},
{
"Name": "DstFileAccessedTime",
"Type": "DateTime"
},
{
"Name": "DstFileCreationTime",
"Type": "DateTime"
},
{
"Name": "Cleanable",
"Type": "String"
},
{
"Name": "TaskName",
"Type": "String"
},
{
"Name": "FirstAttemptedAction",
"Type": "String"
},
{
"Name": "FirstActionStatus",
"Type": "String"
},
{
"Name": "SecondAttemptedAction",
"Type": "String"
},
{
"Name": "SecondActionStatus",
"Type": "String"
},
{
"Name": "ApiName",
"Type": "String"
},
{
"Name": "SourceDescription",
"Type": "String"
},
{
"Name": "SrcProcessId",
"Type": "String"
},
{
"Name": "SrcProcessHashMd5",
"Type": "String"
},
{
"Name": "AttackVectorType",
"Type": "String"
},
{
"Name": "DurationBeforeDetection",
"Type": "String"
},
{
"Name": "AccessRequested",
"Type": "String"
},
{
"Name": "DetectionMessage",
"Type": "String"
},
{
"Name": "AmCoreContentVersion",
"Type": "String"
},
{
"Name": "SrcIpAddr",
"Type": "String"
},
{
"Name": "SrcMacAddr",
"Type": "String"
},
{
"Name": "DstIpAddr",
"Type": "String"
},
{
"Name": "DstMacAddr",
"Type": "String"
},
{
"Name": "ProductId",
"Type": "String"
},
{
"Name": "Locale",
"Type": "String"
},
{
"Name": "Error",
"Type": "String"
},
{
"Name": "Type",
"Type": "String"
},
{
"Name": "Version",
"Type": "String"
},
{
"Name": "InitiatorId",
"Type": "String"
},
{
"Name": "InitiatorType",
"Type": "String"
},
{
"Name": "SiteName",
"Type": "String"
},
{
"Name": "Description",
"Type": "String"
}
]
}

97
.script/tests/KqlvalidationsTests/CustomTables/OracleDatabaseAudit.json Normal file
Просмотреть файл

@ -0,0 +1,97 @@
{
"Name": "OracleDatabaseAuditEvent",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "EventVendor",
"Type": "String"
},
{
"Name": "SeverityLevel",
"Type": "String"
},
{
"Name": "MessageLength",
"Type": "String"
},
{
"Name": "Action",
"Type": "String"
},
{
"Name": "ActionLength",
"Type": "String"
},
{
"Name": "DbAction",
"Type": "String"
},
{
"Name": "DstUserName",
"Type": "String"
},
{
"Name": "Privilege",
"Type": "String"
},
{
"Name": "SrcUserName",
"Type": "String"
},
{
"Name": "ClientTerminal",
"Type": "String"
},
{
"Name": "Status",
"Type": "String"
},
{
"Name": "DbId",
"Type": "String"
},
{
"Name": "SessionId",
"Type": "String"
},
{
"Name": "EntryId",
"Type": "String"
},
{
"Name": "Statement",
"Type": "String"
},
{
"Name": "SrcDvcHostname",
"Type": "String"
},
{
"Name": "SrcIpAddr",
"Type": "String"
},
{
"Name": "SrcPortNumber",
"Type": "String"
},
{
"Name": "ReturnCode",
"Type": "String"
},
{
"Name": "ObjCreator",
"Type": "String"
},
{
"Name": "ObjName",
"Type": "String"
},
{
"Name": "OsUserId",
"Type": "String"
}
]
}

6
.script/tests/KqlvalidationsTests/CustomTables/PulseConnectSecure.json
Просмотреть файл

@ -16,6 +16,10 @@
{
"Name": "Computer",
"Type": "String"
},
{
"Name": "Source_IP",
"Type": "String"
}
]
}
}

121
.script/tests/KqlvalidationsTests/CustomTables/SenservaPro_CL.json Normal file
Просмотреть файл

@ -0,0 +1,121 @@
{
"Name": "SenservaPro_CL",
"Properties": [
{
"Name": "Computer",
"Type": "String"
},
{
"Name": "ControlName_s",
"Type": "String"
},
{
"Name": "Date_t",
"Type": "DateTime"
},
{
"Name": "Description_s",
"Type": "String"
},
{
"Name": "Errors_s",
"Type": "String"
},
{
"Name": "Group_s",
"Type": "String"
},
{
"Name": "Id_d",
"Type": "Real"
},
{
"Name": "RawData",
"Type": "String"
},
{
"Name": "Reference_s",
"Type": "String"
},
{
"Name": "Severity",
"Type": "Int"
},
{
"Name": "Tenant_AppendBlobUri_s",
"Type": "String"
},
{
"Name": "Tenant_BestAzureLicenseFound_d",
"Type": "Real"
},
{
"Name": "Tenant_BlockBlobUri_s",
"Type": "String"
},
{
"Name": "Tenant_CustomerVaultUrl_s",
"Type": "String"
},
{
"Name": "Tenant_EventHubNamespaceConnectionString_s",
"Type": "String"
},
{
"Name": "Tenant_EventHubName_s",
"Type": "String"
},
{
"Name": "Tenant_Installed_s",
"Type": "String"
},
{
"Name": "Tenant_Installed_t",
"Type": "DateTime"
},
{
"Name": "Tenant_SenservaVersion_d",
"Type": "Real"
},
{
"Name": "Tenant_TenantDisplayName_s",
"Type": "String"
},
{
"Name": "Tenant_TenantId_g",
"Type": "String"
},
{
"Name": "Tenant_TenantId_s",
"Type": "String"
},
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "Type",
"Type": "String"
},
{
"Name": "Value_s",
"Type": "String"
},
{
"Name": "Weight_d",
"Type": "Real"
},
{
"Name": "_ResourceId",
"Type": "String"
},
{
"Name": "_SubscriptionId",
"Type": "String"
},
{
"Name": "Tenant_ExportWorkspaceDisplayName_s",
"Type": "String"
}
]
}

285
.script/tests/KqlvalidationsTests/CustomTables/SlackAudit.json Normal file
Просмотреть файл

@ -0,0 +1,285 @@
{
"Name":"SlackAudit",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "Datetime"
},
{
"Name": "Action",
"Type": "String"
},
{
"Name": "EventVendor",
"Type": "String"
},
{
"Name": "EventProduct",
"Type": "String"
},
{
"Name": "DetailsMobileOnly",
"Type": "Bool"
},
{
"Name": "DetailsWebOnly",
"Type": "Bool"
},
{
"Name": "DetailsKickerId",
"Type": "String"
},
{
"Name": "DetailsKickerName",
"Type": "String"
},
{
"Name": "DetailsKickerEmail",
"Type": "String"
},
{
"Name": "DetailsKickerTeam",
"Type": "String"
},
{
"Name": "DetailsAppOwnerId",
"Type": "String"
},
{
"Name": "DetailsGranularBotToken",
"Type": "Bool"
},
{
"Name": "DetailsNewScopes",
"Type": "String"
},
{
"Name": "DetailsPreviousScopes",
"Type": "String"
},
{
"Name": "EntityUsergroupId",
"Type": "String"
},
{
"Name": "EntityUsergroupName",
"Type": "String"
},
{
"Name": "DetailsKickerType",
"Type": "String"
},
{
"Name": "DetailsKickerUserId",
"Type": "String"
},
{
"Name": "DetailsKickerUserName",
"Type": "String"
},
{
"Name": "DetailsKickerUserEmail",
"Type": "String"
},
{
"Name": "DetailsKickerUserTeam",
"Type": "String"
},
{
"Name": "DetailsInviterId",
"Type": "String"
},
{
"Name": "DetailsInviterName",
"Type": "String"
},
{
"Name": "DetailsInviterEmail",
"Type": "String"
},
{
"Name": "DetailsInviterTeam",
"Type": "String"
},
{
"Name": "DetailsInviterType",
"Type": "String"
},
{
"Name": "DetailsInviterUserId",
"Type": "String"
},
{
"Name": "DetailsInviterUserName",
"Type": "String"
},
{
"Name": "DetailsInviterUserEmail",
"Type": "String"
},
{
"Name": "DetailsInviterUserTeam",
"Type": "String"
},
{
"Name": "DetailsIsWorkflow",
"Type": "Bool"
},
{
"Name": "EntityAppId",
"Type": "String"
},
{
"Name": "EntityAppName",
"Type": "String"
},
{
"Name": "EntityAppIsDistributed",
"Type": "Bool"
},
{
"Name": "EntityAppIsDirectoryApproved",
"Type": "Bool"
},
{
"Name": "EntityAppIsWorkflowApp",
"Type": "Bool"
},
{
"Name": "EntityAppScopes",
"Type": "String"
},
{
"Name": "DetailsIsInternalIntegration",
"Type": "Bool"
},
{
"Name": "DetailsBotScopes",
"Type": "String"
},
{
"Name": "EntityChannelId",
"Type": "String"
},
{
"Name": "EntityChannelPrivacy",
"Type": "String"
},
{
"Name": "EntityChannelName",
"Type": "String"
},
{
"Name": "EntityChannelIsShared",
"Type": "Bool"
},
{
"Name": "EntityChannelIsOrgShared",
"Type": "Bool"
},
{
"Name": "DetailsType",
"Type": "String"
},
{
"Name": "EntityUserId",
"Type": "String"
},
{
"Name": "EntityUserName",
"Type": "String"
},
{
"Name": "EntityUserEmail",
"Type": "String"
},
{
"Name": "EntityUserTeam",
"Type": "String"
},
{
"Name": "EventId",
"Type": "String"
},
{
"Name": "EventEndTime",
"Type": "Double"
},
{
"Name": "DvcAction",
"Type": "String"
},
{
"Name": "ActorType",
"Type": "String"
},
{
"Name": "SrcUserIdentity",
"Type": "String"
},
{
"Name": "SrcUserName",
"Type": "String"
},
{
"Name": "SrcUserEmail",
"Type": "String"
},
{
"Name": "ActorUserTeam",
"Type": "String"
},
{
"Name": "EntityType",
"Type": "String"
},
{
"Name": "EntityFileId",
"Type": "String"
},
{
"Name": "EntityFileName",
"Type": "String"
},
{
"Name": "EntityFileFiletype",
"Type": "String"
},
{
"Name": "EntityFileTitle",
"Type": "String"
},
{
"Name": "context_location_type_s",
"Type": "String"
},
{
"Name": "ContextLocationId",
"Type": "String"
},
{
"Name": "ContextLocationName",
"Type": "String"
},
{
"Name": "ContextLocationDomain",
"Type": "String"
},
{
"Name": "UserAgentOriginal",
"Type": "String"
},
{
"Name": "SrcIpAddr",
"Type": "String"
},
{
"Name": "ContextSessionId",
"Type": "Double"
},
{
"Name": "DvcActionDesc",
"Type": "String"
}
]
}

173
.script/tests/KqlvalidationsTests/CustomTables/Zoom_CL.json Normal file
Просмотреть файл

@ -0,0 +1,173 @@
{
"Name":"Zoom",
"Properties":[
{
"Name":"EventVendor",
"Type":"String"
},
{
"Name":"EventProduct",
"Type":"String"
},
{
"Name":"TimeGenerated",
"Type":"DateTime"
},
{
"Name":"EventDay",
"Type":"String"
},
{
"Name":"Date",
"Type":"String"
},
{
"Name":"NewUsersCount",
"Type":"Double"
},
{
"Name":"MeetingsCount",
"Type":"Double"
},
{
"Name":"ParticipantsCount",
"Type":"Double"
},
{
"Name":"MeetingMinutes",
"Type":"Double"
},
{
"Name":"EventType",
"Type":"String"
},
{
"Name":"EventName",
"Type":"String"
},
{
"Name":"EventMessage",
"Type":"String"
},
{
"Name":"Id",
"Type":"String"
},
{
"Name":"UserIdentity",
"Type":"String"
},
{
"Name":"Email",
"Type":"String"
},
{
"Name":"UserEmail",
"Type":"String"
},
{
"Name":"UserName",
"Type":"String"
},
{
"Name":"UserType",
"Type":"Double"
},
{
"Name":"Dept",
"Type":"String"
},
{
"Name":"Department",
"Type":"String"
},
{
"Name":"LastClientVersion",
"Type":"String"
},
{
"Name":"LastLoginTime",
"Type":"DateTime"
},
{
"Name":"EventEndTime",
"Type":"DateTime"
},
{
"Name":"EventCategoryType",
"Type":"String"
},
{
"Name":"CreateTime",
"Type":"DateTime"
},
{
"Name":"EventCreationTime",
"Type":"DateTime"
},
{
"Name":"Usage",
"Type":"String"
},
{
"Name":"PlanUsage",
"Type":"String"
},
{
"Name":"FreeUsage",
"Type":"String"
},
{
"Name":"Time",
"Type":"DateTime"
},
{
"Name":"Operator",
"Type":"String"
},
{
"Name":"CategoryType",
"Type":"String"
},
{
"Name":"Action",
"Type":"String"
},
{
"Name":"OperationDetail",
"Type":"String"
},
{
"Name":"EventOriginalMessage",
"Type":"String"
},
{
"Name":"EventResult",
"Type":"String"
},
{
"Name":"IpAddress",
"Type":"String"
},
{
"Name":"SrcIpAddr",
"Type":"String"
},
{
"Name":"ClientType",
"Type":"String"
},
{
"Name":"SrcDvcModelName",
"Type":"String"
},
{
"Name":"Version",
"Type":"String"
},
{
"Name":"SrcDvcModelNumber",
"Type":"String"
}
]
}

32
.script/tests/KqlvalidationsTests/KqlValidationTests.cs
Просмотреть файл

@ -39,8 +39,6 @@ namespace Kqlvalidations.Tests
return;
}
var lines = Regex.Split(queryStr, @"\n\r?");
var validationRes = _queryValidator.ValidateSyntax(queryStr);
var firstErrorLocation = (Line: 0, Col: 0);
if (!validationRes.IsValid)
@ -49,6 +47,36 @@ namespace Kqlvalidations.Tests
}
Assert.True(validationRes.IsValid, validationRes.IsValid ? string.Empty : $"Template Id:{id} is not valid in Line:{firstErrorLocation.Line} col:{firstErrorLocation.Col} Errors:{validationRes.Diagnostics.Select(d => d.ToString()).ToList().Aggregate((s1, s2) => s1 + "," + s2)}");
}
[Theory]
[ClassData(typeof(DetectionsYamlFilesTestData))]
public void Validate_DetectionQueries_SkippedTemplatesDoNotHaveValidKql(string detectionsYamlFileName)
{
var detectionsYamlFile = Directory.GetFiles(DetectionPath, detectionsYamlFileName, SearchOption.AllDirectories).Single();
var yaml = File.ReadAllText(detectionsYamlFile);
var deserializer = new DeserializerBuilder().Build();
var res = deserializer.Deserialize<dynamic>(yaml);
string queryStr = res["query"];
string id = res["id"];
//Templates that are in the skipped templates should not pass the validateion (if they pass, why skip?)
if (TemplatesToSkipValidationReader.WhiteListTemplateIds.Contains(id))
{
var validationRes = _queryValidator.ValidateSyntax(queryStr);
var firstErrorLocation = (Line: 0, Col: 0);
if (!validationRes.IsValid)
{
firstErrorLocation = GetLocationInQuery(queryStr, validationRes.Diagnostics.First(d => d.Severity == "Error").Start);
}
Assert.False(validationRes.IsValid, $"Template Id:{id} is valid but it is in the skipped validation templates. Please remove it from the templates that are skipped since it is valid.");
}
else
{
return;
}
}
private (int Line, int Col) GetLocationInQuery(string queryStr, int pos)
{

2
.script/tests/KqlvalidationsTests/Kqlvalidations.Tests.csproj
Просмотреть файл

@ -12,7 +12,7 @@
<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
</PackageReference>
<PackageReference Include="YamlDotNet" Version="6.0.0" />
<PackageReference Include="Microsoft.Azure.Sentinel.KustoServices" Version="1.0.11" />
<PackageReference Include="Microsoft.Azure.Sentinel.KustoServices" Version="1.0.12" />
</ItemGroup>
</Project>

Двоичные данные
.script/tests/KqlvalidationsTests/Microsoft.Azure.Sentinel.KustoServices.1.0.11.nupkg
Просмотреть файл

Двоичный файл не отображается.

