{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "## Log4j Post Compromise Hunting\n---\n\nThis hunting workbook is intended to help identify activity related to the Log4j compromise discovered in December 2021.<br>\nMore details can be found in the following reports:\n - https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/"
},
"name": "text - 2"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "2d961dc0-1459-4406-8958-6260fec61361",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "FindTrace",
"subTarget": "FindTrace",
"style": "link"
},
{
"id": "fbc91177-748c-4880-946a-b5d014e32aa6",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "SecurityNestedRecommendation",
"subTarget": "SecurityNestedRecommendation",
"style": "link"
},
{
"id": "c2a98db3-8b74-459d-a4f5-c61ab64b7756",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "AzureDiagnostics",
"subTarget": "AzureDiagnostics",
"style": "link"
},
{
"id": "bafb8fbb-3d10-43d7-97ea-808d17742c52",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "MultipleDataSources",
"subTarget": "MultipleDataSources",
"style": "link"
},
{
"id": "e7ed0b51-0c07-4189-a0bf-d64f97e0a124",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "Syslog",
"subTarget": "Syslog",
"style": "link"
}
]
},
"name": "links - 6"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 1,
"content": {
"json": "## FindTrace\r\n\r\n\r\nThis tab is useful to find any occurrences of the collected IOCs in the existing workspace.\r\nIt loads the list of curated IOCs listed in \r\n\r\nhttps://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv\r\n\r\nNote that the list is fetched from that URL at query time, so its contents may change between runs.\r\n\r\nBased on the selected IOC it loads the tables having any occurrence of it.\r\n\r\nBased on the selected table it loads the raw logs from that table."
},
"name": "text - 0"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "064d84aa-3004-4950-af39-59e04c0c4c68",
"version": "KqlParameterItem/1.0",
"name": "timeframe",
"label": "Hunting Time Frame",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 2592000000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
},
"timeContext": {
"durationMs": 86400000
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"customWidth": "30",
"name": "parameters - 1"
},
{
"type": 1,
"content": {
"json": "Set the timeframe you wish to hunt in using the dropdown to the right.\r\nNote that using a large timeframe may cause queries to timeout depending on the size of your environment. If you have difficulties try reducing your timeframe.",
"style": "info"
},
"customWidth": "70",
"name": "text - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let IPList = externaldata(IPAddress:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\r\nIPList",
"size": 2,
"title": "IOC List",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "timeframe",
"exportFieldName": "IPAddress",
"exportParameterName": "selectedIP",
"exportDefaultValue": "0.0.0.0",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"rowLimit": 10000,
"filter": true
}
},
"customWidth": "15",
"name": "query - 3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "search \"{selectedIP}\"\r\n| distinct $table\r\n| project-rename TableName = $table",
"size": 2,
"title": "Find Trace for {selectedIP}",
"noDataMessage": "No Trace found of this IP Address",
"noDataMessageStyle": 3,
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "timeframe",
"exportFieldName": "TableName",
"exportParameterName": "selectedTable",
"exportDefaultValue": "None",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"filter": true
}
},
"customWidth": "25",
"conditionalVisibility": {
"parameterName": "selectedIP",
"comparison": "isNotEqualTo",
"value": "0.0.0.0"
},
"name": "query - 4"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{selectedTable}\r\n| search \"{selectedIP}\"",
"size": 2,
"title": "Traces in {selectedTable}",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "timeframe",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"rowLimit": 10000,
