264 строки
18 KiB
JSON
264 строки
18 KiB
JSON
{
|
||
"version": "Notebook/1.0",
|
||
"items": [
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "# Attack Surface Reduction Dashboard\n---\n\nVersion: 2022.1\n\nCreated by: Daniel Chronlund (https://danielchronlund.com)"
|
||
},
|
||
"name": "text - heading"
|
||
},
|
||
{
|
||
"type": 3,
|
||
"content": {
|
||
"version": "KqlItem/1.0",
|
||
"query": "let T = datatable(DisplayName:string, AdvancedHuntingAuditAction:string, AdvancedHuntingBlockAction:string, Description:string, DocsURL:string, GUID:string)\r\n[\r\n \"Block abuse of exploited vulnerable signed drivers\", \"Not yet available\", \"Not yet available\", \"This rule prevents an application from writing a vulnerable signed driver to disk.\", \"https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-abuse-of-exploited-vulnerable-signed-drivers\", \"56a863a9-875e-4185-98a7-b882c64b5ce5\", \r\n \"Block Adobe Reader from creating child processes\", \"AsrAdobeReaderChildProcessAudited\", \"AsrAdobeReaderChildProcessBlocked\", \"This rule prevents attacks by blocking Adobe Reader from creating processes.\", \"https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-adobe-reader-from-creating-child-processes\", \"7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c\", \r\n \"Block all Office applications from creating child processes\", \"AsrOfficeChildProcessAudited\", \"AsrOfficeChildProcessBlocked\", \"This rule blocks Office apps from creating child processes. Office apps include Word, Excel, PowerPoint, OneNote, and Access.\", \"https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-all-office-applications-from-creating-child-processes\", \"d4f940ab-401b-4efc-aadc-ad5f3c50688a\", \r\n \"Block credential stealing from the Windows local security authority subsystem\", \"AsrLsassCredentialTheftAudited\", \"AsrLsassCredentialTheftBlocked\", \"This rule helps prevent credential stealing by locking down Local Security Authority Subsystem Service (LSASS).\", \"https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-credential-stealing-from-the-windows-local-security-authority-subsystem\", \"9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2\", \r\n \"Block executable content from email client and webmail\", \"AsrExecutableEmailContentAudited\", \"AsrExecutableEmailContentBlocked\", \"This rule blocks the following file types from launching from email opened within the Microsoft Outlook application, or Outlook.com and other popular webmail providers: Executable files (such as .exe, .dll, or .scr) Script files (such as a PowerShell .ps, Visual Basic .vbs, or JavaScript .js file).\", \"https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-executable-content-from-email-client-and-webmail\", \"be9ba2d9-53ea-4cdc-84e5-9b1eeee46550\", \r\n \"Block executable files from running unless they meet a prevalence, age, or trusted list criterion\", \"AsrUntrustedExecutableAudited\", \"AsrUntrustedExecutableBlocked\", \"This rule blocks executable files, such as .exe, .dll, or .scr, from launching. Thus, launching untrusted or unknown executable files can be risky, as it might not be initially clear if the files are malicious.\", \"https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion\", \"01443614-cd74-433a-b99e-2ecdc07bfc25\", \r\n \"Block execution of potentially obfuscated scripts\", \"AsrObfuscatedScriptAudited\", \"AsrObfuscatedScriptBlocked\", \"This rule detects suspicious properties within an obfuscated script.\", \"https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-execution-of-potentially-obfuscated-scripts\", \"5beb7efe-fd9a-4556-801d-275e5ffc04cc\", \r\n \"Block JavaScript or VBScript from launching downloaded executable content\", \"AsrScriptExecutableDownloadAudited\", \"AsrScriptExecutableDownloadBlocked\", \"This rule prevents scripts from launching potentially malicious downloaded content. Malware written in JavaScript or VBScript often acts as a downloader to fetch and launch other malware from the Internet.