13
.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json
Просмотреть файл

@ -1,20 +1,11 @@
[
"34663177-8abf-4db1-b0a4-5683ab273f44",
"24f8c234-d1ff-40ec-8b73-96b17a3a9c1c",
"7249500f-3038-4b83-8549-9cd8dfa2d498",
"06a9b845-6a95-4432-a78b-83919b28c375",
"04384937-e927-4595-8f3c-89ff58ed231f",
"0914adab-90b5-47a3-a79f-7cdcac843aa7",
"155f40c6-610d-497d-85fc-3cf06ec13256",
"f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e",
"d6491be0-ab2d-439d-95d6-ad8ea39277c5",
"57e56fc9-417a-4f41-a579-5475aea7b8ce",
"a9956d3a-07a9-44a6-a279-081a85020cae",
"aac495a9-feb1-446d-b08e-a1164a539452",
"f2dd4a3a-ebac-4994-9499-1a859938c947",
"97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06",
"f041e01d-840d-43da-95c8-4188f6cef546",
"a4025a76-6490-4e6b-bb69-d02be4b03f07",
"e70fa6e0-796a-4e85-9420-98b17b0bb749",
"6d7214d9-4a28-44df-aafb-0910b9e6ae3e"
]
"e70fa6e0-796a-4e85-9420-98b17b0bb749"
]

Двоичные данные
.script/tests/KqlvalidationsTests/microsoft.azure.sentinel.kustoservices.1.0.12.nupkg Normal file
Просмотреть файл

Двоичный файл не отображается.

27
.script/tests/detectionTemplateSchemaValidation/DetectionTemplateSchemaValidationTests.cs
Просмотреть файл

@ -67,6 +67,33 @@ namespace Kqlvalidations.Tests
var isValid = connectorIds.Count() == 0;
Assert.True(isValid, isValid ? string.Empty : $"Template Id:'{id}' doesn't have valid connectorIds:'{string.Join(",", connectorIds)}'. If a new connector is used and already configured in the Portal, please add it's Id to the list in 'ValidConnectorIds.json' file.");
}
[Fact]
public void Validate_DetectionTemplates_AllFilesAreYamls()
{
string detectionPath = DetectionsYamlFilesTestData.GetDetectionPath();
var yamlFiles = Directory.GetFiles(detectionPath, "*.yaml", SearchOption.AllDirectories).ToList();
var AllFiles = Directory.GetFiles(detectionPath,"*", SearchOption.AllDirectories).ToList();
var numberOfNotYamlFiles = 1; //This is the readme.md file in the directory
Assert.True(AllFiles.Count == yamlFiles.Count + numberOfNotYamlFiles, "All the files in detections folder are supposed to end with .yaml");
}
[Fact]
public void Validate_DetectionTemplates_NoSameTemplateIdTwice()
{
string detectionPath = DetectionsYamlFilesTestData.GetDetectionPath();
var yamlFiles = Directory.GetFiles(detectionPath, "*.yaml", SearchOption.AllDirectories);
var templatesAsStrings = yamlFiles.Select(yaml => GetYamlFileAsString(Path.GetFileName(yaml)));
var templatesAsObjects = templatesAsStrings.Select(yaml => JObject.Parse(ConvertYamlToJson(yaml)));
var duplicationsById = templatesAsObjects.GroupBy(a => a["id"]).Where(group => group.Count() > 1); //Finds duplications -> ids that there are more than 1 template from
var duplicatedId = "";
if (duplicationsById.Count() > 0){
duplicatedId = duplicationsById.Last().Select(x => x["id"]).First().ToString();
}
Assert.True(duplicationsById.Count() == 0, $"There should not be 2 templates with the same ID, but the id {duplicatedId} is duplicated.");
}
private string GetYamlFileAsString(string detectionsYamlFileName)
{

5
.script/tests/detectionTemplateSchemaValidation/Models/AttackTactic.cs
Просмотреть файл

@ -2,8 +2,6 @@
{
public enum AttackTactic
{
Reconnaissance,
ResourceDevelopment,
InitialAccess,
Execution,
Persistence,
@ -15,6 +13,7 @@
Collection,
Exfiltration,
CommandAndControl,
Impact
Impact,
PreAttack
}
}

6
.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
Просмотреть файл

@ -23,6 +23,7 @@
"BetterMTD",
"BeyondSecuritybeSECURE",
"BlackberryCylancePROTECT",
"BoxDataConnector",
"BroadcomSymantecDLP",
"CEF",
"CheckPoint",
@ -34,6 +35,8 @@
"CiscoUmbrellaDataConnector",
"Citrix",
"CitrixWAF",
"CloudflareDataConnector",
"Corelight",
"CyberArk",
"CyberpionSecurityLogs",
"Darktrace",
@ -57,6 +60,7 @@
"InfobloxNIOS",
"IoT",
"JuniperSRX",
"McAfeeePO",
"MicrosoftCloudAppSecurity",
"MicrosoftDefenderAdvancedThreatProtection",
"MicrosoftThreatIntelligence",
@ -79,6 +83,8 @@
"QualysVulnerabilityManagement",
"SalesforceServiceCloud",
"SecurityEvents",
"SenservaPro",
"SlackAuditAPI",
"SonicWallFirewall",
"SophosCloudOptix",
"SophosXGFirewall",

2
CODEOWNERS
Просмотреть файл

@ -3,7 +3,7 @@
# the last matching pattern has the most precendence.
# Core team members
* @liemilyg @mgladi @orco365 @shalinoid @KobyKoren @shainw @ianhelle @timbMSFT @juliango2100 @dicolanl @Amitbergman @sagamzu @YaronFruchtmann @preetikr @Yaniv-Shasha @sarah-yo @nazang @ehudk-msft @oshvartz @Liatlishams @NoamLandress @laithhisham @petebryan
* @liemilyg @mgladi @orco365 @shalinoid @KobyKoren @shainw @ianhelle @timbMSFT @juliango2100 @dicolanl @Amitbergman @sagamzu @YaronFruchtmann @preetikr @Yaniv-Shasha @sarah-yo @nazang @ehudk-msft @oshvartz @Liatlishams @NoamLandress @laithhisham @petebryan @lior-tamir
# This is copied from here: https://help.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners

4
DataConnectors/AIA-Darktrace.json
Просмотреть файл

@ -1,5 +1,5 @@
{
"id": "DarktraceDarktrace",
"id": "Darktrace",
"title": "AI Analyst Darktrace",
"publisher": "Darktrace",
"descriptionMarkdown": "The Darktrace connector lets users connect Darktrace Model Breaches in real-time with Azure Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Azure Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats.",
@ -111,4 +111,4 @@
"description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)"
}
]
}
}

18
DataConnectors/AIVectraDetect.json
Просмотреть файл

@ -122,5 +122,21 @@
"title": "4. Secure your machine ",
"description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)"
}
]
],
"metadata": {
"id": "2de7b355-5f0b-4eb1-a264-629314ef86e5",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "community"
},
"author": {
"name": "Vectra AI"
},
"support": {
"name": "Vectra AI",
"link": "https://www.vectra.ai/support",
"tier": "developer"
}
}
}

18
DataConnectors/Agari/Agari_API_FunctionApp.json
Просмотреть файл

@ -168,5 +168,21 @@
"title": "",
"description": "**5. Complete Setup.**\n\n1. Once all application settings have been entered, click **Save**. Note that it will take some time to have the required dependencies download, so you may see some inital failure messages."
}
]
],
"metadata" : {
"id": "152fa8d4-b84b-4370-8317-b63ed52f9fe3",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "community"
},
"author": {
"name": "Agari"
},
"support": {
"name": "Agari",
"link": "https://support.agari.com/hc/en-us/articles/360000645632-How-to-access-Agari-Support",
"tier": "developer"
}
}
}

328
DataConnectors/AlsidForAD.json
Просмотреть файл

@ -1,156 +1,172 @@
{
"id": "AlsidForAD",
"title": "Alsid for Active Directory",
"publisher": "Alsid",
"descriptionMarkdown": "Alsid for Active Directory connector allows to export Alsid Indicators of Exposures, trailflow and Indicators of Attacks logs to Azure Sentinel in real time.\nIt provides a data parser to manipulate the logs more easily. The different workbooks ease your Active Directory monitoring and provide different ways to visualize the data. The analytic templates allow to automate responses regarding different events, exposures, or attacks.",
"additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected. Follow the steps to use this Kusto Function alias **afad_parser** in queries and workbooks. [Follow steps to get this Kusto Function>](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/Alsid/afad_parser.kql) ",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "AlsidForADLog_CL",
"baseQuery": "AlsidForADLog_CL"
}
],
"sampleQueries": [
{
"description" : "Get the number of alerts triggered by each IoE",
"query": "afad_parser\n | where MessageType == 0\n | summarize AlertCount = count() by Codename"
},
{
"description" : "Get all IoE alerts with severity superior to the threshold",
"query" : "let threshold = 2;\n let SeverityTable=datatable(Severity:string,Level:int) [\n \"low\", 1,\n \"medium\", 2,\n \"high\", 3,\n \"critical\", 4\n ];\n afad_parser\n | where MessageType == 0\n | lookup kind=leftouter SeverityTable on Severity\n | where Level >= ['threshold']"
},
{
"description" : "Get all IoE alerts for the last 24 hours",
"query" : "afad_parser\r\n| where MessageType == 0 and TimeGenerated > ago(1d)"
},
{
"description" : "Get all IoE alerts for the last 7 days",
"query" : "afad_parser\r\n| where MessageType == 0 and TimeGenerated > ago(7d)"
},
{
"description" : "Get all IoE alerts for the last 30 days",
"query" : "afad_parser\r\n| where MessageType == 0 and TimeGenerated > ago(30d)"
},
{
"description" : "Get all trailflow changes for the last 24 hours",
"query" : "afad_parser\r\n| where MessageType == 1 and TimeGenerated > ago(1d)"
},
{
"description" : "Get all trailflow changes for the last 7 days",
"query" : "afad_parser\r\n| where MessageType == 1 and TimeGenerated > ago(7d)"
}
],
"dataTypes": [
{
"name": "AlsidForADLog_CL",
"lastDataReceivedQuery": "AlsidForADLog_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"AlsidForADLog_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
]
},
"instructionSteps": [
{
"title": "",
"description": ">This data connector depends on a parser based on a Kusto Function to work as expected. [Follow these steps](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/Alsid/afad_parser.kql) to create the Kusto Functions alias, **afad_parser**",
"instructions": [
]
},
{
"title": "1. Configure the Syslog server",
"description": "You will first need a **linux Syslog** server that Alsid for AD will send logs to. Typically you can run **rsyslog** on **Ubuntu**.\n You can then configure this server as you wish but it is recommended to be able to output AFAD logs in a separate file."
},
{
"title": "2. Configure Alsid to send logs to your Syslog server",
"description": "On your **Alsid for AD** portal, go to *System*, *Configuration* and then *Syslog*.\nFrom there you can create a new Syslog alert toward your Syslog server.\n\nOnce this is done, check that the logs are correctly gathered on your server in a separate file (to do this, you can use the *Test the configuration* button in the Syslog alert configuration in AFAD)."
},
{
"title": "3. Install and onboard the Microsoft agent for Linux",
"description": "",
"instructions": [
{
"parameters": {
"title": "Choose where to install the agent:",
"instructionSteps": [
{
"title": "Install agent on Azure Linux Virtual Machine",
"description": "Select the machine to install the agent on and then click **Connect**.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnLinuxVirtualMachine"
},
"type": "InstallAgent"
}
]
},
{
"title": "Install agent on a non-Azure Linux Machine",
"description": "Download the agent on the relevant machine and follow the instructions.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnLinuxNonAzure"
},
"type": "InstallAgent"
}
]
}
]
},
"type": "InstructionStepsGroup"
}
]
},
{
"title": "4. Configure the logs to be collected by the agents",
"description": "Configure the agent to collect the logs.\n\n1. Under workspace advanced settings **Configuration**, select **Data** and then **Custom Logs**.\n2. Select **Apply below configuration to my machines** and click **Add**.\n4. Upload a sample AFAD Syslog file from the **Linux** machine running the **Syslog** server and click **Next**.\n5. Set the record delimiter to **New Line** if not already the case and click **Next**.\n6. Select **Linux** and enter the file path to the **Syslog** file, click **+** then **Next**.\n7. In the Name field type *AlsidForADLog* before the _CL suffix, then click **Done**.\n\nAll of theses steps are showcased [here](https://www.youtube.com/watch?v=JwV1uZSyXM4&feature=youtu.be) as an example",
"instructions": [
{
"parameters": {
"linkType": "OpenAdvancedWorkspaceSettings"
},
"type": "InstallAgent"
}
]
},
{
"title": "",
"description": "> You should now be able to receive logs in the *AlsidForADLog_CL* table, logs data can be parse using the **afad_parser()** function, used by all query samples, workbooks and analytic templates."
}
]
}
{
"id": "AlsidForAD",
"title": "Alsid for Active Directory",
"publisher": "Alsid",
"descriptionMarkdown": "Alsid for Active Directory connector allows to export Alsid Indicators of Exposures, trailflow and Indicators of Attacks logs to Azure Sentinel in real time.\nIt provides a data parser to manipulate the logs more easily. The different workbooks ease your Active Directory monitoring and provide different ways to visualize the data. The analytic templates allow to automate responses regarding different events, exposures, or attacks.",
"additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected. Follow the steps to use this Kusto Function alias **afad_parser** in queries and workbooks. [Follow steps to get this Kusto Function>](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/Alsid/afad_parser.kql) ",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "AlsidForADLog_CL",
"baseQuery": "AlsidForADLog_CL"
}
],
"sampleQueries": [
{
"description" : "Get the number of alerts triggered by each IoE",
"query": "afad_parser\n | where MessageType == 0\n | summarize AlertCount = count() by Codename"
},
{
"description" : "Get all IoE alerts with severity superior to the threshold",
"query" : "let threshold = 2;\n let SeverityTable=datatable(Severity:string,Level:int) [\n \"low\", 1,\n \"medium\", 2,\n \"high\", 3,\n \"critical\", 4\n ];\n afad_parser\n | where MessageType == 0\n | lookup kind=leftouter SeverityTable on Severity\n | where Level >= ['threshold']"
},
{
"description" : "Get all IoE alerts for the last 24 hours",
"query" : "afad_parser\r\n| where MessageType == 0 and TimeGenerated > ago(1d)"
},
{
"description" : "Get all IoE alerts for the last 7 days",
"query" : "afad_parser\r\n| where MessageType == 0 and TimeGenerated > ago(7d)"
},
{
"description" : "Get all IoE alerts for the last 30 days",
"query" : "afad_parser\r\n| where MessageType == 0 and TimeGenerated > ago(30d)"
},
{
"description" : "Get all trailflow changes for the last 24 hours",
"query" : "afad_parser\r\n| where MessageType == 1 and TimeGenerated > ago(1d)"
},
{
"description" : "Get all trailflow changes for the last 7 days",
"query" : "afad_parser\r\n| where MessageType == 1 and TimeGenerated > ago(7d)"
}
],
"dataTypes": [
{
"name": "AlsidForADLog_CL",
"lastDataReceivedQuery": "AlsidForADLog_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"afad_parser\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
]
},
"instructionSteps": [
{
"title": "",
"description": ">This data connector depends on a parser based on a Kusto Function to work as expected. [Follow these steps](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/Alsid/afad_parser.kql) to create the Kusto Functions alias, **afad_parser**",
"instructions": [
]
},
{
"title": "1. Configure the Syslog server",
"description": "You will first need a **linux Syslog** server that Alsid for AD will send logs to. Typically you can run **rsyslog** on **Ubuntu**.\n You can then configure this server as you wish, but it is recommended to be able to output AFAD logs in a separate file.\nAlternatively you can use [this Quickstart template](https://azure.microsoft.com/resources/templates/alsid-syslog-proxy/) which will deploy the Syslog server and the Microsoft agent for you. If you do use this template, you can skip step 3."
},
{
"title": "2. Configure Alsid to send logs to your Syslog server",
"description": "On your **Alsid for AD** portal, go to *System*, *Configuration* and then *Syslog*.\nFrom there you can create a new Syslog alert toward your Syslog server.\n\nOnce this is done, check that the logs are correctly gathered on your server in a seperate file (to do this, you can use the *Test the configuration* button in the Syslog alert configuration in AFAD).\nIf you used the Quickstart template, the Syslog server will by default listen on port 514 in UDP and 1514 in TCP, without TLS."
},
{
"title": "3. Install and onboard the Microsoft agent for Linux",
"description": "You can skip this step if you used the Quickstart template in step 1",
"instructions": [
{
"parameters": {
"title": "Choose where to install the agent:",
"instructionSteps": [
{
"title": "Install agent on Azure Linux Virtual Machine",
"description": "Select the machine to install the agent on and then click **Connect**.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnLinuxVirtualMachine"
},
"type": "InstallAgent"
}
]
},
{
"title": "Install agent on a non-Azure Linux Machine",
"description": "Download the agent on the relevant machine and follow the instructions.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnLinuxNonAzure"
},
"type": "InstallAgent"
}
]
}
]
},
"type": "InstructionStepsGroup"
}
]
},
{
"title": "4. Configure the logs to be collected by the agents",
"description": "Configure the agent to collect the logs.\n\n1. Under workspace advanced settings **Configuration**, select **Data** and then **Custom Logs**.\n2. Select **Apply below configuration to my machines** and click **Add**.\n3. Upload a sample AFAD Syslog file from the **Linux** machine running the **Syslog** server and click **Next**, for your convenience, you can find such a file [here](https://github.com/Azure/azure-quickstart-templates/blob/master/alsid-syslog-proxy/logs/AlsidForAD.log).\n4. Set the record delimiter to **New Line** if not already the case and click **Next**.\n5. Select **Linux** and enter the file path to the **Syslog** file, click **+** then **Next**. If you used the Quickstart template in step 1, the default location of the file is `/var/log/AlsidForAD.log`.\n6. Set the **Name** to *AlsidForADLog_CL* then click **Done** (Azure automatically adds *_CL* at the end of the name, there must be only one, make sure the name is not *AlsidForADLog_CL_CL*).\n\nAll of these steps are showcased [here](https://www.youtube.com/watch?v=JwV1uZSyXM4&feature=youtu.be) as an example",
"instructions": [
{
"parameters": {
"linkType": "OpenAdvancedWorkspaceSettings"
},
"type": "InstallAgent"
}
]
},
{
"title": "",
"description": "> You should now be able to receive logs in the *AlsidForADLog_CL* table, logs data can be parse using the **afad_parser()** function, used by all query samples, workbooks and analytic templates."
}
],
"metadata": {
"id": "12ff1831-b733-4861-a3e7-6115d20106f4",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "community"
},
"author": {
"name": "Alsid"
},
"support": {
"name": "Alsid",
"link": "https://www.alsid.com/contact-us/",
"tier": "developer"
}
}
}

Двоичные данные
DataConnectors/AtlassianJiraAudit/JiraAuditAPISentinelConn.zip
Просмотреть файл

Двоичный файл не отображается.

