Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
Azure-Sentinel/Solutions/Eset Security Management Ce.../Package/mainTemplate.json

902 строки
50 KiB
JSON
Исходник Ответственный История

{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"author": "Eset",
"comments": "Solution template for Eset Security Management Center"
},
"parameters": {
"location": {
"type": "string",
"minLength": 1,
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
}
},
"workspace-location": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
}
},
"workspace": {
"defaultValue": "",
"type": "string",
"metadata": {
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
}
},
"workbook1-name": {
"type": "string",
"defaultValue": "Eset Security Management Center Overview",
"minLength": 1,
"metadata": {
"description": "Name for the workbook"
}
}
},
"variables": {
"solutionId": "esetresearch1579795941720.Eset_Security_Management_Center_MSS",
"_solutionId": "[variables('solutionId')]",
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"uiConfigId1": "EsetSMC",
"_uiConfigId1": "[variables('uiConfigId1')]",
"dataConnectorContentId1": "EsetSMC",
"_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
"dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"_dataConnectorId1": "[variables('dataConnectorId1')]",
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-DataConnector-',variables('_dataConnectorContentId1'))]",
"dataConnectorVersion1": "1.0.0",
"workbookVersion1": "1.0.0",
"workbookContentId1": "EsetSMCWorkbook",
"workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
"workbookTemplateSpecName1": "[concat(parameters('workspace'),'-Workbook-',variables('_workbookContentId1'))]",
"_workbookContentId1": "[variables('workbookContentId1')]",
"analyticRuleVersion1": "1.0.0",
"analyticRulecontentId1": "84ad2f8a-b64c-49bc-b669-bdb4fd3071e9",
"_analyticRulecontentId1": "[variables('analyticRulecontentId1')]",
"analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]",
"analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'-AnalyticsRule-',variables('_analyticRulecontentId1'))]",
"analyticRuleVersion2": "1.0.0",
"analyticRulecontentId2": "2d8a60aa-c15e-442e-9ce3-ee924889d2a6",
"_analyticRulecontentId2": "[variables('analyticRulecontentId2')]",
"analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]",
"analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'-AnalyticsRule-',variables('_analyticRulecontentId2'))]"
},
"resources": [
{
"type": "Microsoft.Resources/templateSpecs",
"apiVersion": "2021-05-01",
"name": "[variables('dataConnectorTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "DataConnector"
},
"properties": {
"description": "Eset Security Management Center data connector with template",
"displayName": "Eset Security Management Center template"
}
},
{
"type": "Microsoft.Resources/templateSpecs/versions",
"apiVersion": "2021-05-01",
"name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "DataConnector"
},
"dependsOn": [
"[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
],
"properties": {
"description": "Eset Security Management Center data connector with template version 2.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
"parameters": {},
"variables": {},
"resources": [
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId1')]",
"title": "Eset Security Management Center",
"publisher": "Eset",
"descriptionMarkdown": "Connector for [Eset SMC](https://help.eset.com/esmc_admin/72/en-US/) threat events, audit logs, firewall events and web sites filter.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "eset_CL",
"baseQuery": "eset_CL"