\", \"https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-javascript-or-vbscript-from-launching-downloaded-executable-content\", \"d3e037e1-3eb8-44c8-a917-57927947596d\", \r\n \"Block Office applications from creating executable content\", \"AsrExecutableOfficeContentAudited\", \"AsrExecutableOfficeContentBlocked\", \"This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating potentially malicious executable content, by blocking malicious code from being written to disk.\", \"https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-office-applications-from-creating-executable-content\", \"3b576869-a4ec-4529-8536-b80a7769e899\", \r\n \"Block Office applications from injecting code into other processes\", \"AsrOfficeProcessInjectionAudited\", \"AsrOfficeProcessInjectionBlocked\", \"This rule blocks code injection attempts from Office apps into other processes.\", \"https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-office-applications-from-injecting-code-into-other-processes\", \"75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84\", \r\n \"Block Office communication application from creating child processes\", \"AsrOfficeCommAppChildProcessAudited\", \"AsrOfficeCommAppChildProcessBlocked\", \"This rule prevents Outlook from creating child processes, while still allowing legitimate Outlook functions.\", \"https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-office-communication-application-from-creating-child-processes\", \"26190899-1602-49e8-8b27-eb1d0a1ce869\", \r\n \"Block persistence through WMI event subscription\", \"AsrPersistenceThroughWmiAudited\", \"AsrPersistenceThroughWmiBlocked\", \"This rule prevents malware from abusing WMI to attain persistence on a device.\", \"https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-persistence-through-wmi-event-subscription\", \"e6db77e5-3df2-4cf1-b95a-636979351e5b\", \r\n \"Block process creations originating from PSExec and WMI commands\", \"AsrPsexecWmiChildProcessAudited\", \"AsrPsexecWmiChildProcessBlocked\", \"This rule blocks processes created through PsExec and WMI from running.\", \"https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands\", \"d1e49aac-8f56-4280-b9ba-993a6d77406c\", \r\n \"Block untrusted and unsigned processes that run from USB\", \"AsrUntrustedUsbProcessAudited\", \"AsrUntrustedUsbProcessBlocked\", \"With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include executable files (such as .exe, .dll, or .scr)\", \"https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-untrusted-and-unsigned-processes-that-run-from-usb\", \"b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4\", \r\n \"Block Win32 API calls from Office macros\", \"AsrOfficeMacroWin32ApiCallsAudited\", \"AsrOfficeMacroWin32ApiCallsBlocked\", \"This rule prevents VBA macros from calling Win32 APIs.\", \"https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-win32-api-calls-from-office-macros\", \"92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b\", \r\n \"Use advanced protection against ransomware\", \"AsrRansomwareAudited\", \"AsrRansomwareBlocked\", \"This rule provides an extra layer of protection against ransomware. It uses both client and cloud heuristics to determine whether a file resembles ransomware.\", \"https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#use-advanced-protection-against-ransomware\", \"c1db55ab-c21a-4637-bb3f-a12568109d35\",\r\n];\r\nT",
|
||
"size": 1,
|
||
"title": "ASR Rules Reference (updated 2022-06-15)",
|
||
"timeContext": {
|
||
"durationMs": 86400000
|
||
},
|
||
"queryType": 0,
|
||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||
"gridSettings": {
|
||
"sortBy": [
|
||
{
|
||
"itemKey": "DisplayName",
|
||
"sortOrder": 1
|
||
}
|
||
]
|
||
},
|
||
"sortBy": [
|
||
{
|
||
"itemKey": "DisplayName",
|
||
"sortOrder": 1
|
||
}
|
||
]
|
||
},
|
||
"name": "query - rulesreference"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "---\r\n\r\n### How to use this dashboard:\r\n\r\n1. Select the ASR mode you are interested in. Rules running in 'Audit' or 'Block' mode.\r\n2. Select the time range you are interested in.\r\n3. Optional: Select a specific ASR rule you are interested in (default is All rules).\r\n4. Optional: Select a specific Windows device you are interested in (default is All devices).\r\n5. Optional: Select a specific user account you are interested in (default is All users)."