"filter": true
}
},
"customWidth": "60",
"conditionalVisibilities": [
{
"parameterName": "selectedTable",
"comparison": "isNotEqualTo",
"value": "None"
},
{
"parameterName": "selectedIP",
"comparison": "isNotEqualTo",
"value": "0.0.0.0"
}
],
"name": "query - 6"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "FindTrace"
},
"name": "group - 5 - Copy"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 1,
"content": {
"json": "## SecurityNestedRecommendation\r\n------------------------\r\n\r\n This section uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to log4j CVE-2021-44228. Log4j is an open-source Apache logging library that is used in \r\n many Java-based applications. Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender (reference link below).\r\n \r\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\r\n\r\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\r\n \r\n Reference: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-defender-for-cloud-displays-machines-affected-by-log4j/ba-p/3037271\r\n"
},
"name": "text - 6"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "ea3c6cdf-3199-4b98-845f-cfdba057542f",
"version": "KqlParameterItem/1.0",
"name": "timeframe",
"label": "Hunting Timeframe",
"type": 4,
"description": "Used to set the scope of other queries",
"value": {
"durationMs": 2592000000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
},
"timeContext": {
"durationMs": 86400000
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"customWidth": "30",
"name": "parameters - 0"
},
{
"type": 1,
"content": {
"json": "Set the timeframe you wish to hunt in using the dropdown to the right.\r\nNote that using a large timeframe may cause queries to timeout depending on the size of your environment. If you have difficulties try reducing your timeframe.",
"style": "info"
},
"customWidth": "70",
"name": "text - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityNestedRecommendation\r\n | where RemediationDescription has 'CVE-2021-44228'\r\n | parse ResourceDetails with * 'virtualMachines/' VirtualMAchine '\"' *\r\n | summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId",
"size": 0,
"title": "Vulnerable Machines related to log4j CVE-2021-44228",
"noDataMessage": "No vulnerable machines found in the timeframe set.",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "timeframe",
"exportedParameters": [
{
"fieldName": "IPAddress",
"parameterName": "ip_addr",
"parameterType": 1
},
{
"fieldName": "UserPrincipalName",
"parameterName": "upn",
"parameterType": 1
}
],
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "Vulnerable Machines related to log4j CVE-2021-44228"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "SecurityNestedRecommendation"
},
"name": "SecurityNestedRecommendation"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "AzureDiagnostics",
"items": [
{
"type": 1,
"content": {
"json": "## Azure Diagnostics\r\n------------------------\r\n"
},
"name": "text - 0"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "46282188-a54e-4ff0-a5eb-9d4ef712d9e9",
"version": "KqlParameterItem/1.0",
"name": "timeframe",
"label": "Hunting Time Frame",
"type": 4,
"description": "Used to time scope the subsequent hunting queries",
"isRequired": true,
"value": {
"durationMs": 2592000000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
},
"timeContext": {
"durationMs": 86400000
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"customWidth": "30",
"name": "parameters - 1"
},
{
"type": 1,
"content": {
"json": "Set the timeframe you wish to hunt in using the dropdown to the right.\r\nNote that using a large timeframe may cause queries to timeout depending on the size of your environment. If you have difficulties try reducing your timeframe.",
"style": "info"
},
"customWidth": "70",
"name": "text - 2"
},
{
"type": 1,
"content": {