}
],
"sampleQueries": [
{
"description": "Query Eset firewall events",
"query": "eset_CL\r\n| where event_type_s == 'FirewallAggregated_Event'\r\n| sort by TimeGenerated desc"
},
{
"description": "Query Eset threat events",
"query": "eset_CL\r\n| where event_type_s == 'Threat_Event'\r\n| sort by TimeGenerated desc"
},
{
"description": "Query Eset threat events from Real-time file system protection",
"query": "eset_CL\r\n| where event_type_s == 'Threat_Event'\r\n| where scanner_id_s == 'Real-time file system protection'\r\n| sort by TimeGenerated desc"
},
{
"description": "Query Eset threat events from On-demand scanner",
"query": "eset_CL\r\n| where event_type_s == 'Threat_Event'\r\n| where scanner_id_s == 'On-demand scanner'\r\n| sort by TimeGenerated desc"
},
{
"description": "Top hosts by number of threat events",
"query": "eset_CL\r\n| where event_type_s == 'Threat_Event'\r\n| summarize threat_events_count = count() by hostname_s\r\n| sort by threat_events_count desc"
},
{
"description": "Top threats",
"query": "eset_CL\r\n| where event_type_s == 'Threat_Event'\r\n| summarize threat_events_count = count() by threat_name_s\r\n| sort by threat_events_count desc"
},
{
"description": "Query Eset web sites filter",
"query": "eset_CL\r\n| where event_type_s == 'FilteredWebsites_Event'\r\n| sort by TimeGenerated desc"
},
{
"description": "Query Eset audit events",
"query": "eset_CL\r\n| where event_type_s == 'Audit_Event'\r\n| sort by TimeGenerated desc"
}
],
"dataTypes": [
{
"name": "eset_CL",
"lastDataReceivedQuery": "eset_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"eset_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [
{
"name": "Access to Eset SMC console",
"description": "Permissions to configure log export"
}
]
},
"instructionSteps": [
{
"description": "Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents.",
"instructions": [
{
"parameters": {
"title": "Choose where to install the agent:",
"instructionSteps": [
{
"title": "Install agent on Azure Linux Virtual Machine",
"description": "Select the machine to install the agent on and then click **Connect**.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnLinuxVirtualMachine"
},
"type": "InstallAgent"
}
]
},
{
"title": "Install agent on a non-Azure Linux Machine",
"description": "Download the agent on the relevant machine and follow the instructions.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnLinuxNonAzure"
},
"type": "InstallAgent"
}
]
}
]
},
"type": "InstructionStepsGroup"
}
],
"title": "1. Install and onboard the agent for Linux"
},
{
"description": "Configure rsyslog to accept logs from your Eset SMC IP address.\n\n```\nsudo -i\r\n\r\n# Set ESET SMC source IP address\r\nexport ESETIP={Enter your IP address}\r\n\r\n# Create rsyslog configuration file\r\ncat > /etc/rsyslog.d/80-remote.conf << EOF\r\n\\$ModLoad imudp\r\n\\$UDPServerRun 514\r\n\\$ModLoad imtcp\r\n\\$InputTCPServerRun 514\r\n\\$AllowedSender TCP, 127.0.0.1, $ESETIP\r\n\\$AllowedSender UDP, 127.0.0.1, $ESETIP\r\nuser.=alert;user.=crit;user.=debug;user.=emerg;user.=err;user.=info;user.=notice;user.=warning @127.0.0.1:25224\r\nEOF\r\n\r\n# Restart rsyslog\r\nsystemctl restart rsyslog```",
"title": "2. Configure the logs to be collected"
},
{