12
DataConnectors/AtlassianJiraAudit/JiraAuditAPISentinelConnector/__init__.py
Просмотреть файл

@ -9,6 +9,7 @@ import hashlib
import os
import tempfile
import logging
import re
from .state_manager import StateManager
customer_id = os.environ['WorkspaceID']
@ -17,9 +18,18 @@ jira_token = os.environ['JiraAccessToken']
jira_username = os.environ['JiraUsername']
jira_homesite_name = os.environ['JiraHomeSiteName']
connection_string = os.environ['AzureWebJobsStorage']
logAnalyticsUri = os.environ.get('logAnalyticsUri')
log_type = 'Jira_Audit'
jira_uri_audit = "https://" + jira_homesite_name + ".atlassian.net/rest/api/3/auditing/record"
if ((logAnalyticsUri in (None, '') or str(logAnalyticsUri).isspace())):
logAnalyticsUri = 'https://' + customer_id + '.ods.opinsights.azure.com'
pattern = r"https:\/\/([\w\-]+)\.ods\.opinsights\.azure.([a-zA-Z\.]+)$"
match = re.match(pattern,str(logAnalyticsUri))
if(not match):
raise Exception("Invalid Log Analytics Uri.")
def generate_date():
current_time = datetime.datetime.utcnow().replace(second=0, microsecond=0) - datetime.timedelta(minutes=10)
state = StateManager(connection_string=connection_string)
@ -95,7 +105,7 @@ def post_data(body):
rfc1123date = datetime.datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT')
content_length = len(body)
signature = build_signature(customer_id, shared_key, rfc1123date, content_length, method, content_type, resource)
uri = 'https://' + customer_id + '.ods.opinsights.azure.com' + resource + '?api-version=2016-04-01'
uri = logAnalyticsUri + resource + '?api-version=2016-04-01'
headers = {
'content-type': content_type,

4
DataConnectors/AtlassianJiraAudit/JiraAudit_API_FunctionApp.json
Просмотреть файл

@ -111,11 +111,11 @@
},
{
"title": "",
"description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://github.com/averbn/azure_sentinel_data_connectors/blob/main/jira-audit-azure-sentinel-data-connector/JiraAuditAPISentinelConn.zip?raw=true) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. JiraAuditXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Azure Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration."
"description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-jiraauditapi-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. JiraAuditXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Azure Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration."
},
{
"title": "",
"description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select ** New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tJiraUsername\n\t\tJiraAccessToken\n\t\tJiraHomeSiteName\n\t\tWorkspaceID\n\t\tWorkspaceKey\n3. Once all application settings have been entered, click **Save**."
"description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select ** New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tJiraUsername\n\t\tJiraAccessToken\n\t\tJiraHomeSiteName\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://<CustomerId>.ods.opinsights.azure.us`.\n3. Once all application settings have been entered, click **Save**."
}
]
}

24
DataConnectors/AtlassianJiraAudit/azuredeploy_Connector_JiraAuditAPI_AzureFunction.json
Просмотреть файл

@ -4,6 +4,8 @@
"parameters": {
"FunctionName": {
"defaultValue": "JiraAudit",
"minLength": 1,
"maxLength": 11,
"type": "string"
},
"WorkspaceID": {
@ -28,7 +30,9 @@
}
},
"variables": {
"FunctionName": "[concat(toLower(parameters('FunctionName')), uniqueString(resourceGroup().id))]"
"FunctionName": "[concat(toLower(parameters('FunctionName')), uniqueString(resourceGroup().id))]",
"StorageSuffix": "[environment().suffixes.storage]",
"LogAnaltyicsUri": "[replace(environment().portal, 'https://portal', concat('https://', toLower(parameters('WorkspaceID')), '.ods.opinsights'))]"
},
"resources": [
{
@ -148,30 +152,18 @@
"FUNCTIONS_WORKER_RUNTIME": "python",
"APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', variables('FunctionName')), '2015-05-01').InstrumentationKey]",
"APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', variables('FunctionName')), '2015-05-01').ConnectionString]",
"AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('FunctionName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=core.windows.net')]",
"AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('FunctionName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]",
"WorkspaceID": "[parameters('WorkspaceID')]",
"WorkspaceKey": "[parameters('WorkspaceKey')]",
"JiraAccessToken": "[parameters('JiraAccessToken')]",
"JiraUsername": "[parameters('JiraUsername')]",
"JiraHomeSiteName": "[parameters('JiraHomeSiteName')]",
"WEBSITE_RUN_FROM_PACKAGE": "https://github.com/averbn/azure_sentinel_data_connectors/blob/main/jira-audit-azure-sentinel-data-connector/JiraAuditAPISentinelConn.zip?raw=true"
"logAnalyticsUri": "[variables('LogAnaltyicsUri')]",
"WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-jiraauditapi-functionapp"
}
}
]
},
{
"type": "Microsoft.Web/sites/hostNameBindings",
"apiVersion": "2018-11-01",
"name": "[concat(variables('FunctionName'), '/', variables('FunctionName'), '.azurewebsites.net')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', variables('FunctionName'))]"
],
"properties": {
"siteName": "[variables('FunctionName')]",
"hostNameType": "Verified"
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",

20
DataConnectors/BETTERMTD.json
Просмотреть файл

@ -91,7 +91,7 @@
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
@ -125,5 +125,21 @@
}
]
}
]
],
"metadata": {
"id": "31f0ea52-dcd4-443b-9d04-a3e709addebc",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "community"
},
"author": {
"name": "Better Mobile"
},
"support": {
"name": "Better Mobile",
"email": "support@better.mobi",
"tier": "developer"
}
}
}

20
DataConnectors/Beyond Security beSECURE.json
Просмотреть файл

@ -97,7 +97,7 @@
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
@ -139,5 +139,21 @@
}
]
}
]
],
"metadata": {
"id": "3be993d4-3aa7-41de-8280-e62de7859eca",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "community"
},
"author": {
"name": "Beyond Security"
},
"support": {
"name": "Beyond Security",
"link": "https://beyondsecurity.freshdesk.com/support/home",
"tier": "developer"
}
}
}

18
DataConnectors/Citrix_WAF.json
Просмотреть файл

@ -122,5 +122,21 @@
"title": "4. Secure your machine ",
"description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)"
}
]
],
"metadata": {
"id": "7504f78d-1928-4399-a1ae-ba826c47c42d",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "community"
},
"author": {
"name": "Citrix Systems"
},
"support": {
"name": "Citrix Systems",
"link": "https://www.citrix.com/support/",
"tier": "developer"
}
}
}

18
DataConnectors/Connector_syslog_WatchGuardFirebox.json
Просмотреть файл

@ -114,5 +114,21 @@
}
]
}
]
],
"metadata": {
"id": "47835227-715b-4000-892e-e1fff81023c0",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "community"
},
"author": {
"name": "WatchGuard"
},
"support": {
"name": "WatchGuard",
"link": "https://www.watchguard.com/wgrd-support/overview",
"tier": "developer"
}
}
}

18
DataConnectors/CyberArk Data Connector.json
Просмотреть файл

@ -96,5 +96,21 @@
"title": "4. Secure your machine ",
"description": "Make sure to configure the machines security according to your organizations security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)"
}
]
],
"metadata": {
"id": "1c45e738-21dd-4fcd-9449-e2c9478e9552",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "community"
},
"author": {
"name": "Cyberark"
},
"support": {
"name": "Cyberark",
"link": "https://www.cyberark.com/customer-support/",
"tier": "developer"
}
}
}

Двоичные данные
DataConnectors/ESET Enterprise Inspector/AzureFunctionESETEnterpriseInspector.zip
Просмотреть файл

Двоичный файл не отображается.

13
DataConnectors/ESET Enterprise Inspector/EnterpriseInspectorProcessDetections/__init__.py
Просмотреть файл

@ -38,8 +38,18 @@ def main(eeimsg: func.QueueMessage) -> None:
verify = bool(strtobool(os.environ['verifySsl']))
workspace_id = os.environ['workspaceId']
workspace_key = os.environ['workspaceKey']
logAnalyticsUri = os.environ.get('logAnalyticsUri')
log_type = 'ESETEnterpriseInspector'
if ((logAnalyticsUri in (None, '') or str(logAnalyticsUri).isspace())):
logAnalyticsUri = 'https://' + customer_id + '.ods.opinsights.azure.com'
pattern = r'https:\/\/([\w\-]+)\.ods\.opinsights\.azure.([a-zA-Z\.]+)$'
match = re.match(pattern,str(logAnalyticsUri))
if(not match):
raise Exception("ESET Enterprise Inspector: Invalid Log Analytics Uri.")
# Connect to ESET Enterprise Inspector server
ei = EnterpriseInspector(
base_url=base_url,
@ -58,5 +68,6 @@ def main(eeimsg: func.QueueMessage) -> None:
customer_id=workspace_id,
shared_key=workspace_key,
body=body,
log_type=log_type
log_type=log_type,
logAnalyticsUri = logAnalyticsUri
)

11
DataConnectors/ESET Enterprise Inspector/datacollector/__init__.py
Просмотреть файл

@ -24,15 +24,16 @@ def build_signature(customer_id, shared_key, date, content_length, method, conte
return authorization
# Build and send a request to the POST API
def post_data(customer_id, shared_key, body, log_type):
def post_data(customer_id, shared_key, body, log_type, logAnalyticsUri):
method = 'POST'
content_type = 'application/json'
resource = '/api/logs'
rfc1123date = datetime.datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT')
content_length = len(body)
signature = build_signature(customer_id, shared_key, rfc1123date, content_length, method, content_type, resource)
uri = 'https://' + customer_id + '.ods.opinsights.azure.com' + resource + '?api-version=2016-04-01'
uri = logAnalyticsUri + resource + '?api-version=2016-04-01'
headers = {
'content-type': content_type,
'Authorization': signature,
@ -40,9 +41,9 @@ def post_data(customer_id, shared_key, body, log_type):
'x-ms-date': rfc1123date
}
response = requests.post(uri,data=body, headers=headers)
response = requests.post(uri, data=body, headers=headers)
if (response.status_code >= 200 and response.status_code <= 299):
print('Accepted')
else:
exit_error(f'Response code "{response.status_code}" while sending data through data-collector API.')
exit_error(f'Response code "{response.status_code}" while sending data through data-collector API.')

156
DataConnectors/Exabeam/Connector_Exabeam_Syslog.json Normal file
Просмотреть файл

@ -0,0 +1,156 @@
{
"id": "Exabeam",
"title": "Exabeam Advanced Analytics",
"publisher": "Exabeam",
"descriptionMarkdown": "The [Exabeam Advanced Analytics](https://www.exabeam.com/ueba/advanced-analytics-and-mitre-detect-and-stop-threats/) data connector provides the capability to ingest Exabeam Advanced Analytics events into Azure Sentinel. Refer to [Exabeam Advanced Analytics documentation](https://docs.exabeam.com/) for more information.",
"additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected. Follow the steps to use this Kusto Function alias **ExabeamEvent** in queries and workbooks. [Follow steps to get this Kusto Function>](https://aka.ms/sentinel-Exabeam-parser)",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "Exabeam",
"baseQuery": "ExabeamEvent"
}
],
"sampleQueries": [
{
"description" : "Top 10 Clients (Source IP)",
"query": "ExabeamEvent\n | summarize count() by SrcIpAddr\n | top 10 by count_"
}
],
"dataTypes": [
{
"name": "Syslog (Exabeam)",
"lastDataReceivedQuery": "ExabeamEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"ExabeamEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 2,
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "write permission is required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"delete": true
}
}
]
},
"instructionSteps": [
{
"title": "",
"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. [Follow these steps](https://aka.ms/sentinel-Exabeam-parser) to create the Kusto Functions alias, **ExabeamEvent**",
"instructions": [
]
},
{
"title": "",
"description": ">**NOTE:** This data connector has been developed using Exabeam Advanced Analytics i54 (Syslog)",
"instructions": [
]
},
{
"title": "1. Install and onboard the agent for Linux or Windows",
"description": "Install the agent on the server where the Exabeam Advanced Analytic logs are generated or forwarded.\n\n> Logs from Exabeam Advanced Analytic deployed on Linux or Windows servers are collected by **Linux** or **Windows** agents.",
"instructions": [
{
"parameters": {
"title": "Choose where to install the Linux agent:",
"instructionSteps": [
{
"title": "Install agent on Azure Linux Virtual Machine",
"description": "Select the machine to install the agent on and then click **Connect**.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnLinuxVirtualMachine"
},
"type": "InstallAgent"
}
]
},
{
"title": "Install agent on a non-Azure Linux Machine",
"description": "Download the agent on the relevant machine and follow the instructions.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnLinuxNonAzure"
},
"type": "InstallAgent"
}
]
}
]
},
"type": "InstructionStepsGroup"
}
]
},
{
"instructions": [
{
"parameters": {
"title": "Choose where to install the Windows agent:",
"instructionSteps": [
{
"title": "Install agent on Azure Windows Virtual Machine",
"description": "Select the machine to install the agent on and then click **Connect**.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnVirtualMachine"
},
"type": "InstallAgent"
}
]
},
{
"title": "Install agent on a non-Azure Windows Machine",
"description": "Download the agent on the relevant machine and follow the instructions.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnNonAzure"
},
"type": "InstallAgent"
}
]
}
]
},
"type": "InstructionStepsGroup"
}
]
},
{
"title": "2. Configure the logs to be collected",
"description": "Configure the custom log directory to be collected" ,
"instructions": [
{
"parameters": {
"linkType": "OpenAdvancedWorkspaceSettings"
},
"type": "InstallAgent"
}
]
},
{
"title": "3. Configure Exabeam event forwarding to Syslog",
"description": "[Follow these instructions](https://docs.exabeam.com/en/advanced-analytics/i54/advanced-analytics-administration-guide/113254-configure-advanced-analytics.html#UUID-7ce5ff9d-56aa-93f0-65de-c5255b682a08) to send Exabeam Advanced Analytics activity log data via syslog."
}
]
}

20
DataConnectors/FORCEPOINT_NGFW.json
Просмотреть файл

@ -1,5 +1,5 @@
{
"id": "FORCEPOINT_NGFW",
"id": "ForcepointNgfw",
"title": "Forcepoint NGFW (Preview)",
"publisher": "Forcepoint",
"descriptionMarkdown": "The Forcepoint NGFW (Next Generation Firewall) connector allows you to automatically export user-defined Forcepoint NGFW logs into Azure Sentinel in real-time. This enriches visibility into user activities recorded by NGFW, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Azure Sentinel.",
@ -122,5 +122,21 @@
"title": "5. Forcepoint integration installation guide ",
"description": "To complete the installation of this Forcepoint product integration, follow the guide linked below.\n\n[Installation Guide >](https://frcpnt.com/ngfw-sentinel)"
}
]
],
"metadata":{
"id": "e002d400-e0b0-4673-959a-eec31378d17c",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "community"
},
"author": {
"name": "Forcepoint"
},
"support": {
"name": "Forcepoint",
"link": "https://support.forcepoint.com/",
"tier": "developer"
}
}
}

18
DataConnectors/Forcepoint CASB.json
Просмотреть файл

@ -116,6 +116,22 @@
},
{ "title": "5. Forcepoint integration installation guide ",
"description": "To complete the installation of this Forcepoint product integration, follow the guide linked below.\n\n[Installation Guide >](https://frcpnt.com/casb-sentinel)"
}
],
"metadata": {
"id": "04f93db2-8f2a-4edc-bb78-9e1e7587faff",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "community"
},
"author": {
"name": "Forcepoint"
},
"support": {
"name": "Forcepoint",
"link": "https://support.forcepoint.com",
"tier": "developer"
}
}
]
}

20
DataConnectors/Forcepoint DLP.json
Просмотреть файл

@ -57,7 +57,7 @@
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
@ -91,5 +91,21 @@
}
]
}
]
],
"metadata": {
"id": "c4961e1e-45b1-4565-a096-6e14561c90b6",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "community"
},
"author": {
"name": "Forcepoint"
},
"support": {
"name": "Forcepoint",
"link": "https://support.forcepoint.com/",
"tier": "developer"
}
}
}

18
DataConnectors/ForgeRock_CEF.json
Просмотреть файл

@ -118,5 +118,21 @@
"title" : "4. Secure your machine ",
"description" : "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)"
}
]
],
"metadata": {
"id": "cb5b9a69-5ab1-445c-8491-6b96a2ea3100",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "community"
},
"author": {
"name": "ForgeRock"
},
"support": {
"name": "ForgeRock",
"link": "https://www.forgerock.com/support",
"tier": "developer"
}
}
}

Двоичные данные
DataConnectors/GithubFunction/AzureFunctionGitHub/GitHubTimerTrigger.zip
Просмотреть файл

Двоичный файл не отображается.