"json": "## Azure WAF matching for Log4j vuln (CVE-2021-44228)\r\n\r\nThis query will alert on a positive pattern match by Azure WAF for CVE-2021-44228 log4j vulnerability exploitation attempt. If possible, it then decodes the malicious command for further analysis.\r\n Reference: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/"
},
"name": "text - 13"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureDiagnostics\r\n | where details_data_s has \"jndi:\"\r\n | parse details_data_s with * '${' MaliciousCommand '}' *\r\n | extend EncodeCmd = iff(MaliciousCommand has 'Base64/', split(split(MaliciousCommand, \"Base64/\",1)[0], \"}\", 0)[0], \"\")\r\n | extend EncodeCmd1 = iff(MaliciousCommand has 'base64/', split(split(MaliciousCommand, \"base64/\",1)[0], \"}\", 0)[0], \"\")\r\n | extend CmdLine = iff( isnotempty(EncodeCmd), EncodeCmd, EncodeCmd1)\r\n | extend DecodedCmdLine = base64_decode_tostring(tostring(CmdLine))\r\n | extend DecodedCmdLine = iff( isnotempty(DecodedCmdLine), DecodedCmdLine, \"Unable to decode\")\r\n | project TimeGenerated, Target=hostname_s, MaliciousHost = clientIp_s, MaliciousCommand, details_data_s, DecodedCmdLine, Message, ruleSetType_s, OperationName, SubscriptionId, details_message_s, details_file_s\r\n",
"size": 0,
"title": "Azure WAF matching for Log4j vuln (CVE-2021-44228)",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "timeframe",
"exportedParameters": [
{
"fieldName": "AppId",
"parameterName": "app_id_1",
"parameterType": 1
},
{
"fieldName": "InitiatingUser",
"parameterName": "init_user",
"parameterType": 1
}
],
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "query - 3"
},
{
"type": 1,
"content": {
"json": "## WAF_log4j_vulnerability\r\n\r\nThis hunting query looks in Azure Web Application Firewall data to find possible exploitation attempts for CVE-2021-44228 involving the log4j vulnerability.\r\n Reference: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/\r\n"
},
"name": "text - 16"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let log4jcmdstring = dynamic([\"${jndi:ldap\",\"${jndi:dns\",\"${jndi:rmi\",\"${jndi:corba\",\"${jndi:iiop\",\"${jndi:nis\",\"${jndi:nds\"]);\r\n let log4jRegex = @'(\\\\$|%24)(\\\\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\\\\$|%24|}|%7D)';\r\n AzureDiagnostics\r\n | where Category in (\"FrontdoorWebApplicationFirewallLog\", \"FrontdoorAccessLog\", \"ApplicationGatewayFirewallLog\", \"ApplicationGatewayAccessLog\")\r\n //The regex and the string matching look for the most common attacks. This is not supposed to be comprehensive.\r\n | where originalRequestUriWithArgs_s has_any (log4jcmdstring) or originalRequestUriWithArgs_s matches regex log4jRegex or userAgent_s has_any (log4jcmdstring) or userAgent_s matches regex log4jRegex\r\n | extend CmdLine = iff(originalRequestUriWithArgs_s has 'Base64/', split(split(originalRequestUriWithArgs_s, \"Base64/\",1)[0], \"}\", 0)[0], split(split(userAgent_s, \"Base64/\",1)[0], \"}\", 0)[0])\r\n | extend CmdLine = base64_decode_tostring(tostring(CmdLine))\r\n | where CmdLine has_any (\"wget\",\"curl\")\r\n | summarize Total = count() by originalRequestUriWithArgs_s, userAgent_s, clientIP_s,clientPort_d, TimeGenerated, host_s, requestUri_s, httpStatus_d,listenerName_s, CmdLine, httpMethod_s, Category",
"size": 0,
"title": "Azure WAF Log4j CVE-2021-44228 hunting",
"noDataMessage": "No Azure WAF Log4j matches in Timeframe",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "timeframe",
"exportedParameters": [
{
"fieldName": "TargetUserId",
"parameterName": "target_id",
"parameterType": 1
},
{
"fieldName": "GroupName",
"parameterName": "group",
"parameterType": 1
}
],
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "query - 4"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "AzureDiagnostics"
},
"name": "group - 3"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 1,
"content": {
"json": "## MultipleDataSources\r\n\r\nThis query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempt based on user agent pattern. Log4j is an open-source Apache logging library that is used in \r\n many Java-based applications. The regex and the string matching look for the most common attacks. This might not be comprehensive to detect every possible user agent variation.\r\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/"