"description": "In order to easily recognize Eset data we will push it to separate table and parse at agent so query in Azure Sentinel is easier and fast. To make it simple we will just modify ```match oms.**``` section to send data as API objects by changing type to out_oms_api. Modify file on /etc/opt/microsoft/omsagent/{REPLACEyourworkspaceid}/conf/omsagent.conf. Full ```match oms.**``` section looks like this:\r\n\r\n```\r\n<match oms.** docker.**>\r\n type out_oms_api\r\n log_level info\r\n num_threads 5\r\n run_in_background false\r\n\r\n omsadmin_conf_path /etc/opt/microsoft/omsagent/{REPLACEyourworkspaceid}/conf/omsadmin.conf\r\n cert_path /etc/opt/microsoft/omsagent/{REPLACEyourworkspaceid}/certs/oms.crt\r\n key_path /etc/opt/microsoft/omsagent/{REPLACEyourworkspaceid}/certs/oms.key\r\n\r\n buffer_chunk_limit 15m\r\n buffer_type file\r\n buffer_path /var/opt/microsoft/omsagent/{REPLACEyourworkspaceid}/state/out_oms_common*.buffer\r\n\r\n buffer_queue_limit 10\r\n buffer_queue_full_action drop_oldest_chunk\r\n flush_interval 20s\r\n retry_limit 10\r\n retry_wait 30s\r\n max_retry_wait 9m\r\n</match>\r\n```\r\n",
"title": "3. Configure OMS agent to pass Eset SMC data in API format"
},
{
"description": "Modify file /etc/opt/microsoft/omsagent/{REPLACEyourworkspaceid}/conf/omsagent.d/syslog.conf\n```\r\n<source>\r\n type syslog\r\n port 25224\r\n bind 127.0.0.1\r\n protocol_type udp\r\n tag oms.api.eset\r\n</source>\r\n\r\n<filter oms.api.**>\r\n @type parser\r\n key_name message\r\n format /(?<message>.*?{.*})/\r\n</filter>\r\n\r\n<filter oms.api.**>\r\n @type parser\r\n key_name message\r\n format json\r\n</filter>\r\n```",
"title": "4. Change OMS agent configuration to catch tag oms.api.eset and parse structured data"
},
{
"description": "```bash\r\n# Disable changes to configuration files from Portal\r\nsudo su omsagent -c 'python /opt/microsoft/omsconfig/Scripts/OMS_MetaConfigHelper.py --disable'\r\n\r\n# Restart agent\r\nsudo /opt/microsoft/omsagent/bin/service_control restart\r\n\r\n# Check agent logs\r\ntail -f /var/opt/microsoft/omsagent/log/omsagent.log\r\n```",
"title": "5. Disable automatic configuration and restart agent"
},
{
"description": "Configure Eset Logs using BSD style and JSON format.\r\n- Go to Syslog server configuration as described in [Eset documentation](https://help.eset.com/esmc_admin/72/en-US/admin_server_settings.html?admin_server_settings_syslog.html) and configure Host (your connector), Format BSD, Transport TCP\r\n- Go to Logging section as described in [Eset documentation](https://help.eset.com/esmc_admin/72/en-US/admin_server_settings.html?admin_server_settings_export_to_syslog.html) and enable JSON",
"title": "6. Configure Eset SMC to send logs to connector"
}
]
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"contentId": "[variables('_dataConnectorContentId1')]",
"kind": "DataConnector",
"version": "[variables('dataConnectorVersion1')]",
"source": {
"kind": "Solution",
"name": "Eset Security Management Center",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Eset"
},
"support": {
"name": "Eset",
"tier": "partner",
"link": "https://support.eset.com/en"
}
}
}
]
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"dependsOn": [
"[variables('_dataConnectorId1')]"
],
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"contentId": "[variables('_dataConnectorContentId1')]",
"kind": "DataConnector",
"version": "[variables('dataConnectorVersion1')]",
"source": {
"kind": "Solution",
"name": "Eset Security Management Center",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Eset"
},
"support": {
"name": "Eset",
"tier": "partner",
"link": "https://support.eset.com/en"
}
}
},
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"title": "Eset Security Management Center",
"publisher": "Eset",
"descriptionMarkdown": "Connector for [Eset SMC](https://help.eset.com/esmc_admin/72/en-US/) threat events, audit logs, firewall events and web sites filter.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "eset_CL",
