Merge pull request #5339 from securepractice/SecurePracticeMailRisk

Secure Practice MailRisk Solution
NikTripathi 2022-07-05 10:36:12 +05:30 коммит произвёл GitHub
Родитель 220444f1e6 beeb703b00
Коммит fd50b2599a
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
4 изменённых файлов: 6340 добавлений и 0 удалений


@ -0,0 +1,161 @@
{
"Name":"MailRiskEmail_CL",
"Properties":[
{
"Name":"TenantId",
"Type":"String"
},
{
"Name":"SourceSystem",
"Type":"String"
},
{
"Name":"MG",
"Type":"String"
},
{
"Name":"ManagementGroupName",
"Type":"String"
},
{
"Name":"ManagementGroupName",
"Type":"String"
},
{
"Name":"TimeGenerated [UTC]",
"Type":"DateTime"
},
{
"Name":"Computer",
"Type":"String"
},
{
"Name":"RawData",
"Type":"String"
},
{
"Name":"event_type_s",
"Type":"String"
},
{
"Name":"reported_at_s",
"Type":"String"
},
{
"Name":"id_d",
"Type":"Double"
},
{
"Name":"message_id_s",
"Type":"String"
},
{
"Name":"size_bytes_d",
"Type":"Double"
},
{
"Name":"subject_s",
"Type":"String"
},
{
"Name":"from_email_s",
"Type":"String"
},
{
"Name":"from_name_s",
"Type":"String"
},
{
"Name":"reply_to_s",
"Type":"String"
},
{
"Name":"spam_score_d",
"Type":"Double"
},
{
"Name":"spf_s",
"Type":"String"
},
{
"Name":"originating_ip_s",
"Type":"String"
},
{
"Name":"_links_count_hard_d",
"Type":"Double"
},
{
"Name":"links_s",
"Type":"Dynamic"
},
{
"Name":"_attachments_count_hard_d",
"Type":"Double"
},
{
"Name":"attachments_s",
"Type":"Dynamic"
},
{
"Name":"reporter_domain_s",
"Type":"String"
},
{
"Name":"company_id_d",
"Type":"Double"
},
{
"Name":"feedback_requested_b",
"Type":"Boolean"
},
{
"Name":"feedback_provided_b",
"Type":"Boolean"
},
{
"Name":"Category",
"Type":"String"
},
{
"Name":"risk_d",
"Type":"Double"
},
{
"Name":"risk_source_s",
"Type":"String"
},
{
"Name":"sent_at_s",
"Type":"String"
},
{
"Name":"assessed_at_s",
"Type":"String"
},
{
"Name":"content_status_s",
"Type":"String"
},
{
"Name":"headers_s",
"Type":"Dynamic"
},
{
"Name":"assessments_s",
"Type":"Dynamic"
},
{
"Name":"reported_risk_d",
"Type":"Double"
},
{
"Name":"Type",
"Type":"String"
},
{
"Name":"_ResourceId",
"Type":"String"
}
]
}
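Review bot: `ManagementGroupName` is defined twice in the property list (L30-33 and L34-37); one of the entries should be dropped, since a duplicate column definition is likely to be either ignored or rejected when the table is created. The table name `MailRiskEmail_CL` also does not match the connector definition later in this commit, whose graph, sample, lastDataReceived and connectivity queries all target `MailRiskEmails_CL` (L229-261), so whichever name the ingestion actually uses, the other artifact is wrong and the connector health check would never succeed. `TimeGenerated [UTC]` looks like a portal-export column label rather than the column's real name, given that the sample queries sort on plain `TimeGenerated`; confirm and rename it to `TimeGenerated`. If `id_d` and `company_id_d` are identifiers rather than quantities, note that `Double` cannot represent integers above 2^53 exactly; posting them as strings from the function would yield `_s` columns that round-trip unchanged.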


@ -0,0 +1,31 @@
<?xml version="1.0" encoding="utf-8"?>
<!-- Generator: Adobe Illustrator 16.0.3, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->
<svg version="1.2" baseProfile="tiny" xmlns="http://www.w3.org/2000/svg" x="0px" y="0px" width="1285.653px" height="1285.656px" viewBox="0 0 1285.653 1285.656" xml:space="preserve">
<g>
<rect display="none" fill="#575756" width="1285.653" height="1285.656" />
<path fill="#DE8004" stroke="#FFFFFF" stroke-width="84" d="M1020.921,355.942c0,0-0.323-0.081-0.928-0.225V224.222L887.475,91.183
H642.827H397.576L264.732,224.222v131.721L128.172,492.503v328.858c202.518,287.056,257.328,248.038,514.655,405.036
c257.327-156.998,312.138-117.98,514.655-405.036V492.503L1020.921,355.942z M642.711,487.857
c-64.426-103.525-164.249-134.999-245.135-141.39v-77.654l44.591-45.251h200.66h200.166l44.482,45.251v77.412
C804.443,352.034,702.442,382.954,642.711,487.857z" />
<g>
<polygon fill="#999999" points="264.732,355.942 264.732,224.222 397.576,91.183 642.827,91.183 642.827,223.563 442.167,223.563
397.576,268.813 397.576,355.942 " />
<polygon fill="#BABABA" points="1019.993,355.942 1019.993,224.222 887.475,91.183 642.827,91.183 642.827,223.563
842.993,223.563 887.475,268.813 887.475,355.942 " />
<path fill="#F7A738" d="M642.827,1226.397c257.327-156.998,312.138-117.98,514.655-405.036V492.503l-136.561-136.561
c0,0-265.015-66.887-378.21,131.915" />
<path fill="#DE8004" d="M642.827,1226.397c-257.327-156.998-312.138-117.98-514.655-405.036V492.503l136.561-136.561
c0,0,254.26-66.887,377.979,131.915" />
</g>
<g>
<rect x="642.827" y="590.941" fill="#DE8004" width="142.145" height="142.145" />
<rect x="784.972" y="733.086" fill="#DE8004" width="142.144" height="142.146" />
<rect x="500.683" y="590.941" fill="#F7A738" width="142.145" height="142.145" />
<rect x="500.683" y="733.086" fill="#F7A738" width="142.145" height="142.146" />
<rect x="358.538" y="733.086" fill="#F7A738" width="142.145" height="142.146" />
<rect x="358.538" y="875.231" fill="#F7A738" width="142.145" height="142.145" />
<rect x="358.538" y="449.77" fill="#F7A738" width="142.145" height="142.145" />
</g>
</g>
</svg>




@ -0,0 +1,140 @@
{
"id": "SecurePractice_MailRisk",
"title": "MailRisk by Secure Practice",
"publisher": "Secure Practice",
"descriptionMarkdown": "Data connector to push emails from MailRisk into Microsoft Sentinel Log Analytics.",
"graphQueries": [
{
"metricName": "Total emails received",
"legend": "MailRiskEmails_CL",
"baseQuery": "MailRiskEmails_CL"
}
],
"sampleQueries": [
{
"description" : "All emails",
"query": "MailRiskEmails_CL\n| sort by TimeGenerated desc"
},
{
"description" : "Emails with SPF pass",
"query": "MailRiskEmails_CL\n| where spf_s == 'pass' \n| sort by TimeGenerated desc"
},
{
"description" : "Emails with specific category",
"query": "MailRiskEmails_CL\n| where Category == 'scam' \n| sort by TimeGenerated desc"
},
{
"description" : "Emails with link urls that contain the string \"microsoft\"",
"query": "MailRiskEmails_CL\n| sort by TimeGenerated desc\n| mv-expand link = parse_json(links_s)\n| where link.url contains \"microsoft\""
}
],
"dataTypes": [
{
"name": "MailRiskEmails_CL",
"lastDataReceivedQuery": "MailRiskEmails_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"MailRiskEmails_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions on the workspace are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [
{
"name": "Microsoft.Web/sites permissions",
"description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
},
{
"name": "API credentials",
"description": "Your Secure Practice API key pair is also needed, which are created in the [settings in the admin portal](https://manage.securepractice.co/settings/security). If you have lost your API secret, you can generate a new key pair (WARNING: Any other integrations using the old key pair will stop working)."
}
]
},
"instructionSteps": [
{
"title": "",
"description": ">**NOTE:** This connector uses Azure Functions to connect to the Secure Practice API to push logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
},
{
"title": "",
"description": "Please have these the Workspace ID and Workspace Primary Key (can be copied from the following), readily available.",
"instructions":[
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID"
},
"type": "CopyableLabel"
},
{
"parameters": {
"fillWith": [
"PrimaryKey"
],
"label": "Primary Key"
},
"type": "CopyableLabel"
}
]
},
{
"title": "Azure Resource Manager (ARM) Template",
"description": "Use this method for automated deployment of the MailRisk data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fgithub.com%2Fsecurepractice%2Fmailrisk-sentinel-connector%2Fblob%2Fmaster%2Fazuredeploy.json)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **Secure Practice API Key**, **Secure Practice API Secret** \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**.\n5. Click **Purchase** to deploy."
},
{
"title": "Manual deployment",
"description": "In the open source repository on [GitHub](https://github.com/securepractice/mailrisk-sentinel-connector) you can find instructions for how to manually deploy the data connector."
}
],
"metadata": {
"id": "c9c97ce4-2093-466c-846e-49be58a39197",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "sourceRepository",
"name": "mailrisk-sentinel-connector",
"url": "https://github.com/securepractice/mailrisk-sentinel-connector"
},
"author": {
"name": "Secure Practice"
},
"support": {
"tier": "developer",
"name": "Secure Practice",
"email": "support@securepractice.co",
"link": "https://securepractice.co/support"
}
}
}
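Review bot: The Deploy-to-Azure link in the ARM step (L334) encodes `github.com/.../blob/master/azuredeploy.json`, which serves an HTML page rather than the template itself, so the portal's template loader will most likely fail to parse it; point it at the raw-content URL, and pin it to a tag or commit instead of `master` so that the template, and the function code it deploys, cannot change after this review. Step 3 of the same description has the user enter the Workspace Key and the Secure Practice API Secret as template parameters; azuredeploy.json is not on this page, so confirm those parameters are declared as `securestring` so they are not retained in plain text in the resource group's deployment history. The user-facing text at L310 is ungrammatical and should read `Please have the Workspace ID and Workspace Primary Key (which can be copied below) readily available.`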