},
"name": "text - 0"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "9825da9b-9932-4b35-b6dc-26aa29a58913",
"version": "KqlParameterItem/1.0",
"name": "timeframe",
"label": "Hunting Time Frame",
"type": 4,
"value": {
"durationMs": 2592000000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
},
"timeContext": {
"durationMs": 86400000
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"customWidth": "30",
"name": "parameters - 2"
},
{
"type": 1,
"content": {
"json": "Set the timeframe you wish to hunt in using the dropdown to the right.\r\nNote that using a large timeframe may cause queries to timeout depending on the size of your environment. If you have difficulties try reducing your timeframe.\r\n\r\n",
"style": "info"
},
"customWidth": "70",
"name": "text - 3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let UserAgentString = dynamic ([\"${jndi:ldap:/\", \"${jndi:rmi:/\", \"${jndi:ldaps:/\", \"${jndi:dns:/\", \"${jndi:iiop:/\",\"${jndi:\",\"${jndi:nds:/\",\"${jndi:corba/\"]);\r\n let UARegex = @'(\\\\$|%24)(\\\\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\\\\$|%24|}|%7D)';\r\n (union isfuzzy=true\r\n (OfficeActivity\r\n | where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\r\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, Operation\r\n | extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\r\n ),\r\n (AzureDiagnostics\r\n | where Category in (\"FrontdoorWebApplicationFirewallLog\", \"FrontdoorAccessLog\", \"ApplicationGatewayFirewallLog\", \"ApplicationGatewayAccessLog\")\r\n | where userAgent_s has_any (UserAgentString) or userAgent_s matches regex UARegex\r\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = userAgent_s, SourceIP = clientIP_s, Type, host_s, requestUri_s, httpStatus_d\r\n | extend timestamp = StartTime, IPCustomEntity = SourceIP, UrlCustomEntity = requestUri_s\r\n ),\r\n (\r\n W3CIISLog\r\n | where csUserAgent has_any (UserAgentString) or csUserAgent matches regex UARegex\r\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\r\n | extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = csUriStem\r\n ),\r\n (\r\n AWSCloudTrail\r\n | where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\r\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventName\r\n | extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\r\n 
),\r\n (SigninLogs\r\n | where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\r\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\r\n | extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\r\n ),\r\n (AADNonInteractiveUserSignInLogs \r\n | where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\r\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\r\n | extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\r\n ),\r\n (imWebSessions\r\n | where HttpUserAgent has_any (UserAgentString) or HttpUserAgent matches regex UARegex\r\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by HttpUserAgent, SourceIP = SrcIpAddr, DstIpAddr, Account = SrcUsername, URL, Type\r\n | extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = URL\r\n ),\r\n (imNetworkSession\r\n | where HttpUserAgent has_any (UserAgentString) or HttpUserAgent matches regex UARegex\r\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by HttpUserAgent, SourceIP = SrcIpAddr, DstIpAddr, Account = SrcUsername, Type, Url\r\n | extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = Url\r\n )\r\n )",
"size": 0,
"title": "User agent search for log4j exploitation attempt",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "timeframe",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "query - 1"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "MultipleDataSources"
},
"name": "group - 4"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Syslog",
"items": [
{