"baseQuery": "eset_CL"
}
],
"dataTypes": [
{
"name": "eset_CL",
"lastDataReceivedQuery": "eset_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"eset_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"sampleQueries": [
{
"description": "Query Eset firewall events",
"query": "eset_CL\r\n| where event_type_s == 'FirewallAggregated_Event'\r\n| sort by TimeGenerated desc"
},
{
"description": "Query Eset threat events",
"query": "eset_CL\r\n| where event_type_s == 'Threat_Event'\r\n| sort by TimeGenerated desc"
},
{
"description": "Query Eset threat events from Real-time file system protection",
"query": "eset_CL\r\n| where event_type_s == 'Threat_Event'\r\n| where scanner_id_s == 'Real-time file system protection'\r\n| sort by TimeGenerated desc"
},
{
"description": "Query Eset threat events from On-demand scanner",
"query": "eset_CL\r\n| where event_type_s == 'Threat_Event'\r\n| where scanner_id_s == 'On-demand scanner'\r\n| sort by TimeGenerated desc"
},
{
"description": "Top hosts by number of threat events",
"query": "eset_CL\r\n| where event_type_s == 'Threat_Event'\r\n| summarize threat_events_count = count() by hostname_s\r\n| sort by threat_events_count desc"
},
{
"description": "Top threats",
"query": "eset_CL\r\n| where event_type_s == 'Threat_Event'\r\n| summarize threat_events_count = count() by threat_name_s\r\n| sort by threat_events_count desc"
},
{
"description": "Query Eset web sites filter",
"query": "eset_CL\r\n| where event_type_s == 'FilteredWebsites_Event'\r\n| sort by TimeGenerated desc"
},
{
"description": "Query Eset audit events",
"query": "eset_CL\r\n| where event_type_s == 'Audit_Event'\r\n| sort by TimeGenerated desc"
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [
{
"name": "Access to Eset SMC console",
"description": "Permissions to configure log export"
}
]
},
"instructionSteps": [
{
"description": "Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents.",
"instructions": [
{
"parameters": {
"title": "Choose where to install the agent:",
"instructionSteps": [
{
"title": "Install agent on Azure Linux Virtual Machine",
"description": "Select the machine to install the agent on and then click **Connect**.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnLinuxVirtualMachine"
},
"type": "InstallAgent"
}
]
},
{
"title": "Install agent on a non-Azure Linux Machine",
"description": "Download the agent on the relevant machine and follow the instructions.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnLinuxNonAzure"
},
"type": "InstallAgent"
}
]
}
]
},
"type": "InstructionStepsGroup"
}
],
"title": "1. Install and onboard the agent for Linux"
},
{
"description": "Configure rsyslog to accept logs from your Eset SMC IP address.\n\n```\nsudo -i\r\n\r\n# Set ESET SMC source IP address\r\nexport ESETIP={Enter your IP address}\r\n\r\n# Create rsyslog configuration file\r\ncat > /etc/rsyslog.d/80-remote.conf << EOF\r\n\\$ModLoad imudp\r\n\\$UDPServerRun 514\r\n\\$ModLoad imtcp\r\n\\$InputTCPServerRun 514\r\n\\$AllowedSender TCP, 127.0.0.1, $ESETIP\r\n\\$AllowedSender UDP, 127.0.0.1, $ESETIP\r\nuser.=alert;user.=crit;user.=debug;user.=emerg;user.=err;user.=info;user.=notice;user.=warning @127.0.0.1:25224\r\nEOF\r\n\r\n# Restart rsyslog\r\nsystemctl restart rsyslog```",
"title": "2. Configure the logs to be collected"
},
{