86
DataConnectors/GithubFunction/AzureFunctionGitHub/GitHubTimerTrigger/run.ps1
Просмотреть файл

@ -3,7 +3,7 @@
Language: PowerShell
Version: 1.2
Author: Nicholas Dicola, Sreedhar Ande
Last Modified: 02/08/2021
Last Modified: 03/29/2021
DESCRIPTION
This Function App calls the GitHub REST API (https://api.github.com/) to pull the GitHub
@ -36,25 +36,21 @@ $AzureWebJobsStorage = $env:AzureWebJobsStorage
$personalAccessToken = $env:PersonalAccessToken
$workspaceId = $env:WorkspaceId
$workspaceKey = $env:WorkspaceKey
$LAURI = $env:LAURI
$storageAccountContainer = "github-repo-logs"
$AuditLogTable = $env:GitHubAuditLogsTableName
if ([string]::IsNullOrEmpty($AuditLogTable))
{
$AuditLogTable = "GitHub_CL"
}
$RepoLogTable = $env:GitHubRepoLogsTableName
if ([string]::IsNullOrEmpty($RepoLogTable))
{
$RepoLogTable = "GitHubRepoLogs_CL"
}
#The AzureTenant variable is used to specify other cloud environments like Azure Gov(.us) etc.,
$AzureTenant = $env:AZURE_TENANT
$AuditLogTable = "GitHub_CL"
$RepoLogTable = "GitHubRepoLogs_CL"
$currentStartTime = (get-date).ToUniversalTime() | get-date -Format yyyy-MM-ddTHH:mm:ss:ffffffZ
if (-Not [string]::IsNullOrEmpty($LAURI)){
if($LAURI.Trim() -notmatch 'https:\/\/([\w\-]+)\.ods\.opinsights\.azure.([a-zA-Z\.]+)$')
{
Write-Error -Message "DocuSign-SecurityEvents: Invalid Log Analytics Uri." -ErrorAction Stop
Exit
}
}
function Write-OMSLogfile {
<#
.SYNOPSIS
@ -129,12 +125,13 @@ function Write-OMSLogfile {
-contentType $ContentType `
-resource $resource
# Compatible with Commercial and Gov Tenants
if ([string]::IsNullOrEmpty($AzureTenant)){
$uri = "https://" + $CustomerId + ".ods.opinsights.azure.com" + $resource + "?api-version=2016-04-01"
# Compatible with previous version
if ([string]::IsNullOrEmpty($LAURI)){
$LAURI = "https://" + $CustomerId + ".ods.opinsights.azure.com" + $resource + "?api-version=2016-04-01"
}
else{
$uri = "https://" + $CustomerId + ".ods.opinsights.azure" +$AzureTenant + $resource + "?api-version=2016-04-01"
else
{
$LAURI = $LAURI + $resource + "?api-version=2016-04-01"
}
$headers = @{
@ -143,7 +140,7 @@ function Write-OMSLogfile {
"x-ms-date" = $rfc1123date
"time-generated-field" = $dateTime
}
$response = Invoke-WebRequest -Uri $uri -Method $method -ContentType $ContentType -Headers $headers -Body $Body -UseBasicParsing
$response = Invoke-WebRequest -Uri $LAURI -Method $method -ContentType $ContentType -Headers $headers -Body $Body -UseBasicParsing
Write-Verbose -message ('Post Function Return Code ' + $response.statuscode)
return $response.statuscode
}
@ -205,8 +202,8 @@ $headers = @{
$storageAccountContext = New-AzStorageContext -ConnectionString $AzureWebJobsStorage
$checkBlob = Get-AzStorageBlob -Blob ORGS.json -Container $storageAccountContainer -Context $storageAccountContext
if($checkBlob -ne $null){
Get-AzStorageBlobContent -Blob ORGS.json -Container $storageAccountContainer -Context $storageAccountContext -Destination "$env:TMPDIR\orgs.json" -Force
$githubOrgs = Get-Content "$env:TMPDIR\orgs.json" | ConvertFrom-Json
Get-AzStorageBlobContent -Blob ORGS.json -Container $storageAccountContainer -Context $storageAccountContext -Destination "$env:temp\orgs.json" -Force
$githubOrgs = Get-Content "$env:temp\orgs.json" | ConvertFrom-Json
}
else{
Write-Error "No ORGS.json file, exiting"
@ -225,8 +222,8 @@ foreach($org in $githubOrgs){
$checkBlob = Get-AzStorageBlob -Blob "lastrun-Audit.json" -Container $storageAccountContainer -Context $storageAccountContext
if($checkBlob -ne $null){
#Blob found get data
Get-AzStorageBlobContent -Blob "lastrun-Audit.json" -Container $storageAccountContainer -Context $storageAccountContext -Destination "$env:TMPDIR\lastrun-Audit.json" -Force
$lastRunAuditContext = Get-Content "$env:TMPDIR\lastrun-Audit.json" | ConvertFrom-Json
Get-AzStorageBlobContent -Blob "lastrun-Audit.json" -Container $storageAccountContainer -Context $storageAccountContext -Destination "$env:temp\lastrun-Audit.json" -Force
$lastRunAuditContext = Get-Content "$env:temp\lastrun-Audit.json" | ConvertFrom-Json
}
else {
#no blob create the context
@ -238,7 +235,7 @@ foreach($org in $githubOrgs){
"lastContext": ""
}
"@
$lastRunAudit | Out-File "$env:TMPDIR\lastrun-Audit.json"
$lastRunAudit | Out-File "$env:temp\lastrun-Audit.json"
$lastRunAuditContext = $lastRunAudit | ConvertFrom-Json
}
@ -283,8 +280,8 @@ foreach($org in $githubOrgs){
$lastRunContext.org = $orgName
$lastRunContext.lastContext = $lastRunContext.lastContext
$lastRunContext.lastRun = $currentStartTime
$lastRunAuditContext | ConvertTo-Json | Out-File "$env:TMPDIR\lastrun-Audit.json"
Set-AzStorageBlobContent -Blob "lastrun-Audit.json" -Container $storageAccountContainer -Context $storageAccountContext -File "$env:TMPDIR\lastrun-Audit.json" -Force
$lastRunAuditContext | ConvertTo-Json | Out-File "$env:temp\lastrun-Audit.json"
Set-AzStorageBlobContent -Blob "lastrun-Audit.json" -Container $storageAccountContainer -Context $storageAccountContext -File "$env:temp\lastrun-Audit.json" -Force
}
} until ($hasNextPage -eq $false)
@ -398,14 +395,23 @@ foreach($org in $githubOrgs){
$forkLogs | Add-Member -NotePropertyName LogType -NotePropertyValue Forks
#Send to log A
SendToLogA -gitHubData $forkLogs -customLogName $RepoLogTable
}
}
$uri = "https://api.github.com/repos/$orgName/$repoName/secret-scanning/alerts"
$secretscanningalerts = $null
$secretscanningalerts = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
if ($secretscanningalerts.Length -gt 0){
$secretscanningalerts | Add-Member -NotePropertyName OrgName -NotePropertyValue $orgName
$secretscanningalerts | Add-Member -NotePropertyName Repository -NotePropertyValue $repoName
$secretscanningalerts | Add-Member -NotePropertyName LogType -NotePropertyValue SecretScanningAlerts
#Send to log A
SendToLogA -gitHubData $secretscanningalerts -customLogName $RepoLogTable
}
}
else {
Write-Host "$repoName is empty"
Write-Verbose "$repoName is empty"
}
}
}
# get blobs for last run
@ -414,8 +420,8 @@ foreach($org in $githubOrgs){
foreach($repo in $repoList){
$repoName = $repo.name
if($blobs.Name -contains "lastrun-$orgName-$repoName.json"){
Get-AzStorageBlobContent -Blob "lastrun-$orgName-$repoName.json" -Container $storageAccountContainer -Context $storageAccountContext -Destination "$env:TMPDIR\lastrun-$orgName-$repoName.json" -Force
$lastRunVulnContext = Get-Content "$env:TMPDIR\lastrun-$orgName-$repoName.json" | ConvertFrom-Json
Get-AzStorageBlobContent -Blob "lastrun-$orgName-$repoName.json" -Container $storageAccountContainer -Context $storageAccountContext -Destination "$env:temp\lastrun-$orgName-$repoName.json" -Force
$lastRunVulnContext = Get-Content "$env:temp\lastrun-$orgName-$repoName.json" | ConvertFrom-Json
}
else {
$lastRun = $currentStartTime
@ -425,9 +431,9 @@ foreach($org in $githubOrgs){
"lastContext": ""
}
"@
$lastRunVuln| Out-File "$env:TMPDIR\lastrun-$orgName-$repoName.json"
$lastRunVuln| Out-File "$env:temp\lastrun-$orgName-$repoName.json"
$lastRunVulnContext = $lastRunVuln | ConvertFrom-Json
Set-AzStorageBlobContent -Container $storageAccountContainer -Context $storageAccountContext -File "$env:TMPDIR\lastrun-$orgName-$repoName.json" -Force
Set-AzStorageBlobContent -Container $storageAccountContainer -Context $storageAccountContext -File "$env:temp\lastrun-$orgName-$repoName.json" -Force
}
#Build the query based on previous context or not
@ -470,11 +476,13 @@ foreach($org in $githubOrgs){
else {
$lastRunVulnContext.lastContext = $lastRunContext
$lastRunVulnContext.lastRun = $currentStartTime
$lastRunVulnContext | ConvertTo-Json | Out-File "$env:TMPDIR\lastrun-$orgName-$repoName.json"
Set-AzStorageBlobContent -Blob "lastrun-$orgName-$repoName.json" -Container $storageAccountContainer -Context $storageAccountContext -File "$env:TMPDIR\lastrun-$orgName-$repoName.json" -Force
$lastRunVulnContext | ConvertTo-Json | Out-File "$env:temp\lastrun-$orgName-$repoName.json"
Set-AzStorageBlobContent -Blob "lastrun-$orgName-$repoName.json" -Container $storageAccountContainer -Context $storageAccountContext -File "$env:temp\lastrun-$orgName-$repoName.json" -Force
}
} until ($hasNextPage -eq $false)
}
#clear the repo list for next org
$repoList = @()
#clear the temp folder
Remove-Item $env:temp\* -Recurse -Force -ErrorAction SilentlyContinue
}

8
DataConnectors/GithubFunction/CHANGELOG.MD
Просмотреть файл

@ -1,3 +1,11 @@
## 1.3
- Added secret-scanning/alerts logs
- Updated ARM template to support both Commercial and Azure Gov
- Removed previously added logic
- Environment variables to provide additional support for users to supply their own values for Table names
## 1.2
- Fixed issues raised on Sentinel GitHub Repo on AuditLogs
- Updated logic to ingest each AuditLog as an individual record

4
DataConnectors/GithubFunction/Connector_REST_API_FunctionApp_GitHub.json
Просмотреть файл

@ -118,7 +118,7 @@
},
{
"title": "Option 1 - Azure Resource Manager (ARM) Template",
"description": "This method provides an automated deployment of the GitHub Data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors%2FGithubFunction%2Fazurecomdeploy_dotcomtenants.json)\t[![Deploy To Azure Gov](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors%2FGithubFunction%2Fazuregovdeploy_dotustenants.json)\t(**.us Tenant**)\n\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **Personal Access Token** \n> - The default **Time Interval** is set to pull the last five (5) minutes of data. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion. \n> - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."
"description": "This method provides an automated deployment of the GitHub Data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors%2FGithubFunction%2Fazuredeploy.json)\n\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **Personal Access Token** \n> - The default **Time Interval** is set to pull the last five (5) minutes of data. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion. \n> - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."
},
{
"title": "Option 2 - Manual Deployment of Azure Functions",
@ -130,7 +130,7 @@
},
{
"title": "",
"description": "**2. Import Function App Code**\n\n1. In the newly created Function App, select **Functions** on the left pane and click **+ Add**.\n2. Select **Timer Trigger**.\n3. Enter a unique Function **Name** and leave the default cron schedule of every 5 minutes, then click **Create**.\n4. Click on **Code + Test** on the left pane. \n5. Copy the [Function App Code](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fandedevsecops%2FAzure-Sentinel%2Faz-func-github-dataconnector%2FDataConnectors%2FGithubFunction%2Fazuredeploy_GitHubData.json) and paste into the Function App `run.ps1` editor.\n5. Click **Save**."
"description": "**2. Import Function App Code**\n\n1. In the newly created Function App, select **Functions** on the left pane and click **+ Add**.\n2. Select **Timer Trigger**.\n3. Enter a unique Function **Name** and leave the default cron schedule of every 5 minutes, then click **Create**.\n4. Click on **Code + Test** on the left pane. \n5. Copy the [Function App Code](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fandedevsecops%2FAzure-Sentinel%2Faz-func-github-dataconnector%2FDataConnectors%2FGithubFunction%2Fazuredeploy.json) and paste into the Function App `run.ps1` editor.\n5. Click **Save**."
},
{
"title": "",

1
DataConnectors/GithubFunction/Function Dependencies/lastrun-Audit.json
Просмотреть файл

@ -1,4 +1,5 @@
{
"org":"",
"lastContext": "",
"lastRun": ""
}

84
DataConnectors/GithubFunction/azurecomdeploy_dotcomtenants.json → DataConnectors/GithubFunction/azuredeploy.json
Просмотреть файл

