diff --git a/Solutions/CiscoWSA/Package/1.0.3.zip b/Solutions/CiscoWSA/Package/1.0.3.zip
new file mode 100644
index 0000000000..702224929c
Binary files /dev/null and b/Solutions/CiscoWSA/Package/1.0.3.zip differ
diff --git a/Solutions/CiscoWSA/Package/createUiDefinition.json b/Solutions/CiscoWSA/Package/createUiDefinition.json
new file mode 100644
index 0000000000..097280d294
--- /dev/null
+++ b/Solutions/CiscoWSA/Package/createUiDefinition.json
@@ -0,0 +1,485 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "**Important:** _This Microsoft Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\n[Cisco Web Security Appliance (WSA)](https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html) data connector provides the capability to ingest [Cisco WSA Access Logs](https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa_14-0/User-Guide/b_WSA_UserGuide_14_0/b_WSA_UserGuide_11_7_chapter_010101.html) into Azure Sentinel.\n\nMicrosoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 11, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log 
analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", + "constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "dataconnectors", + "label": "Data Connectors", + "bladeTitle": "Data Connectors", + "elements": [ + { + "name": "dataconnectors1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for CiscoWSA. You can get CiscoWSA Syslog data in your Azure Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. The logs will be received in the Syslog table in your Azure Sentinel / Azure Log Analytics workspace." + } + }, + { + "name": "dataconnectors-parser-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "The Solution installs a parser that transforms the ingested data into Azure Sentinel normalized format. 
The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Azure Sentinel." + } + }, + { + "name": "dataconnectors-link1", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more about normalized format", + "uri": "https://docs.microsoft.com/azure/sentinel/normalization-schema" + } + } + }, + { + "name": "dataconnectors-link2", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more about connecting data sources", + "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" + } + } + } + ] + }, + { + "name": "workbooks", + "label": "Workbooks", + "subLabel": { + "preValidation": "Configure the workbooks", + "postValidation": "Done" + }, + "bladeTitle": "Workbooks", + "elements": [ + { + "name": "workbooks-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Azure Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. 
They allow you to tap into one or many data sources from Azure Sentinel and combine them into unified interactive experiences.", + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data" + } + } + }, + { + "name": "workbook1", + "type": "Microsoft.Common.Section", + "label": "CiscoWSA", + "elements": [ + { + "name": "workbook1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Sets the time name for analysis" + } + }, + { + "name": "workbook1-name", + "type": "Microsoft.Common.TextBox", + "label": "Display Name", + "defaultValue": "CiscoWSA", + "toolTip": "Display name for the workbook.", + "constraints": { + "required": true, + "regex": "[a-z0-9A-Z]{1,256}$", + "validationMessage": "Please enter a workbook name" + } + } + ] + } + ] + }, + { + "name": "analytics", + "label": "Analytics", + "subLabel": { + "preValidation": "Configure the analytics", + "postValidation": "Done" + }, + "bladeTitle": "Analytics", + "elements": [ + { + "name": "analytics-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Azure Sentinel Solution installs analytic rules for CiscoWSA that you can enable for custom alert generation in Azure Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Azure Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.", + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + }, + { + "name": "analytic1", + "type": "Microsoft.Common.Section", + "label": "Cisco WSA - Access to unwanted site", + "elements": [ + { + "name": "analytic1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects when users attempting to access sites from high risk category." 
+ } + } + ] + }, + { + "name": "analytic2", + "type": "Microsoft.Common.Section", + "label": "Cisco WSA - Unexpected uploads", + "elements": [ + { + "name": "analytic2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects unexpected file uploads." + } + } + ] + }, + { + "name": "analytic3", + "type": "Microsoft.Common.Section", + "label": "Cisco WSA - Multiple errors to resource from risky category", + "elements": [ + { + "name": "analytic3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects multiple connection errors to resource from risky category." + } + } + ] + }, + { + "name": "analytic4", + "type": "Microsoft.Common.Section", + "label": "Cisco WSA - Multiple errors to URL", + "elements": [ + { + "name": "analytic4-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects multiple connection errors to URL." + } + } + ] + }, + { + "name": "analytic5", + "type": "Microsoft.Common.Section", + "label": "Cisco WSA - Multiple infected files", + "elements": [ + { + "name": "analytic5-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects multiple infected files on same source." + } + } + ] + }, + { + "name": "analytic6", + "type": "Microsoft.Common.Section", + "label": "Cisco WSA - Multiple attempts to download unwanted file", + "elements": [ + { + "name": "analytic6-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects when multiple attempts to download unwanted file occur." + } + } + ] + }, + { + "name": "analytic7", + "type": "Microsoft.Common.Section", + "label": "Cisco WSA - Suspected protocol abuse", + "elements": [ + { + "name": "analytic7-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects possible protocol abuse." 
+ } + } + ] + }, + { + "name": "analytic8", + "type": "Microsoft.Common.Section", + "label": "Cisco WSA - Internet access from public IP", + "elements": [ + { + "name": "analytic8-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects internet access from public IP." + } + } + ] + }, + { + "name": "analytic9", + "type": "Microsoft.Common.Section", + "label": "Cisco WSA - Unexpected file type", + "elements": [ + { + "name": "analytic9-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects unexpected file type." + } + } + ] + }, + { + "name": "analytic10", + "type": "Microsoft.Common.Section", + "label": "Cisco WSA - Unexpected URL", + "elements": [ + { + "name": "analytic10-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects unexpected URL." + } + } + ] + }, + { + "name": "analytic11", + "type": "Microsoft.Common.Section", + "label": "Cisco WSA - Unscannable file or scan error", + "elements": [ + { + "name": "analytic11-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects unscanned downloaded file." + } + } + ] + } + ] + }, + { + "name": "huntingqueries", + "label": "Hunting Queries", + "bladeTitle": "Hunting Queries", + "elements": [ + { + "name": "huntingqueries-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Azure Sentinel Solution installs hunting queries for CiscoWSA that you can run in Azure Sentinel. These hunting queries will be deployed in the Hunting gallery of your Azure Sentinel workspace. 
Run these hunting queries to hunt for threats in the Hunting gallery after this Solution deploys.", + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/hunting" + } + } + }, + { + "name": "huntingquery1", + "type": "Microsoft.Common.Section", + "label": "Cisco WSA - Blocked files", + "elements": [ + { + "name": "huntingquery1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Query searches for blocked files. It depends on the CiscoWSA data connector and CiscoWSAEvent data type and CiscoWSA parser." + } + } + ] + }, + { + "name": "huntingquery2", + "type": "Microsoft.Common.Section", + "label": "Cisco WSA - Rare aplications", + "elements": [ + { + "name": "huntingquery2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Query searches for rare applications. It depends on the CiscoWSA data connector and CiscoWSAEvent data type and CiscoWSA parser." + } + } + ] + }, + { + "name": "huntingquery3", + "type": "Microsoft.Common.Section", + "label": "Cisco WSA - Top aplications", + "elements": [ + { + "name": "huntingquery3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Query searches for top applications. It depends on the CiscoWSA data connector and CiscoWSAEvent data type and CiscoWSA parser." + } + } + ] + }, + { + "name": "huntingquery4", + "type": "Microsoft.Common.Section", + "label": "Cisco WSA - Top URLs", + "elements": [ + { + "name": "huntingquery4-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Query searches for top URLs. It depends on the CiscoWSA data connector and CiscoWSAEvent data type and CiscoWSA parser." + } + } + ] + }, + { + "name": "huntingquery5", + "type": "Microsoft.Common.Section", + "label": "Cisco WSA - Uncategorized URLs", + "elements": [ + { + "name": "huntingquery5-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Query searches for uncategorized URLs. 
It depends on the CiscoWSA data connector and CiscoWSAEvent data type and CiscoWSA parser." + } + } + ] + }, + { + "name": "huntingquery6", + "type": "Microsoft.Common.Section", + "label": "Cisco WSA - Uploaded files", + "elements": [ + { + "name": "huntingquery6-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Query searches for uploaded files. It depends on the CiscoWSA data connector and CiscoWSAEvent data type and CiscoWSA parser." + } + } + ] + }, + { + "name": "huntingquery7", + "type": "Microsoft.Common.Section", + "label": "Cisco WSA - Rare URL with error", + "elements": [ + { + "name": "huntingquery7-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Query searches for rare URLs with errors. It depends on the CiscoWSA data connector and CiscoWSAEvent data type and CiscoWSA parser." + } + } + ] + }, + { + "name": "huntingquery8", + "type": "Microsoft.Common.Section", + "label": "Cisco WSA - URL shorteners", + "elements": [ + { + "name": "huntingquery8-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Query searches connections to Url shorteners resources. It depends on the CiscoWSA data connector and CiscoWSAEvent data type and CiscoWSA parser." + } + } + ] + }, + { + "name": "huntingquery9", + "type": "Microsoft.Common.Section", + "label": "Cisco WSA - Potentially risky resources", + "elements": [ + { + "name": "huntingquery9-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Query searches for potentially risky resources. It depends on the CiscoWSA data connector and CiscoWSAEvent data type and CiscoWSA parser." + } + } + ] + }, + { + "name": "huntingquery10", + "type": "Microsoft.Common.Section", + "label": "Cisco WSA - User errors", + "elements": [ + { + "name": "huntingquery10-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Query searches for user errors during accessing resource. 
It depends on the CiscoWSA data connector and CiscoWSAEvent data type and CiscoWSA parser."
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "outputs": {
+ "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(filter.id, toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
+ "location": "[location()]",
+ "workspace": "[basics('workspace')]",
+ "workbook1-name": "[steps('workbooks').workbook1.workbook1-name]"
+ }
+ }
+}
diff --git a/Solutions/CiscoWSA/Package/mainTemplate.json b/Solutions/CiscoWSA/Package/mainTemplate.json
new file mode 100644
index 0000000000..92f53d617e
--- /dev/null
+++ b/Solutions/CiscoWSA/Package/mainTemplate.json
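Review bot: The workbook name constraint `"regex": "[a-z0-9A-Z]{1,256}$"` in the `workbook1-name` element of the workbooks step is anchored only at the end, so any input whose trailing run is alphanumeric passes (leading punctuation or spaces are accepted); it should read `"regex": "^[a-z0-9A-Z]{1,256}$"`, and the `validationMessage` could state the rule, e.g. `"Workbook name may only contain letters and digits (1-256 characters)"`. Separately, both the `workspace` dropdown's `allowedValues` filter and the `workspace-location` output select workspaces with `contains(filter.id, toLower(resourceGroup().name))`, a plain substring match on the full resource ID, so a resource group whose name is a prefix of another group's name (constructed example: `sec` and `sec-test`) would list that other group's workspaces and, with `first(...)`, could resolve the deployment location from the wrong workspace; matching on the `/resourceGroups/<name>/` segment would be tighter, and lowering only one side of the comparison presumably relies on the list API returning that segment in lower case, which is worth confirming. The `workbook1-text` block reads `"Sets the time name for analysis"`, which describes the workbook's TimeRange parameter rather than the workbook itself, and the hunting-query labels `Cisco WSA - Rare aplications` and `Cisco WSA - Top aplications` misspell "applications".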
@@ -0,0 +1,1272 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "Sanmit Biraj - v-sabiraj@microsoft.com", + "comments": "Solution template for CiscoWSA" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Sentinel is setup" + } + }, + "formattedTimeNow": { + "type": "string", + "defaultValue": "[utcNow('g')]", + "metadata": { + "description": "Appended to workbook displayNames to make them unique" + } + }, + "workbook1-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the workbook" + } + }, + "workbook1-name": { + "type": "string", + "defaultValue": "CiscoWSA", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + }, + "analytic1-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the scheduled alert rule" + } + }, + "analytic2-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the scheduled alert rule" + } + }, + "analytic3-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the scheduled alert rule" + } + }, + 
"analytic4-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the scheduled alert rule" + } + }, + "analytic5-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the scheduled alert rule" + } + }, + "analytic6-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the scheduled alert rule" + } + }, + "analytic7-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the scheduled alert rule" + } + }, + "analytic8-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the scheduled alert rule" + } + }, + "analytic9-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the scheduled alert rule" + } + }, + "analytic10-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the scheduled alert rule" + } + }, + "analytic11-id": { + "type": "string", + "defaultValue": "[newGuid()]", + "minLength": 1, + "metadata": { + "description": "Unique id for the scheduled alert rule" + } + }, + "connector1-name": { + "type": "string", + "defaultValue": "2867774a-bd42-4001-a7b1-25d605b1f00d" + } + }, + "variables": { + "CiscoWSA_workbook": "CiscoWSA_workbook", + "_CiscoWSA_workbook": "[variables('CiscoWSA_workbook')]", + "workbook-source": "[concat(resourceGroup().id, '/providers/Microsoft.OperationalInsights/workspaces/',parameters('workspace'))]", + "_workbook-source": "[variables('workbook-source')]", + "CiscoWSAAccessToUnwantedSite_AnalyticalRules": "CiscoWSAAccessToUnwantedSite_AnalyticalRules", + "_CiscoWSAAccessToUnwantedSite_AnalyticalRules": 
"[variables('CiscoWSAAccessToUnwantedSite_AnalyticalRules')]", + "CiscoWSADataExfiltration_AnalyticalRules": "CiscoWSADataExfiltration_AnalyticalRules", + "_CiscoWSADataExfiltration_AnalyticalRules": "[variables('CiscoWSADataExfiltration_AnalyticalRules')]", + "CiscoWSAMultipleErrorsToUnwantedCategory_AnalyticalRules": "CiscoWSAMultipleErrorsToUnwantedCategory_AnalyticalRules", + "_CiscoWSAMultipleErrorsToUnwantedCategory_AnalyticalRules": "[variables('CiscoWSAMultipleErrorsToUnwantedCategory_AnalyticalRules')]", + "CiscoWSAMultipleErrorsToUrl_AnalyticalRules": "CiscoWSAMultipleErrorsToUrl_AnalyticalRules", + "_CiscoWSAMultipleErrorsToUrl_AnalyticalRules": "[variables('CiscoWSAMultipleErrorsToUrl_AnalyticalRules')]", + "CiscoWSAMultipleInfectedFles_AnalyticalRules": "CiscoWSAMultipleInfectedFles_AnalyticalRules", + "_CiscoWSAMultipleInfectedFles_AnalyticalRules": "[variables('CiscoWSAMultipleInfectedFles_AnalyticalRules')]", + "CiscoWSAMultipleUnwantedFileTypes_AnalyticalRules": "CiscoWSAMultipleUnwantedFileTypes_AnalyticalRules", + "_CiscoWSAMultipleUnwantedFileTypes_AnalyticalRules": "[variables('CiscoWSAMultipleUnwantedFileTypes_AnalyticalRules')]", + "CiscoWSAProtocolAbuse_AnalyticalRules": "CiscoWSAProtocolAbuse_AnalyticalRules", + "_CiscoWSAProtocolAbuse_AnalyticalRules": "[variables('CiscoWSAProtocolAbuse_AnalyticalRules')]", + "CiscoWSAPublicIPSource_AnalyticalRules": "CiscoWSAPublicIPSource_AnalyticalRules", + "_CiscoWSAPublicIPSource_AnalyticalRules": "[variables('CiscoWSAPublicIPSource_AnalyticalRules')]", + "CiscoWSAUnexpectedFileType_AnalyticalRules": "CiscoWSAUnexpectedFileType_AnalyticalRules", + "_CiscoWSAUnexpectedFileType_AnalyticalRules": "[variables('CiscoWSAUnexpectedFileType_AnalyticalRules')]", + "CiscoWSAUnexpectedUrl_AnalyticalRules": "CiscoWSAUnexpectedUrl_AnalyticalRules", + "_CiscoWSAUnexpectedUrl_AnalyticalRules": "[variables('CiscoWSAUnexpectedUrl_AnalyticalRules')]", + "CiscoWSAUnscannableFile_AnalyticalRules": 
"CiscoWSAUnscannableFile_AnalyticalRules", + "_CiscoWSAUnscannableFile_AnalyticalRules": "[variables('CiscoWSAUnscannableFile_AnalyticalRules')]", + "CiscoWSABlockedFiles_HuntingQueries": "CiscoWSABlockedFiles_HuntingQueries", + "_CiscoWSABlockedFiles_HuntingQueries": "[variables('CiscoWSABlockedFiles_HuntingQueries')]", + "workspace-dependency": "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspace'))]", + "CiscoWSARareApplications_HuntingQueries": "CiscoWSARareApplications_HuntingQueries", + "_CiscoWSARareApplications_HuntingQueries": "[variables('CiscoWSARareApplications_HuntingQueries')]", + "CiscoWSATopApplications_HuntingQueries": "CiscoWSATopApplications_HuntingQueries", + "_CiscoWSATopApplications_HuntingQueries": "[variables('CiscoWSATopApplications_HuntingQueries')]", + "CiscoWSATopResources_HuntingQueries": "CiscoWSATopResources_HuntingQueries", + "_CiscoWSATopResources_HuntingQueries": "[variables('CiscoWSATopResources_HuntingQueries')]", + "CiscoWSAUncategorizedResources_HuntingQueries": "CiscoWSAUncategorizedResources_HuntingQueries", + "_CiscoWSAUncategorizedResources_HuntingQueries": "[variables('CiscoWSAUncategorizedResources_HuntingQueries')]", + "CiscoWSAUploadedFiles_HuntingQueries": "CiscoWSAUploadedFiles_HuntingQueries", + "_CiscoWSAUploadedFiles_HuntingQueries": "[variables('CiscoWSAUploadedFiles_HuntingQueries')]", + "CiscoWSAUrlRareErrorUrl_HuntingQueries": "CiscoWSAUrlRareErrorUrl_HuntingQueries", + "_CiscoWSAUrlRareErrorUrl_HuntingQueries": "[variables('CiscoWSAUrlRareErrorUrl_HuntingQueries')]", + "CiscoWSAUrlShortenerLinks_HuntingQueries": "CiscoWSAUrlShortenerLinks_HuntingQueries", + "_CiscoWSAUrlShortenerLinks_HuntingQueries": "[variables('CiscoWSAUrlShortenerLinks_HuntingQueries')]", + "CiscoWSAUrlSuspiciousResources_HuntingQueries": "CiscoWSAUrlSuspiciousResources_HuntingQueries", + "_CiscoWSAUrlSuspiciousResources_HuntingQueries": "[variables('CiscoWSAUrlSuspiciousResources_HuntingQueries')]", + 
"CiscoWSAUrlUsersWithErrors_HuntingQueries": "CiscoWSAUrlUsersWithErrors_HuntingQueries", + "_CiscoWSAUrlUsersWithErrors_HuntingQueries": "[variables('CiscoWSAUrlUsersWithErrors_HuntingQueries')]", + "CiscoWSAEvent_Parser": "CiscoWSAEvent_Parser", + "_CiscoWSAEvent_Parser": "[variables('CiscoWSAEvent_Parser')]", + "connector1-source": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.OperationalInsights/workspaces/',parameters('workspace'),'/providers/Microsoft.SecurityInsights/dataConnectors/',parameters('connector1-name'))]", + "_connector1-source": "[variables('connector1-source')]", + "CiscoWSAConnector": "CiscoWSAConnector", + "_CiscoWSAConnector": "[variables('CiscoWSAConnector')]", + "sourceId": "azuresentinel.azure-sentinel-solution-ciscowsa", + "_sourceId": "[variables('sourceId')]" + }, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[parameters('workbook1-id')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2020-02-12", + "properties": { + "displayName": "[concat(parameters('workbook1-name'), ' - ', parameters('formattedTimeNow'))]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**NOTE**: This data connector depends on a parser based on Kusto Function **CiscoWSAEvent** to work as expected. 
[Follow steps to get this Kusto Function](https://aka.ms/sentinel-ciscowsa-parser)\"},\"name\":\"text - 8\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"cd8447d9-b096-4673-92d8-2a1e8291a125\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"description\":\"Sets the time name for analysis\",\"value\":{\"durationMs\":2592000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":86400000},{\"durationMs\":604800000},{\"durationMs\":2592000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CiscoWSAEvent\\r\\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};\",\"size\":0,\"title\":\"Events Over Time\",\"color\":\"blueDark\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"graphSettings\":{\"type\":0}},\"customWidth\":\"60\",\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"55\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Sources Summary\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CiscoWSAEvent\\r\\n| where isnotempty(SrcIpAddr)\\r\\n| summarize dcount(SrcIpAddr)\",\"size\":3,\"title\":\"IP Addresses\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 
3\",\"styleSettings\":{\"margin\":\"10\",\"padding\":\"10\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CiscoWSAEvent\\n| where isnotempty(SrcUserName)\\n| where SrcUserName != '-'\\n| summarize dcount(SrcUserName)\",\"size\":3,\"title\":\"Users\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CiscoWSAEvent\\n| where isnotempty(DstBytes)\\n| summarize tb = sum(tolong(DstBytes))\\n| project mb = tb / 1000000\",\"size\":3,\"title\":\"Total Traffic Volume (MB)\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CiscoWSAEvent\\n| where DvcAction startswith 'BLOCK_'\\n| summarize count()\",\"size\":3,\"title\":\"Threats Blocked\",\"noDataMessage\":\"0\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"50\",\"name\":\"query - 3\"}]},\"customWidth\":\"40\",\"name\":\"group - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CiscoWSAEvent\\n| summarize count() by UrlCategory\\n| project count_, ['URL Category'] = case(UrlCategory =~ 'IW_infr', \\\"Infrastructure and CDN\\\", \\n UrlCategory =~ 'IW_adv', \\\"Advertisements\\\", \\n UrlCategory =~ 'IW_art', \\\"Arts\\\",\\n UrlCategory =~ 'IW_busi', \\\"Business and Industry\\\",\\n UrlCategory =~ 'IW_csec', 
\\\"Computer Security\\\",\\n UrlCategory =~ 'IW_comp', \\\"Computers and Internet\\\",\\n UrlCategory =~ 'IW_edu', \\\"Education\\\",\\n UrlCategory =~ 'IW_ent', \\\"Entertainment\\\",\\n UrlCategory =~ 'IW_fts', \\\"File Transfer Services\\\",\\n UrlCategory =~ 'IW_fnnc', \\\"Finance\\\",\\n UrlCategory =~ 'IW_hmed', \\\"Health and Medicine\\\",\\n UrlCategory =~ 'IW_job', \\\"Job Search\\\",\\n UrlCategory =~ 'IW_news', \\\"News\\\",\\n UrlCategory =~ 'IW_docs', \\\"Online Document Sharing and Collaboration\\\",\\n UrlCategory =~ 'IW_meet', \\\"Online Meetings\\\",\\n \\\"Other\\\")\",\"size\":3,\"title\":\"URL Categories\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"35\",\"name\":\"query - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CiscoWSAEvent\\r\\n| summarize count() by UrlCategory\\r\\n| project count_, ['URL Category'] = case(UrlCategory =~ 'IW_infr', \\\"Infrastructure and CDN\\\", \\r\\n UrlCategory =~ 'IW_adv', \\\"Advertisements\\\", \\r\\n UrlCategory =~ 'IW_art', \\\"Arts\\\",\\r\\n UrlCategory =~ 'IW_busi', \\\"Business and Industry\\\",\\r\\n UrlCategory =~ 'IW_csec', \\\"Computer Security\\\",\\r\\n UrlCategory =~ 'IW_comp', \\\"Computers and Internet\\\",\\r\\n UrlCategory =~ 'IW_edu', \\\"Education\\\",\\r\\n UrlCategory =~ 'IW_ent', \\\"Entertainment\\\",\\r\\n UrlCategory =~ 'IW_fts', \\\"File Transfer Services\\\",\\r\\n UrlCategory =~ 'IW_fnnc', \\\"Finance\\\",\\r\\n UrlCategory =~ 'IW_hmed', \\\"Health and Medicine\\\",\\r\\n UrlCategory =~ 'IW_job', \\\"Job Search\\\",\\r\\n UrlCategory =~ 'IW_news', \\\"News\\\",\\r\\n UrlCategory =~ 'IW_docs', \\\"Online Document Sharing and Collaboration\\\",\\r\\n UrlCategory =~ 'IW_meet', \\\"Online Meetings\\\",\\r\\n \\\"Other\\\")\\r\\n| top 8 by ['URL Category'] desc\\r\\n\",\"size\":3,\"title\":\"Top URL 
Categories\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"URL Category\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"purple\"}},\"showBorder\":false}},\"customWidth\":\"35\",\"name\":\"query - 0\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CiscoWSAEvent\\n| where isnotempty(DstDvcHostname)\\n| summarize count() by DstDvcHostname\\n| top 10 by DstDvcHostname\\n| order by count_\\n| project-rename Domain = DstDvcHostname, ['Total Events'] = count_\",\"size\":0,\"title\":\"Top visited domains\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"User\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalMailsReceived\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":10,\"formatOptions\":{\"palette\":\"magenta\"}},\"showBorder\":false}},\"customWidth\":\"30\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CiscoWSAEvent\\r\\n| where isnotempty(SrcUserName)\\r\\n| summarize TotalBytes = sum(DstBytes) by SrcUserName\\r\\n| top 10 by TotalBytes\\r\\n| project User=SrcUserName, ['Total Bytes (KB)'] = 
TotalBytes/1000\",\"size\":3,\"title\":\"Top Users\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total Bytes (KB)\",\"formatter\":8,\"formatOptions\":{\"palette\":\"greenRed\"}}]}},\"customWidth\":\"33\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CiscoWSAEvent\\n| where isnotempty(ThreatName)\\n| summarize count() by ThreatName\",\"size\":3,\"title\":\"Discovered Threats\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CiscoWSAEvent\\r\\n| where isnotempty(AmpFileName)\\r\\n| project TimeGenerated, SrcUserName, AmpFileName, Result=strcat(iff(isnotempty(AmpScanningVerdict) or AmpScanningVerdict !has 'clean', '❌ - Infected', '✅ - Clean'))\\r\\n\",\"size\":1,\"title\":\"Latest scanned files\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"34\",\"name\":\"query - 1\"}],\"fromTemplateId\":\"sentinel-CiscoWSAWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "version": "1.0", + "sourceId": "[variables('_workbook-source')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic1-id'))]", + "apiVersion": "2021-03-01-preview", + "kind": "Scheduled", + "location": 
"[parameters('workspace-location')]", + "properties": { + "description": "Detects when users attempting to access sites from high risk category.", + "displayName": "Cisco WSA - Access to unwanted site", + "enabled": false, + "query": "let risky_sites = dynamic(['IW_adlt', 'IW_hack', 'IW_porn']);\nCiscoWSAEvent\n| where UrlCategory in~ (risky_sites)\n| extend AccountCustomEntity = SrcUserName\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "InitialAccess" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "AccountCustomEntity" + } + ], + "entityType": "Account" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic2-id'))]", + "apiVersion": "2021-03-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects unexpected file uploads.", + "displayName": "Cisco WSA - Unexpected uploads", + "enabled": false, + "query": "CiscoWSAEvent\n| where HttpRequestMethod in~ ('POST', 'PUT')\n| where isnotempty(AmpFileName)\n| where UrlCategory in~ ('IW_fts', 'IW_osb')\n| summarize count() by AmpFileName, SrcUserName, bin(TimeGenerated, 10m)\n| where count_ >= 5\n| extend AccountCustomEntity = SrcUserName\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "Exfiltration" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "AccountCustomEntity" + } + ], + "entityType": "Account" + } + ] + } + }, + { + "type": 
"Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic3-id'))]", + "apiVersion": "2021-03-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects multiple connection errors to resource from risky category.", + "displayName": "Cisco WSA - Multiple errors to resource from risky category", + "enabled": false, + "query": "let threshold = 10;\nlet risky_sites = dynamic(['IW_adlt', 'IW_hack', 'IW_porn']);\nCiscoWSAEvent\n| where DvcAction startswith 'BLOCK_'\n| where UrlCategory in~ (risky_sites)\n| summarize count() by SrcUserName, UrlOriginal, bin(TimeGenerated, 5m)\n| where count_ >= threshold\n| extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "InitialAccess", + "CommandAndControl" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ], + "entityType": "URL" + }, + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "AccountCustomEntity" + } + ], + "entityType": "Account" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic4-id'))]", + "apiVersion": "2021-03-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects multiple connection errors to URL.", + "displayName": "Cisco WSA - Multiple errors to URL", + "enabled": false, + "query": "let threshold = 5;\nCiscoWSAEvent\n| where DvcAction =~ 'NONE'\n| summarize count() by SrcUserName, UrlOriginal, 
bin(TimeGenerated, 5m)\n| where count_ >= threshold\n| extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "CommandAndControl" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ], + "entityType": "URL" + }, + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "AccountCustomEntity" + } + ], + "entityType": "Account" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic5-id'))]", + "apiVersion": "2021-03-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects multiple infected files on same source.", + "displayName": "Cisco WSA - Multiple infected files", + "enabled": false, + "query": "CiscoWSAEvent\n| where isnotempty(AmpFileName)\n| where isnotempty(ThreatName)\n| summarize count() by SrcIpAddr, SrcUserName, bin(TimeGenerated, 15m)\n| where count_ > 1\n| extend IPCustomEntity = SrcIpAddr, AccountCustomEntity = SrcUserName\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "InitialAccess" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ], + "entityType": "IP" + }, + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "AccountCustomEntity" + } + ], + "entityType": "Account" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic6-id'))]", + "apiVersion": "2021-03-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects when multiple attempts to download unwanted file occur.", + "displayName": "Cisco WSA - Multiple attempts to download unwanted file", + "enabled": false, + "query": "let threshold = 2;\nCiscoWSAEvent\n| where DvcAction =~ 'BLOCK_ADMIN_FILE_TYPE'\n| summarize i_src = makeset(SrcIpAddr) by UrlOriginal, bin(TimeGenerated, 15m)\n| where array_length(i_src) >= threshold\n| extend IPCustomEntity = i_src, UrlCustomEntity = UrlOriginal\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "InitialAccess" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ], + "entityType": "IP" + }, + { + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "UrlCustomEntity" + } + ], + "entityType": "URL" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic7-id'))]", + "apiVersion": "2021-03-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects possible protocol abuse.", + "displayName": "Cisco WSA - Suspected protocol abuse", + "enabled": false, + "query": "CiscoWSAEvent\n| where DstPortNumber !in ('80', '443')\n| where NetworkApplicationProtocol in~ ('HTTP', 'HTTPs')\n| extend IPCustomEntity = SrcIpAddr, AccountCustomEntity = SrcUserName\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + 
"triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "Exfiltration" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ], + "entityType": "IP" + }, + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "AccountCustomEntity" + } + ], + "entityType": "Account" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic8-id'))]", + "apiVersion": "2021-03-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects internet access from public IP.", + "displayName": "Cisco WSA - Internet access from public IP", + "enabled": false, + "query": "let ip_except = dynamic(['127.0.0.2']); //Add exceptions to this list\nCiscoWSAEvent\n| where ipv4_is_private(SrcIpAddr) == false\n| extend IPCustomEntity = SrcIpAddr\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "InitialAccess" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ], + "entityType": "IP" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic9-id'))]", + "apiVersion": "2021-03-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects unexpected file type.", + "displayName": "Cisco WSA - Unexpected file type", + "enabled": false, + "query": "CiscoWSAEvent\n| where isnotempty(AmpFileName)\n| where isempty(AmpThreatName)\n| where ResponseBodyMimeType =~ 
'application/octet-stream'\n| where AmpFileName !endswith '.exe'\n| extend IPCustomEntity = SrcIpAddr, AccountCustomEntity = SrcUserName\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "InitialAccess" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ], + "entityType": "IP" + }, + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "AccountCustomEntity" + } + ], + "entityType": "Account" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic10-id'))]", + "apiVersion": "2021-03-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects unexpected URL.", + "displayName": "Cisco WSA - Unexpected URL", + "enabled": false, + "query": "let threshold = 5;\nCiscoWSAEvent\n| where UrlOriginal matches regex @'\\Ahttp(s)?[:][/][/]\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}'\n| extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "CommandAndControl" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ], + "entityType": "URL" + }, + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "AccountCustomEntity" + } + ], + "entityType": "Account" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic11-id'))]", + "apiVersion": "2021-03-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects unscanned downloaded file.", + "displayName": "Cisco WSA - Unscannable file or scan error", + "enabled": false, + "query": "CiscoWSAEvent\n| where isnotempty(AmpFileName)\n| where AmpScanningVerdict in ('2', '3')\n| extend IPCustomEntity = SrcIpAddr, FileCustomEntity = AmpFileName, AccountCustomEntity = SrcUserName\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "InitialAccess" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ], + "entityType": "IP" + }, + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "FileCustomEntity" + } + ], + "entityType": "File" + }, + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "AccountCustomEntity" + } + ], + "entityType": "Account" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2020-08-01", + "name": "[parameters('workspace')]", + "location": "[parameters('workspace-location')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "CiscoWSA Hunting Query 1", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "Cisco WSA - Blocked files", + "category": "Hunting Queries", + "query": "CiscoWSAEvent\n| where TimeGenerated > ago(24h)\n| where DvcAction =~ 'BLOCK_ADMIN_FILE_TYPE'\n| summarize count() by UrlOriginal\n| extend URLCustomEntity = UrlOriginal\n", + "version": 1, + "tags": [ + { + "name": "description", + "value": "Query searches for blocked files." 
+ }, + { + "name": "tactics", + "value": "InitialAccess" + } + ] + } + }, + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "CiscoWSA Hunting Query 2", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "Cisco WSA - Rare aplications", + "category": "Hunting Queries", + "query": "CiscoWSAEvent\n| where TimeGenerated > ago(24h)\n| summarize count() by AvcApplicationName, SrcUserName\n| order by count_ asc\n| extend AccountCustomEntity = SrcUserName\n", + "version": 1, + "tags": [ + { + "name": "description", + "value": "Query searches for rare applications." + }, + { + "name": "tactics", + "value": "CommandAndControl,Exfiltration" + } + ] + } + }, + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "CiscoWSA Hunting Query 3", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "Cisco WSA - Top aplications", + "category": "Hunting Queries", + "query": "CiscoWSAEvent\n| where TimeGenerated > ago(24h)\n| summarize count() by AvcApplicationName, SrcUserName\n| extend AccountCustomEntity = SrcUserName\n", + "version": 1, + "tags": [ + { + "name": "description", + "value": "Query searches for top applications." + }, + { + "name": "tactics", + "value": "InitialAccess" + } + ] + } + }, + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "CiscoWSA Hunting Query 4", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "Cisco WSA - Top URLs", + "category": "Hunting Queries", + "query": "CiscoWSAEvent\n| where TimeGenerated > ago(24h)\n| summarize count() by UrlOriginal, SrcUserName\n| extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName\n", + "version": 1, + "tags": [ + { + "name": "description", + "value": "Query searches for top URLs." 
+ }, + { + "name": "tactics", + "value": "InitialAccess" + } + ] + } + }, + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "CiscoWSA Hunting Query 5", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "Cisco WSA - Uncategorized URLs", + "category": "Hunting Queries", + "query": "CiscoWSAEvent\n| where TimeGenerated > ago(24h)\n| where UrlCategory in~ ('IW_nc', 'IW_nact')\n| project UrlOriginal, SrcUserName, SrcIpAddr\n| extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr\n", + "version": 1, + "tags": [ + { + "name": "description", + "value": "Query searches for uncategorized URLs." + }, + { + "name": "tactics", + "value": "InitialAccess" + } + ] + } + }, + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "CiscoWSA Hunting Query 6", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "Cisco WSA - Uploaded files", + "category": "Hunting Queries", + "query": "CiscoWSAEvent\n| where TimeGenerated > ago(24h)\n| where HttpRequestMethod in~ ('POST', 'PUT')\n| where isnotempty(AmpFileName)\n| project AmpFileName, SrcUserName\n| extend AccountCustomEntity = SrcUserName\n", + "version": 1, + "tags": [ + { + "name": "description", + "value": "Query searches for uploaded files." 
+ }, + { + "name": "tactics", + "value": "InitialAccess" + } + ] + } + }, + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "CiscoWSA Hunting Query 7", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "Cisco WSA - Rare URL with error", + "category": "Hunting Queries", + "query": "CiscoWSAEvent\n| where TimeGenerated > ago(24h)\n| where DvcAction =~ 'OTHER'\n| summarize count() by UrlOriginal\n| order by count_ asc\n| extend URLCustomEntity = UrlOriginal\n", + "version": 1, + "tags": [ + { + "name": "description", + "value": "Query searches for rare URLs with errors." + }, + { + "name": "tactics", + "value": "InitialAccess,CommandAndControl" + } + ] + } + }, + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "CiscoWSA Hunting Query 8", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "Cisco WSA - URL shorteners", + "category": "Hunting Queries", + "query": "CiscoWSAEvent\n| where TimeGenerated > ago(24h)\n| where UrlCategory =~ 'IW_shrt'\n| project UrlOriginal, SrcUserName, SrcIpAddr\n| extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr\n", + "version": 1, + "tags": [ + { + "name": "description", + "value": "Query searches connections to Url shorteners resources." 
+ }, + { + "name": "tactics", + "value": "InitialAccess" + } + ] + } + }, + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "CiscoWSA Hunting Query 9", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "Cisco WSA - Potentially risky resources", + "category": "Hunting Queries", + "query": "CiscoWSAEvent\n| where TimeGenerated > ago(24h)\n| where DvcAction =~ 'BLOCK_CONTINUE_WEBCAT'\n| project UrlOriginal, SrcUserName, SrcIpAddr\n| extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr\n", + "version": 1, + "tags": [ + { + "name": "description", + "value": "Query searches for potentially risky resources." + }, + { + "name": "tactics", + "value": "InitialAccess" + } + ] + } + }, + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "CiscoWSA Hunting Query 10", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "Cisco WSA - User errors", + "category": "Hunting Queries", + "query": "CiscoWSAEvent\n| where TimeGenerated > ago(24h)\n| where DvcAction =~ 'OTHER'\n| summarize count() by UrlOriginal, SrcUserName\n| extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName\n", + "version": 1, + "tags": [ + { + "name": "description", + "value": "Query searches for user errors during accessing resource." 
+ }, + { + "name": "tactics", + "value": "InitialAccess,CommandAndControl" + } + ] + } + }, + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "CiscoWSA Data Parser", + "dependsOn": [ + "[variables('workspace-dependency')]" + ], + "properties": { + "eTag": "*", + "displayName": "CiscoWSA Data Parser", + "category": "Samples", + "functionAlias": "CiscoWSAEvent", + "query": "\nlet cisco_wsa_access_logs =() {\r\nSyslog\r\n| where SyslogMessage matches regex @\"\\A\\d{10}\\.\\d{3}\\s\\d+\\s\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\"\r\n| extend EventVendor = 'Cisco'\r\n| extend EventProduct = 'Web Security Appliance'\r\n| extend EventType = 'Access Log'\r\n| extend EventFields = split(SyslogMessage, ' ')\r\n| extend ScanningVerdictFields = parse_csv(tostring(extract(@'<(.*?)>', 1, SyslogMessage)))\r\n| extend EventStartTime = unixtime_seconds_todatetime(todouble(EventFields[0]))\r\n| extend Latency = toint(EventFields[1])\r\n| extend SrcIpAddr = tostring(EventFields[2])\r\n| extend EventResultDetails = extract(@'\\A(.*?)\\/[1-5]\\d{2}', 1, tostring(EventFields[3]))\r\n| extend HttpStatusCode = extract(@'\\A.*?\\/([1-5]\\d{2})', 1, tostring(EventFields[3]))\r\n| extend DstBytes = toint(EventFields[4])\r\n| extend HttpRequestMethod = tostring(EventFields[5])\r\n| extend UrlOriginal = tostring(EventFields[6])\r\n| extend SrcUserName = tostring(EventFields[7])\r\n| extend ContactedServerCode = extract(@'\\A(\\w+)\\/\\d{1,3}', 1, tostring(EventFields[8]))\r\n| extend DstIpAddr = extract(@'\\A\\w+\\/(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})', 1, tostring(EventFields[8]))\r\n| extend DstDvcHostname = extract(@'\\A\\w+\\/(\\D+)', 1, tostring(EventFields[8]))\r\n| extend ResponseBodyMimeType = tostring(EventFields[9])\r\n| extend DvcAction = extract(@'\\A(.*?)\\-', 1, tostring(EventFields[10]))\r\n| extend PolicyGroupName = extract(@'\\A.*?\\-(.*?)\\-', 1, tostring(EventFields[10]))\r\n| extend IdentityPolicyGroupName = extract(@'\\A.*?\\-.*?\\-(.*?)\\-', 
1, tostring(EventFields[10]))\r\n| extend OutboundMalwareScanningPolicyGroupName = extract(@'\\A.*?\\-.*?\\-.*?\\-(.*?)\\-', 1, tostring(EventFields[10]))\r\n| extend DataSecurityPolicyGroupName = extract(@'\\A.*?\\-.*?\\-.*?\\-.*?\\-(.*?)\\-', 1, tostring(EventFields[10]))\r\n| extend ExternalDplPolicyGroupName = extract(@'\\A.*?\\-.*?\\-.*?\\-.*?\\-.*?\\-(.*?)\\-', 1, tostring(EventFields[10]))\r\n| extend RoutingPolicy = extract(@'\\A(.*?\\-){6}(.*)', 2, tostring(EventFields[10]))\r\n| extend SuspectedUserAgent = tostring(EventFields[-1])\r\n| extend UrlCategory = tostring(ScanningVerdictFields[0])\r\n| extend WebReputationScore = tostring(ScanningVerdictFields[1])\r\n| extend MalwareScanningVerdict = tostring(ScanningVerdictFields[2])\r\n| extend ThreatName = tostring(ScanningVerdictFields[3])\r\n| extend ThreatRiskRatioValue = tostring(ScanningVerdictFields[4])\r\n| extend ThreatIdentifier = tostring(ScanningVerdictFields[5])\r\n| extend TraceIdentifier = tostring(ScanningVerdictFields[6])\r\n| extend McAfeeMalwareScanningVerdict = tostring(ScanningVerdictFields[7])\r\n| extend McAfeeScannedFileName = tostring(ScanningVerdictFields[8])\r\n| extend McAfeeScanError = tostring(ScanningVerdictFields[9])\r\n| extend McAfeeDetectionType = tostring(ScanningVerdictFields[10])\r\n| extend McAfeeThreatCategory = tostring(ScanningVerdictFields[11])\r\n| extend McAfeeThreatName = tostring(ScanningVerdictFields[12])\r\n| extend SophosScanningVerdict = tostring(ScanningVerdictFields[13])\r\n| extend SophosScanReturnCode = tostring(ScanningVerdictFields[14])\r\n| extend SophosScannedFileName = tostring(ScanningVerdictFields[15])\r\n| extend SophosThreatName = tostring(ScanningVerdictFields[16])\r\n| extend CiscoDataSecurityScanningVerdict = case(tostring(ScanningVerdictFields[17]) == '0', 'Allow',\r\n tostring(ScanningVerdictFields[17]) == '1', 'Block',\r\n '-')\r\n| extend ExternalDlpScannningVerdict = case(tostring(ScanningVerdictFields[18]) == '0', 'Allow',\r\n 
tostring(ScanningVerdictFields[18]) == '1', 'Block',\r\n '-')\r\n| extend ResponseSideScanningUrlCategoryVerdict = tostring(ScanningVerdictFields[19])\r\n| extend DcaUrlCategoryVerdict = tostring(ScanningVerdictFields[20])\r\n| extend ResponseThreatCategory = tostring(ScanningVerdictFields[21])\r\n| extend WebReputationThreatType = tostring(ScanningVerdictFields[22])\r\n| extend GteEncapsulatedUrl = tostring(ScanningVerdictFields[23])\r\n| extend AvcApplicationName = tostring(ScanningVerdictFields[24])\r\n| extend AvcApplicationType = tostring(ScanningVerdictFields[25])\r\n| extend AvcApplicationBehavior = tostring(ScanningVerdictFields[26])\r\n| extend SafeBrowsingScanningVerdict = tostring(ScanningVerdictFields[27])\r\n| extend ['AvgBandwidth(Kb/sec)'] = todouble(ScanningVerdictFields[28])\r\n| extend Throttled = tostring(ScanningVerdictFields[29])\r\n| extend UserType = tostring(ScanningVerdictFields[30])\r\n| extend RequestSideAntiMalwareScanningVerdict = tostring(ScanningVerdictFields[31])\r\n| extend ClientRequestThreatName = tostring(ScanningVerdictFields[32])\r\n| extend AmpScanningVerdict = tostring(ScanningVerdictFields[33])\r\n| extend AmpThreatName = tostring(ScanningVerdictFields[34])\r\n| extend AmpReputationScore = tostring(ScanningVerdictFields[35])\r\n| extend AmpUploadIndicator = tostring(ScanningVerdictFields[36])\r\n| extend AmpFileName = tostring(ScanningVerdictFields[37])\r\n| extend AmpFileHashSha256 = tostring(ScanningVerdictFields[38])\r\n| extend ArchiveScanningVerdict = tostring(ScanningVerdictFields[39])\r\n| extend ArchiveScanningVerdictDetail = tostring(ScanningVerdictFields[40])\r\n| extend ArchiveScannerFileVerdict = tostring(ScanningVerdictFields[41])\r\n| extend WebTapBehavior = tostring(ScanningVerdictFields[42])\r\n| extend YouTubeUrlCategory = tostring(ScanningVerdictFields[43])\r\n| extend BlockedFileTypeDetail = extract_all(@\"(?P[a-zA-Z0-9- ]+):(?P[a-zA-Z0-9-_:/@.#{};= ]+)\", dynamic([\"key\",\"value\"]), 
tostring(ScanningVerdictFields[44]))\r\n| mv-apply BlockedFileTypeDetail on (\r\n summarize BlockedFileTypeDetail = make_list(pack(tostring(BlockedFileTypeDetail[0]), BlockedFileTypeDetail[1]))\r\n )\r\n};\r\nlet cisco_wsa_w3c_logs =() {\r\nSyslog\r\n| where SyslogMessage matches regex @\"\\A\\d{4}\\-\\d{2}\\-\\d{2}\\s\\d{2}:\\d{2}:\\d{2}\\s\\d{10}\\.\\d{3}\"\r\n| extend EventVendor = 'Cisco'\r\n| extend EventProduct = 'Web Security Appliance'\r\n| extend EventType = 'Access Log'\r\n| extend EventFields = split(SyslogMessage, ' ')\r\n| extend EventStartTime = todatetime(strcat(EventFields[0], ' ', EventFields[1]))\r\n| extend Latency = toint(EventFields[3])\r\n| extend HttpReferrerOriginal = tostring(EventFields[4])\r\n| extend SrcIpAddr = tostring(EventFields[5])\r\n| extend EventResultDetails = tostring(EventFields[6])\r\n| extend SrcBytes = toint(EventFields[7])\r\n| extend DstBytes = toint(EventFields[8])\r\n| extend HttpRequestMethod = tostring(EventFields[9])\r\n| extend UrlOriginal = tostring(EventFields[10])\r\n| extend DstIpAddr = tostring(EventFields[11])\r\n| extend RequestUri = tostring(EventFields[12])\r\n| extend SrcUserName = tostring(EventFields[13])\r\n| extend ResponseBodyMimeType = tostring(EventFields[14])\r\n| extend DvcAction = tostring(EventFields[15])\r\n| extend HttpRequestXff = tostring(EventFields[16])\r\n| extend SrcPortNumber = tostring(EventFields[17])\r\n| extend DstDvcHostname = tostring(EventFields[18])\r\n| extend DstPortNumber = tostring(EventFields[19])\r\n| extend NetworkApplicationProtocol = tostring(EventFields[20])\r\n| extend UrlCategory = tostring(EventFields[21])\r\n| extend WbrsScore = tostring(EventFields[22])\r\n| extend WebrootScanningVerdict = tostring(EventFields[23])\r\n| extend WebrootThreatName = tostring(EventFields[24])\r\n| extend WebrootThreatRiskRatio = tostring(EventFields[25])\r\n| extend WebrootSpyId = tostring(EventFields[26])\r\n| extend WebrootTraceId = tostring(EventFields[27])\r\n| extend 
McAfeeMalwareScanningVerdict = tostring(EventFields[28])\r\n| extend McAfeeScannedFileName = tostring(EventFields[29])\r\n| extend McAfeeScanError = tostring(EventFields[30])\r\n| extend McAfeeDetectionType = tostring(EventFields[31])\r\n| extend McAfeeThreatCategory = tostring(EventFields[32])\r\n| extend McAfeeThreatName = tostring(EventFields[33])\r\n| extend SophosScanningVerdict = tostring(EventFields[34])\r\n| extend SophosScanReturnCode = tostring(EventFields[35])\r\n| extend SophosScannedFileName = tostring(EventFields[36])\r\n| extend SophosThreatName = tostring(EventFields[37])\r\n| extend CiscoDataSecurityScanningVerdict = tostring(EventFields[38])\r\n| extend ExternalDlpScannningVerdict = tostring(EventFields[39])\r\n| extend RequestSideScanningUrlCategoryVerdict = tostring(EventFields[40])\r\n| extend ResponseSideScanningUrlCategoryVerdict = tostring(EventFields[41])\r\n| extend WebReputationThreatCategory = tostring(EventFields[42])\r\n| extend AvcApplicationName = tostring(EventFields[43])\r\n| extend AvcApplicationType = tostring(EventFields[44])\r\n| extend AvcApplicationBehavior = tostring(EventFields[45])\r\n| extend SafeBrowsingScanningVerdict = tostring(EventFields[46])\r\n| extend ['AvgBandwidth(Kb/sec)'] = todouble(EventFields[47])\r\n| extend Throttled = tostring(EventFields[48])\r\n| extend UserType = tostring(EventFields[49])\r\n| extend ResponseSideThreatName = tostring(EventFields[50])\r\n| extend ResponseSideThreatCategoryCode = tostring(EventFields[51])\r\n| extend ResponseSideThreatCategory = tostring(EventFields[52])\r\n| extend RequestSideDvsThreatName = tostring(EventFields[53])\r\n| extend RequestSideDvsScanningVerdict = tostring(EventFields[54])\r\n| extend RequestSideDvsVerdictName = tostring(EventFields[55])\r\n| extend AmpScanningVerdict = tostring(EventFields[56])\r\n| extend AmpThreatName = tostring(EventFields[57])\r\n| extend AmpReputationScore = tostring(EventFields[58])\r\n| extend AmpUploadIndicator = 
tostring(EventFields[59])\r\n| extend AmpFileName = tostring(EventFields[60])\r\n| extend AmpFileHashSha256 = tostring(EventFields[61])\r\n| extend SuspectedUserAgent = tostring(EventFields[62])\r\n| extend NetworkBytes = toint(EventFields[63])\r\n};\r\nunion isfuzzy=true cisco_wsa_access_logs, cisco_wsa_w3c_logs\r\n| project-away SyslogMessage\r\n , EventFields\r\n , ScanningVerdictFields\r\n", + "version": 1 + } + } + ] + }, + { + "id": "[variables('_connector1-source')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('connector1-name'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Cisco Web Security Appliance", + "publisher": "Cisco", + "descriptionMarkdown": "[Cisco Web Security Appliance (WSA)](https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html) data connector provides the capability to ingest [Cisco WSA Access Logs](https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa_14-0/User-Guide/b_WSA_UserGuide_14_0/b_WSA_UserGuide_11_7_chapter_010101.html) into Azure Sentinel.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "CiscoWSAEvent", + "baseQuery": "CiscoWSAEvent" + } + ], + "sampleQueries": [ + { + "description": "Top 10 Clients (Source IP)", + "query": "CiscoWSAEvent\n | where notempty(SrcIpAddr)\n | summarize count() by SrcIpAddr\n | top 10 by count_" + } + ], + "dataTypes": [ + { + "name": "Syslog (CiscoWSAEvent)", + "lastDataReceivedQuery": "CiscoWSAEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "CiscoWSAEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { 
+ "status": 1, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "write permission is required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**CiscoWSAEvent**](https://aka.ms/sentinel-CiscoWSA-parser) which is deployed with the Azure Sentinel Solution." + }, + { + "description": ">**NOTE:** This data connector has been developed using AsyncOS 14.0 for Cisco Web Security Appliance" + }, + { + "description": "[Follow these steps](https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-0/user_guide/b_ESA_Admin_Guide_14-0/b_ESA_Admin_Guide_12_1_chapter_0100111.html#con_1134718) to configure Cisco Web Security Appliance to forward logs via Syslog\n\n>**NOTE:** Select **Syslog Push** as a Retrieval Method.", + "title": "1. Configure Cisco Web Security Appliance to forward logs via Syslog to remote server where you will install the agent." 
+ }, + { + "description": "Install the agent on the Server to which the logs will be forwarded.\n\n> Logs on Linux or Windows servers are collected by **Linux** or **Windows** agents.", + "instructions": [ + { + "parameters": { + "title": "Choose where to install the Linux agent:", + "instructionSteps": [ + { + "title": "Install agent on Azure Linux Virtual Machine", + "description": "Select the machine to install the agent on and then click **Connect**.", + "instructions": [ + { + "parameters": { + "linkType": "InstallAgentOnLinuxVirtualMachine" + }, + "type": "InstallAgent" + } + ] + }, + { + "title": "Install agent on a non-Azure Linux Machine", + "description": "Download the agent on the relevant machine and follow the instructions.", + "instructions": [ + { + "parameters": { + "linkType": "InstallAgentOnLinuxNonAzure" + }, + "type": "InstallAgent" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "2. Install and onboard the agent for Linux or Windows" + }, + { + "instructions": [ + { + "parameters": { + "title": "Choose where to install the Windows agent:", + "instructionSteps": [ + { + "title": "Install agent on Azure Windows Virtual Machine", + "description": "Select the machine to install the agent on and then click **Connect**.", + "instructions": [ + { + "parameters": { + "linkType": "InstallAgentOnVirtualMachine" + }, + "type": "InstallAgent" + } + ] + }, + { + "title": "Install agent on a non-Azure Windows Machine", + "description": "Download the agent on the relevant machine and follow the instructions.", + "instructions": [ + { + "parameters": { + "linkType": "InstallAgentOnNonAzure" + }, + "type": "InstallAgent" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "description": "Open Log Analytics to check if the logs are received using the Syslog schema.\n\n>**NOTE:** It may take up to 15 minutes before new logs will appear in Syslog table.", + "title": "3. 
Check logs in Azure Sentinel" + } + ], + "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**CiscoWSAEvent**](https://aka.ms/sentinel-CiscoWSA-parser) which is deployed with the Azure Sentinel Solution." + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2021-03-01-preview", + "properties": { + "version": "1.0.3", + "kind": "Solution", + "contentId": "[variables('_sourceId')]", + "parentId": "[variables('_sourceId')]", + "source": { + "kind": "Solution", + "name": "CiscoWSA", + "sourceId": "[variables('_sourceId')]" + }, + "author": { + "name": "Sanmit Biraj", + "email": "v-sabiraj@microsoft.com" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "Workbook", + "contentId": "[variables('_CiscoWSA_workbook')]", + "version": "1.0.3" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_CiscoWSAAccessToUnwantedSite_AnalyticalRules')]", + "version": "1.0.3" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_CiscoWSADataExfiltration_AnalyticalRules')]", + "version": "1.0.3" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_CiscoWSAMultipleErrorsToUnwantedCategory_AnalyticalRules')]", + "version": "1.0.3" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_CiscoWSAMultipleErrorsToUrl_AnalyticalRules')]", + "version": "1.0.3" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_CiscoWSAMultipleInfectedFles_AnalyticalRules')]", + "version": "1.0.3" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_CiscoWSAMultipleUnwantedFileTypes_AnalyticalRules')]", + "version": "1.0.3" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_CiscoWSAProtocolAbuse_AnalyticalRules')]", + "version": 
"1.0.3" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_CiscoWSAPublicIPSource_AnalyticalRules')]", + "version": "1.0.3" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_CiscoWSAUnexpectedFileType_AnalyticalRules')]", + "version": "1.0.3" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_CiscoWSAUnexpectedUrl_AnalyticalRules')]", + "version": "1.0.3" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_CiscoWSAUnscannableFile_AnalyticalRules')]", + "version": "1.0.3" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_CiscoWSABlockedFiles_HuntingQueries')]", + "version": "1.0.3" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_CiscoWSARareApplications_HuntingQueries')]", + "version": "1.0.3" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_CiscoWSATopApplications_HuntingQueries')]", + "version": "1.0.3" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_CiscoWSATopResources_HuntingQueries')]", + "version": "1.0.3" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_CiscoWSAUncategorizedResources_HuntingQueries')]", + "version": "1.0.3" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_CiscoWSAUploadedFiles_HuntingQueries')]", + "version": "1.0.3" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_CiscoWSAUrlRareErrorUrl_HuntingQueries')]", + "version": "1.0.3" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_CiscoWSAUrlShortenerLinks_HuntingQueries')]", + "version": "1.0.3" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_CiscoWSAUrlSuspiciousResources_HuntingQueries')]", + "version": "1.0.3" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_CiscoWSAUrlUsersWithErrors_HuntingQueries')]", + "version": "1.0.3" + }, + { + "kind": "Parser", + "contentId": "[variables('_CiscoWSAEvent_Parser')]", + "version": "1.0.3" + }, + { + "kind": "DataConnector", + "contentId": 
"[variables('_CiscoWSAConnector')]",
+ "version": "1.0.3"
+ }
+ ]
+ },
+ "firstPublishDate": "2021-06-29",
+ "providers": [
+ "Cisco"
+ ],
+ "categories": {
+ "domains": [
+ "Security – Network"
+ ]
+ }
+ },
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_sourceId'))]"
+ }
+ ],
+ "outputs": {}
+}
diff --git a/Solutions/CiscoWSA/SolutionMetadata.json b/Solutions/CiscoWSA/SolutionMetadata.json
new file mode 100644
index 0000000000..6e7d776ba3
--- /dev/null
+++ b/Solutions/CiscoWSA/SolutionMetadata.json
@@ -0,0 +1,15 @@
+{
+ "publisherId": "azuresentinel",
+ "offerId": "azure-sentinel-solution-ciscowsa",
+ "firstPublishDate": "2021-06-29",
+ "providers": ["Cisco"],
+ "categories": {
+ "domains" : ["Security – Network"]
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
+}
\ No newline at end of file
diff --git a/Tools/Create-Azure-Sentinel-Solution/input/Solution_CiscoWSA.json b/Tools/Create-Azure-Sentinel-Solution/input/Solution_CiscoWSA.json
new file mode 100644
index 0000000000..f839084466
--- /dev/null
+++ b/Tools/Create-Azure-Sentinel-Solution/input/Solution_CiscoWSA.json
@@ -0,0 +1,43 @@
+{
+ "Name": "CiscoWSA",
+ "Author": "Sanmit Biraj - v-sabiraj@microsoft.com",
+ "WorkbookDescription": "Sets the time name for analysis",
+ "Description": "[Cisco Web Security Appliance (WSA)](https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html) data connector provides the capability to ingest [Cisco WSA Access Logs](https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa_14-0/User-Guide/b_WSA_UserGuide_14_0/b_WSA_UserGuide_11_7_chapter_010101.html) into Azure Sentinel.",
+ "Workbooks": [
+ "Workbooks/CiscoWSA.json"
+ ],
+ "Analytic Rules": [
+ "Analytic Rules/CiscoWSAAccessToUnwantedSite.yaml",
+ "Analytic Rules/CiscoWSADataExfiltration.yaml",
+ "Analytic Rules/CiscoWSAMultipleErrorsToUnwantedCategory.yaml",
+ "Analytic Rules/CiscoWSAMultipleErrorsToUrl.yaml",
+ "Analytic Rules/CiscoWSAMultipleInfectedFles.yaml",
+ "Analytic Rules/CiscoWSAMultipleUnwantedFileTypes.yaml",
+ "Analytic Rules/CiscoWSAProtocolAbuse.yaml",
+ "Analytic Rules/CiscoWSAPublicIPSource.yaml",
+ "Analytic Rules/CiscoWSAUnexpectedFileType.yaml",
+ "Analytic Rules/CiscoWSAUnexpectedUrl.yaml",
+ "Analytic Rules/CiscoWSAUnscannableFile.yaml"
+ ],
+ "Hunting Queries": [
+ "Hunting Queries/CiscoWSABlockedFiles.yaml",
+ "Hunting Queries/CiscoWSARareApplications.yaml",
+ "Hunting Queries/CiscoWSATopApplications.yaml",
+ "Hunting Queries/CiscoWSATopResources.yaml",
+ "Hunting Queries/CiscoWSAUncategorizedResources.yaml",
+ "Hunting Queries/CiscoWSAUploadedFiles.yaml",
+ "Hunting Queries/CiscoWSAUrlRareErrorUrl.yaml",
+ "Hunting Queries/CiscoWSAUrlShortenerLinks.yaml",
+ "Hunting Queries/CiscoWSAUrlSuspiciousResources.yaml",
+ "Hunting Queries/CiscoWSAUrlUsersWithErrors.yaml"
+ ],
+ "Parsers": [
+ "Parsers/CiscoWSAEvent.txt"
+ ],
+ "Data Connectors": [
+ "Data Connectors/Connector_WSA_Syslog.json"
+ ],
+ "Metadata": "SolutionMetadata.json",
+ "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\CiscoWSA",
+ "Version": "1.0.3"
+}
\ No newline at end of file
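Review bot: `"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\CiscoWSA"` is an absolute path to one developer's Windows checkout, so the packaging input only works on that machine and has to be hand-edited by anyone who re-packages the solution (it also exposes the author's workstation layout in a public repository). If the Create-Azure-Sentinel-Solution tool accepts it, prefer a repo-relative value such as `"BasePath": "Solutions/CiscoWSA"`, or a documented placeholder the packager replaces; the other tool inputs in this directory would be the reference for which form the tool expects. The `"WorkbookDescription": "Sets the time name for analysis"` also reads like a copied placeholder rather than a description of the CiscoWSA workbook and is worth replacing with one sentence on what the workbook shows. Minor: the `"Author"` value folds name and e-mail into one string with a ` - ` separator, whereas the generated mainTemplate metadata carries them as separate `name`/`email` fields, so keep the separator exactly as the tool parses it.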