"description": "In order to easily recognize Eset data we will push it to separate table and parse at agent so query in Azure Sentinel is easier and fast. To make it simple we will just modify ```match oms.**``` section to send data as API objects by changing type to out_oms_api. Modify file on /etc/opt/microsoft/omsagent/{REPLACEyourworkspaceid}/conf/omsagent.conf. Full ```match oms.**``` section looks like this:\r\n\r\n```\r\n<match oms.** docker.**>\r\n type out_oms_api\r\n log_level info\r\n num_threads 5\r\n run_in_background false\r\n\r\n omsadmin_conf_path /etc/opt/microsoft/omsagent/{REPLACEyourworkspaceid}/conf/omsadmin.conf\r\n cert_path /etc/opt/microsoft/omsagent/{REPLACEyourworkspaceid}/certs/oms.crt\r\n key_path /etc/opt/microsoft/omsagent/{REPLACEyourworkspaceid}/certs/oms.key\r\n\r\n buffer_chunk_limit 15m\r\n buffer_type file\r\n buffer_path /var/opt/microsoft/omsagent/{REPLACEyourworkspaceid}/state/out_oms_common*.buffer\r\n\r\n buffer_queue_limit 10\r\n buffer_queue_full_action drop_oldest_chunk\r\n flush_interval 20s\r\n retry_limit 10\r\n retry_wait 30s\r\n max_retry_wait 9m\r\n</match>\r\n```\r\n",
"title": "3. Configure OMS agent to pass Eset SMC data in API format"
},
{
"description": "Modify file /etc/opt/microsoft/omsagent/{REPLACEyourworkspaceid}/conf/omsagent.d/syslog.conf\n```\r\n<source>\r\n type syslog\r\n port 25224\r\n bind 127.0.0.1\r\n protocol_type udp\r\n tag oms.api.eset\r\n</source>\r\n\r\n<filter oms.api.**>\r\n @type parser\r\n key_name message\r\n format /(?<message>.*?{.*})/\r\n</filter>\r\n\r\n<filter oms.api.**>\r\n @type parser\r\n key_name message\r\n format json\r\n</filter>\r\n```",
"title": "4. Change OMS agent configuration to catch tag oms.api.eset and parse structured data"
},
{
"description": "```bash\r\n# Disable changes to configuration files from Portal\r\nsudo su omsagent -c 'python /opt/microsoft/omsconfig/Scripts/OMS_MetaConfigHelper.py --disable'\r\n\r\n# Restart agent\r\nsudo /opt/microsoft/omsagent/bin/service_control restart\r\n\r\n# Check agent logs\r\ntail -f /var/opt/microsoft/omsagent/log/omsagent.log\r\n```",
"title": "5. Disable automatic configuration and restart agent"
},
{
"description": "Configure Eset Logs using BSD style and JSON format.\r\n- Go to Syslog server configuration as described in [Eset documentation](https://help.eset.com/esmc_admin/72/en-US/admin_server_settings.html?admin_server_settings_syslog.html) and configure Host (your connector), Format BSD, Transport TCP\r\n- Go to Logging section as described in [Eset documentation](https://help.eset.com/esmc_admin/72/en-US/admin_server_settings.html?admin_server_settings_export_to_syslog.html) and enable JSON",
"title": "6. Configure Eset SMC to send logs to connector"
}
],
"id": "[variables('_uiConfigId1')]"
}
}
},
{
"type": "Microsoft.Resources/templateSpecs",
"apiVersion": "2021-05-01",
"name": "[variables('workbookTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "Workbook"
},
"properties": {
"description": "Eset Security Management Center Workbook with template",
"displayName": "Eset Security Management Center workbook template"
}
},
{
"type": "Microsoft.Resources/templateSpecs/versions",
"apiVersion": "2021-05-01",
"name": "[concat(variables('workbookTemplateSpecName1'),'/',variables('workbookVersion1'))]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "Workbook"
},
"dependsOn": [
"[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]"
],
"properties": {
"description": "esetSMCWorkbookWorkbook Workbook with template version 2.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.Insights/workbooks",
"name": "[variables('workbookContentId1')]",
"location": "[parameters('workspace-location')]",
"kind": "shared",
"apiVersion": "2021-08-01",
"metadata": {
"description": "Visualize events and threats from Eset Security Management Center."