@ -9,27 +9,24 @@
"description": "Specifies the name of the Function App."
}
},
"PersonalAccessToken": {
"defaultValue": "Enter the GitHub Personal Access Token (PAT)",
"type": "string",
"PersonalAccessToken": {
"type": "securestring",
"metadata": {
"description": "Specifies GitHub Enterprise Personal Access Token."
}
},
"WorkspaceId": {
"type": "string",
"defaultValue": "<WorkspaceId>",
"type": "string",
"metadata": {
"description": "Specifies the Log Analytics Workspace Id."
}
},
"WorkspaceKey": {
"type": "string",
"defaultValue": "<WorkspaceKey>",
"type": "securestring",
"metadata": {
"description": "Specifies the Log Analytics Workspace Key."
}
},
},
"FunctionSchedule": {
"type": "string",
"defaultValue": "0 */10 * * * *",
@ -40,10 +37,13 @@
},
"variables": {
"FunctionName": "[concat(toLower(parameters('FunctionName')), uniqueString(resourceGroup().id))]",
"KeyVaultName": "[tolower(concat('githubkv', uniqueString(resourceGroup().id, subscription().id)))]",
"StorageAccountName":"[concat(substring(variables('FunctionName'), 0, 20), 'sa')]",
"KeyVaultName": "[concat(substring(variables('FunctionName'), 0, 20), 'kv')]",
"GitAPIToken": "GitAPIToken",
"LogAnalyticsWorkspaceKey": "LogAnalyticsWorkspaceKey",
"StorageContainerName": "github-repo-logs"
"StorageContainerName": "github-repo-logs",
"StorageSuffix":"[environment().suffixes.storage]",
"LogAnaltyicsUri":"[replace(environment().portal, 'https://portal', concat('https://', toLower(parameters('WorkspaceId')), '.ods.opinsights'))]"
},
"resources": [
{
@ -60,7 +60,7 @@
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"name": "[tolower(variables('FunctionName'))]",
"name": "[variables('StorageAccountName')]",
"location": "[resourceGroup().location]",
"sku": {
"name": "Standard_LRS",
@ -112,9 +112,9 @@
{
"type": "Microsoft.Storage/storageAccounts/blobServices",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default')]",
"name": "[concat(variables('StorageAccountName'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]"
"[resourceId('Microsoft.Storage/storageAccounts', variables('StorageAccountName'))]"
],
"sku": {
"name": "Standard_LRS",
@ -133,9 +133,9 @@
{
"type": "Microsoft.Storage/storageAccounts/fileServices",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default')]",
"name": "[concat(variables('StorageAccountName'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]"
"[resourceId('Microsoft.Storage/storageAccounts', variables('StorageAccountName'))]"
],
"sku": {
"name": "Standard_LRS",
@ -154,7 +154,7 @@
"name": "[variables('FunctionName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('StorageAccountName'))]",
"[resourceId('Microsoft.Web/serverfarms', variables('FunctionName'))]",
"[resourceId('Microsoft.Insights/components', variables('FunctionName'))]"
],
@ -167,7 +167,10 @@
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('FunctionName'))]",
"httpsOnly": true,
"clientAffinityEnabled": true,
"alwaysOn": true
"alwaysOn": true,
"siteConfig": {
"powerShellVersion": "~7"
}
},
"resources": [
{
@ -185,16 +188,14 @@
"FUNCTIONS_WORKER_RUNTIME": "powershell",
"APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', variables('FunctionName')), '2015-05-01').InstrumentationKey]",
"APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', variables('FunctionName')), '2015-05-01').ConnectionString]",
"AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('FunctionName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=core.windows.net')]",
"WEBSITE_CONTENTAZUREFILECONNECTIONSTRING": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('FunctionName')),';AccountKey=', listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=core.windows.net')]",
"AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('StorageAccountName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('StorageAccountName')), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]",
"WEBSITE_CONTENTAZUREFILECONNECTIONSTRING": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('StorageAccountName')),';AccountKey=', listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('StorageAccountName')), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]",
"WEBSITE_CONTENTSHARE": "[toLower(variables('FunctionName'))]",
"PersonalAccessToken": "[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('GitAPIToken')).secretUriWithVersion, ')')]",
"TMPDIR": "D:\\local\\Temp",
"PersonalAccessToken": "[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('GitAPIToken')).secretUriWithVersion, ')')]",
"WorkspaceId": "[parameters('WorkspaceId')]",
"WorkspaceKey": "[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('LogAnalyticsWorkspaceKey')).secretUriWithVersion, ')')]",
"Schedule": "[parameters('FunctionSchedule')]",
"GitHubAuditLogsTableName": "GitHubAuditLogs",
"GitHubRepoLogsTableName": "GitHubRepoLogs",
"LAURI": "[variables('LogAnaltyicsUri')]",
"WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/githubazurefunctionzip"
}
}
@ -263,26 +264,13 @@
}
]
},
{
"type": "Microsoft.Web/sites/hostNameBindings",
"apiVersion": "2018-11-01",
"name": "[concat(variables('FunctionName'), '/', variables('FunctionName'), '.azurewebsites.net')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', variables('FunctionName'))]"
],
"properties": {
"siteName": "[variables('FunctionName')]",
"hostNameType": "Verified"
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default/azure-webjobs-hosts')]",
"name": "[concat(variables('StorageAccountName'), '/default/azure-webjobs-hosts')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('FunctionName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]"
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('StorageAccountName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('StorageAccountName'))]"
],
"properties": {
"publicAccess": "None"
@ -291,10 +279,10 @@
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default/azure-webjobs-secrets')]",
"name": "[concat(variables('StorageAccountName'), '/default/azure-webjobs-secrets')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('FunctionName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]"
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('StorageAccountName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('StorageAccountName'))]"
],
"properties": {
"publicAccess": "None"
@ -303,10 +291,10 @@
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), concat('/default/', variables('StorageContainerName')))]",
"name": "[concat(variables('StorageAccountName'), concat('/default/', variables('StorageContainerName')))]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('FunctionName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]"
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('StorageAccountName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('StorageAccountName'))]"
],
"properties": {
"publicAccess": "None"
@ -315,10 +303,10 @@
{
"type": "Microsoft.Storage/storageAccounts/fileServices/shares",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default/', tolower(variables('FunctionName')))]",
"name": "[concat(variables('StorageAccountName'), '/default/', tolower(variables('StorageAccountName')))]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/fileServices', variables('FunctionName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]"
"[resourceId('Microsoft.Storage/storageAccounts/fileServices', variables('StorageAccountName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('StorageAccountName'))]"
],
"properties": {
"shareQuota": 5120

329
DataConnectors/GithubFunction/azuregovdeploy_dotustenants.json
Просмотреть файл

@ -1,329 +0,0 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"FunctionName": {
"defaultValue": "GitHubLogs",
"type": "string",
"metadata": {
"description": "Specifies the name of the Function App."
}
},
"PersonalAccessToken": {
"defaultValue": "Enter the GitHub Personal Access Token (PAT)",
"type": "string",
"metadata": {
"description": "Specifies GitHub Enterprise Personal Access Token."
}
},
"WorkspaceId": {
"type": "string",
"defaultValue": "<WorkspaceId>",
"metadata": {
"description": "Specifies the Log Analytics Workspace Id."
}
},
"WorkspaceKey": {
"type": "string",
"defaultValue": "<WorkspaceKey>",
"metadata": {
"description": "Specifies the Log Analytics Workspace Key."
}
},
"FunctionSchedule": {
"type": "string",
"defaultValue": "0 */10 * * * *",
"metadata": {
"description": "For a `TimerTrigger` to work, you provide a schedule in the form of a [cron expression](https://en.wikipedia.org/wiki/Cron#CRON_expression)(See the link for full details). A cron expression is a string with 6 separate expressions which represent a given schedule via patterns. The pattern we use to represent every 1 hour is `0 0 * * * *`. This, in plain text, means: When seconds is equal to 0, minutes is divisible by 5, for any hour, day of the month, month, day of the week, or year"
}
}
},
"variables": {
"FunctionName": "[concat(toLower(parameters('FunctionName')), uniqueString(resourceGroup().id))]",
"KeyVaultName": "[tolower(concat('githubkv', uniqueString(resourceGroup().id, subscription().id)))]",
"GitAPIToken": "GitAPIToken",
"LogAnalyticsWorkspaceKey": "LogAnalyticsWorkspaceKey",
"StorageContainerName": "github-repo-logs"
},
"resources": [
{
"type": "Microsoft.Insights/components",
"apiVersion": "2015-05-01",
"name": "[variables('FunctionName')]",
"location": "[resourceGroup().location]",
"kind": "web",
"properties": {
"Application_Type": "web",
"ApplicationId": "[variables('FunctionName')]"
}
},
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"name": "[tolower(variables('FunctionName'))]",
"location": "[resourceGroup().location]",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"networkAcls": {
"bypass": "AzureServices",
"virtualNetworkRules": [
],
"ipRules": [
],
"defaultAction": "Allow"
},
"supportsHttpsTrafficOnly": true,
"encryption": {
"services": {
"file": {
"keyType": "Account",
"enabled": true
},
"blob": {
"keyType": "Account",
"enabled": true
}
},
"keySource": "Microsoft.Storage"
}
}
},
{
"type": "Microsoft.Web/serverfarms",
"apiVersion": "2018-02-01",
"name": "[variables('FunctionName')]",
"location": "[resourceGroup().location]",
"sku": {
"name": "Y1",
"tier": "Dynamic"
},
"kind": "functionapp",
"properties": {
"name": "[variables('FunctionName')]",
"workerSize": "0",
"workerSizeId": "0",
"numberOfWorkers": "1"
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]"
],
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"properties": {
"cors": {
"corsRules": [
]
},
"deleteRetentionPolicy": {
"enabled": false
}
}
},
{
"type": "Microsoft.Storage/storageAccounts/fileServices",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]"
],
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"properties": {
"cors": {
"corsRules": [
]
}
}
},
{
"type": "Microsoft.Web/sites",
"apiVersion": "2018-11-01",
"name": "[variables('FunctionName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]",
"[resourceId('Microsoft.Web/serverfarms', variables('FunctionName'))]",
"[resourceId('Microsoft.Insights/components', variables('FunctionName'))]"
],
"kind": "functionapp",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"name": "[variables('FunctionName')]",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('FunctionName'))]",
"httpsOnly": true,
"clientAffinityEnabled": true,
"alwaysOn": true
},
"resources": [
{
"apiVersion": "2018-11-01",
"type": "config",
"name": "appsettings",
"dependsOn": [
"[concat('Microsoft.Web/sites/', variables('FunctionName'))]",
"[resourceId('Microsoft.KeyVault/vaults/', variables('KeyVaultName'))]",
"[resourceId('Microsoft.KeyVault/vaults/secrets', variables('KeyVaultName'), variables('GitAPIToken'))]",
"[resourceId('Microsoft.KeyVault/vaults/secrets', variables('KeyVaultName'), variables('LogAnalyticsWorkspaceKey'))]"
],
"properties": {
"FUNCTIONS_EXTENSION_VERSION": "~3",
"FUNCTIONS_WORKER_RUNTIME": "powershell",
"APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', variables('FunctionName')), '2015-05-01').InstrumentationKey]",
"APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', variables('FunctionName')), '2015-05-01').ConnectionString]",
"AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('FunctionName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=core.usgovcloudapi.net')]",
"WEBSITE_CONTENTAZUREFILECONNECTIONSTRING": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('FunctionName')),';AccountKey=', listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=core.usgovcloudapi.net')]",
"WEBSITE_CONTENTSHARE": "[toLower(variables('FunctionName'))]",
"PersonalAccessToken": "[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('GitAPIToken')).secretUriWithVersion, ')')]",
"TMPDIR": "D:\\local\\Temp",
"WorkspaceId": "[parameters('WorkspaceId')]",
"WorkspaceKey": "[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('LogAnalyticsWorkspaceKey')).secretUriWithVersion, ')')]",
"Schedule": "[parameters('FunctionSchedule')]",
"AZURE_TENANT": ".us",
"GitHubAuditLogsTableName": "GitHubAuditLogs",
"GitHubRepoLogsTableName": "GitHubRepoLogs",
"WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/githubazurefunctionzip"
}
}
]
},
{
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2016-10-01",
"name": "[variables('KeyVaultName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', variables('FunctionName'))]"
],
"properties": {
"sku": {
"family": "A",
"name": "Standard"
},
"tenantId": "[subscription().tenantId]",
"accessPolicies": [
{
"tenantId": "[subscription().tenantId]",
"objectId": "[reference(resourceId('Microsoft.Web/sites', variables('FunctionName')),'2019-08-01', 'full').identity.principalId]",
"permissions": {
"secrets": [ "get",
"list"
]
}
}
],
"enabledForDeployment": false,
"enabledForDiskEncryption": false,
"enabledForTemplateDeployment": true,
"enableSoftDelete": true
},
"resources": [
{
"type": "secrets",
"apiVersion": "2016-10-01",
"name": "[variables('GitAPIToken')]",
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults/', variables('KeyVaultName'))]"
],
"properties": {
"value": "[parameters('PersonalAccessToken')]",
"contentType": "string",
"attributes": {
"enabled": true
}
}
},
{
"type": "secrets",
"apiVersion": "2016-10-01",
"name": "[variables('LogAnalyticsWorkspaceKey')]",
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults/', variables('KeyVaultName'))]"
],
"properties": {
"value": "[parameters('WorkspaceKey')]",
"contentType": "string",
"attributes": {
"enabled": true
}
}
}
]
},
{
"type": "Microsoft.Web/sites/hostNameBindings",
"apiVersion": "2018-11-01",
"name": "[concat(variables('FunctionName'), '/', variables('FunctionName'), '.azurewebsites.us')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', variables('FunctionName'))]"
],
"properties": {
"siteName": "[variables('FunctionName')]",
"hostNameType": "Verified"
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default/azure-webjobs-hosts')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('FunctionName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]"
],
"properties": {
"publicAccess": "None"
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default/azure-webjobs-secrets')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('FunctionName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]"
],
"properties": {
"publicAccess": "None"
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), concat('/default/', variables('StorageContainerName')))]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('FunctionName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]"
],
"properties": {
"publicAccess": "None"
}
},
{
"type": "Microsoft.Storage/storageAccounts/fileServices/shares",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default/', tolower(variables('FunctionName')))]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/fileServices', variables('FunctionName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]"
],
"properties": {
"shareQuota": 5120
}
}
]
}

67
DataConnectors/GithubFunction/readme.md
Просмотреть файл

@ -12,16 +12,30 @@ Following are the configuration steps to deploy Function App.
A GitHub API Token is required. See the documentation to learn more about the [GitHub Personal Access Token](https://github.com/settings/tokens/).
## Configuration Steps
1. Deploy the ARM template and fill in the parameters.
## Configuration Steps to Deploy Function App
1. Click on Deploy to Azure (For both Commercial & Azure GOV)
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors%2FGithubFunction%2Fazuredeploy.json" target="_blank">
<img src="https://aka.ms/deploytoazurebutton"/>
</a>
2. Select the preferred **Subscription**, **Resource Group** and **Location**
**Note**
Best practice : Create new Resource Group while deploying - all the resources of your custom Data connector will reside in the newly created Resource
Group
3. Enter the following value in the ARM template deployment
```
"PersonalAccessToken": This is the GITHUB PAT
"Workspace Id": The Sentinel Log Analytics Workspace Id
"Workspace Key": The Sentinel Log Analytics Workspace Key
"Function Schedule": The `TimerTrigger` makes it incredibly easy to have your functions executed on a schedule
"PersonalAccessToken": This is the GITHUB PAT
"Workspace Id": The Sentinel Log Analytics Workspace Id
"Workspace Key": The Sentinel Log Analytics Workspace Key
"Function Schedule": The `TimerTrigger` makes it incredibly easy to have your functions executed on a schedule
```
2. There are two json files (ORGS.json and lastrun-Audit.json) in Function Dependencies folder
3. Edit the ORGS.json file and update "org": "sampleorg" and replace sample org with your org name.
## Post Deployment Steps
1. There are two json files (ORGS.json and lastrun-Audit.json) in Function Dependencies folder
2. Edit the ORGS.json file and update "org": "sampleorg" and replace sample org with your org name.
```
If you have single org
[
@ -44,7 +58,7 @@ A GitHub API Token is required. See the documentation to learn more about the [G
]
```
4. Edit lastrun-Audit.json and update "org": "sampleorg" and replace sample org with your org name
3. Edit lastrun-Audit.json and update "org": "sampleorg" and replace sample org with your org name
```
If you have single org
@ -73,16 +87,16 @@ A GitHub API Token is required. See the documentation to learn more about the [G
]
```
5. Upload the following files to the storage account "github-repo-logs" container from
4. Upload the following files to the storage account "github-repo-logs" container from
```
ORGS.json
lastrun-Audit.json
```
6. PersonalAccessToken and Workspace Key will be placed as "Secrets" in the Azure KeyVault `githubkv<<uniqueid>>` with only Azure Function access policy. If you want to see/update these secrets,
5. PersonalAccessToken and Workspace Key will be placed as "Secrets" in the Azure KeyVault `<<Function App Name>><<uniqueid>>` with only Azure Function access policy. If you want to see/update these secrets,
```
a. Go to Azure KeyVault "githubkv<<uniqueid>>"
a. Go to Azure KeyVault `<<Function App Name>><<uniqueid>>`
b. Click on "Access Policies" under Settings
c. Click on "Add Access Policy"
i. Configure from template : Secret Management
@ -93,7 +107,7 @@ A GitHub API Token is required. See the documentation to learn more about the [G
```
7. The `TimerTrigger` makes it incredibly easy to have your functions executed on a schedule. This sample demonstrates a simple use case of calling your function based on your schedule provided while deploying. If you want to change
6. The `TimerTrigger` makes it incredibly easy to have your functions executed on a schedule. This sample demonstrates a simple use case of calling your function based on your schedule provided while deploying. If you want to change
the schedule
```
a. Click on Function App "Configuration" under Settings
@ -102,32 +116,5 @@ A GitHub API Token is required. See the documentation to learn more about the [G
```
**Note: For a `TimerTrigger` to work, you provide a schedule in the form of a [cron expression](https://en.wikipedia.org/wiki/Cron#CRON_expression)(See the link for full details). A cron expression is a string with 6 separate expressions which represent a given schedule via patterns. The pattern we use to represent every 5 minutes is `0 */5 * * * *`. This, in plain text, means: "When seconds is equal to 0, minutes is divisible by 5, for any hour, day of the month, month, day of the week, or year".**
8. Once Azure Function App is deployed
```
a. Go to `githublogs<<uniqueid>>`
b. Click on "Advanced Tools" under Development Tools
c. Click on Go --> You will be redirected to Web App --> Check Temp folder path.
d. It can be either C:\local\Temp\ or D:\local\Temp\.
```
9. After finding Temp folder path
```
a. Go to `githublogs<<uniqueid>>`
b. Click on "Configuration" under Settings
c. Click on "TMPDIR" under "Application Settings"
d. Update Drive (C//D) based on your findings from Step 9.
```
**Note: Make sure the value in "TMPDIR" doesnt have "\\" at the end.**
10. **For Azure Gov customers only**, You will see additional environment variable "Azure Tenant" under "Configuration" --> "Application Settings" and its default value is ".us"
Currently this Function App supports "Azure Gov(.US)" tenants
Ex: https://portal.azure.us
Note: there are two parsers (here)[https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/GitHub] to make the logs useful
## Deploy the Function App template
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors%2FGithubFunction%2Fazurecomdeploy_dotcomtenants.json" target="_blank">
<img src="https://aka.ms/deploytoazurebutton"/>
</a>
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors%2FGithubFunction%2Fazuregovdeploy_dotustenants.json" target="_blank">
<img src="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png"/>
</a>

Двоичные данные
DataConnectors/GoogleWorkspaceReports/GWorkspaceReportsAPISentinelConn.zip
Просмотреть файл

Двоичный файл не отображается.

