Merge branch 'Azure:master' into master

This commit is contained in:
Rambatla Venkat Rao 2021-08-30 11:16:29 +05:30 committed by GitHub
Parents 80b5fd0c3d 9ab2fd683f
Commit ff28078e40
No key found matching this signature
GPG key ID: 4AEE18F83AFDEB23
352 changed files: 164453 additions and 1464 deletions


@ -124,5 +124,6 @@
"Zscaler",
"illusiveAttackManagementSystem",
"WindowsSecurityEvents",
"IronNetIronDefense"
"IronNetIronDefense",
"Illusive"
]

Binary file not shown.


@ -25,7 +25,7 @@ object = "EventLogFile"
interval = "hourly"
hours_interval = 1
days_interval = 1
url = "https://login.salesforce.com/services/oauth2/token"
url = os.environ['SalesforceTokenUri']
logAnalyticsUri = os.environ.get('logAnalyticsUri')
if ((logAnalyticsUri in (None, '') or str(logAnalyticsUri).isspace())):
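Review bot: `url = os.environ['SalesforceTokenUri']` raises a KeyError and aborts the whole run when the app setting is missing, which is exactly the state of every Function App deployed from the previous template; the neighbouring `logAnalyticsUri` lookup two lines below uses `os.environ.get(...)` with a fallback, so do the same here, e.g. `url = os.environ.get('SalesforceTokenUri') or 'https://login.salesforce.com/services/oauth2/token'`. Since this is the endpoint the Salesforce password, security token and consumer secret are posted to, it is also worth rejecting a configured value that does not start with `https://` rather than silently sending credentials wherever the setting points.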


@ -28,6 +28,13 @@
"type": "securestring",
"defaultValue": "<SalesforceSecurityToken>"
},
"SalesforceTokenUri": {
"type": "string",
"defaultValue": "https://login.salesforce.com/services/oauth2/token",
"metadata": {
"description": "Use default value for Production environment, for sandbox environment update accordingly."
}
},
"SalesforceConsumerKey": {
"type": "securestring",
"defaultValue": "<SalesforceConsumerKey>"
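Review bot: the `metadata.description` for `SalesforceTokenUri` reads awkwardly ("Use default value for Production environment, for sandbox environment update accordingly."); suggest "Use the default value for a production org. For a sandbox org, set this to the sandbox OAuth token endpoint." and, because the function posts credentials to this URL, state that it must be an HTTPS Salesforce endpoint so a deployer does not treat it as a free-form string.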
@ -162,11 +169,12 @@
"WorkspaceKey": "[parameters('WorkspaceKey')]",
"SalesforceUser": "[parameters('SalesforceUser')]",
"SalesforcePass": "[parameters('SalesforcePass')]",
"SalesforceTokenUri": "[parameters('SalesforceTokenUri')]",
"SalesforceSecurityToken": "[parameters('SalesforceSecurityToken')]",
"SalesforceConsumerKey": "[parameters('SalesforceConsumerKey')]",
"SalesforceConsumerSecret": "[parameters('SalesforceConsumerSecret')]",
"logAnalyticsUri": "[variables('LogAnaltyicsUri')]",
"WEBSITE_RUN_FROM_PACKAGE": "https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/SalesforceServiceCloud/SalesforceSentinelConn.zip?raw=true"
"WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-SalesforceServiceCloud-functionapp"
}
}
]
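Review bot: `WEBSITE_RUN_FROM_PACKAGE` now resolves through an aka.ms short link instead of the pinned repository path; whoever controls that redirect controls the code the Function App runs, and the target can change without any commit to this repository, so record the resolved package location (and ideally its hash) in the connector README so deployers can verify what they are actually running. The unchanged context line `"logAnalyticsUri": "[variables('LogAnaltyicsUri')]"` also carries a misspelled variable name; it presumably matches its definition elsewhere in the template, but it is worth correcting to `LogAnalyticsUri` while this block is being touched.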


@ -0,0 +1,42 @@
id: 88f453ff-7b9e-45bb-8c12-4058ca5e44ee
name: Azure Active Directory Hybrid Health AD FS New Server
description: |
'This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.
A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.
This can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/'
severity: Medium
requiredDataConnectors:
- connectorId: AzureActivity
dataTypes:
- AzureActivity
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- DefenseEvasion
relevantTechniques:
- T1578
tags:
- SimuLand
query: |
AzureActivity
| where CategoryValue == 'Administrative'
| where ResourceProviderValue =~ 'Microsoft.ADHybridHealthService'
| where _ResourceId contains 'AdFederationService'
| where OperationNameValue =~ 'Microsoft.ADHybridHealthService/services/servicemembers/action'
| extend claimsJson = parse_json(Claims)
| extend AppId = tostring(claimsJson.appid)
| extend AccountName = tostring(claimsJson.name)
| project-away claimsJson
| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
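Review bot: the query fires on every `Microsoft.ADHybridHealthService/services/servicemembers/action`, so a legitimate onboarding of a new AD FS server into Connect Health triggers it just like the spoofed server instance the description warns about; the description should say so and point the analyst at the `AppId` and `AccountName` columns the query already computes (they survive `project-away claimsJson`, so they are in the alert output) as the first thing to check, since the companion "Suspicious Application" rule keys on the same `appid` claim.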


@ -0,0 +1,43 @@
id: 86a036b2-3686-42eb-b417-909fc0867771
name: Azure Active Directory Hybrid Health AD FS Service Delete
description: |
'This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.
A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.
The health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.
More information in this blog https://o365blog.com/post/hybridhealthagent/'
severity: Medium
requiredDataConnectors:
- connectorId: AzureActivity
dataTypes:
- AzureActivity
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- DefenseEvasion
relevantTechniques:
- T1578.003
tags:
- SimuLand
query: |
AzureActivity
| where CategoryValue == 'Administrative'
| where ResourceProviderValue =~ 'Microsoft.ADHybridHealthService'
| where _ResourceId contains 'AdFederationService'
| where OperationNameValue =~ 'Microsoft.ADHybridHealthService/services/delete'
| extend claimsJson = parse_json(Claims)
| extend AppId = tostring(claimsJson.appid)
| extend AccountName = tostring(claimsJson.name)
| project-away claimsJson
| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
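Review bot: typo in the description, "after it is not longer needed" should be "after it is no longer needed", and the last sentence needs punctuation before the URL ("More information in this blog: https://o365blog.com/post/hybridhealthagent/"). Otherwise the rule mirrors the "New Server" rule with only the `OperationNameValue` changed, which is fine, but note that an attacker deleting the fake service is the clean-up step of the same technique, so the description could cross-reference that rule for the preceding `servicemembers/action` event.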


@ -0,0 +1,48 @@
id: d9938c3b-16f9-444d-bc22-ea9a9110e0fd
name: Azure Active Directory Hybrid Health AD FS Suspicious Application
description: |
'This detection uses AzureActivity logs (Administrative category) to a suspicious application adding a server instance to an Azure AD Hybrid health AD FS service or deleting the AD FS service instance.
Usually the Azure AD Connect Health Agent application with ID cf6d7e68-f018-4e0a-a7b3-126e053fb88d is used to perform those operations.'
severity: Medium
requiredDataConnectors:
- connectorId: AzureActivity
dataTypes:
- AzureActivity
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- CredentialAccess
- DefenseEvasion
relevantTechniques:
- T1528
- T1550
tags:
- SimuLand
query: |
// Azure AD Connect Health Agent - cf6d7e68-f018-4e0a-a7b3-126e053fb88d
// Azure Active Directory Connect - cb1056e2-e479-49de-ae31-7812af012ed8
let appList = dynamic(['cf6d7e68-f018-4e0a-a7b3-126e053fb88d','cb1056e2-e479-49de-ae31-7812af012ed8']);
let operationNamesList = dynamic(['Microsoft.ADHybridHealthService/services/servicemembers/action','Microsoft.ADHybridHealthService/services/delete']);
AzureActivity
| where CategoryValue == 'Administrative'
| where ResourceProviderValue =~ 'Microsoft.ADHybridHealthService'
| where _ResourceId contains 'AdFederationService'
| where OperationNameValue in~ (operationNamesList)
| extend claimsJson = parse_json(Claims)
| extend AppId = tostring(claimsJson.appid)
| extend AccountName = tostring(claimsJson.name)
| where AppId !in (appList)
| project-away claimsJson
| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
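Review bot: `| where AppId !in (appList)` is case-sensitive while every other string comparison in this rule uses the case-insensitive `=~` / `in~`; use `!in~` so an upper-cased GUID in the `appid` claim does not slip past the allow-list. Rows with no `appid` claim at all yield an empty `AppId`, which also passes `!in` and fires the rule; decide whether that is intended and, if not, add `| where isnotempty(AppId)`. The description is also missing its verb: "to a suspicious application adding" should read "to identify a suspicious application adding".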


@ -0,0 +1,76 @@
id: f819c592-c5f9-4d5c-a79f-1e6819863533
name: Azure AD Health Monitoring Agent Registry Keys Access
description: |
'This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.
This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.
You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml
'
severity: Medium
requiredDataConnectors:
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Collection
relevantTechniques:
- T1005
tags:
- SimuLand
query: |
// ADHealth Monitoring Agent Registry Key
let aadHealthMonAgentRegKey = "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent";
// Filter out known processes
let aadConnectHealthProcs = dynamic ([
'Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe',
'Microsoft.Identity.Health.Adfs.InsightsService.exe',
'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe',
'Microsoft.Identity.Health.Adfs.PshSurrogate.exe',
'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe'
]);
(union isfuzzy=true
(
SecurityEvent
| where EventID == '4656'
| extend EventData = parse_xml(EventData).EventData.Data
| mv-expand bagexpansion=array EventData
| evaluate bag_unpack(EventData)
| extend Key = tostring(column_ifexists('@Name', "")), Value = column_ifexists('#text', "")
| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)
| extend SubjectUserName = column_ifexists("SubjectUserName", ""),
SubjectDomainName = column_ifexists("SubjectDomainName", ""),
ObjectName = column_ifexists("ObjectName", ""),
ObjectType = column_ifexists("ObjectType", ""),
ProcessName = column_ifexists("ProcessName", "")
| extend Process = split(ProcessName, '\\', -1)[-1],
Account = strcat(SubjectDomainName, "\\", SubjectUserName)
| where ObjectType == 'Key'
| where ObjectName == aadHealthMonAgentRegKey
| where Process !in (aadConnectHealthProcs)
),
(
SecurityEvent
| where EventID == '4663'
| extend Process = split(ProcessName, '\\', -1)[-1]
| where ObjectType == 'Key'
| where ObjectName == aadHealthMonAgentRegKey
| where Process !in (aadConnectHealthProcs)
)
)
// You can filter out potential machine accounts
//| where AccountType != 'Machine'
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
| summarize count() by ProcessName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: HostCustomEntity
version: 1.0.0
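Review bot: the trailing `| summarize count() by ProcessName` throws away `timestamp`, `AccountCustomEntity` and `HostCustomEntity`, which the `entityMappings` block below references, so the rule either fails validation or produces alerts with no entities; the sibling ADHealthAgent rule ends at the `extend` line, so drop the summarize here too (or summarize by the entity columns if an aggregated alert is wanted). Minor: `ObjectName == aadHealthMonAgentRegKey` is an exact match whereas the sibling rule uses `startswith`, which is consistent with the description only watching the `MonitoringAgent` key itself, but worth stating explicitly so nobody expects sub-key coverage.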


@ -0,0 +1,76 @@
id: 06bbf969-fcbe-43fa-bac2-b2fa131d113a
name: Azure AD Health Service Agents Registry Keys Access
description: |
'This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).
Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).
This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent.
Make sure you set the SACL to propagate to its sub-keys. You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml
'
severity: Medium
requiredDataConnectors:
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Collection
relevantTechniques:
- T1005
tags:
- SimuLand
query: |
// ADHealthAgent Registry Key
let aadConnectHealthRegKey = "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\ADHealthAgent";
// Filter out known processes
let aadConnectHealthProcs = dynamic ([
'Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe',
'Microsoft.Identity.Health.Adfs.InsightsService.exe',
'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe',
'Microsoft.Identity.Health.Adfs.PshSurrogate.exe',
'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe'
]);
(union isfuzzy=true
(
SecurityEvent
| where EventID == '4656'
| extend EventData = parse_xml(EventData).EventData.Data
| mv-expand bagexpansion=array EventData
| evaluate bag_unpack(EventData)
| extend Key = tostring(column_ifexists('@Name', "")), Value = column_ifexists('#text', "")
| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)
| extend SubjectUserName = column_ifexists("SubjectUserName", ""),
SubjectDomainName = column_ifexists("SubjectDomainName", ""),
ObjectName = column_ifexists("ObjectName", ""),
ObjectType = column_ifexists("ObjectType", ""),
ProcessName = column_ifexists("ProcessName", "")
| extend Process = split(ProcessName, '\\', -1)[-1],
Account = strcat(SubjectDomainName, "\\", SubjectUserName)
| where ObjectType == 'Key'
| where ObjectName startswith aadConnectHealthRegKey
| where Process !in (aadConnectHealthProcs)
),
(
SecurityEvent
| where EventID == '4663'
| extend Process = split(ProcessName, '\\', -1)[-1]
| where ObjectType == 'Key'
| where ObjectName startswith aadConnectHealthRegKey
| where Process !in (aadConnectHealthProcs)
)
)
// You can filter out potential machine accounts
//| where AccountType != 'Machine'
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: HostCustomEntity
version: 1.0.0
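Review bot: the commented-out `//| where AccountType != 'Machine'` would not behave as the comment suggests if uncommented: the 4656 branch goes through `evaluate pivot(...)`, which keeps only `TimeGenerated`, `Computer`, `EventID` and the pivoted keys, so `AccountType` is absent there, the comparison evaluates to null and every 4656 row would be dropped while 4663 rows are kept; either reword the hint or build the machine-account filter on the `Account` column (e.g. a trailing `$`) that both branches produce. Description nits: `HKLM:\SOFTWARE\Microsoft\ADHealthAgent` uses PowerShell drive syntax while the sibling rule writes `HKLM\SOFTWARE\...`, and "e.g AD FS" should be "e.g. AD FS".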


@ -0,0 +1,45 @@
id: 346d36c9-2e79-4d8f-8c14-1eef73d38737
name: Recon Activity with Interactive Logon Correlation
description: |
'This query looks at correlating different reconnaissance alerts with interactive logon logs to help analysts investigate initial possible compromise activity'
requiredDataConnectors:
- connectorId: AzureSecurityCenter
dataTypes:
- SecurityAlert (ASC)
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
- connectorId: WindowsSecurityEvents
dataTypes:
- SecurityEvent
tactics:
- InitialAccess
- Impact
relevantTechniques:
- T1190
- T1078
query: |
SecurityAlert
| where AlertName has_any ('Atypical travel','Unfamiliar sign-in properties','Anonymous IP address','Malware linked IP address','Malicious IP address','Password Spray','Targeted port scans')
| summarize count(),make_set(AlertName) by WorkspaceSubscriptionId,CompromisedEntity= toupper(CompromisedEntity),TimeGenerated
| extend number_alerts = array_length(set_AlertName)
| join kind=inner
(
SecurityEvent
| where EventID == 4624 and LogonType == 10
| project Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName,Interactivelogontime=TimeGenerated
) on $left.CompromisedEntity==$right.Computer
| project TimeGenerated,Interactivelogontime,AccountCustomEntity=Account,AccountType,CompromisedEntity,Activity,IpAddress
| extend TimeWindow = TimeGenerated + 15m
| where Interactivelogontime between (TimeGenerated .. TimeWindow)
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IpAddress
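Review bot: the 15-minute window is applied only after an unbounded inner join, so for every alert all type-10 logons to that host across the whole period are joined before `between` discards most of them; move the time predicate onto the `SecurityEvent` side (or into the join) to keep the join small. A second logic point: the `AlertName` list mixes identity alerts (Atypical travel, Unfamiliar sign-in properties, Anonymous IP address, Password Spray) whose compromised entity is a user with host alerts such as Targeted port scans, and the join on `$left.CompromisedEntity == $right.Computer` can only match the host-based ones, so either document that the identity alerts are effectively unused here or join those on `Account` instead. The `Impact` tactic also looks out of place for a reconnaissance-to-logon correlation; double-check the intended mapping.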


@ -0,0 +1,76 @@
id: 6962473c-bcb8-421d-a0db-826078cad280
name: Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogs
description: |
'This query looks for unfamiliar Sign-in's thats not seen recently for the given user
with azure portal login attempts and audit logs to help detect and reduce the analysis timeline for defenders'
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- SigninLogs
- connectorId: AzureActiveDirectory
dataTypes:
- AADNonInteractiveUserSignInLogs
- connectorId: AzureSecurityCenter
dataTypes:
- SecurityAlert (ASC)
- connectorId: AzureActiveDirectory
dataTypes:
- AuditLogs
tactics:
- InitialAccess
- Impact
relevantTechniques:
- T1190
- T1078
query: |
SecurityAlert
| where AlertName == "Unfamiliar sign-in properties"
| extend Extprop = parsejson(Entities)
| mv-expand Extprop
| extend Extprop = parsejson(Extprop)
| extend CmdLine = iff(Extprop['Type']=="process", Extprop['CommandLine'], '')
| extend File = iff(Extprop['Type']=="file", Extprop['Name'], '')
| extend Account = Extprop['Name']
| extend Domain = Extprop['UPNSuffix']
| extend Account = iif(isnotempty(Domain) and Extprop['Type']=="account", tolower(strcat(Account, "@", Domain)), iif(Extprop['Type']=="account", tolower(Account), ""))
| extend IpAddress = iff(Extprop["Type"] == "ip",Extprop['Address'], '')
| extend Process = iff(isnotempty(CmdLine), CmdLine, File)
| summarize count() by AlertName,AlertSeverity,CompromisedEntity,Account
| join kind=inner
(
SigninLogs
| where AppDisplayName == "Azure Portal"
// 50126 - Invalid username or password, or invalid on-premises username or password.
| where ResultType == "50126"
| extend OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)
| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)
| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)
| project UserDisplayName, UserPrincipalName, AppDisplayName, ResultType, ResultDescription, StatusCode, StatusDetails, Location, State,IPAddress
| extend AccountCustomEntity = UserPrincipalName
) on $left.Account == $right.AccountCustomEntity
| project AccountCustomEntity = tolower(AccountCustomEntity),State,StatusCode,StatusDetails,IPAddress,ResultDescription,AppDisplayName,Location,AlertName
| join kind=inner
(
AuditLogs
| where LoggedByService =~ "Core Directory"
| where Category =~ "RoleManagement"
| where OperationName has_any ("Add member to role","Add member to role in PIM requested (permanent)")
| extend IpAddress = case(
isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != 'null', tostring(parse_json(tostring(InitiatedBy.user)).ipAddress),
isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != 'null', tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),
'Not Available')
| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)),
tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)), UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))
| project InitiatedBy = tolower(InitiatedBy), ActivityDateTime, ActivityDisplayName,IpAddress, AADOperationType, AADTenantId
) on $left.AccountCustomEntity == $right.InitiatedBy
| project AccountCustomEntity,AppDisplayName,IPAddress,Location,StatusCode,StatusDetails
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPAddress
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
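Review bot: `UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)` stores the initiator's IP address in a column called `UserRoles`, which looks like a copy-paste slip; it is never projected, so delete it together with the other unused computations carried over from a process-alert template (`CmdLine`, `File`, `Process`, `TargetResourceName`, and the `Type == "process"` / `"file"` branches, none of which apply to an "Unfamiliar sign-in properties" alert). `parsejson` is the legacy spelling of `parse_json`; use `parse_json` as the AuditLogs branch already does. Neither join carries a time constraint, so a role assignment made weeks before or after the alert still correlates; add a window like the recon query's `between` and keep `ActivityDateTime` in the final `project` so the analyst can see the ordering. Description grammar: "unfamiliar sign-ins that have not been seen recently for the given user".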

Logos/Illusive.svg Normal file

@ -0,0 +1,45 @@
<?xml version="1.0" encoding="utf-8"?>
<!-- Generator: Adobe Illustrator 25.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->
<svg version="1.1" id="4d489b18-0df0-4765-831b-08f7a8fc084e" xmlns="http://www.w3.org/2000/svg" x="0px" y="0px"
viewBox="0 0 230 230" xml:space="preserve">
<g>
<path fill="#0000BA" class="st0" d="M17.74,125.18L24,114.47h-3.59l3.7-6.38h12.4l-9.61,16.43c-0.3,0.52-0.66,1.17-0.87,1.69
c-0.45,1.17-0.16,1.83,1.27,1.83c0.4,0,0.98-0.05,0.98-0.05l-3.7,6.38c0,0-1.29,0.16-2.72,0.16c-4.03,0-8.09-0.35-5.86-6.07
C16.4,127.52,16.99,126.44,17.74,125.18z M33.75,97.87h8.63l-4.01,6.89h-8.63L33.75,97.87z"/>
<path fill="#0000BA" class="st0" d="M34.87,124.66l11.91-20.42h-3.56l3.7-6.38h12.4L44.2,123.89c-0.42,0.7-0.84,1.52-1.03,1.99
c-0.47,1.22-0.09,1.69,1.34,1.69c0.56,0,1.1-0.05,1.1-0.05l-4.08,6.94c0,0-1.29,0.16-2.72,0.16c-4.03,0-7.85-0.82-5.58-6.63
C33.61,127.01,34.12,125.93,34.87,124.66z"/>
<path fill="#0000BA" class="st0" d="M51.87,124.66l11.91-20.42h-3.56l3.7-6.38h12.4l-15.12,26.02c-0.42,0.7-0.84,1.52-1.03,1.99
c-0.47,1.22-0.09,1.69,1.34,1.69c0.56,0,1.1-0.05,1.1-0.05l-4.08,6.94c0,0-1.29,0.16-2.72,0.16c-4.03,0-7.85-0.82-5.58-6.63
C50.6,127.01,51.12,125.93,51.87,124.66z"/>
<path fill="#0000BA" class="st0" d="M70.03,124.76l6-10.31h-3.56l3.75-6.38h12.4l-9,15.4c-0.33,0.56-0.63,1.13-0.77,1.48
c-0.61,1.57-0.05,2.25,1.43,2.25c3.63,0,7.9-4.03,9.92-7.5l3.07-5.25H89.7l3.75-6.38h12.4l-9.61,16.43
c-0.3,0.52-0.66,1.17-0.87,1.69c-0.45,1.17-0.16,1.83,1.27,1.83c0.4,0,0.98-0.05,0.98-0.05l-3.7,6.38c0,0-1.29,0.16-3.47,0.16
c-2.81,0-6.49-0.09-5.2-4.85h-0.12c-3.33,3.07-7.31,5.3-11.56,5.3c-4.24,0-6.94-2.25-4.97-7.29
C68.91,126.87,69.45,125.79,70.03,124.76z"/>
<path fill="#0000BA" class="st0" d="M102.38,125.06h7.41l-0.56,0.91c-1.17,1.95,1.45,2.3,3.14,2.3c2.6,0,3.7-0.87,4.03-1.73
c1.29-3.31-11.13-1.95-7.88-10.31c2.44-6.28,9.84-8.77,16.13-8.77c4.55,0,9.54,1.69,6.87,6.33l-1.71,2.95h-7.41l0.54-1.03
c0.75-1.43-0.87-1.57-1.95-1.57c-2.13,0-3.33,0.56-3.73,1.57c-1.41,3.63,11.34,1.64,8.13,9.89c-2.27,5.86-9.31,9.33-16.81,9.33
c-4.5,0-11.04-1.69-7.81-7.24L102.38,125.06z"/>
<path fill="#0000BA" class="st0" d="M132.12,125.18l6.26-10.71h-3.56l3.7-6.38h12.4l-9.61,16.43c-0.3,0.52-0.66,1.17-0.87,1.69
c-0.45,1.17-0.16,1.83,1.27,1.83c0.4,0,0.98-0.05,0.98-0.05l-3.7,6.38c0,0-1.29,0.16-2.72,0.16c-4.03,0-8.09-0.35-5.86-6.07
C130.81,127.52,131.37,126.44,132.12,125.18z"/>
<path fill="#0000BA" class="st0" d="M155.07,114.47h-2.95l3.75-6.38h13.74l-3.75,6.38h-2.34l-2.51,9.49c-0.35,1.57-1.29,3.47-1.29,3.47h0.21
c0,0,1.24-1.9,2.72-3.47l8.53-9.49h-2.34l3.75-6.38h14.23l-3.75,6.38h-2.95l-18.92,19.9h-10.43L155.07,114.47z"/>
<path fill="#0000BA" class="st0" d="M201.32,107.46c7.45,0,9.59,4.24,7.22,10.31c-0.94,2.39-2.93,5.06-2.93,5.06h-16.53c0,0-0.14,0.26-0.26,0.52
c-1.03,2.65,0.35,4.34,3.47,4.34c3.82,0,8.84-2.65,8.84-2.65l-0.3,6.54c0,0-5.98,3.42-11.95,3.42c-8.98,0-11.34-5.3-8.95-11.49
C183.48,114.35,192.65,107.46,201.32,107.46z M199.8,117.98c0,0,0.38-0.7,0.49-1.03c0.63-1.64,0.09-2.86-1.69-2.86
c-2.55,0-4.92,1.78-6.56,3.87h7.76V117.98z"/>
<path fill="#0000BA" class="st0" d="M151.46,96.89h5.44l-3.21,5.27h-5.44L151.46,96.89z"/>
<path fill="#0000BA" class="st1" d="M158.59,96.89h5.44l-3.21,5.27h-5.44L158.59,96.89z"/>
<path fill="#0000BA" class="st2" d="M165.74,96.89h5.44l-3.21,5.27h-5.44L165.74,96.89z"/>
<path fill="#0000BA" class="st3" d="M172.86,96.89h5.44l-3.21,5.27h-5.44L172.86,96.89z"/>
<path fill="#0000BA" class="st4" d="M180.01,96.89h5.44l-3.21,5.27h-5.44L180.01,96.89z"/>
<path fill="#0000BA" class="st5" d="M187.16,96.89h5.44l-3.21,5.27h-5.44L187.16,96.89z"/>
<path fill="#0000BA" class="st6" d="M194.29,96.89h5.44l-3.21,5.27h-5.44L194.29,96.89z"/>
<path fill="#0000BA" class="st7" d="M201.44,96.89h5.44l-3.21,5.27h-5.44L201.44,96.89z"/>
<path fill="#0000BA" class="st8" d="M208.56,96.89H214l-3.21,5.27h-5.41L208.56,96.89z"/>
</g>
</svg>


Logos/tenableio_logo.svg Normal file

@ -0,0 +1,4 @@
<svg id="87b003e3-ad99-4399-be20-ffcdafb8ac2b" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 326 72.5">
<path d="M322.46 21.53h.37c.44 0 .66-.17.66-.49a.4.4 0 00-.17-.36.89.89 0 00-.52-.11h-.34v1zm1.53.07a1.26 1.26 0 01-.57.34l.9 1.34h-.82l-.75-1.28h-.29v1.24h-.7v-3.19h1c1 0 1.49.33 1.49 1a.76.76 0 01-.22.56zm.15 2.22A2.18 2.18 0 00325 23a2.58 2.58 0 000-2.49 2.23 2.23 0 00-.87-.88 2.5 2.5 0 00-1.26-.31 2.46 2.46 0 00-1.24.31 2.27 2.27 0 00-.86.88 2.58 2.58 0 000 2.49 2.22 2.22 0 00.86.86 2.56 2.56 0 001.24.31 2.61 2.61 0 001.26-.31zm.32-4.71a2.95 2.95 0 011.54 2.6 2.93 2.93 0 01-.41 1.51 2.87 2.87 0 01-1.13 1.08 3.28 3.28 0 01-3.14 0 2.93 2.93 0 01-1.53-2.59 3 3 0 01.41-1.51 3 3 0 011.12-1.09 3.21 3.21 0 013.14 0zm-219.73 9.75a1 1 0 01-.73.29h-8.73a.37.37 0 00-.42.41v19.83c0 2.08.47 3.59 1.41 4.52a6.15 6.15 0 004.49 1.4h2.57a1 1 0 01.72.29.94.94 0 01.3.7v6.17c0 .6-.34 1-1 1.07l-4.45.08q-6.77 0-10.1-2.22T85.35 53V29.56c0-.27-.14-.41-.43-.41h-4.87a1 1 0 01-.73-.29.92.92 0 01-.3-.7V22.4a1 1 0 01.3-.7 1 1 0 01.73-.28h4.87a.37.37 0 00.43-.42v-9.62a.92.92 0 01.3-.7 1 1 0 01.73-.29h7.44a1 1 0 01.73.29.92.92 0 01.3.7V21a.37.37 0 00.42.42H104a1 1 0 01.73.28 1 1 0 01.3.7v5.76a.92.92 0 01-.3.7zm14.64 1.65a8 8 0 00-3 4.23 13.81 13.81 0 00-.68 3.62c-.12.28 0 .41.34.41h17.37c.28 0 .42-.13.42-.41a14.52 14.52 0 00-.51-3.12 8 8 0 00-3-4.61 9.42 9.42 0 00-5.68-1.63 8.69 8.69 0 00-5.26 1.53zM144 42.31l-.09 2.55a.89.89 0 01-1 1h-26.83c-.29 0-.43.14-.43.41a11.34 11.34 0 00.77 3.7q2.06 5.92 10 6a10.89 10.89 0 009.24-4.61 1 1 0 01.86-.49.81.81 0 01.59.25l5.31 4.19a.86.86 0 01.25 1.32 17.27 17.27 0 01-7.05 5.59 23.67 23.67 0 01-9.8 2 21.12 21.12 0 01-11.33-2.88 16.68 16.68 0 01-6.8-8.07q-2-4.44-2-12.34a24.27 24.27 0 011-7.73 16.52 16.52 0 016.46-9.09 19.41 19.41 0 0111.42-3.33q16.86 0 19 17a29.07 29.07 0 01.34 4.6zm35.76-17.6q4.16 3.95 4.15 10.77v27a.94.94 0 01-.3.7 1 1 0 01-.73.29H175a1 1 0 01-.72-.29.94.94 0 01-.3-.7v-25a8.56 8.56 0 00-2.23-6.13 7.76 7.76 0 00-5.9-2.35 8 8 0 00-6 2.31 8.29 8.29 0 00-2.26 6.09v25.07a.94.94 0 01-.3.7 1 1 0 01-.73.29h-7.87a1 1 0 01-.73-.29.94.94 0 
01-.3-.7V22.4a1 1 0 01.3-.7 1 1 0 01.73-.28h7.87a1 1 0 01.73.28 1 1 0 01.3.7V25a.31.31 0 00.17.32c.11.06.2 0 .25-.16q3.51-4.44 10.61-4.44 6.93 0 11.08 3.95zm32 29.7a6.46 6.46 0 003-5.43v-3.87c0-.27-.14-.41-.43-.41h-7.18a13.4 13.4 0 00-7.15 1.64 5.25 5.25 0 00-2.62 4.66 4.71 4.71 0 002 4.08 8.64 8.64 0 005.17 1.44 12.11 12.11 0 007.19-2.14zm4.68-31.84a14.71 14.71 0 016.33 5 12.22 12.22 0 012.23 7.2v27.7a.94.94 0 01-.3.7 1 1 0 01-.73.29h-7.87a1 1 0 01-.73-.29.94.94 0 01-.3-.7v-2.63c0-.17 0-.26-.17-.29a.36.36 0 00-.34.12q-4.19 4.44-12.15 4.45A17.09 17.09 0 01191.85 61q-4.15-3.12-4.15-9.3a11.86 11.86 0 014.66-10q4.66-3.59 13.13-3.58h9.16a.37.37 0 00.42-.41v-2a6.35 6.35 0 00-2-5c-1.32-1.18-3.28-1.77-5.91-1.77a10.75 10.75 0 00-5.26 1.12 4.83 4.83 0 00-2.52 3.08 1 1 0 01-1.2.82l-8.3-1a2 2 0 01-.72-.29.47.47 0 01-.22-.54 11.51 11.51 0 015.65-8.13c3.27-2.14 7.4-3.21 12.36-3.21a23.25 23.25 0 019.49 1.81zM257 42.48q0-6.42-2.56-10a7.71 7.71 0 00-6.86-3.48 7.1 7.1 0 00-6.41 3.62c-1.43 2.25-2.14 5.52-2.14 9.79s.65 7.41 2 9.55a7.19 7.19 0 006.67 4 8.74 8.74 0 004.28-1 7.76 7.76 0 003-2.92q2.02-3.56 2.02-9.56zm10.18-.17a30 30 0 01-1.62 10.29 16.3 16.3 0 01-16.34 11.52 12.55 12.55 0 01-9.84-4.37c-.11-.16-.23-.21-.34-.16a.32.32 0 00-.17.33v2.55a.94.94 0 01-.3.7 1 1 0 01-.73.29H230a1 1 0 01-.73-.29.94.94 0 01-.3-.7V6.85a1 1 0 01.3-.7 1 1 0 01.73-.28h7.87a1 1 0 01.73.28 1 1 0 01.3.7v17.86a.33.33 0 00.1.29.29.29 0 00.34-.09 12.34 12.34 0 019.75-4.19 17.23 17.23 0 0110.48 3 17.62 17.62 0 016.12 8.48 33.12 33.12 0 011.45 10zm4.09 20.92a.92.92 0 01-.3-.7V6.92a.92.92 0 01.3-.7 1 1 0 01.73-.29h7.87a1 1 0 01.73.29.92.92 0 01.3.7v55.61a.92.92 0 01-.3.7 1 1 0 01-.73.29H272a1 1 0 01-.73-.29z" class="cls-1" />
<path d="M298.38 30.44a8.06 8.06 0 00-2.95 4.24 13.29 13.29 0 00-.69 3.62c-.11.28 0 .41.34.41h17.37c.28 0 .43-.13.43-.41a15.31 15.31 0 00-.52-3.13 7.91 7.91 0 00-3-4.6 9.42 9.42 0 00-5.69-1.65 8.73 8.73 0 00-5.26 1.52zM323 42.25l-.08 2.55c0 .66-.34 1-1 1h-26.84a.37.37 0 00-.42.41 11.14 11.14 0 00.77 3.7q2 5.93 10 6a10.92 10.92 0 009.24-4.61 1 1 0 01.86-.49.85.85 0 01.6.24l5.3 4.2a.86.86 0 01.26 1.32 17.39 17.39 0 01-7.06 5.59 23.62 23.62 0 01-9.79 2 21.18 21.18 0 01-11.34-2.87 16.68 16.68 0 01-6.8-8.07q-2-4.44-2-12.34a23.91 23.91 0 011-7.73 16.47 16.47 0 016.52-9.15 19.3 19.3 0 0111.42-3.34q16.85 0 19 17a28.06 28.06 0 01.34 4.61zM71 44.37L57.15 59.89l12.12-23a5.56 5.56 0 00.63-2.2l1.92 5.71a4.08 4.08 0 01-.82 4zM50 67.84a4.08 4.08 0 01-3.81 1.29L27 65.37l24.84-1.27a5.47 5.47 0 002-.47l-3.76 4.21zm-37.72-7.43L5.77 41.09 19.6 62.9a5.36 5.36 0 001.08 1.24l-5.32-1a4.06 4.06 0 01-3.08-2.69zM3.21 27l13.85-15.5-12.13 23a5.64 5.64 0 00-.62 2.21L2.39 31a4 4 0 01.82-4zM24.15 3.54A4 4 0 0128 2.26L47.25 6 22.36 7.28a5.74 5.74 0 00-2 .47l3.76-4.21zM61.5 23.43l5.71 9a3.39 3.39 0 01.14 3.4l-5.76 10.96V24.31a4.31 4.31 0 00-.09-.88zM12.7 48L7 39a3.43 3.43 0 01-.14-3.41l5.76-10.99v22.48a5.24 5.24 0 00.08.88zm46.71-.88a2.67 2.67 0 01-1.32 2.3L38.43 60.75a2.64 2.64 0 01-2.66 0L16.12 49.38a2.68 2.68 0 01-1.33-2.3V24.31A2.65 2.65 0 0116.12 22l19.65-11.37a2.64 2.64 0 012.66 0L58.09 22a2.65 2.65 0 011.32 2.3v22.78zM52.77 9.65l6.81 10.74c-.13-.09-.26-.18-.4-.26L39.52 8.75l-.28-.15 10.48-.53a3.4 3.4 0 013.05 1.58zm-30.3-.2l12.06-.61L15 20.13l-.09.05 4.69-8.91a3.43 3.43 0 012.84-1.82zm-1 52.29L14.63 51c.13.09.26.18.4.26l19.65 11.38.28.14-10.48.54a3.43 3.43 0 01-3-1.58zm30.29.19l-12 .61 19.5-11.28.08-.06-4.69 8.92a3.41 3.41 0 01-2.84 1.81zM61.93 11l6.5 19.32L54.6 8.48a5.79 5.79 0 00-1.07-1.24l5.32 1A4.09 4.09 0 0161.93 11zm11.95 28.66L64 10.29a6.27 6.27 0 00-4.73-4.14L28.39.12a6.27 6.27 0 00-5.86 2l-21 23.47a6.24 6.24 0 00-1.2 6.13l9.89 29.38a6.25 6.25 0 004.72 4.14l30.88 6a5.91 5.91 0 
001.18.12 6.29 6.29 0 004.68-2.09l20.94-23.45a6.29 6.29 0 001.26-6.16z" class="cls-1" />
</svg>


File diff suppressed because one or more lines are too long


@ -1,6 +1,6 @@
# Microsoft Windows ASIM Authentication Normalization Parser
# Microsoft Windows Events ASIM Authentication Normalization Parser
This template deploys the ASIM Authentication schema parser for Microsoft Windows. The parser is a part of the Azure Sentinel Information Mode.
This template deploys the ASIM Authentication schema parser for Microsoft Windows Events. The parser is a part of the Azure Sentinel Information Mode.
The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
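Review bot: "Azure Sentinel Information Mode" should read "Azure Sentinel Information Model" both in the rewritten sentence and in the unchanged context line that follows, which expands the acronym ASIM right after the wrong word; since the line is being edited anyway, fix both occurrences in this change rather than leaving the typo to a follow-up.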


@ -16,117 +16,117 @@ Description: |
This Query Parser maps Windows sign in logs (WindowsEvent) to the Azure Sentinel Information Model authenticaion schema.
ParserName: vimAuthenticationMicrosoftWindowsEvent
ParserQuery: |
let LogonEvents=dynamic([4624,4625]);
let LogoffEvents=dynamic([4634,4647]);
let LogonTypes=datatable(LogonType:string, EventSubType:string)[
2, 'Interactive',
3, 'Network',
4, 'Batch',
5, 'Service',
7, 'Unlock',
8, 'NetworkCleartext',
9, 'NewCredentials',
10, 'RemoteInteractive',
11, 'CachedInteractive'];
// for more information about this parser, please refer to: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/quick-reference-troubleshooting-netlogon-error-codes/ba-p/256000
let LogonStatus=datatable
(EventStatus:string,EventOriginalResultDetails:string, EventResultDetails:string)[
'0x80090325', 'SEC_E_UNTRUSTED_ROOT','Other',
'0xc0000064', 'STATUS_NO_SUCH_USER','No such user or password',
'0xc000006f', 'STATUS_INVALID_LOGON_HOURS','Logon violates policy',
'0xc0000070', 'STATUS_INVALID_WORKSTATION','Logon violates policy',
'0xc0000071', 'STATUS_PASSWORD_EXPIRED','Password expired',
'0xc0000072', 'STATUS_ACCOUNT_DISABLED','User disabled',
'0xc0000133', 'STATUS_TIME_DIFFERENCE_AT_DC','Other',
'0xc000018d', 'STATUS_TRUSTED_RELATIONSHIP_FAILURE','Other',
'0xc0000193', 'STATUS_ACCOUNT_EXPIRED','Account expired',
'0xc0000380', 'STATUS_SMARTCARD_WRONG_PIN','Other',
'0xc0000381', 'STATUS_SMARTCARD_CARD_BLOCKED','Other',
'0xc0000382', 'STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED','Other',
'0xc0000383', 'STATUS_SMARTCARD_NO_CARD','Other',
'0xc0000384', 'STATUS_SMARTCARD_NO_KEY_CONTAINER','Other',
'0xc0000385', 'STATUS_SMARTCARD_NO_CERTIFICATE','Other',
'0xc0000386', 'STATUS_SMARTCARD_NO_KEYSET','Other',
'0xc0000387', 'STATUS_SMARTCARD_IO_ERROR','Other',
'0xc0000388', 'STATUS_DOWNGRADE_DETECTED','Other',
'0xc0000389', 'STATUS_SMARTCARD_CERT_REVOKED','Other',
'0x80090302', 'SEC_E_UNSUPPORTED_FUNCTION','Other',
'0x80090308', 'SEC_E_INVALID_TOKEN','Other',
'0x8009030e', 'SEC_E_NO_CREDENTIALS','Other',
'0xc0000008', 'STATUS_INVALID_HANDLE','Other',
'0xc0000017', 'STATUS_NO_MEMORY','Other',
'0xc0000022', 'STATUS_ACCESS_DENIED','Other',
'0xc0000034', 'STATUS_OBJECT_NAME_NOT_FOUND','Other',
'0xc000005e', 'STATUS_NO_LOGON_SERVERS','Other',
'0xc000006a', 'STATUS_WRONG_PASSWORD','Incorrect password',
'0xc000006d', 'STATUS_LOGON_FAILURE','Other',
'0xc000006e', 'STATUS_ACCOUNT_RESTRICTION','Logon violates policy',
'0xc0000073', 'STATUS_NONE_MAPPED','Other',
'0xc00000fe', 'STATUS_NO_SUCH_PACKAGE','Other',
'0xc000009a', 'STATUS_INSUFFICIENT_RESOURCES','Other',
'0xc00000dc', 'STATUS_INVALID_SERVER_STATE','Other',
'0xc0000106', 'STATUS_NAME_TOO_LONG','Other',
'0xc000010b', 'STATUS_INVALID_LOGON_TYPE','Logon violates policy',
'0xc000015b', 'STATUS_LOGON_TYPE_NOT_GRANTED','Logon violates policy',
'0xc000018b', 'STATUS_NO_TRUST_SAM_ACCOUNT','Logon violates policy',
'0xc0000224', 'STATUS_PASSWORD_MUST_CHANGE','Other',
'0xc0000234', 'STATUS_ACCOUNT_LOCKED_OUT','User locked',
'0xc00002ee', 'STATUS_UNFINISHED_CONTEXT_DELETED','Other'];
let WinLogon=(){ // TODO: update later "Data" to "EventData", and add EventOriginalUid and AccountType
WindowsEvent
| where Provider == 'Microsoft-Windows-Security-Auditing'
| where EventID in (LogonEvents) or EventID in (LogoffEvents)
| extend LogonProtocol = tostring(Data.AuthenticationPackageName),
SrcDvcIpAddr = tostring(Data.IpAddress),
TargetPortNumber = toint(Data.IpPort),
LogonGuid = tostring(Data.LogonGuid),
LogonType = tostring(Data.LogonType),
ActingProcessCreationTime = Data.ProcessCreationTime,
ActingProcessId = tostring(toint(Data.ProcessId)),
ActingProcessName = tostring(Data.ProcessName),
Status = tostring(Data.Status),
ActorSessionId = tostring(Data.SubjectLogonId),
ActorUsername = tostring(iff (Data.SubjectDomainName == '-', Data.SubjectUserName, strcat(Data.SubjectDomainName, @"\" , Data.SubjectUserName))),
ActorUserId = tostring(Data.SubjectUserSid),
SubStatus = tostring(Data.SubStatus),
TargetDomainName = tostring(Data.TargetDomainName),
TargetSessionId = tostring(Data.TargetLogonId),
TargetUserId = tostring(Data.TargetUserSid),
TargetUsername = tostring(iff (Data.TargetDomainName == '-', Data.TargetUserName, strcat(Data.TargetDomainName, @"\" , Data.TargetUserName))),
SrcDvcHostname = tostring(Data.WorkstationName),
EventProduct = "Security Events"
| extend EventStatus= iff(SubStatus=='0x0',Status,SubStatus)
// -- creating EventMessage matching EventMessage in SecurityEvent table
| extend EventMessage = case(EventID == 4634, "4634 - An account was logged off.",
EventID == 4625, "4625 - An account failed to log on.",
EventID == 4624 ,"4624 - An account was successfully logged on.",
"4647 - User initiated logoff."),
EventResult = iff(EventID == 4625, 'Failure', 'Success')
| project-rename
TargetDvcHostname = Computer,
// TargetUserType=AccountType, - no AccountType in windowsEvents
// EventOriginalUid = EventOriginId, - no EventOriginalId in WindowsEvents
EventOriginId=EventID
| extend EventCount=int(1),
EventSchemaVersion='0.1.0',
ActorUserIdType='SID',
TargetUserIdType='SID',
EventVendor='Microsoft',
EventStartTime =TimeGenerated,
EventEndTime=TimeGenerated,
EventType=iff(EventOriginId in (LogoffEvents), 'Logoff', 'Logon'),
ActorUsername = tostring(Data.SubjectUserName),
ActorUsernameType= iff(Data.SubjectDomainName == '-','Simple', 'Windows' ),
TargetUsername = tostring(Data.TargetUsername),
TargetUsernameType=iff (TargetDomainName == '-', 'Simple', 'Windows'),
SrcDvcOs = 'Windows',
EventStatus= iff(SubStatus=='0x0',Status,SubStatus)
| lookup LogonStatus on EventStatus
| lookup LogonTypes on LogonType
/// ** Aliases
| extend
User=TargetUsername
, LogonTarget=TargetDvcHostname
, Dvc=SrcDvcHostname
};
WinLogon
let LogonEvents=dynamic([4624,4625]);
let LogoffEvents=dynamic([4634,4647]);
let LogonTypes=datatable(LogonType:string, EventSubType:string)[
2, 'Interactive',
3, 'Network',
4, 'Batch',
5, 'Service',
7, 'Unlock',
8, 'NetworkCleartext',
9, 'NewCredentials',
10, 'RemoteInteractive',
11, 'CachedInteractive'];
// https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/quick-reference-troubleshooting-netlogon-error-codes/ba-p/256000
let LogonStatus=datatable
(EventStatus:string,EventOriginalResultDetails:string, EventResultDetails:string)[
'0x80090325', 'SEC_E_UNTRUSTED_ROOT','Other',
'0xc0000064', 'STATUS_NO_SUCH_USER','No such user or password',
'0xc000006f', 'STATUS_INVALID_LOGON_HOURS','Logon violates policy',
'0xc0000070', 'STATUS_INVALID_WORKSTATION','Logon violates policy',
'0xc0000071', 'STATUS_PASSWORD_EXPIRED','Password expired',
'0xc0000072', 'STATUS_ACCOUNT_DISABLED','User disabled',
'0xc0000133', 'STATUS_TIME_DIFFERENCE_AT_DC','Other',
'0xc000018d', 'STATUS_TRUSTED_RELATIONSHIP_FAILURE','Other',
'0xc0000193', 'STATUS_ACCOUNT_EXPIRED','Account expired',
'0xc0000380', 'STATUS_SMARTCARD_WRONG_PIN','Other',
'0xc0000381', 'STATUS_SMARTCARD_CARD_BLOCKED','Other',
'0xc0000382', 'STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED','Other',
'0xc0000383', 'STATUS_SMARTCARD_NO_CARD','Other',
'0xc0000384', 'STATUS_SMARTCARD_NO_KEY_CONTAINER','Other',
'0xc0000385', 'STATUS_SMARTCARD_NO_CERTIFICATE','Other',
'0xc0000386', 'STATUS_SMARTCARD_NO_KEYSET','Other',
'0xc0000387', 'STATUS_SMARTCARD_IO_ERROR','Other',
'0xc0000388', 'STATUS_DOWNGRADE_DETECTED','Other',
'0xc0000389', 'STATUS_SMARTCARD_CERT_REVOKED','Other',
'0x80090302', 'SEC_E_UNSUPPORTED_FUNCTION','Other',
'0x80090308', 'SEC_E_INVALID_TOKEN','Other',
'0x8009030e', 'SEC_E_NO_CREDENTIALS','Other',
'0xc0000008', 'STATUS_INVALID_HANDLE','Other',
'0xc0000017', 'STATUS_NO_MEMORY','Other',
'0xc0000022', 'STATUS_ACCESS_DENIED','Other',
'0xc0000034', 'STATUS_OBJECT_NAME_NOT_FOUND','Other',
'0xc000005e', 'STATUS_NO_LOGON_SERVERS','Other',
'0xc000006a', 'STATUS_WRONG_PASSWORD','Incorrect password',
'0xc000006d', 'STATUS_LOGON_FAILURE','Other',
'0xc000006e', 'STATUS_ACCOUNT_RESTRICTION','Logon violates policy',
'0xc0000073', 'STATUS_NONE_MAPPED','Other',
'0xc00000fe', 'STATUS_NO_SUCH_PACKAGE','Other',
'0xc000009a', 'STATUS_INSUFFICIENT_RESOURCES','Other',
'0xc00000dc', 'STATUS_INVALID_SERVER_STATE','Other',
'0xc0000106', 'STATUS_NAME_TOO_LONG','Other',
'0xc000010b', 'STATUS_INVALID_LOGON_TYPE','Logon violates policy',
'0xc000015b', 'STATUS_LOGON_TYPE_NOT_GRANTED','Logon violates policy',
'0xc000018b', 'STATUS_NO_TRUST_SAM_ACCOUNT','Logon violates policy',
'0xc0000224', 'STATUS_PASSWORD_MUST_CHANGE','Other',
'0xc0000234', 'STATUS_ACCOUNT_LOCKED_OUT','User locked',
'0xc00002ee', 'STATUS_UNFINISHED_CONTEXT_DELETED','Other'];
let WinLogon=(){
WindowsEvent
| where Provider == 'Microsoft-Windows-Security-Auditing'
| where EventID in (LogonEvents) or EventID in (LogoffEvents)
| extend LogonProtocol = tostring(EventData.AuthenticationPackageName),
SrcDvcIpAddr = tostring(EventData.IpAddress),
TargetPortNumber = toint(EventData.IpPort),
LogonGuid = tostring(EventData.LogonGuid),
LogonType = tostring(EventData.LogonType),
ActingProcessCreationTime = EventData.ProcessCreationTime,
ActingProcessId = tostring(toint(EventData.ProcessId)),
ActingProcessName = tostring(EventData.ProcessName),
Status = tostring(EventData.Status),
ActorSessionId = tostring(EventData.SubjectLogonId),
ActorUsername = tostring(iff (EventData.SubjectDomainName == '-', EventData.SubjectUserName, strcat(EventData.SubjectDomainName, @"\" , EventData.SubjectUserName))),
ActorUserId = tostring(EventData.SubjectUserSid),
SubStatus = tostring(EventData.SubStatus),
TargetDomainName = tostring(EventData.TargetDomainName),
TargetSessionId = tostring(EventData.TargetLogonId),
TargetUserId = tostring(EventData.TargetUserSid),
TargetUsername = tostring(iff (EventData.TargetDomainName == '-', EventData.TargetUserName, strcat(EventData.TargetDomainName, @"\" , EventData.TargetUserName))),
SrcDvcHostname = tostring(EventData.WorkstationName),
EventProduct = "Security Events"
| extend EventStatus= iff(SubStatus=='0x0',Status,SubStatus)
// -- creating EventMessage matching EventMessage in SecurityEvent table
| extend EventMessage = case(EventID == 4634, "4634 - An account was logged off.",
EventID == 4625, "4625 - An account failed to log on.",
EventID == 4624 ,"4624 - An account was successfully logged on.",
"4647 - User initiated logoff."),
EventResult = iff(EventID == 4625, 'Failure', 'Success')
| project-rename
TargetDvcHostname = Computer
// , TargetUserType=AccountType - no AccountType in windowsEvents
// , EventOriginalUid = EventOriginId - no EventOriginalId in WindowsEvents
, EventOriginId=EventID
| extend EventCount=int(1)
, EventSchemaVersion='0.1.0'
, ActorUserIdType='SID'
, TargetUserIdType='SID'
, EventVendor='Microsoft'
, EventStartTime =TimeGenerated
, EventEndTime=TimeGenerated
, EventType=iff(EventOriginId in (LogoffEvents), 'Logoff', 'Logon')
, ActorUsername = tostring(EventData.SubjectUserName)
, ActorUsernameType= iff(EventData.SubjectDomainName == '-','Simple', 'Windows' )
, TargetUsername = tostring(EventData.TargetUsername)
, TargetUsernameType=iff (TargetDomainName == '-', 'Simple', 'Windows')
, SrcDvcOs = 'Windows'
, EventStatus= iff(SubStatus=='0x0',Status,SubStatus)
| lookup LogonStatus on EventStatus
| lookup LogonTypes on LogonType
/// ** Aliases
| extend
User=TargetUsername
, LogonTarget=TargetDvcHostname
, Dvc=SrcDvcHostname
};
WinLogon
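Review bot: the second `extend` (the block beginning `| extend EventCount=int(1)`) overwrites two columns that the first `extend` already computed, and both overwrites lose data. `ActorUsername = tostring(EventData.SubjectUserName)` replaces the domain-qualified `DOMAIN\user` value built from `SubjectDomainName` earlier in the same function, while `ActorUsernameType` is still set to `'Windows'` for those rows; and `TargetUsername = tostring(EventData.TargetUsername)` reads a property spelled differently from the `EventData.TargetUserName` used a few lines above, so the qualified target name is replaced by an empty string. Drop both reassignments, or keep only the qualified form, e.g. `TargetUsername = tostring(iff (EventData.TargetDomainName == '-', EventData.TargetUserName, strcat(EventData.TargetDomainName, @"\" , EventData.TargetUserName)))`. `EventStatus = iff(SubStatus=='0x0',Status,SubStatus)` is also computed twice with the same expression; the second copy can go.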

View file

@ -28,7 +28,7 @@
"displayName": "ASIM Microsoft WindowsEvent Process Creation Events Parser",
"category": "Security",
"FunctionAlias": "vimProcessCreateMicrosoftWindowsEvents",
"query": "let MandatoryLabelLookup = datatable (MandatoryLabel:string,MandatoryLabelRid:string, MandatoryLabelText:string, MandatoryLabelMeaning:string)\n [\n 'S-1-16-0', '0x00000000', 'SECURITY_MANDATORY_UNTRUSTED_RID', 'Untrusted',\n 'S-1-16-4096', '0x00001000', 'SECURITY_MANDATORY_LOW_RID', 'Low integrity',\n 'S-1-16-8192', '0x00002000', 'SECURITY_MANDATORY_MEDIUM_RID', 'Medium integrity',\n 'S-1-16-8448', '0x00002100', 'SECURITY_MANDATORY_MEDIUM_PLUS_RID', 'Medium high integrity',\n 'S-1-16-12288', '0X00003000', 'SECURITY_MANDATORY_HIGH_RID', 'High integrity',\n 'S-1-16-16384', '0x00004000', 'SECURITY_MANDATORY_SYSTEM_RID', 'System integrity',\n 'S-1-16-20480', '0x00005000', 'SECURITY_MANDATORY_PROTECTED_PROCESS_RID', 'Protected process'\n ];\n let ProcessEvents=(){\n WindowsEvent\n | where EventID == 4688\n // -- Map\n | extend\n // Event\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventProduct = 'Security Event',\n EventSchemaVersion = '0.1.0',\n EventResult = 'Success',\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventType = 'ProcessCreated',\n EventOriginalType = tostring(EventID),\n // EventOriginalUid = EventOriginId, will be added later to the schema\n // \"Data\" field will move to \"EventData\" later\n // Device\n // DvcId = SourceComputerId, \n DvcHostname = Computer,\n DvcOs = 'Windows',\n // Users\n ActorUserId = tostring(Data.SubjectUserSid),\n ActorUserIdType = 'SID',\n ActorUsername = tostring(iff (Data.SubjectDomainName == '-', Data.SubjectUserName, strcat(Data.SubjectDomainName, @\"\\\" , Data.SubjectUserName))),\n ActorUsernameType = iff(Data.SubjectDomainName == '-','Simple', 'Windows'),\n ActorSessionId = tostring(toint(Data.SubjectLogonId)),\n // ActorType = AccountType, No such field in WindowsEvent\n TargetUserId = tostring(Data.TargetUserSid), \n TargetUserIdType = 'SID',\n TargetUsername = tostring(iff (Data.TargetDomainName == '-', Data.TargetUserName, 
strcat(Data.TargetDomainName, @\"\\\" , Data.TargetUserName))),\n TargetUsernameType = iff (Data.TargetDomainName == '-', 'Simple', 'Windows'),\n TargetUserSessionId = tostring(toint(Data.TargetLogonId)), \n // Processes \n ActingProcessId = tostring(toint(Data.ProcessId)),\n ActingProcessName = tostring(Data.ParentProcessName),\n TargetProcessId = tostring(Data.NewProcessId),\n TargetProcessName = tostring(Data.NewProcessName),\n TargetProcessCommandLine = tostring(Data.CommandLine),\n TargetProcessTokenElevation = tostring(Data.TokenElevationType),\n MandatoryLabel = tostring(Data.MandatoryLabel)\n | lookup MandatoryLabelLookup on MandatoryLabel\n // -- Aliases\n | extend\n User = TargetUsername,\n Dvc = DvcHostname,\n Process = TargetProcessName\n }; ProcessEvents",
"query": "let MandatoryLabelLookup = datatable (MandatoryLabel:string,MandatoryLabelRid:string, MandatoryLabelText:string, MandatoryLabelMeaning:string)\n [\n 'S-1-16-0', '0x00000000', 'SECURITY_MANDATORY_UNTRUSTED_RID', 'Untrusted',\n 'S-1-16-4096', '0x00001000', 'SECURITY_MANDATORY_LOW_RID', 'Low integrity',\n 'S-1-16-8192', '0x00002000', 'SECURITY_MANDATORY_MEDIUM_RID', 'Medium integrity',\n 'S-1-16-8448', '0x00002100', 'SECURITY_MANDATORY_MEDIUM_PLUS_RID', 'Medium high integrity',\n 'S-1-16-12288', '0X00003000', 'SECURITY_MANDATORY_HIGH_RID', 'High integrity',\n 'S-1-16-16384', '0x00004000', 'SECURITY_MANDATORY_SYSTEM_RID', 'System integrity',\n 'S-1-16-20480', '0x00005000', 'SECURITY_MANDATORY_PROTECTED_PROCESS_RID', 'Protected process'\n ];\n let ProcessEvents=(){\n WindowsEvent\n | where EventID == 4688\n // -- Map\n | extend\n // Event\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventProduct = 'Security Event',\n EventSchemaVersion = '0.1.0',\n EventResult = 'Success',\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventType = 'ProcessCreated',\n EventOriginalType = tostring(EventID),\n // EventOriginalUid = EventOriginId, will be added later to the schema\n // Device\n // DvcId = SourceComputerId, \n DvcHostname = Computer,\n DvcOs = 'Windows',\n // Users\n ActorUserId = tostring(EventData.SubjectUserSid),\n ActorUserIdType = 'SID',\n ActorUsername = tostring(iff (EventData.SubjectDomainName == '-', EventData.SubjectUserName, strcat(EventData.SubjectDomainName, @\"\\\" , EventData.SubjectUserName))),\n ActorUsernameType = iff(EventData.SubjectDomainName == '-','Simple', 'Windows'),\n ActorSessionId = tostring(toint(EventData.SubjectLogonId)),\n // ActorType = AccountType, No such field in WindowsEvent\n TargetUserId = tostring(EventData.TargetUserSid), \n TargetUserIdType = 'SID',\n TargetUsername = tostring(iff (EventData.TargetDomainName == '-', EventData.TargetUserName, 
strcat(EventData.TargetDomainName, @\"\\\" , EventData.TargetUserName))),\n TargetUsernameType = iff (EventData.TargetDomainName == '-', 'Simple', 'Windows'),\n TargetUserSessionId = tostring(toint(EventData.TargetLogonId)), \n // Processes \n ActingProcessId = tostring(toint(EventData.ProcessId)),\n ActingProcessName = tostring(EventData.ParentProcessName),\n TargetProcessId = tostring(EventData.NewProcessId),\n TargetProcessName = tostring(EventData.NewProcessName),\n TargetProcessCommandLine = tostring(EventData.CommandLine),\n TargetProcessTokenElevation = tostring(EventData.TokenElevationType),\n MandatoryLabel = tostring(EventData.MandatoryLabel)\n | lookup MandatoryLabelLookup on MandatoryLabel\n // -- Aliases\n | extend\n User = TargetUsername,\n Dvc = DvcHostname,\n Process = TargetProcessName\n }; ProcessEvents",
"version": 1
}
}
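Review bot: `EventProduct = 'Security Event'` in this query does not match the value the authentication parser in the same change emits (`EventProduct = "Security Events"`) nor the registry parser's `'Windows Event'`, so the same Windows Security log surfaces under three product names across the ASIM parsers; pick one value and use it in every `Microsoft-Windows-Security-Auditing` parser. This `query` string is also a hand-maintained copy of the `ParserQuery` in the YAML for `vimProcessCreateMicrosoftWindowsEvents`; since both had to be edited for the `Data` to `EventData` rename, generating the ARM template from the YAML would keep them from drifting.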

View file

@ -28,7 +28,7 @@
"displayName": "ASIM Microsoft WindowsEvent Process Termination Events Parser",
"category": "Security",
"FunctionAlias": "vimProcessTerminateMicrosoftWindowsEvents",
"query": "let ProcessEvents=(){\n WindowsEvent | where EventID == 4689\n // -- Filter\n // -- Map\n | extend\n // Event\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventProduct = \"Security Event\",\n EventSchemaVersion = \"0.1.0\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventType = \"ProcessTerminated\",\n EventResult = 'Success',\n EventOriginalType = tostring(EventID),\n // EventOriginalUid = EventOriginId, Field will be added later on\n EventResultDetails = tostring(Data.Status),\n EventOriginalResultDetails = tostring(Data.Status), \n // Device\n DvcId = tostring(Data.SourceComputerId),\n DvcHostname = Computer,\n DvcOs = \"Windows\",\n // Users\n ActorUserId = tostring(Data.SubjectUserSid),\n ActorUserIdType = \"SID\",\n ActorUsername = tostring(iff (Data.SubjectDomainName == '-', Data.SubjectUserName, strcat(Data.SubjectDomainName, @\"\\\" , Data.SubjectUserName))),\n ActorUsernameType = iff(Data.SubjectDomainName == '-','Simple', 'Windows'),\n ActorSessionId = tostring(toint(Data.SubjectLogonId)),\n // Processes \n TargetProcessId = tostring(toint(Data.ProcessId)),\n TargetProcessName = tostring(Data.ProcessName),\n TargetProcessCommandLine = tostring(Data.CommandLine),\n TargetProcessTokenElevation = tostring(Data.TokenElevationType)\n // Aliases\n | extend \n User = ActorUsername,\n Dvc = DvcHostname,\n Process = TargetProcessName\n }; ProcessEvents",
"query": "let ProcessEvents=(){\nWindowsEvent | where EventID == 4689\n // -- Filter\n // -- Map\n | extend\n // Event\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventProduct = \"Security Event\",\n EventSchemaVersion = \"0.1.0\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventType = \"ProcessTerminated\",\n EventResult = 'Success',\n EventOriginalType = tostring(EventID),\n// EventOriginalUid = EventOriginId, Field will be added later on\n EventResultDetails = tostring(EventData.Status),\n EventOriginalResultDetails = tostring(EventData.Status), \n// Device\n DvcId = tostring(EventData.SourceComputerId),\n DvcHostname = Computer,\n DvcOs = \"Windows\",\n// Users\n ActorUserId = tostring(EventData.SubjectUserSid),\n ActorUserIdType = \"SID\",\n ActorUsername = tostring(iff (EventData.SubjectDomainName == '-', EventData.SubjectUserName, strcat(EventData.SubjectDomainName, @\"\\\" , EventData.SubjectUserName))),\n ActorUsernameType = iff(EventData.SubjectDomainName == '-','Simple', 'Windows'),\n ActorSessionId = tostring(toint(EventData.SubjectLogonId)),\n// Processes \n TargetProcessId = tostring(toint(EventData.ProcessId)),\n TargetProcessName = tostring(EventData.ProcessName),\n TargetProcessCommandLine = tostring(EventData.CommandLine),\n TargetProcessTokenElevation = tostring(EventData.TokenElevationType)\n// Aliases\n | extend \n User = ActorUsername,\n Dvc = DvcHostname,\n Process = TargetProcessName\n }; ProcessEvents",
"version": 1
}
}
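Review bot: `DvcId = tostring(EventData.SourceComputerId)` maps a property that the process-creation parser in this same change explicitly leaves out with the comment `// DvcId = SourceComputerId, No such fields in WindowsEvent`; here the lookup of a missing dynamic property yields an empty `DvcId` on every 4689 row. Either comment it out the same way as in the creation parser, or document where `SourceComputerId` is expected to come from. The `// -- Filter` section header is also left with nothing under it.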

View file

@ -41,31 +41,30 @@ ParserQuery: |
EventType = 'ProcessCreated',
EventOriginalType = tostring(EventID),
// EventOriginalUid = EventOriginId, will be added later to the schema
// "Data" field will move to "EventData" later
// Device
// DvcId = SourceComputerId,
DvcHostname = Computer,
DvcOs = 'Windows',
// Users
ActorUserId = tostring(Data.SubjectUserSid),
ActorUserId = tostring(EventData.SubjectUserSid),
ActorUserIdType = 'SID',
ActorUsername = tostring(iff (Data.SubjectDomainName == '-', Data.SubjectUserName, strcat(Data.SubjectDomainName, @"\" , Data.SubjectUserName))),
ActorUsernameType = iff(Data.SubjectDomainName == '-','Simple', 'Windows'),
ActorSessionId = tostring(toint(Data.SubjectLogonId)),
ActorUsername = tostring(iff (EventData.SubjectDomainName == '-', EventData.SubjectUserName, strcat(EventData.SubjectDomainName, @"\" , EventData.SubjectUserName))),
ActorUsernameType = iff(EventData.SubjectDomainName == '-','Simple', 'Windows'),
ActorSessionId = tostring(toint(EventData.SubjectLogonId)),
// ActorType = AccountType, No such field in WindowsEvent
TargetUserId = tostring(Data.TargetUserSid),
TargetUserId = tostring(EventData.TargetUserSid),
TargetUserIdType = 'SID',
TargetUsername = tostring(iff (Data.TargetDomainName == '-', Data.TargetUserName, strcat(Data.TargetDomainName, @"\" , Data.TargetUserName))),
TargetUsernameType = iff (Data.TargetDomainName == '-', 'Simple', 'Windows'),
TargetUserSessionId = tostring(toint(Data.TargetLogonId)),
TargetUsername = tostring(iff (EventData.TargetDomainName == '-', EventData.TargetUserName, strcat(EventData.TargetDomainName, @"\" , EventData.TargetUserName))),
TargetUsernameType = iff (EventData.TargetDomainName == '-', 'Simple', 'Windows'),
TargetUserSessionId = tostring(toint(EventData.TargetLogonId)),
// Processes
ActingProcessId = tostring(toint(Data.ProcessId)),
ActingProcessName = tostring(Data.ParentProcessName),
TargetProcessId = tostring(Data.NewProcessId),
TargetProcessName = tostring(Data.NewProcessName),
TargetProcessCommandLine = tostring(Data.CommandLine),
TargetProcessTokenElevation = tostring(Data.TokenElevationType),
MandatoryLabel = tostring(Data.MandatoryLabel)
ActingProcessId = tostring(toint(EventData.ProcessId)),
ActingProcessName = tostring(EventData.ParentProcessName),
TargetProcessId = tostring(EventData.NewProcessId),
TargetProcessName = tostring(EventData.NewProcessName),
TargetProcessCommandLine = tostring(EventData.CommandLine),
TargetProcessTokenElevation = tostring(EventData.TokenElevationType),
MandatoryLabel = tostring(EventData.MandatoryLabel)
| lookup MandatoryLabelLookup on MandatoryLabel
// -- Aliases
| extend
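Review bot: the two process identifiers in this hunk are normalised differently: `ActingProcessId = tostring(toint(EventData.ProcessId))` goes through `toint`, while `TargetProcessId = tostring(EventData.NewProcessId)` keeps the raw payload value. Whichever representation is intended, both should use the same conversion, otherwise a parent's `TargetProcessId` will not equal its children's `ActingProcessId` and the two cannot be joined to rebuild a process tree. The same applies to `TargetUserSessionId` versus `ActorSessionId`, which do agree here (both `tostring(toint(...))`), so the process ids are the only mismatch.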

View file

@ -16,41 +16,41 @@ Description: ASIM WindowsEvents Parser
ParserName: vimProcessTerminateMicrosoftWindowsEvents
ParserQuery: |
let ProcessEvents=(){
WindowsEvent | where EventID == 4689
// -- Filter
// -- Map
| extend
// Event
EventCount = int(1),
EventVendor = "Microsoft",
EventProduct = "Security Event",
EventSchemaVersion = "0.1.0",
EventStartTime = todatetime(TimeGenerated),
EventEndTime = todatetime(TimeGenerated),
EventType = "ProcessTerminated",
EventResult = 'Success',
EventOriginalType = tostring(EventID),
// EventOriginalUid = EventOriginId, Field will be added later on
EventResultDetails = tostring(Data.Status),
EventOriginalResultDetails = tostring(Data.Status),
// Device
DvcId = tostring(Data.SourceComputerId),
DvcHostname = Computer,
DvcOs = "Windows",
// Users
ActorUserId = tostring(Data.SubjectUserSid),
ActorUserIdType = "SID",
ActorUsername = tostring(iff (Data.SubjectDomainName == '-', Data.SubjectUserName, strcat(Data.SubjectDomainName, @"\" , Data.SubjectUserName))),
ActorUsernameType = iff(Data.SubjectDomainName == '-','Simple', 'Windows'),
ActorSessionId = tostring(toint(Data.SubjectLogonId)),
// Processes
TargetProcessId = tostring(toint(Data.ProcessId)),
TargetProcessName = tostring(Data.ProcessName),
TargetProcessCommandLine = tostring(Data.CommandLine),
TargetProcessTokenElevation = tostring(Data.TokenElevationType)
// Aliases
| extend
User = ActorUsername,
Dvc = DvcHostname,
Process = TargetProcessName
}; ProcessEvents
WindowsEvent | where EventID == 4689
// -- Filter
// -- Map
| extend
// Event
EventCount = int(1),
EventVendor = "Microsoft",
EventProduct = "Security Event",
EventSchemaVersion = "0.1.0",
EventStartTime = todatetime(TimeGenerated),
EventEndTime = todatetime(TimeGenerated),
EventType = "ProcessTerminated",
EventResult = 'Success',
EventOriginalType = tostring(EventID),
// EventOriginalUid = EventOriginId, Field will be added later on
EventResultDetails = tostring(EventData.Status),
EventOriginalResultDetails = tostring(EventData.Status),
// Device
DvcId = tostring(EventData.SourceComputerId),
DvcHostname = Computer,
DvcOs = "Windows",
// Users
ActorUserId = tostring(EventData.SubjectUserSid),
ActorUserIdType = "SID",
ActorUsername = tostring(iff (EventData.SubjectDomainName == '-', EventData.SubjectUserName, strcat(EventData.SubjectDomainName, @"\" , EventData.SubjectUserName))),
ActorUsernameType = iff(EventData.SubjectDomainName == '-','Simple', 'Windows'),
ActorSessionId = tostring(toint(EventData.SubjectLogonId)),
// Processes
TargetProcessId = tostring(toint(EventData.ProcessId)),
TargetProcessName = tostring(EventData.ProcessName),
TargetProcessCommandLine = tostring(EventData.CommandLine),
TargetProcessTokenElevation = tostring(EventData.TokenElevationType)
// Aliases
| extend
User = ActorUsername,
Dvc = DvcHostname,
Process = TargetProcessName
}; ProcessEvents
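Review bot: every line of the parser body is marked changed because the indentation was reduced by one level, while the only substantive edit is `Data` to `EventData` on six lines (`EventResultDetails`, `EventOriginalResultDetails`, `DvcId`, the three `Actor*` fields and the four `TargetProcess*` fields). Keep the original indentation so the diff shows just the rename; the unindented `WindowsEvent | where EventID == 4689` line is also reproduced in the JSON copy as `\nWindowsEvent`, which suggests the two were reformatted separately rather than generated from one source.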

View file

@ -28,7 +28,7 @@
"displayName": "ASIM windows Event Registry Creation Event Parser",
"category": "Security",
"FunctionAlias": "vimRegistryEventMicrosoftWindowsEvent",
"query": "let RegistryType = datatable (TypeCode:string,TypeName:string)\n [\n \"%%1872\", \"Reg_None\",\n \"%%1873\",\t\"Reg_Sz\",\n \"%%1874\",\t\"Reg_Expand_Sz\",\n \"%%1875\",\t\"Reg_Binary\",\n \"%%1876\",\t\"Reg_DWord\",\n \"%%1879\",\t\"Reg_Multi_Sz\",\n \"%%1883\",\t\"Reg_QWord\"\n ];\nlet RegistryAction = datatable (EventOriginalSubType:string,EventType:string)\n [\n \"%%1904\", \"RegistryValueSet\",\n \"%%1905\", \"RegistryValueSet\", \n \"%%1906\", \"RegistryValueDeleted\" \n ];\nlet Hives = datatable (KeyPrefix:string,Hive:string)\n [\n \"MACHINE\", \"HKEY_LOCAL_MACHINE\",\n \"USER\", \"HKEY_USERS\", \n ];\n let RegistryEvents=(){\n WindowsEvent \n | where EventID == 4657\n | extend\n EventCount = int(1), \n EventVendor = 'Microsoft', \n EventProduct = 'Windows Event', \n EventSchemaVersion = '0.1.0', \n EventStartTime = todatetime(TimeGenerated), \n EventEndTime = todatetime(TimeGenerated),\n EventOriginalType = tostring(EventID), \n ObjectName = tostring(Data.ObjectName),\n OldValue = tostring(Data.OldValue),\n NewValue = tostring(Data.NewValue),\n RegistryValue = tostring(Data.ObjectValueName),\n NewValueType = tostring(Data.NewValueType),\n OldValueType = tostring(Data.OldValueType)\n | extend\n EventOriginalSubType = tostring(Data.OperationType)\n //EventOriginalUid = EventOriginId - No EventOriginId field in WindowsEvent\n | lookup RegistryAction on EventOriginalSubType\n // Registry\n // Normalize key hive\n | parse ObjectName with \"\\\\REGISTRY\\\\\" KeyPrefix \"\\\\\" Key\n | lookup Hives on KeyPrefix\n | extend RegistryKey = strcat (Hive, \"\\\\\", Key)\n | project-away Hive, Key, KeyPrefix, ObjectName\n | extend\n RegistryValueData = iff (EventOriginalSubType == \"%%1906\", OldValue, NewValue), \n RegistryPreviousKey = iff (EventOriginalSubType == \"%%1905\", RegistryKey, \"\"),\n RegistryPreviousValue = iff (EventOriginalSubType == \"%%1905\", RegistryValue, \"\"),\n RegistryPreviousValueData = iff (EventOriginalSubType == \"%%1905\", 
OldValue, \"\")\n | lookup RegistryType on $left.NewValueType == $right.TypeCode | project-rename RegistryValueType = TypeName\n | lookup RegistryType on $left.OldValueType == $right.TypeCode | project-rename RegistryPreviousValueType = TypeName\n | project-away OldValue, NewValue, OldValueType, NewValueType, EventOriginalSubType\n // Device\n | extend\n // DvcId = SourceComputerId, No such fields in WindowsEvent\n DvcHostname = Computer,\n DvcOs = 'Windows',\n // User\n ActorUserId = tostring(Data.SubjectUserSid), \n ActorSessionId = tostring( toint(Data.SubjectLogonId)), \n ActorDomainName = tostring(Data.SubjectDomainName),\n ActorUserIdType = 'SID',\n ActorUsername = tostring(iff (Data.SubjectDomainName == '-', Data.SubjectUserName, strcat(Data.SubjectDomainName, @\"\\\" , Data.SubjectUserName))), \n ActorUsernameType = iff(tostring(Data.ActorDomainName) == '-','Simple', 'Windows'), \n // Process \n ActingProcessId = tostring( toint(Data.ProcessId)), \n ActingProcessName = tostring(Data.ProcessName)\n | extend \n // -- Aliases\n User = ActorUsername,\n UserId = ActorUserId,\n Dvc = DvcHostname,\n Process = ActingProcessName\n }; RegistryEvents",
"query": "let RegistryType = datatable (TypeCode:string,TypeName:string)\n[\n \"%%1872\", \"Reg_None\",\n \"%%1873\",\t\"Reg_Sz\",\n \"%%1874\",\t\"Reg_Expand_Sz\",\n \"%%1875\",\t\"Reg_Binary\",\n \"%%1876\",\t\"Reg_DWord\",\n \"%%1879\",\t\"Reg_Multi_Sz\",\n \"%%1883\",\t\"Reg_QWord\"\n];\nlet RegistryAction = datatable (EventOriginalSubType:string,EventType:string)\n [\n \"%%1904\", \"RegistryValueSet\",\n \"%%1905\", \"RegistryValueSet\", \n \"%%1906\", \"RegistryValueDeleted\" \n ];\nlet Hives = datatable (KeyPrefix:string,Hive:string)\n [\n \"MACHINE\", \"HKEY_LOCAL_MACHINE\",\n \"USER\", \"HKEY_USERS\", \n ];\nlet RegistryEvents=(){\n WindowsEvent \n | where EventID == 4657\n | extend\n EventCount = int(1), \n EventVendor = 'Microsoft', \n EventProduct = 'Windows Event', \n EventSchemaVersion = '0.1.0', \n EventStartTime = todatetime(TimeGenerated), \n EventEndTime = todatetime(TimeGenerated),\n EventOriginalType = tostring(EventID), \n ObjectName = tostring(EventData.ObjectName),\n OldValue = tostring(EventData.OldValue),\n NewValue = tostring(EventData.NewValue),\n RegistryValue = tostring(EventData.ObjectValueName),\n NewValueType = tostring(EventData.NewValueType),\n OldValueType = tostring(EventData.OldValueType)\n| extend\n EventOriginalSubType = tostring(EventData.OperationType)\n //EventOriginalUid = EventOriginId - No EventOriginId field in WindowsEvent\n| lookup RegistryAction on EventOriginalSubType\n // Registry\n // Normalize key hive\n | parse ObjectName with \"\\\\REGISTRY\\\\\" KeyPrefix \"\\\\\" Key\n | lookup Hives on KeyPrefix\n | extend RegistryKey = strcat (Hive, \"\\\\\", Key)\n | project-away Hive, Key, KeyPrefix, ObjectName\n | extend\n RegistryValueData = iff (EventOriginalSubType == \"%%1906\", OldValue, NewValue), \n RegistryPreviousKey = iff (EventOriginalSubType == \"%%1905\", RegistryKey, \"\"),\n RegistryPreviousValue = iff (EventOriginalSubType == \"%%1905\", RegistryValue, \"\"),\n RegistryPreviousValueData = iff 
(EventOriginalSubType == \"%%1905\", OldValue, \"\")\n | lookup RegistryType on $left.NewValueType == $right.TypeCode | project-rename RegistryValueType = TypeName\n | lookup RegistryType on $left.OldValueType == $right.TypeCode | project-rename RegistryPreviousValueType = TypeName\n | project-away OldValue, NewValue, OldValueType, NewValueType, EventOriginalSubType\n // Device\n | extend\n // DvcId = SourceComputerId, No such fields in WindowsEvent\n DvcHostname = Computer,\n DvcOs = 'Windows',\n // User\n ActorUserId = tostring(EventData.SubjectUserSid), \n ActorSessionId = tostring( toint(EventData.SubjectLogonId)), \n ActorDomainName = tostring(EventData.SubjectDomainName),\n ActorUserIdType = 'SID',\n ActorUsername = tostring(iff (EventData.SubjectDomainName == '-', EventData.SubjectUserName, strcat(EventData.SubjectDomainName, @\"\\\" , EventData.SubjectUserName))), \n ActorUsernameType = iff(tostring(EventData.ActorDomainName) == '-','Simple', 'Windows'), \n // Process \n ActingProcessId = tostring( toint(EventData.ProcessId)), \n ActingProcessName = tostring(EventData.ProcessName)\n | extend \n // -- Aliases\n User = ActorUsername,\n UserId = ActorUserId,\n Dvc = DvcHostname,\n Process = ActingProcessName\n }; RegistryEvents",
"version": 1
}
}
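Review bot: `ActorUsernameType = iff(tostring(EventData.ActorDomainName) == '-','Simple', 'Windows')` tests a property that the event payload does not carry; `ActorDomainName` is the column computed on the preceding line from `EventData.SubjectDomainName`, not a key inside `EventData`. `tostring()` of the missing property is an empty string, the comparison is never true, and every row gets `'Windows'`, including rows where `ActorUsername` on the line above was deliberately built as a simple name because `SubjectDomainName == '-'`. Use the same test as the process parsers: `ActorUsernameType = iff(EventData.SubjectDomainName == '-','Simple', 'Windows')`.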

View file

@ -15,81 +15,81 @@ References:
Description: ASIM Windows Event Registry Creation Event Parser (event number 4657)
ParserName: vimRegistryEventMicrosoftWindowsEvent
ParserQuery: |
let RegistryType = datatable (TypeCode:string,TypeName:string)
[
"%%1872", "Reg_None",
"%%1873", "Reg_Sz",
"%%1874", "Reg_Expand_Sz",
"%%1875", "Reg_Binary",
"%%1876", "Reg_DWord",
"%%1879", "Reg_Multi_Sz",
"%%1883", "Reg_QWord"
];
let RegistryAction = datatable (EventOriginalSubType:string,EventType:string)
[
"%%1904", "RegistryValueSet",
"%%1905", "RegistryValueSet",
"%%1906", "RegistryValueDeleted"
];
let Hives = datatable (KeyPrefix:string,Hive:string)
[
"MACHINE", "HKEY_LOCAL_MACHINE",
"USER", "HKEY_USERS",
];
let RegistryEvents=(){
WindowsEvent
| where EventID == 4657
| extend
EventCount = int(1),
EventVendor = 'Microsoft',
EventProduct = 'Windows Event',
EventSchemaVersion = '0.1.0',
EventStartTime = todatetime(TimeGenerated),
EventEndTime = todatetime(TimeGenerated),
EventOriginalType = tostring(EventID),
ObjectName = tostring(Data.ObjectName),
OldValue = tostring(Data.OldValue),
NewValue = tostring(Data.NewValue),
RegistryValue = tostring(Data.ObjectValueName),
NewValueType = tostring(Data.NewValueType),
OldValueType = tostring(Data.OldValueType)
| extend
EventOriginalSubType = tostring(Data.OperationType)
//EventOriginalUid = EventOriginId - No EventOriginId field in WindowsEvent
| lookup RegistryAction on EventOriginalSubType
// Registry
// Normalize key hive
| parse ObjectName with "\\REGISTRY\\" KeyPrefix "\\" Key
| lookup Hives on KeyPrefix
| extend RegistryKey = strcat (Hive, "\\", Key)
| project-away Hive, Key, KeyPrefix, ObjectName
| extend
RegistryValueData = iff (EventOriginalSubType == "%%1906", OldValue, NewValue),
RegistryPreviousKey = iff (EventOriginalSubType == "%%1905", RegistryKey, ""),
RegistryPreviousValue = iff (EventOriginalSubType == "%%1905", RegistryValue, ""),
RegistryPreviousValueData = iff (EventOriginalSubType == "%%1905", OldValue, "")
| lookup RegistryType on $left.NewValueType == $right.TypeCode | project-rename RegistryValueType = TypeName
| lookup RegistryType on $left.OldValueType == $right.TypeCode | project-rename RegistryPreviousValueType = TypeName
| project-away OldValue, NewValue, OldValueType, NewValueType, EventOriginalSubType
// Device
| extend
// DvcId = SourceComputerId, No such fields in WindowsEvent
DvcHostname = Computer,
DvcOs = 'Windows',
// User
ActorUserId = tostring(Data.SubjectUserSid),
ActorSessionId = tostring( toint(Data.SubjectLogonId)),
ActorDomainName = tostring(Data.SubjectDomainName),
ActorUserIdType = 'SID',
ActorUsername = tostring(iff (Data.SubjectDomainName == '-', Data.SubjectUserName, strcat(Data.SubjectDomainName, @"\" , Data.SubjectUserName))),
ActorUsernameType = iff(tostring(Data.ActorDomainName) == '-','Simple', 'Windows'),
// Process
ActingProcessId = tostring( toint(Data.ProcessId)),
ActingProcessName = tostring(Data.ProcessName)
| extend
// -- Aliases
User = ActorUsername,
UserId = ActorUserId,
Dvc = DvcHostname,
Process = ActingProcessName
}; RegistryEvents
let RegistryType = datatable (TypeCode:string,TypeName:string)
[
"%%1872", "Reg_None",
"%%1873", "Reg_Sz",
"%%1874", "Reg_Expand_Sz",
"%%1875", "Reg_Binary",
"%%1876", "Reg_DWord",
"%%1879", "Reg_Multi_Sz",
"%%1883", "Reg_QWord"
];
let RegistryAction = datatable (EventOriginalSubType:string,EventType:string)
[
"%%1904", "RegistryValueSet",
"%%1905", "RegistryValueSet",
"%%1906", "RegistryValueDeleted"
];
let Hives = datatable (KeyPrefix:string,Hive:string)
[
"MACHINE", "HKEY_LOCAL_MACHINE",
"USER", "HKEY_USERS",
];
let RegistryEvents=(){
WindowsEvent
| where EventID == 4657
| extend
EventCount = int(1),
EventVendor = 'Microsoft',
EventProduct = 'Windows Event',
EventSchemaVersion = '0.1.0',
EventStartTime = todatetime(TimeGenerated),
EventEndTime = todatetime(TimeGenerated),
EventOriginalType = tostring(EventID),
ObjectName = tostring(EventData.ObjectName),
OldValue = tostring(EventData.OldValue),
NewValue = tostring(EventData.NewValue),
RegistryValue = tostring(EventData.ObjectValueName),
NewValueType = tostring(EventData.NewValueType),
OldValueType = tostring(EventData.OldValueType)
| extend
EventOriginalSubType = tostring(EventData.OperationType)
//EventOriginalUid = EventOriginId - No EventOriginId field in WindowsEvent
| lookup RegistryAction on EventOriginalSubType
// Registry
// Normalize key hive
| parse ObjectName with "\\REGISTRY\\" KeyPrefix "\\" Key
| lookup Hives on KeyPrefix
| extend RegistryKey = strcat (Hive, "\\", Key)
| project-away Hive, Key, KeyPrefix, ObjectName
| extend
RegistryValueData = iff (EventOriginalSubType == "%%1906", OldValue, NewValue),
RegistryPreviousKey = iff (EventOriginalSubType == "%%1905", RegistryKey, ""),
RegistryPreviousValue = iff (EventOriginalSubType == "%%1905", RegistryValue, ""),
RegistryPreviousValueData = iff (EventOriginalSubType == "%%1905", OldValue, "")
| lookup RegistryType on $left.NewValueType == $right.TypeCode | project-rename RegistryValueType = TypeName
| lookup RegistryType on $left.OldValueType == $right.TypeCode | project-rename RegistryPreviousValueType = TypeName
| project-away OldValue, NewValue, OldValueType, NewValueType, EventOriginalSubType
// Device
| extend
// DvcId = SourceComputerId, No such fields in WindowsEvent
DvcHostname = Computer,
DvcOs = 'Windows',
// User
ActorUserId = tostring(EventData.SubjectUserSid),
ActorSessionId = tostring( toint(EventData.SubjectLogonId)),
ActorDomainName = tostring(EventData.SubjectDomainName),
ActorUserIdType = 'SID',
ActorUsername = tostring(iff (EventData.SubjectDomainName == '-', EventData.SubjectUserName, strcat(EventData.SubjectDomainName, @"\" , EventData.SubjectUserName))),
ActorUsernameType = iff(tostring(EventData.ActorDomainName) == '-','Simple', 'Windows'),
// Process
ActingProcessId = tostring( toint(EventData.ProcessId)),
ActingProcessName = tostring(EventData.ProcessName)
| extend
// -- Aliases
User = ActorUsername,
UserId = ActorUserId,
Dvc = DvcHostname,
Process = ActingProcessName
}; RegistryEvents
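Review bot: `ActorUsernameType = iff(tostring(Data.ActorDomainName) == '-','Simple', 'Windows')` (and the `EventData.ActorDomainName` line in the second copy) tests a payload field that does not exist in event 4657, so `tostring()` yields an empty string and the type is always `Windows`; the column the author apparently meant, `ActorDomainName`, is assigned in the same `extend`, so the simplest fix is to compare `Data.SubjectDomainName` (resp. `EventData.SubjectDomainName`) directly, as `ActorUsername` already does. The two copies differ only in `Data.` versus `EventData.` field access; if the first is meant to run against `WindowsEvent`, confirm that table actually carries a `Data` column, because the documented payload column is `EventData` and the `Data.` version will otherwise produce empty fields. Style: `Hives` ends with a trailing comma after `"USER", "HKEY_USERS",`, unlike `RegistryType` and `RegistryAction`; drop it for consistency. Finally, when `ObjectName` does not start with `\REGISTRY\`, `parse` leaves `KeyPrefix` and `Key` empty and `RegistryKey` becomes a lone backslash, so consider falling back to the raw `ObjectName` in that case rather than projecting it away.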

View file

@ -1,92 +0,0 @@
[
{
"scan_name":"My Basic Network Scan",
"scan_owner":"nessus",
"scan_last_modification_date":1620734588,
"scan_creation_date":1620734155,
"host_start_time":"Tue May 11 14:55:57 2021",
"host_end_time":"Tue May 11 15:02:57 2021",
"host_mac_addr":"00:50:56:B4:6B:1D",
"host_fqdn":"srv-1.company.com",
"host_operating_system":"CentOS Linux 7 Linux Kernel 3.10",
"host_ip_addr":"10.112.15.144",
"vulnerability_plugin_name":"Service Detection",
"vulnerability_severity":0,
"vulnerability_cpe":"None",
"vulnerability_plugin_family":"Service detection",
"vulnerability_count": 1,
"type":"host_vulnerability_info"
},
{
"scan_name":"My Basic Network Scan",
"scan_owner":"nessus",
"scan_last_modification_date":1620734588,
"scan_creation_date":1620734155,
"host_start_time":"Tue May 11 14:55:57 2021",
"host_end_time":"Tue May 11 15:02:57 2021",
"host_mac_addr":"00:50:56:B4:6B:1D",
"host_fqdn":"srv-2.company.com",
"host_operating_system":"CentOS Linux 7 Linux Kernel 3.10",
"host_ip_addr":"10.111.15.144",
"vulnerability_plugin_name":"SSH Server CBC Mode Ciphers Enabled",
"vulnerability_severity":1,
"vulnerability_cpe":"None",
"vulnerability_plugin_family":"Misc.",
"vulnerability_count": 1,
"type":"host_vulnerability_info"
},
{
"scan_name":"My Basic Network Scan",
"scan_owner":"nessus",
"scan_last_modification_date":1620734588,
"scan_creation_date":1620734155,
"host_start_time":"Tue May 11 14:55:57 2021",
"host_end_time":"Tue May 11 15:02:57 2021",
"host_mac_addr":"00:50:56:B4:6B:1D",
"host_fqdn":"srv-3.company.com",
"host_operating_system":"CentOS Linux 7 Linux Kernel 3.10",
"host_ip_addr":"10.111.115.44",
"vulnerability_plugin_name":"SSL Certificate Cannot Be Trusted",
"vulnerability_severity":2,
"vulnerability_cpe":"None",
"vulnerability_plugin_family":"General",
"vulnerability_count": 1,
"type":"host_vulnerability_info"
},
{
"scan_name":"My Basic Network Scan",
"scan_owner":"nessus",
"scan_last_modification_date":1620734588,
"scan_creation_date":1620734155,
"host_start_time":"Tue May 11 14:55:57 2021",
"host_end_time":"Tue May 11 15:02:57 2021",
"host_mac_addr":"00:50:56:B4:6B:1D",
"host_fqdn":"srv-4.company.com",
"host_operating_system":"CentOS Linux 7 Linux Kernel 3.10",
"host_ip_addr":"10.111.115.144",
"vulnerability_plugin_name":"HSTS Missing From HTTPS Server (RFC 6797)",
"vulnerability_severity":2,
"vulnerability_cpe":"None",
"vulnerability_plugin_family":"Web Servers",
"vulnerability_count": 1,
"type":"host_vulnerability_info"
},
{
"scan_name":"My Host Discovery Scan",
"scan_owner":"nessus",
"scan_last_modification_date":1620734161,
"scan_creation_date":1620734116,
"host_start_time":"Tue May 11 14:55:16 2021",
"host_end_time":"Tue May 11 14:55:57 2021",
"host_mac_addr":"None",
"host_fqdn":"srv-5.company.com",
"host_operating_system":"None",
"host_ip_addr":"10.111.115.110",
"vulnerability_plugin_name":"Ping the remote host",
"vulnerability_severity":0,
"vulnerability_cpe":"None",
"vulnerability_plugin_family":"Port scanners",
"vulnerability_count": 1,
"type":"host_vulnerability_info"
}
]

View file

@ -0,0 +1,105 @@
[
{
"id": "95c2725c-7298-4a44-8a1d-63131ca3f01f",
"has_agent": false,
"has_plugin_results": true,
"created_at": "2017-12-31T20:40:44.535Z",
"terminated_at": null,
"terminated_by": null,
"updated_at": "2018-12-31T22:27:58.599Z",
"deleted_at": null,
"deleted_by": null,
"first_seen": "2017-12-31T20:40:23.447Z",
"last_seen": "2018-12-31T22:27:52.869Z",
"first_scan_time": "2017-12-31T20:40:23.447Z",
"last_scan_time": "2018-02-31T22:27:52.869Z",
"last_authenticated_scan_date": null,
"last_licensed_scan_date": "2018-12-31T22:27:52.869Z",
"last_scan_id": "00283024-afee-44ea-b467-db5a6ed9fd50ab8f7ecb158c480e",
"last_schedule_id": "72284901-7c68-42b2-a0c4-c1e75568849df60557ee0e264228",
"azure_vm_id": null,
"azure_resource_id": null,
"gcp_project_id": null,
"gcp_zone": null,
"gcp_instance_id": null,
"aws_ec2_instance_ami_id": null,
"aws_ec2_instance_id": null,
"agent_uuid": null,
"bios_uuid": null,
"aws_owner_id": null,
"aws_availability_zone": null,
"aws_region": null,
"aws_vpc_id": null,
"aws_ec2_instance_group_name": null,
"aws_ec2_instance_state_name": null,
"aws_ec2_instance_type": null,
"aws_subnet_id": null,
"aws_ec2_product_code": null,
"aws_ec2_name": null,
"mcafee_epo_guid": null,
"mcafee_epo_agent_guid": null,
"servicenow_sysid": null,
"bigfix_asset_id": null,
"agent_names": [],
"installed_software": [
"cpe:/a:apple:itunes:12.8",
"cpe:/a:apple:quicktime:7.7.3",
"cpe:/a:openbsd:openssh:6.9",
"cpe:/a:google:chrome"
],
"ipv4s": [
"192.0.2.57"
],
"ipv6s": [],
"fqdns": [
"192.0.2.57.lightspeed.hstntx.sbcglobal.net"
],
"mac_addresses": [],
"netbios_names": [],
"operating_systems": [],
"system_types": [],
"hostnames": [],
"ssh_fingerprints": [],
"qualys_asset_ids": [],
"qualys_host_ids": [],
"manufacturer_tpm_ids": [],
"symantec_ep_hardware_keys": [],
"sources": [
{
"name": "NESSUS_SCAN",
"first_seen": "2017-12-31T20:40:23.447Z",
"last_seen": "2018-12-31T22:27:52.869Z"
}
],
"tags": [
{
"uuid": "47e7f5f6-1013-4401-a705-479bfadc7826",
"key": "Geographic Area",
"value": "APAC",
"added_by": "ac2e7ef6-fac9-47bf-9170-617331322885",
"added_at": "2018-12-31T14:53:13.817Z"
}
],
"network_interfaces": [
{
"name": "enccw0.0.1234",
"mac_address": [
"00-00-5E-00-53-00",
"00-00-5E-00-53-FF"
],
"ipv4": [
"192.0.2.57",
"192.0.2.177"
],
"ipv6": [
"2001:DB8:1234:1234/32"
],
"fqdn": [
"example.com"
]
}
],
"acr_score": "3",
"exposure_score": "721"
}
]
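Review bot: `"last_scan_time": "2018-02-31T22:27:52.869Z"` is not a valid date (February has no 31st), so any parser or test that converts it with `todatetime()` gets a null and this sample never exercises the real field mapping; use a valid timestamp such as `2018-12-31T22:27:52.869Z`, matching the neighbouring `last_seen` and `last_licensed_scan_date` fields. The `ipv6` entry `2001:DB8:1234:1234/32` is a prefix rather than a host address; if the sample is meant to test address parsing, a full address from the 2001:db8::/32 documentation range would serve better. Minor: `acr_score` and `exposure_score` are strings while the other numeric fields are numbers, so whoever writes the mapping should expect `toint()` there.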

View file

@ -0,0 +1,94 @@
[
{
"asset": {
"fqdn": "example.com",
"hostname": "192.0.2.225",
"uuid": "cf165808-6a31-48e1-9cf3-c6c3174df51d",
"ipv4": "192.0.2.8",
"operating_system": [
"Apple Mac OS X 10.5.8"
],
"network_id": "00000000-0000-0000-0000-000000000000",
"tracked": true
},
"output": "The observed version of Google Chrome is : \n Chrome/21.0.1180.90",
"plugin": {
"cve": [
"CVE-2016-1620",
"CVE-2016-1614",
"CVE-2016-1613",
"CVE-2016-1612",
"CVE-2016-1618",
"CVE-2016-1617",
"CVE-2016-1616",
"CVE-2016-1615",
"CVE-2016-1619"
],
"cvss_base_score": 9.3,
"cvss_temporal_score": 6.9,
"cvss_temporal_vector": {
"exploitability": "Unproven",
"remediation_level": "Official-fix",
"report_confidence": "Confirmed",
"raw": "E:U/RL:OF/RC:C"
},
"cvss_vector": {
"access_complexity": "Medium",
"access_vector": "Network",
"authentication": "None required",
"confidentiality_impact": "Complete",
"integrity_impact": "Complete",
"availability_impact": "Complete",
"raw": "AV:N/AC:M/Au:N/C:C/I:C/A:C"
},
"description": "The version of Google Chrome on the remote host is prior to 48.0.2564.82 and is affected by the following vulnerabilities: \n\n - An unspecified vulnerability exists in Google V8 when handling compatible receiver checks hidden behind receptors. An attacker can exploit this to have an unspecified impact. No other details are available. (CVE-2016-1612)\n - A use-after-free error exists in `PDFium` due to improper invalidation of `IPWL_FocusHandler` and `IPWL_Provider` upon destruction. An attacker can exploit this to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2016-1613)\n - An unspecified vulnerability exists in `Blink` that is related to the handling of bitmaps. An attacker can exploit this to access sensitive information. No other details are available. (CVE-2016-1614)\n - An unspecified vulnerability exists in `omnibox` that is related to origin confusion. An attacker can exploit this to have an unspecified impact. No other details are available. (CVE-2016-1615)\n - An unspecified vulnerability exists that allows an attacker to spoof a displayed URL. No other details are available. (CVE-2016-1616)\n - An unspecified vulnerability exists that is related to history sniffing with HSTS and CSP. No other details are available. (CVE-2016-1617)\n - A flaw exists in `Blink` due to the weak generation of random numbers by the ARC4-based random number generator. An attacker can exploit this to gain access to sensitive information. No other details are available. (CVE-2016-1618)\n - An out-of-bounds read error exists in `PDFium` in file `fx_codec_jpx_opj.cpp` in the `sycc4{22,44}_to_rgb()` functions. An attacker can exploit this to cause a denial of service by crashing the application linked using the library. (CVE-2016-1619)\n - Multiple vulnerabilities exist, the most serious of which allow an attacker to execute arbitrary code via a crafted web page. 
(CVE-2016-1620)\n - A flaw in `objects.cc` is triggered when handling cleared `WeakCells`, which may allow a context-dependent attacker to have an unspecified impact. No further details have been provided. (CVE-2016-2051)",
"family": "Web Clients",
"family_id": 1000020,
"has_patch": false,
"id": 9062,
"name": "Google Chrome &lt; 48.0.2564.82 Multiple Vulnerabilities",
"risk_factor": "HIGH",
"see_also": [
"http://googlechromereleases.blogspot.com/2016/01/beta-channel-update_20.html"
],
"solution": "Update the Chrome browser to 48.0.2564.82 or later.",
"synopsis": "The remote host is utilizing a web browser that is affected by multiple vulnerabilities.",
"vpr": {
"score": 5.9,
"drivers": {
"age_of_vuln": {
"lower_bound": 366,
"upper_bound": 730
},
"exploit_code_maturity": "UNPROVEN",
"cvss_impact_score_predicted": false,
"cvss3_impact_score": 5.9,
"threat_intensity_last28": "VERY_LOW",
"threat_sources_last28": [
"No recorded events"
],
"product_coverage": "LOW"
},
"updated": "2019-12-31T10:08:58Z"
}
},
"port": {
"port": 0,
"protocol": "TCP"
},
"scan": {
"completed_at": "2018-12-31T20:59:47Z",
"schedule_uuid": "6f7db010-9cb6-4870-b745-70a2aea2f81ce1b6640fe8a2217b",
"started_at": "2018-12-31T20:59:47Z",
"uuid": "0e55ec5d-c7c7-4673-a618-438a84e9d1b78af3a9957a077904"
},
"severity": "high",
"severity_id": 3,
"severity_default_id": 3,
"severity_modification_type": "NONE",
"first_found": "2018-12-31T20:59:47Z",
"last_found": "2018-12-31T20:59:47Z",
"indexed_at": "1590006395",
"state": "OPEN"
}
]
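Review bot: the plugin `name` is stored HTML-escaped (`Google Chrome &lt; 48.0.2564.82 Multiple Vulnerabilities`), which looks like a copy-paste artefact from an HTML rendering of the documentation rather than the literal `<` a JSON API returns; either store the literal character so the sample matches real data or make the parser unescape it, otherwise rules matching on the plugin name will miss. The `description` string is also broken across two lines after `via a crafted web page.`, which makes the file invalid JSON as shown; a newline inside a JSON string must be written as `\n`, as the rest of the description already does. Minor: `indexed_at` is a string epoch (`"1590006395"`) while every other timestamp is ISO 8601, so document that difference for the `todatetime()` mapping.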

View file

@ -0,0 +1,274 @@
[
{
"TenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"SourceSystem": "Linux",
"TimeGenerated [UTC]": "8/12/2021, 1:22:47.913 PM",
"Computer": "10.10.10.10",
"EventTime [UTC]": "8/12/2021, 3:20:06.000 PM",
"Facility": "user",
"HostName": "10.10.10.10",
"SeverityLevel": "notice",
"SyslogMessage": "Potentially malicious running process found",
"ProcessID": "22835",
"HostIP": "10.10.10.10",
"ProcessName": "ACTIONidentity",
"MG": "00000000-0000-0000-0000-000000000002",
"Type": "Syslog",
"_ResourceId": ""
},
{
"TenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"SourceSystem": "Linux",
"TimeGenerated [UTC]": "8/12/2021, 1:22:47.923 PM",
"Computer": "10.10.10.10",
"EventTime [UTC]": "8/12/2021, 3:20:06.000 PM",
"Facility": "user",
"HostName": "10.10.10.10",
"SeverityLevel": "notice",
"SyslogMessage": "Port bite. Source: 10.10.10.10. Destination: 10.10.10.10:139",
"ProcessID": "22835",
"HostIP": "10.10.10.10",
"ProcessName": "ACTIONidentity",
"MG": "00000000-0000-0000-0000-000000000002",
"Type": "Syslog",
"_ResourceId": ""
},
{
"TenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"SourceSystem": "Linux",
"TimeGenerated [UTC]": "8/12/2021, 1:22:47.937 PM",
"Computer": "10.10.10.10",
"EventTime [UTC]": "8/12/2021, 3:20:06.000 PM",
"Facility": "user",
"HostName": "10.10.10.10",
"SeverityLevel": "notice",
"SyslogMessage": "Scan event. Source: 10.10.10.10",
"ProcessID": "22835",
"HostIP": "10.10.10.10",
"ProcessName": "ACTIONidentity",
"MG": "00000000-0000-0000-0000-000000000002",
"Type": "Syslog",
"_ResourceId": ""
},
{
"TenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"SourceSystem": "Linux",
"TimeGenerated [UTC]": "8/12/2021, 1:22:47.953 PM",
"Computer": "10.10.10.10",
"EventTime [UTC]": "8/12/2021, 3:20:06.000 PM",
"Facility": "user",
"HostName": "10.10.10.10",
"SeverityLevel": "notice",
"SyslogMessage": "Manual event. Source: 10.10.10.10",
"ProcessID": "22835",
"HostIP": "10.10.10.10",
"ProcessName": "ACTIONidentity",
"MG": "00000000-0000-0000-0000-000000000002",
"Type": "Syslog",
"_ResourceId": ""
},
{
"TenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"SourceSystem": "Linux",
"TimeGenerated [UTC]": "8/12/2021, 1:22:47.973 PM",
"Computer": "10.10.10.10",
"EventTime [UTC]": "8/12/2021, 3:20:06.000 PM",
"Facility": "user",
"HostName": "10.10.10.10",
"SeverityLevel": "notice",
"SyslogMessage": "Block Event: Host: 10.10.10.10, Target: 10.10.10.10, Time 1469975529, Service: 23/TCP, Is Virtual Firewall blocking rule: false, Reason: Port block",
"ProcessID": "22835",
"HostIP": "10.10.10.10",
"ProcessName": "ACTIONidentity",
"MG": "00000000-0000-0000-0000-000000000002",
"Type": "Syslog",
"_ResourceId": ""
},
{
"TenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"SourceSystem": "Linux",
"TimeGenerated [UTC]": "8/12/2021, 1:22:48.000 PM",
"Computer": "10.10.10.10",
"EventTime [UTC]": "8/12/2021, 3:20:06.000 PM",
"Facility": "user",
"HostName": "10.10.10.10",
"SeverityLevel": "notice",
"SyslogMessage": "Mail Infection Attempt. Source: 10.10.10.10. Details: mail_from=sanitized@sanitized.com,mail_to=sanitized@sanitized.com,mail_subject=Check out this report",
"ProcessID": "22835",
"HostIP": "10.10.10.10",
"ProcessName": "ACTIONidentity",
"MG": "00000000-0000-0000-0000-000000000002",
"Type": "Syslog",
"_ResourceId": ""
},
{
"TenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"SourceSystem": "Linux",
"TimeGenerated [UTC]": "8/12/2021, 1:22:48.017 PM",
"Computer": "10.10.10.10",
"EventTime [UTC]": "8/12/2021, 3:20:06.000 PM",
"Facility": "user",
"HostName": "10.10.10.10",
"SeverityLevel": "notice",
"SyslogMessage": "Port bite. Source: 10.10.10.10. Destination: 10.10.10.10:139",
"ProcessID": "22835",
"HostIP": "10.10.10.10",
"ProcessName": "ACTIONidentity",
"MG": "00000000-0000-0000-0000-000000000002",
"Type": "Syslog",
"_ResourceId": ""
},
{
"TenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"SourceSystem": "Linux",
"TimeGenerated [UTC]": "8/12/2021, 1:04:21.480 PM",
"Computer": "10.10.10.10",
"EventTime [UTC]": "6/24/2021, 3:20:06.000 PM",
"Facility": "user",
"HostName": "10.10.10.10",
"SeverityLevel": "notice",
"SyslogMessage": "Potentially malicious running process found",
"ProcessID": "22835",
"HostIP": "10.10.10.10",
"ProcessName": "ACTIONidentity",
"MG": "00000000-0000-0000-0000-000000000002",
"Type": "Syslog",
"_ResourceId": ""
},
{
"TenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"SourceSystem": "Linux",
"TimeGenerated [UTC]": "8/12/2021, 1:04:21.497 PM",
"Computer": "10.10.10.10",
"EventTime [UTC]": "6/24/2021, 3:20:06.000 PM",
"Facility": "user",
"HostName": "10.10.10.10",
"SeverityLevel": "notice",
"SyslogMessage": "Port bite. Source: 10.10.10.10. Destination: 10.10.10.10:139",
"ProcessID": "22835",
"HostIP": "10.10.10.10",
"ProcessName": "ACTIONidentity",
"MG": "00000000-0000-0000-0000-000000000002",
"Type": "Syslog",
"_ResourceId": ""
},
{
"TenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"SourceSystem": "Linux",
"TimeGenerated [UTC]": "8/12/2021, 1:04:21.507 PM",
"Computer": "10.10.10.10",
"EventTime [UTC]": "6/24/2021, 3:20:06.000 PM",
"Facility": "user",
"HostName": "10.10.10.10",
"SeverityLevel": "notice",
"SyslogMessage": "Scan event. Source: 10.10.10.10",
"ProcessID": "22835",
"HostIP": "10.10.10.10",
"ProcessName": "ACTIONidentity",
"MG": "00000000-0000-0000-0000-000000000002",
"Type": "Syslog",
"_ResourceId": ""
},
{
"TenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"SourceSystem": "Linux",
"TimeGenerated [UTC]": "8/12/2021, 1:04:21.527 PM",
"Computer": "10.10.10.10",
"EventTime [UTC]": "6/24/2021, 3:20:06.000 PM",
"Facility": "user",
"HostName": "10.10.10.10",
"SeverityLevel": "notice",
"SyslogMessage": "Manual event. Source: 10.10.10.10",
"ProcessID": "22835",
"HostIP": "10.10.10.10",
"ProcessName": "ACTIONidentity",
"MG": "00000000-0000-0000-0000-000000000002",
"Type": "Syslog",
"_ResourceId": ""
},
{
"TenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"SourceSystem": "Linux",
"TimeGenerated [UTC]": "8/12/2021, 1:04:21.550 PM",
"Computer": "10.10.10.10",
"EventTime [UTC]": "6/24/2021, 3:20:06.000 PM",
"Facility": "user",
"HostName": "10.10.10.10",
"SeverityLevel": "notice",
"SyslogMessage": "Block Event: Host: 10.10.10.10, Target: 10.10.10.10, Time 1469975529, Service: 23/TCP, Is Virtual Firewall blocking rule: false, Reason: Port block",
"ProcessID": "22835",
"HostIP": "10.10.10.10",
"ProcessName": "ACTIONidentity",
"MG": "00000000-0000-0000-0000-000000000002",
"Type": "Syslog",
"_ResourceId": ""
},
{
"TenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"SourceSystem": "Linux",
"TimeGenerated [UTC]": "8/12/2021, 1:04:21.580 PM",
"Computer": "10.10.10.10",
"EventTime [UTC]": "6/24/2021, 3:20:06.000 PM",
"Facility": "user",
"HostName": "10.10.10.10",
"SeverityLevel": "notice",
"SyslogMessage": "Mail Infection Attempt. Source: 10.10.10.10. Details: mail_from=sanitized@sanitized.com,mail_to=sanitized@sanitized.com,mail_subject=Check out this report",
"ProcessID": "22835",
"HostIP": "10.10.10.10",
"ProcessName": "ACTIONidentity",
"MG": "00000000-0000-0000-0000-000000000002",
"Type": "Syslog",
"_ResourceId": ""
},
{
"TenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"SourceSystem": "Linux",
"TimeGenerated [UTC]": "8/12/2021, 1:04:21.597 PM",
"Computer": "10.10.10.10",
"EventTime [UTC]": "6/24/2021, 3:20:06.000 PM",
"Facility": "user",
"HostName": "10.10.10.10",
"SeverityLevel": "notice",
"SyslogMessage": "Port bite. Source: 10.10.10.10. Destination: 10.10.10.10:139",
"ProcessID": "22835",
"HostIP": "10.10.10.10",
"ProcessName": "ACTIONidentity",
"MG": "00000000-0000-0000-0000-000000000002",
"Type": "Syslog",
"_ResourceId": ""
},
{
"TenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"SourceSystem": "Linux",
"TimeGenerated [UTC]": "8/12/2021, 1:21:48.863 PM",
"Computer": "10.10.10.10",
"EventTime [UTC]": "6/24/2021, 3:20:06.000 PM",
"Facility": "user",
"HostName": "10.10.10.10",
"SeverityLevel": "notice",
"SyslogMessage": "Port bite. Source: 10.10.10.10. Destination: 10.10.10.10:139",
"ProcessID": "22835",
"HostIP": "10.10.10.10",
"ProcessName": "ACTIONidentity",
"MG": "00000000-0000-0000-0000-000000000002",
"Type": "Syslog",
"_ResourceId": ""
},
{
"TenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"SourceSystem": "Linux",
"TimeGenerated [UTC]": "8/12/2021, 1:49:33.967 PM",
"Computer": "10.10.10.10",
"EventTime [UTC]": "8/12/2021, 3:20:06.000 PM",
"Facility": "user",
"HostName": "10.10.10.10",
"SeverityLevel": "notice",
"SyslogMessage": "NAC Policy Log: Source: 10.10.10.10, Rule: Policy \"1.1 Primary Classification\" , Details: Host cleared from policy. Status was \"Windows:Match\". Reason: Host removed.",
"ProcessID": "22835",
"HostIP": "10.10.10.10",
"ProcessName": "ACTIONidentity",
"MG": "00000000-0000-0000-0000-000000000002",
"Type": "Syslog",
"_ResourceId": ""
}
]
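Review bot: every address in the sample (`Computer`, `HostName`, `HostIP`, and the `Source`, `Destination`, `Host` and `Target` values inside `SyslogMessage`) is `10.10.10.10`, so a parser that swaps source and destination, or fills both from the same capture group, still passes any test run against this file; give each role a distinct documentation address (192.0.2.x, 198.51.100.x, 203.0.113.x) so mis-mapped fields are visible. `EventTime` (3:20:06 PM) is also about two hours later than `TimeGenerated` (1:22:47 PM) on the same record, suggesting the source stamps local time that is read as UTC; the parser should not feed `EventTime` into `EventStartTime` without a documented offset. Minor: `ProcessName` is `ACTIONidentity` for every record, so message types can only be distinguished by the leading keyword of `SyslogMessage` (`Port bite`, `Scan event`, `Manual event`, `Block Event`, `Mail Infection Attempt`, `NAC Policy Log`); worth stating in the parser's README.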

View file

@ -0,0 +1,53 @@
[
{
"TenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"SourceSystem": "Linux",
"TimeGenerated [UTC]": "7/12/2021, 8:48:41.630 AM",
"Computer": "localhost",
"EventTime [UTC]": "7/12/2021, 8:41:27.000 AM",
"Facility": "user",
"HostName": "localhost",
"SeverityLevel": "notice",
"SyslogMessage": "41:27,344,,audit.runtime.com.rsa.ims.authn.impl.AuthenticationBrokerImpl,INFO,a6c436a2e2e266a219d3d0a5504eff4a,6ceed1b2e2e266a20801cd23efb75fbd,192.168.1.99,192.168.46.46,AUTHN_LOGIN_EVENT,13002,SUCCESS,AUTHN_METHOD_SUCCESS,a636cfbbe2e266a219d365ddeee982a4-x6l+XQokVhIt,ce3d7b2be2e266a21974b6f5ce9ba2ca,000000000000000000001000d0011000,000000000000000000001000e0011000,U328187,Ericka,Ryptography,2e0ca6e7e2e266a21bc6a77ef43a59e5,000000000000000000001000e0011000,192.168.1.99,mn-sv2-jp-sped-c6-sm2.securitydynamics.com,7,000000000000000000002000f1022000,SecurID_Native,,,AUTHN_LOGIN_EVENT,5,1,000000000000000000001000e0011000,SystemDomain,d83770c3e2e266a21b9dcacfc6c9cd78,SpED,2469ab36e2e266a21a69868bc4b6b808,xxxxxxxx2776,,",
"ProcessID": "",
"HostIP": "::1",
"ProcessName": "2021-07-12",
"MG": "00000000-0000-0000-0000-000000000002",
"Type": "Syslog",
"_ResourceId": ""
},
{
"TenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"SourceSystem": "Linux",
"TimeGenerated [UTC]": "7/8/2021, 9:47:51.537 AM",
"Computer": "localhost",
"EventTime [UTC]": "9/14/2021, 10:41:27.000 PM",
"Facility": "user",
"HostName": "localhost",
"SeverityLevel": "notice",
"SyslogMessage": "41:27,344, , audit.runtime.com.rsa.ims.authn.impl.AuthenticationBrokerImpl,INFO, a6c436a2e2e266a219d3d0a5504eff4a,6ceed1b2e2e266a20801cd23efb75fbd,192.168.1.99,192.168.46.46,AUTHN_LOGIN_EVENT,13002,SUCCESS,AUTHN_METHOD_SUCCESS,a636cfbbe2e266a219d365ddeee982a4-x6l+XQokVhIt,ce3d7b2be2e266a21974b6f5ce9ba2ca,000000000000000000001000d0011000,000000000000000000001000e0011000,U328187,Ericka,Ryptography,2e0ca6e7e2e266a21bc6a77ef43a59e5,000000000000000000001000e0011000,192.168.1.99,mn-sv2-jp-sped-c6-sm2.securitydynamics.com,7,000000000000000000002000f1022000,SecurID_Native,,,AUTHN_LOGIN_EVENT,5,1,000000000000000000001000e0011000,SystemDomain,d83770c3e2e266a21b9dcacfc6c9cd78,SpED,2469ab36e2e266a21a69868bc4b6b808,xxxxxxxx2776,,",
"ProcessID": "",
"HostIP": "::1",
"ProcessName": "2016-09-15",
"MG": "00000000-0000-0000-0000-000000000002",
"Type": "Syslog",
"_ResourceId": ""
},
{
"TenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"SourceSystem": "Linux",
"TimeGenerated [UTC]": "7/8/2021, 9:51:22.300 AM",
"Computer": "localhost",
"EventTime [UTC]": "7/8/2021, 9:41:27.000 AM",
"Facility": "user",
"HostName": "localhost",
"SeverityLevel": "notice",
"SyslogMessage": "41:27,344,,audit.runtime.com.rsa.ims.authn.impl.AuthenticationBrokerImpl,INFO,a6c436a2e2e266a219d3d0a5504eff4a,6ceed1b2e2e266a20801cd23efb75fbd,192.168.1.99,192.168.46.46,AUTHN_LOGIN_EVENT,13002,SUCCESS,AUTHN_METHOD_SUCCESS,a636cfbbe2e266a219d365ddeee982a4-x6l+XQokVhIt,ce3d7b2be2e266a21974b6f5ce9ba2ca,000000000000000000001000d0011000,000000000000000000001000e0011000,U328187,Ericka,Ryptography,2e0ca6e7e2e266a21bc6a77ef43a59e5,000000000000000000001000e0011000,192.168.1.99,mn-sv2-jp-sped-c6-sm2.securitydynamics.com,7,000000000000000000002000f1022000,SecurID_Native,,,AUTHN_LOGIN_EVENT,5,1,000000000000000000001000e0011000,SystemDomain,d83770c3e2e266a21b9dcacfc6c9cd78,SpED,2469ab36e2e266a21a69868bc4b6b808,xxxxxxxx2776,,",
"ProcessID": "",
"HostIP": "::1",
"ProcessName": "2021-07-08",
"MG": "00000000-0000-0000-0000-000000000002",
"Type": "Syslog",
"_ResourceId": ""
}
]
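Review bot: the records show the RSA audit CSV line arriving without a syslog program tag, so the leading date (`2021-07-12`) has been taken as `ProcessName`, `ProcessID` is empty and the hour field is gone, leaving `SyslogMessage` starting at `41:27,344`; a parser built on this sample cannot recover the event time from the message and should take it from `EventTime`, and the forwarder configuration should be corrected (or the limitation documented) so that `ProcessName` carries a real tag. The second record differs from the others only by spaces after two commas (`, , audit.runtime...` and `INFO, a6c4...`): if that is deliberate, say so in a comment or README, because `split()`-based parsers will otherwise return padded values; if not, normalise it. That record's `EventTime` (9/14/2021) is also two months after its `TimeGenerated` (7/8/2021) and does not match its `ProcessName` date (`2016-09-15`), which undermines it as a fixture. Finally, the sample carries a realistic hostname (`mn-sv2-jp-sped-c6-sm2.securitydynamics.com`) and user identifiers (`U328187`, `Ericka`, `Ryptography`); replace them with `example.com` and placeholder names before publishing.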

View file

@ -0,0 +1,485 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"PlaybookName": {
"defaultValue": "CiscoISE-FalsePositivesClearPolicies",
"type": "String"
},
"WatchlistName": {
"defaultValue": "[parameters('WatchlistName')]",
"type": "String",
"metadata": {
"description": "Name of the Watchlist that contains safe MAC addresses list"
}
},
"WatchlistFieldName": {
"defaultValue": "[parameters('WatchlistFieldName')]",
"type": "String",
"metadata": {
"description": "Watchlist field name that contains MAC address"
}
}
},
"variables": {
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
"AzureMonitorLogsConnectionName": "[concat('azuremonitorlogs-', parameters('PlaybookName'))]",
"CiscoISEConnectionName": "[concat('ciscoise-connection-', parameters('PlaybookName'))]",
"customApis_ciscoise_name": "CiscoISE"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[variables('AzureSentinelConnectionName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureMonitorLogsConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[variables('AzureMonitorLogsConnectionName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('CiscoISEConnectionName')]",
"location": "[resourceGroup().location]",
"kind": "V1",
"properties": {
"displayName": "[variables('CiscoISEConnectionName')]",
"parameterValues": {
"authType": "basic"
},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', variables('customApis_ciscoise_name'))]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('AzureMonitorLogsConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('CiscoISEConnectionName'))]"
],
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {
"Add_comment_to_incident_(V3)": {
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p><strong></strong><strong>@{outputs('Create_logo')}</strong><strong> CiscoISE-FalsePositivesClearPolicies</strong><br>\nThe following endpoints were released as they are in safe list @{variables('watchlist')}:<br>\n@{body('Create_released_endpoints_HTML_table')}<br>\nThe following endpoints were not released because of errors although they are in safe list @{variables('watchlist')}:<br>\n@{body('Create_not_released_endpoints_HTML_table')}</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
},
"runAfter": {
"Create_logo": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Create_logo": {
"inputs": "<img src=\"https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco%20ISE/Playbooks/cisco-logo.png\" width=\"32\" height=\"32\">",
"runAfter": {
"Create_not_released_endpoints_HTML_table": [
"Succeeded"
]
},
"type": "Compose"
},
"Create_not_released_endpoints_HTML_table": {
"inputs": {
"columns": [
{
"header": "MACaddress",
"value": "@item()"
}
],
"format": "HTML",
"from": "@variables('not_released_endpoints')"
},
"runAfter": {
"Create_released_endpoints_HTML_table": [
"Succeeded"
]
},
"type": "Table"
},
"Create_released_endpoints_HTML_table": {
"inputs": {
"columns": [
{
"header": "MACaddress",
"value": "@item()"
}
],
"format": "HTML",
"from": "@variables('released_endpoints')"
},
"runAfter": {
"For_each_MACAddress": [
"Succeeded"
]
},
"type": "Table"
},
"Filter_array": {
"inputs": {
"from": "@variables('mac_addresses')",
"where": "@contains(variables('rejected_endpoints'), item())"
},
"runAfter": {
"For_each_alert_in_incident": [
"Succeeded"
]
},
"type": "Query"
},
"For_each_MACAddress": {
"actions": {
"Find_MAC_in_watchlist": {
"inputs": {
"body": "let ls = _GetWatchlist('@{variables('watchlist')}'); find in (ls) where @{variables('watchlist_mac_field')}==\"@{items('For_each_MACAddress')}\" | take 1",
"host": {
"connection": {
"name": "@parameters('$connections')['azuremonitorlogs']['connectionId']"
}
},
"method": "post",
"path": "/queryData",
"queries": {
"resourcegroups": "@triggerBody()?['workspaceInfo']?['ResourceGroupName']",
"resourcename": "@triggerBody()?['workspaceInfo']?['WorkspaceName']",
"resourcetype": "Log Analytics Workspace",
"subscriptions": "@triggerBody()?['workspaceInfo']?['SubscriptionId']",
"timerange": "1d"
}
},
"runAfter": {},
"type": "ApiConnection"
},
"If_MAC_is_in_watchlist": {
"actions": {
"Append_MAC_to_not_released_endpoints_variable": {
"inputs": {
"name": "not_released_endpoints",
"value": "@items('For_each_MACAddress')"
},
"runAfter": {
"Release_rejected_endpoint": [
"Failed",
"TimedOut"
]
},
"type": "AppendToArrayVariable"
},
"Append_MAC_to_released_endpoints_variable": {
"inputs": {
"name": "released_endpoints",
"value": "@items('For_each_MACAddress')"
},
"runAfter": {
"Append_MAC_to_not_released_endpoints_variable": [
"Skipped"
]
},
"type": "AppendToArrayVariable"
},
"Release_rejected_endpoint": {
"inputs": {
"headers": {
"Accept": "application/json",
"Content-Type": "application/json"
},
"host": {
"connection": {
"name": "@parameters('$connections')['ciscoise']['connectionId']"
}
},
"method": "put",
"path": "/ers/config/endpoint/@{encodeURIComponent(items('For_each_MACAddress'))}/releaserejectedendpoint"
},
"runAfter": {},
"type": "ApiConnection"
}
},
"expression": {
"and": [
{
"greater": [
"@length(body('Find_MAC_in_watchlist'))",
0
]
}
]
},
"runAfter": {
"Find_MAC_in_watchlist": [
"Succeeded"
]
},
"type": "If"
}
},
"foreach": "@variables('mac_addresses')",
"runAfter": {
"Filter_array": [
"Succeeded"
]
},
"type": "Foreach"
},
"For_each_alert_in_incident": {
"actions": {
"Append_MACAddress_to_mac_addresses_array": {
"inputs": {
"name": "mac_addresses",
"value": "@body('Parse_alert_custom_details')?['MACAddress'][0]"
},
"runAfter": {
"Parse_alert_custom_details": [
"Succeeded"
]
},
"type": "AppendToArrayVariable"
},
"Parse_alert_custom_details": {
"inputs": {
"content": "@items('For_each_alert_in_incident')?['properties']?['additionalData']?['Custom Details']",
"schema": {
"properties": {
"MACAddress": {
"items": {
"type": "string"
},
"type": "array"
}
},
"type": "object"
}
},
"runAfter": {},
"type": "ParseJson"
}
},
"foreach": "@triggerBody()?['object']?['properties']?['Alerts']",
"runAfter": {
"For_each_rejected_endpoint": [
"Succeeded"
]
},
"type": "Foreach"
},
"For_each_rejected_endpoint": {
"actions": {
"Append_to_rejected_endpoints_variable": {
"inputs": {
"name": "rejected_endpoints",
"value": "@items('For_each_rejected_endpoint')?['value']"
},
"runAfter": {},
"type": "AppendToArrayVariable"
}
},
"foreach": "@body('Get_rejected_endpoints')?['OperationResult']?['resultValue']",
"runAfter": {
"Get_rejected_endpoints": [
"Succeeded"
]
},
"type": "Foreach"
},
"Get_rejected_endpoints": {
"inputs": {
"headers": {
"Accept": "application/json",
"Content-Type": "application/json"
},
"host": {
"connection": {
"name": "@parameters('$connections')['ciscoise']['connectionId']"
}
},
"method": "get",
"path": "/ers/config/endpoint/getrejectedendpoints"
},
"runAfter": {
"Initialize_variable_not_released_endpoints": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Initialize_variable_MAC_addresses": {
"inputs": {
"variables": [
{
"name": "mac_addresses",
"type": "array"
}
]
},
"runAfter": {
"Initialize_variable_rejected_endpoints": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Initialize_variable_not_released_endpoints": {
"inputs": {
"variables": [
{
"name": "not_released_endpoints",
"type": "array"
}
]
},
"runAfter": {
"Initialize_variable_released_endpoints": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Initialize_variable_rejected_endpoints": {
"inputs": {
"variables": [
{
"name": "rejected_endpoints",
"type": "array"
}
]
},
"runAfter": {
"Initialize_variable_watchlist_mac_field": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Initialize_variable_released_endpoints": {
"inputs": {
"variables": [
{
"name": "released_endpoints",
"type": "array"
}
]
},
"runAfter": {
"Initialize_variable_MAC_addresses": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Initialize_variable_watchlist": {
"inputs": {
"variables": [
{
"name": "watchlist",
"type": "string",
"value": "test_watchlist"
}
]
},
"runAfter": {},
"type": "InitializeVariable"
},
"Initialize_variable_watchlist_mac_field": {
"inputs": {
"variables": [
{
"name": "watchlist_mac_field",
"type": "string",
"value": "test_watchlist_field"
}
]
},
"runAfter": {
"Initialize_variable_watchlist": [
"Succeeded"
]
},
"type": "InitializeVariable"
}
},
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"When_Azure_Sentinel_incident_creation_rule_was_triggered": {
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/incident-creation"
},
"type": "ApiConnectionWebhook"
}
}
},
"parameters": {
"$connections": {
"value": {
"azuresentinel": {
"connectionName": "[variables('AzureSentinelConnectionName')]",
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"id": "[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Web/locations/',resourceGroup().location,'/managedApis/azuresentinel')]"
},
"azuremonitorlogs": {
"connectionName": "[variables('AzureMonitorLogsConnectionName')]",
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureMonitorLogsConnectionName'))]",
"id": "[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Web/locations/',resourceGroup().location,'/managedApis/azuremonitorlogs')]"
},
"ciscoise": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('CiscoISEConnectionName'))]",
"connectionName": "[variables('CiscoISEConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', variables('customApis_ciscoise_name'))]"
}
}
}
}
}
}
]
}
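Review bot: `For_each_MACAddress` loops over `@variables('mac_addresses')`, the unfiltered list of every MAC in the incident, so the output of `Filter_array` (which keeps only the MACs that `Get_rejected_endpoints` reported as rejected) is never consumed and the "was it rejected in ISE" step the README describes is dead code; the loop's `foreach` should be `@body('Filter_array')`. As written, every watchlisted MAC in the incident is sent to `/ers/config/endpoint/{mac}/releaserejectedendpoint`, and any MAC that was not actually rejected is reported as "not released" if that call fails instead of being skipped. Two further points in the same hunk. First, `Find_MAC_in_watchlist` splices the MAC taken from the alert's custom details straight into the KQL text (`where @{variables('watchlist_mac_field')}=="@{items('For_each_MACAddress')}"`); that value originates in log data, so a value containing a double quote can change the `where` clause and make the safe-list check succeed for a MAC that is not on the watchlist. Validate the string against a strict MAC pattern before the query, or fetch the watchlist once and do the comparison in the workflow. Second, `Initialize_variable_watchlist` and `Initialize_variable_watchlist_mac_field` carry the literal values `test_watchlist` and `test_watchlist_field`; if the template exposes the Watchlist Name and Watchlist Field Name parameters the README asks for, these should be `[parameters(...)]` references, otherwise the deployed playbook queries a watchlist that does not exist. Minor: `contains(variables('rejected_endpoints'), item())` is an exact, case-sensitive match, so the MAC format returned by ISE and the one mapped into the alert must agree.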

Binary file not shown (image, 34 KiB).

View file

@ -0,0 +1,46 @@
# CiscoISE-FalsePositivesClearPolicies
## Summary
When a new sentinel incident is created, this playbook gets triggered and performs the following actions:
1. For each MAC address (*MACAddress* provided in the alert custom entities) in the incident checks if it is was rejected in Cisco ISE.
2. If MAC address was rejected, checks if it is in the safe list (safe list is a custom [Watchlist](https://docs.microsoft.com/azure/sentinel/watchlists) that contains safe MAC addresses).
If it is in safe list, releases endpoint with this MAC address in Cisco ISE.
3. Adds comment to the incident with information about the released endpoints.
<img src="./playbook_screenshot.png" width="50%"/><br>
### Prerequisites
1. Prior to the deployment of this playbook, Cisco ISE Connector needs to be deployed under the same subscription.
2. Obtain Cisco ISE ERS API credentials. Refer to Cisco ISE Custom Connector documentation.
3. [Watchlist](https://docs.microsoft.com/azure/sentinel/watchlists) with safe MAC addresses list needs to be created.
### Deployment instructions
1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
2. Fill in the required paramteres:
* Playbook Name: Enter the playbook name here
* Watchlist Name: Name of the Watchlist that contains safe MAC addresses list
* Watchlist Field Name: Watchlist field name that contains MAC address
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FCisco%2520ISE%2FPlaybooks%2FCiscoISE-FalsePositivesClearPolicies%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FCisco%2520ISE%2FPlaybooks%2FCiscoISE-FalsePositivesClearPolicies%2Fazuredeploy.json)
### Post-Deployment instructions
#### a. Authorize connections
Once deployment is complete, authorize each connection.
1. Click the Azure Sentinel connection resource
2. Click edit API connection
3. Click Authorize
4. Sign in
5. Click Save
6. Repeat steps for other connections
#### b. Configurations in Sentinel
1. In Azure sentinel, analytical rules should be configured to trigger an incident. An incident should have the *MACAddress* custom entity that contains MAC address of an endpoint in Cisco ISE. It can be obtained from the corresponding field in Cisco ISE logs. Check the [documentation](https://docs.microsoft.com/azure/sentinel/surface-custom-details-in-alerts) to learn more about adding custom entities to incidents.
2. Configure the automation rules to trigger the playbook.
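Review bot: prerequisite 1 says the Cisco ISE connector only needs to be "under the same subscription", but the template resolves the custom API with `resourceGroup().name` (`.../resourceGroups/<rg>/providers/Microsoft.Web/customApis/...`), so the connector has to live in the same resource group as the playbook and carry the name the template's `customApis_ciscoise_name` variable expects; say so here. It is also worth stating in the summary that the watchlist is the only control between an incoming alert and a `releaserejectedendpoint` call in ISE, so write access to that watchlist should be restricted. Typos: "it is was rejected" should read "it was rejected", and "paramteres" should read "parameters".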

View file

@ -0,0 +1,274 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"PlaybookName": {
"defaultValue": "CiscoISE-SuspendGuestUser",
"type": "String"
}
},
"variables": {
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
"CiscoISEConnectionName": "[concat('ciscoise-connection-', parameters('PlaybookName'))]",
"customApis_ciscoise_name": "CiscoISE"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[variables('AzureSentinelConnectionName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('CiscoISEConnectionName')]",
"location": "[resourceGroup().location]",
"kind": "V1",
"properties": {
"displayName": "[variables('CiscoISEConnectionName')]",
"parameterValues": {
"authType": "basic"
},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', variables('customApis_ciscoise_name'))]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('CiscoISEConnectionName'))]"
],
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {
"Add_comment_to_incident_(V3)": {
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p><span style=\"font-size: 16px\"><strong></strong></span><span style=\"font-size: 16px\"><strong>@{outputs('Create_html_tag_with_Cisco_logo')}</strong></span><span style=\"font-size: 16px\"><strong> CiscoISE SuspendGuestUser Playbook<br>\n</strong></span><span style=\"font-size: 14px\">CiscoISE SuspendGuestUser playbook was triggered and suspended the following users:<br>\n</span><span style=\"font-size: 14px\">@{body('Create_HTML_table_with_suspended_users')}</span><span style=\"font-size: 14px\"><br>\nThe following users are not suspended:<br>\n</span><span style=\"font-size: 14px\">@{body('Create_HTML_table_with_not_suspended_users')}</span><span style=\"font-size: 14px\"><br>\n</span></p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
},
"runAfter": {
"Create_html_tag_with_Cisco_logo": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Create_HTML_table_with_not_suspended_users": {
"inputs": {
"columns": [
{
"header": "user",
"value": "@item()"
}
],
"format": "HTML",
"from": "@variables('not suspended users')"
},
"runAfter": {
"Create_HTML_table_with_suspended_users": [
"Succeeded"
]
},
"type": "Table"
},
"Create_HTML_table_with_suspended_users": {
"inputs": {
"columns": [
{
"header": "user",
"value": "@item()"
}
],
"format": "HTML",
"from": "@variables('suspended users')"
},
"runAfter": {
"For_each_Account_in_incident": [
"Succeeded"
]
},
"type": "Table"
},
"Create_html_tag_with_Cisco_logo": {
"inputs": "<img src=\"https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco%20ISE/Playbooks/cisco-logo.png\" width=\"32\" height=\"32\">",
"runAfter": {
"Create_HTML_table_with_not_suspended_users": [
"Succeeded"
]
},
"type": "Compose"
},
"Entities_-_Get_Accounts": {
"inputs": {
"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/account"
},
"runAfter": {},
"type": "ApiConnection"
},
"For_each_Account_in_incident": {
"actions": {
"Append_user_to_\"not_suspended_users\"": {
"description": "Append user to \" not suspended users\" if API call was not successful",
"inputs": {
"name": "not suspended users",
"value": "@item()['Name']"
},
"runAfter": {
"Suspend_guest_user_by_name": [
"Failed",
"TimedOut"
]
},
"type": "AppendToArrayVariable"
},
"Append_user_to_\"suspended_users\"": {
"description": "Append user to \"suspended users\" if API call was successful",
"inputs": {
"name": "suspended users",
"value": "@item()['Name']"
},
"runAfter": {
"Append_user_to_\"not_suspended_users\"": [
"Skipped"
]
},
"type": "AppendToArrayVariable"
},
"Suspend_guest_user_by_name": {
"inputs": {
"headers": {
"Accept": "application/json",
"Cache-Control": "no-cache",
"Content-Type": "application/json; charset=utf-8"
},
"host": {
"connection": {
"name": "@parameters('$connections')['ciscoise']['connectionId']"
}
},
"method": "put",
"path": "/ers/config/guestuser/suspend/name/@{encodeURIComponent(item()['Name'])}"
},
"runAfter": {},
"type": "ApiConnection"
}
},
"foreach": "@body('Entities_-_Get_Accounts')?['Accounts']",
"runAfter": {
"Initialize_variable_\"not_suspended_users\"": [
"Succeeded"
]
},
"type": "Foreach"
},
"Initialize_variable_\"not_suspended_users\"": {
"description": "This varaible will contain users that are not suspended.",
"inputs": {
"variables": [
{
"name": "not suspended users",
"type": "array"
}
]
},
"runAfter": {
"Initialize_variable_\"suspended_users\"": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Initialize_variable_\"suspended_users\"": {
"description": "This varaible will contain users that are suspended.",
"inputs": {
"variables": [
{
"name": "suspended users",
"type": "array"
}
]
},
"runAfter": {
"Entities_-_Get_Accounts": [
"Succeeded"
]
},
"type": "InitializeVariable"
}
},
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"When_Azure_Sentinel_incident_creation_rule_was_triggered": {
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/incident-creation"
},
"type": "ApiConnectionWebhook"
}
}
},
"parameters": {
"$connections": {
"value": {
"azuresentinel": {
"connectionName": "[variables('AzureSentinelConnectionName')]",
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"id": "[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Web/locations/',resourceGroup().location,'/managedApis/azuresentinel')]"
},
"ciscoise": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('CiscoISEConnectionName'))]",
"connectionName": "[variables('CiscoISEConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', variables('customApis_ciscoise_name'))]"
}
}
}
}
}
}
]
}
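Review bot: `Append_user_to_"not_suspended_users"` runs on any `Failed` or `TimedOut` outcome of `Suspend_guest_user_by_name`, but according to the connector definition later in this commit a 400 from `/ers/config/guestuser/suspend/name/{guestName}` means the guest is already suspended, so an account whose end state is exactly what the playbook wanted is reported in the incident comment as "not suspended". Branch on `outputs('Suspend_guest_user_by_name')['statusCode']` and treat 400 as already suspended, keeping 401, 404 and 500 as real failures. Two smaller points: the `<img>` in `Create_html_tag_with_Cisco_logo` points at `https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco%20ISE/Playbooks/cisco-logo.png`, which serves an HTML page rather than the image, so use the raw file URL; and the loop sends `item()['Name']` of every Account entity on the incident to the suspend endpoint, so non-guest accounts will produce 404s and land in the not-suspended list, which the README should mention. Also "varaible" in both `Initialize_variable_*` descriptions.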

Binary file not shown (image, 29 KiB).

View file

@ -0,0 +1,41 @@
# CiscoISE-SuspendGuestUser
## Summary
When a new sentinel incident is created, this playbook gets triggered and performs the following actions:
1. For each Account in the incident suspends user in Cisco ISE by its name.
2. Adds comment to the incident with information about suspended users.
<img src="./playbook_screenshot.png" width="50%"/><br>
### Prerequisites
1. Prior to the deployment of this playbook, Cisco ISE Connector needs to be deployed under the same subscription.
2. Obtain Cisco ISE ERS API credentials. Refer to Cisco ISE Custom Connector documentation.
### Deployment instructions
1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
2. Fill in the required paramteres:
* Playbook Name: Enter the playbook name here
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FCisco%2520ISE%2FPlaybooks%2FCiscoISE-SuspendGuestUser%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FCisco%2520ISE%2FPlaybooks%2FCiscoISE-SuspendGuestUser%2Fazuredeploy.json)
### Post-Deployment instructions
#### a. Authorize connections
Once deployment is complete, authorize each connection.
1. Click the Azure Sentinel connection resource
2. Click edit API connection
3. Click Authorize
4. Sign in
5. Click Save
6. Repeat steps for other connections
#### b. Configurations in Sentinel
1. In Azure sentinel, analytical rules have to be configured to trigger an incident with risky user account. In the *Entity maping* section of the analytics rule creation workflow, user's name has to be mapped to **Name** identitfier of the **Account** entity type. Check the [documentation](https://docs.microsoft.com/azure/sentinel/map-data-fields-to-entities) to learn more about mapping entities.
2. Configure the automation rules to trigger the playbook.
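Review bot: same deployment-scope issue as in the other README: the template resolves the Cisco ISE custom API with `resourceGroup().name`, so the connector must be in the playbook's resource group, not merely the same subscription. Step b.1 should also say that the `Name` identifier of the Account entity is passed verbatim into the ISE guest-user suspend path, so the analytics rule has to map the ISE guest username rather than a UPN or SAM account name, or every call will return 404. Typos: "paramteres", "Entity maping", "identitfier".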

Diff not shown because of its large size.

Binary file not shown (image, 24 KiB).

View file

@ -0,0 +1,50 @@
# CiscoISE-TakeEndpointActionFromTeams
## Summary
When a new sentinel incident is created, this playbook gets triggered and performs the following actions:
1. Sends an adaptive card to the Teams channel where the analyst can choose an action to be taken.
<img src="./teams_screenshot.png" width="50%"/><br>
2. Assigns a policy (policy name is provided during the deployment stage) to an andpoint (*MACAddress* of the endpoint is provided in the alert custom entities) depending on the action chosen in the adaptive card.
3. Changes incident status and severity depending on the action chosen in the adaptive card.
4. Adds comment to the incident with information about the actions taken.
<img src="./playbook_screenshot.png" width="50%"/><br>
### Prerequisites
1. Prior to the deployment of this playbook, Cisco ISE Connector needs to be deployed under the same subscription.
2. Obtain Cisco ISE ERS API credentials. Refer to Cisco ISE Custom Connector documentation.
3. Obtain Teams group id and channel id.
### Deployment instructions
1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
2. Fill in the required paramteres:
* Playbook Name: Enter the playbook name here
* Teams Group Id: Id of the Teams Group where the adaptive card will be posted
* Teams Channel Id: Id of the Teams Channel where the adaptive card will be posted
* Policy Name: Policy name to be assigned to an endpoint
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FCisco%2520ISE%2FPlaybooks%2FCiscoISE-TakeEndpointActionFromTeams%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FCisco%2520ISE%2FPlaybooks%2FCiscoISE-TakeEndpointActionFromTeams%2Fazuredeploy.json)
### Post-Deployment instructions
#### a. Authorize connections
Once deployment is complete, authorize each connection.
1. Click the Azure Sentinel connection resource
2. Click edit API connection
3. Click Authorize
4. Sign in
5. Click Save
6. Repeat steps for other connections
#### b. Configurations in Sentinel
1. In Azure sentinel, analytical rules should be configured to trigger an incident. An incident should have the *MACAddress* custom entity that contains MAC address of an endpoint in Cisco ISE. It can be obtained from the corresponding field in Cisco ISE logs. Check the [documentation](https://docs.microsoft.com/azure/sentinel/surface-custom-details-in-alerts) to learn more about adding custom entities to incidents.
2. Configure the automation rules to trigger the playbook.
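Review bot: step 1 makes membership of the Teams channel the authorization boundary for assigning an ANC policy to an endpoint in ISE and for changing the incident's status and severity, so the README should state that the channel identified by Teams Group Id and Teams Channel Id must be limited to analysts permitted to take those actions, since anyone who can answer the adaptive card drives the playbook. Typos: "andpoint" should read "endpoint", "paramteres" should read "parameters".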

Binary file not shown (image, 294 KiB).

View file

@ -0,0 +1,943 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"API Hostname": {
"type": "String",
"defaultValue": "testhost.com",
"metadata": {
"description": "Hostname of the Cisco ISE instance."
}
},
"API Port": {
"type": "String",
"defaultValue": "9060",
"metadata": {
"description": "Port number of Cisco ISE ERS API. By default 9060."
}
}
},
"variables": {
"customApis_CiscoISE_name": "CiscoISE"
},
"resources": [
{
"type": "Microsoft.Web/customApis",
"apiVersion": "2016-06-01",
"name": "[variables('customApis_CiscoISE_name')]",
"location": "[resourceGroup().location]",
"properties": {
"connectionParameters": {
"username": {
"type": "securestring",
"uiDefinition": {
"displayName": "username",
"description": "The username for this api",
"tooltip": "Provide the username",
"constraints": {
"tabIndex": 2,
"clearText": true,
"required": "true",
"capability": [
"gateway"
]
}
}
},
"password": {
"type": "securestring",
"uiDefinition": {
"displayName": "password",
"description": "The password for this api",
"tooltip": "Provide the password",
"constraints": {
"tabIndex": 3,
"clearText": false,
"required": "true",
"capability": [
"gateway"
]
}
}
},
"authType": {
"type": "string",
"allowedValues": [
{
"value": "basic"
}
],
"uiDefinition": {
"displayName": "Authentication Type",
"description": "Authentication type to connect to your API",
"tooltip": "Authentication type to connect to your API",
"constraints": {
"tabIndex": 1,
"required": "true",
"allowedValues": [
{
"text": "basic",
"value": "basic"
}
],
"capability": [
"gateway"
]
}
}
},
"gateway": {
"type": "gatewaySetting",
"gatewaySettings": {
"dataSourceType": "CustomConnector",
"connectionDetails": []
},
"uiDefinition": {
"constraints": {
"tabIndex": 4,
"required": "true",
"capability": [
"gateway"
]
}
}
}
},
"brandColor": "#FFFFFF",
"description": "Cisco Identity Services Engine connector for on-premise gateway",
"displayName": "[variables('customApis_CiscoISE_name')]",
"iconUri": "",
"backendService": {
"serviceUrl": "[concat('https://', parameters('API Hostname'), ':', parameters('API Port'))]"
},
"capabilities": ["gateway"],
"apiType": "Rest",
"swagger": {
"swagger": "2.0",
"info": {
"version": "1.0.0",
"title": "Cisco ISE custom connector",
"description": "Cisco Identity Services Engine connector for on-premise gateway"
},
"host": "[concat(parameters('API Hostname'), ':', parameters('API Port'))]",
"basePath": "/",
"schemes": [
"https"
],
"consumes": [
"application/json"
],
"produces": [
"application/json"
],
"paths": {
"/ers/config/guestuser/suspend/name/{guestName}": {
"put": {
"summary": "Suspend guest user by name",
"parameters": [
{
"name": "Accept",
"in": "header",
"required": true,
"type": "string",
"default": "application/json",
"x-ms-visibility": "internal"
},
{
"name": "Content-Type",
"in": "header",
"required": true,
"type": "string",
"default": "application/json; charset=utf-8",
"x-ms-visibility": "internal"
},
{
"name": "Cache-Control",
"in": "header",
"required": true,
"type": "string",
"default": "no-cache",
"x-ms-visibility": "internal"
},
{
"name": "guestName",
"in": "path",
"required": true,
"description": "User name to suspend",
"type": "string",
"x-ms-summary": "UserName"
}
],
"responses": {
"204": {
"description": "Indicates the REST API successfully carried out the desired action."
},
"400": {
"description": "Guest user is already suspended."
},
"401": {
"description": "This indicates that the action was undertaken with wrong credentials, no credentials or the account is not authorized to perform this action."
},
"404": {
"description": "Guest user is not found."
},
"500": {
"description": "Indicates an issue on the server side. Logs on ISE may help understand the cause."
}
},
"operationId": "SuspendGuestUser"
}
},
"/ers/config/ancendpoint/apply": {
"put": {
"responses": {
"default": {
"description": "default",
"schema": {}
}
},
"summary": "Assign an ANC policy to an endpoint",
"operationId": "ANCEndpointApply",
"parameters": [
{
"name": "Content-Type",
"in": "header",
"required": true,
"type": "string",
"default": "application/json",
"x-ms-visibility": "internal"
},
{
"name": "Accept",
"in": "header",
"required": true,
"type": "string",
"default": "application/json",
"x-ms-visibility": "internal"
},
{
"name": "body",
"in": "body",
"required": true,
"schema": {
"type": "object",
"properties": {
"OperationAdditionalData": {
"type": "object",
"properties": {
"additionalData": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "name",
"title": "",
"enum": [
"macAddress",
"ipAddress",
"policyName"
]
},
"value": {
"type": "string",
"description": "value",
"title": ""
}
},
"required": [
"name",
"value"
]
},
"description": "additionalData"
}
},
"description": "OperationAdditionalData",
"required": [
"additionalData"
]
}
},
"required": [
"OperationAdditionalData"
]
}
}
]
}
},
"/ers/config/ancendpoint/clear": {
"put": {
"responses": {
"default": {
"description": "default",
"schema": {}
}
},
"summary": "Un-apply an ANC policy to an endpoint",
"operationId": "ANCEndpointClear",
"parameters": [
{
"name": "Content-Type",
"in": "header",
"required": true,
"type": "string",
"default": "application/json",
"x-ms-visibility": "internal"
},
{
"name": "Accept",
"in": "header",
"required": true,
"type": "string",
"default": "application/json",
"x-ms-visibility": "internal"
},
{
"name": "body",
"in": "body",
"required": true,
"schema": {
"type": "object",
"properties": {
"OperationAdditionalData": {
"type": "object",
"properties": {
"additionalData": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "name",
"title": "",
"enum": [
"macAddress",
"ipAddress"
]
},
"value": {
"type": "string",
"description": "value",
"title": ""
}
},
"required": [
"name",
"value"
]
},
"description": "additionalData"
}
},
"description": "OperationAdditionalData",
"required": [
"additionalData"
]
}
},
"required": [
"OperationAdditionalData"
]
}
}
]
}
},
"/ers/config/ancendpoint/{id}": {
"get": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "object",
"properties": {
"ErsAncEndpoint": {
"type": "object",
"properties": {
"macAddress": {
"type": "string",
"description": "macAddress"
},
"policyName": {
"type": "string",
"description": "policyName"
}
},
"description": "ErsAncEndpoint"
}
}
}
}
},
"summary": "Get an ANC Endpoint",
"operationId": "ANCEndpointGetById",
"parameters": [
{
"name": "id",
"in": "path",
"required": true,
"type": "string",
"x-ms-summary": "ANC Endpoint Id"
},
{
"name": "Content-Type",
"in": "header",
"required": true,
"type": "string",
"default": "application/json",
"x-ms-visibility": "internal"
},
{
"name": "Accept",
"in": "header",
"required": true,
"type": "string",
"default": "application/json",
"x-ms-visibility": "internal"
}
]
}
},
"/ers/config/ancendpoint": {
"get": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "object",
"properties": {
"SearchResult": {
"type": "object",
"properties": {
"total": {
"type": "integer",
"format": "int32",
"description": "Number of returned ANC endpoints",
"title": "total"
},
"resources": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "ANC endpoint id"
},
"name": {
"type": "string",
"description": "ANC endpoint name"
},
"description": {
"type": "string",
"description": "ANC endpoint description"
}
}
},
"description": "List of ANC endpoints"
},
"nextPage": {
"type": "object",
"properties": {
"rel": {
"type": "string",
"description": "rel",
"title": "",
"x-ms-visibility": "internal"
},
"href": {
"type": "string",
"description": "Link to next page"
},
"type": {
"type": "string",
"description": "type",
"title": "",
"x-ms-visibility": "internal"
}
},
"description": "nextPage"
},
"previousPage": {
"type": "object",
"properties": {
"rel": {
"type": "string",
"description": "rel",
"title": "",
"x-ms-visibility": "internal"
},
"href": {
"type": "string",
"description": "Link to previous page"
},
"type": {
"type": "string",
"description": "type",
"title": "",
"x-ms-visibility": "internal"
}
},
"description": "previousPage"
}
},
"description": "SearchResult"
}
}
}
}
},
"summary": "Get all ANC Endpoints",
"operationId": "ANCEndpointGetAll",
"parameters": [
{
"name": "Content-Type",
"in": "header",
"required": true,
"type": "string",
"default": "application/json",
"x-ms-visibility": "internal"
},
{
"name": "Accept",
"in": "header",
"required": true,
"type": "string",
"default": "application/json",
"x-ms-visibility": "internal"
}
]
}
},
"/ers/config/ancpolicy": {
"post": {
"responses": {
"default": {
"description": "default",
"schema": {}
}
},
"summary": "Create an ANC Policy",
"operationId": "CreateANCPolicy",
"parameters": [
{
"name": "Content-Type",
"in": "header",
"required": true,
"type": "string",
"default": "application/json",
"x-ms-visibility": "internal"
},
{
"name": "Accept",
"in": "header",
"required": true,
"type": "string",
"default": "application/json",
"x-ms-visibility": "internal"
},
{
"name": "body",
"in": "body",
"required": true,
"schema": {
"type": "object",
"properties": {
"ErsAncPolicy": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "name",
"title": ""
},
"actions": {
"type": "array",
"items": {
"type": "string",
"title": "",
"enum": [
"QUARANTINE",
"PORTBOUNCE",
"SHUTDOWN"
]
},
"description": "actions"
}
},
"description": "ErsAncPolicy",
"required": [
"actions",
"name"
]
}
},
"required": [
"ErsAncPolicy"
]
}
}
]
}
},
"/ers/config/endpoint/{id}": {
"put": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "object",
"properties": {
"UpdatedFieldsList": {
"type": "object",
"properties": {
"updatedField": {
"type": "array",
"items": {
"type": "object",
"properties": {
"field": {
"type": "string",
"description": "field"
},
"oldValue": {
"type": "string",
"description": "oldValue"
},
"newValue": {
"type": "string",
"description": "newValue"
}
}
},
"description": "updatedField"
}
},
"description": "UpdatedFieldsList"
}
}
}
}
},
"summary": "Update the group of an endpoint",
"operationId": "UpdateEndpointGroup",
"parameters": [
{
"name": "id",
"in": "path",
"required": true,
"type": "string"
},
{
"name": "Content-Type",
"in": "header",
"required": true,
"type": "string",
"default": "application/json",
"x-ms-visibility": "internal"
},
{
"name": "Accept",
"in": "header",
"required": true,
"type": "string",
"default": "application/json",
"x-ms-visibility": "internal"
},
{
"name": "body",
"in": "body",
"required": true,
"schema": {
"type": "object",
"properties": {
"ERSEndPoint": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "id",
"title": ""
},
"name": {
"type": "string",
"description": "name"
},
"description": {
"type": "string",
"description": "description",
"title": ""
},
"mac": {
"type": "string",
"description": "mac",
"title": ""
},
"profileId": {
"type": "string",
"description": "profileId"
},
"staticProfileAssignment": {
"type": "boolean",
"description": "staticProfileAssignment",
"title": "",
"enum": [
"",
true,
false
]
},
"groupId": {
"type": "string",
"description": "groupId",
"title": ""
},
"staticGroupAssignment": {
"type": "boolean",
"description": "staticGroupAssignment",
"title": "",
"enum": [
"",
true,
false
]
},
"portalUser": {
"type": "string",
"description": "portalUser"
},
"identityStore": {
"type": "string",
"description": "identityStore"
},
"identityStoreId": {
"type": "string",
"description": "identityStoreId"
},
"customAttributes": {
"type": "object",
"properties": {
"customAttributes": {
"type": "object",
"properties": {
"key1": {
"type": "string",
"description": "key1"
},
"key2": {
"type": "string",
"description": "key2"
}
},
"description": "customAttributes"
}
},
"description": "customAttributes"
},
"mdmAttributes": {
"type": "object",
"properties": {
"mdmServerName": {
"type": "string",
"description": "mdmServerName"
},
"mdmReachable": {
"type": "boolean",
"description": "mdmReachable"
},
"mdmEnrolled": {
"type": "boolean",
"description": "mdmEnrolled"
},
"mdmComplianceStatus": {
"type": "boolean",
"description": "mdmComplianceStatus",
"title": "",
"enum": [
"",
true,
false
]
},
"mdmOS": {
"type": "string",
"description": "mdmOS"
},
"mdmManufacturer": {
"type": "string",
"description": "mdmManufacturer"
},
"mdmModel": {
"type": "string",
"description": "mdmModel"
},
"mdmSerial": {
"type": "string",
"description": "mdmSerial"
},
"mdmEncrypted": {
"type": "boolean",
"description": "mdmEncrypted",
"title": "",
"enum": [
"",
true,
false
]
},
"mdmPinlock": {
"type": "boolean",
"description": "mdmPinlock"
},
"mdmJailBroken": {
"type": "boolean",
"description": "mdmJailBroken"
},
"mdmIMEI": {
"type": "string",
"description": "mdmIMEI"
},
"mdmPhoneNumber": {
"type": "string",
"description": "mdmPhoneNumber"
}
},
"description": "mdmAttributes"
}
},
"description": "ERSEndPoint",
"required": [
"description",
"groupId",
"id",
"mac",
"staticGroupAssignment",
"staticProfileAssignment"
]
}
},
"required": [
"ERSEndPoint"
]
}
}
]
}
},
"/ers/config/endpoint/getrejectedendpoints": {
"get": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "object",
"properties": {
"OperationResult": {
"type": "object",
"properties": {
"resultValue": {
"type": "array",
"items": {
"type": "object",
"properties": {
"value": {
"type": "string",
"description": "value"
},
"name": {
"type": "string",
"description": "name"
}
}
},
"description": "resultValue"
}
},
"description": "OperationResult"
}
}
}
}
},
"summary": "Get rejected endpoints",
"operationId": "GetRejectedEndpoints",
"parameters": [
{
"name": "Content-Type",
"in": "header",
"required": true,
"type": "string",
"default": "application/json",
"x-ms-visibility": "internal"
},
{
"name": "Accept",
"in": "header",
"required": true,
"type": "string",
"default": "application/json",
"x-ms-visibility": "internal"
}
]
}
},
"/ers/config/endpoint/{endpointMAC}/releaserejectedendpoint": {
"put": {
"responses": {
"default": {
"description": "default",
"schema": {}
}
},
"summary": "Release rejected endpoint",
"operationId": "ReleaseRejectedEndpoint",
"parameters": [
{
"name": "endpointMAC",
"in": "path",
"required": true,
"type": "string"
},
{
"name": "Content-Type",
"in": "header",
"required": true,
"type": "string",
"default": "application/json",
"x-ms-visibility": "internal"
},
{
"name": "Accept",
"in": "header",
"required": true,
"type": "string",
"default": "application/json",
"x-ms-visibility": "internal"
}
]
}
}
},
"definitions": {},
"parameters": {},
"responses": {},
"securityDefinitions": {
"basic_auth": {
"type": "basic"
}
},
"security": [
{
"basic_auth": []
}
],
"tags": []
}
}
}
]
}
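Review bot: In the `UpdateEndpointGroup` body schema, `ERSEndPoint.id` sits in the `required` list even though the same identifier is already taken from the `{id}` path parameter, so the designer makes callers enter it twice and nothing checks that the two values agree; either drop `id` from the body's `required` list or state in the README that both must match. The `enum` arrays on the boolean properties (`staticProfileAssignment`, `staticGroupAssignment`, `mdmComplianceStatus`, `mdmEncrypted`) also list the empty string beside `true` and `false`, which is not a boolean value; if that is meant to let the designer leave the field unset, say so in the template or README so the next maintainer does not remove it as a typo.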

@ -0,0 +1,31 @@
# Cisco ISE API Logic Apps Custom connector
This custom connector connects to Cisco ISE External RESTful Services (ERS) API.
### Authentication methods this connector supports
* Basic authentication
### Prerequisites in Cisco ISE
To get Cisco ISE ERS API credentials [follow the instructions](https://developer.cisco.com/docs/identity-services-engine/#!setting-up).
Cisco ISE connector uses [On-Premises Data Gateway](https://docs.microsoft.com/data-integration/gateway/service-gateway-onprem). Therefore [installation of the On-Premises Data Gateway](https://docs.microsoft.com/azure/logic-apps/logic-apps-gateway-install) and [creation of the On-Premises Data Gateway resource](https://docs.microsoft.com/azure/logic-apps/logic-apps-gateway-connection#create-azure-gateway-resource) are required.
## Actions supported by Cisco Umbrella Management API custom connector
* Suspend guest user by name
* Assign an ANC policy to an endpoint
* Un-apply an ANC policy to an endpoint
* Get an ANC Endpoint
* Get all ANC Endpoints
* Create an ANC Policy
* Update the group of an endpoint
* Get rejected endpoints
* Release rejected endpoint
### Deployment instructions
1. Deploy the Custom Connector by clicking on "Deploy to Azure" button. This will take you to deplyoing an ARM Template wizard.
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FCisco%2520ISE%2FPlaybooks%2FCiscoISEConnector%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FCisco%2520ISE%2FPlaybooks%2FCiscoISEConnector%2Fazuredeploy.json)
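Review bot: The heading `## Actions supported by Cisco Umbrella Management API custom connector` names the wrong product; this README documents the Cisco ISE connector, so it should read `## Actions supported by Cisco ISE custom connector`. In the deployment step, `deplyoing` should be `deploying`.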

@ -1 +1,100 @@
# Cisco ISE Logic Apps connector and playbook templates
<img src="./cisco-logo.png" alt="drawing" width="20%"/><br>
## Table of Contents
1. [Overview](#overview)
1. [Custom Connector + 3 Playbook templates deployment](#deployall)
1. [Authentication](#importantnotes)
1. [Prerequisites](#prerequisites)
1. [Deployment](#deployment)
1. [Post-Deployment Steps](#postdeployment)
1. [References](#references)
1. [Known issues and limitations](#limitations)
<a name="overview">
# Overview
Cisco Identity Services Engine (ISE) is a security policy management platform that provides secure access to network resources.
<a name="deployall">
## Custom Connectors + 3 Playbook templates deployment
This package includes:
* [Logic Apps custom connector for Cisco ISE ERS API](./CiscoISEConnector)
* These three playbook templates leverage Cisco ISE custom connector:
* [Response – release rejected endpoints](./Playbooks/CiscoISE-FalsePositivesClearPolicies) - releases rejected endpoints that are in safe list.
* [Response - suspend guest user](./Playbooks/CiscoISE-SuspendGuestUser) - suspends guest user.
* [Response - assign policy to an endpoint](./Playbooks/CiscoISE-TakeEndpointActionFromTeams) - posts adaptive card to Teams channel and assigns policy to an endpoint after approving in Teams.
You can choose to deploy the whole package: connectors + all three playbook templates, or each one seperately from its specific folder.
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FCisco%2520ISE%2FPlaybooks%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FCisco%2520ISE%2FPlaybooks%2Fazuredeploy.json)
# Cisco ISE connector documentation
<a name="authentication">
## Authentication
This connector supports Basic authentication. When creating the connection for the custom connector, you will be asked to provide user and password which you generated in Cisco ISE admin UI.
<a name="prerequisites">
### Prerequisites in Cisco ISE
To get Cisco ISE ERS API credentials [follow the instructions](https://developer.cisco.com/docs/identity-services-engine/#!setting-up).
Cisco ISE connector uses [On-Premises Data Gateway](https://docs.microsoft.com/data-integration/gateway/service-gateway-onprem). Therefore [installation of the On-Premises Data Gateway](https://docs.microsoft.com/azure/logic-apps/logic-apps-gateway-install) and [creation of the On-Premises Data Gateway resource](https://docs.microsoft.com/azure/logic-apps/logic-apps-gateway-connection#create-azure-gateway-resource) are required.
<a name="deployment">
### Deployment instructions
1. To deploy Custom Connectors and Playbooks, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
2. Fill in the required parameters for deploying Custom Connectors and Playbooks
| Parameters | Description |
|----------------|--------------|
|**For Connector**|
|**API Hostname** | Hostname of the Cisco ISE instance.|
|**API Port** | Port number of Cisco ISE ERS API. By default 9060.|
|**For Playbooks**|
|**CiscoISE-FalsePositivesClearPolicies Playbook Name** | Enter the playbook name here (e.g. CiscoISE-FalsePositivesClearPolicies)|
|**CiscoISE-SuspendGuestUser Playbook Name** | Enter the playbook name here (e.g. CiscoISE-SuspendGuestUser)|
|**CiscoISE-TakeEndpointActionFromTeams Playbook Name** | Enter the playbook name here (e.g. CiscoISE-TakeEndpointActionFromTeams)|
|**WatchlistName** | Value of WatchlistName parameter in CiscoISE-FalsePositivesClearPolicies playbook. Name of the Watchlist that contains safe MAC addresses list|
|**WatchlistFieldName** | Value of WatchlistFieldName parameter in CiscoISE-FalsePositivesClearPolicies playbook. Watchlist field name that contains MAC address|
|**TeamsGroupId** | Value of TeamsGroupId parameter in CiscoISE-TakeEndpointActionFromTeams playbook. Id of the Teams Group where the adaptive card will be posted.|
|**TeamsChannelId** | Value of TeamsChannelId parameter in CiscoISE-TakeEndpointActionFromTeams playbook. Id of the Teams Channel where the adaptive card will be posted.|
|**PolicyName** | Value of PolicyName parameter in CiscoISE-TakeEndpointActionFromTeams playbook. Policy name to be assigned to an identity.|
<br>
<a name="postdeployment">
### Post-Deployment instructions
#### a. Authorize connections
Once deployment is complete, authorize each connection.
1. Click the Azure Sentinel connection resource
2. Click edit API connection
3. Click Authorize
4. Sign in
5. Click Save
6. Repeat steps for other connections
#### b. Configurations in Sentinel
Each Playbook requires a different type of configuration. Check documentation for each Playbook.
<a name="limitations">
## Known Issues and Limitations
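Review bot: The table of contents entry `[Authentication](#importantnotes)` points at an anchor that does not exist; the anchor placed before that section is `<a name="authentication">`, so the link should be `#authentication` (or the anchor renamed). The `<a name="...">` anchors are also never closed, `seperately` should be `separately`, and the `## Known Issues and Limitations` section is empty; either fill it in or drop the heading together with its table of contents entry.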

@ -0,0 +1,170 @@
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"API Hostname": {
"type": "String",
"defaultValue": "testhost.com",
"metadata": {
"description": "Hostname of the Cisco ISE instance."
}
},
"API Port": {
"type": "String",
"defaultValue": "9060",
"metadata": {
"description": "Port number of Cisco ISE ERS API. By default 9060."
}
},
"CiscoISE-FalsePositivesClearPolicies_Playbook_Name": {
"defaultValue": "CiscoISE-FalsePositivesClearPolicies",
"type": "string",
"metadata": {
"description": "Name of the Playbook"
}
},
"CiscoISE-SuspendGuestUser_Playbook_Name": {
"defaultValue": "CiscoISE-SuspendGuestUser",
"type": "string",
"metadata": {
"description": "Name of the Playbook"
}
},
"CiscoISE-TakeEndpointActionFromTeams_Playbook_Name": {
"defaultValue": "CiscoISE-TakeEndpointActionFromTeams",
"type": "string",
"metadata": {
"description": "Name of the Playbook"
}
},
"WatchlistName": {
"defaultValue": "",
"type": "String",
"metadata": {
"description": "Value of WatchlistName parameter in CiscoISE-FalsePositivesClearPolicies playbook. Name of the Watchlist that contains safe MAC addresses list"
}
},
"WatchlistFieldName": {
"defaultValue": "",
"type": "String",
"metadata": {
"description": "Value of WatchlistFieldName parameter in CiscoISE-FalsePositivesClearPolicies playbook. Watchlist field name that contains MAC address"
}
},
"TeamsGroupId": {
"defaultValue": "",
"type": "string",
"metadata": {
"description": "Value of TeamsGroupId parameter in CiscoISE-TakeEndpointActionFromTeams playbook. Id of the Teams Group where the adaptive card will be posted."
}
},
"TeamsChannelId": {
"defaultValue": "",
"type": "string",
"metadata": {
"description": "Value of TeamsChannelId parameter in CiscoISE-TakeEndpointActionFromTeams playbook. Id of the Teams Channel where the adaptive card will be posted."
}
},
"PolicyName": {
"defaultValue": "",
"type": "string",
"metadata": {
"description": "Value of PolicyName parameter in CiscoISE-TakeEndpointActionFromTeams playbook. Policy name to be assigned to an identity."
}
}
},
"variables": {},
"resources": [
{
"name": "CiscoISEConnector_LinkedTemplate",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2018-05-01",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Cisco%20ISE/Playbooks/CiscoISEConnector/azuredeploy.json"
},
"parameters": {
"API Hostname": {
"Value": "[parameters('API Hostname')]"
},
"API Port": {
"Value": "[parameters('API Port')]"
}
}
}
},
{
"name": "CiscoISE-FalsePositivesClearPolicies_LinkedTemplate",
"dependsOn": [
"[resourceId('Microsoft.Resources/deployments', 'CiscoISEConnector_LinkedTemplate')]"
],
"type": "Microsoft.Resources/deployments",
"apiVersion": "2018-05-01",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Cisco%20ISE/Playbooks/CiscoISE-FalsePositivesClearPolicies/azuredeploy.json"
},
"parameters": {
"PlaybookName": {
"Value": "[parameters('CiscoISE-FalsePositivesClearPolicies_Playbook_Name')]"
},
"WatchlistName": {
"Value": "[parameters('WatchlistName')]"
},
"WatchlistFieldName": {
"Value": "[parameters('WatchlistFieldName')]"
}
}
}
},
{
"name": "CiscoISE-SuspendGuestUser_LinkedTemplate",
"dependsOn": [
"[resourceId('Microsoft.Resources/deployments', 'CiscoISEConnector_LinkedTemplate')]"
],
"type": "Microsoft.Resources/deployments",
"apiVersion": "2018-05-01",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Cisco%20ISE/Playbooks/CiscoISE-SuspendGuestUser/azuredeploy.json"
},
"parameters": {
"PlaybookName": {
"Value": "[parameters('CiscoISE-SuspendGuestUser_Playbook_Name')]"
}
}
}
},
{
"name": "CiscoISE-TakeEndpointActionFromTeams_LinkedTemplate",
"dependsOn": [
"[resourceId('Microsoft.Resources/deployments', 'CiscoISEConnector_LinkedTemplate')]"
],
"type": "Microsoft.Resources/deployments",
"apiVersion": "2018-05-01",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Cisco%20ISE/Playbooks/CiscoISE-TakeEndpointActionFromTeams/azuredeploy.json"
},
"parameters": {
"PlaybookName": {
"Value": "[parameters('CiscoISE-TakeEndpointActionFromTeams_Playbook_Name')]"
},
"TeamsGroupId": {
"Value": "[parameters('TeamsGroupId')]"
},
"TeamsChannelId": {
"Value": "[parameters('TeamsChannelId')]"
},
"PolicyName": {
"Value": "[parameters('PolicyName')]"
}
}
}
}
]
}
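Review bot: `API Hostname` defaults to `testhost.com`, a real public domain name, so a deployment that leaves the parameter untouched silently points the connector (and the Basic credentials later entered for it) at a host the deployer does not control; set `defaultValue` to an empty string, as the other parameters do, so the wizard forces a value.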

Binary file added: Solutions/Cisco ISE/Playbooks/cisco-logo.png (1.1 KiB)

@ -0,0 +1,118 @@
{
"id": "Forescout",
"title": "Forescout",
"publisher": "Forescout",
"descriptionMarkdown": "The [Forescout](https://www.forescout.com/) data connector provides the capability to ingest [Forescout events](https://docs.forescout.com/bundle/syslog-3-6-1-h/page/syslog-3-6-1-h.How-to-Work-with-the-Syslog-Plugin.html) into Azure Sentinel. Refer to [Forescout documentation](https://docs.forescout.com/bundle/syslog-msg-3-6-tn/page/syslog-msg-3-6-tn.About-Syslog-Messages-in-Forescout.html) for more information.",
"additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**ForescoutEvent**](https://aka.ms/sentinel-forescout-parser) which is deployed with the Azure Sentinel Solution.",
"graphQueries": [{
"metricName": "Total data received",
"legend": "Forescout",
"baseQuery": "ForescoutEvent"
}],
"sampleQueries": [{
"description": "Top 10 Sources",
"query": "ForescoutEvent\n | summarize count() by tostring(SrcIpAddr)\n | top 10 by count_"
}],
"dataTypes": [{
"name": "Syslog(ForescoutEvent)",
"lastDataReceivedQuery": "ForescoutEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}],
"connectivityCriterias": [{
"type": "IsConnectedQuery",
"value": [
"ForescoutEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}],
"availability": {
"status": 1,
"isPreview": true
},
"permissions": {
"resourceProvider": [{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"delete": true
}
}
]
},
"instructionSteps": [{
"title": "",
"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**ForescoutEvent**](https://aka.ms/sentinel-forescout-parser) which is deployed with the Azure Sentinel Solution.",
"instructions": []
},
{
"title": "",
"description": ">**NOTE:** This data connector has been developed using Forescout Syslog Plugin version: v3.6",
"instructions": []
},
{
"title": "1. Install and onboard the agent for Linux or Windows",
"description": "Install the agent on the Server where the Forescout logs are forwarded.\n\n> Logs from Forescout Server deployed on Linux or Windows servers are collected by **Linux** or **Windows** agents.",
"instructions": [{
"parameters": {
"title": "Choose where to install the Linux agent:",
"instructionSteps": [{
"title": "Install agent on Azure Linux Virtual Machine",
"description": "Select the machine to install the agent on and then click **Connect**.",
"instructions": [{
"parameters": {
"linkType": "InstallAgentOnLinuxVirtualMachine"
},
"type": "InstallAgent"
}]
},
{
"title": "Install agent on a non-Azure Linux Machine",
"description": "Download the agent on the relevant machine and follow the instructions.",
"instructions": [{
"parameters": {
"linkType": "InstallAgentOnLinuxNonAzure"
},
"type": "InstallAgent"
}]
}
]
},
"type": "InstructionStepsGroup"
}]
},
{
"instructions": [{
"parameters": {
"title": "Choose where to install the Windows agent:",
"instructionSteps": [{
"title": "Install agent on Azure Windows Virtual Machine",
"description": "Select the machine to install the agent on and then click **Connect**.",
"instructions": [{
"parameters": {
"linkType": "InstallAgentOnVirtualMachine"
},
"type": "InstallAgent"
}]
},
{
"title": "Install agent on a non-Azure Windows Machine",
"description": "Download the agent on the relevant machine and follow the instructions.",
"instructions": [{
"parameters": {
"linkType": "InstallAgentOnNonAzure"
},
"type": "InstallAgent"
}]
}
]
},
"type": "InstructionStepsGroup"
}]
},
{
"title": "2. Configure Forescout event forwarding",
"description": "Follow the configuration steps below to get Forescout logs into Azure Sentinel.\n1. [Select an Appliance to Configure.](https://docs.forescout.com/bundle/syslog-3-6-1-h/page/syslog-3-6-1-h.Select-an-Appliance-to-Configure.html)\n2. [Follow these instructions](https://docs.forescout.com/bundle/syslog-3-6-1-h/page/syslog-3-6-1-h.Send-Events-To-Tab.html#pID0E0CE0HA) to forward alerts from the Forescout platform to a syslog server.\n3. [Configure](https://docs.forescout.com/bundle/syslog-3-6-1-h/page/syslog-3-6-1-h.Syslog-Triggers.html) the settings in the Syslog Triggers tab."
}
]
}
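Review bot: The instruction steps install the agent and configure forwarding on the Forescout side, but no step tells the user to enable Syslog collection for the facility Forescout sends to in the workspace's agent configuration, which the `Syslog` table the `ForescoutEvent` parser reads from depends on; add the `Configure the logs to be collected` step that the other syslog-based connectors carry. Also `permissionsDisplayText` says `read and write permissions are required` while `requiredPermissions` sets `delete: true`; the text and the flags should agree.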

@ -0,0 +1,19 @@
// This parser has been developed using Forescout Syslog Plugin version: v3.6
// Usage instructions:
// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name as ForescoutEvent and specify Legacy Category.
// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. ForescoutEvent | take 10).
// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
Syslog
| where ProcessName == ```ACTIONidentity```
| extend EventVendor = 'Forescout'
| extend EventProduct = 'Forescout'
| extend EventName = extract(@'([^\.:]+).*', 1, SyslogMessage)
| extend SrcIpAddr = extract(@'.*?(Source|Host):\s+?(\d+.\d+.\d+.\d+).*', 2, SyslogMessage)
| extend DstIpAddr = extract(@'.*?(Destination|Target):\s+?(\d+.\d+.\d+.\d+).*', 2, SyslogMessage)
| extend SrcUserUpn = extract(@'.*?mail_from=([^,]+).*', 1, SyslogMessage)
| extend DstUserUpn = extract(@'.*?mail_to=([^,]+).*', 1, SyslogMessage)
| extend EmailSubject = extract(@'.*?mail_subject=([^,]+).*', 1, SyslogMessage)
| extend EventResultDetails = extract(@'.*?Reason:\s+?([^,]+).*', 1, SyslogMessage)
| extend EventSchemaVersion = '0.1'
| extend EventCount = 1
| project-away SyslogMessage
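Review bot: The IPv4 patterns in the `SrcIpAddr` and `DstIpAddr` extracts use unescaped dots (`\d+.\d+.\d+.\d+`), so `.` matches any character and the capture can run into neighbouring text instead of stopping at the address; escape them as `\d+\.\d+\.\d+\.\d+`. The closing `project-away SyslogMessage` also discards the raw message, which leaves an analyst nothing to fall back on when one of these regexes fails to match a message variant; consider keeping it.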

@ -0,0 +1,46 @@
id: 1a7dbcf6-21a2-4255-84b2-c8dbbdca4630
name: Illusive Incidents Analytic Rule
description: |
'Create a Sentinel incident upon a new Illusive alert (incident) and associate all related Illusive events to the relevant Sentinel alert. This is done by filtering and processing Illusive Syslog messages.'
severity: Medium
requiredDataConnectors:
- connectorId: Illusive
dataTypes:
- CommonSecurityLog
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: gt
triggerThreshold: 0
query: |
CommonSecurityLog
| where DeviceProduct == "illusive"
| summarize arg_max(TimeGenerated, *) by DeviceCustomNumber2, AdditionalExtensions, TimeGenerated
| extend Category = extract(@'cat=([^;]+)(\;|$)', 1, AdditionalExtensions), HasForensics = extract(@'cs7=([^;]+)(\;|$)', 1, AdditionalExtensions)
| where Category == "illusive:alerts"
| extend IncidentId = DeviceCustomNumber2, IncidentURL = DeviceCustomString5
| project TimeGenerated, SourceIP, SourceHostName,Computer , DeviceEventClassID ,HasForensics ,SourceUserName, Activity, DeviceAddress, DestinationHostName, DestinationUserName, IncidentId, IncidentURL
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SourceIP
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: SourceHostName
- entityType: Host
fieldMappings:
- identifier: OMSAgentID
columnName: Computer
customDetails:
IllusiveIncidentId: IncidentId
HasForensics: HasForensics
Account: SourceUserName
eventGroupingSettings:
aggregationKind: AlertPerResult
alertDetailsOverride:
alertDisplayNameFormat: |
Illusive Incident: {{IncidentId}}
alertDescriptionFormat: |
Illusive Incident {{IncidentId}} generated at {{TimeGenerated}}
version: 1.0.0
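Review bot: The `summarize arg_max(TimeGenerated, *) by DeviceCustomNumber2, AdditionalExtensions, TimeGenerated` line includes `TimeGenerated` in the `by` clause, so every row forms its own group and `arg_max` never collapses repeated messages for the same Illusive incident; with `aggregationKind: AlertPerResult` that means one Sentinel alert per duplicate row. Drop `TimeGenerated` from the grouping (`by DeviceCustomNumber2, AdditionalExtensions`) if the intent is one alert per incident id.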

Binary file added: Solutions/Illusive Active Defense/Images/API_Permission.png (204 KiB)
Binary file added: Solutions/Illusive Active Defense/Images/App_registration.png (64 KiB)

@ -0,0 +1,57 @@
<?xml version="1.0" encoding="utf-8"?>
<!-- Generator: Adobe Illustrator 25.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->
<svg version="1.1" id="02c3c89c-8d38-42d9-a7f2-1ef4384f7c8d" xmlns="http://www.w3.org/2000/svg" x="0px" y="0px"
viewBox="0 0 230 230" xml:space="preserve">
<g>
<g>
<path fill="#0000BA" class="st0" d="M17.74,125.18L24,114.47h-3.59l3.7-6.38h12.4l-9.61,16.43c-0.3,0.52-0.66,1.17-0.87,1.69
c-0.45,1.17-0.16,1.83,1.27,1.83c0.4,0,0.98-0.05,0.98-0.05l-3.7,6.38c0,0-1.29,0.16-2.72,0.16c-4.03,0-8.09-0.35-5.86-6.07
C16.4,127.52,16.99,126.44,17.74,125.18z M33.75,97.87h8.63l-4.01,6.89h-8.63L33.75,97.87z"/>
<path fill="#0000BA" class="st0" d="M34.87,124.66l11.91-20.42h-3.56l3.7-6.38h12.4L44.2,123.89c-0.42,0.7-0.84,1.52-1.03,1.99
c-0.47,1.22-0.09,1.69,1.34,1.69c0.56,0,1.1-0.05,1.1-0.05l-4.08,6.94c0,0-1.29,0.16-2.72,0.16c-4.03,0-7.85-0.82-5.58-6.63
C33.61,127.01,34.12,125.93,34.87,124.66z"/>
<path fill="#0000BA" class="st0" d="M51.87,124.66l11.91-20.42h-3.56l3.7-6.38h12.4l-15.12,26.02c-0.42,0.7-0.84,1.52-1.03,1.99
c-0.47,1.22-0.09,1.69,1.34,1.69c0.56,0,1.1-0.05,1.1-0.05l-4.08,6.94c0,0-1.29,0.16-2.72,0.16c-4.03,0-7.85-0.82-5.58-6.63
C50.6,127.01,51.12,125.93,51.87,124.66z"/>
<path fill="#0000BA" class="st0" d="M70.03,124.76l6-10.31h-3.56l3.75-6.38h12.4l-9,15.4c-0.33,0.56-0.63,1.13-0.77,1.48
c-0.61,1.57-0.05,2.25,1.43,2.25c3.63,0,7.9-4.03,9.92-7.5l3.07-5.25H89.7l3.75-6.38h12.4l-9.61,16.43
c-0.3,0.52-0.66,1.17-0.87,1.69c-0.45,1.17-0.16,1.83,1.27,1.83c0.4,0,0.98-0.05,0.98-0.05l-3.7,6.38c0,0-1.29,0.16-3.47,0.16
c-2.81,0-6.49-0.09-5.2-4.85h-0.12c-3.33,3.07-7.31,5.3-11.56,5.3c-4.24,0-6.94-2.25-4.97-7.29
C68.91,126.87,69.45,125.79,70.03,124.76z"/>
<path fill="#0000BA" class="st0" d="M102.38,125.06h7.41l-0.56,0.91c-1.17,1.95,1.45,2.3,3.14,2.3c2.6,0,3.7-0.87,4.03-1.73
c1.29-3.31-11.13-1.95-7.88-10.31c2.44-6.28,9.84-8.77,16.13-8.77c4.55,0,9.54,1.69,6.87,6.33l-1.71,2.95h-7.41l0.54-1.03
c0.75-1.43-0.87-1.57-1.95-1.57c-2.13,0-3.33,0.56-3.73,1.57c-1.41,3.63,11.34,1.64,8.13,9.89c-2.27,5.86-9.31,9.33-16.81,9.33
c-4.5,0-11.04-1.69-7.81-7.24L102.38,125.06z"/>
<path fill="#0000BA" class="st0" d="M132.12,125.18l6.26-10.71h-3.56l3.7-6.38h12.4l-9.61,16.43c-0.3,0.52-0.66,1.17-0.87,1.69
c-0.45,1.17-0.16,1.83,1.27,1.83c0.4,0,0.98-0.05,0.98-0.05l-3.7,6.38c0,0-1.29,0.16-2.72,0.16c-4.03,0-8.09-0.35-5.86-6.07
C130.81,127.52,131.37,126.44,132.12,125.18z"/>
<path fill="#0000BA" class="st0" d="M155.07,114.47h-2.95l3.75-6.38h13.74l-3.75,6.38h-2.34l-2.51,9.49c-0.35,1.57-1.29,3.47-1.29,3.47h0.21
c0,0,1.24-1.9,2.72-3.47l8.53-9.49h-2.34l3.75-6.38h14.23l-3.75,6.38h-2.95l-18.92,19.9h-10.43L155.07,114.47z"/>
<path fill="#0000BA" class="st0" d="M201.32,107.46c7.45,0,9.59,4.24,7.22,10.31c-0.94,2.39-2.93,5.06-2.93,5.06h-16.53c0,0-0.14,0.26-0.26,0.52
c-1.03,2.65,0.35,4.34,3.47,4.34c3.82,0,8.84-2.65,8.84-2.65l-0.3,6.54c0,0-5.98,3.42-11.95,3.42c-8.98,0-11.34-5.3-8.95-11.49
C183.48,114.35,192.65,107.46,201.32,107.46z M199.8,117.98c0,0,0.38-0.7,0.49-1.03c0.63-1.64,0.09-2.86-1.69-2.86
c-2.55,0-4.92,1.78-6.56,3.87h7.76V117.98z"/>
</g>
<g>
<g>
<g>
<g>
<g>
<g>
<path fill="#0000BA" id="Path_532_3_" class="st0" d="M151.46,96.89h5.44l-3.21,5.27h-5.44L151.46,96.89z"/>
<path fill="#0000BA" id="Path_533_3_" class="st1" d="M158.59,96.89h5.44l-3.21,5.27h-5.44L158.59,96.89z"/>
<path fill="#0000BA" id="Path_534_3_" class="st2" d="M165.74,96.89h5.44l-3.21,5.27h-5.44L165.74,96.89z"/>
<path fill="#0000BA" id="Path_535_3_" class="st3" d="M172.86,96.89h5.44l-3.21,5.27h-5.44L172.86,96.89z"/>
<path fill="#0000BA" id="Path_536_3_" class="st4" d="M180.01,96.89h5.44l-3.21,5.27h-5.44L180.01,96.89z"/>
<path fill="#0000BA" id="Path_537_3_" class="st5" d="M187.16,96.89h5.44l-3.21,5.27h-5.44L187.16,96.89z"/>
<path fill="#0000BA" id="Path_538_3_" class="st6" d="M194.29,96.89h5.44l-3.21,5.27h-5.44L194.29,96.89z"/>
<path fill="#0000BA" id="Path_539_3_" class="st7" d="M201.44,96.89h5.44l-3.21,5.27h-5.44L201.44,96.89z"/>
<path fill="#0000BA" id="Path_540_3_" class="st8" d="M208.56,96.89H214l-3.21,5.27h-5.41L208.56,96.89z"/>
</g>
</g>
</g>
</g>
</g>
</g>
</g>
</svg>

Binary file added: Solutions/Illusive Active Defense/Images/IncidentResponse1.png (46 KiB)
Binary file added: Solutions/Illusive Active Defense/Images/IncidentResponse2.png (44 KiB)
Binary file added: Solutions/Illusive Active Defense/Images/SecretGenerated.png (115 KiB)
Binary file added: Solutions/Illusive Active Defense/Images/Workspace.png (19 KiB)
Binary file added: Solutions/Illusive Active Defense/Images/api-connection-setup.png (39 KiB)
Binary file added: Solutions/Illusive Active Defense/Images/app_name.png (44 KiB)
Binary file added: Solutions/Illusive Active Defense/Images/app_registration.png (64 KiB)
Binary file added: Solutions/Illusive Active Defense/Images/illusive-api-key-card.png (60 KiB)
Binary file added: Solutions/Illusive Active Defense/Images/logo.jpg (161 KiB)
Binary file added: Solutions/Illusive Active Defense/Package/1.0.0.zip

@ -0,0 +1,97 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://github.com/IllusiveNetworks-Labs/Azure-Sentinel/blob/Illusive/Solutions/Illusive%20Active%20Defense/Images/Illusive.svg\" width=\"75px\" height=\"75px\">\n\n**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThis Solution helps to isolate Process or Host based on the Illusive incidents raised and Also enriches the Sentinel Incidents with Illusive Information\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Parsers:** 2, **Analytic Rules:** 1\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "analytics",
"label": "Analytics",
"subLabel": {
"preValidation": "Configure the analytics",
"postValidation": "Done"
},
"bladeTitle": "Analytics",
"elements": [
{
"name": "analytics-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs analytic rules for Illusive Active Defense that you can enable for custom alert generation in Azure Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Azure Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
}
}
},
{
"name": "analytic1",
"type": "Microsoft.Common.Section",
"label": "Illusive Incidents Analytic Rule",
"elements": [
{
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Create a Sentinel incident upon a new Illusive alert (incident) and associate all related Illusive events to the relevant Sentinel alert. This is done by filtering and processing Illusive Syslog messages."
}
}
]
}
]
}
],
"outputs": {
"workspace-location": "[resourceGroup().location]",
"location": "[location()]",
"workspace": "[basics('workspace')]"
}
}
}
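Review bot: the solution icon in "description" (the `<img src=...>` at the top of the basics block) is loaded from the contributor's fork, github.com/IllusiveNetworks-Labs/Azure-Sentinel on branch Illusive, through a /blob/ URL; a /blob/ URL returns an HTML page rather than the SVG, so the icon will not render, and once this is merged the asset should be referenced from Azure/Azure-Sentinel master via a raw-content URL so it does not vanish if the fork branch is deleted. Two smaller points: "resourceProviders" registers Microsoft.Insights/workbooks and Microsoft.Logic/workflows although the description counts only 2 parsers and 1 analytic rule and the only wizard step is "analytics", so either drop the unused providers or document the playbook and workbook content that the "helps to isolate Process or Host" sentence implies; and the description text "raised and Also enriches" and the tooltip "list only workspace that exists" need grammar fixes ("and also enriches", "lists only workspaces that exist").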

Diff not shown because of its large size.

Binary file not shown (image, 46 KiB).

Binary file not shown (image, 46 KiB).

Binary file not shown (image, 35 KiB).

Binary file not shown (image, 36 KiB).

Binary file not shown (image, 25 KiB).

Binary file not shown (image, 28 KiB).

Binary file not shown (image, 66 KiB).

Binary file not shown (image, 67 KiB).

Binary file not shown (image, 65 KiB).

Binary file not shown (image, 65 KiB).

Binary file not shown (image, 50 KiB).

Binary file not shown (image, 37 KiB).

Binary file not shown (image, 39 KiB).

Binary file not shown (image, 39 KiB).

Some files were not shown because too many files changed in this diff.