|
||
},
|
||
"name": "text - instructions"
|
||
},
|
||
{
|
||
"type": 9,
|
||
"content": {
|
||
"version": "KqlParameterItem/1.0",
|
||
"parameters": [
|
||
{
|
||
"id": "5e86e57b-1c37-4f5c-86f4-5db8f0a026a7",
|
||
"version": "KqlParameterItem/1.0",
|
||
"name": "Mode",
|
||
"type": 2,
|
||
"isRequired": true,
|
||
"value": "Blocked",
|
||
"typeSettings": {
|
||
"additionalResourceOptions": [],
|
||
"showDefault": false
|
||
},
|
||
"jsonData": "[\"Blocked\", \"Audited\"]"
|
||
},
|
||
{
|
||
"id": "e327ae2b-6659-4d53-98d7-7326e30a893a",
|
||
"version": "KqlParameterItem/1.0",
|
||
"name": "TimeRange",
|
||
"type": 4,
|
||
"isRequired": true,
|
||
"typeSettings": {
|
||
"selectableValues": [
|
||
{
|
||
"durationMs": 86400000
|
||
},
|
||
{
|
||
"durationMs": 259200000
|
||
},
|
||
{
|
||
"durationMs": 604800000
|
||
},
|
||
{
|
||
"durationMs": 1209600000
|
||
},
|
||
{
|
||
"durationMs": 2592000000,
|
||
"isInitialTime": true
|
||
},
|
||
{
|
||
"durationMs": 7776000000
|
||
}
|
||
],
|
||
"allowCustom": true
|
||
},
|
||
"timeContext": {
|
||
"durationMs": 86400000
|
||
},
|
||
"value": {
|
||
"durationMs": 2592000000
|
||
}
|
||
},
|
||
{
|
||
"id": "16379874-5c33-49a0-a533-d8c696c51b35",
|
||
"version": "KqlParameterItem/1.0",
|
||
"name": "ASRRule",
|
||
"type": 2,
|
||
"query": "DeviceEvents\r\n| where ActionType startswith \"Asr\"\r\n| summarize by ActionType\r\n| order by ActionType asc",
|
||
"value": null,
|
||
"typeSettings": {
|
||
"additionalResourceOptions": [],
|
||
"showDefault": false
|
||
},
|
||
"queryType": 0,
|
||
"resourceType": "microsoft.operationalinsights/workspaces"
|
||
},
|
||
{
|
||
"id": "ed954184-3ae9-40e9-805c-d55ac7248a01",
|
||
"version": "KqlParameterItem/1.0",
|
||
"name": "DeviceName",
|
||
"type": 2,
|
||
"query": "DeviceEvents\r\n| where ActionType startswith \"Asr\"\r\n| summarize by DeviceName\r\n| order by DeviceName asc",
|
||
"value": null,
|
||
"typeSettings": {
|
||
"additionalResourceOptions": [],
|
||
"showDefault": false
|
||
},
|
||
"queryType": 0,
|
||
"resourceType": "microsoft.operationalinsights/workspaces"
|
||
},
|
||
{
|
||
"id": "ffda8294-0b36-4b35-935a-5611d4092950",
|
||
"version": "KqlParameterItem/1.0",
|
||
"name": "User",
|
||
"type": 2,
|
||
"query": "DeviceEvents\r\n| where ActionType startswith \"Asr\"\r\n| summarize by AccountName\r\n| order by AccountName asc",
|
||
"value": null,
|
||
"typeSettings": {
|
||
"additionalResourceOptions": []
|
||
},
|
||
"queryType": 0,
|
||
"resourceType": "microsoft.operationalinsights/workspaces"
|
||
}
|
||
],
|
||
"style": "pills",
|
||
"queryType": 0,
|
||
"resourceType": "microsoft.operationalinsights/workspaces"
|
||
},
|
||
"name": "parameters",
|
||
"styleSettings": {
|
||
"margin": "0",
|
||
"padding": "0"
|
||
}
|
||
},
|
||
{
|
||
"type": 3,
|
||
"content": {
|
||
"version": "KqlItem/1.0",
|
||
"query": "// Agregate all Attack Surface Reduction rules events in Block mode, in 1h time chunks to display in time line chart.\r\nDeviceEvents\r\n| where ActionType startswith \"Asr\"\r\n| where ActionType endswith \"{Mode}\"\r\n| where ActionType startswith iff(isnull(\"{ASRRule}\"), \"\", \"{ASRRule}\")\r\n| where DeviceName startswith iff(isnull(\"{DeviceName}\"), \"\", \"{DeviceName}\")\r\n| where AccountName startswith iff(isnull(\"{User}\"), \"\", \"{User}\")\r\n| summarize count() by ActionType, bin(TimeGenerated, 1h)\r\n| render timechart",
|
||
"size": 0,
|
||
"title": "ASR Events Timeline",
|
||
"timeContextFromParameter": "TimeRange",
|
||
"queryType": 0,
|
||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||
"visualization": "timechart",
|
||
"chartSettings": {
|
||
"seriesLabelSettings": [
|
||
{
|
||
"seriesName": "Update conditional access policy",
|
||
"color": "blue"
|
||
},
|
||
{
|
||