15
DataConnectors/GoogleWorkspaceReports/GWorkspaceReportsAPISentinelConnector/__init__.py
Просмотреть файл

@ -13,6 +13,7 @@ import azure.functions as func
import logging
import os
import time
import re
customer_id = os.environ['WorkspaceID']
shared_key = os.environ['WorkspaceKey']
@ -20,6 +21,15 @@ pickle_str = os.environ['GooglePickleString']
pickle_string = base64.b64decode(pickle_str)
SCOPES = ['https://www.googleapis.com/auth/admin.reports.audit.readonly']
activities = ["login", "calendar", "drive", "admin", "mobile", "token", "user_accounts"]
logAnalyticsUri = os.environ.get('logAnalyticsUri')
if ((logAnalyticsUri in (None, '') or str(logAnalyticsUri).isspace())):
logAnalyticsUri = 'https://' + customer_id + '.ods.opinsights.azure.com'
pattern = r'https:\/\/([\w\-]+)\.ods\.opinsights\.azure.([a-zA-Z\.]+)$'
match = re.match(pattern,str(logAnalyticsUri))
if(not match):
raise Exception("Google Workspace Reports: Invalid Log Analytics Uri.")
def get_credentials():
creds = None
@ -75,15 +85,14 @@ def post_data(customer_id, shared_key, body, log_type):
rfc1123date = datetime.datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT')
content_length = len(body)
signature = build_signature(customer_id, shared_key, rfc1123date, content_length, method, content_type, resource)
uri = 'https://' + customer_id + '.ods.opinsights.azure.com' + resource + '?api-version=2016-04-01'
uri = logAnalyticsUri + resource + '?api-version=2016-04-01'
headers = {
'content-type': content_type,
'Authorization': signature,
'Log-Type': log_type,
'x-ms-date': rfc1123date
}
response = requests.post(uri,data=body, headers=headers)
response = requests.post(uri, data=body, headers=headers)
if (response.status_code >= 200 and response.status_code <= 299):
logging.info("Logs with {} activity was processed into Azure".format(log_type))
else:

18
DataConnectors/Imperva WAF Gateway/Connector_Imperva_WAF_Gateway.json
Просмотреть файл

@ -129,5 +129,21 @@
"title": "5. Secure your machine ",
"description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)"
}
]
],
"metadata": {
"id": "f8699c9c-536c-4d28-9049-d0c555dd8c8c",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "community"
},
"author": {
"name": "Imperva"
},
"support": {
"name": "Imperva",
"link": "https://www.imperva.com/support/technical-support/",
"tier": "developer"
}
}
}

20
DataConnectors/NXLogDnsLogs.json
Просмотреть файл

@ -53,7 +53,7 @@
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
@ -87,5 +87,21 @@
}
]
}
]
],
"metadata": {
"id": "4eb027bc-5a8e-4e7e-8dac-3aaba3e487b1",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "community"
},
"author": {
"name": "NXLog"
},
"support": {
"name": "NXLog",
"link": "https://nxlog.co/community-forum",
"tier": "developer"
}
}
}

20
DataConnectors/NXLogLinuxAudit.json
Просмотреть файл

@ -57,7 +57,7 @@
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
@ -91,5 +91,21 @@
}
]
}
]
],
"metadata": {
"id": "3969d734-ab64-44fe-ac9b-73d758e0e814",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "community"
},
"author": {
"name": "NXLog"
},
"support": {
"name": "NXLog",
"link": "https://nxlog.co/community-forum",
"tier": "developer"
}
}
}

121
DataConnectors/OSSEC/Connector_CEF_OSSEC.json Normal file
Просмотреть файл

@ -0,0 +1,121 @@
{
"id": "OSSEC",
"title": "OSSEC",
"publisher": "OSSEC",
"descriptionMarkdown": "OSSEC data connector provides the capability to ingest [OSSEC](https://www.ossec.net/) events into Azure Sentinel. Refer to [OSSEC documentation](https://www.ossec.net/docs) for more information.",
"additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected. Follow the steps to use this Kusto Function alias **OSSECEvent** in queries and workbooks. [Follow steps to get this Kusto Function>](https://aka.ms/sentinel-OSSEC-parser) ",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "OSSEC",
"baseQuery": "OSSECEvent"
}
],
"sampleQueries": [
{
"description" : "Top 10 Rules",
"query": "OSSECEvent\n | summarize count() by RuleName\n | top 10 by count_"
}
],
"dataTypes": [
{
"name": "CommonSecurityLog (OSSEC)",
"lastDataReceivedQuery": "OSSECEvent\n | summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"OSSECEvent\n | summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 2,
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"read": true,
"write": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
]
},
"instructionSteps": [
{
"title": "",
"description": ">This data connector depends on a parser based on a Kusto Function to work as expected. [Follow these steps](https://aka.ms/sentinel-OSSEC-parser) to create the Kusto Functions alias, **OSSECEvent**",
"instructions": [
]
},
{
"title": "1. Linux Syslog agent configuration",
"description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Azure Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
"innerSteps": [
{
"title": "1.1 Select or create a Linux machine",
"description": "Select or create a Linux machine that Azure Sentinel will use as the proxy between your security solution and Azure Sentinel this machine can be on your on-prem environment, Azure or other clouds."
},
{
"title": "1.2 Install the CEF collector on the Linux machine",
"description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Azure Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId",
"PrimaryKey"
],
"label": "Run the following command to install and apply the CEF collector:",
"value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
},
"type": "CopyableLabel"
}
]
}
]
},
{
"title": "2. Forward Common Event Format (CEF) logs to Syslog agent",
"description": "[Follow these steps](https://www.ossec.net/docs/docs/manual/output/syslog-output.html) to configure OSSEC sending alerts via syslog."
},
{
"title": "3. Validate connection",
"description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Run the following command to validate your connectivity:",
"value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
},
"type": "CopyableLabel"
}
]
},
{
"title": "4. Secure your machine ",
"description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)"
}
]
}

19
DataConnectors/OnapsisPlatform.json
Просмотреть файл

@ -236,6 +236,21 @@
}
]
],
"metadata": {
"id": "81ae314e-2c7c-40d0-87fe-812ffda0b60c",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "community"
},
"author": {
"name": "Onapsis"
},
"support": {
"name": "Onapsis",
"link": "https://onapsis.force.com/s/login/",
"tier": "developer"
}
}
}

20
DataConnectors/OrcaSecurityAlerts.json
Просмотреть файл

@ -53,7 +53,7 @@
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
@ -87,5 +87,21 @@
}
]
}
]
],
"metadata": {
"id": "f664e101-f4af-4d74-809c-8fad6ee3c381",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "community"
},
"author": {
"name": "Orca Security"
},
"support": {
"name": "Orca Security",
"link": "http://support.orca.security/",
"tier": "developer"
}
}
}

21
DataConnectors/Palo Alto Networks/PaloAltoNetworks.json
Просмотреть файл

@ -35,7 +35,8 @@
}
],
"availability": {
"status": 1
"status": 1,
"isPreview": true
},
"permissions": {
"resourceProvider": [
@ -113,5 +114,21 @@
"title": "4. Secure your machine ",
"description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)"
}
]
],
"metadata": {
"id": "ef80260c-3aec-43bc-a1e5-c2f2372c9adc",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "community"
},
"author": {
"name": "Palo Alto Networks"
},
"support": {
"name": "Palo Alto Networks",
"link": "https://www.paloaltonetworks.com/company/contact-support",
"tier": "developer"
}
}
}

18
DataConnectors/Perimeter81ActivityLogs.json
Просмотреть файл

@ -99,5 +99,21 @@
}
]
}
]
],
"metadata": {
"id": "1d855d54-0f17-43b3-ad33-93a0ab7b6ce8",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "community"
},
"author": {
"name": "Perimeter 81"
},
"support": {
"name": "Perimeter 81",
"link": "https://support.perimeter81.com/",
"tier": "developer"
}
}
}

Двоичные данные
DataConnectors/ProofpointPOD/ProofpointSentinelConn.zip
Просмотреть файл

Двоичный файл не отображается.

15
DataConnectors/ProofpointPOD/ProofpointSentinelConnector/__init__.py
Просмотреть файл

@ -12,6 +12,7 @@ import requests
import azure.functions as func
import logging
import certifi
import re
customer_id = os.environ['WorkspaceID']
@ -20,6 +21,15 @@ cluster_id = os.environ['ProofpointClusterID']
_token = os.environ['ProofpointToken']
time_delay_minutes = 60
event_types = ["maillog","message"]
logAnalyticsUri = os.environ.get('logAnalyticsUri')
if ((logAnalyticsUri in (None, '') or str(logAnalyticsUri).isspace())):
logAnalyticsUri = 'https://' + customer_id + '.ods.opinsights.azure.com'
pattern = r'https:\/\/([\w\-]+)\.ods\.opinsights\.azure.([a-zA-Z\.]+)$'
match = re.match(pattern,str(logAnalyticsUri))
if(not match):
raise Exception("ProofpointPOD: Invalid Log Analytics Uri.")
def main(mytimer: func.TimerRequest) -> None:
if mytimer.past_due:
@ -35,6 +45,7 @@ def main(mytimer: func.TimerRequest) -> None:
class Proofpoint_api:
def __init__(self):
self.cluster_id = cluster_id
self.logAnalyticsUri = logAnalyticsUri
self._token = _token
self.time_delay_minutes = int(time_delay_minutes)
self.gen_timeframe(time_delay_minutes=self.time_delay_minutes)
@ -113,7 +124,9 @@ class Proofpoint_api:
content_length = len(body)
signature = self.build_signature(rfc1123date, content_length, method, content_type,
resource)
uri = 'https://' + customer_id + '.ods.opinsights.azure.com' + resource + '?api-version=2016-04-01'
uri = self.logAnalyticsUri + resource + '?api-version=2016-04-01'
headers = {
'content-type': content_type,
'Authorization': signature,

Двоичные данные
DataConnectors/SalesforceServiceCloud/SalesforceSentinelConn.zip
Просмотреть файл

Двоичный файл не отображается.

14
DataConnectors/SalesforceServiceCloud/SalesforceSentinelConnector/__init__.py
Просмотреть файл

@ -9,6 +9,7 @@ import csv
import os
import sys
import tempfile
import re
import azure.functions as func
@ -25,7 +26,15 @@ interval = "hourly"
hours_interval = 1
days_interval = 1
url = "https://login.salesforce.com/services/oauth2/token"
logAnalyticsUri = os.environ.get('logAnalyticsUri')
if ((logAnalyticsUri in (None, '') or str(logAnalyticsUri).isspace())):
logAnalyticsUri = 'https://' + customer_id + '.ods.opinsights.azure.com'
pattern = r'https:\/\/([\w\-]+)\.ods\.opinsights\.azure.([a-zA-Z\.]+)$'
match = re.match(pattern,str(logAnalyticsUri))
if(not match):
raise Exception("Salesforce Service Cloud: Invalid Log Analytics Uri.")
def _get_token():
params = {
@ -175,14 +184,15 @@ def post_data(customer_id, shared_key, body, log_type, chunk_count):
rfc1123date = datetime.datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT')
content_length = len(body)
signature = build_signature(customer_id, shared_key, rfc1123date, content_length, method, content_type, resource)
uri = 'https://' + customer_id + '.ods.opinsights.azure.com' + resource + '?api-version=2016-04-01'
uri = logAnalyticsUri + resource + '?api-version=2016-04-01'
headers = {
'content-type': content_type,
'Authorization': signature,
'Log-Type': log_type,
'x-ms-date': rfc1123date
}
response = requests.post(uri,data=body, headers=headers)
response = requests.post(uri, data=body, headers=headers)
if (response.status_code >= 200 and response.status_code <= 299):
print('Accepted')
logging.info("Chunk was processed({} events)".format(chunk_count))

18
DataConnectors/SonicWall/SonicwallFirewall.JSON
Просмотреть файл

@ -118,5 +118,21 @@
"title": "4. Secure your machine ",
"description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)"
}
]
],
"metadata": {
"id": "bbe6d9ef-2581-41b8-95b0-9d50c919d377",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "community"
},
"author": {
"name": "SonicWall"
},
"support": {
"name": "SonicWall",
"link": "https://www.sonicwall.com/support/",
"tier": "developer"
}
}
}

20
DataConnectors/Sophos Cloud Optix/Connector_REST_API_SophosCloudOptix.json
Просмотреть файл

@ -53,7 +53,7 @@
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
@ -99,5 +99,21 @@
"title": "4. Turn on the integration",
"description": "To turn on the integration, select Enable, and then click Save.\n"
}
]
],
"metadata": {
"id": "a3646b81-9e6a-4f4b-beb1-9d2eba8ab669",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "community"
},
"author": {
"name": "Sophos"
},
"support": {
"name": "Sophos",
"link": "https://secure2.sophos.com/en-us/support.aspx",
"tier": "developer"
}
}
}

18
DataConnectors/SquadraTechnologies.SecRMM.json
Просмотреть файл

@ -125,5 +125,21 @@
}
]
}
]
],
"metadata": {
"id": "5040166e-9344-4b4a-b260-8f2e3539ae45",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "community"
},
"author": {
"name": "Squadra Technologies"
},
"support": {
"name": "Squadra Technologies",
"link": "https://www.squadratechnologies.com/Contact.aspx",
"tier": "developer"
}
}
}

20
DataConnectors/Templates/Connector_CEF_template.json
Просмотреть файл

@ -110,5 +110,23 @@
"title": "4. Secure your machine ",
"description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)"
}
]
],
"metadata": {
"id": "Unique Identifier (GUID) used to identify dependencies and content from solutions or community.",
"version": "This is an optional field. Default and recommended format for kind value as **community or solutions** is string eg. \"1.0.0\" aligning with solutions which makes it easier to manage the content. Whereas, for kind value as **sourceRepository** the recommended format is numeric (eg. 1, 1.0,1.0.0, etc) aligning to ARM template best practices.",
"kind": "dataConnector",
"source": {
"kind": "source type of the content. Value must be one of these : localWorkspace | community | solution | sourceRepository",
"name": "Name of the content source. The repo name, solution name, LA workspace name etc."
},
"author": {
"name": "Name of the author. For localWorkspace it is automatically the workspace user"
},
"support": {
"tier": "Type of support for content item: microsoft | developer | community",
"name": "Name of support contact or company",
"email": "Optional: Email of support contact",
"link":"Optional: Link for support help, like to support page to open a ticket etc"
}
}
}

20
DataConnectors/Templates/Connector_REST_API_AzureFunctionApp_template/DataConnector_API_AzureFunctionApp_template.json
Просмотреть файл

@ -125,5 +125,23 @@
"title": "3. Configure the Function App",
"description": "1. In the Function App screen, click the Function App name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following 'x (number of)' application settings individually, under Name, with their respective string values (case-sensitive) under Value: \n\t\tapiUsername\n\t\tapipassword\n\t\tapiToken\n\t\tworkspaceID\n\t\tworkspaceKey\n\t\turi\n\t\tlogAnalyticsUri (optional)\n(add any other settings required by the Function App)\nSet the `uri` value to: `<add uri value>` \n>Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Azure Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: https://<CustomerId>.ods.opinsights.azure.us. \n4. Once all application settings have been entered, click **Save**."
}
]
],
"metadata": {
"id": "Unique Identifier (GUID) used to identify dependencies and content from solutions or community.",
"version": "This is an optional field. Default and recommended format for kind value as **community or solutions** is string eg. \"1.0.0\" aligning with solutions which makes it easier to manage the content. Whereas, for kind value as **sourceRepository** the recommended format is numeric (eg. 1, 1.0,1.0.0, etc) aligning to ARM template best practices.",
"kind": "dataConnector",
"source": {
"kind": "source type of the content. Value must be one of these : localWorkspace | community | solution | sourceRepository",
"name": "Name of the content source. The repo name, solution name, LA workspace name etc."
},
"author": {
"name": "Name of the author. For localWorkspace it is automatically the workspace user"
},
"support": {
"tier": "Type of support for content item: microsoft | developer | community",
"name": "Name of support contact or company",
"email": "Optional: Email of support contact",
"link":"Optional: Link for support help, like to support page to open a ticket etc"
}
}
}

18
DataConnectors/Templates/Connector_REST_API_AzureFunctionApp_template/Template_REST_API_AzureFunction_App_Code/Template_REST_API_Function_App_PowerShell/Template_REST_API_Function_App_PowerShell.ps1
Просмотреть файл