"type": 1,
"content": {
"json": "## Syslog\r\n"
},
"name": "text - 0"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "064d84aa-3004-4950-af39-59e04c0c4c68",
"version": "KqlParameterItem/1.0",
"name": "timeframe",
"label": "Hunting Time Frame",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 2592000000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
},
"timeContext": {
"durationMs": 86400000
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"customWidth": "30",
"name": "parameters - 1"
},
{
"type": 1,
"content": {
"json": "Set the timeframe you wish to hunt in using the dropdown to the right.\r\nNote that using a large timeframe may cause queries to timeout depending on the size of your environment. If you have difficulties try reducing your timeframe.",
"style": "info"
},
"customWidth": "70",
"name": "text - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Syslog\r\n | where Facility == 'user'\r\n | where SyslogMessage has \"AUOMS_EXECVE\"\r\n | where SyslogMessage has 'jndi' and SyslogMessage has_any ('ldap', 'dns', 'rmi', 'corba', 'iiop', 'nis', 'nds')\r\n | parse SyslogMessage with \"type=\" EventType \" audit(\" * \"): \" EventData\r\n | where EventType =~ \"AUOMS_EXECVE\"\r\n | project TimeGenerated, EventType, Computer, EventData\r\n | parse EventData with * \"syscall=\" syscall \" syscall_r=\" * \" success=\" success \" exit=\" exit \" a0\" * \" ppid=\" ppid \" pid=\" pid \" audit_user=\" audit_user \" auid=\" auid \" user=\" user \" uid=\" uid \" group=\" group \" gid=\" gid \"effective_user=\" effective_user \" euid=\" euid \" set_user=\" set_user \" suid=\" suid \" filesystem_user=\" filesystem_user \" fsuid=\" fsuid \" effective_group=\" effective_group \" egid=\" egid \" set_group=\" set_group \" sgid=\" sgid \" filesystem_group=\" filesystem_group \" fsgid=\" fsgid \" tty=\" tty \" ses=\" ses \" comm=\\\"\" comm \"\\\" exe=\\\"\" exe \"\\\"\" * \"cwd=\\\"\" cwd \"\\\"\" * \"name=\\\"\" name \"\\\"\" * \"cmdline=\\\"\" cmdline \"\\\" containerid=\" containerid\r\n | where comm has_any (\"wget\",\"curl\")\r\n | where cmdline has_any (\"${jndi:ldap\",\"${jndi:dns\",\"${jndi:rmi\",\"${jndi:corba\",\"${jndi:iiop\",\"${jndi:nis\", \"${jndi:nds\")\r\n | project TimeGenerated, Computer, audit_user, user, cmdline\r\n | extend AccountCustomEntity = user, HostCustomEntity = Computer, timestamp = TimeGenerated\r\n | sort by TimeGenerated desc",
"size": 0,
"title": "Possible exploitation of Apache log4j component detected",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "timeframe",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "query - 3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Syslog\r\n | where Facility == 'user'\r\n | where SyslogMessage has \"AUOMS_EXECVE\"\r\n | parse SyslogMessage with \"type=\" EventType \" audit(\" * \"): \" EventData\r\n | where EventType =~ \"AUOMS_EXECVE\"\r\n | parse EventData with * \"syscall=\" syscall \" syscall_r=\" * \" success=\" success \" exit=\" exit \" a0\" * \" ppid=\" ppid \" pid=\" pid \" audit_user=\" audit_user \" auid=\" auid \" user=\" user \" uid=\" uid \" group=\" group \" gid=\" gid \"effective_user=\" effective_user \" euid=\" euid \" set_user=\" set_user \" suid=\" suid \" filesystem_user=\" filesystem_user \" fsuid=\" fsuid \" effective_group=\" effective_group \" egid=\" egid \" set_group=\" set_group \" sgid=\" sgid \" filesystem_group=\" filesystem_group \" fsgid=\" fsgid \" tty=\" tty \" ses=\" ses \" comm=\\\"\" comm \"\\\" exe=\\\"\" exe \"\\\"\" * \"cwd=\\\"\" cwd \"\\\"\" * \"name=\\\"\" name \"\\\"\" * \"cmdline=\\\"\" cmdline \"\\\" containerid=\" containerid\r\n | where cmdline has_any (\"service apparmor stop\",\"service aliyun.service stop\",\"systemctl disable apparmor\",\"systemctl disable aliyun.service\")\r\n or (exe has \"pkill\" and cmdline has_any (\"omsagent\",\"auoms\",\"omiagent\",\"waagent\") and cmdline !has \"/omsagent/plugin/pi\"and cmdline !has \"/omsconfig/modules\")\r\n | project TimeGenerated, Computer, audit_user, user, cmdline\r\n | sort by TimeGenerated desc",