},
"properties": {
"displayName": "[parameters('workbook1-name')]",
"serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Eset Security Management Center\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"c84a31aa-79fc-45f8-8991-8b56e0545a8c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":259200000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"eset_CL\\r\\n| where TimeGenerated {TimeRange}\\r\\n| summarize events_count = count() by event_type_s, bin(TimeGenerated, {TimeRange:grain})\",\"size\":0,\"title\":\"Events\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"50\",\"name\":\"allEventsOverTIme\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"eset_CL\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where event_type_s == \\\"Threat_Event\\\"\\r\\n| summarize events_count = count() by threat_name_s, bin(TimeGenerated, {TimeRange:grain})\",\"size\":0,\"title\":\"Threats\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"50\",\"name\":\"queryThreatsOverTime\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"eset_CL\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where event_type_s == 'Threat_Event'\\r\\n| summarize events_count = count() by threat_name_s\",\"size\":3,\"title\":\"Top threats\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"threat_name_s\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"events_count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"33\",\"name\":\"queryTopThreats\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"eset_CL\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where event_type_s == 'Threat_Event'\\r\\n| summarize events_count = count() by threat_type_s\",\"size\":3,\"title\":\"Top threats by type\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"queryTopThreatsByType\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"eset_CL\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where event_type_s == 'Threat_Event'\\r\\n| summarize events_count = count() by hostname_s\",\"size\":3,\"title\":\"Most attacked hosts\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"queryMostAttackedHosts\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"eset_CL\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where event_type_s == 'Threat_Event'\\r\\n| summarize events_count = count() by username_s\",\"size\":3,\"title\":\"Most attacked users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"queryMostAttackedUsers\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"eset_CL\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where event_type_s == \\\"FirewallAggregated_Event\\\"\\r\\n| summarize count() by source_address_s\",\"size\":3,\"title\":\"Top remote attackers\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"queryTopRemoteAttackers\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"eset_CL\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where event_type_s == \\\"FilteredWebsites_Event\\\"\\r\\n| where action_taken_s == \\\"blocked\\\"\\r\\n| summarize count() by object_uri_s\",\"size\":3,\"title\":\"Most blocked sites\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"queryMostBlockedSites\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"eset_CL\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where event_type_s == \\\"Threat_Event\\\"\\r\\n| project TimeGenerated, hostname_s, username_s, threat_type_s, threat_name_s, processname_s, action_taken_s\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Latest threats\",\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":1000,\"filter\":true}},\"name\":\"queryLatestThreats\"}],\"fallbackResourceIds\":[\"/subscriptions/a0f4a733-4fce-4d49-b8a8-d30541fc1b45/resourcegroups/eset/providers/microsoft.operationalinsights/workspaces/sentineleset\"],\"fromTemplateId\":\"sentinel-EsetSMC\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
"version": "1.0",
"sourceId": "[variables('workspaceResourceId')]",
"category": "sentinel"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]",
"properties": {
"description": "@{workbookKey=EsetSMCWorkbook; logoFileName=eset-logo.svg; description=Visualize events and threats from Eset Security Management Center.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Eset Security Management Center Overview; templateRelativePath=esetSMCWorkbook.json; subtitle=; provider=Community}.description",
"parentId": "[variables('workbookId1')]",
"contentId": "[variables('_workbookContentId1')]",
"kind": "Workbook",
"version": "[variables('workbookVersion1')]",
"source": {
"kind": "Solution",
"name": "Eset Security Management Center",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Eset"
},
"support": {
"name": "Eset",
"tier": "partner",
"link": "https://support.eset.com/en"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"contentId": "eset_CL",
"kind": "DataType"
},
{
"contentId": "EsetSMC",
"kind": "DataConnector"
}
]
}
}
}
]
}
}
},
{
"type": "Microsoft.Resources/templateSpecs",
"apiVersion": "2021-05-01",
"name": "[variables('analyticRuleTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "AnalyticsRule"
},
"properties": {
"description": "Eset Security Management Center Analytics Rule 1 with template",
"displayName": "Eset Security Management Center Analytics Rule template"
}
},
{
"type": "Microsoft.Resources/templateSpecs/versions",
"apiVersion": "2021-05-01",