@ -18,7 +18,6 @@ $currentUTCtime = (Get-Date).ToUniversalTime()
# The 'IsPastDue' property is 'true' when the current function invocation is later than scheduled.
if ($Timer.IsPastDue) {
Write-Host "PowerShell timer is running late! $($Timer.ScheduledStatus.Last)"
}
# Define the application settings (environmental variables) for the Workspace ID, Workspace Key, <PROVIDER NAME APPLIANCE NAME> API Key(s) or Token, URI, and/or Other variables. Reference (https://docs.microsoft.com/azure/azure-functions/functions-reference-powershell#environment-variables)for more information
@ -116,9 +115,22 @@ Function Post-LogAnalyticsData($customerId, $sharedKey, $body, $logType)
"time-generated-field" = $TimeStampField;
}
$response = Invoke-WebRequest -Uri $logAnalyticsUri -Method $method -ContentType $contentType -Headers $headers -Body $body -UseBasicParsing
return $response.StatusCode
try {
$response = Invoke-WebRequest -Uri $logAnalyticsUri -Method $method -ContentType $contentType -Headers $headers -Body $body -UseBasicParsing
}
catch {
Write-Error "Error during sending logs to Azure Sentinel: $_.Exception.Message"
# Exit out of context
Exit
}
if ($response.StatusCode -eq 200) {
Write-Host "Logs have been successfully sent to Azure Sentinel."
}
else {
Write-Host "Error during sending logs to Azure Sentinel. Response code : $response.StatusCode"
}
return $response.StatusCode
}
<# Use this block to post the JSON formated data into Azure Log Analytics via the Azure Log Analytics Data Collector API

17
DataConnectors/Templates/Connector_REST_API_AzureFunctionApp_template/Template_REST_API_AzureFunction_App_Code/Template_REST_API_Function_App_Python/Template_REST_API_Function_App_Python.py
Просмотреть файл

@ -37,7 +37,7 @@ def main(mytimer: func.TimerRequest) -> None:
customer_id = os.environ['workspaceId']
shared_key = os.envviron['workspaceKey']
log_type = os.envviron['tableName']
logAnalyticsUri = os.environ['logAnalyticsUri']
logAnalyticsUri = os.environ.get('logAnalyticsUri')
if ((logAnalyticsUri in (None, '') or str(logAnalyticsUri).isspace())):
logAnalyticsUri = 'https://' + customerId + '.ods.opinsights.azure.com'
@ -97,7 +97,7 @@ def post_data(customer_id, shared_key, body, log_type):
rfc1123date = datetime.datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT')
content_length = len(body)
signature = build_signature(customer_id, shared_key, rfc1123date, content_length, method, content_type, resource)
logAnalyticsUri = logAnalyticsUri + resource + "?api-version=2016-04-01"
uri = logAnalyticsUri + resource + "?api-version=2016-04-01"
headers = {
'content-type': content_type,
@ -105,12 +105,15 @@ def post_data(customer_id, shared_key, body, log_type):
'Log-Type': log_type,
'x-ms-date': rfc1123date
}
response = requests.post(logAnalyticsUri,data=body, headers=headers)
if (response.status_code >= 200 and response.status_code <= 299):
print 'Accepted'
try:
response = requests.post(uri, data=body, headers=headers)
except Exception as err:
print("Error during sending logs to Azure Sentinel: {}".format(err))
else:
print "Response code: {}".format(response.status_code)
if (response.status_code >= 200 and response.status_code <= 299):
print("logs have been successfully sent to Azure Sentinel.")
else:
print("Error during sending logs to Azure Sentinel. Response code: {}".format(response.status_code))
/* Use this block to post the JSON formated data into Azure Log Analytics via the Azure Log Analytics Data Collector API

20
DataConnectors/Templates/Connector_REST_API_template.json
Просмотреть файл

@ -89,5 +89,23 @@
}
]
}
]
],
"metadata": {
"id": "Unique Identifier (GUID) used to identify dependencies and content from solutions or community.",
"version": "This is an optional field. Default and recommended format for kind value as **community or solutions** is string eg. \"1.0.0\" aligning with solutions which makes it easier to manage the content. Whereas, for kind value as **sourceRepository** the recommended format is numeric (eg. 1, 1.0,1.0.0, etc) aligning to ARM template best practices.",
"kind": "dataConnector",
"source": {
"kind": "source type of the content. Value must be one of these : localWorkspace | community | solution | sourceRepository",
"name": "Name of the content source. The repo name, solution name, LA workspace name etc."
},
"author": {
"name": "Name of the author. For localWorkspace it is automatically the workspace user"
},
"support": {
"tier": "Type of support for content item: microsoft | developer | community",
"name": "Name of support contact or company",
"email": "Optional: Email of support contact",
"link":"Optional: Link for support help, like to support page to open a ticket etc"
}
}
}

20
DataConnectors/Templates/Connector_Syslog_template.json
Просмотреть файл

@ -106,5 +106,23 @@
}
]
}
]
],
"metadata": {
"id": "Unique Identifier (GUID) used to identify dependencies and content from solutions or community.",
"version": "This is an optional field. Default and recommended format for kind value as **community or solutions** is string eg. \"1.0.0\" aligning with solutions which makes it easier to manage the content. Whereas, for kind value as **sourceRepository** the recommended format is numeric (eg. 1, 1.0,1.0.0, etc) aligning to ARM template best practices.",
"kind": "dataConnector",
"source": {
"kind": "source type of the content. Value must be one of these : localWorkspace | community | solution | sourceRepository",
"name": "Name of the content source. The repo name, solution name, LA workspace name etc."
},
"author": {
"name": "Name of the author. For localWorkspace it is automatically the workspace user"
},
"support": {
"tier": "Type of support for content item: microsoft | developer | community",
"name": "Name of support contact or company",
"email": "Optional: Email of support contact",
"link":"Optional: Link for support help, like to support page to open a ticket etc"
}
}
}

18
DataConnectors/ThycoticSecretServer_CEF.json
Просмотреть файл

@ -120,5 +120,21 @@
"title": "4. Secure your machine ",
"description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)"
}
]
],
"metadata": {
"id": "c4c9c58b-d659-49af-a11e-2d5d7bd8ccc8",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "community"
},
"author": {
"name": "Thycotic"
},
"support": {
"name": "Thycotic",
"link": "https://thycotic.com/support/",
"tier": "developer"
}
}
}

Двоичные данные
DataConnectors/Trend Micro/AzureFunctionTrendMicroXDR.zip
Просмотреть файл

Двоичный файл не отображается.

15
DataConnectors/Trend Micro/AzureFunctionTrendMicroXDR/TimerTrigger/__init__.py
Просмотреть файл

@ -14,6 +14,7 @@ import hmac
import hashlib
import sys
import os
import re
import azure.functions as func
def main(mytimer: func.TimerRequest) -> None:
@ -39,6 +40,15 @@ api_id = os.environ ['api_key']
regioncode = os.environ ['regioncode']
url_base = region[regioncode]
log_type = 'TrendMicro_XDR'
logAnalyticsUri = os.environ.get('logAnalyticsUri')
if ((logAnalyticsUri in (None, '') or str(logAnalyticsUri).isspace())):
logAnalyticsUri = 'https://' + customer_id + '.ods.opinsights.azure.com'
pattern = r'https:\/\/([\w\-]+)\.ods\.opinsights\.azure.([a-zA-Z\.]+)$'
match = re.match(pattern,str(logAnalyticsUri))
if(not match):
raise Exception("Trend Micro: Invalid Log Analytics Uri.")
#Get List of Events
def getWorkbenchList():
@ -107,7 +117,7 @@ def post_data(customer_id, shared_key, body, log_type, workbencheIds):
rfc1123date = datetime.datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT')
content_length = len(body)
signature = build_signature(customer_id, shared_key, rfc1123date, content_length, method, content_type, resource)
uri = 'https://' + customer_id + '.ods.opinsights.azure.com' + resource + '?api-version=2016-04-01'
uri = logAnalyticsUri + resource + '?api-version=2016-04-01'
headers = {
'content-type': content_type,
@ -116,7 +126,7 @@ def post_data(customer_id, shared_key, body, log_type, workbencheIds):
'x-ms-date': rfc1123date
}
response = requests.post(uri,data=body, headers=headers)
response = requests.post(uri, data=body, headers=headers)
if (response.status_code >= 200 and response.status_code <= 299):
print ('Accepted ' + workbencheIds)
#Uncomment for easy troublshooting of log posting to Sentinel
@ -150,3 +160,4 @@ def function():
a += 1
return status

18
DataConnectors/Trend Micro/TrendMicroXDR_REST_API_Connector.json
Просмотреть файл

@ -130,5 +130,21 @@
"title": "Azure Resource Manager (ARM) Template Deployment",
"description": "This method provides an automated deployment of the Trend Micro XDR connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-trendmicroxdr-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter a unique **Function Name**, **Workspace ID**, **Workspace Key**, **API Token** and **Region Code**. \n - Note: Provide the appropriate region code based on where your Trend Micro XDR instance is deployed: us, eu, au, in, sg, jp \n - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."
}
]
],
"metadata": {
"id": "61d3a450-20c0-4f0e-9209-b8cf41d9a774",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "community"
},
"author": {
"name": "Trend Micro"
},
"support": {
"name": "Trend Micro",
"link": "https://success.trendmicro.com/technical-support",
"tier": "developer"
}
}
}

21
DataConnectors/TrendMicroDeepSecurity.json
Просмотреть файл

@ -52,7 +52,8 @@
}
],
"availability": {
"status": 1
"status": 1,
"isPreview": true
},
"permissions": {
"resourceProvider": [
@ -130,5 +131,21 @@
"title": "4. Secure your machine ",
"description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)"
}
]
],
"metadata": {
"id": "abf0937a-e5be-4587-a805-fd5dbcffd6cd",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "community"
},
"author": {
"name": "Trend Micro"
},
"support": {
"name": "Trend Micro",
"link": "https://success.trendmicro.com/technical-support",
"tier": "developer"
}
}
}

18
DataConnectors/TrendMicroTippingPoint.json
Просмотреть файл

@ -126,5 +126,21 @@
"title": "4. Secure your machine ",
"description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)"
}
]
],
"metadata": {
"id": "78cd5319-f6b0-4428-be45-5dea94c8ec83",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "community"
},
"author": {
"name": "Trend Micro"
},
"support": {
"name": "Trend Micro",
"link": "https://success.trendmicro.com/technical-support",
"tier": "developer"
}
}
}

18
DataConnectors/WireXsystemsNFP(1b).json
Просмотреть файл

@ -126,5 +126,21 @@
"title": "4. Secure your machine ",
"description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)"
}
]
],
"metadata": {
"id": "4c0776c2-a5dc-419d-8cf7-81c2484448d2",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "community"
},
"author": {
"name": "WireX Systems"
},
"support": {
"name": "WireX Systems",
"email": "support@wirexsystems.com",
"tier": "developer"
}
}
}

25
DataConnectors/Zimperium MTD Alerts.json
Просмотреть файл

@ -1,5 +1,5 @@
{
"id": "Zimperium_MTD_Alerts",
"id": "ZimperiumMtdAlerts",
"title": "Zimperium Mobile Threat Defense",
"publisher": "Zimperium",
"descriptionMarkdown": "Zimperium Mobile Threat Defense connector gives you the ability to connect the Zimperium threat log with Azure Sentinel to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's mobile threat landscape and enhances your security operation capabilities.",
@ -61,15 +61,14 @@
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs":""
]
},
"instructionSteps": [
{
@ -96,5 +95,21 @@
}
]
}
]
],
"metadata": {
"id": "26bcf619-26b2-44aa-a7ad-212da52deeb8",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "community"
},
"author": {
"name": "Zimperium"
},
"support": {
"name": "Zimperium",
"link": "https://www.zimperium.com/support",
"tier": "developer"
}
}
}

Двоичные данные
DataConnectors/ZoomReports/ZoomAPISentinelConn.zip Normal file
Просмотреть файл

Двоичный файл не отображается.

121
DataConnectors/ZoomReports/ZoomReports_API_FunctionApp.json Normal file
Просмотреть файл

@ -0,0 +1,121 @@
{
"id": "Zoom",
"title": "Zoom Reports",
"publisher": "Zoom",
"descriptionMarkdown": "The [Zoom](https://zoom.us/) Reports data connector provides the capability to ingest [Zoom Reports](https://marketplace.zoom.us/docs/api-reference/zoom-api/reports/) events into Azure Sentinel through the REST API. Refer to [API documentation](https://marketplace.zoom.us/docs/api-reference/introduction) for more information. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.",
"additionalRequirementBanner": "These queries and workbooks are dependent on a parser based on Kusto to work as expected. Follow the steps to use this Kusto functions alias **Zoom** in queries and workbooks [Follow steps to get this Kusto functions>](https://aka.ms/sentinel-ZoomAPI-parser).",
"graphQueries": [{
"metricName": "Total data received",
"legend": "Zoom_CL",
"baseQuery": "Zoom_CL"
}
],
"sampleQueries": [{
"description": "Zoom Events - All Activities.",
"query": "Zoom\n | sort by TimeGenerated desc"
}
],
"dataTypes": [{
"name": "Zoom_CL",
"lastDataReceivedQuery": "Zoom_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [{
"type": "IsConnectedQuery",
"value": [
"Zoom_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 2,
"isPreview": true
},
"permissions": {
"resourceProvider": [{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions on the workspace are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [{
"name": "Microsoft.Web/sites permissions",
"description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
},
{
"name": "REST API Credentials/permissions",
"description": "**ZoomApiKey** and **ZoomApiSecret** are required for Zoom API. [See the documentation to learn more about API](https://marketplace.zoom.us/docs/guides/auth/jwt). Check all [requirements and follow the instructions](https://marketplace.zoom.us/docs/guides/auth/jwt) for obtaining credentials."
}
]
},
"instructionSteps": [{
"title": "",
"description": ">**NOTE:** This connector uses Azure Functions to connect to the Zoom API to pull its logs into Azure Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
},
{
"title": "",
"description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
},
{
"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. [Follow these steps](https://aka.ms/sentinel-ZoomAPI-parser) to create the Kusto functions alias, **Zoom**"
},
{
"title": "",
"description": "**STEP 1 - Configuration steps for the Zoom API**\n\n [Follow the instructions](https://marketplace.zoom.us/docs/guides/auth/jwt) to obtain the credentials. \n"
},
{
"title": "",
"description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Zoom Reports data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following).",
"instructions": [{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID"
},
"type": "CopyableLabel"
},
{
"parameters": {
"fillWith": [
"PrimaryKey"
],
"label": "Primary Key"
},
"type": "CopyableLabel"
}
]
},
{
"title": "Option 1 - Azure Resource Manager (ARM) Template",
"description": "Use this method for automated deployment of the Zoom Audit data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ZoomAPI-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group.\n3. Enter the **ZoomApiKey**, **ZoomApiSecret** and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."
},
{
"title": "Option 2 - Manual Deployment of Azure Functions",
"description": "Use the following step-by-step instructions to deploy the Zoom Reports data connector manually with Azure Functions (Deployment via Visual Studio Code)."
},
{
"title": "",
"description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-ZoomAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. ZoomXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Azure Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration."
},
{
"title": "",
"description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select ** New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tZoomApiKey\n\t\tZoomApiSecret\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://<CustomerId>.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**."
}
]
}