"size": 0,
"title": "Linux security related process termination activity detected",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "timeframe",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "query - 4"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Syslog\r\n | where Facility == 'user'\r\n | where SyslogMessage has \"AUOMS_EXECVE\"\r\n | parse SyslogMessage with \"type=\" EventType \" audit(\" * \"): \" EventData\r\n | where EventType =~ \"AUOMS_EXECVE\"\r\n | project TimeGenerated, EventType, Computer, EventData\r\n | parse EventData with * \"syscall=\" syscall \" syscall_r=\" * \" success=\" success \" exit=\" exit \" a0\" * \" ppid=\" ppid \" pid=\" pid \" audit_user=\" audit_user \" auid=\" auid \" user=\" user \" uid=\" uid \" group=\" group \" gid=\" gid \"effective_user=\" effective_user \" euid=\" euid \" set_user=\" set_user \" suid=\" suid \" filesystem_user=\" filesystem_user \" fsuid=\" fsuid \" effective_group=\" effective_group \" egid=\" egid \" set_group=\" set_group \" sgid=\" sgid \" filesystem_group=\" filesystem_group \" fsgid=\" fsgid \" tty=\" tty \" ses=\" ses \" comm=\\\"\" comm \"\\\" exe=\\\"\" exe \"\\\"\" * \"cwd=\\\"\" cwd \"\\\"\" * \"name=\\\"\" name \"\\\"\" * \"cmdline=\\\"\" cmdline \"\\\" containerid=\" containerid\r\n | where exe has_any (\"bash\",\"dash\")\r\n | where cmdline matches regex \"[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\"\r\n | where cmdline has \"curl\" and cmdline has \"wget\"\r\n | project TimeGenerated, Computer, audit_user, user, cmdline\r\n | extend AccountCustomEntity = user, HostCustomEntity = Computer, timestamp = TimeGenerated\r\n | sort by TimeGenerated desc",
"size": 0,
"title": "Suspicious Shell script detected",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "timeframe",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "query - 6"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Syslog\r\n | where Facility == 'user'\r\n | where SyslogMessage has \"AUOMS_EXECVE\"\r\n | parse SyslogMessage with \"type=\" EventType \" audit(\" * \"): \" EventData\r\n | project TimeGenerated, EventType, Computer, EventData\r\n | where EventType =~ \"AUOMS_EXECVE\"\r\n | parse EventData with * \"syscall=\" syscall \" syscall_r=\" * \" success=\" success \" exit=\" exit \" a0\" * \" ppid=\" ppid \" pid=\" pid \" audit_user=\" audit_user \" auid=\" auid \" user=\" user \" uid=\" uid \" group=\" group \" gid=\" gid \"effective_user=\" effective_user \" euid=\" euid \" set_user=\" set_user \" suid=\" suid \" filesystem_user=\" filesystem_user \" fsuid=\" fsuid \" effective_group=\" effective_group \" egid=\" egid \" set_group=\" set_group \" sgid=\" sgid \" filesystem_group=\" filesystem_group \" fsgid=\" fsgid \" tty=\" tty \" ses=\" ses \" comm=\\\"\" comm \"\\\" exe=\\\"\" exe \"\\\"\" * \"cwd=\\\"\" cwd \"\\\"\" * \"name=\\\"\" name \"\\\"\" * \"cmdline=\\\"\" cmdline \"\\\" containerid=\" containerid\r\n | where cmdline has \"/Basic/Command/Base64/\"\r\n | where exe has_any (\"curl\", \"wget\")\r\n | parse cmdline with * \"Base64/\" OriginalEncodedCommand:string\r\n | extend EncodedCommand = extract(\"((?:[A-Za-z0-9+/-]{4})*(?:[A-Za-z0-9+/-]{2}==|[A-Za-z0-9+/-]{3}=|[A-Za-z0-9+/-]{4}))\", 1, OriginalEncodedCommand) \r\n | extend DecodedCommand = base64_decode_tostring(EncodedCommand) \r\n | project TimeGenerated, Computer, audit_user, user, cmdline, DecodedCommand, EncodedCommand\r\n | extend AccountCustomEntity = user, HostCustomEntity = Computer, timestamp = TimeGenerated\r\n | sort by TimeGenerated desc",
"size": 0,
"title": "Suspicious Base64 download activity detected",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "timeframe",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"customWidth": "50",
"name": "query - 7"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "Syslog"
},
"name": "group - 5"
}
],
"fromTemplateId": "sentinel-Log4jWindsWorkbook",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}