"name": "[concat(variables('analyticRuleTemplateSpecName1'),'/',variables('analyticRuleVersion1'))]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "AnalyticsRule"
},
"dependsOn": [
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName1'))]"
],
"properties": {
"description": "eset-sites-blocked_AnalyticalRules Analytics Rule with template version 2.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion1')]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"name": "[variables('AnalyticRulecontentId1')]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "Create alert on web sites blocked by Eset.",
"displayName": "Web sites blocked by Eset",
"enabled": false,
"query": "eset_CL\n| where event_type_s == 'FilteredWebsites_Event'\n| extend AccountCustomEntity = username_s, URLCustomEntity = object_uri_s, HostCustomEntity = hostname_s, IPCustomEntity = ipv4_s\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Low",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
{
"dataTypes": [
"eset_CL"
],
"connectorId": "EsetSMC"
}
],
"tactics": [
"Exfiltration",
"CommandAndControl",
"InitialAccess"
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "HostCustomEntity",
"identifier": "FullName"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPCustomEntity",
"identifier": "Address"
}
]
},
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "URLCustomEntity",
"identifier": "Url"
}
]
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]",
"properties": {
"description": "Eset Security Management Center Analytics Rule 1",
"parentId": "[variables('analyticRuleId1')]",
"contentId": "[variables('_analyticRulecontentId1')]",
"kind": "AnalyticsRule",
"version": "[variables('analyticRuleVersion1')]",
"source": {
"kind": "Solution",
"name": "Eset Security Management Center",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Eset"
},
"support": {
"name": "Eset",
"tier": "partner",
"link": "https://support.eset.com/en"
}
}
}
]
}
}
},
{
"type": "Microsoft.Resources/templateSpecs",
"apiVersion": "2021-05-01",
"name": "[variables('analyticRuleTemplateSpecName2')]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "AnalyticsRule"
},
"properties": {
"description": "Eset Security Management Center Analytics Rule 2 with template",
"displayName": "Eset Security Management Center Analytics Rule template"
}
},
{
"type": "Microsoft.Resources/templateSpecs/versions",
"apiVersion": "2021-05-01",
"name": "[concat(variables('analyticRuleTemplateSpecName2'),'/',variables('analyticRuleVersion2'))]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "AnalyticsRule"
},
"dependsOn": [
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName2'))]"
],
"properties": {
"description": "eset-threats_AnalyticalRules Analytics Rule with template version 2.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion2')]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"name": "[variables('AnalyticRulecontentId2')]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "Escalates threats detected by Eset.",
"displayName": "Threats detected by Eset",
"enabled": false,
"query": "eset_CL\n| where event_type_s == \"Threat_Event\"\n| extend HostCustomEntity = hostname_s, AccountCustomEntity = username_s, IPCustomEntity = ipv4_s\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Low",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
{
"dataTypes": [
"eset_CL"
],
"connectorId": "EsetSMC"
}
],
"tactics": [
"Execution",
"CredentialAccess",
"PrivilegeEscalation"
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "HostCustomEntity",
"identifier": "FullName"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPCustomEntity",
"identifier": "Address"
}
]
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]",
"properties": {
"description": "Eset Security Management Center Analytics Rule 2",
"parentId": "[variables('analyticRuleId2')]",
"contentId": "[variables('_analyticRulecontentId2')]",
"kind": "AnalyticsRule",
"version": "[variables('analyticRuleVersion2')]",
"source": {
"kind": "Solution",
"name": "Eset Security Management Center",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Eset"
},
"support": {
"name": "Eset",
"tier": "partner",
"link": "https://support.eset.com/en"
}
}
}
]
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"properties": {
"version": "2.0.0",
"kind": "Solution",
"contentSchemaVersion": "2.0.0",
"contentId": "[variables('_solutionId')]",
"parentId": "[variables('_solutionId')]",
"source": {
"kind": "Solution",
"name": "Eset Security Management Center",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Eset"
},
"support": {
"name": "Eset",
"tier": "partner",
"link": "https://support.eset.com/en"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"kind": "DataConnector",
"contentId": "[variables('_dataConnectorContentId1')]",
"version": "[variables('dataConnectorVersion1')]"
},
{
"kind": "Workbook",
"contentId": "[variables('_workbookContentId1')]",
"version": "[variables('workbookVersion1')]"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('analyticRulecontentId1')]",
"version": "[variables('analyticRuleVersion1')]"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('analyticRulecontentId2')]",
"version": "[variables('analyticRuleVersion2')]"
}
]
},
"firstPublishDate": "2022-05-11",
"providers": [
"Eset"
],
"categories": {
"domains": [
"Security - Threat Protection"
]
}
},
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
}
],
"outputs": {}
}
Ссылка в новой задаче Показать git blame Копировать постоянную ссылку