209
DataConnectors/ZoomReports/ZoomSentinelConnector/__init__.py Normal file
Просмотреть файл

@ -0,0 +1,209 @@
import azure.functions as func
import jwt
import datetime
import json
import base64
import hashlib
import hmac
import requests
import re
import os
import logging
from .state_manager import StateManager
jwt_api_key = os.environ['ZoomApiKey']
jwt_api_secret = os.environ['ZoomApiSecret']
customer_id = os.environ['WorkspaceID']
shared_key = os.environ['WorkspaceKey']
connection_string = os.environ['AzureWebJobsStorage']
logAnalyticsUri = os.environ.get('logAnalyticsUri')
table_name = "Zoom"
chunksize = 10000
if ((logAnalyticsUri in (None, '') or str(logAnalyticsUri).isspace())):
logAnalyticsUri = 'https://' + customer_id + '.ods.opinsights.azure.com'
pattern = r'https:\/\/([\w\-]+)\.ods\.opinsights\.azure.([a-zA-Z\.]+)$'
match = re.match(pattern,str(logAnalyticsUri))
if(not match):
raise Exception("Zoom: Invalid Log Analytics Uri.")
class Zoom:
def __init__(self):
self.api_key = jwt_api_key
self.api_secret = jwt_api_secret
self.base_url = "https://api.zoom.us/v2"
self.jwt_token_exp_hours = 1
self.jwt_token = self.generate_jwt_token()
self.from_day,self.to_day = self.generate_date()
self.headers = {
'Accept': 'application/json',
'authorization': "Bearer " + self.jwt_token,
}
def generate_jwt_token(self):
payload = {
'iss': self.api_key,
'exp': datetime.datetime.now() + datetime.timedelta(hours=self.jwt_token_exp_hours)
}
jwt_token = jwt.encode(payload, self.api_secret)
return jwt_token
def generate_date(self):
current_time_day = datetime.datetime.utcnow().replace(second=0, microsecond=0)
state = StateManager(connection_string)
past_time = state.get()
if past_time is not None:
logging.info("The last time point is: {}".format(past_time))
else:
logging.info("There is no last time point, trying to get events for last week.")
past_time = (current_time_day - datetime.timedelta(days=7)).strftime("%Y-%m-%d")
state.post(current_time_day.strftime("%Y-%m-%d"))
return (past_time, current_time_day.strftime("%Y-%m-%d"))
def get_report(self, report_type_suffix,next_page_token = None):
query_params = {
"page_size": 300,
"from": self.from_day,
"to": self.to_day
}
if next_page_token:
query_params.update({"next_page_token": next_page_token})
try:
r = requests.get(url = self.base_url + report_type_suffix,
params = query_params,
headers = self.headers)
if r.status_code == 200:
return r.json()
elif r.status_code == 400:
logging.error("The requested report cannot be generated for this account because"
" this account has not subscribed to toll-free audio conference plan."
" Error code: {}".format(r.status_code))
elif r.status_code == 401:
logging.error("Invalid access token. Error code: {}".format(r.status_code))
elif r.status_code == 300:
logging.error("Only provide report in recent 6 months. Error code: {}".format(
r.status_code))
else:
logging.error("Something wrong. Error code: {}".format(r.status_code))
except Exception as err:
logging.error("Something wrong. Exception error text: {}".format(err))
class Sentinel:
def __init__(self):
self.logAnalyticsUri = logAnalyticsUri
self.success_processed = 0
self.fail_processed = 0
self.table_name = table_name
self.chunksize = chunksize
def gen_chunks_to_object(self, data, chunksize=100):
chunk = []
for index, line in enumerate(data):
if (index % chunksize == 0 and index > 0):
yield chunk
del chunk[:]
chunk.append(line)
yield chunk
def gen_chunks(self, data):
for chunk in self.gen_chunks_to_object(data, chunksize=self.chunksize):
obj_array = []
for row in chunk:
if row != None and row != '':
obj_array.append(row)
body = json.dumps(obj_array)
self.post_data(body, len(obj_array))
def build_signature(self, date, content_length, method, content_type, resource):
x_headers = 'x-ms-date:' + date
string_to_hash = method + "\n" + str(content_length) + "\n" + content_type + "\n" + x_headers + "\n" + resource
bytes_to_hash = bytes(string_to_hash, encoding="utf-8")
decoded_key = base64.b64decode(shared_key)
encoded_hash = base64.b64encode(
hmac.new(decoded_key, bytes_to_hash, digestmod=hashlib.sha256).digest()).decode()
authorization = "SharedKey {}:{}".format(customer_id, encoded_hash)
return authorization
def post_data(self, body, chunk_count):
method = 'POST'
content_type = 'application/json'
resource = '/api/logs'
rfc1123date = datetime.datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT')
content_length = len(body)
signature = self.build_signature(rfc1123date, content_length, method, content_type,
resource)
uri = self.logAnalyticsUri + resource + '?api-version=2016-04-01'
headers = {
'content-type': content_type,
'Authorization': signature,
'Log-Type': self.table_name,
'x-ms-date': rfc1123date
}
response = requests.post(uri, data=body, headers=headers)
if (response.status_code >= 200 and response.status_code <= 299):
logging.info("Chunk was processed({} events)".format(chunk_count))
self.success_processed = self.success_processed + chunk_count
else:
logging.error("Error during sending events to Azure Sentinel. Response code:{}".format(response.status_code))
self.fail_processed = self.fail_processed + chunk_count
def results_array_join(result_element,api_req_id,api_req_name):
for element in result_element[api_req_id]:
element['event_type'] = api_req_id
element['event_name'] = api_req_name
results_array.append(element)
def get_main_info():
for api_req_id, api_req_info in reports_api_requests_dict.items():
api_req = api_req_info['api_req']
api_req_name = api_req_info['name']
logging.info("Getting report: {}".format(api_req_info['name']))
result = zoom.get_report(report_type_suffix = api_req)
if result is not None:
next_page_token = result.get('next_page_token')
results_array_join(result,api_req_id,api_req_name)
else:
next_page_token = None
while next_page_token:
result = zoom.get_report(report_type_suffix=api_req, next_page_token = next_page_token)
if result is not None:
next_page_token = result.get('next_page_token')
results_array_join(result, api_req_id, api_req_name)
else:
next_page_token = None
def main(mytimer: func.TimerRequest) -> None:
utc_timestamp = datetime.datetime.utcnow().replace(
tzinfo=datetime.timezone.utc).isoformat()
if mytimer.past_due:
logging.info('The timer is past due!')
logging.info('Python timer trigger function ran at %s', utc_timestamp)
logging.info('Starting program')
global results_array, reports_api_requests_dict, zoom
reports_api_requests_dict = \
{
"dates": {"api_req": "/report/daily", "name": "Daily Usage Reports."},
"users": {"api_req": "/report/users", "name": "Active/Inactive Host Reports."},
"telephony_usage": {"api_req": "/report/telephone", "name": "Telephone Reports."},
"cloud_recording_storage": {"api_req": "/report/cloud_recording", "name": "Cloud Recording Usage Reports."},
"operation_logs": {"api_req": "/report/operationlogs", "name": "Operation Logs Report."},
"activity_logs": {"api_req": "/report/activities", "name": "Sign In/Sign Out Activity Report."}
}
results_array = []
zoom = Zoom()
sentinel = Sentinel()
zoom_class_vars = vars(zoom)
from_day, to_day = zoom_class_vars['from_day'], zoom_class_vars['to_day']
logging.info('Trying to get events for period: {} - {}'.format(from_day, to_day))
get_main_info()
sentinel.gen_chunks(results_array)
sentinel_class_vars = vars(sentinel)
success_processed, fail_processed = sentinel_class_vars["success_processed"],\
sentinel_class_vars["fail_processed"]
logging.info('Total events processed successfully: {}, failed: {}. Period: {} - {}'
.format(success_processed, fail_processed, from_day, to_day))

11
DataConnectors/ZoomReports/ZoomSentinelConnector/function.json Normal file
Просмотреть файл

@ -0,0 +1,11 @@
{
"scriptFile": "__init__.py",
"bindings": [
{
"name": "mytimer",
"type": "timerTrigger",
"direction": "in",
"schedule": "0 59 23 * * *"
}
]
}

0
DataConnectors/Box/AzureFunctionBox/state_manager.py → DataConnectors/ZoomReports/ZoomSentinelConnector/state_manager.py
Просмотреть файл

199
DataConnectors/ZoomReports/azuredeploy_Connector_ZoomAPI_AzureFunction.json Normal file
Просмотреть файл

@ -0,0 +1,199 @@
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"FunctionName": {
"defaultValue": "Zoom",
"minLength": 1,
"maxLength": 11,
"type": "string"
},
"WorkspaceID": {
"type": "string",
"defaultValue": "<workspaceID>"
},
"WorkspaceKey": {
"type": "securestring",
"defaultValue": "<workspaceKey>"
},
"ZoomApiKey": {
"type": "string",
"defaultValue": "<ZoomApiKey>"
},
"ZoomApiSecret": {
"type": "securestring",
"defaultValue": "<ZoomApiSecret>"
}
},
"variables": {
"FunctionName": "[concat(toLower(parameters('FunctionName')), uniqueString(resourceGroup().id))]",
"StorageSuffix": "[environment().suffixes.storage]",
"LogAnaltyicsUri": "[replace(environment().portal, 'https://portal', concat('https://', toLower(parameters('WorkspaceID')), '.ods.opinsights'))]"
},
"resources": [
{
"type": "Microsoft.Insights/components",
"apiVersion": "2015-05-01",
"name": "[variables('FunctionName')]",
"location": "[resourceGroup().location]",
"kind": "web",
"properties": {
"Application_Type": "web",
"ApplicationId": "[variables('FunctionName')]"
}
},
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"name": "[tolower(variables('FunctionName'))]",
"location": "[resourceGroup().location]",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"networkAcls": {
"bypass": "AzureServices",
"virtualNetworkRules": [],
"ipRules": [],
"defaultAction": "Allow"
},
"supportsHttpsTrafficOnly": true,
"encryption": {
"services": {
"file": {
"keyType": "Account",
"enabled": true
},
"blob": {
"keyType": "Account",
"enabled": true
}
},
"keySource": "Microsoft.Storage"
}
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]"
],
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"properties": {
"cors": {
"corsRules": []
},
"deleteRetentionPolicy": {
"enabled": false
}
}
},
{
"type": "Microsoft.Storage/storageAccounts/fileServices",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]"
],
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"properties": {
"cors": {
"corsRules": []
}
}
},
{
"type": "Microsoft.Web/sites",
"apiVersion": "2018-11-01",
"name": "[variables('FunctionName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]",
"[resourceId('Microsoft.Insights/components', variables('FunctionName'))]"
],
"kind": "functionapp,linux",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"name": "[variables('FunctionName')]",
"httpsOnly": true,
"clientAffinityEnabled": true,
"alwaysOn": true,
"reserved": true,
"siteConfig": {
"linuxFxVersion": "python|3.8"
}
},
"resources": [
{
"apiVersion": "2018-11-01",
"type": "config",
"name": "appsettings",
"dependsOn": [
"[concat('Microsoft.Web/sites/', variables('FunctionName'))]"
],
"properties": {
"FUNCTIONS_EXTENSION_VERSION": "~3",
"FUNCTIONS_WORKER_RUNTIME": "python",
"APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', variables('FunctionName')), '2015-05-01').InstrumentationKey]",
"APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', variables('FunctionName')), '2015-05-01').ConnectionString]",
"AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('FunctionName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]",
"logAnalyticsUri": "[variables('LogAnaltyicsUri')]",
"WorkspaceID": "[parameters('WorkspaceID')]",
"WorkspaceKey": "[parameters('WorkspaceKey')]",
"ZoomApiKey": "[parameters('ZoomApiKey')]",
"ZoomApiSecret": "[parameters('ZoomApiSecret')]",
"WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-ZoomAPI-functionapp"
}
}
]
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default/azure-webjobs-hosts')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('FunctionName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]"
],
"properties": {
"publicAccess": "None"
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default/azure-webjobs-secrets')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('FunctionName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]"
],
"properties": {
"publicAccess": "None"
}
},
{
"type": "Microsoft.Storage/storageAccounts/fileServices/shares",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default/', tolower(variables('FunctionName')))]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/fileServices', variables('FunctionName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]"
],
"properties": {
"shareQuota": 5120
}
}
]
}

15
DataConnectors/ZoomReports/host.json Normal file
Просмотреть файл

@ -0,0 +1,15 @@
{
"version": "2.0",
"logging": {
"applicationInsights": {
"samplingSettings": {
"isEnabled": true,
"excludedTypes": "Request"
}
}
},
"extensionBundle": {
"id": "Microsoft.Azure.Functions.ExtensionBundle",
"version": "[1.*, 2.0.0)"
}
}

4
DataConnectors/ZoomReports/proxies.json Normal file
Просмотреть файл

@ -0,0 +1,4 @@
{
"$schema": "http://json.schemastore.org/proxies",
"proxies": {}
}

8
DataConnectors/ZoomReports/requirements.txt Normal file
Просмотреть файл

@ -0,0 +1,8 @@
# DO NOT include azure-functions-worker in this file
# The Python Worker is managed by Azure Functions platform
# Manually managing azure-functions-worker may cause unexpected issues
azure-storage-file-share==12.3.0
azure-functions
pyjwt
requests

18
DataConnectors/alcide_kaudit.json
Просмотреть файл

@ -103,5 +103,21 @@
}
]
}
]
],
"metadata" : {
"id": "ffaeb3c2-6c9a-4d55-8852-e13da1162ec6",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "community"
},
"author": {
"name": "Alcide"
},
"support": {
"name": "Alcide",
"link": "https://www.alcide.io/company/contact-us/",
"tier": "developer"
}
}
}

18
DataConnectors/illusive Attack Management System.json
Просмотреть файл

@ -114,5 +114,21 @@
"title": "4. Secure your machine ",
"description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)"
}
]
],
"metadata": {
"id": "aa770f1e-4d05-477a-8dc1-b893772f3a46",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "community"
},
"author": {
"name": "Illusive Networks"
},
"support": {
"name": "Illusive Networks",
"link": "https://www.illusivenetworks.com/technical-support/",
"tier": "developer"
}
}
}

18
DataConnectors/template_BarracudaCloudFirewall.JSON
Просмотреть файл

@ -125,5 +125,21 @@
}
]
}
]
],
"metadata": {
"id": "afbf6c4a-7190-442a-a649-5c18a907ceb3",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "community"
},
"author": {
"name": "Barracuda Networks"
},
"support": {
"name": "Barracuda Networks",
"link": "https://www.barracuda.com/support",
"tier": "developer"
}
}
}

20
Detections/AlsidForAD/DCShadow.yaml Normal file
Просмотреть файл

@ -0,0 +1,20 @@
id: 25e0b2dd-3ad3-4d5b-80dd-720f4ef0f12c
name: Alsid DCShadow
description: |
'Searches for DCShadow attacks'
severity: High
requiredDataConnectors:
- connectorId: AlsidForAD
dataTypes:
- AlsidForADLog_CL
queryFrequency: 2h
queryPeriod: 2h
triggerOperator: gt
triggerThreshold: 0
tactics:
- DefenseEvasion
relevantTechniques:
- T1207
query: |
afad_parser
| where MessageType == 2 and Codename == "DCShadow"

20
Detections/AlsidForAD/DCSync.yaml Normal file
Просмотреть файл

@ -0,0 +1,20 @@
id: d3c658bd-8da9-4372-82e4-aaffa922f428
name: Alsid DCSync
description: |
'Searches for DCSync attacks'
severity: High
requiredDataConnectors:
- connectorId: AlsidForAD
dataTypes:
- AlsidForADLog_CL
queryFrequency: 2h
queryPeriod: 2h
triggerOperator: gt
triggerThreshold: 0
tactics:
- CredentialAccess
relevantTechniques:
- T1003.006
query: |
afad_parser
| where MessageType == 2 and Codename == "DCSync"

20
Detections/AlsidForAD/GoldenTicket.yaml Normal file
Просмотреть файл

@ -0,0 +1,20 @@
id: 21ab3f52-6d79-47e3-97f8-ad65f2cb29fb
name: Alsid Golden Ticket
description: |
'Searches for Golden Ticket attacks'
severity: High
requiredDataConnectors:
- connectorId: AlsidForAD
dataTypes:
- AlsidForADLog_CL
queryFrequency: 2h
queryPeriod: 2h
triggerOperator: gt
triggerThreshold: 0
tactics:
- CredentialAccess
relevantTechniques:
- T1558.001
query: |
afad_parser
| where MessageType == 2 and Codename == "Golden Ticket"

28
Detections/AlsidForAD/IndicatorsOfAttack.yaml Normal file
Просмотреть файл

@ -0,0 +1,28 @@
id: 3caa67ef-8ed3-4ab5-baf2-3850d3667f3d
name: Alsid Indicators of Attack
description: |
'Searches for triggered Indicators of Attack'
severity: Low
requiredDataConnectors:
- connectorId: AlsidForAD
dataTypes:
- AlsidForADLog_CL
queryFrequency: 2h
queryPeriod: 2h
triggerOperator: gt
triggerThreshold: 0
tactics:
- CredentialAccess
relevantTechniques:
- T1110
query: |
let SeverityTable=datatable(Severity:string,Level:int) [
"low", 1,
"medium", 2,
"high", 3,
"critical", 4
];
afad_parser
| where MessageType == 2
| lookup kind=leftouter SeverityTable on Severity
| order by Level

20
Detections/AlsidForAD/LSASSMemory.yaml Normal file
Просмотреть файл

@ -0,0 +1,20 @@
id: 3acf5617-7c41-4085-9a79-cc3a425ba83a
name: Alsid LSASS Memory
description: |
'Searches for OS Credentials dumping attacks'
severity: High
requiredDataConnectors:
- connectorId: AlsidForAD
dataTypes:
- AlsidForADLog_CL
queryFrequency: 2h
queryPeriod: 2h
triggerOperator: gt
triggerThreshold: 0
tactics:
- CredentialAccess
relevantTechniques:
- T1003.001
query: |
afad_parser
| where MessageType == 2 and Codename == "OS Credential Dumping: LSASS Memory"

20
Detections/AlsidForAD/PasswordGuessing.yaml Normal file
Просмотреть файл

@ -0,0 +1,20 @@
id: ba239935-42c2-472d-80ba-689186099ea1
name: Alsid Password Guessing
description: |
'Searches for bruteforce Password Guessing attacks'
severity: High
requiredDataConnectors:
- connectorId: AlsidForAD
dataTypes:
- AlsidForADLog_CL
queryFrequency: 2h
queryPeriod: 2h
triggerOperator: gt
triggerThreshold: 0
tactics:
- CredentialAccess
relevantTechniques:
- T1110
query: |
afad_parser
| where MessageType == 2 and Codename == "Password Guessing"

Некоторые файлы не были показаны из-за слишком большого количества измененных файлов Показать больше