"seriesName": "Add conditional access policy",
|
||
"color": "green"
|
||
},
|
||
{
|
||
"seriesName": "Delete conditional access policy",
|
||
"color": "redBright"
|
||
}
|
||
]
|
||
}
|
||
},
|
||
"customWidth": "100",
|
||
"name": "query - asrtimeline",
|
||
"styleSettings": {
|
||
"showBorder": true
|
||
}
|
||
},
|
||
{
|
||
"type": 3,
|
||
"content": {
|
||
"version": "KqlItem/1.0",
|
||
"query": "DeviceEvents\r\n| where ActionType startswith \"Asr\"\r\n| where ActionType endswith \"{Mode}\"\r\n| where ActionType startswith iff(isnull(\"{ASRRule}\"), \"\", \"{ASRRule}\")\r\n| where DeviceName startswith iff(isnull(\"{DeviceName}\"), \"\", \"{DeviceName}\")\r\n| where AccountName startswith iff(isnull(\"{User}\"), \"\", \"{User}\")\r\n| summarize count() by ActionType",
|
||
"size": 3,
|
||
"title": "ASR Events by Rule",
|
||
"timeContextFromParameter": "TimeRange",
|
||
"queryType": 0,
|
||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||
"visualization": "piechart"
|
||
},
|
||
"customWidth": "33",
|
||
"name": "query - eventsbyrule",
|
||
"styleSettings": {
|
||
"showBorder": true
|
||
}
|
||
},
|
||
{
|
||
"type": 3,
|
||
"content": {
|
||
"version": "KqlItem/1.0",
|
||
"query": "DeviceEvents\r\n| where ActionType startswith \"Asr\"\r\n| where ActionType endswith \"{Mode}\"\r\n| where ActionType startswith iff(isnull(\"{ASRRule}\"), \"\", \"{ASRRule}\")\r\n| where DeviceName startswith iff(isnull(\"{DeviceName}\"), \"\", \"{DeviceName}\")\r\n| where AccountName startswith iff(isnull(\"{User}\"), \"\", \"{User}\")\r\n| summarize count() by DeviceName",
|
||
"size": 3,
|
||
"title": "ASR Events by Device",
|
||
"timeContextFromParameter": "TimeRange",
|
||
"queryType": 0,
|
||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||
"visualization": "piechart"
|
||
},
|
||
"customWidth": "33",
|
||
"name": "query - eventsbydevice",
|
||
"styleSettings": {
|
||
"showBorder": true
|
||
}
|
||
},
|
||
{
|
||
"type": 3,
|
||
"content": {
|
||
"version": "KqlItem/1.0",
|
||
"query": "DeviceEvents\r\n| where ActionType startswith \"Asr\"\r\n| where ActionType endswith \"{Mode}\"\r\n| where ActionType startswith iff(isnull(\"{ASRRule}\"), \"\", \"{ASRRule}\")\r\n| where DeviceName startswith iff(isnull(\"{DeviceName}\"), \"\", \"{DeviceName}\")\r\n| where AccountName startswith iff(isnull(\"{User}\"), \"\", \"{User}\")\r\n| summarize count() by InitiatingProcessAccountUpn",
|
||
"size": 3,
|
||
"title": "ASR Events by User",
|
||
"timeContextFromParameter": "TimeRange",
|
||
"queryType": 0,
|
||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||
"visualization": "piechart"
|
||
},
|
||
"customWidth": "33",
|
||
"name": "query - eventsbyuser",
|
||
"styleSettings": {
|
||
"showBorder": true
|
||
}
|
||
},
|
||
{
|
||
"type": 3,
|
||
"content": {
|
||
"version": "KqlItem/1.0",
|
||
"query": "DeviceEvents\r\n| where ActionType startswith \"Asr\"\r\n| where ActionType endswith \"{Mode}\"\r\n| where ActionType startswith iff(isnull(\"{ASRRule}\"), \"\", \"{ASRRule}\")\r\n| where DeviceName startswith iff(isnull(\"{DeviceName}\"), \"\", \"{DeviceName}\")\r\n| where AccountName startswith iff(isnull(\"{User}\"), \"\", \"{User}\")\r\n| project TimeGenerated, ActionType, DeviceName, AccountName, InitiatingProcessAccountUpn, FileName, InitiatingProcessCommandLine, InitiatingProcessFolderPath",
|
||
"size": 0,
|
||
"title": "ASR Event Log",
|
||
"timeContextFromParameter": "TimeRange",
|
||
"queryType": 0,
|
||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||
"gridSettings": {
|
||
"rowLimit": 1000
|
||
}
|
||
},
|
||
"name": "query - eventlog",
|
||
"styleSettings": {
|
||
"showBorder": true
|
||
}
|
||
}
|
||
],
|
||
"fromTemplateId": "sentinel-AttackSurfaceReduction",
|
||
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
||
} |