Azure-Sentinel/Solutions/ContentHubSolutionsCatalog.md


Microsoft Sentinel Content Hub Solutions' Catalog

This file is a catalog of all solutions and standalone content templates that exist in the Microsoft Sentinel Content Hub along with a mapping of the content that exists in each solution package. The catalog in the xlsx format is available here.

Last Modified: 25-07-2023

Solution/Standalone Template Name Description Template Display Name Content Kind Template Description Package Type
42Crunch Microsoft Sentinel Connector APIs are increasingly the number one attack vector for adversaries due to their growing abundance and the ease of attacking them with automated scripts and tools. Most public APIs are under constant attack by skilled human adversaries and growing legions of bots. Well-designed, secure APIs are critical to mitigating the risk of attack, but it is essential to also actively monitor and defend your APIs, the front line of your perimeter, via direct integration into the SIEM and SOC. Using the 42Crunch Sentinel connector, you can quickly set up Sentinel to start ingesting logs from the 42Crunch micro-API Firewall directly into Log Analytics workspaces. With this integration you can: create alerts on common API error conditions; enrich API logs with threat intelligence data (e.g. known bad IPs); detect attack patterns of common adversarial tools (e.g. Kiterunner); understand common bot behaviors and evasion techniques; and identify key trends and patterns across all exposed APIs. API - BOLA AnalyticsRule 42Crunch API protection against BOLA Solution
API - Account Takeover AnalyticsRule 42Crunch API protection against account takeover Solution
API - Invalid host access AnalyticsRule 42Crunch API protection against invalid host access Solution
API - Anomaly Detection AnalyticsRule 42Crunch API protection anomaly detection Solution
API - Kiterunner detection AnalyticsRule 42Crunch API protection against Kiterunner enumeration Solution
API - Suspicious Login AnalyticsRule 42Crunch API protection against suspicious login Solution
API - Rate limiting AnalyticsRule 42Crunch API protection against rate limiting Solution
API - JWT validation AnalyticsRule 42Crunch API protection against JWT validation Solution
API - Rate limiting AnalyticsRule 42Crunch API protection against first-time access Solution
API - API Scraping AnalyticsRule 42Crunch API protection against API scraping Solution
API - Password Cracking AnalyticsRule 42Crunch API protection against password cracking Solution
API Protection DataConnector Connects the 42Crunch API protection to Azure Log Analytics via the REST API interface Solution
42Crunch API Protection Workbook Workbook Monitor and protect APIs using the 42Crunch API microfirewall Solution
Abnormal Security Events The Abnormal Security data connector provides the capability to ingest threat and case logs into Microsoft Sentinel using the Abnormal Security REST API. AbnormalSecurity (using Azure Function) DataConnector The Abnormal Security data connector provides the capability to ingest threat and case logs into Microsoft Sentinel using the Abnormal Security REST API. Solution
ARGOS Cloud Security ARGOS integrates into Microsoft Sentinel, allowing ingestion of security events into Sentinel. All potential cloud security issues (misconfigurations, publicly exposed assets, overly permissive identities, etc.) are sent into your Sentinel workspace for quick and easy triaging and correlation with other events. Completely agentless deployment allows for fast and simple onboarding of your cloud environment, on average in less than 20 minutes. Configuration of this Sentinel integration is done in just a few clicks. For more information read the integrations FAQ. ARGOS Cloud Security - Exploitable Cloud Resources AnalyticsRule Exploitable cloud security issues are ones that expose cloud resources to the internet and allow initial access to your environment. Solution
ARGOS Cloud Security DataConnector The ARGOS Cloud Security integration for Microsoft Sentinel allows you to have all your important cloud security events in one place. This enables you to easily create dashboards, alerts, and correlate events across multiple systems. Overall this will improve your organization's security posture and security incident response. Solution
ARGOS Cloud Security Workbook The ARGOS Cloud Security integration for Microsoft Sentinel allows you to have all your important cloud security events in one place. Solution
Arista NDR The Arista NDR and Microsoft Sentinel integration sends detection model matches from the Arista NDR Platform to Microsoft Sentinel. Through this integration threats can be remediated faster using the power of network detection and response. Investigation time and effort are reduced with increased visibility, especially into unmanaged users, devices and applications on your network. The solution offers network security-focused custom alerts, incidents and workbooks that align with Microsoft Sentinel workflows. Data Connectors: 1, Workbooks: 1, Analytic Rules: 3 Awake Security - High Match Counts By Device AnalyticsRule This query searches for devices with an unexpectedly large number of activity matches. Solution
Awake Security - High Severity Matches By Device AnalyticsRule This query searches for devices with high severity event(s). Solution
Awake Security - Model With Multiple Destinations AnalyticsRule This query searches for devices with multiple possibly malicious destinations. Solution
Awake Security DataConnector The Awake Security CEF connector allows users to send detection model matches from the Awake Security Platform to Microsoft Sentinel. Remediate threats quickly with the power of network detection and response and speed up investigations with deep visibility especially into unmanaged entities including users, devices and applications on your network. The connector also enables the creation of network security-focused custom alerts, incidents, workbooks and notebooks that align with your existing security operations workflows. Solution
Arista Awake Workbook Sets the time name for analysis Solution
Armorblox Armorblox is an API-based cloud office security platform that helps your organization communicate more securely over email and other productivity applications. Powered by Natural Language Understanding (NLU), Armorblox protects Office 365 and Exchange customers from targeted phishing attacks and sensitive data loss over email. Armorblox capabilities: Protect against targeted email scams such as spear phishing, business email compromise (BEC), payroll fraud, impersonation, vendor invoice fraud, and other payloadless attacks. Protect against email account compromise (EAC): Armorblox detects 0-day credential phishing attempts and a host of anomalous signals that portend EAC (unusual mail forwarding rules, impossible travel, mail deletion rules, etc.); user accounts that have potentially been compromised can be locked remotely to contain risk. Stop zero-day credential phishing attacks (e.g. fake Office 365 login pages): Armorblox detects fake login pages using computer vision techniques, scans email bodies and attachments for suspicious URLs, and decodes URLs rewritten by other security solutions to follow them to their final destination. Automate phishing mailbox remediation to reduce response times for user-reported email threats by over 90%: Armorblox analyzes every email reported to a customer's phishing mailbox, automatically remediates emails across user mailboxes, and learns from security team actions to get better with time. Measure data loss exposure by detecting sensitive PII (like SSNs, tax numbers), PCI (like bank account and routing numbers) and unencrypted passwords shared over email. Leverage out-of-the-box policies that automatically classify attacks and data loss violations, eliminating the need for custom policy creation and maintenance. Armorblox Needs Review Alert AnalyticsRule This rule generates an alert for an Armorblox incident where the remediation action is "Needs Review". Solution
Armorblox (using Azure Function) DataConnector The Armorblox data connector provides the capability to ingest incidents from your Armorblox instance into Microsoft Sentinel through the REST API. The connector retrieves events that help you examine potential security risks, and more. Solution
Needs-Review-Incident-Email-Notification Playbook This playbook will send an email notification when a new incident is created in Microsoft Sentinel. Solution
Armorblox Workbook INCIDENTS FROM SELECTED TIME RANGE Solution
Proofpoint TAP The Proofpoint TAP solution for Microsoft Sentinel enables you to ingest Proofpoint TAP logs into Microsoft Sentinel. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor HTTP Data Collector API; b. Azure Functions. Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 2, Custom Azure Logic Apps Connectors: 1, Playbooks: 3 Malware attachment delivered AnalyticsRule This query identifies a message containing a malware attachment that was delivered. Solution
Malware Link Clicked AnalyticsRule This query identifies a user clicking on an email link whose threat category is classified as malware. Solution
Proofpoint TAP (using Azure Function) DataConnector The Proofpoint Targeted Attack Protection (TAP) connector provides the capability to ingest Proofpoint TAP logs and events into Microsoft Sentinel. The connector provides visibility into Message and Click events in Microsoft Sentinel to view dashboards, create custom alerts, and to improve monitoring and investigation capabilities. Solution
LogicAppsCustomConnector Solution
ProofpointTAPEvent Parser Solution
Get-ProofpointTapEvents Playbook This playbook ingests events from Proofpoint TAP into Log Analytics/Microsoft Sentinel. Solution
ProofpointTAP-AddForensicsInfoToIncident Playbook Once a new Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Gets forensics by the campaignId provided in the alert custom entities. 2. Enriches the incident with the forensics info. Solution
ProofpointTAP-CheckAccountInVAP Playbook Once a new Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Gets Very Attacked People (VAP) for the latest 14 days. 2. Enriches the incident with information on whether the incident's users are in the VAP list and changes the incident severity. Solution
Proofpoint TAP Workbook Gain extensive insight into Proofpoint Targeted Attack Protection (TAP) by analyzing, collecting and correlating TAP log events. This workbook provides visibility into message and click events that were permitted, delivered, or blocked. Solution
Proofpoint On demand (POD) Email Security The Proofpoint on Demand Email Security solution for Microsoft Sentinel enables you to ingest Proofpoint on Demand Email Protection data and activity logs for monitoring email activity, events and threats in your organization. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor HTTP Data Collector API; b. Azure Functions. Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 8, Hunting Queries: 10 ProofpointPOD - Email sender in TI list AnalyticsRule Email sender in TI list. Solution
ProofpointPOD - Weak ciphers AnalyticsRule Detects when weak TLS ciphers are used. Solution
ProofpointPOD - Email sender IP in TI list AnalyticsRule Email sender IP in TI list. Solution
ProofpointPOD - Possible data exfiltration to private email AnalyticsRule Detects when a sender sent email to a non-corporate domain and the recipient's username is the same as the sender's username. Solution
ProofpointPOD - Multiple archived attachments to the same recipient AnalyticsRule Detects when multiple emails with large archived attachments were sent to the same recipient. Solution
ProofpointPOD - High risk message not discarded AnalyticsRule Detects when an email with a high risk score was not rejected or discarded by filters. Solution
ProofpointPOD - Multiple large emails to the same recipient AnalyticsRule Detects when multiple large emails were sent to the same recipient. Solution
ProofpointPOD - Binary file in attachment AnalyticsRule Detects when an email is received with a binary file as an attachment. Solution
ProofpointPOD - Suspicious attachment AnalyticsRule Detects when an email contains a suspicious attachment (by file type). Solution
ProofpointPOD - Multiple protected emails to unknown recipient AnalyticsRule Detects when multiple protected messages were sent to a recipient not seen before. Solution
Proofpoint On Demand Email Security (using Azure Functions) DataConnector The Proofpoint On Demand Email Security data connector provides the capability to get Proofpoint on Demand Email Protection data, allowing users to check message traceability and to monitor email activity, threats, and data exfiltration by attackers and malicious insiders. The connector lets you review events in your org on an accelerated basis, retrieving event log files in hourly increments for recent activity. Solution
ProofpointPOD - Emails with high score of 'adult' filter classifier value HuntingQuery Solution
ProofpointPOD - Suspicious file types in attachments HuntingQuery Solution
ProofpointPOD - Emails with high score of 'phish' filter classifier value HuntingQuery Solution
ProofpointPOD - Senders with large number of corrupted messages HuntingQuery Solution
ProofpointPOD - Emails with high score of 'suspect' filter classifier value HuntingQuery Solution
ProofpointPOD - Recipients with large number of corrupted emails HuntingQuery Solution
ProofpointPOD - Emails with high score of 'spam' filter classifier value HuntingQuery Solution
ProofpointPOD - Recipients with high number of discarded or rejected emails HuntingQuery Solution
ProofpointPOD - Large size outbound emails HuntingQuery Solution
ProofpointPOD - Emails with high score of 'malware' filter classifier value HuntingQuery Solution
ProofpointPOD Data Parser Parser Solution
Proofpoint On-Demand Email Security Workbook Gain insights into your Proofpoint on Demand Email Security activities, including maillog and messages data. The Workbook provides users with an executive dashboard showing the reporting capabilities, message traceability and monitoring. Solution
Qualys VM The Qualys Vulnerability Management solution for Microsoft Sentinel enables you to ingest host vulnerability detection data into Microsoft Sentinel. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor HTTP Data Collector API; b. Azure Functions. Data Connectors: 1, Workbooks: 1, Analytic Rules: 2, Custom Azure Logic Apps Connectors: 1, Playbooks: 4 High Number of Urgent Vulnerabilities Detected AnalyticsRule This creates an incident when a host has a high number of Urgent (severity 5) vulnerabilities detected. Solution
New High Severity Vulnerability Detected Across Multiple Hosts AnalyticsRule This creates an incident when a new high severity vulnerability is detected across multiple hosts. Solution
Qualys Vulnerability Management (using Azure Functions) DataConnector The Qualys Vulnerability Management (VM) data connector provides the capability to ingest vulnerability host detection data into Microsoft Sentinel through the Qualys API. The connector provides visibility into host detection data from vulnerability scans. This connector gives Microsoft Sentinel the capability to view dashboards, create custom alerts, and improve investigation. Solution
LogicAppsCustomConnector Solution
QualysVM-GetAssetDetails Playbook When a new Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Gets IP addresses from the incident. 2. Gets asset details for all IP addresses. 3. Adds the asset details as a comment to the incident. Solution
QualysVM-GetAssets-ByCVEID Playbook When a new Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Gets CVE IDs from the incident. 2. Creates a Dynamic Search List with the CVE IDs as filter criteria. 3. Generates the vulnerability report based on the Dynamic Search List. 4. Downloads the report and stores it in blob storage. This report has details about the assets which are vulnerable to the CVE. 5. Adds the link to the report as a comment to the incident. Solution
QualysVM-GetAssets-ByOpenPort Playbook When a new Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Gets the port from the incident (only one port). 2. Searches the Qualys platform and gets the count of assets with the open port. 3. Searches the Qualys platform and gets the asset details as well (limited to 50 assets, since an incident comment has a limitation of 30000 characters). 4. Combines both results. 5. Adds the info as a comment to the incident. Solution
QualysVM-LaunchVMScan-GenerateReport Playbook When a new Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Gets IP addresses from the incident. 2. Scans the IP addresses with the Qualys scanner. 3. Generates the scan report. 4. Downloads the report and stores it in blob storage. 5. Adds the link to the report as a comment to the incident. Solution
Qualys Vulnerability Management Workbook Gain insight into Qualys Vulnerability Management by analyzing, collecting and correlating vulnerability data. This workbook provides visibility into vulnerabilities detected from vulnerability scans Solution
AbuseIPDB The AbuseIPDB solution for Microsoft Sentinel allows you to check the reputation of IP addresses in log data and perform automated actions such as enriching a Microsoft Sentinel incident with IP reputation information, adding blacklisted IP addresses to the ThreatIntelligenceIndicator table, and reporting IPs to AbuseIPDB based on a user response in Teams. Custom Azure Logic Apps Connectors: 1, Playbooks: 3 LogicAppsCustomConnector Solution
AbuseIPDB Blacklist Ip To Threat Intelligence Playbook On a daily recurrence, this playbook gets triggered and performs the following actions: 1. Gets the list of the most reported IP addresses from the Blacklist endpoint. Solution
AbuseIPDB Enrich Incident By IP Info Playbook Once a new Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Gets information from AbuseIPDB for the IPs provided in the alert custom entities. 2. Enriches the incident with the obtained info. Solution
AbuseIPDB Report a IPs To AbuselPDB After Checking By User In MSTeams Playbook When a new Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Sends an adaptive card to the Teams channel where the analyst can choose an action to be taken. Solution
Akamai Security The Akamai Security solution for Microsoft Sentinel enables ingestion of Akamai Security Solutions events using the Common Event Format (CEF) into Microsoft Sentinel for security monitoring. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Common Event Format (CEF) formatted logs in Microsoft Sentinel. Data Connectors: 1, Parsers: 1 Akamai Security Events DataConnector The Akamai solution for Sentinel provides the capability to ingest Akamai Security Events into Microsoft Sentinel. Refer to the Akamai SIEM Integration documentation for more information. Solution
AkamaiSIEMEvent Parser Solution
Alibaba Cloud The Alibaba Cloud solution provides the capability to retrieve logs from cloud applications using the Cloud API and store events in Microsoft Sentinel through the REST API. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor HTTP Data Collector API; b. Azure Functions. Data Connectors: 1, Parsers: 1 AliCloud (using Azure Functions) DataConnector The AliCloud data connector provides the capability to retrieve logs from cloud applications using the Cloud API and store events in Microsoft Sentinel through the REST API. The connector retrieves events that help you examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more. Solution
AliCloud Parser Solution
Amazon Web Services The Amazon Web Services solution for Microsoft Sentinel allows you to enable security monitoring of AWS services by ingesting logs from AWS CloudTrail, VPC Flow Logs, AWS GuardDuty and AWS CloudWatch. Data Connectors: 2, Workbooks: 2, Analytic Rules: 54, Hunting Queries: 36 S3 object publicly exposed AnalyticsRule Detected an S3 bucket that is publicly exposed, which could lead to sensitive information leakage to the public. Verify the S3 object configurations. Solution
Successful API executed from a Tor exit node AnalyticsRule A successful API execution was detected from an IP address categorized as a Tor exit node by Threat Intelligence. Solution
NRT Login to AWS Management Console without MFA AnalyticsRule Multi-Factor Authentication (MFA) helps you prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA. You can limit this detection to trigger only for administrative accounts if you do not have MFA enabled on all accounts. The detection looks for eventName ConsoleLogin where the AdditionalEventData field indicates MFA was NOT used and the ResponseElements field indicates NOT a Failure, i.e. a successful non-MFA login. Solution
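The three conditions in that rule description can be replayed against raw CloudTrail outside Sentinel. The Python below is an added example written for this page, not the solution's own KQL rule: it applies the same logic (eventName ConsoleLogin, additionalEventData.MFAUsed not Yes, responseElements.ConsoleLogin not Failure) to a handful of constructed CloudTrail records, and adds the tuning knob a practitioner usually ends up needing, an optional exclusion for federated sign-ins, which CloudTrail typically records with MFAUsed No because the MFA step happened at the identity provider. The sample records and the function names are assumptions, not content of the Content Hub package.

```python
import json


def _nested(value):
    """CloudTrail nests these fields as JSON objects; SIEM copies (including the
    AWSCloudTrail table) often carry them as JSON strings. Accept both."""
    if isinstance(value, str):
        try:
            return json.loads(value)
        except json.JSONDecodeError:
            return {}
    return value or {}


def is_console_login_without_mfa(record, ignore_federated=False):
    """Apply the rule's conditions to one CloudTrail record: eventName ConsoleLogin,
    additionalEventData.MFAUsed not "Yes", responseElements.ConsoleLogin not "Failure"."""
    if record.get("eventName") != "ConsoleLogin":
        return False
    mfa_used = str(_nested(record.get("additionalEventData")).get("MFAUsed", "")).lower()
    outcome = str(_nested(record.get("responseElements")).get("ConsoleLogin", "")).lower()
    if outcome == "failure" or mfa_used == "yes":
        return False
    # Federated (SSO) sign-ins arrive as AssumedRole with MFAUsed "No": any MFA
    # happened at the identity provider, where CloudTrail cannot see it. Excluding
    # them removes a standing false positive but also hides an IdP that does not
    # enforce MFA, so this is a tuning choice rather than a default.
    if ignore_federated and _nested(record.get("userIdentity")).get("type") == "AssumedRole":
        return False
    return True


def find_non_mfa_console_logins(records, ignore_federated=False):
    """Return the principal ARNs behind successful console logins made without MFA."""
    return [
        _nested(r.get("userIdentity")).get("arn", "<unknown>")
        for r in records
        if is_console_login_without_mfa(r, ignore_federated)
    ]


# Constructed sample records (assumed data, not real exports); field names follow
# the CloudTrail ConsoleLogin event shape.
SAMPLE_RECORDS = [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication"},
    # SIEM-style copy: nested fields serialised as strings, federated principal.
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/SSO-Admin/carol"},
     "additionalEventData": json.dumps({"MFAUsed": "No"}),
     "responseElements": json.dumps({"ConsoleLogin": "Success"})},
    {"eventName": "GetCallerIdentity", "eventSource": "sts.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"}},
]

if __name__ == "__main__":
    for arn in find_non_mfa_console_logins(SAMPLE_RECORDS):
        print("non-MFA console login:", arn)
```

Run as-is the script reports alice and the federated SSO-Admin session; with ignore_federated=True only alice remains, which is the trade-off described in the comment: quieter, but blind to an IdP that lets users in without MFA.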
Privilege escalation with AdministratorAccess managed policy AnalyticsRule Detected usage of AttachUserPolicy/AttachGroupPolicy/AttachRolePolicy on AdministratorAccess managed policy. Attackers could use these events for privilege escalation. Verify these actions with the user. Solution
Automatic image scanning disabled for ECR AnalyticsRule Image Scanning for ECR was disabled, which could lead to missing vulnerable container images in your environment. Attackers could disable the Image Scanning for defense evasion purposes. Solution
Suspicious command sent to EC2 AnalyticsRule An attacker with the necessary permissions could be executing code remotely on a machine and saving the output to their own S3 bucket. Verify this action with the user identity. Solution
Creation of CRUD Lambda policy and then privilege escalation AnalyticsRule Detected creation of new CRUD Lambda policy and usage of the attach policy events (AttachUserPolicy/AttachRolePolicy/AttachGroupPolicy). This might indicate a privilege escalation technique that attackers could use. Solution
Successful brute force attack on S3 Bucket. AnalyticsRule A successful brute force attack on an S3 bucket was detected. Verify these actions, and if needed, remediate the compromise. Solution
Monitor AWS Credential abuse or hijacking AnalyticsRule Looks for GetCallerIdentity events where the UserIdentity type is AssumedRole. An attacker who has assumed the role of a legitimate account can call GetCallerIdentity to determine what account they are using; a legitimate user using legitimate credentials would not normally need to call GetCallerIdentity, since they should already know what account they are using. More information: https://duo.com/decipher/trailblazer-hunts-compromised-credentials-in-aws and the AWS STS GetCallerIdentity API: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html Solution
Privilege escalation via Glue policy AnalyticsRule Detected usage of AttachUserPolicy/AttachGroupPolicy/AttachRolePolicy on Glue policy. Attackers could use these operations for privilege escalation. Verify these actions with the user. Solution
S3 bucket exposed via policy AnalyticsRule Detected an S3 bucket publicly exposed via policy, which could lead to sensitive information leakage to the public. Verify the S3 object configurations. Solution
Creating keys with encrypt policy without MFA AnalyticsRule Detection of KMS keys where the action kms:Encrypt is accessible to everyone (also outside of your organization). This is an indicator that your account is compromised and the attacker is using the encryption key to compromise another company. Solution
Created CRUD S3 policy and then privilege escalation AnalyticsRule Detected creation of new CRUD S3 policy and afterwards used one of the attach policy operations (AttachUserPolicy/AttachRolePolicy/AttachGroupPolicy). This might indicate a privilege escalation technique that attackers could use. Solution
Privilege escalation via DataPipeline policy AnalyticsRule Detected usage of AttachUserPolicy/AttachGroupPolicy/AttachRolePolicy on Datapipeline policy. Attackers could use these operations for privilege escalation. Verify these actions with the user. Solution
Privilege escalation with admin managed policy AnalyticsRule Detected usage of AttachUserPolicy/AttachGroupPolicy/AttachRolePolicy on admin managed policy. Attackers could use these operations for privilege escalation. Verify these actions with the user. Solution
Changes to AWS Security Group ingress and egress settings AnalyticsRule A Security Group acts as a virtual firewall for an instance to control inbound and outbound traffic. Hence, ingress and egress settings changes to an AWS Security Group should be monitored, as these can expose the environment to new attack vectors. More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255. Solution
Creation of Glue policy and then privilege escalation AnalyticsRule Detected creation of a new Glue policy and usage of one of the attach policy operations (AttachUserPolicy/AttachRolePolicy/AttachGroupPolicy). This might indicate a privilege escalation technique that attackers could use. Solution
Creation of DataPipeline policy and then privilege escalation. AnalyticsRule Detected creation of new Datapipeline policy and usage of the attach policy operations (AttachUserPolicy/AttachRolePolicy/AttachGroupPolicy). This might indicate a privilege escalation technique that attackers could use. Solution
Suspicious overly permessive KMS key policy created AnalyticsRule An overly permissive key policy was created, resulting in KMS keys where the kms:Encrypt action is accessible to everyone (even outside of the organization). This could mean that your account is compromised and that the attacker is using the encryption key to compromise other organizations. Solution
Changes made to AWS CloudTrail logs AnalyticsRule Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity. This alert identifies any manipulation of AWS CloudTrail, CloudWatch/EventBridge or VPC Flow logs. More information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html AWS CloudWatch/EventBridge API: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html AWS DeleteFlowLogs API: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html Solution
Changes to Amazon VPC settings AnalyticsRule Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. This identifies changes to Amazon VPC settings such as new ACL entries, routes, route tables or gateways. More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 and AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html Solution
S3 bucket exposed via ACL AnalyticsRule Detected an S3 bucket publicly exposed via ACL, which could lead to sensitive information leakage to the public. Verify the S3 object configurations. Solution
Creation of CRUD DynamoDB policy and then privilege escalation. AnalyticsRule Detected creation of new CRUD DynamoDB policy and usage of one of the attach policy operations (AttachUserPolicy/AttachRolePolicy/AttachGroupPolicy). This might indicate a privilege escalation technique that attackers could use. Solution
Privilege escalation via CloudFormation policy AnalyticsRule Detected usage of AttachUserPolicy/AttachGroupPolicy/AttachRolePolicy on CloudFormation policy. Attackers could use these events for privilege escalation. Verify these actions with the user. Solution
SSM document is publicly exposed AnalyticsRule Detected a SSM document that is publicly exposed, which could lead to sensitive information leakage to the public. Verify the object configurations. Solution
Creation of Lambda policy and then privilege escalation AnalyticsRule Detected creation of new Lambda policy and usage of one of the attach policy operations (AttachUserPolicy/AttachRolePolicy/AttachGroupPolicy). This might indicate a privilege escalation technique that attackers could use. Solution
Full Admin policy created and then attached to Roles, Users or Groups AnalyticsRule Identity and Access Management (IAM) securely manages access to AWS services and resources. This identifies when a policy is created with full administrator access (Effect: Allow, Action: * (all actions), Resource: * (all resources)). Such a policy can be attached to a role, user or group and may be used by an adversary to escalate a normal user's privileges to an administrative level. AWS IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html and AWS IAM API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html Solution
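What such a policy document looks like inside the CloudTrail event, and how to spot it at the creation step before anything is attached, is shown by the following added example. It is Python written for this page, not the Content Hub rule (which is KQL): it pulls requestParameters.policyDocument from the IAM policy write events, URL-decodes it (CloudTrail percent-encodes that field, so a plain JSON parse of the raw value fails), normalises the string-or-list forms the IAM policy grammar allows for Statement, Action and Resource, and flags any statement with Effect Allow, Action * and Resource *. The sample records are constructed and the function names are assumptions.

```python
import json
from urllib.parse import unquote

# IAM write events whose requestParameters carry a policy document.
POLICY_WRITE_EVENTS = {
    "CreatePolicy", "CreatePolicyVersion",
    "PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
}


def _as_list(value):
    """IAM policy grammar allows a single string or a list for Statement,
    Action and Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _nested(value):
    """requestParameters is a JSON object in raw CloudTrail and often a JSON
    string in SIEM copies. Accept both."""
    if isinstance(value, str):
        return json.loads(value)
    return value or {}


def extract_policy_document(record):
    """Return the parsed policy document from an IAM policy write event, or None.
    CloudTrail percent-encodes requestParameters.policyDocument, so it must be
    URL-decoded before it parses as JSON."""
    if record.get("eventSource") != "iam.amazonaws.com":
        return None
    if record.get("eventName") not in POLICY_WRITE_EVENTS:
        return None
    doc = _nested(record.get("requestParameters")).get("policyDocument")
    if isinstance(doc, str):
        doc = json.loads(unquote(doc))
    return doc


def statement_is_full_admin(stmt):
    """Effect Allow with Action * (or *:*) on Resource * is the pattern the rule
    describes. A Condition block is deliberately not treated as mitigating:
    such statements still deserve review."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = {str(a).strip() for a in _as_list(stmt.get("Action"))}
    resources = {str(r).strip() for r in _as_list(stmt.get("Resource"))}
    return bool(actions & {"*", "*:*"}) and "*" in resources


def find_full_admin_policy_writes(records):
    """Return (eventName, policy name or ARN, principal ARN) for every record that
    writes a policy document containing a full-admin statement."""
    findings = []
    for rec in records:
        doc = extract_policy_document(rec)
        if not doc:
            continue
        statements = [s for s in _as_list(doc.get("Statement")) if isinstance(s, dict)]
        if any(statement_is_full_admin(s) for s in statements):
            params = _nested(rec.get("requestParameters"))
            name = params.get("policyName") or params.get("policyArn") or "<unknown>"
            findings.append((rec["eventName"], name, _nested(rec.get("userIdentity")).get("arn")))
    return findings


# Constructed sample records (assumed data, not real exports).
SAMPLE_RECORDS = [
    # Managed policy with an unrestricted statement; policyDocument percent-encoded
    # the way CloudTrail emits it.
    {"eventSource": "iam.amazonaws.com", "eventName": "CreatePolicy",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {
         "policyName": "ops-helper",
         "policyDocument": "%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B"
                           "%22Effect%22%3A%22Allow%22%2C%22Action%22%3A%22%2A%22%2C"
                           "%22Resource%22%3A%22%2A%22%7D%5D%7D"}},
    # Inline role policy scoped to one bucket: not flagged.
    {"eventSource": "iam.amazonaws.com", "eventName": "PutRolePolicy",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/bob"},
     "requestParameters": {
         "roleName": "app-role", "policyName": "read-bucket",
         "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": {
             "Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": "arn:aws:s3:::app-bucket/*"}})}},
    # New default version of an existing managed policy, list-valued wildcards,
    # requestParameters serialised as a string (SIEM-style).
    {"eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/ci/deploy"},
     "requestParameters": json.dumps({
         "policyArn": "arn:aws:iam::111111111111:policy/ci-deploy", "setAsDefault": True,
         "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
             {"Effect": "Allow", "Action": ["*"], "Resource": ["*"]}]})})},
    # Explicit Deny on everything grants nothing: not flagged.
    {"eventSource": "iam.amazonaws.com", "eventName": "PutUserPolicy",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/carol"},
     "requestParameters": {
         "userName": "carol", "policyName": "deny-all",
         "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
             {"Effect": "Deny", "Action": "*", "Resource": "*"}]})}},
]

if __name__ == "__main__":
    for event, policy, actor in find_full_admin_policy_writes(SAMPLE_RECORDS):
        print(f"{event}: {policy} written by {actor}")
```

Two of the four records are reported: the percent-encoded CreatePolicy and the CreatePolicyVersion whose wildcards are lists. Covering CreatePolicyVersion matters because an existing, already-attached policy can be turned into full admin without any Attach*Policy call ever appearing in the trail.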
Policy version set to default AnalyticsRule An attacker with SetDefaultPolicyVersion permissions could escalate privileges through existing policy versions that are not currently in use. More about this API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_SetDefaultPolicyVersion.html Solution
Creation of new CRUD IAM policy and then privilege escalation. AnalyticsRule Detected creation of new CRUD IAM policy and usage of one of the attach policy operations (AttachUserPolicy/AttachRolePolicy/AttachGroupPolicy). This might indicate a privilege escalation technique that attackers could use. Solution
Changes to internet facing AWS RDS Database instances AnalyticsRule Amazon Relational Database Service (RDS) is a scalable relational database in the cloud. If your organization has one or more AWS RDS databases running, monitor changes to them, especially to internet-facing instances. Once alerts trigger, validate that the observed changes are authorized and adhere to the change control policy. More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 and RDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html Solution
Privilege escalation via Lambda policy AnalyticsRule Detected usage of AttachUserPolicy/AttachGroupPolicy/AttachRolePolicy on Lambda policy. Attackers could use these operations for privilege escalation. Verify these actions with the user. Solution
Creation of CRUD KMS policy and then privilege escalation AnalyticsRule Detected creation of new CRUD KMS policy and usage of one of the attach policy operations (AttachUserPolicy/AttachRolePolicy/AttachGroupPolicy). This might indicate a privilege escalation technique that attackers could use. Solution
RDS instance publicly exposed AnalyticsRule Detected publicly exposed RDS instance, which could lead to a leakage of sensitive data. Solution
GuardDuty detector disabled or suspended AnalyticsRule GuardDuty Detector was disabled or suspended, possibly by an attacker trying to avoid detection of their malicious activities. Verify with the user identity that this activity is legitimate. Solution
Privilege escalation via EC2 policy AnalyticsRule Detected usage of AttachUserPolicy/AttachGroupPolicy/AttachRolePolicy on EC2 policy. Attackers could use these operations for privilege escalation. Verify these actions with the user. Solution
Creation of EC2 policy and then privilege escalation AnalyticsRule Detected creation of new EC2 policy and subsequent usage of one of the attach policy operations (AttachUserPolicy/AttachRolePolicy/AttachGroupPolicy). This might indicate a privilege escalation technique that attackers could use. Solution
Creation of SSM policy and then privilege escalation AnalyticsRule Detected creation of new SSM policy and subsequent usage of one of the attach policy operations (AttachUserPolicy/AttachRolePolicy/AttachGroupPolicy). This might indicate a privilege escalation technique that attackers could use. Solution
Privilege escalation with FullAccess managed policy AnalyticsRule Detected usage of AttachUserPolicy/AttachGroupPolicy/AttachRolePolicy on FullAccess managed policy. Attackers could use these operations for privilege escalation. Verify these actions with the user. Solution
S3 bucket suspicious ransomware activity AnalyticsRule Suspicious S3 bucket activity indicating ransomware was detected. An attacker might download all the objects in a compromised S3 bucket, encrypt them with their own key, then upload them back to the same bucket, overwriting the existing ones. Solution
S3 bucket access point publicly exposed AnalyticsRule Detected S3 bucket publicly exposed via access point, which could lead to sensitive information leakage to the public. Verify the S3 object configurations. Solution
Privilege escalation via CRUD DynamoDB policy AnalyticsRule Detected usage of AttachUserPolicy/AttachGroupPolicy/AttachRolePolicy on CRUD DynamoDB policy. Attackers could use these operations for privilege escalation. Verify these actions with the user. Solution
SAML update identity provider AnalyticsRule Attackers could update the SAML provider in order to create unauthorized but valid tokens and represent them to services that trust SAML tokens from the environment. These tokens can then be used to access resources. More about this API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html Solution
AWS Guard Duty Alert AnalyticsRule Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. This template creates an alert for each Amazon GuardDuty finding. Solution
Privilege escalation via SSM policy AnalyticsRule Detected usage of AttachUserPolicy/AttachGroupPolicy/AttachRolePolicy on SSM Policy. Attackers could use these operations for privilege escalation. Verify these actions with the user. Solution
Changes to AWS Elastic Load Balancer security groups AnalyticsRule Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications. Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring. More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 and https://aws.amazon.com/elasticloadbalancing/. Solution
Privilege escalation via CRUD Lambda policy AnalyticsRule Detected usage of AttachUserPolicy/AttachGroupPolicy/AttachRolePolicy on CRUD Lambda policy. Attackers could use these operations for privilege escalation. Verify these actions with the user. Solution
Login to AWS Management Console without MFA AnalyticsRule Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA. You can limit this detection to trigger for administrative accounts if you do not have MFA enabled on all accounts. This is done by looking at the eventName ConsoleLogin and checking whether the AdditionalEventData field indicates MFA was NOT used and the ResponseElements field indicates NOT a Failure, thereby indicating that a non-MFA login was successful. Solution
Privilege escalation via CRUD KMS policy AnalyticsRule Detected usage of AttachUserPolicy/AttachGroupPolicy/AttachRolePolicy on CRUD KMS policy. Attackers could use these operations for privilege escalation. Verify these actions with the user. Solution
Privilege escalation via CRUD IAM policy AnalyticsRule Detected usage of AttachUserPolicy/AttachGroupPolicy/AttachRolePolicy on CRUD IAM policy. Attackers could use these operations for privilege escalation. Verify these actions with the user. Solution
CloudFormation policy created then used for privilege escalation AnalyticsRule Detected creation of new CloudFormation policy and usage of one of the attach policy events (AttachUserPolicy/AttachRolePolicy/AttachGroupPolicy). This might indicate a privilege escalation technique that attackers could use. Solution
ECR image scan findings high or critical AnalyticsRule AWS ECR Image scan detected critical or high-severity vulnerabilities in your container image. Solution
Network ACL with all the open ports to a specified CIDR AnalyticsRule Detected network ACL with all the ports open to a specified CIDR. This could lead to potential lateral movements or initial access attacks. Make sure to mitigate this risk. Solution
Privilege escalation via CRUD S3 policy AnalyticsRule Detected usage of AttachUserPolicy/AttachGroupPolicy/AttachRolePolicy on CRUD S3 policy. Attackers could use these operations for privilege escalation. Verify these actions with the user. Solution
Amazon Web Services DataConnector Follow these instructions to connect to AWS and stream your CloudTrail logs into Microsoft Sentinel. Solution
Amazon Web Services S3 DataConnector This connector allows you to ingest AWS service logs, collected in AWS S3 buckets, to Microsoft Sentinel. The currently supported data types are: * AWS CloudTrail * VPC Flow Logs * AWS GuardDuty Solution
Modification of subnet attributes HuntingQuery Solution
Suspicious activity of STS token related to Glue HuntingQuery Solution
Privileged role attached to Instance HuntingQuery Solution
Failed brute force on S3 bucket HuntingQuery Solution
IAM assume role policy brute force HuntingQuery Solution
Lambda UpdateFunctionCode HuntingQuery Solution
S3 bucket has been deleted HuntingQuery Solution
Modification of route-table attributes HuntingQuery Solution
New AccessKey created for Root user HuntingQuery Solution
Suspicious activity of STS Token related to Kubernetes worker node HuntingQuery Solution
Bucket versioning suspended HuntingQuery Solution
Network ACL deleted HuntingQuery Solution
CreateLoginProfile detected HuntingQuery Solution
ECR image scan findings medium HuntingQuery Solution
Suspicious credential token access of valid IAM Roles HuntingQuery Solution
Suspicious activity of STS token related to ECS HuntingQuery Solution
S3 bucket encryption modified HuntingQuery Solution
Suspicious activity of STS token related to Lambda HuntingQuery Solution
Risky role name created HuntingQuery Solution
Lambda layer imported from external account HuntingQuery Solution
IAM AccessDenied discovery events HuntingQuery Solution
Suspicious EC2 launched without a key pair HuntingQuery Solution
Suspicious activity of STS token related to EC2 HuntingQuery Solution
Login profile updated HuntingQuery Solution
New access key created to user HuntingQuery Solution
Modification of vpc attributes HuntingQuery Solution
ECR image scan findings low HuntingQuery Solution
RDS instance master password changed HuntingQuery Solution
Multiple failed login attempts to an existing user without MFA HuntingQuery Solution
Excessive execution of discovery events HuntingQuery Solution
Changes made to AWS IAM objects HuntingQuery Solution
Lambda function throttled HuntingQuery Solution
Changes made to AWS IAM policy HuntingQuery Solution
Unused or Unsupported Cloud Regions HuntingQuery Solution
IAM Privilege Escalation by Instance Profile attachment HuntingQuery Solution
CreatePolicyVersion with excessive permissions HuntingQuery Solution
AWS Network Activities Workbook Gain insights into AWS network related resource activities, including the creation, update, and deletions of security groups, network ACLs and routes, gateways, elastic load balancers, VPCs, subnets, and network interfaces. Solution
AWS User Activities Workbook Gain insights into AWS user activities, including failed sign-in attempts, IP addresses, regions, user agents, and identity types, as well as potential malicious user activities with assumed roles. Solution
AWS IAM The Amazon Web Services (AWS) Identity and Access Management (IAM) Solution for Microsoft Sentinel allows you to manage resources in AWS via playbooks that use the AWS IAM API. The playbooks included in the solution allow enriching an incident with user information, adding a tag to a user in AWS, and deleting access keys for users. Playbooks: 3 AWS IAM - Add tag to user Playbook Once a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Gets users from the incident. 2. Adds a tag to the users in AWS (tag key and value are defined during the playbook deployment). 3. Adds information about the added tags as a comment to the incident. Solution
AWS IAM - Delete access keys Playbook Once a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Gets users from the incident. 2. Gets the list of access keys for these users. 3. Deletes the selected access keys. 4. Adds information about the deleted users' access keys as a comment to the incident. Solution
AWS IAM - Enrich incident with user info Playbook Once a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Gets users from the incident. 2. Obtains information about users in AWS IAM. 3. Adds obtained information as a comment to the incident. Solution
Apache Http Server The Apache HTTP Server data connector provides the capability to ingest Apache HTTP Server events into Microsoft Sentinel. Refer to Apache Logs documentation for more information. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor HTTP Data Collector API. Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10 Apache - Requests to rare files AnalyticsRule Shows requests to rare files Solution
Apache - Multiple client errors from single IP AnalyticsRule Detects multiple client errors from one source in short timeframe Solution
Apache - Multiple server errors from single IP AnalyticsRule Detects multiple server errors from one source in short timeframe Solution
Apache - Command in URI AnalyticsRule Detects command in URI Solution
Apache - Apache 2.4.49 flaw CVE-2021-41773 AnalyticsRule Detects using Apache 2.4.49 flaw CVE-2021-41773 Solution
Apache - Request from private IP AnalyticsRule Detects requests from private IP Solution
Apache - Put suspicious file AnalyticsRule Detects PUT or POST of suspicious file Solution
Apache - Request to sensitive files AnalyticsRule Detects request to sensitive files. Solution
Apache - Private IP in URL AnalyticsRule Detects requests to unusual URL Solution
Apache - Known malicious user agent AnalyticsRule Detects known malicious user agents Solution
Apache HTTP Server DataConnector The Apache HTTP Server data connector provides the capability to ingest Apache HTTP Server events into Microsoft Sentinel. Refer to Apache Logs documentation for more information. Solution
Apache - Requests to unexisting files HuntingQuery Solution
Apache - Top URLs with client errors HuntingQuery Solution
Apache - Top Top files requested HuntingQuery Solution
Apache - Rare URLs requested HuntingQuery Solution
Apache - Rare user agents with client errors HuntingQuery Solution
Apache - Rare files requested HuntingQuery Solution
Apache - Top files requested with errors HuntingQuery Solution
Apache - Unexpected Post Requests HuntingQuery Solution
Apache - Top URLs with server errors HuntingQuery Solution
Apache - Rare user agents HuntingQuery Solution
ApacheHTTPServer Parser Solution
Apache HTTP Server Workbook Sets the time name for analysis Solution
Log4j Vulnerability Detection Microsoft's security research teams have been tracking threats taking advantage of CVE-2021-44228, a remote code execution (RCE) vulnerability in Apache Log4j 2 referred to as "Log4Shell". The vulnerability allows unauthenticated remote code execution, and it is triggered when a specially crafted string provided by the attacker through a variety of different input vectors is parsed and processed by the Log4j 2 vulnerable component. For more technical and mitigation information about the vulnerability, please read the Microsoft Security Response Center blog. This solution provides content to monitor, detect and investigate signals related to exploitation of this vulnerability in Microsoft Sentinel. Workbooks: 2, Analytic Rules: 4, Hunting Queries: 10, Watchlists: 1, Playbooks: 2 User agent search for log4j exploitation attempt AnalyticsRule This query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempt based on user agent pattern. Log4j is an open-source Apache logging library that is used in many Java-based applications. The regex and the string matching look for the most common attacks. This might not be comprehensive to detect every possible user agent variation. Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/ Solution
Azure WAF matching for Log4j vuln(CVE-2021-44228) AnalyticsRule This query will alert on a positive pattern match by Azure WAF for CVE-2021-44228 log4j vulnerability exploitation attempt. If possible, it then decodes the malicious command for further analysis. Reference: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/ Solution
Vulnerable Machines related to log4j CVE-2021-44228 AnalyticsRule This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to log4j CVE-2021-44228. Log4j is an open-source Apache logging library that is used in many Java-based applications. Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender (reference link below). Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/ Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal Reference: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-defender-for-cloud-displays-machines-affected-by-log4j/ba-p/3037271 Solution
Log4j vulnerability exploit aka Log4Shell IP IOC AnalyticsRule Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228 Solution
Linux security related process termination activity detected HuntingQuery Solution
Possible Linux attack toolkit detected via Syslog data HuntingQuery Solution
Malicious Connection to LDAP port for CVE-2021-44228 vulnerability HuntingQuery Solution
Azure WAF Log4j CVE-2021-44228 hunting HuntingQuery Solution
Possible exploitation of Apache log4j component detected HuntingQuery Solution
Suspicious Shell script detected HuntingQuery Solution
Possible Container Miner related artifacts detected HuntingQuery Solution
Suspicious Base64 download activity detected HuntingQuery Solution
Network Connection to New External LDAP Server HuntingQuery Solution
Suspicious manipulation of firewall detected via Syslog data HuntingQuery Solution
BatchImportToSentinel Playbook These playbooks automate the ingest of threat indicators into the ThreatIntelligenceIndicator table of a Microsoft Sentinel workspace. Sample data for Log4j IOC can be found at https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv. Solution
Log4jIndicatorProcessor Playbook These playbooks automate the ingest of threat indicators into the ThreatIntelligenceIndicator table of a Microsoft Sentinel workspace. Sample data for Log4j IOC can be found at https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv. Solution
Log4j Impact Assessment Workbook This hunting workbook is intended to help identify activity related to the Log4j compromise discovered in December 2021. Solution
Log4j Post Compromise Hunting Workbook This hunting workbook is intended to help identify activity related to the Log4j compromise discovered in December 2021. Solution
Apache Tomcat The Apache Tomcat Solution provides the capability to ingest Apache Tomcat events into Microsoft Sentinel. Refer to Apache Tomcat documentation for more information. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor HTTP Data Collector API. Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 11 Tomcat - Request to sensitive files AnalyticsRule Detects request to sensitive files. Solution
Tomcat - Put file and get file from same IP address AnalyticsRule Detects put or get files from one source in short timeframe Solution
Tomcat - Multiple client errors from single IP address AnalyticsRule Detects multiple client errors from one source in short timeframe Solution
Tomcat - Known malicious user agent AnalyticsRule Detects known malicious user agents Solution
Tomcat - Multiple empty requests from same IP AnalyticsRule Detects multiple empty requests from same IP Solution
Tomcat - Server errors after multiple requests from same IP AnalyticsRule Detects server errors after multiple requests from same IP address. Solution
Tomcat - Commands in URI AnalyticsRule Detects commands in URI Solution
Tomcat - Request from localhost IP address AnalyticsRule Detects request from localhost IP address. Solution
Tomcat - Sql injection patterns AnalyticsRule Detects possible SQL injection patterns Solution
Tomcat - Multiple server errors from single IP address AnalyticsRule Detects multiple server errors from one source in short timeframe Solution
Apache Tomcat DataConnector The Apache Tomcat solution provides the capability to ingest Apache Tomcat events into Microsoft Sentinel. Refer to Apache Tomcat documentation for more information. Solution
Tomcat - Rare user agents with client errors HuntingQuery Solution
Tomcat - Top files with error requests HuntingQuery Solution
Tomcat - Rare user agents with server errors HuntingQuery Solution
Tomcat - Top URLs client errors HuntingQuery Solution
Tomcat - Request to forbidden file HuntingQuery Solution
Tomcat - Catalina errors HuntingQuery Solution
Tomcat - Top URLs server errors HuntingQuery Solution
Tomcat - Rare files requested HuntingQuery Solution
Tomcat - Uncommon user agent strings HuntingQuery Solution
Tomcat - Abnormal request size HuntingQuery Solution
Tomcat - Rare URLs requested HuntingQuery Solution
ApacheTomcat Data Parser Parser Solution
ApacheTomcat Workbook Sets the time name for analysis Solution
Aruba ClearPass The Aruba ClearPass solution allows you to easily connect your Aruba ClearPass with Microsoft Sentinel. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Agent-based log collection (CEF). Data Connectors: 1, Parsers: 1 Aruba ClearPass DataConnector The Aruba ClearPass connector allows you to easily connect your Aruba ClearPass with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. Solution
ArubaClearPass Parser Solution
Atlassian Confluence Audit The Atlassian Confluence Audit solution provides the capability to ingest Confluence Audit Records into Microsoft Sentinel. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor HTTP Data Collector API b. Azure Functions. Data Connectors: 1, Parsers: 1 Atlassian Confluence Audit (using Azure Functions) DataConnector The Atlassian Confluence Audit data connector provides the capability to ingest Confluence Audit Records into Microsoft Sentinel. The connector provides the ability to get events, which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more. Solution
ConfluenceAudit Parser Solution
Atlassian Jira Audit The Atlassian Jira Audit solution provides the capability to ingest Jira Audit Records events into Microsoft Sentinel through the REST API. Refer to API documentation for more information. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor HTTP Data Collector API b. Azure Functions. Data Connectors: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10, Playbooks: 7, Function App: 1 Jira - Workflow scheme copied AnalyticsRule Detects when workflow scheme was copied. Solution
Jira - Global permission added AnalyticsRule Detects when global permission added. Solution
Jira - User removed from project AnalyticsRule Detects when a user was removed from project. Solution
Jira - New site admin user AnalyticsRule Detects new site admin user. Solution
Jira - Permission scheme updated AnalyticsRule Detects when permission scheme was updated. Solution
Jira - New user created AnalyticsRule Detects when new user was created. Solution
Jira - User's password changed multiple times AnalyticsRule Detects when user's password was changed multiple times from different IP addresses. Solution
Jira - New site admin user AnalyticsRule Detects new site admin user. Solution
Jira - User removed from group AnalyticsRule Detects when a user was removed from group. Solution
Jira - Project roles changed AnalyticsRule Detects when project roles were changed. Solution
jira-sync AzureFunction Solution
Atlassian Jira Audit (using Azure Functions) DataConnector The Atlassian Jira Audit data connector provides the capability to ingest Jira Audit Records events into Microsoft Sentinel through the REST API. Refer to API documentation for more information. The connector provides the ability to get events, which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more. Solution
Jira - Project versions released HuntingQuery Solution
Jira - Users' IP addresses HuntingQuery Solution
Jira - Workflow schemes added to projects HuntingQuery Solution
Jira - Updated workflow schemes HuntingQuery Solution
Jira - Blocked tasks HuntingQuery Solution
Jira - New users HuntingQuery Solution
Jira - Updated users HuntingQuery Solution
Jira - Updated workflows HuntingQuery Solution
Jira - Project versions HuntingQuery Solution
Jira - Updated projects HuntingQuery Solution
Sync Jira to Sentinel - public comments Playbook This Playbook will sync the public comments from JIRA to Microsoft Sentinel. Solution
Create Jira Issue alert-trigger Playbook This playbook will open a Jira Issue when a new incident is opened in Microsoft Sentinel. Solution
Create Jira Issue incident-trigger Playbook This playbook will open a Jira Issue when a new incident is opened in Microsoft Sentinel. Solution
Create And Update Jira Issue Playbook This playbook will create or update an incident in Jira. When an incident is created, the playbook will run and create an issue in Jira. When an incident is updated, the playbook will run and add the update to the comment section. Solution
Sync Jira to Sentinel - Assigned User Playbook This Playbook will sync the assigned user from JIRA to Microsoft Sentinel. Solution
Sync Jira from Sentinel - Create incident Playbook This Playbook will create a JIRA incident for every Microsoft Sentinel incident that is created. It includes additional information such as tactics, affected user etc. Solution
Sync Jira to Sentinel - Status Playbook This Playbook will sync the status from JIRA to Microsoft Sentinel. Solution
AtlassianJiraAudit Workbook Sets the time name for analysis Solution
Attacker Tools Threat Protection Essentials The Attacker Tools Threat Protection Essentials solution contains security content that is relevant for detection of tools commonly used by attackers in various campaigns. These tools can be commercial, open-source, built-in or publicly available and have historically been seen used by adversaries in different phases of the ATT&CK kill chain. Pre-requisites: This is a domain solution and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions to unlock the value provided by this solution: Windows Security Events, Windows Server DNS, Windows Forwarded Events, Azure Active Directory. Keywords: attack tools, penetration testing, Impacket, Powercat, Nishang, Cobalt Strike, ADFind, Credential Dumping, PowerShell Empire. Analytic Rules: 4, Hunting Queries: 2 Credential Dumping Tools - File Artifacts AnalyticsRule This query detects the creation of credential dumping tools files. Several credential dumping tools export files with hardcoded file names. Ref: https://jpcertcc.github.io/ToolAnalysisResultSheet/ Solution
Credential Dumping Tools - Service Installation AnalyticsRule This query detects the installation of a Windows service that contains artifacts from credential dumping tools such as Mimikatz. Solution
Probable AdFind Recon Tool Usage AnalyticsRule This query identifies the host and account that executed AdFind, by hash and filename, in addition to the flags commonly utilized by various threat actors during the reconnaissance phase. Solution
Powershell Empire Cmdlets Executed in Command Line AnalyticsRule This query identifies use of PowerShell Empire's cmdlets within the command line data of the PowerShell process, indicating potential use of the post-exploitation tool. Solution
Potential Impacket Execution HuntingQuery Solution
Cobalt Strike DNS Beaconing HuntingQuery Solution
Australian Cyber Security Centre This solution allows customers to share threat intelligence with the Australian Cyber Security Centre (ACSC) through the Cyber Threat Intelligence Sharing (CTIS) program. This solution contains a playbook that can be used to get indicators from Sentinel and convert them into STIX bundles to be posted to the CTIS TAXII 2.1 server as a Contributing Partner. This solution is only available to deeded ACSC partners that have completed onboarding to the CTIS program. Credentials will be provided during the onboarding process. For more information, please contact community@ctis-au.org or visit the ACSC Partner Portal. Playbooks: 1 AusCtisExportTaggedIndicators Playbook This playbook gets triggered every hour and performs the following actions: 1. Gets all the threat intelligence indicators from the Sentinel Workspace with the given tag. 2. Filters all the indicators whose export is not completed. 3. Exports the indicators to the provided TAXII server. Solution
Auth0 The Auth0 Access Management solution for Microsoft Sentinel provides the capability to ingest Auth0 log events into your Microsoft Sentinel workspace. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor HTTP Data Collector API b. Azure Functions. Data Connectors: 1, Parsers: 1 Auth0 Access Management(using Azure Functions) DataConnector The Auth0 Access Management data connector provides the capability to ingest Auth0 log events into Microsoft Sentinel Solution
Auth0 Parser Solution
Automated Logic WebCTRL The Automated Logic WebCTRL solution allows you to easily stream the audit logs from the WebCTRL SQL server hosted on Windows machines connected to your Microsoft Sentinel. This connection enables you to view dashboards, create custom alerts and improve investigation. This gives insights into your Industrial Control Systems that are monitored or controlled by the WebCTRL BAS application. Underlying Microsoft Technologies used: This solution is dependent on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Agent based logs collection from Windows and Linux machines. Data Connectors: 1 Automated Logic WebCTRL DataConnector You can stream the audit logs from the WebCTRL SQL server hosted on Windows machines connected to your Microsoft Sentinel. This connection enables you to view dashboards, create custom alerts and improve investigation. This gives insights into your Industrial Control Systems that are monitored or controlled by the WebCTRL BAS application. Solution
AWS Athena Amazon Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL. Athena is serverless, so there is no infrastructure to manage, and you pay only for the queries that you run. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Functions. Playbooks: 1, AzureFunction CustomConnector: 1 awsathena AzureFunction Solution
AWS Athena - Execute Query and Get Results Playbook When a new Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. It executes the query specified during playbook setup on the given database. 2. Downloads the query result and adds it as a comment to the incident. Solution
Azure Active Directory The Azure Active Directory solution for Microsoft Sentinel enables you to ingest Azure Active Directory Audit, Sign-in, Provisioning, Risk Events and Risky User/Service Principal logs using Diagnostic Settings into Microsoft Sentinel.Data Connectors: 1, Workbooks: 2, Analytic Rules: 59, Playbooks: 11 Cross-tenant Access Settings Organization Outbound Direct Settings Changed AnalyticsRule Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Outbound Direct Settings are changed for "Users & Groups" and for "Applications". Solution
Successful logon from IP and failure from a different IP AnalyticsRule Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins fails to log on to the same App via a different IP. This may indicate a malicious attempt at password guessing based on knowledge of the user's account. Solution
User Assigned Privileged Role AnalyticsRule Identifies when a new privileged role is assigned to a user. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn't the responsibility of the account holder, investigate. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1 Solution
NRT Privileged Role Assigned Outside PIM AnalyticsRule Identifies a privileged role being assigned to a user outside of PIM Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1 Solution
Azure AD Role Management Permission Grant AnalyticsRule Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal. This permission allows an application to read and manage the role-based access control (RBAC) settings for your company's directory. An adversary could use this permission to add an Azure AD object to an Admin directory role and escalate privileges. Ref : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions Ref : https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http Solution
Bulk Changes to Privileged Account Permissions AnalyticsRule Identifies when the permissions of multiple users are changed at once. Investigate immediately if not a planned change. This setting could give an attacker access to Azure subscriptions in your environment. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management Solution
Failed login attempts to Azure Portal AnalyticsRule Identifies failed login attempts to the Azure Portal in the Azure Active Directory SigninLogs. Many failed logon attempts, or some failed logon attempts from multiple IPs, could indicate a potential brute force attack. The following result codes are excluded because they denote success or non-failure results (References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes): 0 - successful logon; 50125 - Sign-in was interrupted due to a password reset or password registration entry; 50140 - This error occurred due to the 'Keep me signed in' interrupt when the user was signing in. Solution
Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed AnalyticsRule Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Outbound Collaboration Settings are changed for "Users & Groups" and for "Applications". Solution
Mail.Read Permissions Granted to Application AnalyticsRule This query looks for applications that have been granted (Delegated or App/Role) permissions to read mail (the Permissions field contains Mail.Read) and have subsequently been consented to. This can help identify applications that have been abused to gain access to mailboxes. Solution
Privileged Role Assigned Outside PIM AnalyticsRule Identifies a privileged role being assigned to a user outside of PIM Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1 Solution
Cross-tenant Access Settings Organization Inbound Direct Settings Changed AnalyticsRule Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Inbound Direct Settings are changed for "Users & Groups" and for "Applications". Solution
Brute force attack against Azure Portal AnalyticsRule Identifies evidence of brute force activity against the Azure Portal by highlighting multiple authentication failures and a successful authentication within a given time window. The default failure count is 10 and the default time window is 20 minutes. References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes. Solution
NRT Authentication Methods Changed for VIP Users AnalyticsRule Identifies authentication methods being changed for a list of VIP users watchlist. This could be an indication of an attacker adding an auth method to the account so they can have continued access. Solution
First access credential added to Application or Service Principal where no credential was present AnalyticsRule This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previously verified KeyCredential associated. If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential. Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow. For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities. Solution
Privileged Accounts - Sign in Failure Spikes AnalyticsRule Identifies spikes in failed sign-ins from privileged accounts. The privileged accounts list can be based on the IdentityInfo UEBA table. A spike is determined by time-series anomaly detection against historical baseline values. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor Solution
Suspicious application consent for offline access AnalyticsRule This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth. Offline access will provide the Azure App with access to the listed resources without requiring two-factor authentication. Consent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome! For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities. Solution
NRT MFA Rejected by User AnalyticsRule Identifies occurrences where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins Solution
Suspicious application consent similar to PwnAuth AnalyticsRule This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth). The default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all. Consent to applications with these permissions should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome! For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities. Solution
Suspicious AAD Joined Device Update AnalyticsRule This query looks for suspicious updates to an Azure AD joined device where the device name is changed and the device falls out of compliance. This could occur when a threat actor updates the details of an Autopilot provisioned device using a stolen device ticket, in order to access certificates and keys. Ref: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf Solution
User Accounts - Sign in Failure due to CA Spikes AnalyticsRule Identifies spikes in failed sign-ins from user accounts due to conditional access policies. A spike is determined by time-series anomaly detection against historical baseline values. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins Solution
Attempt to bypass conditional access rule in Azure AD AnalyticsRule Identifies an attempt to bypass conditional access rule(s) in Azure Active Directory. The ConditionalAccessStatus column value details whether there was an attempt to bypass Conditional Access or whether the Conditional Access rule was not satisfied (ConditionalAccessStatus == 1). References: https://docs.microsoft.com/azure/active-directory/conditional-access/overview https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes. Status values: ConditionalAccessStatus == 0 // Success; ConditionalAccessStatus == 1 // Failure; ConditionalAccessStatus == 2 // Not Applied; ConditionalAccessStatus == 3 // Unknown. Solution
Brute force attack against a Cloud PC AnalyticsRule Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and a successful authentication within a given time window. Solution
Password spray attack against Azure AD application AnalyticsRule Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same IP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range are brought into the result. Details on whether there were successful authentications by the IP address within the time window are also included; this can be an indicator that an attack was successful. The default failed-account threshold is 5, the default time window for failures is 20m and the default look-back window is 3 days. Note: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity. References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes. Solution
User added to Azure Active Directory Privileged Groups AnalyticsRule This will alert when a user is added to any of the Privileged Groups. For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities. For Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles Solution
Sign-ins from IPs that attempt sign-ins to disabled accounts AnalyticsRule Identifies IPs with failed attempts to sign in to one or more disabled accounts, where successful sign-ins from other accounts have happened through the same IP. This could indicate an attacker who obtained credentials for a list of accounts and is attempting to log in with those accounts, some of which may have already been disabled. References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes 50057 - User account is disabled. The account has been disabled by an administrator. Solution
Azure Active Directory PowerShell accessing non-AAD resources AnalyticsRule This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior. For capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0. For further information on Azure Active Directory Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins. Solution
full_access_as_app Granted To Application AnalyticsRule This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent. This permission provides access to all Exchange mailboxes via the EWS API and could be exploited to access sensitive data by being added to a compromised application. The application granted this permission should be reviewed to ensure that it is absolutely necessary for the application's function. Ref: https://learn.microsoft.com/graph/auth-limit-mailbox-access Solution
Password spray attack against ADFSSignInLogs AnalyticsRule Identifies evidence of password spray activity against Connect Health for AD FS sign-in events by looking for failures from multiple accounts from the same IP address within a time window. Reference: https://adfshelp.microsoft.com/References/ConnectHealthErrorCodeReference Solution
NRT PIM Elevation Request Rejected AnalyticsRule Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management Solution
Suspicious Service Principal creation activity AnalyticsRule This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN within a time frame (default 10 minutes). Solution
Authentication Methods Changed for Privileged Account AnalyticsRule Identifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1 Solution
Guest accounts added in AAD Groups other than the ones specified AnalyticsRule Guest accounts are added in the organization's tenants to perform various tasks, e.g. project execution, support, etc. This detection notifies when guest users are added to Azure AD Groups other than the ones specified, which poses a risk of gaining access to sensitive apps or data. Solution
Account created or deleted by non-approved user AnalyticsRule Identifies accounts that were created or deleted by a defined list of non-approved user principal names. Add to this list before running the query for accurate results. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts Solution
Credential added after admin consented to Application AnalyticsRule This query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another user. If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential. Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow. For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities. Solution
NRT User added to Azure Active Directory Privileged Groups AnalyticsRule This will alert when a user is added to any of the Privileged Groups. For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities. For Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles Solution
Cross-tenant Access Settings Organization Added AnalyticsRule Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is added other than the list that is supposed to exist from the Azure AD Cross-tenant Access Settings. Solution
Attempts to sign in to disabled accounts AnalyticsRule Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications. Default threshold for Azure Applications attempted to sign in to is 3. References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes 50057 - User account is disabled. The account has been disabled by an administrator. Solution
New access credential added to Application or Service Principal AnalyticsRule This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verified KeyCredential was already present for the app. If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential. Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow. For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities. Solution
Anomalous sign-in location by user account and authenticating application AnalyticsRule This query over Azure Active Directory sign-in logs considers all user sign-ins for each Azure Active Directory application and picks out the most anomalous change in location profile for a user within an individual application. Solution
PIM Elevation Request Rejected AnalyticsRule Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management Solution
Rare application consent AnalyticsRule This will alert when the "Consent to application" operation is performed by a user who has not done this operation before or rarely does so. This could indicate that permissions to access the listed Azure App were provided to a malicious actor. Consent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. This may help detect the OAuth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth. For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities. Solution
NRT Modified domain federation trust settings AnalyticsRule This will alert when a user or application modifies the federation settings on the domain or updates domain authentication from Managed to Federated. For example, this alert will trigger when a new Active Directory Federation Services (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain. Modification of domain federation settings should be rare. Confirm that the added or modified target domain/URL is legitimate administrator behavior. To understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365. For details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b. For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities. Solution
Azure Portal sign in from another Azure Tenant AnalyticsRule This query looks for successful sign in attempts to the Azure Portal where the user signing in is from another Azure tenant and the IP address the login attempt comes from is an Azure IP. A threat actor who compromises an Azure tenant may look to pivot to other tenants leveraging cross-tenant delegated access in this manner. Solution
Modified domain federation trust settings AnalyticsRule This will alert when a user or application modifies the federation settings on the domain or updates domain authentication from Managed to Federated. For example, this alert will trigger when a new Active Directory Federation Services (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain. Modification of domain federation settings should be rare. Confirm that the added or modified target domain/URL is legitimate administrator behavior. To understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365. For details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b. For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities. Solution
Brute Force Attack against GitHub Account AnalyticsRule Identifies attackers who are trying to guess your users' passwords or are using brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs for GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempts by users. Solution
Explicit MFA Deny AnalyticsRule User explicitly denies MFA push, indicating that login was not expected and the account's password may be compromised. Solution
External guest invitation followed by Azure AD PowerShell signin AnalyticsRule By default, guests have the capability to invite more external guest users, and guests can also perform suspicious Azure AD enumeration. This detection looks at guest users who have been invited or have invited others recently and who are also logging in via various PowerShell CLIs. Ref : https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/ Solution
NRT First access credential added to Application or Service Principal where no credential was present AnalyticsRule This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previously verified KeyCredential associated. If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential. Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow. For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities. Solution
Account Created and Deleted in Short Timeframe AnalyticsRule Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account Solution
Distributed Password cracking attempts in AzureAD AnalyticsRule Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs. The query looks for an unusually high number of failed password attempts coming from multiple locations for a user account. References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes 50053 - Account is locked because the user tried to sign in too many times with an incorrect user ID or password. 50055 - Invalid password, entered expired password. 50056 - Invalid or null password - Password does not exist in store for this user. 50126 - Invalid username or password, or invalid on-premises username or password. Solution
Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed AnalyticsRule Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when Organization Inbound Collaboration Settings are changed for "Users & Groups" and for "Applications". Solution
Multiple admin membership removals from newly created admin. AnalyticsRule This query detects when a newly created Global admin removes multiple existing Global admins, which can be an attempt by adversaries to lock down the organization and retain sole access. Investigate the reasoning and intention behind multiple membership removals by new Global admins and take necessary actions accordingly. Solution
GitHub Signin Burst from Multiple Locations AnalyticsRule This detection triggers when there is a sign-in burst from multiple locations in GitHub (AAD SSO). This detection is based on a configurable threshold, which can be prone to false positives. To view the anomaly-based equivalent of this detection, please see https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml. Solution
MFA Rejected by User AnalyticsRule Identifies occurrences where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins Solution
NRT New access credential added to Application or Service Principal AnalyticsRule This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verified KeyCredential was already present for the app. If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential. Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow. For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities. Solution
Cross-tenant Access Settings Organization Deleted AnalyticsRule Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is deleted from the Azure AD Cross-tenant Access Settings. Solution
Admin promotion after Role Management Application Permission Grant AnalyticsRule This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Azure AD object or user account to an Admin directory role (i.e. Global Administrators). This is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission allows an app to manage permission grants for application permissions to any API. A service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). This would be considered a privilege escalation technique. Ref : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http Solution
Suspicious application consent similar to O365 Attack Toolkit AnalyticsRule This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit). The default permissions/scope for the MDSec O365 Attack Toolkit change sometimes but often include contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, files.readwrite.all, mail.send, files.read, and files.read.all. Consent to applications with these permissions should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome! For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities. Solution
Password spray attack against Azure AD Seamless SSO AnalyticsRule This query detects when there is a spike in Azure AD Seamless SSO errors. They may not be caused by a Password Spray attack, but the cause of the errors might need to be investigated. Azure AD only logs the requests that matched existing accounts, thus there might have been unlogged requests for non-existing accounts. Solution
Azure Active Directory DataConnector Gain insights into Azure Active Directory by connecting Audit and Sign-in logs to Microsoft Sentinel to gather insights around Azure Active Directory scenarios. You can learn about app usage, conditional access policies and legacy auth related details using our Sign-in logs. You can get information on your Self Service Password Reset (SSPR) usage and Azure Active Directory Management activities like user, group, role and app management using our Audit logs table. For more information, see the Microsoft Sentinel documentation. Solution
Block AAD user - Alert Playbook For each account entity included in the alert, this playbook will disable the user in Azure Active Directory, add a comment to the incident that contains this alert and notify the manager if available. Note: This playbook will not disable admin users! Solution
Block AAD user - Entity trigger Playbook This playbook disables the selected user (account entity) in Azure Active Directory. If this playbook is triggered from an incident context, it will add a comment to the incident. This playbook will notify the disabled user's manager if available. Note: This playbook will not disable admin users! Solution
Block AAD user - Incident Playbook For each account entity included in the incident, this playbook will disable the user in Azure Active Directory, add a comment to the incident that contains this alert and notify the manager if available. Note: This playbook will not disable admin users! Solution
Prompt User - Alert Playbook This playbook will ask the user if they completed the action from the alert in Microsoft Sentinel. If so, it will close the incident and add a comment. If not, it will post a message to Teams for the SOC to investigate and add a comment to the incident. Solution
Prompt User - Incident Playbook This playbook will ask the user if they completed the action from the Incident in Microsoft Sentinel. If so, it will close the incident and add a comment. If not, it will post a message to Teams for the SOC to investigate and add a comment to the incident. Solution
Reset Azure AD User Password - Alert Trigger Playbook This playbook will reset the user password using Graph API. It will send the password (which is a random guid substring) to the user's manager. The user will have to reset the password upon login. Solution
Reset Azure AD User Password - Entity trigger Playbook This playbook will reset the user password using Graph API. It will send the password (which is a random guid substring) to the user's manager. The user will have to reset the password upon login. Solution
Reset Azure AD User Password - Incident Trigger Playbook This playbook will reset the user password using Graph API. It will send the password (which is a random guid substring) to the user's manager. The user will have to reset the password upon login. Solution
Revoke-AADSignInSessions alert trigger Playbook This playbook will revoke all sign-in sessions for the user using Graph API. It will send an email to the user's manager. Solution
Revoke AAD Sign-in session using entity trigger Playbook This playbook will revoke user's sign-in sessions and user will have to perform authentication again. It invalidates all the refresh tokens issued to applications for a user (as well as session cookies in a user's browser), by resetting the signInSessionsValidFromDateTime user property to the current date-time. Solution
Revoke AAD SignIn Sessions - incident trigger Playbook This playbook will revoke all sign-in sessions for the user using Graph API. It will send an email to the user's manager. Solution
Azure AD Audit logs Workbook Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the audit logs to gather insights around Azure AD scenarios. You can learn about user operations, including password and group management, device activities, and top active users and apps. Solution
Azure AD Sign-in logs Workbook Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Azure AD scenarios. You can learn about sign-in operations, such as user sign-ins and locations, email addresses, and IP addresses of your users, as well as failed activities and the errors that triggered the failures. Solution
Azure Active Directory Identity Protection The Azure Active Directory Identity Protection solution for Microsoft Sentinel allows you to ingest Security alerts reported in AAD Identity Protection for risky users and events in Azure Active Directory. Data Connectors: 1, Analytic Rules: 1, Playbooks: 5 Correlate Unfamiliar sign-in properties & atypical travel alerts AnalyticsRule The combination of an Unfamiliar sign-in properties alert and an Atypical travel alert about the same user within a +10m or -10m window is considered a high severity incident. Solution
Azure Active Directory Identity Protection DataConnector Azure Active Directory Identity Protection provides a consolidated view of at-risk users, risk events and vulnerabilities, with the ability to remediate risk immediately, and set policies to auto-remediate future events. The service is built on Microsoft's experience protecting consumer identities and gains tremendous accuracy from the signal from over 13 billion logins a day. Integrate Microsoft Azure Active Directory Identity Protection alerts with Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation. For more information, see the Microsoft Sentinel documentation. Get Azure Active Directory Premium P1/P2 Solution
Confirm AAD Risky User - Alert Triggered Playbook This playbook will set the Risky User property in AAD using Graph API. Solution
Confirm AAD Risky User - Incident Triggered Playbook For each account entity included in the incident, this playbook will set the Risky User property in AAD using the Graph API (a Beta API). Solution
Dismiss AAD Risky User - Alert Triggered Playbook This playbook will dismiss the Risky User property in AAD using AAD Connectors. Solution
Dismiss AAD Risky User - Incident Triggered Playbook This playbook will dismiss the Risky User property in AAD using AAD Connectors. Solution
Identity Protection response from Teams Playbook Run this playbook on incidents that contain suspicious AAD identities. For each account, this playbook posts an adaptive card in the SOC Microsoft Teams channel, including the potential risky user information given by Azure AD Identity Protection. The card offers to confirm the user as compromised or dismiss the compromised user in AADIP. It also allows configuring the Microsoft Sentinel incident. A summary comment will be posted to document the action taken and user information. Learn more about Azure AD Identity Protection Solution
Azure Activity The Azure Activity solution for Microsoft Sentinel enables you to ingest Azure Activity Administrative, Security, Service Health, Alert, Recommendation, Policy, Autoscale and Resource Health logs using Diagnostic Settings into Microsoft Sentinel. Data Connectors: 1, Workbooks: 1, Analytic Rules: 12, Hunting Queries: 14 Rare subscription-level operations in Azure AnalyticsRule This query looks for a few sensitive subscription-level events based on Azure Activity Logs. For example, this monitors for the operation name 'Create or Update Snapshot', which is used for creating backups but could be misused by attackers to dump hashes or extract sensitive information from the disk. Solution
Suspicious number of resource creation or deployment activities AnalyticsRule Indicates when an anomalous number of VM creations or deployment activities occur in Azure via the AzureActivity log. This query generates the baseline pattern of cloud resource creation by an individual and generates an anomaly when any unusual spike is detected. These anomalies from unusual or privileged users could be an indication of a cloud infrastructure takedown by an adversary. Solution
NRT Creation of expensive computes in Azure AnalyticsRule Identifies the creation of large size or expensive VMs (with GPUs or with a large number of virtual CPUs) in Azure. An adversary may create new or update existing virtual machines to evade defenses or use them for cryptomining purposes. For Windows/Linux VM sizes, see https://docs.microsoft.com/azure/virtual-machines/windows/sizes; for Azure VM naming conventions, see https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions Solution
New CloudShell User AnalyticsRule Identifies when a user creates an Azure CloudShell for the first time. Monitor this activity to ensure only the expected users are using CloudShell. Solution
Azure Active Directory Hybrid Health AD FS Service Delete AnalyticsRule This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid Health AD FS service instance in a tenant. A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs. The health AD FS service can then be deleted after it is no longer needed via HTTP requests to Azure. More information is available in this blog https://o365blog.com/post/hybridhealthagent/ Solution
Azure Active Directory Hybrid Health AD FS New Server AnalyticsRule This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid Health AD FS service. A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-premises AD FS server. This can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/ Solution
Creation of expensive computes in Azure AnalyticsRule Identifies the creation of large size or expensive VMs (with GPUs or with a large number of virtual CPUs) in Azure. An adversary may create new or update existing virtual machines to evade defenses or use them for cryptomining purposes. For Windows/Linux VM sizes, see https://docs.microsoft.com/azure/virtual-machines/windows/sizes; for Azure VM naming conventions, see https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions Solution
Suspicious Resource deployment AnalyticsRule Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen caller. Solution
Suspicious granting of permissions to an account AnalyticsRule Identifies IPs from which users grant access to other users on Azure resources and alerts when a previously unseen source IP address is used. Solution
Azure Active Directory Hybrid Health AD FS Suspicious Application AnalyticsRule This detection uses AzureActivity logs (Administrative category) to identify a suspicious application adding a server instance to an Azure AD Hybrid Health AD FS service or deleting the AD FS service instance. Usually the Azure AD Connect Health Agent application with ID cf6d7e68-f018-4e0a-a7b3-126e053fb88d and ID cb1056e2-e479-49de-ae31-7812af012ed8 is used to perform those operations. Solution
NRT Azure Active Directory Hybrid Health AD FS New Server AnalyticsRule This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid Health AD FS service. A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-premises AD FS server. This can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/ Solution
Mass Cloud resource deletions Time Series Anomaly AnalyticsRule This query generates the baseline pattern of cloud resource deletions by an individual and generates an anomaly when any unusual spike is detected. These anomalies from unusual or privileged users could be an indication of a cloud infrastructure takedown by an adversary. Solution
Azure Activity DataConnector Azure Activity Log is a subscription log that provides insight into subscription-level events that occur in Azure, including events from Azure Resource Manager operational data, service health events, write operations taken on the resources in your subscription, and the status of activities performed in Azure. For more information, see the Microsoft Sentinel documentation. Solution
Common deployed resources HuntingQuery Solution
Microsoft Sentinel Connectors Administrative Operations HuntingQuery Solution
AzureActivity Administration From VPS Providers HuntingQuery Solution
Anomalous Azure Operation Hunting Model HuntingQuery Solution
Azure Virtual Network Subnets Administrative Operations HuntingQuery Solution
Microsoft Sentinel Workbooks Administrative Operations HuntingQuery Solution
Azure storage key enumeration HuntingQuery Solution
Rare Custom Script Extension HuntingQuery Solution
Granting permissions to account HuntingQuery Solution
Port opened for an Azure Resource HuntingQuery Solution
Creation of an anomalous number of resources HuntingQuery Solution
Azure Network Security Group NSG Administrative Operations HuntingQuery Solution
Microsoft Sentinel Analytics Rules Administrative Operations HuntingQuery Solution
Azure VM Run Command executed from Azure IP address HuntingQuery Solution
Azure Activity Workbook Gain extensive insight into your organization's Azure Activity by analyzing, and correlating all user operations and events. You can learn about all user operations, trends, and anomalous changes over time. This workbook gives you the ability to drill down into caller activities and summarize detected failure and warning events. Solution
Azure Cognitive Search The Azure Cognitive Search solution for Microsoft Sentinel enables you to ingest Azure Cognitive Search diagnostics logs using Diagnostic Settings into Microsoft Sentinel. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor Resource Diagnostics. Data Connectors: 1 Azure Cognitive Search DataConnector Azure Cognitive Search is a cloud search service that gives developers infrastructure, APIs, and tools for building a rich search experience over private, heterogeneous content in web, mobile, and enterprise applications. This connector lets you stream your Azure Cognitive Search diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity. Solution
Azure DDoS Protection The Azure DDoS Protection Solution for Microsoft Sentinel enables you to easily ingest Azure DDoS Protection Standard logs to Microsoft Sentinel. This enables you to view and analyze this data in your workbooks, query it to create custom alerts, and incorporate it to improve your investigation process, giving you more insight into your platform security. To enable automated response to threats detected, consider deploying the Remediation-IP Playbook. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor Resource Diagnostics. Data Connectors: 1, Workbooks: 1, Analytic Rules: 2 DDoS Attack IP Addresses - Percent Threshold AnalyticsRule Identifies IP addresses that generate over 5% of traffic during DDoS attack mitigation Solution
DDoS Attack IP Addresses - PPS Threshold AnalyticsRule Identifies IP addresses that generate a maximal traffic rate of over 10k PPS during DDoS attack mitigation Solution
Azure DDoS Protection DataConnector Connect to Azure DDoS Protection Standard logs via Public IP Address Diagnostic Logs. In addition to the core DDoS protection in the platform, Azure DDoS Protection Standard provides advanced DDoS mitigation capabilities against network attacks. It's automatically tuned to protect your specific Azure resources. Protection is simple to enable during the creation of new virtual networks. It can also be done after creation and requires no application or resource changes. For more information, see the Microsoft Sentinel documentation. Solution
Azure DDoS Protection Workbook Workbook This workbook visualizes security-relevant Azure DDoS events across several filterable panels, offering summary, metrics and investigate tabs across multiple workspaces. Solution
Azure DevOps Auditing The Azure DevOps Auditing solution for Microsoft Sentinel allows monitoring Azure DevOps audit events to enable detection of malicious and/or unauthorized access and modification in the repository or pipelines. The streaming of Azure DevOps Audit logs to Azure Monitor must be configured to start ingesting audit events. Analytic Rules: 18, Hunting Queries: 17 Azure DevOps Pipeline modified by a new user. AnalyticsRule There are several potential pipeline steps that could be modified by an attacker to inject malicious code into the build cycle. A likely attacker path is the modification to an existing pipeline that they have access to. This detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before. This query also joins events with data to Azure AD Identity Protection (AAD IdP) in order to show if the user conducting the action has any associated AAD IdP alerts. You can also choose to filter this detection to only alert when the user also has AAD IdP alerts associated with them. Solution
Azure DevOps Pipeline Created and Deleted on the Same Day AnalyticsRule An attacker with access to Azure DevOps could create a pipeline to inject artifacts used by other pipelines, or to create a malicious software build that looks legitimate by using a pipeline that incorporates legitimate elements. An attacker would also likely want to cover their tracks once conducting such activity. This query looks for Pipelines created and deleted within the same day, this is unlikely to be legitimate user activity in the majority of cases. Solution
New PA, PCA, or PCAS added to Azure DevOps AnalyticsRule In order for an attacker to be able to conduct many potential attacks against Azure DevOps they will need to gain elevated permissions. This detection looks for users being granted key administrative permissions. If the principle of least privilege is applied, the number of users granted these permissions should be small. Note that permissions can also be granted via Azure AD groups and monitoring of these should also be conducted. Solution
Azure DevOps Build Variable Modified by New User. AnalyticsRule Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify or add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build. As variables are often changed by users, just detecting these changes would have a high false positive rate. This detection looks for modifications to variable groups where that user has not been observed modifying them before. Solution
Azure DevOps Variable Secret Not Secured AnalyticsRule Credentials used in the build process may be stored as Azure DevOps variables. To secure these variables they should be stored in KeyVault or marked as Secrets. This detection looks for new variables added with names that suggest they are credentials but where they are not set as Secrets or stored in KeyVault. Solution
New Agent Added to Pool by New User or Added to a New OS Type. AnalyticsRule As seen in attacks such as SolarWinds, attackers can look to subvert a build process by controlling build servers. Azure DevOps uses agent pools to execute pipeline tasks. An attacker could insert compromised agents that they control into the pools in order to execute malicious code. This query looks for users adding agents to pools they have not added agents to before, or adding agents to a pool of an OS that has not been added to that pool before. This detection has potential for false positives so has a configurable allow list to allow for certain users to be excluded from the logic. Solution
Azure DevOps Pull Request Policy Bypassing - Historic allow list AnalyticsRule This detection builds an allow list of historic PR policy bypasses and compares to recent history, flagging pull request bypasses that are not manually in the allow list and not historically included in the allow list. Solution
Azure DevOps Audit Stream Disabled AnalyticsRule Azure DevOps allows for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams before conducting activity and then re-enable the stream afterwards (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action it is unlikely to have a high false positive rate. Solution
Azure DevOps Service Connection Addition/Abuse - Historic allow list AnalyticsRule This detection builds an allow list of historic service connection use by Builds and Releases and compares to recent history, flagging growth of service connection use which are not manually included in the allow list and not historically included in the allow list Build/Release runs. This is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections. Solution
Azure DevOps PAT used with Browser. AnalyticsRule Personal Access Tokens (PATs) are used as an alternate password to authenticate into Azure DevOps. PATs are intended for programmatic access use in code or applications. This can be prone to attacker theft if not adequately secured. This query looks for the use of a PAT in authentication but from a User Agent indicating a browser. This should not be normal activity and could be an indicator of an attacker using a stolen PAT. Solution
Azure DevOps Retention Reduced AnalyticsRule Azure DevOps retains items such as run records and produced artifacts for a configurable amount of time. An attacker looking to reduce the footprint left by their malicious activity may look to reduce the retention time for artifacts and runs. This query will look for where retention has been reduced to the minimum level - 1, or reduced by more than half. Solution
NRT Azure DevOps Audit Stream Disabled AnalyticsRule Azure DevOps allows for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams before conducting activity and then re-enable the stream afterwards (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action it is unlikely to have a high false positive rate. Solution
Azure DevOps Administrator Group Monitoring AnalyticsRule This detection monitors for additions to projects or project collection administration groups in an Azure DevOps Organization. Solution
Azure DevOps Personal Access Token (PAT) misuse AnalyticsRule This Alert detects whenever a PAT is used in ways that PATs are not normally used. May require an allow list and baselining. Reference - https://docs.microsoft.com/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops&tabs=preview-page Use this query for baselining: AzureDevOpsAuditing | distinct OperationName
Azure DevOps Agent Pool Created Then Deleted AnalyticsRule As well as adding build agents to an existing pool to execute malicious activity within a pipeline, an attacker could create a completely new agent pool and use this for execution. Azure DevOps allows for the creation of agent pools with Azure hosted infrastructure or self-hosted infrastructure. Given the additional customizability of self-hosted agents this detection focuses on the creation of new self-hosted pools. To further reduce false positive rates the detection looks for pools created and deleted relatively quickly (within 7 days by default), as an attacker is likely to remove a malicious pool once used in order to reduce/remove evidence of their activity. Solution
External Upstream Source Added to Azure DevOps Feed AnalyticsRule The detection looks for new external sources added to an Azure DevOps feed. An allow list can be customized to explicitly allow known good sources. An attacker could look to add a malicious feed in order to inject malicious packages into a build pipeline. Solution
Azure DevOps New Extension Added AnalyticsRule Extensions add additional features to Azure DevOps. An attacker could use a malicious extension to conduct malicious activity. This query looks for new extensions that are not from a configurable list of approved publishers. Solution
Azure DevOps Service Connection Abuse AnalyticsRule Flags builds/releases that use a large number of service connections if they aren't manually in the allow list. This is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections. Solution
Azure DevOps - New Release Approver HuntingQuery Solution
Azure DevOps - Variable Created and Deleted HuntingQuery Solution
Azure DevOps - Internal Upstream Package Feed Added. HuntingQuery Solution
Azure DevOps- Guest users access enabled HuntingQuery Solution
Azure DevOps - New Release Pipeline Created HuntingQuery Solution
Azure DevOps- Public project created HuntingQuery Solution
Azure DevOps - New Package Feed Created HuntingQuery Solution
Azure DevOps- Project visibility changed to public HuntingQuery Solution
Azure DevOps - Build Deleted After Pipeline Modification HuntingQuery Solution
Azure DevOps - New PAT Operation HuntingQuery Solution
Azure DevOps - New Agent Pool Created HuntingQuery Solution
Azure DevOps- Additional Org Admin added HuntingQuery Solution
Azure DevOps- Public project enabled by admin HuntingQuery Solution
Azure DevOps - Build Check Deleted. HuntingQuery Solution
Azure DevOps- AAD Conditional Access Disabled HuntingQuery Solution
Azure DevOps Display Name Changes HuntingQuery Solution
Azure DevOps Pull Request Policy Bypassing HuntingQuery Solution
Azure Key Vault Azure Key Vault Solution for Microsoft Sentinel enables you to stream Azure Key Vault diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances. Data Connectors: 1, Workbooks: 1, Analytic Rules: 4 Azure Key Vault access TimeSeries anomaly AnalyticsRule Identifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm to find large deviations from baseline Azure Key Vault access patterns. Any sudden increase in the count of Azure Key Vault accesses can be an indication of adversary dumping credentials via automated methods. If you are seeing any noise, try filtering known source (IP/Account) and user-agent combinations. TimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052 Solution
Mass secret retrieval from Azure Key Vault AnalyticsRule Identifies mass secret retrieval from Azure Key Vault observed by a single user. Mass secret retrieval crossing a certain threshold is an indication of credential dump operations or mis-configured applications. You can tweak the EventCountThreshold based on the average count seen in your environment and also filter any known sources (IP/Account) and user-agent combinations based on historical analysis to further reduce noise. Solution
NRT Sensitive Azure Key Vault operations AnalyticsRule Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup. Any Backup operations should match with expected scheduled backup activity. Solution
Sensitive Azure Key Vault operations AnalyticsRule Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup. Any Backup operations should match with expected scheduled backup activity. Solution
Azure Key Vault DataConnector Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys. This connector lets you stream your Azure Key Vault diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances. For more information, see the Microsoft Sentinel documentation. Solution
Azure Key Vault Security Workbook See insights about the security of your Azure key vaults. The workbook helps to identify sensitive operations in the key vaults and get insights based on Azure Defender alerts. Solution
Azure Kubernetes Service (AKS) The Azure Kubernetes Services (AKS) solution allows you to ingest AKS activity logs using Diagnostic Settings into Microsoft Sentinel. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor Resource Diagnostics. Data Connectors: 1, Workbooks: 1, Hunting Queries: 2 Azure Kubernetes Service (AKS) DataConnector Azure Kubernetes Service (AKS) is an open-source, fully-managed container orchestration service that allows you to deploy, scale, and manage Docker containers and container-based applications in a cluster environment. This connector lets you stream your Azure Kubernetes Service (AKS) diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances. For more information, see the Microsoft Sentinel documentation. Solution
Azure RBAC AKS created role details HuntingQuery Solution
Determine users with cluster admin role HuntingQuery Solution
Azure Kubernetes Service (AKS) Security Workbook See insights about the security of your AKS clusters. The workbook helps to identify sensitive operations in the clusters and get insights based on Azure Defender alerts. Solution
Microsoft Purview The Microsoft Purview Solution enables data sensitivity enrichment of Microsoft Sentinel. Data classification and sensitivity label logs from Microsoft Purview scans are ingested and visualized through workbooks, analytical rules, and more. Data Connectors: 1, Workbooks: 1, Analytic Rules: 2 Sensitive Data Discovered in the Last 24 Hours - Customized AnalyticsRule Customized query used to identify specific classifications and parameters that have been discovered on assets in the last 24 hours by Microsoft Purview. By default, the query identifies Social Security Numbers detected, but the specific classification monitored along with other data fields can be adjusted. A list of supported Microsoft Purview classifications can be found here: https://docs.microsoft.com/azure/purview/supported-classifications Solution
Sensitive Data Discovered in the Last 24 Hours AnalyticsRule Identifies all classifications that have been detected on assets during a scan by Microsoft Purview within the last 24 hours. Solution
Microsoft Purview (Preview) DataConnector Connect to Microsoft Purview to enable data sensitivity enrichment of Microsoft Sentinel. Data classification and sensitivity label logs from Microsoft Purview scans can be ingested and visualized through workbooks, analytical rules, and more. For more information, see the Microsoft Sentinel documentation. Solution
Microsoft Purview Workbook Sets the time name for analysis Solution
Azure Security Benchmark The Azure Security Benchmark v3 Solution is designed to enable Cloud Architects, Security Engineers, and Governance Risk Compliance Professionals to gain situational awareness for cloud security posture and hardening. Benchmark recommendations provide a starting point for selecting specific security configuration settings and facilitate risk reduction. The Azure Security Benchmark includes a collection of high-impact security recommendations for improving posture. This workbook provides visibility and situational awareness for security capabilities delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user and some panels may require additional configurations for operation. Workbooks: 1, Analytic Rules: 1, Playbooks: 3 Azure Security Benchmark Posture Changed AnalyticsRule This alert is designed to monitor Azure policies aligned with the Azure Security Benchmark Regulatory Compliance initiative. The alert triggers when policy compliance falls below 70% within a 1 week time-frame. Solution
Notify-GovernanceComplianceTeam Playbook This Security Orchestration, Automation, & Response (SOAR) capability is designed for configuration with the solution's analytics rules. When analytics rules trigger this automation notifies the governance compliance team of respective details via Teams chat and exchange email. This automation reduces requirements to manually monitor the workbook or analytics rules while increasing response times. Solution
Create-AzureDevOpsTask Playbook This playbook will create the Azure DevOps task filled with the Microsoft Sentinel incident details. Solution
Create Jira Issue Playbook This playbook will open a Jira Issue when a new incident is opened in Microsoft Sentinel. Solution
Azure Security Benchmark Workbook Azure Security Benchmark v3 Workbook provides a mechanism for viewing log queries, Azure Resource Graph, and policies aligned to ASB controls across Microsoft security offerings, Azure, Microsoft 365, 3rd Party, On-Premises, and Multi-cloud workloads. This workbook enables Security Architects, Engineers, SecOps Analysts, Managers, and IT Pros to gain situational awareness visibility for the security posture of cloud workloads. There are also recommendations for selecting, designing, deploying, and configuring Microsoft offerings for alignment with respective ASB requirements and practices. Solution
Azure Storage The Azure Storage account Solution for Microsoft Sentinel enables you to stream Azure Storage accounts diagnostics logs into your Microsoft Sentinel workspace, allowing you to continuously monitor activity in all your instances, and detect malicious activity in your organization. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor Resource Diagnostics. Data Connectors: 1 Azure Storage Account DataConnector Azure Storage account is a cloud solution for modern data storage scenarios. It contains all your data objects: blobs, files, queues, tables, and disks. This connector lets you stream Azure Storage accounts diagnostics logs into your Microsoft Sentinel workspace, allowing you to continuously monitor activity in all your instances, and detect malicious activity in your organization. For more information, see the Microsoft Sentinel documentation. Solution
Azure Web Application Firewall The Azure Web Application Firewall (WAF) solution for Microsoft Sentinel allows you to ingest Diagnostic Metrics from Application Gateway, Front Door and CDN into Microsoft Sentinel. Data Connectors: 1, Workbooks: 4, Analytic Rules: 3 Front Door Premium WAF - SQLi Detection AnalyticsRule Identifies a match for a SQL Injection attack in the Front Door Premium WAF logs. The threshold value in the query can be changed as per your infrastructure's requirements. References: https://owasp.org/Top10/A03_2021-Injection/ Solution
A potentially malicious web request was executed against a web server AnalyticsRule Detects unobstructed Web Application Firewall (WAF) activity in sessions where the WAF blocked incoming requests by computing the ratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). A high ratio value for a given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number of blocked requests and a few unobstructed logs that may be malicious but have passed undetected through the WAF. The successCode variable defines what the detection thinks is a successful status code and should be altered to fit the environment. Solution
Front Door Premium WAF - XSS Detection AnalyticsRule Identifies a match for an XSS attack in the Front Door Premium WAF logs. The threshold value in the query can be changed as per your infrastructure's requirements. References: https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS) Solution
Azure Web Application Firewall (WAF) DataConnector Connect to the Azure Web Application Firewall (WAF) for Application Gateway, Front Door, or CDN. This WAF protects your applications from common web vulnerabilities such as SQL injection and cross-site scripting, and lets you customize rules to reduce false positives. Follow these instructions to stream your Microsoft Web application firewall logs into Microsoft Sentinel. For more information, see the Microsoft Sentinel documentation. Solution
Microsoft Web Application Firewall (WAF) - firewall events Workbook Gain insights into your organization's Azure web application firewall (WAF). You will get visibility in to your application gateway firewall. You can view anomalies and trends across all firewall event triggers, attack events, blocked URL addresses and more. Solution
Microsoft Web Application Firewall (WAF) - gateway access events Workbook Gain insights into your organization's Azure web application firewall (WAF). You will get visibility in to your application gateway access events. You can view anomalies and trends across received and sent data, client IP addresses, URL addresses and more, and drill down into details. Solution
Microsoft Web Application Firewall (WAF) - overview Workbook Gain insights into your organization's Azure web application firewall (WAF). You will get a general overview of your application gateway firewall and application gateway access events. Solution
Microsoft Web Application Firewall (WAF) - Azure WAF Workbook Gain insights into your organization's Azure web application firewall (WAF) across various services such as Azure Front Door Service and Application Gateway. You can view event triggers, full messages, attacks over time, among other data. Several aspects of the workbook are interactable to allow users to further understand their data Solution
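The "A potentially malicious web request was executed against a web server" rule in the Azure Web Application Firewall solution above describes its BlockvsSuccessRatio logic in prose only. The following Python is an added example, not the solution's KQL or any Microsoft code: it applies the same idea to constructed WAF records (client IP, host, WAF action, HTTP status; labelled as constructed in the code) so the effect of the successCode set and of the ratio threshold can be seen directly. The record layout, the default success codes and the thresholds are assumptions for the example.

```python
"""Added example (not part of the Azure WAF solution): the BlockvsSuccessRatio
idea applied to constructed WAF records in plain Python."""
from collections import defaultdict

# HTTP status codes treated as "the request got through". This plays the role
# of the rule's successCode variable and is an assumption to tune per environment.
SUCCESS_CODES = {200, 204, 301, 302}


def _rep(client_ip, host, action, status, count):
    """Repeat one constructed WAF record `count` times."""
    return [(client_ip, host, action, status)] * count


# Constructed sample records (not real log data): (client_ip, host, action, http_status).
# In Sentinel the action comes from the WAF firewall log and the status from the
# access log; here both are folded into one tuple for brevity.
SAMPLE_WAF_EVENTS = (
    _rep("198.51.100.7", "shop.example", "Blocked", 403, 8)     # probing, mostly blocked...
    + _rep("198.51.100.7", "shop.example", "Allowed", 200, 2)   # ...but two requests got through
    + _rep("203.0.113.5", "shop.example", "Blocked", 403, 1)    # ordinary user, one false positive
    + _rep("203.0.113.5", "shop.example", "Allowed", 200, 20)
    + _rep("198.51.100.9", "api.example", "Blocked", 403, 12)   # scanner, nothing got through
    + _rep("198.51.100.9", "api.example", "Allowed", 404, 3)    # 404 is not a success here
)


def block_vs_success_ratio(events, success_codes=SUCCESS_CODES):
    """Per (client_ip, host) session key, return (blocked, succeeded, ratio).

    `succeeded` counts non-blocked requests whose status is in success_codes;
    ratio is blocked/succeeded, or inf when nothing got through."""
    blocked = defaultdict(int)
    succeeded = defaultdict(int)
    for client_ip, host, action, status in events:
        key = (client_ip, host)
        if action == "Blocked":
            blocked[key] += 1
        elif status in success_codes:
            succeeded[key] += 1
    result = {}
    for key in set(blocked) | set(succeeded):
        b, s = blocked[key], succeeded[key]
        result[key] = (b, s, b / s if s else float("inf"))
    return result


def suspicious_sessions(events, min_blocked=5, min_ratio=3.0, success_codes=SUCCESS_CODES):
    """Session keys worth investigating: many blocks, but a few requests still
    succeeded (those are the ones that may have slipped past the WAF).
    Sessions where nothing got through are left to plain block-count rules."""
    ratios = block_vs_success_ratio(events, success_codes)
    return sorted(
        key for key, (b, s, ratio) in ratios.items()
        if b >= min_blocked and s > 0 and ratio >= min_ratio
    )


if __name__ == "__main__":
    for key, (b, s, ratio) in sorted(block_vs_success_ratio(SAMPLE_WAF_EVENTS).items()):
        print(f"{key[0]:>14} {key[1]:<13} blocked={b:<3} succeeded={s:<3} ratio={ratio:.2f}")
    print("investigate:", suspicious_sessions(SAMPLE_WAF_EVENTS))
```

Widening the success set changes the verdict: with 404 treated as a success, the scanner session on api.example is also flagged, which is exactly why the rule's successCode variable has to be chosen per environment (an application that answers 404 to probes will otherwise hide them).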
Azure Batch Account The Azure Batch Account solution for Microsoft Sentinel enables you to ingest Azure Batch Account diagnostics logs using Diagnostic Settings into Microsoft Sentinel. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor Resource Diagnostics. Data Connectors: 1 Azure Batch Account DataConnector Azure Batch Account is a uniquely identified entity within the Batch service. Most Batch solutions use Azure Storage for storing resource files and output files, so each Batch account is usually associated with a corresponding storage account. This connector lets you stream your Azure Batch account diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity. For more information, see the Microsoft Sentinel documentation. Solution
Bitglass The Bitglass solution provides the capability to retrieve security event logs of the Bitglass services and more events into Microsoft Sentinel through the REST API. The connector provides the ability to get events, which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor HTTP Data Collector API; b. Azure Functions. Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10 Bitglass - Multiple files shared with external entity AnalyticsRule Detects when multiple files are shared with an external entity. Solution
Bitglass - User login from new geo location AnalyticsRule Detects a user login from a new geographic location. Solution
Bitglass - The SmartEdge endpoint agent was uninstalled AnalyticsRule Detects when the SmartEdge endpoint agent was uninstalled. Solution
Bitglass - Suspicious file uploads AnalyticsRule Detects suspicious file upload activity. Solution
Bitglass - User Agent string has changed for user AnalyticsRule Detects when the User-Agent string has changed for a user. Solution
Bitglass - Multiple failed logins AnalyticsRule Detects multiple failed logins. Solution
Bitglass - New admin user AnalyticsRule Detects a new admin user. Solution
Bitglass - New risky user AnalyticsRule Detects a new risky user. Solution
Bitglass - Login from new device AnalyticsRule Detects when a user logs in from a new device. Solution
Bitglass - Impossible travel distance AnalyticsRule Detects logins by the same user from geographic locations too far apart to have been travelled between in the elapsed time. Solution
Bitglass (using Azure Functions) DataConnector The Bitglass data connector provides the capability to retrieve security event logs of the Bitglass services and more events into Microsoft Sentinel through the REST API. The connector provides the ability to get events, which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more. Solution
Bitglass - New users HuntingQuery Solution
Bitglass - Privileged login failures HuntingQuery Solution
Bitglass - Uncategorized resources HuntingQuery Solution
Bitglass - Risky users HuntingQuery Solution
Bitglass - Insecure web protocol HuntingQuery Solution
Bitglass - Login failures HuntingQuery Solution
Bitglass - Applications used HuntingQuery Solution
Bitglass - User devices HuntingQuery Solution
Bitglass - Risky users HuntingQuery Solution
Bitglass - New applications HuntingQuery Solution
Bitglass Data Parser Parser Solution
Bitglass Workbook Sets the time name for analysis Solution
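The Bitglass "Impossible travel distance" rule above is described only as detecting logins from different geographic locations. The following Python is an added example, not Bitglass's or the solution's own detection: it shows the usual way such a rule is built, great-circle distance between consecutive logins of one user divided by the elapsed time, flagged when the implied speed is beyond what travel allows. The login tuples, the coordinates and the 900 km/h ceiling are constructed assumptions for the example.

```python
"""Added example (not part of the Bitglass solution): impossible-travel
detection over constructed login events, in plain Python."""
import math
from collections import defaultdict
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
# Fastest plausible travel between two logins; an assumption, tune per organisation.
MAX_PLAUSIBLE_KMH = 900.0

# Constructed sample logins (not real data): (user, ISO timestamp, latitude, longitude).
SAMPLE_LOGINS = [
    ("alice", "2023-07-25T09:00:00", 47.6062, -122.3321),  # Seattle
    ("alice", "2023-07-25T10:00:00", 50.1109, 8.6821),     # Frankfurt one hour later
    ("bob",   "2023-07-25T09:00:00", 51.5074, -0.1278),    # London
    ("bob",   "2023-07-25T12:00:00", 48.8566, 2.3522),     # Paris three hours later
    ("carol", "2023-07-25T14:00:00", 34.0522, -118.2437),  # Los Angeles (out of order on purpose)
    ("carol", "2023-07-25T08:00:00", 40.7128, -74.0060),   # New York
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_ts, to_ts, km, kmh) for each pair of consecutive logins
    by the same user that would require travelling faster than max_kmh.
    Logins are sorted per user first, so input order does not matter."""
    by_user = defaultdict(list)
    for user, ts, lat, lon in logins:
        by_user[user].append((datetime.fromisoformat(ts), lat, lon))
    hits = []
    for user, events in by_user.items():
        events.sort()
        for (t1, la1, lo1), (t2, la2, lo2) in zip(events, events[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600
            # Same-second logins from different places: treat as infinite speed.
            kmh = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if kmh > max_kmh:
                shown_kmh = round(kmh) if math.isfinite(kmh) else kmh
                hits.append((user, t1.isoformat(), t2.isoformat(), round(km), shown_kmh))
    return hits


if __name__ == "__main__":
    for hit in impossible_travel(SAMPLE_LOGINS):
        print("impossible travel:", hit)
```

Only alice is flagged: Seattle to Frankfurt in an hour is over 8,000 km/h, while carol's New York to Los Angeles in six hours stays under the ceiling. In production the geolocation of an IP is itself noisy (VPN egress, mobile carriers), so such a rule is normally paired with a known-VPN allowlist or a minimum-distance floor rather than run on raw speed alone.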
Blackberry CylancePROTECT The Blackberry CylancePROTECT solution allows you to easily connect your CylancePROTECT logs with Microsoft Sentinel. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Agent-based log collection (Syslog). Data Connectors: 1, Parsers: 1 Blackberry CylancePROTECT DataConnector The Blackberry CylancePROTECT connector allows you to easily connect your CylancePROTECT logs with Microsoft Sentinel. This gives you more insight into your organization's network and improves your security operation capabilities. Solution
CylancePROTECT Parser Solution
Box The Box solution connector provides the capability to ingest Box enterprise's events into Microsoft Sentinel using the Box REST API. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor HTTP Data Collector API; b. Azure Functions. Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10 Box - Abmormal user activity AnalyticsRule Detects spikes (deviations from the average) in user activity. Solution
Box - User role changed to owner AnalyticsRule Detects when a user's collaboration role is changed to owner. Solution
Box - Many items deleted by user AnalyticsRule Detects when a user deletes many items in a short period of time. Solution
Box - File containing sensitive data AnalyticsRule Detects files which may potentially contain sensitive data such as passwords, authentication tokens, or secret keys. Solution
Box - Item shared to external entity AnalyticsRule Detects when an item is shared with an external entity. Solution
Box - Forbidden file type downloaded AnalyticsRule Detects when a new user downloads forbidden file types. Solution
Box - User logged in as admin AnalyticsRule Detects when a user logs in as admin. Solution
Box - Executable file in folder AnalyticsRule Detects executable files in folders. Solution
Box - Inactive user login AnalyticsRule Detects a user login after a long period of inactivity. Solution
Box - New external user AnalyticsRule Detects when a new user is created with a SourceLogin containing a non-corporate domain. Solution
Box (using Azure Function) DataConnector The Box data connector provides the capability to ingest Box enterprise's events into Microsoft Sentinel using the Box REST API. Refer to Box documentation for more information. Solution
Box - Users with owner permissions HuntingQuery Solution
Box - Downloaded data volume per user HuntingQuery Solution
Box - Uploaded data volume per user HuntingQuery Solution
Box - Deleted users HuntingQuery Solution
Box - New users HuntingQuery Solution
Box - Suspicious or sensitive files HuntingQuery Solution
Box - IP list for admin users HuntingQuery Solution
Box - Inactive users HuntingQuery Solution
Box - New users HuntingQuery Solution
Box - Inactive admin users HuntingQuery Solution
Box Data Parser Parser Solution
Box Workbook Sets the time name for analysis Solution
Broadcom SymantecDLP The Broadcom Symantec Data Loss Prevention (DLP) connector allows you to easily connect your Symantec DLP with Microsoft Sentinel. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Agent-based log collection (CEF). Data Connectors: 1, Parsers: 1 Braodcom Symantec DLP DataConnector The Broadcom Symantec Data Loss Prevention (DLP) connector allows you to easily connect your Symantec DLP with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's information, where it travels, and improves your security operation capabilities. Solution
SymantecDLP Parser Solution
CheckPhish by Bolster Bolster's phishing and scam protection service provides accurate detection and takedown of phishing and scam sites. This Sentinel solution contains a playbook that identifies phishing sites and enriches the Sentinel incident with the result, helping analysts investigate faster. Custom Azure Logic Apps Connectors: 1, Playbooks: 1 CheckPhishbyBolsterCustomConnector LogicAppsCustomConnector Solution
CheckPhish - Get URL reputation Playbook This playbook submits a URL to CheckPhish and returns the URL's reputation (scan result). Solution
Cisco ACI The Cisco Application Centric Infrastructure (ACI) solution provides the capability to ingest Cisco ACI logs into Microsoft Sentinel. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Agent-based log collection from Windows and Linux machines. Data Connectors: 1, Parsers: 1 Cisco Application Centric Infrastructure DataConnector Cisco Application Centric Infrastructure (ACI) data connector provides the capability to ingest Cisco ACI logs into Microsoft Sentinel. Solution
CiscoACI Data Parser Parser Solution
Cisco ASA The Cisco ASA solution for Microsoft Sentinel enables you to ingest Cisco ASA logs into Microsoft Sentinel. This solution includes two (2) data connectors to help ingest the logs. Cisco ASA/FTD via AMA - This data connector helps in ingesting Cisco ASA logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector. Cisco ASA via Legacy Agent - This data connector helps in ingesting Cisco ASA logs into your Log Analytics Workspace using the legacy Log Analytics agent. NOTE: Microsoft recommends installation of the Cisco ASA/FTD via AMA Connector. The legacy connector uses the Log Analytics agent, which is scheduled for deprecation on Aug 31, 2024, and thus should only be installed where AMA is not supported. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Agent-based log collection (Syslog). Data Connectors: 2, Workbooks: 1, Analytic Rules: 2, Custom Azure Logic Apps Connectors: 1, Playbooks: 3 Cisco ASA - threat detection message fired AnalyticsRule Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network, indicated by DeviceEventClassID 733101-733105. Resources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html Details on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html Solution
Cisco ASA - average attack detection rate increase AnalyticsRule This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100 References: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html Details on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html Solution
Cisco ASA DataConnector The Cisco ASA firewall connector allows you to easily connect your Cisco ASA logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. Solution
Cisco ASA/FTD via AMA (Preview) DataConnector The Cisco ASA firewall connector allows you to easily connect your Cisco ASA logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. Solution
CiscoASAConnector LogicAppsCustomConnector Solution
Block IP - Cisco ASA Playbook This playbook allows blocking/allowing of IPs in Cisco ASA, using a Network Object Group. The Network Object Group itself should be part of an Access Control Entry. Solution
Cisco ASA - Create or remove access rules on an interface for IP Addresses Playbook This playbook allows blocking/unblocking of IPs in Cisco ASA, using Access Control Entries which will be created in an access control list. Solution
Cisco ASA - Create or Inbound Access Rule On Interface Playbook This playbook allows blocking/unblocking of IPs in Cisco ASA, using Access Rules which will be created on an interface. Solution
Cisco - ASA Workbook Gain insights into your Cisco ASA firewalls by analyzing traffic, events, and firewall operations. This workbook analyzes Cisco ASA threat events and identifies suspicious ports, users, protocols and IP addresses. You can learn about trends across user and data traffic directions, and drill down into the Cisco filter results. Easily detect attacks on your organization by monitoring management operations, such as configuration and logins. Solution
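The two Cisco ASA analytic rules above key on syslog message IDs 733100 and 733101-733105. The following Python is an added example, not the solution's KQL or Cisco's code: it parses constructed ASA syslog lines (the "%ASA-<severity>-<id>:" prefix is the real message format; the text after the ID is made up and labelled as such), picks out the threat-detection events, and compares the last hour's count of 733100 messages with the per-hour average of the previous six hours, as the rate-increase rule describes. The two-fold trigger ratio, the reference time and the sample timestamps are assumptions for the example.

```python
"""Added example (not part of the Cisco ASA solution): Cisco ASA threat
detection syslog IDs parsed and rate-compared in plain Python."""
import re
from datetime import datetime, timedelta

# Message IDs named in the catalog entries: 733100 is the periodic threat-detection
# rate message; 733101-733105 are fired threat-detection events.
RATE_ID = "733100"
THREAT_IDS = {"733101", "733102", "733103", "733104", "733105"}

# Real ASA messages start "%ASA-<severity>-<id>:"; the text after the ID in the
# samples below is constructed, not copied from a device.
ASA_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}):")

# Reference "now" for the constructed sample; a real rule uses the query time.
NOW = datetime(2023, 7, 25, 12, 0, 0)


def _asa(ts, msg_id, text):
    """Build one constructed syslog line with an ISO timestamp prefix."""
    return f"{ts.isoformat()} %ASA-4-{msg_id}: {text}"


SAMPLE_ASA_LINES = (
    # baseline: one 733100 message in each of the six hours before the last hour
    [_asa(NOW - timedelta(hours=h, minutes=30), RATE_ID, "drop rate exceeded (constructed)")
     for h in range(1, 7)]
    # last hour: five 733100 messages, a five-fold jump over the baseline
    + [_asa(NOW - timedelta(minutes=m), RATE_ID, "drop rate exceeded (constructed)")
       for m in (5, 15, 25, 35, 45)]
    # two threat-detection events plus an unrelated deny message
    + [
        _asa(NOW - timedelta(minutes=10), "733101", "host 198.51.100.7 scanning (constructed)"),
        _asa(NOW - timedelta(minutes=12), "733102", "host 198.51.100.7 shunned (constructed)"),
        _asa(NOW - timedelta(minutes=20), "106023", "Deny tcp src outside:198.51.100.7 (constructed)"),
    ]
)


def parse_asa_line(line):
    """Return (timestamp, message_id) or None when the line is not an ASA message."""
    ts_text, _, rest = line.partition(" ")
    m = ASA_RE.search(rest)
    if not m:
        return None
    try:
        return datetime.fromisoformat(ts_text), m.group("id")
    except ValueError:
        return None


def threat_detection_alerts(lines):
    """(timestamp, message_id) for every 733101-733105 event, in input order."""
    hits = []
    for line in lines:
        parsed = parse_asa_line(line)
        if parsed and parsed[1] in THREAT_IDS:
            hits.append(parsed)
    return hits


def rate_increase(lines, now, baseline_hours=6, min_ratio=2.0):
    """Count 733100 messages in the last hour and compare with the per-hour
    average of the preceding baseline_hours.
    Returns (last_hour, baseline_avg, ratio, triggered)."""
    hour_ago = now - timedelta(hours=1)
    baseline_start = hour_ago - timedelta(hours=baseline_hours)
    last_hour = baseline = 0
    for line in lines:
        parsed = parse_asa_line(line)
        if not parsed or parsed[1] != RATE_ID:
            continue
        ts = parsed[0]
        if hour_ago < ts <= now:
            last_hour += 1
        elif baseline_start < ts <= hour_ago:
            baseline += 1
    avg = baseline / baseline_hours
    if avg > 0:
        ratio = last_hour / avg
    else:
        ratio = float("inf") if last_hour else 0.0
    # With no baseline at all a ratio is meaningless; leave that case to a
    # plain threshold rule rather than firing on the first message ever seen.
    return last_hour, avg, ratio, (avg > 0 and ratio >= min_ratio)


if __name__ == "__main__":
    print("threat detection events:", threat_detection_alerts(SAMPLE_ASA_LINES))
    print("733100 rate (last hour vs 6h baseline):", rate_increase(SAMPLE_ASA_LINES, NOW))
```

The baseline comparison is what keeps a device that always emits a few 733100 messages per hour from alerting constantly; the threat-detection IDs, by contrast, are worth an alert individually because the ASA only emits them once its own scanning heuristics have fired.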
Cisco Duo Security The Cisco Duo Security solution allows you to ingest authentication logs, administrator logs, telephony logs, offline enrollment logs and Trust Monitor events into Microsoft Sentinel using the Cisco Duo Admin API. Refer to API documentation for more information. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor HTTP Data Collector API; b. Azure Functions. Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10 Cisco Duo - Authentication device new location AnalyticsRule Detects a new location for an authentication device. Solution
Cisco Duo - Multiple user login failures AnalyticsRule Detects when multiple user login failures occur. Solution
Cisco Duo - Admin user created AnalyticsRule Detects when a new admin user is created. Solution
Cisco Duo - Unexpected authentication factor AnalyticsRule Detects when an unexpected authentication factor is used. Solution
Cisco Duo - AD sync failed AnalyticsRule Detects when AD synchronization failed. Solution
Cisco Duo - Admin password reset AnalyticsRule Detects when an admin's password was reset. Solution
Cisco Duo - Admin user deleted AnalyticsRule Detects when an admin user is deleted. Solution
Cisco Duo - Multiple users deleted AnalyticsRule Detects when multiple users were deleted. Solution
Cisco Duo - Multiple admin 2FA failures AnalyticsRule Detects when multiple admin 2FA failures occur. Solution
Cisco Duo - New access device AnalyticsRule Detects a new access device. Solution
Cisco Duo Security (using Azure Functions) DataConnector The Cisco Duo Security data connector provides the capability to ingest authentication logs, administrator logs, telephony logs, offline enrollment logs and Trust Monitor events into Microsoft Sentinel using the Cisco Duo Admin API. Refer to API documentation for more information. Solution
Cisco Duo - Admin failure authentications HuntingQuery Solution
Cisco Duo - Admin failure authentications HuntingQuery Solution
Cisco Duo - Authentication error reasons HuntingQuery Solution
Cisco Duo - Deleted users HuntingQuery Solution
Cisco Duo - New users HuntingQuery Solution
Cisco Duo - Devices with vulnerable OS HuntingQuery Solution
Cisco Duo - Authentication errors HuntingQuery Solution
Cisco Duo - Fraud authentications HuntingQuery Solution
Cisco Duo - Devices with unsecure settings HuntingQuery Solution
Cisco Duo - Delete actions HuntingQuery Solution
CiscoDuoSecurity Data Parser Parser Solution
CiscoDuoSecurity Workbook Sets the time name for analysis Solution
Cisco ISE The Cisco ISE solution for Microsoft Sentinel enables you to ingest Cisco ISE's NAC logs into Microsoft Sentinel, providing insight into network threats and vulnerabilities. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Agent-based log collection (Syslog). Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10, Custom Azure Logic Apps Connectors: 1, Playbooks: 3 CiscoISE - Device changed IP in last 24 hours AnalyticsRule Detects when a device changes its IP address within the last 24 hours. Solution
CiscoISE - Command executed with the highest privileges from new IP AnalyticsRule Detects command execution with PrivilegeLevel 15 from a new source IP. Solution
CiscoISE - Log files deleted AnalyticsRule Detects log file deletion activity. Solution
CiscoISE - Backup failed AnalyticsRule Detects when a backup has failed. Solution
CiscoISE - Device PostureStatus changed to non-compliant AnalyticsRule Detects when a device's PostureStatus changes away from "Compliant". Solution
CiscoISE - Certificate has expired AnalyticsRule Detects certificate expiration. Solution
CiscoISE - Attempt to delete local store logs AnalyticsRule Detects a failed attempt to delete local store logs. Solution
CiscoISE - Log collector was suspended AnalyticsRule Detects when the log collector was suspended. Solution
CiscoISE - ISE administrator password has been reset AnalyticsRule Detects when the ISE administrator password has been reset. Solution
CiscoISE - Command executed with the highest privileges by new user AnalyticsRule Detects command execution with PrivilegeLevel 15 by a user for whom no such activity was observed earlier. Solution
Cisco Identity Services Engine DataConnector The Cisco Identity Services Engine (ISE) data connector provides the capability to ingest Cisco ISE events into Microsoft Sentinel. It helps you gain visibility into what is happening in your network, such as who is connected, which applications are installed and running, and much more. Refer to Cisco ISE logging mechanism documentation for more information. Solution
CiscoISE - Rare or new useragent HuntingQuery Solution
CiscoISE - Guest authentication succeeded HuntingQuery Solution
CiscoISE - Guest authentication failed HuntingQuery Solution
CiscoISE - Sources with high number of 'Failed Authentication' events HuntingQuery Solution
CiscoISE - Failed login attempts via SSH CLI (users) HuntingQuery Solution
CiscoISE - Authentication attempts to suspended user account HuntingQuery Solution
CiscoISE - Dynamic authorization failed HuntingQuery Solution
CiscoISE - Failed authentication events HuntingQuery Solution
CiscoISE - Attempts to suspend the log collector HuntingQuery Solution
CiscoISE - Expired certificate in the client certificates chain HuntingQuery Solution
LogicAppsCustomConnector Solution
CiscoISEEvent Parser Solution
CiscoISE-False Positives Clear Policies Playbook This playbook is triggered when a new Sentinel incident is created. 1. For each MAC address in the incident (MACAddress provided in the alert custom entities), checks whether it was rejected in Cisco ISE. 2. If the MAC address was rejected, checks whether it is in the safe list (a custom Watchlist that contains safe MAC addresses). If it is in the safe list, releases the endpoint with this MAC address in Cisco ISE. 3. Adds a comment to the incident with information about the released endpoints. Solution
CiscoISE-SuspendGuestUser Playbook When a new Sentinel incident is created, this playbook is triggered and performs the following actions: 1. For each Account in the incident, suspends the user in Cisco ISE by name. 2. Adds a comment to the incident with information about the suspended users. Solution
CiscoISE-TakeEndpointActionFromTeams Playbook When a new Sentinel incident is created, this playbook is triggered and performs the following actions: 1. Sends an adaptive card to the Teams channel where the analyst can choose an action to be taken. 2. Assigns a policy (policy name is provided during the deployment stage) to an endpoint (MACAddress of the endpoint is provided in the alert custom entities) depending on the action chosen in the adaptive card. 3. Changes the incident status and severity depending on the action chosen in the adaptive card. 4. Adds a comment to the incident with information about the actions taken. Solution
Cisco ISE Workbook Sets the time name for analysis Solution
Cisco Meraki The Cisco Meraki solution allows you to easily connect your Cisco Meraki (MX/MR/MS) logs with Microsoft Sentinel. This gives you more insight into your organization's network and improves your security operation capabilities. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor HTTP Data Collector API. Data Connectors: 1, Parsers: 1, Workbooks: 1, Custom Azure Logic Apps Connectors: 1, Playbooks: 5 Cisco Meraki DataConnector The Cisco Meraki connector allows you to easily connect your Cisco Meraki (MX/MR/MS) logs with Microsoft Sentinel. This gives you more insight into your organization's network and improves your security operation capabilities. Solution
MerakiConnector LogicAppsCustomConnector Solution
Cisco Meraki Data Parser Parser Solution
Block-Device-Client-Meraki Playbook This playbook checks whether a malicious device client is blocked by the Cisco Meraki network. Solution
Block-IP-Address-Meraki Playbook This playbook checks whether a malicious IP address is blocked or unblocked by the Cisco Meraki MX network. Solution
Block-URL-Meraki Playbook This playbook checks whether a malicious URL is blocked in the Cisco Meraki network. Solution
IP-Enrichment-Meraki Playbook This playbook checks whether a malicious IP address is blocked or unblocked by the Cisco Meraki MX network. Solution
URL-Enrichment-Meraki Playbook This playbook checks whether a malicious URL is blocked or unblocked by the Cisco Meraki network. Solution
CiscoMerakiWorkbook Workbook Gain insights into the Events from Cisco Meraki Solution and analyzing all the different types of Security Events. This workbook also helps in identifying the Events from affected devices, IPs and the nodes where malware was successfully detected. IP data received in Events is correlated with Threat Intelligence to identify if the reported IP address is known bad based on threat intelligence data. Solution
Cisco Secure Endpoint The Cisco Secure Endpoint (formerly AMP for Endpoints) data connector provides the capability to ingest Cisco Secure Endpoint audit logs and events into Microsoft Sentinel. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor HTTP Data Collector API; b. Azure Functions. Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 11, Hunting Queries: 10 Cisco SE - Connection to known C2 server AnalyticsRule This rule is triggered when a connection to a known C2 server is detected from a host. Solution
Cisco SE - Malware outbreak AnalyticsRule Detects a possible malware outbreak. Solution
Cisco SE High Events Last Hour AnalyticsRule Find events from Cisco Secure Endpoint that are of High severity in the last hour. Solution
Cisco SE - Policy update failure AnalyticsRule Detects policy update failures. Solution
Cisco SE - Malware execusion on host AnalyticsRule Detects malware execution on a host. Solution
Cisco SE - Multiple malware on host AnalyticsRule This rule triggers when multiple malware detections occur on a host. Solution
Cisco SE - Dropper activity on host AnalyticsRule Detects possible dropper activity on a host. Solution
Cisco SE - Generic IOC AnalyticsRule This rule is triggered when a generic IOC is observed on a host. Solution
Cisco SE - Ransomware Activity AnalyticsRule This rule is triggered when possible ransomware activity is detected on a host. Solution
Cisco SE - Possible webshell AnalyticsRule Detects a possible webshell on a host. Solution
Cisco SE - Unexpected binary file AnalyticsRule Detects binary files in uncommon locations. Solution
Cisco Secure Endpoint (AMP) (using Azure Functions) DataConnector The Cisco Secure Endpoint (formerly AMP for Endpoints) data connector provides the capability to ingest Cisco Secure Endpoint audit logs and events into Microsoft Sentinel. Solution
Cisco SE - Modified agents on hosts HuntingQuery Solution
Cisco SE - Scanned files HuntingQuery Solution
Cisco SE - Infected hosts HuntingQuery Solution
Cisco SE - Suspicious powershel downloads HuntingQuery Solution
Cisco SE - Vulnerable applications HuntingQuery Solution
Cisco SE - User Logins HuntingQuery Solution
Cisco SE - Malicious files HuntingQuery Solution
Cisco SE - Uncommon application behavior HuntingQuery Solution
Cisco SE - Infected users HuntingQuery Solution
Cisco SE - Rare scanned files HuntingQuery Solution
CiscoSecureEndpoint Data Parser Parser Solution
Cisco Secure Endpoint Workbook Sets the time name for analysis Solution
Cisco SEG The Cisco Secure Email Gateway (SEG) solution provides the capability to ingest Cisco SEG Consolidated Event Logs into Microsoft Sentinel. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Agent-based log collection (CEF over Syslog). Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 11, Hunting Queries: 10 Cisco SEG - Multiple large emails sent to external recipient AnalyticsRule Detects possible data exfiltration. Solution
Cisco SEG - Malicious attachment not blocked AnalyticsRule Detects mails with malicious attachments which were not blocked. Solution
Cisco SEG - Potential phishing link AnalyticsRule Detects mails with suspicious links. Solution
Cisco SEG - Suspicious link AnalyticsRule Detects mails with suspicious links. Solution
Cisco SEG - Possible outbreak AnalyticsRule Detects possible outbreak activity. Solution
Cisco SEG - Unexpected link AnalyticsRule Detects mails with suspicious links. Solution
Cisco SEG - Unscannable attacment AnalyticsRule Detects unscannable attachments in mails. Solution
Cisco SEG - DLP policy violation AnalyticsRule Detects DLP policy violation. Solution
Cisco SEG - Multiple suspiciuos attachments received AnalyticsRule Detects possible phishing emails. Solution
Cisco SEG - Suspicious sender domain AnalyticsRule Detects emails from sender domains whose domain age is suspicious. Solution
Cisco SEG - Unexpected attachment AnalyticsRule Detects possibly malicious attachments. Solution
Cisco Secure Email Gateway DataConnector The Cisco Secure Email Gateway (SEG) data connector provides the capability to ingest Cisco SEG Consolidated Event Logs into Microsoft Sentinel. Solution
Cisco SEG - Top users receiving spam mails HuntingQuery Solution
Cisco SEG - SPF failures HuntingQuery Solution
Cisco SEG - Insecure protocol HuntingQuery Solution
Cisco SEG - Failed incoming TLS connections HuntingQuery Solution
Cisco SEG - Sources of spam mails HuntingQuery Solution
Cisco SEG - Dropped outgoing mails HuntingQuery Solution
Cisco SEG - DMARK failures HuntingQuery Solution
Cisco SEG - Failed outgoing TLS connections HuntingQuery Solution
Cisco SEG - DKIM failures HuntingQuery Solution
Cisco SEG - Dropped incoming mails HuntingQuery Solution
Cisco SEG Data Parser Parser Solution
Cisco Secure Email Gateway Workbook Sets the time name for analysis Solution
Cisco Stealthwatch The Cisco Stealthwatch solution provides the capability to ingest Cisco Stealthwatch events into Microsoft Sentinel. Refer to Cisco Stealthwatch documentation for more information. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Agent-based log collection (Syslog). Data Connectors: 1, Parsers: 1 Cisco Stealthwatch DataConnector The Cisco Stealthwatch data connector provides the capability to ingest Cisco Stealthwatch events into Microsoft Sentinel. Refer to Cisco Stealthwatch documentation for more information. Solution
CiscoStealthwatch Data Parser Parser Solution
Cisco UCS The Cisco UCS solution for Microsoft Sentinel enables you to ingest Cisco UCS faults, events, and audit logs into Microsoft Sentinel. Underlying Microsoft Technologies used: This solution is dependent on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Agent-based log collection (Syslog). Data Connectors: 1, Parsers: 1 Cisco UCS DataConnector The Cisco Unified Computing System (UCS) connector allows you to easily connect your Cisco UCS logs with Microsoft Sentinel. This gives you more insight into your organization's network and improves your security operation capabilities. Solution
CiscoUCS Parser Solution
Cisco Umbrella The Cisco Umbrella solution for Microsoft Sentinel enables you to ingest Cisco Umbrella events stored in Amazon S3 into Microsoft Sentinel using the Amazon S3 REST API. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor HTTP Data Collector API; b. Azure Functions. Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10, Custom Azure Logic Apps Connectors: 4, Playbooks: 4 Cisco Umbrella - Empty User Agent Detected AnalyticsRule Detects an empty or unusual user agent, indicating web browsing activity by an unusual process other than a web browser. Solution
Cisco Umbrella - Connection to Unpopular Website Detected AnalyticsRule Detects first connection to an unpopular website (possible malicious payload delivery). Solution
Cisco Umbrella - Rare User Agent Detected AnalyticsRule Detects rare user agents, indicating web browsing activity by an unusual process other than a web browser. Solution
Cisco Umbrella - Hack Tool User-Agent Detected AnalyticsRule Detects suspicious user agent strings used by known hack tools Solution
Cisco Umbrella - Windows PowerShell User-Agent Detected AnalyticsRule Detects PowerShell user-agent activity, indicating web requests made by an unusual process other than a web browser. Solution
Cisco Umbrella - Crypto Miner User-Agent Detected AnalyticsRule Detects suspicious user agent strings used by crypto miners in proxy logs. Solution
Cisco Umbrella - Connection to non-corporate private network AnalyticsRule Detects connections to IP addresses of broadband links, which usually indicate users attempting to access their home network, for example for a remote session to a home computer. Solution
Cisco Umbrella - Request Allowed to harmful/malicious URI category AnalyticsRule Detects requests allowed to harmful/malicious URI categories. It is recommended that these categories be blocked by policy because they provide harmful/malicious content. Solution
Cisco Umbrella - Request to blocklisted file type AnalyticsRule Detects request to potentially harmful file types (.ps1, .bat, .vbs, etc.). Solution
Cisco Umbrella - URI contains IP address AnalyticsRule Detects requests whose URI contains an IP address; malware can use raw IP addresses instead of domain names to communicate with C2. Solution
Cisco Umbrella (using Azure Function) DataConnector The Cisco Umbrella data connector provides the capability to ingest Cisco Umbrella events stored in Amazon S3 into Microsoft Sentinel using the Amazon S3 REST API. Refer to Cisco Umbrella log management documentation for more information. Solution
Cisco Umbrella - 'Blocked' User-Agents. HuntingQuery Solution
Cisco Umbrella - DNS Errors. HuntingQuery Solution
Cisco Umbrella - Possible data exfiltration HuntingQuery Solution
Cisco Umbrella - Higher values of count of the Same BytesIn size HuntingQuery Solution
Cisco Umbrella - Possible connection to C2. HuntingQuery Solution
Cisco Umbrella - High values of Uploaded Data HuntingQuery Solution
Cisco Umbrella - DNS requests to unreliable categories. HuntingQuery Solution
Cisco Umbrella - Anomalous FQDNs for domain HuntingQuery Solution
Cisco Umbrella - Proxy 'Allowed' to unreliable categories. HuntingQuery Solution
Cisco Umbrella - Requests to uncategorized resources HuntingQuery Solution
LogicAppsCustomConnector Solution
LogicAppsCustomConnector Solution
LogicAppsCustomConnector Solution
LogicAppsCustomConnector Solution
CiscoUmbrella Data Parser Parser Solution
CiscoUmbrella-AddIpToDestinationList Playbook This playbook showcases an example of triggering an incident within a targeted Teams channel and opening up a ticket within Service Now. Additionally The playbook will also list playbooks that can be initiated from teams using an adaptive card and callbacks that will take action upon certain entities identified in the incident. Solution
CiscoUmbrella-AssignPolicyToIdentity Playbook This playbook showcases an example of triggering an incident within a targeted Teams channel and opening up a ticket within Service Now. Additionally The playbook will also list playbooks that can be initiated from teams using an adaptive card and callbacks that will take action upon certain entities identified in the incident. Solution
CiscoUmbrella-BlockDomain Playbook This playbook showcases an example of triggering an incident within a targeted Teams channel and opening up a ticket within Service Now. Additionally The playbook will also list playbooks that can be initiated from teams using an adaptive card and callbacks that will take action upon certain entities identified in the incident. Solution
CiscoUmbrella-GetDomainInfo Playbook This playbook showcases an example of triggering an incident within a targeted Teams channel and opening up a ticket within Service Now. Additionally The playbook will also list playbooks that can be initiated from teams using an adaptive card and callbacks that will take action upon certain entities identified in the incident. Solution
Cisco Umbrella Workbook Gain insights into Cisco Umbrella activities, including the DNS, Proxy and Cloud Firewall data. Workbook shows general information along with threat landscape including categories, blocked destinations and URLs. Solution
Cisco WSA The Cisco Web Security Appliance (WSA) solution provides the capability to ingest Cisco WSA Access Logs into Microsoft Sentinel. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Agent-based log collection (Syslog). Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 11, Hunting Queries: 10 Cisco WSA - Unexpected URL AnalyticsRule Detects an unexpected URL. Solution
Cisco WSA - Multiple errors to URL AnalyticsRule Detects multiple connection errors to URL. Solution
Cisco WSA - Unexpected uploads AnalyticsRule Detects unexpected file uploads. Solution
Cisco WSA - Access to unwanted site AnalyticsRule Detects when users attempt to access sites from a high-risk category. Solution
Cisco WSA - Internet access from public IP AnalyticsRule Detects internet access from public IP. Solution
Cisco WSA - Multiple attempts to download unwanted file AnalyticsRule Detects when multiple attempts to download unwanted file occur. Solution
Cisco WSA - Suspected protocol abuse AnalyticsRule Detects possible protocol abuse. Solution
Cisco WSA - Unexpected file type AnalyticsRule Detects unexpected file type. Solution
Cisco WSA - Multiple infected files AnalyticsRule Detects multiple infected files on same source. Solution
Cisco WSA - Unscannable file or scan error AnalyticsRule Detects unscanned downloaded file. Solution
Cisco WSA - Multiple errors to resource from risky category AnalyticsRule Detects multiple connection errors to resource from risky category. Solution
Cisco Web Security Appliance DataConnector Cisco Web Security Appliance (WSA) data connector provides the capability to ingest Cisco WSA Access Logs into Microsoft Sentinel. Solution
Cisco WSA - URL shorteners HuntingQuery Solution
Cisco WSA - Rare applications HuntingQuery Solution
Cisco WSA - Top applications HuntingQuery Solution
Cisco WSA - User errors HuntingQuery Solution
Cisco WSA - Rare URL with error HuntingQuery Solution
Cisco WSA - Potentially risky resources HuntingQuery Solution
Cisco WSA - Uploaded files HuntingQuery Solution
Cisco WSA - Top URLs HuntingQuery Solution
Cisco WSA - Uncategorized URLs HuntingQuery Solution
Cisco WSA - Blocked files HuntingQuery Solution
CiscoWSA Data Parser Parser Solution
CiscoWSA Workbook Sets the time name for analysis Solution
Citrix ADC Note: Please refer to the following before installing the solution: Review the solution Release Notes. There may be known issues pertaining to this Solution. The Citrix ADC (formerly NetScaler) solution enables you to ingest Citrix ADC logs into Microsoft Sentinel. Refer to the Citrix ADC log collection guide for more details. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Agent-based log collection (Syslog). Data Connectors: 1, Parsers: 1 Citrix ADC (former NetScaler) DataConnector The Citrix ADC (former NetScaler) data connector provides the capability to ingest Citrix ADC logs into Microsoft Sentinel. If you want to ingest Citrix WAF logs into Microsoft Sentinel, refer to this documentation. Solution
CitrixADCEvent Parser Solution
Claroty The Claroty solution for Microsoft Sentinel enables ingestion of Continuous Threat Detection and Secure Remote Access events into Microsoft Sentinel. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Agent-based log collection (CEF over Syslog). Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10 Claroty - Multiple failed logins to same destinations AnalyticsRule Detects multiple failed logins to same destinations. Solution
Claroty - Policy violation AnalyticsRule Detects policy violations. Solution
Claroty - Multiple failed logins by user AnalyticsRule Detects multiple failed logins by same user. Solution
Claroty - Suspicious file transfer AnalyticsRule Detects suspicious file transfer activity. Solution
Claroty - New Asset AnalyticsRule Triggers when a new asset has been added into the environment. Solution
Claroty - Threat detected AnalyticsRule Detects activity matching a collection of known malware command and control servers. Solution
Claroty - Suspicious activity AnalyticsRule Detects suspicious behavior that is generally indicative of malware. Solution
Claroty - Critical baseline deviation AnalyticsRule Detects when critical deviation from baseline occurs. Solution
Claroty - Login to uncommon location AnalyticsRule Detects user login to uncommon location. Solution
Claroty - Asset Down AnalyticsRule Triggers when an asset is down. Solution
Claroty DataConnector The Claroty data connector provides the capability to ingest Continuous Threat Detection and Secure Remote Access events into Microsoft Sentinel. Solution
Claroty - PLC logins HuntingQuery Solution
Claroty - Write and Execute operations HuntingQuery Solution
Claroty - Baseline deviation HuntingQuery Solution
Claroty - Network scan sources HuntingQuery Solution
Claroty - Conflict assets HuntingQuery Solution
Claroty - Network scan targets HuntingQuery Solution
Claroty - User failed logins HuntingQuery Solution
Claroty - Critical Events HuntingQuery Solution
Claroty - Unapproved access HuntingQuery Solution
Claroty - Unresolved alerts HuntingQuery Solution
Claroty Data Parser Parser Solution
Claroty Workbook Sets the time name for analysis Solution
Cloudflare Cloudflare secures and ensures the reliability of your external-facing resources such as websites, APIs, and applications. It protects your internal resources such as behind-the-firewall applications, teams, and devices. And it is your platform for developing globally-scalable applications. Microsoft Sentinel solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step. Cloudflare - Client request from country in blocklist AnalyticsRule Detects requests from countries which are in blocklist. Solution
Cloudflare - XSS probing pattern in request AnalyticsRule Detects XSS probing patterns. Solution
Cloudflare - Empty user agent AnalyticsRule Detects requests where user agent is empty. Solution
Cloudflare - Unexpected POST requests AnalyticsRule Detects POST requests to unusual extensions. Solution
Cloudflare - Bad client IP AnalyticsRule Detects requests from IP with bad reputation index. Solution
Cloudflare - Unexpected URI AnalyticsRule Detects client requests to unusual URI. Solution
Cloudflare - Multiple error requests from single source AnalyticsRule Detects multiple failure requests from single source in short timeframe. Solution
Cloudflare - Unexpected client request AnalyticsRule Detects unexpected client requests. Solution
Cloudflare - WAF Allowed threat AnalyticsRule Detects WAF "Allowed" action on threat events. Solution
Cloudflare - Multiple user agents for single source AnalyticsRule Detects requests with different user agents from one source in short timeframe. Solution
Cloudflare (Preview) (using Azure Functions) DataConnector The Cloudflare data connector provides the capability to ingest Cloudflare logs into Microsoft Sentinel using the Cloudflare Logpush and Azure Blob Storage. Refer to Cloudflare documentation for more information. Solution
Cloudflare - Unexpected edge response HuntingQuery Solution
Cloudflare - Client TLS errors HuntingQuery Solution
Cloudflare - Client errors HuntingQuery Solution
Cloudflare - Server errors HuntingQuery Solution
Cloudflare - Top WAF rules HuntingQuery Solution
Cloudflare - Unexpected countries HuntingQuery Solution
Cloudflare - Rare user agents HuntingQuery Solution
Cloudflare - Files requested HuntingQuery Solution
Cloudflare - Server TLS errors HuntingQuery Solution
Cloudflare - Top Network rules HuntingQuery Solution
Cloudflare Parser Solution
Cloudflare Workbook Sets the time name for analysis Solution
Cloud Service Threat Protection Essentials As cloud services increase in popularity, the volume of attacks against them is also increasing. Broad visibility, context and timely detection of these attacks are important for organizations as they move more workloads to the cloud. The Cloud Service Threat Protection Essentials solution contains security content that is relevant for detection of attacks against various cloud services like Key Vault, Storage, Compute etc. Pre-requisites: This is a domain solution and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions to unlock the value provided by this solution: Microsoft 365, Azure Activity, Azure Key Vault. Keywords: Storage, Key Vault, Compute, Office, Mail tampering, Azure, resources. Hunting Queries: 2 Azure Resources Assigned Public IP Addresses HuntingQuery Solution
Azure Key Vault Access Policy Manipulation HuntingQuery Solution
Multi-Factor Authentication Disabled for a User AnalyticsRule Multi-Factor Authentication (MFA) helps prevent credential compromise. This alert identifies when an attempt has been made to deactivate MFA for a user. Solution
New External User Granted Admin Role AnalyticsRule This query will detect instances where a newly invited external user is granted an administrative role. By default this query will alert on any granted administrative role; this can be modified using the roles variable if false positives occur in your environment. The maximum delta between invite and escalation to admin is 60 minutes; this can be configured using the deltaBetweenInviteEscalation variable. Solution
Detect Disabled Account Sign-in Attempts by IP Address HuntingQuery Solution
User Granted Access and Grants Access to Other Users HuntingQuery Solution
Interactive STS refresh token modifications HuntingQuery Solution
Sign-ins From VPS Providers HuntingQuery Solution
Suspicious Sign-ins to Privileged Account HuntingQuery Solution
Detect Disabled Account Sign-in Attempts by Account Name HuntingQuery Solution
Application Granted EWS Permissions HuntingQuery Solution
Sign-ins from Nord VPN Providers HuntingQuery Solution
Cybersecurity Maturity Model Certification (CMMC) 2.0 Important: This Microsoft Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews. The Microsoft Sentinel: Cybersecurity Maturity Model Certification (CMMC) 2.0 solution provides a mechanism for viewing log queries aligned to CMMC 2.0 requirements across the Microsoft portfolio. This solution enables governance and compliance teams to design, build, monitor, and respond to CMMC 2.0 requirements across 25+ Microsoft products. The solution includes the new CMMC 2.0 Workbook, (2) Analytics Rules, and (1) Playbook. While only Microsoft Sentinel is required to get started, the solution is enhanced with numerous Microsoft offerings. This solution enables Security Architects, Engineers, SecOps Analysts, Managers, and IT Pros to gain situational awareness visibility for the security posture of cloud workloads. There are also recommendations for selecting, designing, deploying, and configuring Microsoft offerings for alignment with respective security best practice. Required data types: AuditLogs, AzureActivity, AzureDiagnostics, BehaviorAnalytics, Event, InformationProtectionLogs_CL, OfficeActivity, SecurityAlert, SecurityBaseline, SecurityIncident, SecurityRecommendation, SigninLogs, Usage. Microsoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step. Workbooks: 1, Analytic Rules: 2, Playbooks: 3 CMMC 2.0 Level 2 (Advanced) Readiness Posture AnalyticsRule CMMC 2.0 Level 2 (Advanced) assessments have deviated from configured threshold baselines. This alert is triggered when CMMC 2.0 policy compliance is assessed below 70% compliance in 7 days. Solution
CMMC 2.0 Level 1 (Foundational) Readiness Posture AnalyticsRule CMMC 2.0 Level 1 (Foundational) assessments have deviated from configured threshold baselines. This alert is triggered when CMMC 2.0 policy compliance is assessed below 70% compliance in 7 days. Solution
Create-AzureDevOpsTask Playbook This playbook will create the Azure DevOps task filled with the Microsoft Sentinel incident details. Solution
Create Jira Issue Playbook This playbook will open a Jira Issue when a new incident is opened in Microsoft Sentinel. Solution
Notify_GovernanceComplianceTeam Playbook This playbook will create the Azure DevOps task filled with the Microsoft Sentinel incident details. Solution
CybersecurityMaturityModelCertification(CMMC)2.0 Workbook Sets the time name for analysis. Solution
Common Event Format The Common Event Format (CEF) solution for Microsoft Sentinel allows you to ingest logs from any product and/or appliance that can send logs in the Common Event Format (CEF) over Syslog messages. Installing this solution will deploy two data connectors: Common Event Format via AMA - This data connector helps in ingesting CEF formatted logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector. Common Event Format via Legacy Agent - This data connector helps in ingesting CEF formatted logs into your Log Analytics Workspace using the legacy Log Analytics agent. NOTE: Microsoft recommends installation of Common Event Format via AMA. The legacy connector uses the Log Analytics agent, which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Agent-based log collection (CEF over Syslog). Data Connectors: 2 Common Event Format (CEF) DataConnector Common Event Format (CEF) is an industry standard format on top of Syslog messages, used by many security vendors to allow event interoperability among different platforms. By connecting your CEF logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log. For more information, see the Microsoft Sentinel documentation. Solution
Common Event Format (CEF) via AMA DataConnector Common Event Format (CEF) is an industry standard format on top of Syslog messages, used by many security vendors to allow event interoperability among different platforms. By connecting your CEF logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log. For more information, see the Microsoft Sentinel documentation. Solution
Continuous Diagnostics & Mitigation This solution enables Compliance Teams, Architects, SecOps Analysts, and Consultants to gain situational awareness for cloud workload security posture. This solution is designed to augment staffing through automation, visibility, assessment, monitoring and remediation. This solution includes (1) Workbook for build/design/reporting, (1) Analytics rule for monitoring and (1) Hunting query for assessment. The Cybersecurity and Infrastructure Security Agency (CISA) Continuous Diagnostics and Mitigation (CDM) Program is a dynamic approach to fortifying the cybersecurity of government networks and systems. The CDM Program provides cybersecurity tools, integration services, and dashboards to participating agencies to help them improve their respective security postures by delivering better visibility and awareness of their networks and defending against cyber adversaries. For more information, see Continuous Diagnostics and Mitigation (CDM). CDM_ContinuousDiagnostics&Mitigation_PostureChanged AnalyticsRule This alert is designed to monitor Azure policies aligned with the Continuous Diagnostics & Mitigation (CDM) Program. The alert triggers when policy compliance falls below 70% within a 1 week timeframe. Solution
CDM_ContinuousDiagnostics&Mitigation_Posture HuntingQuery Solution
ContinuousDiagnostics&Mitigation Workbook Select the time range for this Overview. Solution
CrowdStrike Falcon Endpoint Protection The CrowdStrike Falcon Endpoint Protection solution allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Agent-based log collection (Syslog). Data Connectors: 2, Parsers: 2, Workbooks: 1, Analytic Rules: 2, Playbooks: 3 Critical or High Severity Detections by User AnalyticsRule Creates an incident when a large number of Critical/High severity CrowdStrike Falcon sensor detections are triggered by a single user Solution
Critical Severity Detection AnalyticsRule Creates an incident when a CrowdStrike Falcon sensor detection is triggered with a Critical Severity Solution
CrowdStrike Falcon Endpoint Protection DataConnector The CrowdStrike Falcon Endpoint Protection connector allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities. Solution
Crowdstrike Falcon Data Replicator (using Azure Functions) DataConnector The Crowdstrike Falcon Data Replicator connector provides the capability to ingest raw event data from the Falcon Platform events into Microsoft Sentinel. The connector provides ability to get events from Falcon Agents which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more. Solution
CrowdStrikeFalconEventStream Parser Solution
CrowdstrikeReplicator Parser Solution
Crowdstrike API authentication Playbook This is the CrowdStrike base template used to generate an access token, which is then used by the other CrowdStrike playbooks. This playbook is triggered when a new HTTP request is received and is called from the other CrowdStrike playbooks. Solution
Isolate endpoint - Crowdstrike Playbook When a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: Solution
Endpoint enrichment - Crowdstrike Playbook When a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: Solution
CrowdStrike Falcon Endpoint Protection Workbook Sets the time name for analysis Solution
Azure Data Lake Storage Gen1 The Azure Data Lake Storage Gen1 solution for Microsoft Sentinel enables you to ingest Azure Data Lake Storage Gen1 diagnostics logs using Diagnostic Settings into Microsoft Sentinel. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor Resource Diagnostics. Data Connectors: 1 Azure Data Lake Storage Gen1 DataConnector Azure Data Lake Storage Gen1 is an enterprise-wide hyper-scale repository for big data analytic workloads. Azure Data Lake enables you to capture data of any size, type, and ingestion speed in one single place for operational and exploratory analytics. This connector lets you stream your Azure Data Lake Storage Gen1 diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity. For more information, see the Microsoft Sentinel documentation. Solution
Dev 0270 Detection and Hunting Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS. Microsoft assesses with moderate confidence that DEV-0270 conducts malicious network operations, including widespread vulnerability scanning, on behalf of the government of Iran. For more technical and mitigation information, please read the Microsoft Security blog. As Microsoft continues to track DEV-0270's tactics and techniques, we are also sharing guidance, detections and hunting queries to help our customers better defend against this threat through our security products. Analytic Rules: 4 Dev-0270 Registry IOC - September 2022 AnalyticsRule Identifies registry modifications by the DEV-0270 actor to disable security features and to add ransom notes. Solution
Dev-0270 Malicious Powershell usage AnalyticsRule DEV-0270 heavily uses PowerShell at various stages of their attacks. This rule locates PowerShell-related activity tied to the actor. Solution
Dev-0270 WMIC Discovery AnalyticsRule Identifies dllhost.exe using WMIC to discover additional hosts and associated domains in the environment. Solution
DEV-0270 New User Creation AnalyticsRule Detects creation of a new user using a known DEV-0270 username/password schema. Solution
Digital Guardian Data Loss Prevention The Digital Guardian Data Loss Prevention (DLP) solution provides the capability to ingest Digital Guardian DLP logs into Microsoft Sentinel. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Agent-based log collection (Syslog). Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10 Digital Guardian - Incident with not blocked action AnalyticsRule Detects incidents whose action was not a block. Solution
Digital Guardian - Exfiltration using DNS protocol AnalyticsRule Detects exfiltration using DNS protocol. Solution
Digital Guardian - Bulk exfiltration to external domain AnalyticsRule Detects bulk exfiltration to external domain. Solution
Digital Guardian - Unexpected protocol AnalyticsRule Detects RDP protocol usage for data transfer which is not common. Solution
Digital Guardian - Exfiltration to external domain AnalyticsRule Detects exfiltration to external domain. Solution
Digital Guardian - Possible SMTP protocol abuse AnalyticsRule Detects possible SMTP protocol abuse. Solution
Digital Guardian - Sensitive data transfer over insecure channel AnalyticsRule Detects sensitive data transfer over insecure channel. Solution
Digital Guardian - Multiple incidents from user AnalyticsRule Detects multiple incidents from user. Solution
Digital Guardian - Exfiltration to private email AnalyticsRule Detects exfiltration to private email. Solution
Digital Guardian - Exfiltration to online fileshare AnalyticsRule Detects exfiltration to online fileshare. Solution
Digital Guardian Data Loss Prevention DataConnector Digital Guardian Data Loss Prevention (DLP) data connector provides the capability to ingest Digital Guardian DLP logs into Microsoft Sentinel. Solution
Digital Guardian - Insecure file transfer sources HuntingQuery Solution
Digital Guardian - Urls used HuntingQuery Solution
Digital Guardian - Incident domains HuntingQuery Solution
Digital Guardian - Files sent by users HuntingQuery Solution
Digital Guardian - Rare destination ports HuntingQuery Solution
Digital Guardian - Users' incidents HuntingQuery Solution
Digital Guardian - Rare network protocols HuntingQuery Solution
Digital Guardian - New incidents HuntingQuery Solution
Digital Guardian - Rare Urls HuntingQuery Solution
Digital Guardian - Inspected files HuntingQuery Solution
DigitalGuardianDLP Data Parser Parser Solution
DigitalGuardianDLP Workbook Sets the time name for analysis Solution
Windows Server DNS The DNS solution for Microsoft Sentinel allows you to ingest DNS analytic and audit logs into Microsoft Sentinel. The DNS logs are collected only from Windows agents. Installing this solution will deploy two data connectors: DNS via AMA - This data connector helps in ingesting Windows DNS logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector. DNS via Legacy Agent - This data connector helps in ingesting Windows DNS logs into your Log Analytics Workspace using the legacy Log Analytics agent. NOTE: Microsoft recommends installation of DNS via AMA. The legacy connector uses the Log Analytics agent, which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Data Connectors: 2, Workbooks: 1, Analytic Rules: 5, Hunting Queries: 9 DNS events related to mining pools AnalyticsRule Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools. Solution
Rare client observed with high reverse DNS lookup count AnalyticsRule Identifies clients with a high reverse DNS count that could be carrying out reconnaissance or discovery activity. Alerts are generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period. Solution
Potential DGA detected AnalyticsRule Identifies clients with a high NXDomain count, which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alerts are generated when a new IP address is seen (based on not being associated with NXDomain records in the prior 10-day baseline period). Solution
DNS events related to ToR proxies AnalyticsRule Identifies IP addresses performing DNS lookups associated with common ToR proxies. Solution
NRT DNS events related to mining pools AnalyticsRule Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools. Solution
Windows DNS Events via AMA (Preview) DataConnector The Windows DNS log connector allows you to easily filter and stream all analytics logs from your Windows DNS servers to your Microsoft Sentinel workspace using the Azure Monitor Agent (AMA). Having this data in Microsoft Sentinel helps you identify issues and security threats such as: - Clients trying to resolve malicious domain names. - Stale resource records. - Frequently queried domain names and talkative DNS clients. - Attacks performed on DNS servers. You can get the following insights into your Windows DNS servers from Microsoft Sentinel: - All logs centralized in a single place. - Request load on DNS servers. - Dynamic DNS registration failures. Windows DNS events are supported by the Advanced Security Information Model (ASIM) and stream into the ASimDnsActivityLogs table. Learn more. For more information, see the Microsoft Sentinel documentation. Solution
DNS DataConnector The DNS log connector allows you to easily connect your DNS analytic and audit logs with Microsoft Sentinel, and other related data, to improve investigation. When you enable DNS log collection you can: - Identify clients that try to resolve malicious domain names. - Identify stale resource records. - Identify frequently queried domain names and talkative DNS clients. - View request load on DNS servers. - View dynamic DNS registration failures. For more information, see the Microsoft Sentinel documentation. Solution
Solorigate DNS Pattern HuntingQuery Solution
DNS - domain anomalous lookup increase HuntingQuery Solution
Solorigate Encoded Domain in URL HuntingQuery Solution
Potential DGA detected HuntingQuery Solution
DNS Full Name anomalous lookup increase HuntingQuery Solution
DNS lookups for commonly abused TLDs HuntingQuery Solution
Abnormally long DNS URI queries HuntingQuery Solution
DNS Domains linked to WannaCry ransomware campaign HuntingQuery Solution
High reverse DNS count by host HuntingQuery Solution
DNS Workbook Gain extensive insight into your organization's DNS by analyzing, collecting and correlating all DNS events. This workbook exposes a variety of information about suspicious queries, malicious IP addresses and domain operations. Solution
DNS Essentials This is a domain solution and does not include any data connectors. The content in this solution requires one of the product solutions below, as well as any other connector or data source normalized to ASIM. Prerequisite: Install one or more of the listed solutions, or develop your own ASIM parsers, to unlock the value provided by this solution: Windows Server DNS, Azure Firewall, Cisco Umbrella, Corelight Zeek, Google Cloud Platform DNS, Infoblox NIOS, ISC Bind, Vectra AI, Zscaler Internet Access. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: the product solutions described above, and a Logic App for data summarization. Recommendation: It is highly recommended to use the Summarize Data for DNS Essentials Solution Logic App playbook provided with this solution, as it significantly improves the performance of the workbook, analytic rules and hunting queries. Workbooks: 1, Analytic Rules: 8, Hunting Queries: 10, Playbooks: 1 Potential DGA(Domain Generation Algorithm) detected via Repetitive Failures - Anomaly based (ASIM DNS Solution) AnalyticsRule This rule makes use of the series decompose anomaly method to detect clients with a high NXDomain response count, which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). An alert is generated when new IP address DNS activity is identified as an outlier when compared to the baseline, indicating a recurring pattern. It utilizes ASIM normalization and is applied to any source that supports the ASIM DNS schema. Solution
Detect excessive NXDOMAIN DNS queries - Anomaly based (ASIM DNS Solution) AnalyticsRule This rule makes use of the series decompose anomaly method to generate an alert when a client sends an excessive number of DNS queries for non-existent domains. This helps in identifying possible C2 communications. It utilizes ASIM normalization and is applied to any source that supports the ASIM DNS schema. Solution
Rare client observed with high reverse DNS lookup count - Anomaly based (ASIM DNS Solution) AnalyticsRule This rule makes use of the series decompose anomaly method to identify clients with high reverse DNS counts. This helps in detecting the possible initial phases of an attack, like discovery and reconnaissance. It utilizes ASIM normalization and is applied to any source that supports the ASIM DNS schema. Solution
Detect excessive NXDOMAIN DNS queries - Static threshold based (ASIM DNS Solution) AnalyticsRule This rule generates an alert when the configured threshold for DNS queries to non-existent domains is breached. This helps in identifying possible C2 communications. It utilizes ASIM normalization and is applied to any source that supports the ASIM DNS schema. Solution
Detect DNS queries reporting multiple errors from different clients - Static threshold based (ASIM DNS Solution) AnalyticsRule This rule creates an alert when multiple clients report errors for the same DNS query. This helps in identifying possible similar C2 communications originating from different clients. It utilizes ASIM normalization and is applied to any source that supports the ASIM DNS schema. Solution
Rare client observed with high reverse DNS lookup count - Static threshold based (ASIM DNS Solution) AnalyticsRule This rule identifies clients with high reverse DNS counts, which could be carrying out reconnaissance or discovery activity. This helps in detecting the possible initial phases of an attack, like discovery and reconnaissance. It utilizes ASIM normalization and is applied to any source that supports the ASIM DNS schema. Solution
Potential DGA(Domain Generation Algorithm) detected via Repetitive Failures - Static threshold based (ASIM DNS Solution) AnalyticsRule This rule identifies clients with a high NXDomain count, which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). An alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period). It utilizes ASIM normalization and is applied to any source that supports the ASIM DNS schema. Solution
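The following Python is an added example, not part of this catalog or of the Sentinel rule content. It models the logic described for the static-threshold "Potential DGA detected" rule here and in the Windows Server DNS solution above (a client alerts when its NXDOMAIN count in the last 24 hours reaches a threshold and it produced no NXDOMAIN responses in the prior 10-day baseline), and for the "Detect DNS queries reporting multiple errors from different clients" rule (a name alerts when it fails for several distinct clients). The DNS records, the reference time, the threshold of 10 and the `match` predicate are assumptions made for the example; the same baseline logic with `match=is_reverse_lookup` gives the shape of the "Rare client observed with high reverse DNS lookup count" rule.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple

# (timestamp, client IP, queried name, response code name) - record shape chosen for this example
Event = Tuple[datetime, str, str, str]

NOW = datetime(2023, 7, 25, 12, 0, 0)  # constructed reference time for "the last 24 hours"


def _fake_domain(seed: str) -> str:
    """Deterministic random-looking label standing in for a DGA-generated name (constructed)."""
    return hashlib.sha256(seed.encode()).hexdigest()[:12] + ".com"


def build_sample_events() -> List[Event]:
    """Constructed DNS telemetry, not real logs."""
    events: List[Event] = []
    # 10.1.2.3: 15 NXDOMAINs today, none in the 10-day baseline -> expected to alert
    for i in range(15):
        events.append((NOW - timedelta(minutes=i), "10.1.2.3", _fake_domain(f"dga{i}"), "NXDOMAIN"))
    # 10.1.2.4: 15 NXDOMAINs today, but it also failed a lookup 5 days ago -> in baseline, no alert
    for i in range(15):
        events.append((NOW - timedelta(minutes=i), "10.1.2.4", _fake_domain(f"noisy{i}"), "NXDOMAIN"))
    events.append((NOW - timedelta(days=5), "10.1.2.4", "old-typo.example", "NXDOMAIN"))
    # 10.1.2.5: 2 NXDOMAINs today, under the threshold -> no alert
    for i in range(2):
        events.append((NOW - timedelta(minutes=i), "10.1.2.5", _fake_domain(f"typo{i}"), "NXDOMAIN"))
    # one name failing from three different clients -> flagged by the second detection
    for ip in ("10.1.3.1", "10.1.3.2", "10.1.3.3"):
        events.append((NOW - timedelta(hours=2), ip, "update-check.example", "NXDOMAIN"))
    # successful lookups never count
    for ip in ("10.1.2.3", "10.1.2.4", "10.1.2.5"):
        events.append((NOW - timedelta(hours=1), ip, "login.microsoftonline.com", "NOERROR"))
    return events


def is_nxdomain(query: str, rcode: str) -> bool:
    return rcode == "NXDOMAIN"


def is_reverse_lookup(query: str, rcode: str) -> bool:
    """Predicate for the reverse-DNS variant of the same baseline logic."""
    return query.endswith(".in-addr.arpa") or query.endswith(".ip6.arpa")


def new_clients_with_high_count(
    events: List[Event],
    now: datetime = NOW,
    window_hours: int = 24,
    baseline_days: int = 10,
    threshold: int = 10,
    match: Callable[[str, str], bool] = is_nxdomain,
) -> Dict[str, dict]:
    """Clients whose matching-event count in the detection window reaches `threshold`
    and that produced no matching events during the baseline period before the window."""
    window_start = now - timedelta(hours=window_hours)
    baseline_start = window_start - timedelta(days=baseline_days)

    baseline_clients = set()
    counts: Dict[str, int] = defaultdict(int)
    names: Dict[str, set] = defaultdict(set)
    for ts, client, query, rcode in events:
        if not match(query, rcode):
            continue
        if baseline_start <= ts < window_start:
            baseline_clients.add(client)        # seen before: not a "new" client
        elif window_start <= ts <= now:
            counts[client] += 1
            names[client].add(query)

    return {
        client: {"count": n, "sample_names": sorted(names[client])[:5]}
        for client, n in counts.items()
        if n >= threshold and client not in baseline_clients
    }


def names_failing_from_many_clients(
    events: List[Event], now: datetime = NOW, window_hours: int = 24, min_clients: int = 3
) -> Dict[str, List[str]]:
    """Queried names that returned NXDOMAIN to at least `min_clients` distinct clients in the window."""
    window_start = now - timedelta(hours=window_hours)
    clients_by_name: Dict[str, set] = defaultdict(set)
    for ts, client, query, rcode in events:
        if rcode == "NXDOMAIN" and window_start <= ts <= now:
            clients_by_name[query].add(client)
    return {q: sorted(c) for q, c in clients_by_name.items() if len(c) >= min_clients}


if __name__ == "__main__":
    sample = build_sample_events()
    print(new_clients_with_high_count(sample))       # only 10.1.2.3
    print(names_failing_from_many_clients(sample))   # only update-check.example
```

The baseline exclusion is what keeps chronically noisy hosts (misconfigured search suffixes, monitoring probes) from alerting every day; the anomaly-based variants of these rules replace the fixed threshold with a time-series outlier test but keep the same per-client and per-name grouping.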
Detect DNS queries reporting multiple errors from different clients - Anomaly Based (ASIM DNS Solution) AnalyticsRule This rule makes use of the series decompose anomaly method to generate an alert when multiple clients report errors for the same DNS query. This rule monitors DNS traffic over a period of 14 days to detect possible similar C2 communication originating from different clients. It utilizes ASIM normalization and is applied to any source that supports the ASIM DNS schema. Solution
CVE-2020-1350 (SIGRED) exploitation pattern (ASIM DNS Solution) HuntingQuery Solution
Top 25 DNS queries with most failures in last 24 hours (ASIM DNS Solution) HuntingQuery Solution
Unexpected top level domains (ASIM DNS Solution) HuntingQuery Solution
[Anomaly] Anomalous Increase in DNS activity by clients (ASIM DNS Solution) HuntingQuery Solution
Top 25 Domains with large number of Subdomains (ASIM DNS Solution) HuntingQuery Solution
Possible DNS Tunneling or Data Exfiltration Activity (ASIM DNS Solution) HuntingQuery Solution
Connection to Unpopular Website Detected (ASIM DNS Solution) HuntingQuery Solution
Increase in DNS Requests by client than the daily average count (ASIM DNS Solution) HuntingQuery Solution
Top 25 Sources(Clients) with high number of errors in last 24hours (ASIM DNS Solution) HuntingQuery Solution
Potential beaconing activity (ASIM DNS Solution) HuntingQuery Solution
SummarizeDNSData_DNSEssentials Playbook This playbook summarizes data for DNS Essentials Solution and ingests into custom tables. Solution
DNS Solution Workbook Workbook This workbook is included as part of the DNS Essentials solution and gives a summary of analyzed DNS traffic. It also helps with threat analysis and investigating suspicious Domains, IPs and DNS traffic. DNS Essentials Solution also includes a playbook to periodically summarize the logs, thus enhancing the user experience and improving data search. For effective usage of workbook, we highly recommend enabling the summarization playbook that is provided with this solution. Solution
Eaton Foreseer The Eaton Foreseer solution for Sentinel provides security content to create analytic rules for monitoring unauthorized login attempts based on a given authorized user list, and a workbook to gain insights into login and security activity. Eaton Foreseer login-related events can be sent to Microsoft Sentinel using MMA or AMA by enabling forwarding of Windows events 4624 (successful logon) and 4625 (failed logon), which together cover all logins. Workbooks: 1, Analytic Rules: 1 EatonForeseer - Unauthorized Logins AnalyticsRule Detects unauthorized logins into Eaton Foreseer Solution
EatonForeseerHealthAndAccess Workbook This workbook gives an insight into the health of all the Windows VMs in this subscription running Eaton Foreseer and the unauthorized access into the Eaton Foreseer application running on these VMs. Solution
EclecticIQ EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. This solution includes SOAR Connector and Playbooks which leverage EclecticIQ Observables data to not only enrich Microsoft Sentinel incidents but also add indicators to EclecticIQ.Custom Azure Logic Apps Connectors: 1, Playbooks: 2 EclecticIQCustomConnector LogicAppsCustomConnector Solution
Create Observable - EclecticIQ Playbook This playbook adds a new observable in EclecticIQ based on the entity information present in the Sentinel incident. If an observable of the same type and value already exists, it is updated instead, and a comment is added to the Sentinel incident Solution
Enrich Incident - EclecticIQ Playbook This playbook looks up the incident's entities (Account, Host, IP, FileHash, URL) in EclecticIQ and adds the results to the Microsoft Sentinel incident Solution
Elastic Agent The Elastic Agent solution provides the capability to ingest Elastic Agent logs, metrics, and security data into Microsoft Sentinel.Underlying Microsoft Technologies used:This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:a. Agent based logs collection from Windows and Linux machinesData Connectors: 1, Parsers: 1 Elastic Agent (Standalone) DataConnector The Elastic Agent data connector provides the capability to ingest Elastic Agent logs, metrics, and security data into Microsoft Sentinel. Solution
ElasticAgent Data Parser Parser Solution
Endpoint Threat Protection Essentials The Endpoint Threat Protection Essentials solution provides content to monitor, detect and investigate threats related to Windows machines. The solution looks for things like suspicious command lines, PowerShell-based attacks, LOLBins, registry manipulation, scheduled tasks etc., which are some of the most commonly used techniques by attackers when targeting endpoints. Pre-requisites: This is a domain solution and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions to unlock the value provided by this solution: Windows Security Events, Microsoft 365 Defender, Windows Forwarded Events. Keywords: LOLBins, PowerShell, Registry, Lsass, Commandline, scheduled tasks, Malware. Analytic Rules: 13, Hunting Queries: 10 Windows Binaries Executed from Non-Default Directory AnalyticsRule The query detects Windows binaries that are executed from a directory other than their default location (e.g. C:\Windows, C:\Windows\System32). Ref: https://lolbas-project.github.io/ Solution
Lateral Movement via DCOM AnalyticsRule This query detects a fairly uncommon attack technique using the Windows Distributed Component Object Model (DCOM) to make a remote execution call to another computer system and gain lateral movement throughout the network. Ref: http://thenegative.zone/incident%20response/2017/02/04/MMC20.Application-Lateral-Movement-Analysis.html Solution
Malware in the recycle bin AnalyticsRule The query detects Windows binaries that can be used for executing malware and have been hidden in the recycle bin. The list of these binaries is sourced from https://lolbas-project.github.io/ References: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/. Solution
Security Event log cleared AnalyticsRule Checks for event id 1102 which indicates the security event log was cleared. It uses Event Source Name "Microsoft-Windows-Eventlog" to avoid generating false positives from other sources, like AD FS servers for instance. Solution
Registry Persistence via AppInit DLLs Modification AnalyticsRule Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows or HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. Ref: https://attack.mitre.org/techniques/T1546/010/ Solution
Dumping LSASS Process Into a File AnalyticsRule Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or system and used to conduct lateral movement using alternate authentication materials. As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system. Ref: https://attack.mitre.org/techniques/T1003/001/ Solution
Registry Persistence via AppCert DLL Modification AnalyticsRule Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec. Ref: https://attack.mitre.org/techniques/T1546/009/ Solution
Base64 encoded Windows process command-lines AnalyticsRule Identifies instances of a base64-encoded PE file header seen in the process command line parameter. Solution
Windows Binaries Lolbins Renamed AnalyticsRule This query detects the execution of renamed Windows binaries (Lolbins). This is a common technique used by adversaries to evade detection. Ref: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/execution-of-renamed-lolbin.html Solution
Potential Remote Desktop Tunneling AnalyticsRule This query detects remote desktop authentication attempts with a localhost source address, which can indicate a tunneled login. Ref: https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling Solution
Process executed from binary hidden in Base64 encoded file AnalyticsRule Encoding malicious software is a technique used to obfuscate files from detection. The first CommandLine component is looking for Python decoding base64. The second CommandLine component is looking for Bash/sh command line base64 decoding. The third one is looking for Ruby decoding base64. Solution
Detecting Macro Invoking ShellBrowserWindow COM Objects AnalyticsRule This query detects a macro invoking ShellBrowserWindow COM objects to evade naive parent/child Office detection rules. Ref: https://blog.menasec.net/2019/02/threat-hunting-doc-with-macro-invoking.html Solution
WDigest downgrade attack AnalyticsRule When the WDigest authentication protocol is enabled, the Local Security Authority Subsystem Service (LSASS) keeps plain-text passwords in memory, exposing them to theft. Windows 8.1 / Server 2012 R2 and later disable it by default; re-enabling it by setting UseLogonCredential to 1 under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest is a known preparation step for credential dumping, and this rule alerts on that registry change. Ref: https://www.stigviewer.com/stig/windows_7/2016-12-19/finding/V-72753 Solution
Scheduled Task Creation or Update from User Writable Directory HuntingQuery Solution
Detect Certutil (LOLBins and LOLScripts) Usage HuntingQuery Solution
Execution of File with One Character in the Name HuntingQuery Solution
Backup Deletion HuntingQuery Solution
Remote Scheduled Task Creation or Update using ATSVC Named Pipe HuntingQuery Solution
Remote Login Performed with WMI HuntingQuery Solution
Unicode Obfuscation in Command Line HuntingQuery Solution
Rundll32 (LOLBins and LOLScripts) HuntingQuery Solution
Potential Microsoft Security Services Tampering HuntingQuery Solution
Persisting via IFEO Registry Key HuntingQuery Solution
Entrust identity as Service Entrust offers a cloud-based identity and access management (IAM) solution with multi-factor authentication (MFA), credential-based passwordless access, and single sign-on (SSO). Integrating it with Microsoft Sentinel gives the ability to enrich incidents and manage user entity access as part of the incident remediation process. Playbooks: 5 Entrust-BlockUser Playbook This playbook blocks the risky user and records the action in the comments section of the triggered incident so that SOC analysts are aware of the action taken by the playbook Solution
Entrust-EnrichIncidentWithIPDetails Playbook This playbook adds the IP details to the comments section of the triggered incident so that SOC analysts can directly take corrective measures to stop the attack from an unknown or compromised entity Solution
Entrust-EnrichIncidentWithUserDetails Playbook This playbook adds the essential user details to the comments section of the triggered incident so that SOC analysts can directly take corrective measures to stop the attack from an unknown or compromised entity Solution
Entrust-EnrichIP-EntityTrigger Playbook This playbook adds the IP details of user authentication and management activity to the comments section of the incident so that SOC analysts can directly take corrective measures to stop the attack from an unknown or compromised entity Solution
Entrust-EnrichUser-EntityTrigger Playbook This playbook adds the essential user details to the comments section of the incident so that SOC analysts can directly take corrective measures to stop the attack from an unknown or compromised entity Solution
Azure Event Hubs The Azure Event Hubs solution for Microsoft Sentinel enables you to ingest Azure Event Hubs diagnostics logs using Diagnostic Settings into Microsoft Sentinel.Underlying Microsoft Technologies used:This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:a. Azure Monitor Resource DiagnosticsData Connectors: 1 Azure Event Hub DataConnector Azure Event Hubs is a big data streaming platform and event ingestion service. It can receive and process millions of events per second. This connector lets you stream your Azure Event Hub diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity. Solution
Exabeam Advanced Analytics The Exabeam Advanced Analytics data connector provides the capability to ingest Exabeam Advanced Analytics events into Microsoft Sentinel. Refer to Exabeam Advanced Analytics documentation for more information. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Agent-based log collection (Syslog)Data Connectors: 1, Parsers: 1 Exabeam Advanced Analytics DataConnector The Exabeam Advanced Analytics data connector provides the capability to ingest Exabeam Advanced Analytics events into Microsoft Sentinel. Refer to Exabeam Advanced Analytics documentation for more information. Solution
ExabeamEvent Parser Solution
FireEye Network Security The FireEye Network Security (NX) solution provides the capability to ingest FireEye Network Security logs into Microsoft Sentinel.Underlying Microsoft Technologies used:This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:a. Agent-based log collection (CEF over Syslog)Data Connectors: 1, Parsers: 1 FireEye Network Security (NX) DataConnector The FireEye Network Security (NX) data connector provides the capability to ingest FireEye Network Security logs into Microsoft Sentinel. Solution
FireEyeNXEvent Parser Solution
Forescout The Forescout solution provides the capability to ingest Forescout events into Microsoft Sentinel.Underlying Microsoft Technologies used:This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:a. Agent-based log collection (Syslog)Data Connectors: 1, Parsers: 1 Forescout DataConnector The Forescout data connector provides the capability to ingest Forescout events into Microsoft Sentinel. Refer to Forescout documentation for more information. Solution
Forescout Data Parser Parser Solution
Fortinet FortiGate Note: Please refer to the following before installing the solutionReview the solution Release Notes.There may be known issues pertaining to this Solution, please refer to them before installing.The Fortinet FortiGate Next-generation Firewall Solution for Microsoft Sentinel allows you to easily connect your FortiGate logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.This solution also contains playbooks to help in automated remediation.Underlying Microsoft Technologies used:This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:a. Agent-based log collection (CEF over Syslog)Data Connectors: 1, Workbooks: 1, Custom Azure Logic Apps Connectors: 1, Playbooks: 4 FortinetFortigateFunctionApp AzureFunction Solution
Fortinet DataConnector The Fortinet firewall connector allows you to easily connect your Fortinet logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. Solution
FortinetCustomConnector LogicAppsCustomConnector Solution
Fortinet-FortiGate-IPEnrichment Playbook This playbook enriches the incident with the FortiGate address object and address group for each IP. Solution
Fortinet-FortiGate-ResponseOnBlockIP Playbook This playbook allows SOC users to respond automatically to Microsoft Sentinel incidents that include IP addresses, by adding the IPs to, or removing them from, the Microsoft Sentinel IP blocked group on the FortiGate. Solution
Fortinet-FortiGate-ResponseOnBlockURL Playbook This playbook allows SOC users to respond automatically to Microsoft Sentinel incidents that include URLs, by adding the URLs to the Microsoft Sentinel URL blocked group on the FortiGate. Solution
FortiGate Workbook Gain insights into Fortigate firewalls by analyzing traffic and activities. This workbook finds correlations in Fortigate threat events and identifies suspicious ports, users, protocols and IP addresses. You can learn about trends across user and data traffic, and drill down into the Fortigate filter results. Easily detect attacks on your organization by monitoring management operations such as configuration and logins. Solution
Fortinet FortiWeb Cloud WAF-as-a-Service connector The Fortinet FortiWeb Cloud WAF-as-a-Service connector solution for Microsoft Sentinel provides an automated approach for SecOps analysts to remediate attacks at the application level by blocking suspicious IPs and URLs, and also gathers threat intelligence data for malicious IP activity. By leveraging the FortiWeb API, the connector automates these security operations tasks through Sentinel playbooks, which can dramatically reduce the window that attackers can take advantage of. For questions about FortiWeb Cloud, please contact Fortinet at azuresales@fortinet.com. Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 1, Hunting Queries: 2, Custom Azure Logic Apps Connectors: 1, Playbooks: 2 Fortiweb - WAF Allowed threat AnalyticsRule Detects WAF "Allowed" action on threat events, i.e. requests the WAF classified as a threat but let through. Solution
Fortinet FortiWeb Web Application Firewall DataConnector The FortiWeb data connector provides the capability to ingest FortiWeb threat analytics and events into Microsoft Sentinel. Solution
Fortiweb - identify owasp10 vulnerabilities HuntingQuery Solution
Fortiweb - Unexpected countries HuntingQuery Solution
FortiWebCustomConnector LogicAppsCustomConnector Solution
Fortiweb Parser Solution
FortiWeb-BlockIP-URL Playbook This playbook automates blocking of the suspicious or malicious IP and URL on FortiWeb Cloud WAF Solution
FortiWeb-enrichment Playbook This playbook adds or updates the threat intelligence and essential details in the comments section of the triggered incident so that SOC analysts can directly take corrective measures to stop the attack Solution
Fortiweb-workbook Workbook This workbook depends on the Fortiweb parser (a Kusto function deployed with the Microsoft Sentinel solution) to work as expected. Solution
Google Cloud Platform BigQuery Google Cloud Platform BigQuery is a completely serverless and cost-effective enterprise data warehouse that works across clouds and scales with your data, with BI, machine learning and AI built in. Integrating it with Microsoft Sentinel gives the ability to enrich incidents, create watchlists for close monitoring and fetch BigQuery results as part of the incident remediation process. Custom Azure Logic Apps Connectors: 1, Playbooks: 3 GCPBigQueryCustomConnector LogicAppsCustomConnector Solution
GCPBigQuery-CreateWatchlist-From-BigQueryTable Playbook This playbook can be run from incident context manually or from automation rule to create a watchlist from GCP BigQuery table data. Solution
GCPBigQuery-EnrichEntity-With-BigQueryTableData Playbook This playbook can be run from incident context manually or from automation rule to query the GCP BigQuery table and enrich the incident with query results. Query result is filtered based on provided entities. Solution
GCPBigQuery-GetQueryResults Playbook This playbook can be run from incident context manually or from automation rule to query the GCP BigQuery table and enrich the incident with results. Solution
Google Cloud Platform DNS The Google Cloud Platform DNS solution provides the capability to ingest Cloud DNS query logs and Cloud DNS audit logs into Microsoft Sentinel using the GCP Logging API. Refer to GCP Logging API documentation for more information. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor HTTP Data Collector API b. Azure Functions Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 11, Hunting Queries: 10 Google DNS - Request to dynamic DNS service AnalyticsRule Detects requests to dynamic DNS service domains. Solution
Google DNS - CVE-2020-1350 (SIGRED) exploitation pattern AnalyticsRule Detects exploitation pattern of CVE-2020-1350 (SIGRED) vulnerability. Solution
Google DNS - UNC2452 (Nobelium) APT Group activity AnalyticsRule Detects UNC2452 (Nobelium) APT Group activity. Solution
Google DNS - IP check activity AnalyticsRule Detects requests to ip lookup resources. Solution
Google DNS - Exchange online autodiscover abuse AnalyticsRule Detects possible Exchange online autodiscover abuse. Solution
Google DNS - CVE-2021-40444 exploitation AnalyticsRule Detects CVE-2021-40444 exploitation. Solution
Google DNS - Possible data exfiltration AnalyticsRule Detects possible data exfiltration. Solution
Google DNS - Malicous Python packages AnalyticsRule Detects requests to resources with malicious Python packages. Solution
Google DNS - Multiple errors for source AnalyticsRule Detects multiple errors for the same source IP address. Solution
Google DNS - Multiple errors to same domain AnalyticsRule Detects multiple errors to same domain. Solution
Google DNS - CVE-2021-34527 (PrintNightmare) external exploit AnalyticsRule Detects CVE-2021-34527 (PrintNightmare) external exploit Solution
Google Cloud Platform DNS (using Azure Functions) DataConnector The Google Cloud Platform DNS data connector provides the capability to ingest Cloud DNS query logs and Cloud DNS audit logs into Microsoft Sentinel using the GCP Logging API. Refer to GCP Logging API documentation for more information. Solution
Google DNS - Unexpected top level domains HuntingQuery Solution
Google DNS - Unusual top level domains HuntingQuery Solution
Google DNS - Server latency HuntingQuery Solution
Google DNS - Rare domains HuntingQuery Solution
Google DNS - Requests to TOR resources HuntingQuery Solution
Google DNS - Errors HuntingQuery Solution
Google DNS - Requests to IP lookup resources HuntingQuery Solution
Google DNS - Domains with rare errors HuntingQuery Solution
Google DNS - Sources with high number of errors HuntingQuery Solution
Google DNS - Requests to online shares HuntingQuery Solution
GCPCloudDNS Parser Solution
Google Cloud Platform DNS Workbook Visualizes the Cloud DNS query and audit logs ingested by this solution's data connector over a selectable time range. Solution
Google Cloud Platform IAM The Google Cloud Platform Identity and Access Management (IAM) solution provides the capability to ingest GCP IAM logs into Microsoft Sentinel using the GCP Logging API. Refer to GCP Logging API documentation for more information. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor HTTP Data Collector API b. Azure Functions Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10, Custom Azure Logic Apps Connectors: 1, Playbooks: 3 GCP IAM - Disable Data Access Logging AnalyticsRule Detects when Data Access Logging is disabled. Solution
GCP IAM - Publicly exposed storage bucket AnalyticsRule Detects possible misconfiguration for bucket policy making it publicly available. Solution
GCP IAM - Service Account Enumeration AnalyticsRule Detects possible service account enumeration. Solution
GCP IAM - Privileges Enumeration AnalyticsRule Detects possible privileges enumeration. Solution
GCP IAM - Service Account Keys Enumeration AnalyticsRule Detects possible service account keys enumeration. Solution
GCP IAM - New Authentication Token for Service Account AnalyticsRule Detects when new authentication token is created for service account. Solution
GCP IAM - High privileged role added to service account AnalyticsRule Detects when high privileged role was added to service account. Solution
GCP IAM - Empty user agent AnalyticsRule Detects requests where user agent is empty. Solution
GCP IAM - New Service Account AnalyticsRule Detects new service account creation. Solution
GCP IAM - New Service Account Key AnalyticsRule Detects new service account key creation. Solution
Google Cloud Platform IAM (using Azure Functions) DataConnector The Google Cloud Platform Identity and Access Management (IAM) data connector provides the capability to ingest GCP IAM logs into Microsoft Sentinel using the GCP Logging API. Refer to GCP Logging API documentation for more information. Solution
GCP IAM - Changed roles HuntingQuery Solution
GCP IAM - Top service accounts by failed actions HuntingQuery Solution
GCP IAM - Top source IP addresses with failed actions HuntingQuery Solution
GCP IAM - New service account keys HuntingQuery Solution
GCP IAM - New service accounts HuntingQuery Solution
GCP IAM - Rare IAM actions HuntingQuery Solution
GCP IAM - Deleted service accounts HuntingQuery Solution
GCP IAM - New custom roles HuntingQuery Solution
GCP IAM - Rare user agent HuntingQuery Solution
GCP IAM - Disabled service accounts HuntingQuery Solution
LogicAppsCustomConnector Solution
GoogleCloudPlatformIAM Data Parser Parser Solution
GCP-DisableServiceAccountFromTeams Playbook When a new sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Sends an adaptive card to the Teams channel where the analyst can choose an action to be taken. 2. Disables Service Account depending on the action chosen in the adaptive card. 3. Changes incident status and severity depending on the action chosen in the adaptive card. 4. Adds comment to the incident with information about the actions taken. Solution
GCP-DisableServiceAccountKey Playbook Once a new sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Disables Service Account Key by the gcp_project_id, gcp_service_account and gcp_service_acc_key, provided in the alert custom entities. 2. Adds comment to the incident. Solution
GCP-EnrichServiseAccountInfo Playbook Once a new sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Gets service Account Information by the gcp_project_id and gcp_service_account, provided in the alert custom entities. 2. Enriches the incident with the obtained info. Solution
Google Cloud Platform IAM Workbook Sets the time name for analysis Solution
Google Cloud Platform Cloud Monitoring The Google Cloud Platform Cloud Monitoring data connector provides the capability to ingest GCP Monitoring metrics into Microsoft Sentinel using the GCP Monitoring API. Refer to GCP Monitoring API documentation for more information. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor HTTP Data Collector API; b. Azure Functions. Data Connectors: 1, Parsers: 1 Google Cloud Platform Cloud Monitoring (using Azure Functions) DataConnector The Google Cloud Platform Cloud Monitoring data connector provides the capability to ingest GCP Monitoring metrics into Microsoft Sentinel using the GCP Monitoring API. Refer to GCP Monitoring API documentation for more information. Solution
Google Cloud Platform Cloud Monitoring Data Parser Parser Solution
Gitlab The GitLab solution allows you to easily connect your GitLab (GitLab Enterprise Edition - Standalone) logs into Microsoft Sentinel. This gives you more security insight into your organization's DevOps pipelines. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Agent-based log collection (Syslog). Data Connectors: 1, Parsers: 3, Analytic Rules: 9 GitLab - User Impersonation AnalyticsRule This queries GitLab Audit Logs for user impersonation. A malicious operator or a compromised admin account could leverage the impersonation feature of GitLab to change code or repository settings, bypassing the usual processes. This hunting query allows you to track the audit actions done under impersonation. Solution
GitLab - Brute-force Attempts AnalyticsRule This query relies on GitLab Application Logs to get failed logins to highlight brute-force attempts from different IP addresses in a short space of time. Solution
GitLab - Abnormal number of repositories deleted AnalyticsRule This hunting query identifies an unusual increase in repository deletion activity; adversaries may want to disrupt availability or compromise integrity by deleting business data. Solution
GitLab - Personal Access Tokens creation over time AnalyticsRule This queries GitLab Audit Logs for access tokens. An attacker can exfiltrate data from your GitLab repository after gaining access to it by generating or hijacking access tokens. This hunting query allows you to track personal access token creation for each of your repositories. The visualization allows you to quickly identify anomalies or excessive creation, so you can further investigate repository access and permissions. Solution
GitLab - SSO - Sign-Ins Burst AnalyticsRule This query relies on Azure Active Directory sign-in activity when Azure AD is used for SSO with GitLab to highlight GitLab accounts associated with multiple authentications from different geographical locations in a short space of time. Solution
GitLab - TI - Connection from Malicious IP AnalyticsRule This query correlates Threat Intelligence data from Sentinel with GitLab NGINX Access Logs (available in GitLab CE as well) to identify access from potentially TI-flagged IPs. Solution
GitLab - Repository visibility to Public AnalyticsRule This query leverages GitLab Audit Logs. A repository in GitLab changed visibility from Private or Internal to Public which could indicate compromise, error or misconfiguration leading to exposing the repository to the public. Solution
GitLab - External User Added to GitLab AnalyticsRule This queries GitLab Application logs to list external user accounts (i.e.: account not in allow-listed domains) which have been added to GitLab users. Solution
GitLab - Local Auth - No MFA AnalyticsRule This query checks GitLab Audit Logs to see if a user authenticated without MFA. It might mean that MFA was disabled for the GitLab server or that an external authentication provider was bypassed. This rule focuses on 'admin' privileges, but the parameter can be adapted to also include all users. Solution
GitLab DataConnector The GitLab connector allows you to easily connect your GitLab (GitLab Enterprise Edition - Standalone) logs with Microsoft Sentinel. This gives you more security insight into your organization's DevOps pipelines. Solution
GitLabAccess Parser Solution
GitLabApp Parser Solution
GitLabAudit Parser Solution
Google ApigeeX The Google ApigeeX solution provides the capability to ingest ApigeeX audit logs into Azure Sentinel using the GCP Logging API. Refer to GCP Logging API documentation for more information. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor HTTP Data Collector API; b. Azure Functions. Data Connectors: 1, Parsers: 1 Google ApigeeX (using Azure Functions) DataConnector The Google ApigeeX data connector provides the capability to ingest ApigeeX audit logs into Microsoft Sentinel using the GCP Logging API. Refer to GCP Logging API documentation for more information. Solution
ApigeeX Parser Solution
Google Workspace Reports The Google Workspace solution for Microsoft Sentinel enables you to ingest Google Workspace Activity events into Microsoft Sentinel. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor HTTP Data Collector API; b. Azure Functions. Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 12 GWorkspace - Admin permissions granted AnalyticsRule Triggers on admin permissions granted. Solution
GWorkspace - Multiple user agents for single source AnalyticsRule Detects requests with different user agents from one source in short timeframe. Solution
GWorkspace - Possible brute force attack AnalyticsRule Detects possible brute force attack. Solution
GWorkspace - User access has been changed AnalyticsRule Detects user access change. Solution
GWorkspace - Unexpected OS update AnalyticsRule Detects unexpected OS update. Solution
GWorkspace - API Access Granted AnalyticsRule Triggers when API Access has been granted to a new client. Solution
GWorkspace - Two-step authentification disabled for a user AnalyticsRule Triggers when two-step authentication is disabled for a user. Solution
GWorkspace - Possible maldoc file name in Google drive AnalyticsRule Detects possible maldoc file name in Google drive. Solution
GWorkspace - Alert events AnalyticsRule Detects alert events. Solution
GWorkspace - An Outbound Relay has been added to a G Suite Domain AnalyticsRule Detects outbound relays may be added to collect email. Solution
Google Workspace (G Suite) (using Azure Functions) DataConnector The Google Workspace data connector provides the capability to ingest Google Workspace Activity events into Microsoft Sentinel through the REST API. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems, track who signs in and when, analyze administrator activity, understand how users create and share content, and more review events in your org. Solution
GWorkspace - Document shared externally HuntingQuery Solution
GWorkspace - Unknown login type HuntingQuery Solution
GWorkspace - Rare document types by users HuntingQuery Solution
GWorkspace - Users with several devices HuntingQuery Solution
GWorkspace - User reported calendar invite as spam HuntingQuery Solution
GWorkspace - Uncommon user agent strings HuntingQuery Solution
GWorkspace - Suspended users HuntingQuery Solution
GWorkspace - Possible SCAM/SPAM or Phishing via Calendar HuntingQuery Solution
GWorkspace - Shared private document HuntingQuery Solution
GWorkspace - Multi IP addresses by user HuntingQuery Solution
GWorkspace - Document shared publicy with link HuntingQuery Solution
GWorkspace - Document shared publicy in web HuntingQuery Solution
GWorkspaceActivityReports Parser Solution
GoogleWorkspaceReports Workbook Sets the time name for analysis Solution
Illumio Core The Illumio Core solution allows you to ingest Illumio Core logs into Microsoft Sentinel. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: Agent-based log collection (CEF over Syslog). Data Connectors: 1, Parsers: 1 Illumio Core DataConnector The Illumio Core data connector provides the capability to ingest Illumio Core logs into Microsoft Sentinel. Solution
IllumioCoreEvent Parser Solution
Imperva WAF Cloud Imperva Cloud WAF offers the industry's leading web application security firewall, providing enterprise-class protection against the most sophisticated security threats. As a cloud-based WAF, it ensures that your website is always protected against any type of application layer hacking attempt. Imperva Cloud WAF is a key component of Imperva's market-leading, full stack application security solution which brings defence-in-depth to a new level. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor HTTP Data Collector API; b. Azure Functions. Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10 Imperva - Request to unexpected destination port AnalyticsRule Detects request attempts to unexpected destination ports. Solution
Imperva - Malicious Client AnalyticsRule Detects connections from known malicious clients. Solution
Imperva - Abnormal protocol usage AnalyticsRule Detects abnormal protocol usage. Solution
Imperva - Request from unexpected IP address to admin panel AnalyticsRule Detects requests from unexpected IP addresses to admin panel. Solution
Imperva - Critical severity event not blocked AnalyticsRule Detects when critical severity event was not blocked. Solution
Imperva - Multiple user agents from same source AnalyticsRule Detects suspicious number of user agents from the same IP address. Solution
Imperva - Request from unexpected countries AnalyticsRule Detects request attempts from unexpected countries. Solution
Imperva - Possible command injection AnalyticsRule Detects requests with commands in URI. Solution
Imperva - Forbidden HTTP request method in request AnalyticsRule Detects connections with unexpected HTTP request method. Solution
Imperva - Malicious user agent AnalyticsRule Detects requests containing known malicious user agent strings. Solution
Imperva Cloud WAF (using Azure Functions) DataConnector The Imperva Cloud WAF data connector provides the capability to integrate and ingest Web Application Firewall events into Microsoft Sentinel through the REST API. Refer to Log integration documentation for more information. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more. Solution
Imperva - Non HTTP/HTTPs applications HuntingQuery Solution
Imperva - Rare applications HuntingQuery Solution
Imperva - Rare client applications HuntingQuery Solution
Imperva - request from known bots HuntingQuery Solution
Imperva - Applications with insecure web protocol version HuntingQuery Solution
Imperva - Top applications with error requests HuntingQuery Solution
Imperva - Top sources with error requests HuntingQuery Solution
Imperva - Top destinations with blocked requests HuntingQuery Solution
Imperva - Rare destination ports HuntingQuery Solution
Imperva - Top sources with blocked requests HuntingQuery Solution
ImpervaCloudWAF Data Parser Parser Solution
Imperva WAF Cloud Overview Workbook Sets the time name for analysis. Solution
Infoblox NIOS The Infoblox Network Identity Operating System (NIOS) solution for Microsoft Sentinel enables you to easily connect your Infoblox NIOS logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Agent-based log collection (Syslog). Data Connectors: 1, Parsers: 22, Workbooks: 1, Analytic Rules: 2, Watchlists: 1 Potential DHCP Starvation Attack AnalyticsRule This creates an incident in the event that an excessive number of DHCPREQUEST messages has been received by a DHCP Server, which could potentially be an indication of a DHCP Starvation Attack. Solution
Excessive NXDOMAIN DNS Queries AnalyticsRule This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. Solution
Infoblox NIOS DataConnector The Infoblox Network Identity Operating System (NIOS) connector allows you to easily connect your Infoblox NIOS logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. Solution
Infoblox Parser Solution
Infoblox_allotherdhcpdTypes Parser Solution
Infoblox_allotherdnsTypes Parser Solution
Infoblox_allotherlogTypes Parser Solution
Infoblox_dhcpack Parser Solution
Infoblox_dhcpadded Parser Solution
Infoblox_dhcpbindupdate Parser Solution
Infoblox_dhcpdiscover Parser Solution
Infoblox_dhcpexpire Parser Solution
Infoblox_dhcpinform Parser Solution
Infoblox_dhcpoffer Parser Solution
Infoblox_dhcpoption Parser Solution
Infoblox_dhcpother Parser Solution
Infoblox_dhcprelease Parser Solution
Infoblox_dhcpremoved Parser Solution
Infoblox_dhcprequest Parser Solution
Infoblox_dhcpsession Parser Solution
Infoblox_dhcp_consolidated Parser Solution
Infoblox_dnsclient Parser Solution
Infoblox_dnsgss Parser Solution
Infoblox_dnszone Parser Solution
Infoblox_dns_consolidated Parser Solution
Infoblox NIOS Workbook Gain insight into Infoblox NIOS by analyzing, collecting and correlating DHCP and DNS data. This workbook provides visibility into DHCP and DNS traffic Solution
Microsoft Purview Insider Risk Management This solution enables insider risk management teams to investigate risk-based behavior across 25+ Microsoft products. This solution is a better-together story between Microsoft Sentinel and Microsoft Purview Insider Risk Management. The solution includes the Insider Risk Management Workbook, (5) Hunting Queries, (1) Data Connector, (5) Analytics Rules, (1) Playbook automation and the Microsoft Purview Insider Risk Management connector. While only Microsoft Sentinel is required to get started, the solution is enhanced with numerous Microsoft offerings, including, but not limited to: Microsoft Purview Insider Risk Management, Microsoft Purview Communications Compliance, Microsoft Purview Advanced eDiscovery, Microsoft Purview Defender, Microsoft Information Protection, Azure Active Directory, Microsoft Defender for Cloud, Microsoft Sentinel Notebooks (Bring Your Own Machine Learning), Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, Microsoft Defender for Office 365. Microsoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step. Data Connectors: 1, Workbooks: 1, Analytic Rules: 5, Hunting Queries: 5, Playbooks: 1 Insider Risk_Risky User Access By Application AnalyticsRule This alert evaluates Azure Active Directory Sign in risk via Machine Learning correlations in the basket operator. The basket threshold is adjustable, and the default is set to .01. There is an optional configuration to configure the percentage rates. The correlations are designed to leverage machine learning to identify patterns of risky user application access. There is an option for configuration of correlations against Microsoft Sentinel watchlists. For more information, see Tutorial: Use risk detections for user sign-ins to trigger Azure AD Multi-Factor Authentication or password changes Solution
Insider Risk_High User Security Incidents Correlation AnalyticsRule This alert joins SecurityAlerts to SecurityIncidents to associate Security Alerts and Incidents with user accounts. This aligns all Microsoft Alerting Products with Microsoft Incident Generating Products (Microsoft Sentinel, M365 Defender) for a count of user security incidents over time. The default threshold is 5 security incidents, and this is customizable per the organization's requirements. Results include UserPrincipalName (UPN), SecurityIncident, LastIncident, ProductName, LastObservedTime, and Previous Incidents. There is an option for configuration of correlations against Microsoft Sentinel watchlists. For more information, see Investigate incidents with Microsoft Sentinel. Solution
Insider Risk_Microsoft Purview Insider Risk Management Alert Observed AnalyticsRule This alert is triggered when a Microsoft Purview Insider Risk Management alert is received in Microsoft Sentinel via the Microsoft Purview Insider Risk Management Connector. The alert extracts usernames from security alerts to provide UserPrincipalName, Alert Name, Reporting Product Name, Status, Alert Link, Previous Alerts Links, Time Generated. There is an option for configuration of correlations against Microsoft Sentinel watchlists. For more information, see Learn about insider risk management Solution
Insider Risk_High User Security Alert Correlations AnalyticsRule This alert joins SecurityAlerts from Microsoft Products with SecurityIncidents from Microsoft Sentinel and Microsoft 365 Defender. This join allows for identifying patterns in user principal names associated with respective security alerts. A machine learning function (Basket) is leveraged with a .001 threshold. Basket finds all frequent patterns of discrete attributes (dimensions) in the data. It returns the frequent patterns that pass the frequency threshold. This query evaluates UserPrincipalName for patterns in SecurityAlerts and Reporting Security Tools. This query can be further tuned/configured for higher confidence percentages, security products, or alert severities pending the needs of the organization. There is an option for configuration of correlations against Microsoft Sentinel watchlists. For more information on the basket plugin, see basket plugin Solution
Insider Risk_Sensitive Data Access Outside Organizational Geo-location AnalyticsRule This alert joins Azure Information Protection Logs (InformationProtectionLogs_CL) with Azure Active Directory Sign in Logs (SigninLogs) to provide a correlation of sensitive data access by geo-location. Results include User Principal Name, Label Name, Activity, City, State, Country/Region, and Time Generated. Recommended configuration is to include (or exclude) Sign in geo-locations (City, State, Country and/or Region) for trusted organizational locations. There is an option for configuration of correlations against Microsoft Sentinel watchlists. Accessing sensitive data from a new or unauthorized geo-location warrants further review. For more information see Sign-in logs in Azure Active Directory: Location Filtering Solution
Microsoft 365 Insider Risk Management DataConnector Microsoft 365 Insider Risk Management is a compliance solution in Microsoft 365 that helps minimize internal risks by enabling you to detect, investigate, and act on malicious and inadvertent activities in your organization. Risk analysts in your organization can quickly take appropriate actions to make sure users are compliant with your organization's compliance standards. Insider risk policies allow you to: - define the types of risks you want to identify and detect in your organization. - decide on what actions to take in response, including escalating cases to Microsoft Advanced eDiscovery if needed. This solution produces alerts that can be seen by Office customers in the Insider Risk Management solution in Microsoft 365 Compliance Center. Learn More about Insider Risk Management. These alerts can be imported into Microsoft Sentinel with this connector, allowing you to see, investigate, and respond to them in a broader organizational threat context. For more information, see the Microsoft Sentinel documentation. Solution
Insider Risk_ISP Anomaly to Exfil HuntingQuery Solution
Insider Risk_Possible Sabotage HuntingQuery Solution
Insider Risk_Multiple Entity-Based Anomalies HuntingQuery Solution
Insider Risk_Sign In Risk Followed By Sensitive Data Access HuntingQuery Solution
Insider Risk_Entity Anomaly Followed by IRM Alert HuntingQuery Solution
Notify-InsiderRiskTeam Playbook This playbook should be configured as an automation action with the Insider Risk Management Analytics Rules. Upon triggering an Analytic Rule, this playbook captures respective details and both emails and posts a message in a Teams chat to the Insider Risk Management team. Solution
Insider Risk Management Workbook The Microsoft Insider Risk Management Workbook integrates telemetry from 25+ Microsoft security products to provide actionable insights into insider risk management. Reporting tools provide "Go to Alert" links to provide deeper integration between products and a simplified user experience for exploring alerts. Solution
Legacy IOC based Threat Protection Microsoft Security Research, based on ongoing trends and exploits, creates content that helps identify the existence of known IOCs based on known prevalent attacks and threat actor tactics/techniques, such as Nobelium, Gallium, Solorigate, etc. This solution contains packaged content written on some legacy IOCs that have been prevalent in the past but may still be relevant. Pre-requisites: This is a domain solution and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions to unlock the value provided by this solution. 1. Squid Proxy 2. Microsoft Windows DNS 3. Cisco ASA 4. Palo Alto Networks 5. Microsoft 365 Defender 6. Azure Firewall 7. ZScaler Internet Access 8. Infoblox NIOS 9. Google Cloud Platform DNS 10. NXLog DNS 11. Cisco Umbrella 12. Corelight 13. Amazon Web Services 14. Windows Forwarded Events 15. Sysmon for Linux 16. Microsoft 365 17. Windows Security Events 18. Azure Active Directory 19. Azure Activity 20. F5 Advanced WAF 21. Fortinet FortiGate 22. Check Point 23. Common Event Format 24. Windows Firewall. Analytic Rules: 35, Hunting Queries: 10 Known Diamond Sleet Comebacker and Klackring malware hashes AnalyticsRule Diamond Sleet attacks against security researcher campaign malware hashes. Solution
Known Phosphorus group domains/IP AnalyticsRule Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/. Solution
Known Granite Typhoon domains and hashes AnalyticsRule Granite Typhoon command and control domains and hash values for tools and malware used by Granite Typhoon. Matches domain name IOCs related to the Granite Typhoon activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ Solution
Known Diamond Sleet related maldoc hash AnalyticsRule Document hash used by Diamond Sleet in highly targeted spear phishing campaign. Solution
DEV-0322 Serv-U related IOCs - July 2021 AnalyticsRule Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software. Solution
Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021 AnalyticsRule Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity. Solution
Midnight Blizzard - Domain, Hash and IP IOCs - May 2021 AnalyticsRule Identifies a match across various data feeds for domains, hashes and IP IOCs related to Midnight Blizzard. Ref: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ Solution
Possible Forest Blizzard attempted credential harvesting - Oct 2020 AnalyticsRule Surfaces potential Forest Blizzard group Office365 credential harvesting attempts within OfficeActivity Logon events. Solution
Known Barium IP AnalyticsRule Identifies a match across various data feeds for IP IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer Solution
Emerald Sleet domains included in DCU takedown AnalyticsRule Emerald Sleet spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. Matches domain name IOCs related to the Emerald Sleet activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ Solution
Known Barium domains AnalyticsRule Identifies a match across various data feeds for domains IOCs related to the Barium activity group. References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer Solution
Known Mint Sandstorm group domains/IP - October 2020 AnalyticsRule Matches IOCs related to Mint Sandstorm group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes. References: Solution
Silk Typhoon UM Service writing suspicious file AnalyticsRule This query looks for the Exchange server UM process writing suspicious files that may be indicative of webshells. Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ Solution
Known Seashell Blizzard IP AnalyticsRule Seashell Blizzard command and control IP. Identifies a match across various data feeds for IP IOCs related to the Seashell Blizzard activity group. Solution
Aqua Blizzard Actor IOCs - Feb 2022 AnalyticsRule Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as Aqua Blizzard. Solution
Known Nylon Typhoon domains and hashes AnalyticsRule IOC domains and hash values for tools and malware used by Nylon Typhoon. Matches domain name, hash IOCs and M365 Defender sigs related to the Nylon Typhoon activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes. Solution
Caramel Tsunami Actor IOC - July 2021 AnalyticsRule Identifies a match across IOC's related to an actor tracked by Microsoft as Caramel Tsunami Solution
Known Plaid Rain IP AnalyticsRule Identifies a match across various data feeds for IP IOCs related to the Plaid Rain activity group. References: BLOGURL Solution
Cadet Blizzard Actor IOC - January 2022 AnalyticsRule Identifies a match across IOC's related to an actor tracked by Microsoft as Cadet Blizzard. Reference: https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ Solution
MSHTML vulnerability CVE-2021-40444 attack AnalyticsRule This query detects attacks that exploit the CVE-2021-40444 MSHTML vulnerability using specially crafted Microsoft Office documents. The detection searches for relevant files used in the attack along with regex matches in the command line to look for a pattern similar to: ".cpl:../../msword.inf" Reference: https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/ Solution
Denim Tsunami AV Detection AnalyticsRule This query looks for Microsoft Defender AV detections related to the Denim Tsunami threat actor and the Corelump and Jumplump malware. Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ Solution
Known Manganese IP and UserAgent activity AnalyticsRule Matches IP plus UserAgent IOCs in OfficeActivity data, along with IP plus Connection string information in the CommonSecurityLog data related to Manganese group activity. References: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/ https://fortiguard.com/psirt/FG-IR-18-384 Solution
Dev-0530 IOC - July 2022 AnalyticsRule Identifies an IOC match related to the Dev-0530 actor across various data sources. Solution
Denim Tsunami File Hashes July 2022 AnalyticsRule This query looks for references to known Denim Tsunami file hashes in various logs. This query was published July 2022. Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ Solution
Solorigate Domains Found in VM Insights AnalyticsRule Identifies connections to Solorigate-related DNS records based on VM insights data Solution
Hive Ransomware IOC - July 2022 AnalyticsRule Identifies a hash match related to Hive Ransomware across various data sources. Solution
Midnight Blizzard - Domain and IP IOCs - March 2021 AnalyticsRule Identifies a match across various data feeds for domains and IP IOCs related to Midnight Blizzard. References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ Solution
SUNSPOT log file creation AnalyticsRule This query uses Microsoft Defender for Endpoint data and Windows Event Logs to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike. More details: - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807 Solution
Midnight Blizzard IOCs related to FoggyWeb backdoor AnalyticsRule Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor Midnight Blizzard. FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server. Reference: https://aka.ms/nobelium-foggy-web Solution
Known Ruby Sleet domains and hashes AnalyticsRule Ruby Sleet malicious webserver and hash values for maldocs and malware. Matches domain name IOCs related to the Ruby Sleet activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes. Solution
Tarrask malware IOC - April 2022 AnalyticsRule Identifies a hash match related to Tarrask malware across various data sources. Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/ Solution
Denim Tsunami C2 Domains July 2022 AnalyticsRule This query looks for references to known Denim Tsunami Domains in network logs. This query was published July 2022. Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ Solution
Solorigate Network Beacon AnalyticsRule Identifies a match across various data feeds for domains IOCs related to the Solorigate incident. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1 Solution
Exchange Server Vulnerabilities Disclosed March 2021 IoC Match AnalyticsRule This detection looks for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements. Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/ Solution
Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021 AnalyticsRule Identifies a match across various data feeds for IP and hash IOCs related to Windows/ELF malware published by Black Lotus Labs. References: https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders https://github.com/ManuelBerrueta/YARA-rules/blob/master/BlackLotusLabs-WSLMalware/BLL_SneakyWSL.yar Solution
SolarWinds Inventory HuntingQuery Solution
Dev-0322 File Drop Activity November 2021 HuntingQuery Solution
Dev-0322 Command Line Activity November 2021 (ASIM Version) HuntingQuery Solution
Connection from external IP to OMI related Ports HuntingQuery Solution
Dev-0322 Command Line Activity November 2021 HuntingQuery Solution
Dev-0322 File Drop Activity November 2021 (ASIM Version) HuntingQuery Solution
Retrospective hunt for Forest Blizzard IP IOCs HuntingQuery Solution
Nylon Typhoon Command Line Activity November 2021 HuntingQuery Solution
Dev-0056 Command Line Activity November 2021 HuntingQuery Solution
Known Nylon Typhoon Registry modifications patterns HuntingQuery Solution
ISC Bind The ISC Bind solution for Microsoft Sentinel allows you to ingest ISC Bind logs to get better insights into your organization's network traffic data, DNS query data, traffic statistics and improves your security operation capabilities.Underlying Microsoft Technologies used:This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:a. Agent-based log collection (Syslog)Data Connectors: 1, Parsers: 1 ISC Bind DataConnector The ISC Bind connector allows you to easily connect your ISC Bind logs with Microsoft Sentinel. This gives you more insight into your organization's network traffic data, DNS query data, traffic statistics and improves your security operation capabilities. Solution
ISCBind Parser Solution
Ivanti Unified Endpoint Management The Ivanti Unified Endpoint Management data connector provides the capability to ingest Ivanti UEM Alerts into Microsoft Sentinel.Underlying Microsoft Technologies used:This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:a. Agent-based log collection (Syslog)Data Connectors: 1, Parsers: 1 Ivanti Unified Endpoint Management DataConnector The Ivanti Unified Endpoint Management data connector provides the capability to ingest Ivanti UEM Alerts into Microsoft Sentinel. Solution
IvantiUEMEvent Parser Solution
Jboss The JBoss Enterprise Application Platform data connector provides the capability to ingest JBoss events into Microsoft Sentinel. Refer to Red Hat documentation for more information.Underlying Microsoft Technologies used:This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:a. Agent based logs collection from Windows and Linux machinesData Connectors: 1, Parsers: 1 JBoss Enterprise Application Platform DataConnector The JBoss Enterprise Application Platform data connector provides the capability to ingest JBoss events into Azure Sentinel. Refer to Red Hat documentation for more information. Solution
JBossEvent Parser Solution
Juniper IDP The Juniper IDP solution provides the capability to ingest Juniper IDP events into Microsoft Sentinel.Underlying Microsoft Technologies used:This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:a. Agent based logs collection from Windows and Linux machinesData Connectors: 1, Parsers: 1 Juniper IDP DataConnector The Juniper IDP data connector provides the capability to ingest Juniper IDP events into Microsoft Sentinel. Solution
Juniper IDP Data Parser Parser Solution
Juniper SRX The Juniper SRX solution for Microsoft Sentinel enables you to ingest Juniper SRX traffic and system logs into Microsoft Sentinel.Underlying Microsoft Technologies used:This solution is dependent on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:a. Agent-based log collection (Syslog)Data Connectors: 1, Parsers: 1 Juniper SRX DataConnector The Juniper SRX connector allows you to easily connect your Juniper SRX logs with Microsoft Sentinel. This gives you more insight into your organization's network and improves your security operation capabilities. Solution
JuniperSRX Parser Solution
Kaspersky Security Center The Kaspersky Security Center solution provides the capability to ingest Kaspersky Security Center logs into Microsoft Sentinel.Underlying Microsoft Technologies used:This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:a. Agent-based log collection (Syslog)Data Connectors: 1, Parsers: 1 Kaspersky Security Center DataConnector The Kaspersky Security Center data connector provides the capability to ingest Kaspersky Security Center logs into Microsoft Sentinel. Solution
KasperskySecurityCenter Data Parser Parser Solution
Azure Logic Apps The Azure Logic Apps solution for Microsoft Sentinel enables you to ingest Azure Logic App diagnostics logs using Diagnostic Settings into Microsoft Sentinel.Underlying Microsoft Technologies used:This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:a. Azure Monitor Resource DiagnosticsData Connectors: 1 Azure Logic Apps DataConnector Azure Logic Apps is a cloud-based platform for creating and running automated workflows that integrate your apps, data, services, and systems. This connector lets you stream your Azure Logic Apps diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity. Solution
MarkLogic Audit The MarkLogic Solution provides the capability to ingest MarkLogic Audit logs into Microsoft Sentinel. Refer to MarkLogic documentation for more information.Underlying Microsoft Technologies used:This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:a. Agent based logs collection from Windows and Linux machinesData Connectors: 1, Parsers: 1 MarkLogic Audit DataConnector MarkLogic data connector provides the capability to ingest MarkLogicAudit logs into Microsoft Sentinel. Refer to MarkLogic documentation for more information. Solution
MarkLogicAudit Parser Solution
Maturity Model For Event Log Management M2131 This solution is designed to enable Cloud Architects, Security Engineers, and Governance Risk Compliance Professionals to increase visibility before, during, and after a cybersecurity incident. The solution includes (1) workbook, (4) hunting queries, (8) analytics rules, and (3) playbooks providing a comprehensive approach to design, build, monitoring, and response in logging architectures. Information from logs on information systems (for both on-premises systems and connections hosted by third parties, such as cloud service providers (CSPs)) is invaluable in the detection, investigation, and remediation of cyber threats. Executive Order 14028, Improving the Nation's Cybersecurity, directs decisive action to improve the Federal Government's investigative and remediation capabilities. The M-21-31 memorandum was developed in accordance with and addresses the requirements in section 8 of the Executive Order for logging, log retention, and log management, with a focus on ensuring centralized access and visibility for the highest-level enterprise security operations center (SOC) of each agency. In addition, the memorandum establishes requirements for agencies to increase the sharing of such information, as needed and appropriate, to accelerate incident response efforts and to enable more effective defense of Federal information and executive branch departments and agencies. For more information, see Improving the Federal Government's Investigative and Remediation Capabilities Related to Cybersecurity Incidents (M-21-31).Workbooks: 1, Analytic Rules: 8, Hunting Queries: 4, Playbooks: 3 M2131_EventLogManagementPostureChanged_EL1 AnalyticsRule This alert is designed to monitor Azure policies aligned with the Maturity Model for Event Log Management (M-21-31) standard. The alert triggers when EL1 policy compliance falls below 70% within a 1 week timeframe. Solution
M2131_EventLogManagementPostureChanged_EL0 AnalyticsRule This alert is designed to monitor Azure policies aligned with the Maturity Model for Event Log Management (M-21-31) standard. The alert triggers when EL0 policy compliance falls below 70% within a 1 week timeframe. Solution
M2131_AssetStoppedLogging AnalyticsRule This alert is designed to monitor assets within the Maturity Model for Event Log Management (M-21-31) standard. The alert triggers when a monitored asset fails to provide a heartbeat within 24 hours. Solution
M2131_EventLogManagementPostureChanged_EL3 AnalyticsRule This alert is designed to monitor Azure policies aligned with the Maturity Model for Event Log Management (M-21-31) standard. The alert triggers when EL3 policy compliance falls below 70% within a 1 week timeframe. Solution
M2131_LogRetentionLessThan1Year AnalyticsRule This alert is designed to monitor log retention within the Maturity Model for Event Log Management (M-21-31) standard. The alert triggers when a Log Analytics workspace's active (interactive) retention is configured for less than 1 year. Solution
M2131_RecommendedDatatableUnhealthy AnalyticsRule This alert is designed to monitor recommended data tables aligned to the Maturity Model for Event Log Management (M-21-31) standard. The alert triggers when a recommended data table hasn't been observed in over 48 hours. Solution
M2131_EventLogManagementPostureChanged_EL2 AnalyticsRule This alert is designed to monitor Azure policies aligned with the Maturity Model for Event Log Management (M-21-31) standard. The alert triggers when EL2 policy compliance falls below 70% within a 1 week timeframe. Solution
M2131_DataConnectorAddedChangedRemoved AnalyticsRule This alert is designed to monitor data connector configurations. This alert is triggered when a data connector is added, updated, or deleted. Solution
M2131_RecommendedDatatableNotLogged_EL2 HuntingQuery Solution
M2131_RecommendedDatatableNotLogged_EL3 HuntingQuery Solution
M2131_RecommendedDatatableNotLogged_EL0 HuntingQuery Solution
M2131_RecommendedDatatableNotLogged_EL1 HuntingQuery Solution
Notify-LogManagementTeam Playbook This Security Orchestration, Automation, & Response (SOAR) capability is designed for configuration with the solution's analytics rules. When an analytics rule triggers, this automation notifies the log management team of the respective details via Teams chat and Exchange email. This removes the need to manually monitor the workbook or analytics rules and shortens response times. Solution
Create-AzureDevOpsTask Playbook This playbook will create the Azure DevOps task filled with the Microsoft Sentinel incident details. Solution
Create Jira Issue Playbook This playbook will open a Jira Issue when a new incident is opened in Microsoft Sentinel. Solution
MaturityModelForEventLogManagementM2131 Workbook Select the time range for this Overview. Solution
McAfee ePolicy Orchestrator The McAfee ePO solution provides the capability to ingest McAfee ePO events into Microsoft Sentinel through syslog. Refer to documentation for more information.Underlying Microsoft Technologies used:This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:a. Agent-based log collection (Syslog)Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 14, Hunting Queries: 10 McAfee ePO - Logging error occurred AnalyticsRule Detects logging errors on an agent. Solution
McAfee ePO - Deployment failed AnalyticsRule Detects errors that occur during deployment of new changes/policies. Solution
McAfee ePO - Error sending alert AnalyticsRule Detects when an error occurs while sending an alert. Solution
McAfee ePO - Attempt uninstall McAfee agent AnalyticsRule Detects attempts to uninstall the McAfee agent on a host. Solution
McAfee ePO - Agent Handler down AnalyticsRule Detects when the Agent Handler is down. Solution
McAfee ePO - Task error AnalyticsRule Detects when a task error occurs. Solution
McAfee ePO - Update failed AnalyticsRule Detects when an update-failed event occurs on an agent. Solution
McAfee ePO - Scanning engine disabled AnalyticsRule Detects when the on-access scan (OAS) engine was disabled. Solution
McAfee ePO - Threat was not blocked AnalyticsRule Detects when a threat was not blocked on a host. Solution
McAfee ePO - Unable to clean or delete infected file AnalyticsRule Detects when McAfee failed to clean or delete an infected file. Solution
McAfee ePO - File added to exceptions AnalyticsRule Detects when a file was added to the exception list on a host. Solution
McAfee ePO - Firewall disabled AnalyticsRule Detects when the firewall was disabled from McTray. Solution
McAfee ePO - Multiple threats on same host AnalyticsRule Rule fires when multiple threat events were detected on the same host. Solution
McAfee ePO - Spam Email detected AnalyticsRule Detects when an email was marked as spam. Solution
McAfee ePolicy Orchestrator (ePO) DataConnector The McAfee ePolicy Orchestrator data connector provides the capability to ingest McAfee ePO events into Microsoft Sentinel through syslog. Refer to documentation for more information. Solution
McAfee ePO - Sources with multiple threats HuntingQuery Solution
McAfee ePO - Infected Systems HuntingQuery Solution
McAfee ePO - Objects not scanned HuntingQuery Solution
McAfee ePO - Threats detected and not blocked, cleaned or deleted HuntingQuery Solution
McAfee ePO - Email Treats HuntingQuery Solution
McAfee ePO - Scan Errors HuntingQuery Solution
McAfee ePO - Long term infected systems HuntingQuery Solution
McAfee ePO - Agent Errors HuntingQuery Solution
McAfee ePO - Applications blocked or contained HuntingQuery Solution
McAfee ePO - Infected files by source HuntingQuery Solution
McAfeeePO Data Parser Parser Solution
McAfee ePolicy Orchestrator Workbook Sets the time name for analysis Solution
McAfee Network Security Platform The McAfee Network Security Platform data connector provides the capability to ingest McAfee Network Security Platform events into Microsoft Sentinel. Refer to McAfee Network Security Platform for more information.Underlying Microsoft Technologies used:This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:a. Agent-based log collection (Syslog)Data Connectors: 1, Parsers: 1 McAfee Network Security Platform DataConnector The McAfee® Network Security Platform data connector provides the capability to ingest McAfee® Network Security Platform events into Microsoft Sentinel. Refer to McAfee® Network Security Platform for more information. Solution
McAfee Network Security Platform Data Parser Parser Solution
Microsoft Defender for Identity The Microsoft Defender for Identity solution for Microsoft Sentinel allows you to ingest security alerts reported in the Microsoft Defender for Identity platform to get better insights into the identity posture of your organization's Active Directory environment.Underlying Microsoft Technologies used:This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:a. Azure Monitor HTTP Data Collector APIData Connectors: 1 Microsoft Defender for Identity DataConnector Connect Microsoft Defender for Identity to gain visibility into the events and user analytics. Microsoft Defender for Identity identifies, detects, and helps you investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. Microsoft Defender for Identity enables SecOps analysts and security professionals struggling to detect advanced attacks in hybrid environments to: - Monitor users, entity behavior, and activities with learning-based analytics - Protect user identities and credentials stored in Active Directory - Identify and investigate suspicious user activities and advanced attacks throughout the kill chain - Provide clear incident information on a simple timeline for fast triage For more information, see the Microsoft Sentinel documentation. Solution
Microsoft 365 Defender The Microsoft 365 Defender solution for Microsoft Sentinel enables you to ingest Security Alerts/Incidents and raw logs from the products within the Microsoft 365 Defender suite into Microsoft Sentinel.Additional Hunting Queries to support proactive and reactive hunting for the Microsoft 365 Defender solution can be found on GitHub. This repository has a collection of queries developed by Microsoft Security Research and Microsoft Sentinel community contributions.Underlying Microsoft Technologies used:This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:a. Azure Monitor HTTP Data Collector APIData Connectors: 1, Workbooks: 1, Analytic Rules: 8, Hunting Queries: 4 AV detections related to Tarrask malware AnalyticsRule This query looks for Microsoft Defender AV detections related to Tarrask malware. In Microsoft Sentinel, the SecurityAlert table includes only the Device Name of the affected device, so this query joins the DeviceInfo table to connect other information such as device group, IP, logged-on users etc. This gives the Microsoft Sentinel analyst more context related to the alert, if available. Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/ Solution
Potential Build Process Compromise - MDE AnalyticsRule The query looks for source code files being modified immediately after a build process is started. The purpose is to look for malicious code injection during the build process. This query uses Microsoft Defender for Endpoint telemetry. More details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463 Solution
AV detections related to SpringShell Vulnerability AnalyticsRule This query looks for Microsoft Defender AV detections related to the SpringShell vulnerability. In Microsoft Sentinel, the SecurityAlert table includes only the Device Name of the affected device, so this query joins the DeviceInfo table to connect other information such as device group, IP, logged-on users, etc. This gives the Microsoft Sentinel analyst more context related to the alert, if available. Reference: https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/ Solution
SUNSPOT malware hashes AnalyticsRule This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike. More details: - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807 Solution
Possible Phishing with CSL and Network Sessions AnalyticsRule This query looks for malicious URL clicks in phishing email recognized by MDO, correlated with CommonSecurityLog (CSL) and NetworkSession events. If your workspace doesn't have one of the many data sources required for ASIM it may give an informational error which can be safely ignored. Solution
TEARDROP memory-only dropper AnalyticsRule Identifies SolarWinds TEARDROP memory-only dropper IOCs in Windows Defender Exploit Guard activity References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html - https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f Solution
SUNBURST and SUPERNOVA backdoor hashes AnalyticsRule Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html - https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f Solution
AV detections related to Ukraine threats AnalyticsRule This query looks for Microsoft Defender AV detections for malware observed in relation to the war in Ukraine. Ref: https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/ Solution
SUNBURST network beacons AnalyticsRule Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html - https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f Solution
Microsoft 365 Defender DataConnector Microsoft 365 Defender is a unified, natively integrated, pre- and post-breach enterprise defense suite that protects endpoint, identity, email, and applications and helps you detect, prevent, investigate, and automatically respond to sophisticated threats. Microsoft 365 Defender suite includes: - Microsoft Defender for Endpoint - Microsoft Defender for Identity - Microsoft Defender for Office 365 - Threat & Vulnerability Management - Microsoft Defender for Cloud Apps For more information, see the Microsoft Sentinel documentation. Solution
Spoofing attempts from Specific Domains HuntingQuery Solution
Determine Successfully Delivered Phishing Emails to Inbox/Junk folder. HuntingQuery Solution
Determine Successfully Delivered Phishing Emails by top IP Addresses HuntingQuery Solution
Appspot Phishing Abuse HuntingQuery Solution
Microsoft 365 Defender MDOWorkbook Workbook Gain extensive insight into your organization's Microsoft Defender for Office Activity by analyzing, and correlating events. You can track malware and phishing detection over time. Solution
Microsoft Defender For EndPoint Workbook A workbook providing an overview and analysis of Microsoft Defender for Endpoint advanced hunting data brought in through the Microsoft 365 Defender connector. Solution
Microsoft Defender For Identity Workbook Use this workbook to analyse the advanced hunting data ingested for Defender for Identity. Solution
Microsoft Defender for Cloud Apps The Microsoft Defender for Cloud Apps solution for Microsoft Sentinel enables you to ingest security alerts and discovery logs from the Defender for Cloud Apps platform, providing visibility into threats in your cloud app environment, including coverage for shadow IT, impossible travel, ransomware, and data exfiltration use cases.Data Connectors: 1, Workbooks: 1, Analytic Rules: 1 Linked Malicious Storage Artifacts AnalyticsRule This query identifies the additional files uploaded by the same IP address which triggered a malware alert for malicious content upload on Azure Blob or File Storage Container. Solution
Microsoft Defender for Cloud Apps DataConnector By connecting with Microsoft Defender for Cloud Apps you will gain visibility into your cloud apps, get sophisticated analytics to identify and combat cyberthreats, and control how your data travels. - Identify shadow IT cloud apps on your network. - Control and limit access based on conditions and session context. - Use built-in or custom policies for data sharing and data loss prevention. - Identify high-risk use and get alerts for unusual user activities with Microsoft behavioral analytics and anomaly detection capabilities, including ransomware activity, impossible travel, suspicious email forwarding rules, and mass download of files. Solution
Microsoft Cloud App Security - discovery logs Workbook Using this workbook, you can identify which cloud apps are being used in your organization, gain insights from usage trends and drill down to a specific user and application Solution
Microsoft Defender for Endpoint The Microsoft Defender for Endpoint solution for Microsoft Sentinel enables you to ingest security alerts from the Defender for Endpoint platform, integrating them into your Sentinel Incidents queue.Underlying Microsoft Technologies used:This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:a. Codeless Connector Platform/Native Sentinel PollingData Connectors: 1, Parsers: 2, Analytic Rules: 1, Hunting Queries: 2, Playbooks: 16 Aqua Blizzard AV hits - Feb 2022 AnalyticsRule Identifies a match in the Security Alert table for MDATP hits related to the Aqua Blizzard actor Solution
Microsoft Defender for Endpoint DataConnector Microsoft Defender for Endpoint is a security platform designed to prevent, detect, investigate, and respond to advanced threats. The platform creates alerts when suspicious security events are seen in an organization. Fetch alerts generated in Microsoft Defender for Endpoint to Microsoft Sentinel so that you can effectively analyze security events. You can create rules, build dashboards and author playbooks for immediate response. For more information, see the Microsoft Sentinel documentation. Solution
SUNBURST suspicious SolarWinds child processes HuntingQuery Solution
AssignedIPAddress Parser Solution
Devicefromip Parser Solution
Isolate MDE Machine using entity trigger Playbook This playbook will isolate Microsoft Defender for Endpoint (MDE) device using entity trigger. Solution
Isolate MDE Machine - Alert Triggered Playbook This playbook will isolate (full) the machine in Microsoft Defender for Endpoint. Solution
Isolate endpoint - MDE - Incident Triggered Playbook This playbook will isolate (full) the machine in Microsoft Defender for Endpoint. Solution
Restrict MDE App Execution - Alert Triggered Playbook This playbook will restrict app execution on the machine in Microsoft Defender for Endpoint. Solution
Restrict MDE App Execution - Incident Triggered Playbook This playbook will restrict app execution on the machine in Microsoft Defender for Endpoint. Solution
Restrict MDE Domain - Alert Triggered Playbook This playbook will take DNS entities and generate alert and block threat indicators for each domain in Microsoft Defender for Endpoint for 90 days. Solution
Restrict MDE Domain - Entity Triggered Playbook This playbook will take the triggering entity and generate an alert and block threat indicator for the domain in MDE for 90 days. Solution
Restrict MDE Domain - Incident Triggered Playbook This playbook will take DNS entities and generate alert and block threat indicators for each domain in Microsoft Defender for Endpoint for 90 days. Solution
Restrict MDE FileHash - Alert Triggered Playbook This playbook will take FileHash entities and generate alert and block threat indicators for each file hash in MDE for 90 days. Solution
Restrict MDE FileHash - Entity Triggered Playbook This playbook will take the triggering FileHash entity and generate an alert and block threat indicator for the file hash in MDE for 90 days. Solution
Restrict MDE FileHash - Incident Triggered Playbook This playbook will take FileHash entities and generate alert and block threat indicators for each file hash in MDE for 90 days. Solution
Restrict MDE Ip Address - Alert Triggered Playbook This playbook will take IP entities and generate alert and block threat indicators for each IP in MDE for 90 days. Solution
Restrict MDE Ip Address - Entity Triggered Playbook This playbook takes the triggering IP entity and creates an alert-and-block threat indicator for that IP in MDE, valid for 90 days. Solution
Restrict MDE Ip Address - Incident Triggered Playbook This playbook will take IP entities and generate alert and block threat indicators for each IP in MDE for 90 days. Solution
Restrict MDE Url - Alert Triggered Playbook This playbook takes the URL entities and creates an alert-and-block threat indicator for each URL in MDE, valid for 90 days. Solution
Restrict MDE URL - Entity Triggered Playbook This playbook takes the triggering entity and creates an alert-and-block threat indicator for the URL in MDE, valid for 90 days. Solution
Restrict MDE Url - Incident Triggered Playbook This playbook takes the URL entities and creates an alert-and-block threat indicator for each URL in MDE, valid for 90 days. Solution
Run MDE Antivirus - Alert Triggered Playbook This playbook runs a full antivirus scan on the machine in Microsoft Defender for Endpoint. Solution
Run MDE Antivirus - Incident Triggered Playbook This playbook runs a full antivirus scan on the machine in Microsoft Defender for Endpoint. Solution
Unisolate MDE Machine using entity trigger Playbook This playbook releases a device from isolation in Microsoft Defender for Endpoint (MDE) using the entity trigger. Solution
Unisolate MDE Machine - Alert Triggered Playbook This playbook will release a machine from isolation in Microsoft Defender for Endpoint. Solution
Unisolate MDE Machine - Incident Triggered Playbook This playbook will release a machine from isolation in Microsoft Defender for Endpoint. Solution
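The Restrict MDE * playbooks above all do the same thing for different entity types: turn each incident entity into a Defender for Endpoint custom indicator with the AlertAndBlock action and a 90-day expiry. The following is an added example, not one of the solution's Logic Apps playbooks, showing that mapping in Python with the validation a Logic App silently skips: hash length decides FileMd5/FileSha1/FileSha256, malformed IPs and hashes are rejected rather than submitted, and repeated entities produce one indicator. The field names follow the public Indicators API (POST https://api.securitycenter.microsoft.com/api/indicators); the entity tuples, the incident number and the fixed clock are constructed for the example, and actually sending the payload (with an app-registration bearer token) is left to the caller.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

INDICATORS_URL = "https://api.securitycenter.microsoft.com/api/indicators"
ACTION = "AlertAndBlock"          # same response the playbooks configure
TTL_DAYS = 90                     # indicators expire after 90 days
# hex-digit length of the digest selects the MDE indicator type
HASH_TYPES = {32: "FileMd5", 40: "FileSha1", 64: "FileSha256"}
SIMPLE_TYPES = {"ip": "IpAddress", "url": "Url", "domain": "DomainName"}


def build_indicator(kind, value, incident_id, now=None):
    """Return the JSON body for one MDE indicator; raise ValueError for input
    that the API would reject or that is not a supported entity kind."""
    now = now or datetime.now(timezone.utc)
    if kind == "filehash":
        digest = value.strip().lower()
        if len(digest) not in HASH_TYPES or not re.fullmatch(r"[0-9a-f]+", digest):
            raise ValueError(f"unsupported hash value: {value!r}")
        itype, value = HASH_TYPES[len(digest)], digest
    elif kind == "ip":
        # ip_address() raises ValueError on anything that is not a literal address
        itype, value = SIMPLE_TYPES[kind], str(ipaddress.ip_address(value.strip()))
    elif kind in SIMPLE_TYPES:
        itype, value = SIMPLE_TYPES[kind], value.strip()
        if not value:
            raise ValueError(f"empty {kind} entity")
    else:
        raise ValueError(f"unsupported entity kind: {kind!r}")
    return {
        "indicatorValue": value,
        "indicatorType": itype,
        "action": ACTION,
        "title": f"Sentinel incident {incident_id}",
        "description": f"Blocked by Sentinel playbook for incident {incident_id}",
        "expirationTime": (now + timedelta(days=TTL_DAYS)).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "severity": "High",
    }


def build_indicators(entities, incident_id, now=None):
    """Build one payload per distinct entity; collect rejects instead of
    aborting the whole batch so one bad entity does not block the rest."""
    payloads, skipped, seen = [], [], set()
    for kind, value in entities:
        key = (kind, value.strip().lower())
        if key in seen:
            continue
        seen.add(key)
        try:
            payloads.append(build_indicator(kind, value, incident_id, now))
        except ValueError as exc:
            skipped.append((kind, value, str(exc)))
    return payloads, skipped


# Constructed sample: what an incident's entity list might look like after
# flattening (kind, value); the repeated IP and the bad hash are deliberate.
SAMPLE_ENTITIES = [
    ("ip", "203.0.113.9"),
    ("filehash", "D41D8CD98F00B204E9800998ECF8427E"),
    ("ip", "203.0.113.9"),
    ("filehash", "not-a-hash"),
    ("domain", "malware.example"),
]

if __name__ == "__main__":
    built, rejected = build_indicators(SAMPLE_ENTITIES, 42)
    for body in built:
        print(body["indicatorType"], body["indicatorValue"], body["expirationTime"])
    for item in rejected:
        print("skipped:", item)
```

The playbooks key the indicator title on the incident so an analyst can trace a block back to its source; keeping that convention matters more than it looks, because indicators outlive the incident by three months.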
Microsoft Defender for Cloud The Microsoft Defender for Cloud solution for Microsoft Sentinel allows you to ingest the security alerts that Microsoft Defender for Cloud reports when assessing your hybrid cloud workloads' security posture. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor HTTP Data Collector API. Data Connectors: 1, Analytic Rules: 1 Detect CoreBackUp Deletion Activity from related Security Alerts AnalyticsRule The query identifies attempts by an attacker to delete backup containers and searches for any security alerts that may be linked to the same activity, in order to uncover additional information about the attacker's actions. Though such activity could be legitimate as part of business operations, some ransomware actors perform it to interrupt regular business services. Solution
Microsoft Defender for Cloud DataConnector Microsoft Defender for Cloud is a security management tool that allows you to detect and quickly respond to threats across Azure, hybrid, and multi-cloud workloads. This connector allows you to stream your security alerts from Microsoft Defender for Cloud into Microsoft Sentinel, so you can view Defender data in workbooks, query it to produce alerts, and investigate and respond to incidents. Solution
Microsoft Defender for Office 365 The Microsoft Defender for Office 365 solution for Microsoft Sentinel enables you to ingest security alerts from the Defender for Office 365 platform, providing visibility into threats within email messages, links (URLs) and collaboration tools. Underlying Microsoft Technologies used: This solution is dependent on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Codeless Connector Platform/Native Sentinel Polling. Data Connectors: 1, Workbooks: 1 Microsoft Defender for Office 365 DataConnector Microsoft Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs) and collaboration tools. By ingesting Microsoft Defender for Office 365 alerts into Microsoft Sentinel, you can incorporate information about email- and URL-based threats into your broader risk analysis and build response scenarios accordingly. The following types of alerts will be imported: - A potentially malicious URL click was detected - Email messages containing malware removed after delivery - Email messages containing phish URLs removed after delivery - Email reported by user as malware or phish - Suspicious email sending patterns detected - User restricted from sending email These alerts can be seen by Office customers in the Office Security and Compliance Center. For more information, see the Microsoft Sentinel documentation. Solution
Microsoft Defender For Office 365 Workbook Gain insights into your Microsoft Defender for Office 365 raw data logs. This workbook lets you look at trends in email senders, attachments and embedded URL data to find anomalies. You can also search by, sender, recipient, subject, attachment or embedded URL to find where the related messages have been sent. Solution
Microsoft Defender Threat Intelligence Microsoft centralizes numerous data sets into a single platform, Microsoft Defender Threat Intelligence (MDTI), making it easier for Microsoft's community and customers to conduct infrastructure analysis. Microsoft's primary focus is to provide as much data as possible about Internet infrastructure to support a variety of security use cases and to enable automation for incident management in Microsoft Sentinel. MDTI-Automated-Triage Playbook This playbook uses the MDTI Reputation data to automatically enrich incidents generated by Microsoft Sentinel. Indicators from an incident will be evaluated with MDTI reputation data. If any indicators are labeled as 'suspicious', the incident will be tagged as such and its severity will be marked as 'medium'. If any indicators are labeled as 'malicious', the incident will be tagged as such and its severity will be marked as 'high'. Regardless of the reputation state, comments will be added to the incident outlining the reputation details with links to further information if applicable. Solution
MDTI-Base Playbook This playbook creates a shared API Connection for all MDTI playbooks to leverage. This eases the configuration process for a user during deployment of the Microsoft Defender Threat Intelligence(MDTI) solution. In time, this base playbook may be extended to set more functionality. Azure AD App Registration credentials(ClientId/ClientSecret/TenantId) with MDTI API Permissions are needed when configuring this playbook. Those can be found on your Azure Client App page. If you have trouble accessing your account or your credentials contact your account representative (mdtidiscussion[@]microsoft.com). Solution
MDTI-Data-WebComponents Playbook This playbook uses the MDTI Components data to automatically enrich incidents generated by Microsoft Sentinel. Leverage this playbook in order to enrich your incidents with Webcomponents data hosted by the indicators found within the incident. These components allow a user to understand the makeup of a webpage or the technology and services driving a specific piece of infrastructure. Pivoting on unique components can find actors' infrastructure or other sites that are compromised. Users can also understand if a website might be vulnerable to a specific attack or compromise based on the technologies that it is running. Solution
MDTI-Intel-Reputation Playbook This playbook uses the MDTI API to automatically enrich incidents generated by Microsoft Sentinel. Reputation information gives analysts a verdict on whether an indicator is considered benign, suspicious or malicious. Analysts can leverage this playbook in order to enrich indicators found within an incident. Each reputation result is contained within a comment and includes detailed scoring information noting why a given indicator is considered suspicious or malicious, with links back to the MDTI platform for more information. Solution
Threat Intelligence Workbook Gain insights into threat indicators ingestion and search for indicators at scale across Microsoft 1st Party, 3rd Party, On-Premises, Hybrid, and Multi-Cloud Workloads. Indicators Search facilitates a simple interface for finding IP, File, Hash, Sender and more across your data. Seamless pivots to correlate indicators with Microsoft Sentinel: Incidents to make your threat intelligence actionable. Solution
Microsoft PowerBI The Microsoft PowerBI solution enables you to track user activities in your PowerBI environment. You can filter the audit data by date range, user, dashboard, report, dataset, and activity type.Underlying Microsoft Technologies used:This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:a. Office Management APIData Connectors: 1, Workbooks: 1 Microsoft PowerBI DataConnector Microsoft PowerBI is a collection of software services, apps, and connectors that work together to turn your unrelated sources of data into coherent, visually immersive, and interactive insights. Your data may be an Excel spreadsheet, a collection of cloud-based and on-premises hybrid data warehouses, or a data store of some other type. This connector lets you stream PowerBI audit logs into Microsoft Sentinel, allowing you to track user activities in your PowerBI environment. You can filter the audit data by date range, user, dashboard, report, dataset, and activity type. Solution
Microsoft PowerBI Activity Workbook Workbook This workbook provides details on Microsoft PowerBI Activity Solution
Microsoft Project The Microsoft Project solution allows you to stream your Microsoft Project audit logs into Microsoft Sentinel in order to track your project activities. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: Office Management API. Data Connectors: 1 Microsoft Project DataConnector Microsoft Project (MSP) is a project management software solution. Depending on your plan, Microsoft Project lets you plan projects, assign tasks, manage resources, create reports and more. This connector allows you to stream your Microsoft Project audit logs into Microsoft Sentinel in order to track your project activities. Solution
Minemeld The Minemeld solution for Microsoft Sentinel has a SOAR connector and playbooks that not only enrich the Microsoft Sentinel incident using Minemeld indicator data but also add indicators to the Minemeld platform if needed. Custom Azure Logic Apps Connectors: 1, Playbooks: 2 MinemeldCustomConnector LogicAppsCustomConnector Solution
Create Indicator - Minemeld Playbook This playbook searches Minemeld for indicators related to the entities (IP, file hash, URL) gathered from the Sentinel incident. If the search result is positive, a comment is added stating that the indicator is already present; otherwise it creates a new indicator in Minemeld. Solution
Entity (IP, URL, FileHash) Enrichment - Minemeld Playbook This playbook searches Minemeld for indicators related to the entities (IP, file hash, URL) gathered from the Sentinel incident. If the search result is positive, a comment is added to enrich the incident; if not, a comment stating that no information is available in Minemeld for the searched indicator is added to the incident. Solution
Microsoft Purview Information Protection The Microsoft Information Protection Solution for Microsoft Sentinel integrates Microsoft Purview Information Protection logs for security monitoring in Microsoft Sentinel. Customers can stream auditing events generated from the Microsoft Purview Information Protection unified labeling clients and scanners and emitted to M365 audit log for central reporting in Sentinel.Underlying Microsoft Technologies used:This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:a. Azure Monitor Resource DiagnosticsData Connectors: 1 Microsoft Purview Information Protection DataConnector Microsoft Purview Information Protection helps you discover, classify, protect, and govern sensitive information wherever it lives or travels. Using these capabilities enable you to know your data, identify items that are sensitive and gain visibility into how they are being used to better protect your data. Sensitivity labels are the foundational capability that provide protection actions, applying encryption, access restrictions and visual markings. Integrate Microsoft Purview Information Protection logs with Microsoft Sentinel to view dashboards, create custom alerts and improve investigation. For more information, see the Microsoft Sentinel documentation. Solution
Threat Analysis & Response MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. The MITRE ATT&CK Cloud Matrix provides tactics and techniques representing the MITRE ATT&CK® Matrix for Enterprise covering cloud-based techniques. The Matrix contains information for the following platforms: Azure AD, Office 365, SaaS, IaaS. For more information, see the 💡 MITRE ATT&CK: Cloud MatrixWorkbooks: 2 Dynamic Threat Modeling Response Workbook Sets the time name for analysis Solution
Threat Analysis Response Workbook Sets the time name for analysis Solution
MongoDB Audit The MongoDBAudit solution allows you to ingest Mongo DB audit information into Microsoft Sentinel. Refer to MongoDB documentation for more information.Underlying Microsoft Technologies used:This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:a. Agent-based log collection (Syslog)Data Connectors: 1, Parsers: 1 MongoDB Audit DataConnector MongoDB data connector provides the capability to ingest MongoDBAudit into Microsoft Sentinel. Refer to MongoDB documentation for more information. Solution
MongoDBAudit Parser Solution
Mulesoft The MuleSoft Cloudhub solution provides the capability to retrieve logs and events from Cloudhub applications using the Cloudhub API and ingest them into Microsoft Sentinel through the REST API. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor HTTP Data Collector API b. Azure Functions. Data Connectors: 1, Parsers: 1 MuleSoft Cloudhub (using Azure Functions) DataConnector The MuleSoft Cloudhub data connector provides the capability to retrieve logs and events from Cloudhub applications using the Cloudhub API and ingest them into Microsoft Sentinel through the REST API. The connector provides the ability to get events, which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more. Solution
MuleSoftCloudhub Parser Solution
Azure Network Security Groups The Azure Network Security Group solution enables you to stream and ingest diagnostic logs from your Azure NSG instances for Security Monitoring in to Microsoft Sentinel using Resource Diagnostic settings.Underlying Microsoft Technologies used:This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:a. Azure Monitor Resource DiagnosticsData Connectors: 1 Network Security Groups DataConnector Azure network security groups (NSG) allow you to filter network traffic to and from Azure resources in an Azure virtual network. A network security group includes rules that allow or deny traffic to a virtual network subnet, network interface, or both. When you enable logging for an NSG, you can gather the following types of resource log information: - Event: Entries are logged for which NSG rules are applied to VMs, based on MAC address. - Rule counter: Contains entries for how many times each NSG rule is applied to deny or allow traffic. The status for these rules is collected every 300 seconds. This connector lets you stream your NSG diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances. For more information, see the Microsoft Sentinel documentation. Solution
Network Session Essentials Network Session Essentials is a domain solution and does not include any data connectors. The content in this solution requires one of the product solutions below, as well as any other connector or data source normalized to ASIM. Prerequisite: install one or more of the listed solutions, or develop your custom ASIM parsers, to unlock the value provided by this solution: Amazon Web Services, Azure Firewall, Azure Network Security Groups, Check Point, Cisco ASA, Cisco Meraki Security Events, Corelight, Fortinet FortiGate, Microsoft Defender for IoT, Microsoft Defender for Cloud, Microsoft Sysmon For Linux, Windows Firewall, Palo Alto PANOS, Vectra AI Stream, WatchGuard Firebox, Zscaler Internet Access. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: the product solutions described above, and a logic app for data summarization. Recommendation: it is highly recommended to use the Summarize Data logic app playbook provided with this solution, as it significantly improves the performance of the workbook, analytic rules and hunting queries. Workbooks: 1, Analytic Rules: 7, Hunting Queries: 4, Watchlists: 1, Playbooks: 1 Detect port misuse by static threshold (ASIM Network Session schema) AnalyticsRule This detection rule detects port usage above the configured threshold. The rule utilizes ASIM normalization and is applied to any source which supports the ASIM Network Session schema. To tune the rule to your environment, configure it using the 'NetworkSession_Monitor_Configuration' watchlist. Note that to enhance performance, the rule uses summarized data generated from the summarization logic app. Solution
Port scan detected (ASIM Network Session schema) AnalyticsRule This rule identifies a possible port scan, in which a single source tries to access a large number of different ports in a short time frame. This may indicate that a port scanner is trying to identify open ports in order to penetrate a system. This analytic rule uses ASIM and supports any built-in or custom source that supports the ASIM NetworkSession schema. Solution
Excessive number of failed connections from a single source (ASIM Network Session schema) AnalyticsRule This rule identifies a single source that generates an excessive number of failed connections. Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive the rule is and the fewer incidents will be generated. This analytic rule uses ASIM and supports any built-in or custom source that supports the ASIM NetworkSession schema. Solution
Detect port misuse by anomaly based detection (ASIM Network Session schema) AnalyticsRule This rule detects anomalous patterns in port usage. The rule utilizes ASIM normalization and is applied to any source which supports the ASIM Network Session schema. To tune the rule to your environment, configure it using the 'NetworkSession_Monitor_Configuration' watchlist. Note that to enhance performance, the rule uses summarized data generated from the summarization logic app. Solution
Anomaly found in Network Session Traffic (ASIM Network Session schema) AnalyticsRule The rule identifies anomalous patterns in network session traffic based on previously seen data: a different Device Action, Network Protocol, Network Direction or overall volume. The rule utilizes ASIM normalization and is applied to any source which supports the ASIM Network Session schema. Solution
Network Port Sweep from External Network (ASIM Network Session schema) AnalyticsRule This detection rule detects scenarios in which a particular port is being scanned by multiple external sources. The rule utilizes ASIM normalization and is applied to any source which supports the ASIM Network Session schema. Solution
Potential beaconing activity (ASIM Network Session schema) AnalyticsRule This rule identifies beaconing patterns in network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing to untrusted public networks should be investigated for malware callbacks or data exfiltration attempts, as discussed in the referenced blog. This analytic rule uses ASIM and supports any built-in or custom source that supports the ASIM NetworkSession schema. Solution
Detect port misuse by static threshold (ASIM Network Session schema) HuntingQuery Solution
Detect port misuse by anomaly (ASIM Network Session schema) HuntingQuery Solution
Mismatch between Destination App name and Destination Port (ASIM Network Session schema) HuntingQuery Solution
Detects several users with the same MAC address (ASIM Network Session schema) HuntingQuery Solution
Summarize Data for Network Session Essentials Playbook This playbook summarizes data for Network Session Essentials and lands it into custom tables. Solution
Network Session Essentials Workbook This workbook is included as part of the Network Session Essentials solution and gives a summary of analyzed traffic, helps with threat analysis and investigating suspicious IPs, and supports traffic analysis. The Network Session Essentials solution also includes playbooks to periodically summarize the logs, thus enhancing user experience and improving data search. For effective usage of the workbook, we highly recommend enabling the summarization playbooks that are provided with this solution. Solution
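Two of the Network Session Essentials rules above state their logic plainly enough to reproduce: a port scan is one source touching many distinct destination ports inside a short window, and beaconing is one source talking to one external destination at near-constant intervals. The block below is an added example in Python, not the solution's KQL, that runs both detections over a constructed set of records using a few ASIM NetworkSession column names (TimeGenerated, SrcIpAddr, DstIpAddr, DstPortNumber). The thresholds, the five-minute window, the 20 percent jitter bound and the RFC 1918 stand-in for "trusted networks" are assumptions for the example; the real rules are tuned through the NetworkSession_Monitor_Configuration watchlist and run over the summarized tables.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumption: RFC 1918 ranges stand in for the solution's trusted networks.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def _ts(row):
    return datetime.fromisoformat(row["TimeGenerated"])


def detect_port_scans(sessions, window=timedelta(minutes=5), port_threshold=20):
    """Return {SrcIpAddr: max distinct ports} for sources that reached more than
    port_threshold distinct destination ports inside any window-long span.
    A sliding window over time-sorted events catches scans that straddle
    fixed bin boundaries, which a plain bin(TimeGenerated, 5m) would split."""
    by_src = defaultdict(list)
    for row in sessions:
        by_src[row["SrcIpAddr"]].append((_ts(row), row["DstPortNumber"]))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):
            ports = {port for t, port in events[i:] if t - t0 < window}
            best = max(best, len(ports))
        if best > port_threshold:
            hits[src] = best
    return hits


def detect_beaconing(sessions, min_events=6, max_jitter=0.2):
    """Return {(src, dst): mean gap seconds} for pairs whose inter-arrival
    times are regular (stdev/mean <= max_jitter) over at least min_events
    connections to a non-internal destination. Regular timing is the
    beacon signal; ordinary browsing is bursty and fails the jitter test."""
    by_pair = defaultdict(list)
    for row in sessions:
        by_pair[(row["SrcIpAddr"], row["DstIpAddr"])].append(_ts(row))
    hits = {}
    for (src, dst), times in by_pair.items():
        if is_internal(dst) or len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[(src, dst)] = round(avg, 1)
    return hits


def _session(t, src, dst, port):
    return {"TimeGenerated": t.isoformat(), "SrcIpAddr": src,
            "DstIpAddr": dst, "DstPortNumber": port, "EventResult": "Success"}


def sample_sessions():
    """Constructed records: one scanner, one beacon, one ordinary client."""
    base = datetime(2023, 7, 25, 10, 0, 0)
    rows = []
    t = base                                  # 25 ports in ~75 s, irregular gaps
    for i in range(25):
        t += timedelta(seconds=1 + (i * 7) % 5)
        rows.append(_session(t, "10.0.0.5", "192.168.1.10", 20 + i))
    t = base                                  # 8 check-ins, about every 60 s
    for gap in (0, 60, 62, 59, 61, 60, 58, 60):
        t += timedelta(seconds=gap)
        rows.append(_session(t, "10.0.0.7", "203.0.113.9", 443))
    for offset, port in ((0, 443), (95, 80), (400, 443),   # bursty browsing
                         (1300, 443), (1310, 8443), (2900, 443)):
        rows.append(_session(base + timedelta(seconds=offset),
                             "10.0.0.8", "203.0.113.50", port))
    return rows


if __name__ == "__main__":
    data = sample_sessions()
    print("port scans:", detect_port_scans(data))
    print("beacons:", detect_beaconing(data))
```

The scanner is deliberately given irregular timing so that the beacon test does not also fire on it; in production the two rules overlap more than this, which is why the solution keys beaconing on outbound traffic to untrusted networks and port scans on distinct-port counts rather than on timing alone.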
Network Threat Protection Essentials The Network Threat Protection Essentials solution contains queries that identify suspicious network behavior based on various data sources ingested in Sentinel. The solution contains queries to detect common network-based attacks, such as malicious user agents, mining pools, and Base64-encoded IPv4 addresses in request URLs. The solution will be updated over time to add more detection and hunting queries as well as other Sentinel content. Pre-requisites: This is a domain solution and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions to unlock the value provided by this solution: Microsoft 365, Amazon Web Services, Microsoft Windows DNS, Azure Firewall, Windows Forwarded Events, ZScaler Internet Access, Palo Alto Networks, Fortinet FortiGate, Check Point. Keywords: Malicious IP/User agent, DNS, TOR, mining. Analytic Rules: 2, Hunting Queries: 3 Network endpoint to host executable correlation AnalyticsRule Correlates blocked URLs hosting [malicious] executables with host endpoint data to identify potential instances of executables of the same name having been recently run. Solution
New UserAgent observed in last 24 hours AnalyticsRule Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection extracts words from user agents to build the baseline and determine rarity rather than performing a direct comparison. This avoids false positives caused by version numbers and other high-entropy user agent components. These new UserAgents could be benign. However, in normally stable environments, these new UserAgents could provide a starting point for investigating malicious activity. Note: W3CIISLog can be noisy depending on the environment; however, OfficeActivity and AWSCloudTrail are usually stable with low numbers of detections. Solution
Base64 encoded IPv4 address in request url HuntingQuery Solution
Risky base64 encoded command in URL HuntingQuery Solution
Exploit and Pentest Framework User Agent HuntingQuery Solution
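The "New UserAgent observed" rule and the "Base64 encoded IPv4 address in request url" hunting query above each describe a specific trick: compare user agents by their alphabetic words so that version bumps do not look new, and decode base64-looking runs in a URL to see whether they hide an address. The block below is an added Python example, not the solution's KQL, implementing both over constructed inputs. The word length of three, the six-character minimum for a base64 run, the sample user agents and the sample URLs are assumptions for the example; the solution's queries set their own cutoffs.

```python
import base64
import binascii
import re

WORD_RE = re.compile(r"[A-Za-z]{3,}")            # ignores version numbers, hex, 1-2 letter tokens
B64_RE = re.compile(r"[A-Za-z0-9+/]{6,}={0,2}")  # standard alphabet only; URL-safe (-_) not covered
IPV4_RE = re.compile(r"(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)")


def ua_words(user_agent):
    """The rule's baseline unit: lower-cased alphabetic words of a user agent."""
    return {w.lower() for w in WORD_RE.findall(user_agent)}


def new_user_agents(baseline_uas, recent_uas):
    """Return {recent UA: [words never seen in the baseline]} for UAs that
    introduce at least one new word. A Chrome build bump adds no word and is
    therefore not reported; a new tool name or domain is."""
    known = set().union(*(ua_words(u) for u in baseline_uas))
    flagged = {}
    for ua in recent_uas:
        new_words = ua_words(ua) - known
        if new_words:
            flagged[ua] = sorted(new_words)
    return flagged


def base64_ipv4_in_url(url):
    """Return [(token, decoded_ip)] for base64 runs in the URL that decode to
    an IPv4 address. Padding is restored before decoding because attackers
    often strip it; undecodable or non-ASCII runs are simply skipped."""
    found = []
    for token in B64_RE.findall(url):
        padded = token + "=" * (-len(token) % 4)
        try:
            decoded = base64.b64decode(padded, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if IPV4_RE.fullmatch(decoded.strip()):
            found.append((token, decoded.strip()))
    return found


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample data (not from any real log)
BASELINE_UAS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Safari/605.1.15",
]
RECENT_UAS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36",
    "sqlmap/1.7.2#stable (https://sqlmap.org)",
    "python-requests/2.31.0",
]
SAMPLE_URLS = [
    "/api/fetch?target=MTAuMC4wLjU=&mode=full",   # MTAuMC4wLjU= is base64("10.0.0.5")
    "/search?q=dGVzdGluZw",                        # base64("testing"), padding stripped
    "/img?ref=" + _b64("172.16.4.20"),
]

if __name__ == "__main__":
    for ua, words in new_user_agents(BASELINE_UAS, RECENT_UAS).items():
        print("new UA:", ua, "->", words)
    for url in SAMPLE_URLS:
        print(url, "->", base64_ipv4_in_url(url))
```

Note that path segments such as `/api/fetch` also match the base64 pattern; they fail to decode to printable ASCII and drop out, but on a busy web log the decode step is where the cost goes, so the production query limits itself to runs of plausible length as well.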
Netwrix Auditor The Netwrix Auditor solution provides the capability to ingest Netwrix Auditor (formerly Stealthbits Privileged Activity Manager) events into Microsoft Sentinel. Refer to Netwrix documentation for more information.Underlying Microsoft Technologies used:This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:a. Agent-based log collection (CEF over Syslog)Data Connectors: 1, Parsers: 1 Netwrix Auditor (formerly Stealthbits Privileged Activity Manager) DataConnector Netwrix Auditor data connector provides the capability to ingest Netwrix Auditor (formerly Stealthbits Privileged Activity Manager) events into Microsoft Sentinel. Refer to Netwrix documentation for more information. Solution
NetwrixAuditor Parser Solution
Neustar IP GeoPoint The Neustar IP GeoPoint solution for Microsoft Sentinel contains a playbook which allows easy IP address lookup to enrich Microsoft Sentinel incidents and helps with auto-remediation scenarios. Playbooks: 1 EnrichIP-GetIPGeoInfo-Neustar Playbook When a new Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Gets IP addresses from the incident. 2. Gets geographical location information from the Neustar IP GeoPoint API. 3. Summarizes the details and adds them as a comment to the incident. Solution
Nginx Important: This Microsoft Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews. The NGINX solution for Microsoft Sentinel enables you to ingest NGINX HTTP Server events into Microsoft Sentinel. Refer to the NGINX Logs documentation for more information. Microsoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step. Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10 NGINX - Private IP address in URL AnalyticsRule Detects requests whose URL contains a private IP address. Solution
NGINX - Request to sensitive files AnalyticsRule Detects request to sensitive files. Solution
NGINX - Sql injection patterns AnalyticsRule Detects possible SQL injection patterns. Solution
NGINX - Multiple client errors from single IP address AnalyticsRule Detects multiple client errors from one source in short timeframe Solution
NGINX - Multiple user agents for single source AnalyticsRule Detects requests with different user agents from one source in short timeframe. Solution
NGINX - Core Dump AnalyticsRule Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts. Solution
NGINX - Known malicious user agent AnalyticsRule Detects known malicious user agents Solution
NGINX - Multiple server errors from single IP address AnalyticsRule Detects multiple server errors from one source in short timeframe Solution
NGINX - Command in URI AnalyticsRule Detects command in URI Solution
NGINX - Put file and get file from same IP address AnalyticsRule Detects a PUT followed by a GET of a file from the same source IP address in a short timeframe. Solution
NGINX HTTP Server DataConnector The NGINX HTTP Server data connector provides the capability to ingest NGINX HTTP Server events into Microsoft Sentinel. Refer to NGINX Logs documentation for more information. Solution
NGINX - Top files requested HuntingQuery Solution
NGINX - Requests from bots and crawlers HuntingQuery Solution
NGINX - Requests to nonexistent files HuntingQuery Solution
NGINX - Top URLs server errors HuntingQuery Solution
NGINX - Abnormal request size HuntingQuery Solution
NGINX - Top files with error requests HuntingQuery Solution
NGINX - Rare files requested HuntingQuery Solution
NGINX - Uncommon user agent strings HuntingQuery Solution
NGINX - Top URLs client errors HuntingQuery Solution
NGINX - Rare URLs requested HuntingQuery Solution
Nginx Data Parser Parser Solution
NGINX HTTP Server Workbook Sets the time name for analysis Solution
NIST SP 800-53 Important: This Microsoft Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews. This solution enables Compliance Teams, Architects, SecOps Analysts, and Consultants to gain situational awareness for cloud workload security posture. This workbook is designed to augment staffing through automation, visibility, assessment, monitoring and remediation. The Microsoft Sentinel: NIST SP 800-53 R4 Solution demonstrates best practice guidance, but Microsoft does not guarantee nor imply compliance. All requirements, validations, and controls are governed by the 💡National Institute of Standards and Technology (NIST). This workbook provides visibility and situational awareness for security capabilities delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user and some panels may require additional configuration for operation. Recommendations do not imply coverage of respective controls, as they are often one of several courses of action for approaching requirements, which is unique to each customer. Recommendations should be considered a starting point for planning full or partial coverage of respective requirements. This workbook does not address all controls within the framework. It should be considered a supplemental tool to gain visibility of technical controls within cloud, multi-cloud, and hybrid networks. For the full listing of respective controls, see the 💡Microsoft Cloud Service Trust Portal. Microsoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step. Workbooks: 1, Analytic Rules: 1, Playbooks: 3 NIST SP 800-53 Posture Changed AnalyticsRule This alert is designed to monitor Azure policies aligned with the NIST SP 800-53 Regulatory Compliance initiative. The alert triggers when policy compliance falls below 70% within a 1 week timeframe. Solution
Create-AzureDevOpsTask Playbook This playbook will create the Azure DevOps task filled with the Microsoft Sentinel incident details. Solution
Create Jira Issue Playbook This playbook will open a Jira Issue when a new incident is opened in Microsoft Sentinel. Solution
Notify_GovernanceComplianceTeam Playbook This playbook will create the Azure DevOps task filled with the Microsoft Sentinel incident details. Solution
NISTSP80053workbook Workbook Sets the time name for analysis. Solution
Nozomi Networks The Nozomi Networks solution provides the capability to ingest Nozomi Networks Events into Microsoft Sentinel. Refer to the Nozomi Networks PDF documentation for more information.Underlying Microsoft Technologies used:This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:a. Agent-based log collection (CEF over Syslog)Data Connectors: 1, Parsers: 1 Nozomi Networks N2OS DataConnector The Nozomi Networks data connector provides the capability to ingest Nozomi Networks Events into Microsoft Sentinel. Refer to the Nozomi Networks PDF documentation for more information. Solution
NozomiNetworksEvents Parser Solution
Oracle Cloud Infrastructure The Oracle Cloud Infrastructure (OCI) solution provides the capability to ingest OCI Logs from OCI Stream into Microsoft Sentinel using the OCI Streaming REST API.Underlying Microsoft Technologies used:This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:a. Azure Monitor HTTP Data Collector APIb. Azure FunctionsData Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10 OCI - Multiple instances terminated AnalyticsRule Detects when multiple instances were terminated. Solution
OCI - Event rule deleted AnalyticsRule Detects when event rule was deleted. Solution
OCI - Multiple rejects on rare ports AnalyticsRule Detects multiple rejects on rare ports. Solution
OCI - Discovery activity AnalyticsRule Detects possible discovery activity. Solution
OCI - Insecure metadata endpoint AnalyticsRule Detects insecure metadata endpoint. Solution
OCI - Unexpected user agent AnalyticsRule Detects unexpected user agent strings. Solution
OCI - Instance metadata access AnalyticsRule Detects instance metadata access. Solution
OCI - Multiple instances launched AnalyticsRule Detects when multiple instances were launched. Solution
OCI - SSH scanner AnalyticsRule Detects possible SSH scanning activity. Solution
OCI - Inbound SSH connection AnalyticsRule Detects inbound SSH connection. Solution
Oracle Cloud Infrastructure (using Azure Functions) DataConnector The Oracle Cloud Infrastructure (OCI) data connector provides the capability to ingest OCI Logs from OCI Stream into Microsoft Sentinel using the OCI Streaming REST API. Solution
OCI - User source IP addresses HuntingQuery Solution
OCI - Destination ports (inbound traffic) HuntingQuery Solution
OCI - Launched instances HuntingQuery Solution
OCI - Deleted users HuntingQuery Solution
OCI - Terminated instances HuntingQuery Solution
OCI - Updated instances HuntingQuery Solution
OCI - New users HuntingQuery Solution
OCI - Update activities HuntingQuery Solution
OCI - Delete operations HuntingQuery Solution
OCI - Destination ports (outbound traffic) HuntingQuery Solution
OCILogs Parser Solution
Oracle Cloud Infrastructure Workbook Sets the time name for analysis Solution
Microsoft 365 The Microsoft 365 solution for Microsoft Sentinel enables you to ingest operational logs from Microsoft 365 to gain insights into user and admin activity across your collaboration platforms such as Teams, SharePoint and Exchange.Underlying Microsoft Technologies used:This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:a. Azure Monitor HTTP Data Collector APIData Connectors: 1, Workbooks: 3, Analytic Rules: 14, Hunting Queries: 21 Possible Forest Blizzard attempted credential harvesting - Sept 2020 AnalyticsRule Surfaces potential Forest Blizzard group Office365 credential harvesting attempts within OfficeActivity Logon events. References: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/. Solution
Multiple Teams deleted by a single user AnalyticsRule This detection flags the occurrences of deleting multiple teams within an hour. This data is a part of Office 365 Connector in Microsoft Sentinel. Solution
Exchange AuditLog disabled AnalyticsRule Identifies when the exchange audit logging has been disabled which may be an adversary attempt to evade detection or avoid other defenses. Solution
SharePointFileOperation via previously unseen IPs AnalyticsRule Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses exceeds a threshold (default is 50). Solution
Mail redirect via ExO transport rule AnalyticsRule Identifies when Exchange Online transport rule configured to forward emails. This could be an adversary mailbox configured to collect mail from multiple user accounts. Solution
SharePointFileOperation via devices with previously unseen user agents AnalyticsRule Identifies if the number of documents uploaded or downloaded from device(s) associated with a previously unseen user agent exceeds a threshold (default is 5). Solution
Malicious Inbox Rule AnalyticsRule Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. This is done so as to limit ability to warn compromised users that they've been compromised. Below is a sample query that tries to detect this. Reference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/ Solution
Multiple users email forwarded to same destination AnalyticsRule Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. This could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts. Solution
Rare and potentially high-risk Office operations AnalyticsRule Identifies Office operations that are typically rare and can provide capabilities useful to attackers. Solution
Exchange workflow MailItemsAccessed operation anomaly AnalyticsRule Identifies anomalous increases in Exchange mail items accessed operations. The query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns. Sudden increases in execution frequency of sensitive actions should be further investigated for malicious activity. Manually change scorethreshold from 1.5 to 3 or higher to reduce the noise based on outliers flagged from the query criteria. Read more about MailItemsAccessed- https://docs.microsoft.com/microsoft-365/compliance/advanced-audit?view=o365-worldwide#mailitemsaccessed Solution
Accessed files shared by temporary external user AnalyticsRule This detection identifies when an external user is added to a Team or Teams chat, shares a file that is accessed by many users (>10), and the user is then removed within a short period of time. This might be an indicator of suspicious activity. Solution
External user added and removed in short timeframe AnalyticsRule This detection flags the occurrences of external user accounts that are added to a Team and then removed within one hour. Solution
New executable via Office FileUploaded Operation AnalyticsRule Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive. List currently includes 'exe', 'inf', 'gzip', 'cmd', 'bat' file extensions. Additionally, identifies when a given user is uploading these files to another users workspace. This may be indication of a staging location for malware or other malicious activity. Solution
Office policy tampering AnalyticsRule Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. An adversary may use this technique to evade detection or avoid other policy based defenses. References: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps. Solution
Office 365 DataConnector The Office 365 activity log connector provides insight into ongoing user activities. You will get details of operations such as file downloads, access requests sent, changes to group events, set-mailbox and details of the user who performed the actions. By connecting Office 365 logs into Microsoft Sentinel you can use this data to view dashboards, create custom alerts, and improve your investigation process. For more information, see the Microsoft Sentinel documentation. Solution
Non-owner mailbox login activity HuntingQuery Solution
External user added and removed in a short timeframe - Hunt Version HuntingQuery Solution
Anomalous access to other user's mailboxes HuntingQuery Solution
User added to Team and immediately uploads file HuntingQuery Solution
Powershell or non-browser mailbox login activity HuntingQuery Solution
User made Owner of multiple teams HuntingQuery Solution
Windows Reserved Filenames staged on Office file services HuntingQuery Solution
New Windows Reserved Filenames staged on Office file services HuntingQuery Solution
Multiple Teams deleted by a single user HuntingQuery Solution
External user from a new organisation added to Teams HuntingQuery Solution
New Admin account activity seen which was not seen historically HuntingQuery Solution
Files uploaded to teams and access summary HuntingQuery Solution
Mail redirect via ExO transport rule HuntingQuery Solution
Bots added to multiple teams HuntingQuery Solution
Multiple users email forwarded to same destination HuntingQuery Solution
Previously unseen bot or application added to Teams HuntingQuery Solution
Exes with double file extension and access summary HuntingQuery Solution
Office Mail Forwarding - Hunting Version HuntingQuery Solution
SharePointFileOperation via previously unseen IPs HuntingQuery Solution
SharePointFileOperation via clientIP with previously unseen user agents HuntingQuery Solution
SharePointFileOperation via devices with previously unseen user agents HuntingQuery Solution
Exchange Online Workbook Gain insights into Microsoft Exchange Online by tracing and analyzing all Exchange operations and user activities. This workbook lets you monitor user activities, including logins, account operations, permission changes, and mailbox creations to discover suspicious trends among them. Solution
Office 365 Workbook Gain insights into Office 365 by tracing and analyzing all operations and activities. You can drill down into your SharePoint, OneDrive, and Exchange. This workbook lets you find usage trends across users, files, folders, and mailboxes, making it easier to identify anomalies in your network. Solution
SharePoint & OneDrive Workbook Gain insights into SharePoint and OneDrive by tracing and analyzing all operations and activities. You can view trends across user operation, find correlations between users and files, and identify interesting information such as user IP addresses. Solution
Okta Single Sign-On The Okta Single Sign-On (SSO) solution for Microsoft Sentinel provides the capability to ingest audit and event logs into Microsoft Sentinel using the Okta API.Underlying Microsoft Technologies used:This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:a. Azure Monitor HTTP Data Collector APIb. Azure FunctionsData Connectors: 1, Workbooks: 1, Analytic Rules: 3, Hunting Queries: 5, Custom Azure Logic Apps Connectors: 1, Playbooks: 3 User Login from Different Countries within 3 hours AnalyticsRule This query searches for successful user logins to the Okta Console from different countries within 3 hours Solution
Failed Logins from Unknown or Invalid User AnalyticsRule This query searches for numerous login attempts to the management console with an unknown or invalid user name Solution
Potential Password Spray Attack AnalyticsRule This query searches for failed attempts to log into the Okta console from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack Solution
Okta Single Sign-On (using Azure Function) DataConnector The Okta Single Sign-On (SSO) connector provides the capability to ingest audit and event logs from the Okta API into Microsoft Sentinel. The connector provides visibility into these log types in Microsoft Sentinel to view dashboards, create custom alerts, and to improve monitoring and investigation capabilities. Solution
Rare MFA Operations (Okta) HuntingQuery Solution
User password reset(Okta) HuntingQuery Solution
Admin privilege granted (Okta) HuntingQuery Solution
Initiate impersonation session (Okta) HuntingQuery Solution
Create API Token (Okta) HuntingQuery Solution
OktaCustomConnector LogicAppsCustomConnector Solution
User enrichment - Okta Playbook This playbook will collect user information from Okta and post a report on the incident. Solution
Prompt Okta user Playbook This playbook uses the Okta connector to prompt the risky user on Teams. The user is asked whether the action was taken by them. Based on the user's confirmation, the SOC admin is notified to investigate the user account. Also, a comment is added to the incident with user information and a summary of the actions taken. Solution
Response on Okta user from Teams Playbook This playbook sends an adaptive card to the SOC Teams channel with information about the Okta user and incident details. The SOC is allowed to take actions such as suspend, reset password, expire password, and add to group. An informative comment will be posted to the incident. Solution
Okta Single Sign-On Workbook Gain extensive insight into Okta Single Sign-On (SSO) by analyzing, collecting and correlating Audit and Event events. This workbook provides visibility into message and click events that were permitted, delivered, or blocked Solution
OneLogin IAM The OneLogin solution for Microsoft Sentinel provides the capability to ingest common OneLogin IAM Platform events into Microsoft Sentinel through Webhooks.Underlying Microsoft Technologies used:This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:a. Azure Monitor HTTP Data Collector APIb. Azure FunctionsData Connectors: 1, Parsers: 1 OneLogin IAM Platform(using Azure Functions) DataConnector The OneLogin data connector provides the capability to ingest common OneLogin IAM Platform events into Microsoft Sentinel through Webhooks. The OneLogin Event Webhook API, which is also known as the Event Broadcaster, will send batches of events in near real-time to an endpoint that you specify. When a change occurs in OneLogin, an HTTPS POST request with event information is sent to a callback data connector URL. Refer to the Webhooks documentation for more information. The connector provides the ability to get events, which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more. Solution
OneLogin Parser Solution
OpenCTI The OpenCTI solution for Microsoft Sentinel enables you to ingest threat intelligence data from OpenCTI platform into Microsoft Sentinel. This solution includes SOAR Connector and Playbooks which leverage OpenCTI indicators data to not only enrich Microsoft Sentinel incidents but also add indicators to OpenCTI.Custom Azure Logic Apps Connectors: 1, Playbooks: 4 OpenCTICustomConnector LogicAppsCustomConnector Solution
Create Indicator - OpenCTI Playbook This playbook adds a new indicator in OpenCTI based on the entity info present in the Sentinel incident. This playbook searches OpenCTI for indicators based on the entities (Account, Host, IP, FileHash, URL) present in the Microsoft Sentinel incident. If an entity is present in OpenCTI, its information is added to an incident comment; otherwise a new indicator is created in OpenCTI. Solution
Entity (IP, URL, FileHash, Account, Host) Enrichment - OpenCTI Playbook This playbook searches OpenCTI for indicators based on the entities (Account, Host, IP, FileHash, URL) present in the Microsoft Sentinel incident. If an entity is present in OpenCTI, its information is added to an incident comment. Solution
Read Stream- OpenCTI Indicators Playbook This playbook fetches indicators from OpenCTI and sends them to Sentinel. Supported types are Domain, File, IPv4, IPv6, Account, Url. This runs every 10 minutes. Solution
Send to Security Graph API - Batch Import (OpenCTI) Playbook This playbook sends messages to Security GraphAPI in batches Solution
OpenVPN The OpenVPN solution for Microsoft Sentinel provides the capability to ingest OpenVPN Server logs into Microsoft Sentinel. These logs contain details and specifics about VPN connection activity.Underlying Microsoft Technologies used:This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:a. Agent-based log collection (Syslog)Data Connectors: 1, Parsers: 1 OpenVPN Server DataConnector The OpenVPN data connector provides the capability to ingest OpenVPN Server logs into Microsoft Sentinel. Solution
OpenVpnEvent Parser Solution
Oracle Database Audit The Oracle Database Audit solution provides the capability to ingest Oracle Database audit events into Microsoft Sentinel through the syslog. Refer to documentation for more information.Underlying Microsoft Technologies used:This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:a. Agent-based log collection (Syslog)Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10 OracleDBAudit - Shutdown Server AnalyticsRule Detects when "SHUTDOWN" command was sent to server. Solution
OracleDBAudit - User connected to database from new IP AnalyticsRule Detects when a user connects to database from new IP address. Solution
OracleDBAudit - Connection to database from external IP AnalyticsRule Detects when connection to database is from external IP source. Solution
OracleDBAudit - User activity after long inactivity time AnalyticsRule Detects when an action was made by a user whose last activity was observed more than 30 days ago. Solution
OracleDBAudit - Unusual user activity on multiple tables AnalyticsRule Detects when user queries many tables in short period of time. Solution
OracleDBAudit - Connection to database from unknown IP AnalyticsRule Detects when a user connects to a database from an IP address that is not present in the AllowList. Solution
OracleDBAudit - SQL injection patterns AnalyticsRule Detects common known SQL injection patterns used in automated scripts. Solution
OracleDBAudit - Multiple tables dropped in short time AnalyticsRule Detects when user drops many tables in short period of time. Solution
OracleDBAudit - New user account AnalyticsRule Detects when an action was made by new user. Solution
OracleDBAudit - Query on Sensitive Table AnalyticsRule Detects when user queries sensitive tables. Solution
Oracle Database Audit DataConnector The Oracle DB Audit data connector provides the capability to ingest Oracle Database audit events into Microsoft Sentinel through the syslog. Refer to documentation for more information. Solution
OracleDBAudit - Inactive Users HuntingQuery Solution
OracleDBAudit - Users Privileges Review HuntingQuery Solution
OracleDBAudit - Users connected to databases during non-operational hours. HuntingQuery Solution
OracleDBAudit - Users with new privileges HuntingQuery Solution
OracleDBAudit - Active Users HuntingQuery Solution
OracleDBAudit - Action by Ip HuntingQuery Solution
OracleDBAudit - Top tables queries HuntingQuery Solution
OracleDBAudit - Audit large queries HuntingQuery Solution
OracleDBAudit - Action by user HuntingQuery Solution
OracleDBAudit - Dropped Tables HuntingQuery Solution
OracleDatabaseAudit Data Parser Parser Solution
Oracle WebLogic Server The Oracle WebLogic Server solution for Microsoft Sentinel provides the capability to ingest Oracle Web Logic Server events into Microsoft Sentinel. Oracle WebLogic Server is a server for building and deploying enterprise Java EE applications with support for new features for lowering cost of operations, improving performance, enhancing scalability, and supporting the Oracle Applications portfolio.Underlying Microsoft Technologies used:This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:a. Azure Monitor HTTP Data Collector APIData Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10 Oracle - Put file and get file from same IP address AnalyticsRule Detects put or get files from one source in short timeframe Solution
Oracle - Private IP in URL AnalyticsRule Detects requests to unusual URL Solution
Oracle - Multiple server errors from single IP AnalyticsRule Detects multiple server errors from one source in short timeframe Solution
Oracle - Multiple client errors from single IP AnalyticsRule Detects multiple client errors from one source in short timeframe Solution
Oracle - Multiple user agents for single source AnalyticsRule Detects requests with different user agents from one source in short timeframe. Solution
Oracle - Malicious user agent AnalyticsRule Detects known malicious user agent strings Solution
Oracle - Oracle WebLogic Exploit CVE-2021-2109 AnalyticsRule Detects exploitation of Oracle WebLogic vulnerability CVE-2021-2109 Solution
Oracle - Command in URI AnalyticsRule Detects command in URI Solution
Oracle - Request to sensitive files AnalyticsRule Detects request to sensitive files. Solution
Oracle - Put suspicious file AnalyticsRule Detects PUT or POST of suspicious file Solution
Oracle WebLogic Server DataConnector OracleWebLogicServer data connector provides the capability to ingest OracleWebLogicServer events into Microsoft Sentinel. Refer to OracleWebLogicServer documentation for more information. Solution
Oracle - Rare user agents with client errors HuntingQuery Solution
Oracle - Top files requested by users with error HuntingQuery Solution
Oracle - Abnormal request size HuntingQuery Solution
Oracle - Error messages HuntingQuery Solution
Oracle - Request to forbidden files HuntingQuery Solution
Oracle - Critical event severity HuntingQuery Solution
Oracle - Top URLs server errors HuntingQuery Solution
Oracle - Top URLs client errors HuntingQuery Solution
Oracle - Rare user agents HuntingQuery Solution
Oracle - Rare URLs requested HuntingQuery Solution
OracleWebLogicServer Data Parser Parser Solution
Oracle WebLogic Server Workbook Sets the time name for analysis Solution
OSSEC The OSSEC solution provides the capability to ingest OSSEC events into Microsoft Sentinel. Refer to OSSEC documentation for more information.Underlying Microsoft Technologies used:This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:a. Agent-based log collection (CEF)Data Connectors: 1, Parsers: 1 OSSEC DataConnector OSSEC data connector provides the capability to ingest OSSEC events into Microsoft Sentinel. Refer to OSSEC documentation for more information. Solution
OSSECEvent Parser Solution
Palo Alto Networks Cortex Data Lake The Palo Alto Networks CDL solution provides the capability to ingest CDL logs into Microsoft Sentinel.Underlying Microsoft Technologies used:This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:a. Agent-based log collection (CEF over Syslog)Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10 PaloAlto - Possible port scan AnalyticsRule Detects possible port scan. Solution
PaloAlto - User privileges was changed AnalyticsRule Detects changing of user privileges. Solution
PaloAlto - File type changed AnalyticsRule Detects when file type changed. Solution
PaloAlto - MAC address conflict AnalyticsRule Detects several users with the same MAC address. Solution
PaloAlto - Forbidden countries AnalyticsRule Detects suspicious connections from forbidden countries. Solution
PaloAlto - Inbound connection to high risk ports AnalyticsRule Detects inbound connection to high risk ports. Solution
PaloAlto - Possible attack without response AnalyticsRule Detects possible attack without response. Solution
PaloAlto - Dropping or denying session with traffic AnalyticsRule Detects dropping or denying session with traffic. Solution
PaloAlto - Put and post method request in high risk file type AnalyticsRule Detects put and post method request in high risk file type. Solution
PaloAlto - Possible flooding AnalyticsRule Detects possible flooding. Solution
Palo Alto Networks Cortex Data Lake (CDL) DataConnector The Palo Alto Networks CDL data connector provides the capability to ingest CDL logs into Microsoft Sentinel. Solution
PaloAlto - Multiple Deny result by user HuntingQuery Solution
PaloAlto - Rare application layer protocols HuntingQuery Solution
PaloAlto - File permission with PUT or POST request HuntingQuery Solution
PaloAlto - Agent versions HuntingQuery Solution
PaloAlto - Outdated config versions HuntingQuery Solution
PaloAlto - Incomplete application protocol HuntingQuery Solution
PaloAlto - Rare files observed HuntingQuery Solution
PaloAlto - Critical event result HuntingQuery Solution
PaloAlto - Destination ports by IPs HuntingQuery Solution
PaloAlto - Rare ports by user HuntingQuery Solution
PaloAltoCDLEvent Parser Solution
Palo Alto PAN-OS The Palo Alto Networks (Firewall) Solution for Microsoft Sentinel allows you to easily connect your Palo Alto Networks Firewall logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. This solution also contains playbooks to help in automated remediation. Underlying Microsoft Technologies used:This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Agent-based log collection (CEF over Syslog)Data Connectors: 1, Workbooks: 2, Analytic Rules: 4, Hunting Queries: 1, Custom Azure Logic Apps Connectors: 2, Playbooks: 7 Microsoft COVID-19 file hash indicator matches AnalyticsRule Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/ Solution
Palo Alto - possible internal to external port scanning AnalyticsRule Identifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which results in an "ApplicationProtocol = incomplete" designation. The server resets coupled with an "Incomplete" ApplicationProtocol designation can be an indication of internal to external port scanning or probing attack. References: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK Solution
Palo Alto Threat signatures from Unusual IP addresses AnalyticsRule Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. This detection is also leveraged and required for MDE and PAN Fusion scenario https://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall Solution
Palo Alto - potential beaconing detected AnalyticsRule Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. The query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. This outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts. Reference Blog: http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/ https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586 Solution
Palo Alto Networks (Firewall) DataConnector The Palo Alto Networks firewall connector allows you to easily connect your Palo Alto Networks logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. Solution
Palo Alto - high-risk ports HuntingQuery Solution
Palo Alto - potential beaconing detected HuntingQuery Solution
LogicAppsCustomConnector Solution
LogicAppsCustomConnector Solution
Block IP - Palo Alto PAN-OS - Entity trigger Playbook This playbook interacts with relevant stakeholders, such as the incident response team, to approve blocking/allowing IPs in Palo Alto PAN-OS, using Address Object Groups. This allows making changes to a predefined address group, which is attached to a predefined security policy rule. Solution
PaloAlto-PAN-OS-BlockIP Playbook This playbook allows blocking/unblocking IPs in PaloAlto, using Address Object Groups. This allows making changes to a predefined address group, which is attached to a predefined security policy rule. Solution
PaloAlto-PAN-OS-BlockURL-EntityTrigger Playbook This playbook allows blocking/unblocking URLs in PaloAlto, using a predefined address group. This allows making changes to a predefined address group, which is attached to a security policy rule. Solution
PaloAlto-PAN-OS-BlockURL Playbook This playbook allows blocking/unblocking URLs in PaloAlto, using a predefined address group. This allows making changes to a predefined address group, which is attached to a security policy rule. Solution
Get System Info - Palo Alto PAN-OS XML API Playbook This playbook allows us to get System Info of a Palo Alto device for a Sentinel alert. Solution
Get Threat PCAP - Palo Alto PAN-OS XML API Playbook This playbook allows us to get a threat PCAP for a given PCAP ID. Solution
PaloAlto-PAN-OS-GetURLCategoryInfo Playbook When a new Sentinel incident is created, this playbook gets triggered and performs the below actions: Solution
Palo Alto Network Threat Workbook Gain insights into Palo Alto network activities by analyzing threat events. You can extract meaningful security information by correlating data between threats, applications, and time. This workbook makes it easy to track malware, vulnerability, and virus log events. Solution
Palo Alto overview Workbook Gain insights and comprehensive monitoring into Palo Alto firewalls by analyzing traffic and activities. This workbook correlates all Palo Alto data with threat events to identify suspicious entities and relationships. You can learn about trends across user and data traffic, and drill down into Palo Alto Wildfire and filter results. Solution
Palo Alto Prisma Cloud CSPM The Palo Alto Prisma Cloud CSPM solution provides the capability to ingest Prisma Cloud CSPM alerts and audit logs into Microsoft Sentinel using the Prisma Cloud CSPM API. Refer to Prisma Cloud CSPM API documentation for more information.Underlying Microsoft Technologies used:This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:a. Azure Monitor HTTP Data Collector APIb. Azure FunctionsData Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 11, Hunting Queries: 9, Custom Azure Logic Apps Connectors: 1, Playbooks: 2 Palo Alto Prisma Cloud - Maximum risk score alert AnalyticsRule Detects alerts with maximum risk score value. Solution
Palo Alto Prisma Cloud - Network ACL allow all outbound traffic AnalyticsRule Detects network ACLs with outbound rule to allow all traffic. Solution
Palo Alto Prisma Cloud - Multiple failed logins for user AnalyticsRule Detects multiple failed logins for the same user account. Solution
Palo Alto Prisma Cloud - Network ACLs Inbound rule to allow All Traffic AnalyticsRule Detects Network ACLs with Inbound rule to allow All Traffic. Solution
Palo Alto Prisma Cloud - High risk score alert AnalyticsRule Detects alerts with high risk score value. Solution
Palo Alto Prisma Cloud - Access keys are not rotated for 90 days AnalyticsRule Detects access keys which were not rotated for 90 days. Solution
Palo Alto Prisma Cloud - Inactive user AnalyticsRule Detects users inactive for 30 days. Solution
Palo Alto Prisma Cloud - IAM Group with Administrator Access Permissions AnalyticsRule Detects IAM Groups with Administrator Access Permissions. Solution
Palo Alto Prisma Cloud - Anomalous access key usage AnalyticsRule Detects anomalous API key usage activity. Solution
Palo Alto Prisma Cloud - High severity alert opened for several days AnalyticsRule Detects high severity alert which is opened for several days. Solution
Palo Alto Prisma Cloud - Network ACL allow ingress traffic to server administration ports AnalyticsRule Detects Network ACLs allow ingress traffic to server administration ports. Solution
Palo Alto Prisma Cloud CSPM (using Azure Function) DataConnector The Palo Alto Prisma Cloud CSPM data connector provides the capability to ingest Prisma Cloud CSPM alerts and audit logs into Microsoft sentinel using the Prisma Cloud CSPM API. Refer to Prisma Cloud CSPM API documentation for more information. Solution
Palo Alto Prisma Cloud - Top resources with alerts HuntingQuery Solution
Palo Alto Prisma Cloud - Top sources of failed logins HuntingQuery Solution
Palo Alto Prisma Cloud - High risk score opened alerts HuntingQuery Solution
Palo Alto Prisma Cloud - Opened alerts HuntingQuery Solution
Palo Alto Prisma Cloud - Top users by failed logins HuntingQuery Solution
Palo Alto Prisma Cloud - Updated resources HuntingQuery Solution
Palo Alto Prisma Cloud - High severity alerts HuntingQuery Solution
Palo Alto Prisma Cloud - Access keys used HuntingQuery Solution
Palo Alto Prisma Cloud - New users HuntingQuery Solution
PrismaCloudCSPMCustomConnector LogicAppsCustomConnector Solution
PaloAltoPrismaCloud Data Parser Parser Solution
Fetch Security Posture from Prisma Cloud Playbook This playbook provides/updates the compliance security posture details of the asset in the comments section of the triggered incident so that SOC analysts can directly take corrective measures to prevent the attack. Solution
Remediate assets on Prisma Cloud Playbook This playbook provides/updates the compliance security posture details of the asset in the comments section of the triggered incident so that SOC analysts can directly take corrective measures to prevent the attack. Solution
Palo Alto Prisma Workbook Sets the time name for analysis. Solution
PCI DSS Compliance This Solution enables Microsoft Sentinel users to harness the power of their SIEM to assist in meeting PCI-DSS 3.2.1 requirements. This Solution comes with pre-defined dashboards, visualizations, and reports, providing users with immediate insights into their PCI environment. Workbooks: 1 PCI DSS Compliance Workbook Choose your subscription and workspace in which PCI assets are deployed Solution
PingFederate The PingFederate solution provides the capability to ingest PingFederate events into Microsoft Sentinel. Refer to PingFederate documentation for more information. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Agent-based log collection (CEF over Syslog) Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 11, Hunting Queries: 10 Ping Federate - New user SSO success login AnalyticsRule Detects new user SSO success login. Solution
Ping Federate - Forbidden country AnalyticsRule Detects requests from forbidden countries. Solution
Ping Federate - Password reset request from unexpected source IP address. AnalyticsRule Detects password reset requests from an unexpected source IP address. Solution
Ping Federate - Authentication from new IP. AnalyticsRule Detects authentication requests from new IP address. Solution
Ping Federate - Abnormal password resets for user AnalyticsRule Detects multiple password reset for user. Solution
Ping Federate - Unexpected country for user AnalyticsRule Detects requests for the same user from different countries within a short time. Solution
Ping Federate - OAuth old version AnalyticsRule Detects requests that use an outdated version of the OAuth protocol. Solution
Ping Federate - Unexpected authentication URL. AnalyticsRule Detects unexpected authentication URL. Solution
Ping Federate - Unusual mail domain. AnalyticsRule Detects unusual mail domain in authentication requests. Solution
Ping Federate - Abnormal password reset attempts AnalyticsRule Detects abnormal password reset attempts for user in short period of time. Solution
Ping Federate - SAML old version AnalyticsRule Detects requests that use an outdated version of the SAML protocol. Solution
PingFederate DataConnector The PingFederate data connector provides the capability to ingest PingFederate events into Microsoft Sentinel. Refer to PingFederate documentation for more information. Solution
Ping Federate - Authentication from unusual sources HuntingQuery Solution
Ping Federate - Password reset requests HuntingQuery Solution
Ping Federate - Requests from unusual countries HuntingQuery Solution
Ping Federate - Users who recently reset their password HuntingQuery Solution
Ping Federate - Rare source IP addresses HuntingQuery Solution
Ping Federate - New users HuntingQuery Solution
Ping Federate - Failed Authentication HuntingQuery Solution
Ping Federate - SAML subjects HuntingQuery Solution
Ping Federate - Top source IP addresses HuntingQuery Solution
Ping Federate - Authentication URLs HuntingQuery Solution
PingFederate Data Parser Parser Solution
PingFederate Workbook Sets the time name for analysis Solution
PostgreSQL The PostgreSQL solution provides the capability to ingest PostgreSQL events into Microsoft Sentinel. Refer to PostgreSQL documentation for more information. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Agent-based log collection from Windows and Linux machines Supported ASIM schema: Authentication Note: Please visit the ASIM Authentication repository and use the Deploy to Azure button to deploy the ASIM Authentication parsers to your Microsoft Sentinel workspace. Data Connectors: 1, Parsers: 1 PostgreSQL Events DataConnector PostgreSQL data connector provides the capability to ingest PostgreSQL events into Microsoft Sentinel. Refer to PostgreSQL documentation for more information. Solution
PostgreSQLEvent Parser Solution
Pulse Connect Secure The Pulse Connect Secure solution for Microsoft Sentinel enables you to ingest Pulse Connect Secure logs into Microsoft Sentinel. Underlying Microsoft Technologies used: This solution is dependent on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Agent-based log collection (Syslog) Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 2 PulseConnectSecure - Large Number of Distinct Failed User Logins AnalyticsRule This query identifies evidence of failed login attempts from a large number of distinct users on a Pulse Connect Secure VPN server Solution
PulseConnectSecure - Potential Brute Force Attempts AnalyticsRule This query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN server Solution
Pulse Connect Secure DataConnector The Pulse Connect Secure connector allows you to easily connect your Pulse Connect Secure logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigations. Integrating Pulse Connect Secure with Microsoft Sentinel provides more insight into your organization's network and improves your security operation capabilities. Solution
PulseConnectSecure Parser Solution
Pulse Connect Secure Workbook Gain insight into Pulse Secure VPN by analyzing, collecting and correlating vulnerability data. This workbook provides visibility into user VPN activities Solution
Qualys VM Knowledgebase The Qualys Vulnerability Management KB solution for Microsoft Sentinel enables you to ingest Qualys VM KB logs into Microsoft Sentinel. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor HTTP Data Collector API b. Azure Functions Data Connectors: 1, Parsers: 1 Qualys VM KnowledgeBase (using Azure Function) DataConnector The Qualys Vulnerability Management (VM) KnowledgeBase (KB) connector provides the capability to ingest the latest vulnerability data from the Qualys KB into Microsoft Sentinel. This data can be used to correlate and enrich vulnerability detections found by the Qualys Vulnerability Management (VM) data connector. Solution
QualysKB Parser Solution
InsightVM CloudAPI The Rapid7 Insight platform brings together Rapid7's library of vulnerability research, exploit knowledge, global attacker behavior, Internet-wide scanning data, exposure analytics, and real-time reporting to provide a fully available, scalable, and efficient way to collect your vulnerability data and turn it into answers. InsightVM leverages this platform for live vulnerability and endpoint analytics. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor HTTP Data Collector API b. Azure Functions Data Connectors: 1, Parsers: 2, Custom Azure Logic Apps Connectors: 1, Playbooks: 3 Rapid7 Insight Platform Vulnerability Management Reports (using Azure Functions) DataConnector The Rapid7 Insight VM Report data connector provides the capability to ingest scan reports and vulnerability data into Microsoft Sentinel through the REST API from the Rapid7 Insight platform (managed in the cloud). Refer to API documentation for more information. The connector provides the ability to get events, which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more. Solution
LogicAppsCustomConnector Solution
InsightVMAssets Parser Solution
InsightVMVulnerabilities Parser Solution
Rapid7 Insight VM - Enrich incident with asset info Playbook Once a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Obtains IPs from the incident. 2. Searches asset ids by the IPs. 3. Gets assets information. 4. Adds obtained information as a comment to the incident. Solution
Rapid7 Insight VM - Enrich vulnerability info Playbook Once a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Obtains IPs from the incident. 2. Searches asset ids by the IPs. 3. Gets vulnerability ids. 4. Gets vulnerability information. 5. Adds obtained information as a comment to the incident. Solution
Rapid7 Insight VM - Run scan Playbook Once a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Obtains IPs from the incident. 2. Searches asset ids by the IPs. 3. Obtains a list of scan engines. 4. Sends an adaptive card to the Teams channel where the user can choose an action to be taken. 5. Runs scans for selected IPs using chosen scan engines. 6. Adds information about launched scans as a comment to the incident. Solution
RiskIQ Illuminate RiskIQ Illuminate is a complete security intelligence offering, blending attack surface visibility with detailed threat intelligence. With RiskIQ Illuminate, security teams will accelerate their investigations, increase their visibility, respond more effectively to threats, and maximize the impact of their existing security solutions. Playbooks: 27 RiskIQ-Automated-Triage-Alert Playbook This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Indicators from an incident will be evaluated with RiskIQ reputation data. If any indicators are labeled as 'suspicious', the incident will be tagged as such and its severity will be marked as 'medium'. If any indicators are labeled as 'malicious', the incident will be tagged as such and its severity will be marked as 'high'. Regardless of the reputation state, comments will be added to the incident outlining the reputation details with links to further information if applicable. Solution
RiskIQ-Automated-Triage-Incident Playbook This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Indicators from an incident will be evaluated with RiskIQ reputation data. If any indicators are labeled as 'suspicious', the incident will be tagged as such and its severity will be marked as 'medium'. If any indicators are labeled as 'malicious', the incident will be tagged as such and its severity will be marked as 'high'. Regardless of the reputation state, comments will be added to the incident outlining the reputation details with links to further information if applicable. Solution
RiskIQ-Base Playbook This playbook creates a shared API Connection for all RiskIQ playbooks to leverage. This eases the configuration process for a user during deployment of the RiskIQ solution. In time, this base playbook may be extended to set more functionality. You will need your API credentials (email/secret) when configuring this playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the 'organization' credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com). Solution
RiskIQ-Data-PassiveDns-Domain Playbook This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Passive DNS provides analysts with a means to see DNS data in a historic manner. This history can aid in creating analytical connections, especially if the operational security of a threat actor is poor. Leverage this playbook in order to enrich your incidents with raw passive DNS data related to indicators found within the incident. Solution
RiskIQ-Data-PassiveDns-Ip Playbook This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Passive DNS provides analysts with a means to see DNS data in a historic manner. This history can aid in creating analytical connections, especially if the operational security of a threat actor is poor. Leverage this playbook in order to enrich your incidents with raw passive DNS data related to indicators found within the incident. Solution
RiskIQ-Data-PassiveDns Playbook This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Passive DNS provides analysts with a means to see DNS data in a historic manner. This history can aid in creating analytical connections, especially if the operational security of a threat actor is poor. Leverage this playbook in order to enrich your incidents with raw passive DNS data related to indicators found within the incident. Solution
RiskIQ Data Summary Alert Playbook This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. The RiskIQ summary data will provide analysts with an understanding of what RiskIQ knows about a given indicator extracted from the incident in the form of result counts with corresponding data sets. Each data set will be linked, making it easy for an analyst to one-click pivot into a deeper investigation. Solution
RiskIQ-Data-Summary-Domain-alert Playbook This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. The RiskIQ summary data will provide analysts with an understanding of what RiskIQ knows about a given indicator extracted from the incident in the form of result counts with corresponding data sets. Each data set will be linked, making it easy for an analyst to one-click pivot into a deeper investigation. Solution
RiskIQ-Data-Summary-Domain-incident Playbook This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. The RiskIQ summary data will provide analysts with an understanding of what RiskIQ knows about a given indicator extracted from the incident in the form of result counts with corresponding data sets. Each data set will be linked, making it easy for an analyst to one-click pivot into a deeper investigation. Solution
RiskIQ Data Summary Incident Playbook This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. The RiskIQ summary data will provide analysts with an understanding of what RiskIQ knows about a given indicator extracted from the incident in the form of result counts with corresponding data sets. Each data set will be linked, making it easy for an analyst to one-click pivot into a deeper investigation. Solution
RiskIQ-Data-Summary-Ip-Alert Playbook This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. The RiskIQ summary data will provide analysts with an understanding of what RiskIQ knows about a given indicator extracted from the incident in the form of result counts with corresponding data sets. Each data set will be linked, making it easy for an analyst to one-click pivot into a deeper investigation. Solution
RiskIQ-Data-Summary-Ip-Incident Playbook This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. The RiskIQ summary data will provide analysts with an understanding of what RiskIQ knows about a given indicator extracted from the incident in the form of result counts with corresponding data sets. Each data set will be linked, making it easy for an analyst to one-click pivot into a deeper investigation. Solution
RiskIQ-Data-Whois-Domain Playbook This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. WHOIS is akin to a phone book for the Internet; it reveals the owners behind domain registrations and IP address hosting. Analysts can leverage WHOIS, both active and historic, in order to identify analytical leads. This data can sometimes reveal the threat actor behind a given set of infrastructure or provide deeper context as to what else may be related. This playbook will query for WHOIS data from indicators contained within the incident and post the results in the form of a comment. Solution
RiskIQ-Data-Whois-Ip Playbook This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. WHOIS is akin to a phone book for the Internet; it reveals the owners behind domain registrations and IP address hosting. Analysts can leverage WHOIS, both active and historic, in order to identify analytical leads. This data can sometimes reveal the threat actor behind a given set of infrastructure or provide deeper context as to what else may be related. This playbook will query for WHOIS data from indicators contained within the incident and post the results in the form of a comment. Solution
RiskIQ-Data-Whois Playbook This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. WHOIS is akin to a phone book for the Internet; it reveals the owners behind domain registrations and IP address hosting. Analysts can leverage WHOIS, both active and historic, in order to identify analytical leads. This data can sometimes reveal the threat actor behind a given set of infrastructure or provide deeper context as to what else may be related. This playbook will query for WHOIS data from indicators contained within the incident and post the results in the form of a comment. Solution
RiskIQ-Intel-Reputation-Alert Playbook This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Reputation information provides analysts with a decision as to whether an indicator is considered benign, suspicious or malicious. Analysts can leverage this playbook in order to enrich indicators found within an incident. Each reputation result is contained within a comment and will include detailed scoring information noting why a given indicator is considered suspicious or malicious, with links back to the RiskIQ platform for more information. Solution
RiskIQ-Intel-Reputation-Domain-Alert Playbook This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Reputation information provides analysts with a decision as to whether an indicator is considered benign, suspicious or malicious. Analysts can leverage this playbook in order to enrich indicators found within an incident. Each reputation result is contained within a comment and will include detailed scoring information noting why a given indicator is considered suspicious or malicious, with links back to the RiskIQ platform for more information. Solution
RiskIQ-Intel-Reputation-Domain-Incident Playbook This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Reputation information provides analysts with a decision as to whether an indicator is considered benign, suspicious or malicious. Analysts can leverage this playbook in order to enrich indicators found within an incident. Each reputation result is contained within a comment and will include detailed scoring information noting why a given indicator is considered suspicious or malicious, with links back to the RiskIQ platform for more information. Solution
RiskIQ-Intel-Reputation-Incident Playbook This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Reputation information provides analysts with a decision as to whether an indicator is considered benign, suspicious or malicious. Analysts can leverage this playbook in order to enrich indicators found within an incident. Each reputation result is contained within a comment and will include detailed scoring information noting why a given indicator is considered suspicious or malicious, with links back to the RiskIQ platform for more information. Solution
RiskIQ-Intel-Reputation-Ip-Alert Playbook This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Reputation information provides analysts with a decision as to whether an indicator is considered benign, suspicious or malicious. Analysts can leverage this playbook in order to enrich indicators found within an incident. Each reputation result is contained within a comment and will include detailed scoring information noting why a given indicator is considered suspicious or malicious, with links back to the RiskIQ platform for more information. Solution
RiskIQ-Intel-Reputation-Ip-Incident Playbook This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Reputation information provides analysts with a decision as to whether an indicator is considered benign, suspicious or malicious. Analysts can leverage this playbook in order to enrich indicators found within an incident. Each reputation result is contained within a comment and will include detailed scoring information noting why a given indicator is considered suspicious or malicious, with links back to the RiskIQ platform for more information. Solution
RiskIQ-Intel-Summary-Alert Playbook This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. RiskIQ intelligence provides analysts with deeper context around vulnerabilities, threat actors, their campaigns or other noteworthy context found from analyzing the Internet. Analysts can leverage this playbook to add context to indicators found within incidents. Each comment added to the incident will link to a more detailed intelligence card from RiskIQ. Solution
RiskIQ-Intel-Summary-Domain-Alert Playbook This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. RiskIQ intelligence provides analysts with deeper context around vulnerabilities, threat actors, their campaigns or other noteworthy context found from analyzing the Internet. Analysts can leverage this playbook to add context to indicators found within incidents. Each comment added to the incident will link to a more detailed intelligence card from RiskIQ. Solution
RiskIQ-Intel-Summary-Domain-Incident Playbook This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. RiskIQ intelligence provides analysts with deeper context around vulnerabilities, threat actors, their campaigns or other noteworthy context found from analyzing the Internet. Analysts can leverage this playbook to add context to indicators found within incidents. Each comment added to the incident will link to a more detailed intelligence card from RiskIQ. Solution
RiskIQ-Intel-Summary-Incident Playbook This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. RiskIQ intelligence provides analysts with deeper context around vulnerabilities, threat actors, their campaigns or other noteworthy context found from analyzing the Internet. Analysts can leverage this playbook to add context to indicators found within incidents. Each comment added to the incident will link to a more detailed intelligence card from RiskIQ. Solution
RiskIQ-Intel-Summary-Ip-Alert Playbook This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. RiskIQ intelligence provides analysts with deeper context around vulnerabilities, threat actors, their campaigns or other noteworthy context found from analyzing the Internet. Analysts can leverage this playbook to add context to indicators found within incidents. Each comment added to the incident will link to a more detailed intelligence card from RiskIQ. Solution
RiskIQ-Intel-Summary-Ip-Incident Playbook This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. RiskIQ intelligence provides analysts with deeper context around vulnerabilities, threat actors, their campaigns or other noteworthy context found from analyzing the Internet. Analysts can leverage this playbook to add context to indicators found within incidents. Each comment added to the incident will link to a more detailed intelligence card from RiskIQ. Solution
Salesforce Service Cloud The Salesforce Service Cloud solution for Microsoft Sentinel enables you to ingest Service Cloud events into Microsoft Sentinel. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor HTTP Data Collector API b. Azure Functions Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 3 User Sign in from different countries AnalyticsRule This query searches for successful user logins from different countries within 30 minutes. Solution
Brute force attack against user credentials AnalyticsRule Identifies evidence of brute force activity against a user based on multiple authentication failures and at least one successful authentication within a given time window. This query limits IPAddresses to 100 and so may not cover all IPAddresses. The default failure threshold is 10, the success threshold is 1, and the default time window is 20 minutes. Solution
Potential Password Spray Attack AnalyticsRule This query searches for failed attempts to log in from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack. Solution
Salesforce Service Cloud (using Azure Function) DataConnector The Salesforce Service Cloud data connector provides the capability to ingest information about your Salesforce operational events into Microsoft Sentinel through the REST API. The connector provides the ability to review events in your org on an accelerated basis and to get event log files in hourly increments for recent activity. Solution
SalesforceServiceCloud Parser Solution
Salesforce Service Cloud Workbook Sets the time name for analysis. Solution
RSA SecurID The RSA® SecurID Authentication Manager data connector provides the capability to ingest RSA® SecurID Authentication Manager events into Microsoft Sentinel. Refer to RSA® SecurID Authentication Manager documentation for more information. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Agent-based log collection (Syslog) Data Connectors: 1, Parsers: 1 RSA® SecurID (Authentication Manager) DataConnector The RSA® SecurID Authentication Manager data connector provides the capability to ingest RSA® SecurID Authentication Manager events into Microsoft Sentinel. Refer to RSA® SecurID Authentication Manager documentation for more information. Solution
RSASecurIDAMEvent Parser Solution
Windows Security Events The Windows Security Events solution for Microsoft Sentinel allows you to ingest Security events from your Windows machines using the Windows Agent into Microsoft Sentinel. This solution includes two (2) data connectors to help ingest the logs. Windows Security Events via AMA - This data connector helps in ingesting Security Events logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector. Security Events via Legacy Agent - This data connector helps in ingesting Security Events logs into your Log Analytics Workspace using the legacy Log Analytics agent. NOTE: Microsoft recommends installation of the Windows Security Events via AMA Connector. The legacy connector uses the Log Analytics agent, which is about to be deprecated on Aug 31, 2024, and thus should only be installed where AMA is not supported. Data Connectors: 2, Workbooks: 2, Analytic Rules: 20, Hunting Queries: 43 New EXE deployed via Default Domain or Default Domain Controller Policies AnalyticsRule This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files. A threat actor may use these policies to deploy files or scripts to all hosts in a domain. Solution
Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task AnalyticsRule This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled Task. Solution
Excessive Windows Logon Failures AnalyticsRule This query identifies user accounts which have over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days. Solution
Starting or Stopping HealthService to Avoid Detection AnalyticsRule This query detects events where an actor is stopping or starting HealthService to disable telemetry collection/detection from the agent. The query requires a SACL to audit for access request to the service. Solution
Process Execution Frequency Anomaly AnalyticsRule This detection identifies an anomalous spike in the frequency of executions of sensitive processes which are often leveraged as attack vectors. The query leverages KQL's built-in anomaly detection algorithms to find large deviations from baseline patterns. Sudden increases in execution frequency of sensitive processes should be further investigated for malicious activity. Tune the values from 1.5 to 3 in series_decompose_anomalies for further outliers or based on custom threshold values for score. Solution
AD FS Remote Auth Sync Connection AnalyticsRule This detection uses Security events from the "AD FS Auditing" provider to detect suspicious authentication events on an AD FS server. The results then get correlated with events from the Windows Filtering Platform (WFP) to detect suspicious incoming network traffic on port 80 on the AD FS server. This could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract sensitive information such as AD FS certificates. In order to use this query you need to enable AD FS auditing on the AD FS Server. References: https://docs.microsoft.com/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging https://twitter.com/OTR_Community/status/1387038995016732672 Solution
NRT Security Event log cleared AnalyticsRule Checks for event id 1102 which indicates the security event log was cleared. It uses Event Source Name "Microsoft-Windows-Eventlog" to avoid generating false positives from other sources, like AD FS servers for instance. Solution
Potential Fodhelper UAC Bypass AnalyticsRule This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required. Solution
AD user enabled and password not set within 48 hours AnalyticsRule Identifies when an account is enabled with a default password and the password is not set by the user within 48 hours. Effectively, there is an event 4722 indicating an account was enabled and within 48 hours, no event 4723 occurs which indicates there was no attempt by the user to set the password. This will show any attempts (success or fail) that occur after 48 hours, which can indicate too long of a time period in setting the password to something that only the user knows. It is recommended that this time period is adjusted per your internal company policy. Solution
Scheduled Task Hide AnalyticsRule This query detects attempts by malware to hide the scheduled task by deleting the SD (Security Descriptor) value. Removal of SD value results in the scheduled task disappearing from schtasks /query and Task Scheduler. The query requires auditing to be turned on for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree registry hive as well as audit policy for registry auditing to be turned on. Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/ Reference: https://4sysops.com/archives/audit-changes-in-the-windows-registry/ Solution
Potential re-named sdelete usage AnalyticsRule This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host's C drive. A threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host. Solution
NRT Process executed from binary hidden in Base64 encoded file AnalyticsRule Encoding malicious software is a technique used to obfuscate files from detection. The first CommandLine component is looking for Python decoding base64. The second CommandLine component is looking for Bash/sh command line base64 decoding. The third one is looking for Ruby decoding base64. Solution
AAD Local Device Join Information and Transport Key Registry Keys Access AnalyticsRule This detection uses Windows security events to detect suspicious access attempts by the same process to registry keys that provide information about an AAD joined or registered devices and Transport keys (tkpub / tkpriv). This information can be used to export the Device Certificate (dkpub / dkpriv) and Transport key (tkpub/tkpriv). These set of keys can be used to impersonate existing Azure AD joined devices. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable objects: HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin (AAD joined devices) HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WorkplaceJoin (AAD registered devices) HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Ngc\KeyTransportKey (Transport Key) Make sure you set the SACL to propagate to its sub-keys. You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml Reference: https://o365blog.com/post/deviceidentity/ Solution
Non Domain Controller Active Directory Replication AnalyticsRule This query detects potential attempts by non-computer accounts (non domain controllers) to retrieve/synchronize an active directory object leveraging directory replication services (DRS). A Domain Controller (computer account) would usually be performing these actions in a domain environment. Another detection rule can be created to cover domain controller accounts performing these actions at rare times. A domain user with privileged permissions to use directory replication services is rare. Ref: https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html Solution
NRT Base64 Encoded Windows Process Command-lines AnalyticsRule This detection identifies instances of a base64 encoded PE file header seen in the process command line parameter. Solution
SecurityEvent - Multiple authentication failures followed by a success AnalyticsRule Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication within a short time frame. Multiple failed attempts followed by a success can be an indication of a brute force attempt or possible mis-configuration of a service account within an environment. The lookback is set to 2h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum of 5 failures followed by a success for an account within 1 hour to surface an alert. Solution
AD FS Remote HTTP Network Connection AnalyticsRule This detection uses Sysmon events (NetworkConnect events) to detect incoming network traffic on port 80 on AD FS servers. This could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract sensitive information such as AD FS certificates. In order to use this query you need to enable Sysmon telemetry on the AD FS Server. Reference: https://twitter.com/OTR_Community/status/1387038995016732672 Solution
Sdelete deployed via GPO and run recursively AnalyticsRule This query looks for the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them. Solution
ADFS Database Named Pipe Connection AnalyticsRule This detection uses Sysmon telemetry to detect suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). In order to use this query you need to be collecting Sysmon EventID 18 (Pipe Connected). If you do not have Sysmon data in your workspace this query will raise an error stating: Failed to resolve scalar expression named "[@Name]" Solution
Exchange OAB Virtual Directory Attribute Containing Potential Webshell AnalyticsRule This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065. This query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services where the new objects contain potential webshell objects. Ref: https://aka.ms/ExchangeVulns Solution
Security Events via Legacy Agent DataConnector You can stream all security events from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. For more information, see the Microsoft Sentinel documentation. Solution
Windows Security Events via AMA DataConnector You can stream all security events from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. For more information, see the Microsoft Sentinel documentation. Solution
Entropy for Processes for a given Host HuntingQuery Solution
Least Common Processes by Command Line HuntingQuery Solution
Rare Process Path HuntingQuery Solution
Host Exporting Mailbox and Removing Export HuntingQuery Solution
Uncommon processes - bottom 5% HuntingQuery Solution
Cscript script daily summary breakdown HuntingQuery Solution
Least Common Parent And Child Process Pairs HuntingQuery Solution
User created by unauthorized user HuntingQuery Solution
New PowerShell scripts encoded on the commandline HuntingQuery Solution
New processes observed in last 24 hours HuntingQuery Solution
Hosts Running a Rare Process with Commandline HuntingQuery Solution
Suspected LSASS Dump HuntingQuery Solution
Crash dump disabled on host HuntingQuery Solution
Service installation from user writable directory HuntingQuery Solution
Summary of users created using uncommon/undocumented commandline switches HuntingQuery Solution
Masquerading files HuntingQuery Solution
Long lookback User Account Created and Deleted within 10mins HuntingQuery Solution
Hosts with new logons HuntingQuery Solution
Least Common Processes Including Folder Depth HuntingQuery Solution
Hosts Running a Rare Process HuntingQuery Solution
Nishang Reverse TCP Shell in Base64 HuntingQuery Solution
VIP account more than 6 failed logons in 10 HuntingQuery Solution
Exchange PowerShell Snapin Added HuntingQuery Solution
User Account added to Built in Domain Local or Global Group HuntingQuery Solution
Commands executed by WMI on new hosts - potential Impacket HuntingQuery Solution
Multiple Explicit Credential Usage - 4648 events HuntingQuery Solution
Windows System Time changed on hosts HuntingQuery Solution
Enumeration of users and groups HuntingQuery Solution
Invoke-PowerShellTcpOneLine Usage. HuntingQuery Solution
Decoy User Account Authentication Attempt HuntingQuery Solution
Rare Processes Run by Service Accounts HuntingQuery Solution
Powercat Download HuntingQuery Solution
Potential Exploitation of MS-RPRN printer bug HuntingQuery Solution
Group added to Built in Domain Local or Global Group HuntingQuery Solution
Summary of user logons by logon type HuntingQuery Solution
User account added or removed from a security group by an unauthorized user HuntingQuery Solution
PowerShell downloads HuntingQuery Solution
Suspicious Enumeration using Adfind Tool HuntingQuery Solution
Summary of failed user logons by reason of failure HuntingQuery Solution
Suspicious Windows Login Outside Normal Hours HuntingQuery Solution
Discord download invoked from cmd line HuntingQuery Solution
VIP account more than 6 failed logons in 10 HuntingQuery Solution
New Child Process of W3WP.exe HuntingQuery Solution
Event Analyzer Workbook The Event Analyzer workbook allows to explore, audit and speed up analysis of Windows Event Logs, including all event details and attributes, such as security, application, system, setup, directory service, DNS and others. Solution
Identity & Access Workbook Gain insights into Identity and access operations by collecting and analyzing security logs, using the audit and sign-in logs to gather insights into use of Microsoft products. You can view anomalies and trends across login events from all users and machines. This workbook also identifies suspicious entities from login and access events. Solution
Security Threat Essentials Note: Please refer to the following before installing the solution: Review the solution Release Notes. There may be known issues pertaining to this Solution. The Security Threat Essentials solution published by Microsoft is based on the continuous evaluation of threat campaigns and provides out-of-the-box security content that helps you to enhance your security posture. This solution leverages the following tables: • AuditLogs • AzureActivity • CommonSecurityLog • OfficeActivity • SigninLogs • VMConnection Analytic Rules: 7, Hunting Queries: 2 Threat Essentials - NRT User added to Azure Active Directory Privileged Groups AnalyticsRule This will alert when a user is added to any of the Privileged Groups. For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities. For Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles Solution
Possible AiTM Phishing Attempt Against Azure AD AnalyticsRule Threat actors may attempt to phish users in order to hijack a users sign-in session, and skip the authentication process even if the user had enabled multifactor authentication (MFA) by stealing and replaying stolen credentials and session cookies. This detection looks for successful Azure AD sign ins that had a high risk profile, indicating it had suspicious characteristics such as an unusual location, ISP, user agent, or use of anonymizer services. It then looks for a network connection to the IP address that made the sign in immediately before the sign in, that may indicate a user connecting to a phishing site at that IP address and having their authentication session hijacked. Ref: https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/ Solution
Threat Essentials - Multiple admin membership removals from newly created admin. AnalyticsRule This query detects when newly created Global admin removes multiple existing global admins which can be an attempt by adversaries to lock down organization and retain sole access. Investigate reasoning and intention of multiple membership removal by new Global admins and take necessary actions accordingly. Solution
Threat Essentials - User Assigned Privileged Role AnalyticsRule Identifies when a new privileged role is assigned to a user. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn't the responsibility of the account holder, investigate. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1 Solution
Threat Essentials - Time series anomaly for data size transferred to public internet AnalyticsRule Identifies anomalous data transfer to public networks. The query leverages built-in KQL anomaly detection algorithms that detect large deviations from a baseline pattern. A sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated. The higher the score, the further it is from the baseline value. The output is aggregated to provide a summary view of unique source IP to destination IP address and port bytes-sent traffic observed in the flagged anomaly hour. Source IP addresses which were sending less than bytessentperhourthreshold have been excluded; this value can be adjusted as needed. You may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious. Solution
Threat Essentials - Mail redirect via ExO transport rule AnalyticsRule Identifies when an Exchange Online transport rule is configured to forward emails. This could be an adversary mailbox configured to collect mail from multiple user accounts. Solution
Threat Essentials - Mass Cloud resource deletions Time Series Anomaly AnalyticsRule This query generates a baseline pattern of cloud resource deletions by a user and generates an anomaly when any unusual spike is detected. These anomalies from unusual or privileged users could be an indication of cloud infrastructure take-down by an adversary. Solution
Threat Essentials - Signins from Nord VPN Providers HuntingQuery Solution
Threat Essentials - Signins From VPS Providers HuntingQuery Solution
SentinelOne The SentinelOne solution provides the ability to bring SentinelOne events to your Microsoft Sentinel Workspace to inform and to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor HTTP Data Collector API b. Azure Functions Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 11, Hunting Queries: 10 Sentinel One - Admin login from new location AnalyticsRule Detects admin user login from new location (IP address). Solution
Sentinel One - Exclusion added AnalyticsRule Detects when new exclusion added. Solution
Sentinel One - Multiple alerts on host AnalyticsRule Detects when multiple alerts received from same host. Solution
Sentinel One - Agent uninstalled from multiple hosts AnalyticsRule Detects when agent was uninstalled from multiple hosts. Solution
Sentinel One - User viewed agent's passphrase AnalyticsRule Detects when a user viewed agent's passphrase. Solution
Sentinel One - Same custom rule triggered on different hosts AnalyticsRule Detects when same custom rule was triggered on different hosts. Solution
Sentinel One - Alert from custom rule AnalyticsRule Detects when alert from custom rule received. Solution
Sentinel One - Rule disabled AnalyticsRule Detects when a rule was disabled. Solution
Sentinel One - Blacklist hash deleted AnalyticsRule Detects when blacklist hash was deleted. Solution
Sentinel One - Rule deleted AnalyticsRule Detects when a rule was deleted. Solution
Sentinel One - New admin created AnalyticsRule Detects when new admin user is created. Solution
SentinelOne (using Azure Functions) DataConnector The SentinelOne data connector provides the capability to ingest common SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API. Refer to API documentation: https://.sentinelone.net/api-doc/overview for more information. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more. Solution
Sentinel One - Scanned hosts HuntingQuery Solution
Sentinel One - Agent status HuntingQuery Solution
Sentinel One - Users by alert count HuntingQuery Solution
Sentinel One - Alert triggers (files, processes, strings) HuntingQuery Solution
Sentinel One - Agent not updated HuntingQuery Solution
Sentinel One - Deleted rules HuntingQuery Solution
Sentinel One - New rules HuntingQuery Solution
Sentinel One - Sources by alert count HuntingQuery Solution
Sentinel One - Hosts not scanned recently HuntingQuery Solution
Sentinel One - Uninstalled agents HuntingQuery Solution
SentinelOne Parser Solution
SentinelOneWorkbook Workbook Sets the time name for analysis. Solution
Sentinel SOAR Essentials The Sentinel SOAR Essentials solution for Microsoft Sentinel contains Playbooks that can help you get started with basic notification and orchestration scenarios for common use cases. These include Playbooks for sending notifications over email and/or collaboration platforms such as MS Teams, Slack, etc.Playbooks: 12 CreateIncident-MicrosoftForm Playbook This playbook will create a new Microsoft Sentinel incident when Microsoft Forms response is submitted. Solution
CreateIncident-SharedMailbox Playbook This playbook will create a new Microsoft Sentinel incident when new email arrives to shared mailbox with 'incident' keyword in the subject. Solution
Sentinel_Incident_Assignment_Shifts Playbook This playbook will assign an Incident to an owner based on the Shifts schedule in Microsoft Teams. When an incident is assigned, the incident owner will be notified via email. Incidents are assigned to users based on the following criteria: *Only users who have started their shifts during the time the Logic App runs will be considered. *Users who still have at least 1 hour left before going off shift (can be configured in playbook). *The user with the least incidents assigned on the current Shift will be assigned the incident first. Refer to Automate Incident Assignment with Shifts for Teams for more details. Solution
M365D_BEC_Playbook_for_SecOps-Tasks Playbook This playbook adds Incident Tasks based on the Microsoft 365 Defender BEC Playbook for SecOps. This playbook will walk the analyst through four stages of responding to a BEC incident: containment, investigation, remediation and prevention. The step-by-step instructions will help you take the required remedial action to protect information and minimize further risks. Solution
M365D_Phishing_Playbook_for_SecOps-Tasks Playbook This playbook adds Incident Tasks based on the Microsoft 365 Defender Phishing Playbook for SecOps. This playbook will walk the analyst through four stages of responding to a phishing incident: containment, investigation, remediation and prevention. The step-by-step instructions will help you take the required remedial action to protect information and minimize further risks. Solution
M365D_Ransomware_Playbook_for_SecOps-Tasks Playbook This playbook adds Incident Tasks based on the Microsoft 365 Defender Ransomware Playbook for SecOps. This playbook will walk the analyst through four stages of responding to a ransomware incident: containment, investigation, eradication and recovery, and prevention. The step-by-step instructions will help you take the required remedial action to protect information and minimize further risks. Solution
Notify-IncidentClosed Playbook This playbook uses the new update trigger to notify a person/group on Microsoft Teams/Outlook when an incident is closed. Solution
Notify-IncidentReopened Playbook This playbook uses the new update trigger to notify a person/group on Microsoft Teams/Outlook when an incident is reopened. Solution
Notify-IncidentSeverityChanged Playbook This playbook uses the new update trigger to notify a person/group on Microsoft Teams/Outlook when an incident's severity changes. Solution
updatetrigger-notifyOwner Playbook This playbook sends a Teams message to the new incident owner. Solution
PostMessageSlack-OnAlert Playbook This playbook will post a message in a Slack channel when an alert is created in Microsoft Sentinel Solution
PostMessageSlack Playbook This playbook will post a message in a Slack channel when an Incident is created in Microsoft Sentinel Solution
PostMessageTeams-OnAlert Playbook This playbook will post a message in a Microsoft Teams channel when an Alert is created in Microsoft Sentinel. Solution
PostMessageTeams Playbook This playbook will post a message in a Microsoft Teams channel when an Incident is created in Microsoft Sentinel. Solution
relateAlertsToIncident-basedOnIP Playbook This playbook looks for other alerts with the same IP as the triggered incident. When such an alert is found, this playbook will add the alert to the incident (only if it isn't related to another incident). Solution
Send-basic-email Playbook This playbook will send an email with basic incident details (Incident title, severity, tactics, link,…) when an incident is created in Microsoft Sentinel. Solution
Send-email-with-formatted-incident-report Playbook This playbook will send an email with a formatted incident report (Incident title, severity, tactics, link,…) when an incident is created in Microsoft Sentinel. The email notification is made in HTML. Solution
Send-Teams-adaptive-card-on-incident-creation Playbook This playbook will send Microsoft Teams Adaptive Card on incident creation, with the option to change the incident's severity and/or status. Solution
Automation health Workbook Have a holistic overview of your automation health, gain insights about failures, correlate Microsoft Sentinel health with Logic Apps diagnostics logs and deep dive automation details per incident Solution
Incident overview Workbook The Incident Overview workbook is designed to assist in triaging and investigation by providing in-depth information about the incident, including: * General information * Entity data * Triage time (time between incident creation and first response) * Mitigation time (time between incident creation and closing) * Comments Customize this workbook by saving and editing it. You can reach this workbook template from the incidents panel as well. Once you have customized it, the link from the incident panel will open the customized workbook instead of the template. Solution
Incident Tasks Workbook Workbook Use this workbook to review and modify existing incidents with tasks. This workbook provides views that highlight incident tasks that are open, closed, or deleted, as well as incidents with tasks that are either owned or unassigned. The workbook also provides SOC metrics around incident task performance, such as percentage of incidents without tasks, average time to close tasks, and more. Solution
Security Operations Efficiency Workbook Security operations center managers can view overall efficiency metrics and measures regarding the performance of their team. They can find operations by multiple indicators over time including severity, MITRE tactics, mean time to triage, mean time to resolve and more. The SOC manager can develop a picture of the performance in both general and specific areas over time and use it to improve efficiency. Solution
Azure Service Bus The Azure Service Bus solution for Microsoft Sentinel enables you to ingest Azure Service Bus diagnostics logs using Diagnostic Settings into Microsoft Sentinel. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor Resource Diagnostics Data Connectors: 1 Azure Service Bus DataConnector Azure Service Bus is a fully managed enterprise message broker with message queues and publish-subscribe topics (in a namespace). This connector lets you stream your Azure Service Bus diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity. Solution
ServiceNow The ServiceNow ITSM solution for Microsoft Sentinel makes it easy to synchronize incidents between Microsoft Sentinel and ServiceNow IT Service Management (ITSM). This can be achieved by either one of the following two options - Option 1 (Recommended): Bi-directional incident sync using the app hosted on the ServiceNow store. This option includes the following key features: • Retrieve Microsoft Sentinel incidents and automate the creation of incidents in ServiceNow. • Bi-directional sync of Status, Severity, Owner, Comments/Work notes, Entities and alerts. • Details of alerts and entities added to Work Notes, to improve analyst experience. • Filtering of Microsoft Sentinel incidents, based on tags or custom filters. • Support of multiple workspaces, with different incident filters. • Support of any incident custom table, status or severity fields. Please note that this option doesn't require installation of a content hub solution and will need to be installed and managed from the ServiceNow store. Refer to ServiceNow Store for details on how to use this option. Option 2: Unidirectional sync from Microsoft Sentinel to ServiceNow. Install this solution that includes Microsoft Sentinel playbooks to help create, update (incident comments) and close incidents in ServiceNow when a corresponding incident is created, updated or closed in Microsoft Sentinel. Playbooks: 3 Create SNOW record - Alert trigger Playbook This playbook will open a Service Now incident when a new incident is opened in Microsoft Sentinel. Solution
Create SNOW record - Incident trigger Playbook This playbook will open a Service Now incident when a new incident is opened in Microsoft Sentinel. Solution
Create And Update Service Now Record Playbook This playbook will create or update an incident in SNOW. When an incident is created, the playbook will run and create the incident in SNOW. When the incident is updated, the playbook will run and add the update to the comment section. When the incident is closed, the playbook will run and close the incident in SNOW. Solution
Shodan Shodan is the search engine for Internet-connected devices. Discover how Internet intelligence can help you make better decisions. Its Beyond The Web platform helps to discover everything from power plants, mobile phones, refrigerators and Minecraft servers. Integrating this solution with Sentinel will help enrich IoT incidents using Shodan's search engine. Custom Azure Logic Apps Connectors: 1, Playbooks: 3 ShodanCustomConnector LogicAppsCustomConnector Solution
Shodan-EnrichDomain-EntityTrigger Playbook This playbook can be triggered manually from a Domain Entity context to fetch geo location and running services details from Shodan.io. Solution
Shodan-EnrichIP-EntityTrigger Playbook This playbook can be triggered manually from an IP Address Entity context to fetch geo location and running services details from Shodan.io. Solution
Shodan-EnrichIPAndDomain Playbook When a new sentinel incident is created, this playbook gets triggered and fetches geo location and running services details for IP addresses and domain names from Shodan.io. Solution
Slack Audit The Slack Audit solution connector provides the capability to ingest Slack Audit Records events into Microsoft Sentinel through the REST API. Refer to API documentation for more information. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor HTTP Data Collector API b. Azure Functions Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 9, Hunting Queries: 10 SlackAudit - Empty User Agent AnalyticsRule This query shows connections to the Slack Workspace with an empty User Agent. Solution
SlackAudit - Suspicious file downloaded. AnalyticsRule Detects potentially suspicious downloads. Solution
SlackAudit - Public link created for file which can contain sensitive information. AnalyticsRule Detects public links for files which potentially may contain sensitive data such as passwords, authentication tokens, secret keys. Solution
SlackAudit - Unknown User Agent AnalyticsRule This query helps to detect who is trying to connect to the Slack Workspace with an unknown User Agent. Solution
SlackAudit - Multiple archived files uploaded in short period of time AnalyticsRule This query helps to detect when a user uploads multiple archived files in a short period of time. Solution
SlackAudit - Multiple failed logins for user AnalyticsRule This query helps to detect brute-forcing of a user account. Solution
SlackAudit - User email linked to account changed. AnalyticsRule Detects when user email linked to account changes. Solution
SlackAudit - User role changed to admin or owner AnalyticsRule This query helps to detect a change in the users role to admin or owner. Solution
SlackAudit - User login after deactivated. AnalyticsRule Detects when user email linked to account changes. Solution
Slack Audit (using Azure Function) DataConnector The Slack Audit data connector provides the capability to ingest Slack Audit Records events into Microsoft Sentinel through the REST API. Refer to API documentation for more information. The connector provides the ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more. Solution
SlackAudit - Suspicious files downloaded HuntingQuery Solution
SlackAudit - Downloaded files stats HuntingQuery Solution
SlackAudit - User Permission Changed HuntingQuery Solution
SlackAudit - User logins by IP HuntingQuery Solution
SlackAudit - Uploaded files stats HuntingQuery Solution
SlackAudit - Failed logins with unknown username HuntingQuery Solution
SlackAudit - Applications installed HuntingQuery Solution
SlackAudit - New User created HuntingQuery Solution
SlackAudit - Users joined channels without invites HuntingQuery Solution
SlackAudit - Deactivated users HuntingQuery Solution
SlackAudit Data Parser Parser Solution
SlackAudit Workbook Sets the time name for analysis Solution
Snowflake The Snowflake solution provides the capability to ingest Snowflake login logs and query logs into Microsoft Sentinel using the Snowflake Python Connector. Refer to Snowflake documentation for more information. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor HTTP Data Collector API, b. Azure Functions. Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10 Snowflake - Possible discovery activity AnalyticsRule Detects possible discovery activity. Solution
Snowflake - Abnormal query process time AnalyticsRule Detects a query with abnormal process time. Solution
Snowflake - Unusual query AnalyticsRule Detects unusual query. Solution
Snowflake - User granted admin privileges AnalyticsRule Detects when a user is assigned admin privileges. Solution
Snowflake - Multiple failed queries AnalyticsRule Detects multiple failed queries in a short timeframe. Solution
Snowflake - Possible privileges discovery activity AnalyticsRule Detects possible privileges discovery activity. Solution
Snowflake - Multiple login failures from single IP AnalyticsRule Detects multiple login failures from a single IP. Solution
Snowflake - Possible data destruction AnalyticsRule Detects possible data destruction. Solution
Snowflake - Multiple login failures by user AnalyticsRule Detects multiple login failures by user. Solution
Snowflake - Query on sensitive or restricted table AnalyticsRule Detects query on sensitive or restricted table. Solution
Snowflake (using Azure Function) DataConnector The Snowflake data connector provides the capability to ingest Snowflake login logs and query logs into Microsoft Sentinel using the Snowflake Python Connector. Refer to Snowflake documentation for more information. Solution
Snowflake - Deleted databases HuntingQuery Solution
Snowflake - Rarely used privileged users HuntingQuery Solution
Snowflake - Users' source IP addresses HuntingQuery Solution
Snowflake - Deleted tables HuntingQuery Solution
Snowflake - Privileged users' source IP addresses HuntingQuery Solution
Snowflake - Credit consuming queries HuntingQuery Solution
Snowflake - Time consuming queries HuntingQuery Solution
Snowflake - Unknown query type HuntingQuery Solution
Snowflake - Failed logins HuntingQuery Solution
Snowflake - Rarely used account HuntingQuery Solution
Snowflake Data Parser Parser Solution
Snowflake Workbook Sets the time name for analysis Solution
SOC Process Framework Important: This Microsoft Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews. This Solution contains all resources for the SOC Process Framework Microsoft Sentinel Solution. The SOC Process Framework Solution is built in order to easily integrate with Microsoft Sentinel and build a standard SOC Process and Procedure Framework within your Organization. By deploying this solution, you'll be able to monitor progress within your SOC Operations and update the SOC CMMI Assessment Score. This solution consists of the following resources: Integrated workbooks interconnected into a single workbook for single pane of glass operation. One Playbook for pushing SOC Actions to your Incidents. Multiple Watchlists helping you maintain and organize your SOC efforts, including IR Planning, SOC CMMI Assessment Score, and many more. Workbooks: 7, Watchlists: 12, Playbooks: 1 Get SOC Actions Playbook This playbook uses the SOCRA Watchlist to automatically enrich incidents generated by Microsoft Sentinel with Actions to review and take. Actions will be evaluated per Customer Organization and edited/modified per their standards of conduct Solution
SOC Large Staff Workbook Built by Microsoft's Sentinel GBB's - This workbook contains years of SOC Best Practices and is intended to help SOCs mature and leverage industry standards in Operationalizing their SOC in using Microsoft Sentinel. It contains Processes and Procedures every SOC should consider and builds a high level of operational excellence. Solution
SOC Medium Staff Workbook Built by Microsoft's Sentinel GBB's - This workbook contains years of SOC Best Practices and is intended to help SOCs mature and leverage industry standards in Operationalizing their SOC in using Microsoft Sentinel. It contains Processes and Procedures every SOC should consider and builds a high level of operational excellence. Solution
SOC Part Time Staff Workbook Built by Microsoft's Sentinel GBB's - This workbook contains years of SOC Best Practices and is intended to help SOCs mature and leverage industry standards in Operationalizing their SOC in using Microsoft Sentinel. It contains Processes and Procedures every SOC should consider and builds a high level of operational excellence. Solution
SOC Small Staff Workbook Built by Microsoft's Sentinel GBB's - This workbook contains years of SOC Best Practices and is intended to help SOCs mature and leverage industry standards in Operationalizing their SOC in using Microsoft Sentinel. It contains Processes and Procedures every SOC should consider and builds a high level of operational excellence. Solution
SOC IR Planning Workbook Built by Microsoft's Sentinel GBB's - This workbook contains years of SOC Best Practices and is intended to help SOCs mature and leverage industry standards in Operationalizing their SOC in using Microsoft Sentinel. It contains Processes and Procedures every SOC should consider and builds a high level of operational excellence. Solution
SOC Process Framework Workbook Built by Microsoft's Sentinel GBB's - This workbook contains years of SOC Best Practices and is intended to help SOCs mature and leverage industry standards in Operationalizing their SOC in using Microsoft Sentinel. It contains Processes and Procedures every SOC should consider and builds a high level of operational excellence. Solution
Update SOC Maturity Score Workbook Built by Microsoft's Sentinel GBB's - This workbook contains years of SOC Best Practices and is intended to help SOCs mature and leverage industry standards in Operationalizing their SOC in using Microsoft Sentinel. It contains Processes and Procedures every SOC should consider and builds a high level of operational excellence. Solution
Sophos Endpoint Protection The Sophos Endpoint Protection solution provides the capability to ingest Sophos events into Microsoft Sentinel. Refer to Sophos Central Admin documentation for more information. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor HTTP Data Collector API, b. Azure Functions. Data Connectors: 1, Parsers: 1 Sophos Endpoint Protection (using Azure Function) DataConnector The Sophos Endpoint Protection data connector provides the capability to ingest Sophos events into Microsoft Sentinel. Refer to Sophos Central Admin documentation for more information. Solution
Sophos Endpoint Protection Data Parser Parser Solution
Sophos XG Firewall The Sophos XG Firewall solution for Microsoft Sentinel enables you to ingest Sophos XG Firewall logs into Microsoft Sentinel. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Agent-based log collection (Syslog). Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 2 Excessive Amount of Denied Connections from a Single Source AnalyticsRule This creates an incident in the event that a single source IP address generates an excessive amount of denied connections. Solution
Port Scan Detected AnalyticsRule This alert creates an incident when a source IP address attempts to communicate with a large number of distinct ports within a short period. Solution
Sophos XG Firewall DataConnector The Sophos XG Firewall allows you to easily connect your Sophos XG Firewall logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigations. Integrating Sophos XG Firewall with Microsoft Sentinel provides more visibility into your organization's firewall traffic and will enhance security monitoring capabilities. Solution
SophosXGFirewall Parser Solution
Sophos XG Firewall Workbook Gain insight into Sophos XG Firewall by analyzing, collecting and correlating firewall data. This workbook provides visibility into network traffic Solution
SquidProxy The Squid Proxy solution for Microsoft Sentinel enables you to ingest Squid Proxy logs into Microsoft Sentinel. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Agent based logs collection from Windows and Linux machines. Data Connectors: 1, Parsers: 1 Squid Proxy DataConnector The Squid Proxy connector allows you to easily connect your Squid Proxy logs with Microsoft Sentinel. This gives you more insight into your organization's network proxy traffic and improves your security operation capabilities. Solution
SquidProxy Parser Solution
Azure Stream Analytics The Azure Stream Analytics solution for Microsoft Sentinel enables you to ingest Azure Stream Analytics diagnostics logs using Diagnostic Settings into Microsoft Sentinel. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor Resource Diagnostics. Data Connectors: 1 Azure Stream Analytics DataConnector Azure Stream Analytics is a real-time analytics and complex event-processing engine that is designed to analyze and process high volumes of fast streaming data from multiple sources simultaneously. This connector lets you stream your Azure Stream Analytics hub diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity. Solution
Symantec Endpoint Protection The Symantec Endpoint Protection (SEP) solution allows you to easily connect your SEP logs with Microsoft Sentinel. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Agent-based log collection (Syslog). Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 2 Malware Detected AnalyticsRule Creates an incident when a Symantec Endpoint Protection agent detects malware and the malware was not cleaned. Solution
Excessive Blocked Traffic Events Generated by User AnalyticsRule Creates an incident when a Symantec Endpoint Protection agent detects excessive amounts of blocked traffic generated by a single user. Solution
Symantec Endpoint Protection DataConnector The Broadcom Symantec Endpoint Protection (SEP) connector allows you to easily connect your SEP logs with Microsoft Sentinel. This gives you more insight into your organization's network and improves your security operation capabilities. Solution
SymantecEndpointProtection Parser Solution
Symantec VIP The Symantec VIP solution for Microsoft Sentinel enables you to ingest Symantec VIP's authentication logs into Microsoft Sentinel. Underlying Microsoft Technologies used: This solution is dependent on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: Agent-based log collection (Syslog). Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 2 ClientDeniedAccess AnalyticsRule Creates an incident in the event a Client has an excessive amount of denied access requests. Solution
Excessive Failed Authentication from Invalid Inputs AnalyticsRule Creates an incident in the event that a user generates an excessive amount of failed authentications due to invalid inputs, an indication of a potential brute force attack. Solution
Symantec VIP DataConnector The Symantec VIP connector allows you to easily connect your Symantec VIP logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. Solution
SymantecVIP Parser Solution
Symantec VIP Workbook Gain insight into Symantec VIP by analyzing, collecting and correlating strong authentication data. This workbook provides visibility into user authentications Solution
Syslog The Syslog solution allows you to ingest events from applications or appliances that generate and can forward logs in the Syslog format to a Syslog Forwarder. The Agent for Linux is then able to forward these logs to the Log Analytics/Microsoft Sentinel workspace. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Agent based logs collection from Windows and Linux machines. Data Connectors: 1, Workbooks: 1, Analytic Rules: 5, Hunting Queries: 9 Squid proxy events related to mining pools AnalyticsRule Checks for Squid proxy events in Syslog associated with common mining pools. This query presumes the default Squid log format is being used. http://www.squid-cache.org/Doc/config/access_log/ Solution
Squid proxy events for ToR proxies AnalyticsRule Checks for Squid proxy events associated with common ToR proxies. This query presumes the default Squid log format is being used. http://www.squid-cache.org/Doc/config/access_log/ Solution
NRT Squid proxy events related to mining pools AnalyticsRule Checks for Squid proxy events in Syslog associated with common mining pools. This query presumes the default Squid log format is being used. http://www.squid-cache.org/Doc/config/access_log/ Solution
SSH - Potential Brute Force AnalyticsRule Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period. Please note that entity mapping for arrays is not supported, so when there is a single value in an array, we will pull that value from the array as a single string to populate the entity to support entity mapping features within Sentinel. Additionally, if the array is multivalued, we will input a string to indicate this with a unique hash so that matching will not occur. As an example - ComputerList is an array that we check for a single value and write that into the HostName field for use in the entity mapping within Sentinel. Solution
Failed logon attempts in authpriv AnalyticsRule Identifies failed logon attempts from unknown users in Syslog authpriv logs. An unknown user means the account that tried to log in isn't provisioned on the machine. A few hits could indicate someone attempting to access a machine they aren't authorized to access. If there are many hits, especially from outside your network, it could indicate a brute force attack. The default threshold for logon attempts is 15. Solution
Syslog DataConnector Syslog is an event logging protocol that is common to Linux. Applications will send messages that may be stored on the local machine or delivered to a Syslog collector. When the Agent for Linux is installed, it configures the local Syslog daemon to forward messages to the agent. The agent then sends the message to the workspace. For more information, see the Microsoft Sentinel documentation. Solution
Suspicious cryptocurrency mining related threat activity detected HuntingQuery Solution
SCX Execute RunAs Providers HuntingQuery Solution
Crypto currency miners EXECVE HuntingQuery Solution
Editing Linux scheduled tasks through Crontab HuntingQuery Solution
Squid commonly abused TLDs HuntingQuery Solution
Rare process running on a Linux host HuntingQuery Solution
Squid data volume timeseries anomalies HuntingQuery Solution
Linux scheduled task Aggregation HuntingQuery Solution
Squid malformed requests HuntingQuery Solution
Linux machines Workbook Gain insights into your workspaces' Linux machines by connecting Microsoft Sentinel and using the logs to gather insights around Linux events and errors. Solution
Microsoft Sysmon For Linux Sysmon for Linux provides detailed information about process creations, network connections and other system events. The Sysmon for Linux connector uses Syslog as its data ingestion method. This solution depends on ASIM to work as expected. Deploy ASIM to get the full value from the solution. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Agent-based log collection (Syslog). Data Connectors: 1 Microsoft Sysmon For Linux DataConnector Sysmon for Linux provides detailed information about process creations, network connections and other system events. [Sysmon for linux link:]. The Sysmon for Linux connector uses Syslog as its data ingestion method. This solution depends on ASIM to work as expected. Deploy ASIM to get the full value from the solution. Solution
TheHive TheHive solution provides the capability to ingest common TheHive events into Microsoft Sentinel through Webhooks. TheHive can notify external systems of modification events (case creation, alert update, task assignment) in real time. When a change occurs in TheHive, an HTTPS POST request with event information is sent to a callback data connector URL. Refer to Webhooks documentation for more information. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor HTTP Data Collector API, b. Azure Functions. Data Connectors: 1, Parsers: 1, Custom Azure Logic Apps Connectors: 1, Playbooks: 3 TheHive Project - TheHive (using Azure Function) DataConnector The TheHive data connector provides the capability to ingest common TheHive events into Microsoft Sentinel through Webhooks. TheHive can notify external systems of modification events (case creation, alert update, task assignment) in real time. When a change occurs in TheHive, an HTTPS POST request with event information is sent to a callback data connector URL. Refer to Webhooks documentation for more information. The connector provides the ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more. Solution
LogicAppsCustomConnector Solution
TheHive Data Parser Parser Solution
The Hive - Create alert Playbook Once a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Parses alert extended properties. 2. Parses alert custom details. 3. Creates alert in TheHive with description, source, sourceRef, title and type passed. Solution
The Hive - Create case Playbook Once a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Creates case in TheHive instance with enriched description and title. 2. Gets Hosts, IPs entities. 3. Creates task and bind it to case. 4. Creates observables with hosts and IPs for created case. Solution
The Hive - Lock user Playbook Once a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Parses alerts custom details 2. Locks Users by UserId or UserLogin passed from alert. Solution
Threat Intelligence The Threat Intelligence solution contains data connectors for import of threat indicators into Microsoft Sentinel, analytic rules for matching TI data with event data, a workbook, and hunting queries. Threat indicators can be malicious IPs, URLs, file hashes, domains, email addresses, etc. Data Connectors: 4, Workbooks: 1, Analytic Rules: 38, Hunting Queries: 5 TI map IP entity to AzureFirewall AnalyticsRule Identifies a match in AzureFirewall (NetworkRule & ApplicationRule Logs) from any IP IOC from TI Solution
TI Map URL Entity to PaloAlto Data AnalyticsRule This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in PaloAlto Data. Solution
TI Map IP Entity to AzureActivity AnalyticsRule This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in AzureActivity. Solution
TI map Email entity to SecurityEvent AnalyticsRule Identifies a match in SecurityEvent table from any Email IOC from TI Solution
TI map Email entity to SigninLogs AnalyticsRule Identifies a match in SigninLogs table from any Email IOC from TI Solution
TI Map URL Entity to OfficeActivity Data AnalyticsRule This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in OfficeActivity data. Solution
TI map Email entity to OfficeActivity AnalyticsRule Identifies a match in OfficeActivity table from any Email IOC from TI Solution
TI map Domain entity to Syslog AnalyticsRule Identifies a match in Syslog table from any Domain IOC from TI Solution
TI map IP entity to Azure Key Vault logs AnalyticsRule Identifies a match in Azure Key Vault logs from any IP IOC from TI Solution
TI map File Hash to CommonSecurityLog Event AnalyticsRule Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI Solution
TI Map IP Entity to W3CIISLog AnalyticsRule This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in W3CIISLog. Solution
TI Map IP Entity to CommonSecurityLog AnalyticsRule This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in CommonSecurityLog. Solution
(Preview) TI map IP entity to DNS Events (ASIM DNS schema) AnalyticsRule This rule identifies DNS requests for which response IP address is a known IoC. This analytic rule uses ASIM and supports any built-in or custom source that supports the ASIM DNS schema. Solution
TI Map IP Entity to DnsEvents AnalyticsRule This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in DnsEvents. Solution
TI Map URL Entity to AuditLogs AnalyticsRule This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in AuditLogs. Solution
TI map Domain entity to DnsEvents AnalyticsRule Identifies a match in DnsEvents from any Domain IOC from TI Solution
TI map Domain entity to SecurityAlert AnalyticsRule Identifies a match in SecurityAlert table from any Domain IOC from TI Solution
TI Map IP Entity to VMConnection AnalyticsRule This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in OfficeActivity. Solution
(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema) AnalyticsRule Identifies a match in DNS events from any Domain IOC from TI. This analytic rule uses ASIM and supports any built-in or custom source that supports the ASIM DNS schema. Solution
TI map Email entity to SecurityAlert AnalyticsRule Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others Solution
TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs) AnalyticsRule Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed Solution
TI map File Hash to Security Event AnalyticsRule Identifies a match in Security Event data from any File Hash IOC from TI Solution
TI map IP entity to GitHub_CL AnalyticsRule Identifies a match in GitHub_CL table from any IP IOC from TI Solution
(Preview) TI map Domain entity to Web Session Events (ASIM Web Session schema) AnalyticsRule This rule identifies Web Sessions for which the target URL hostname is a known IoC. This rule uses the Advanced Security Information Model (ASIM) and supports any web session source that complies with ASIM. Solution
TI Map URL Entity to Syslog Data AnalyticsRule This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in Syslog data. Solution
TI map Email entity to AzureActivity AnalyticsRule Identifies a match in AzureActivity table from any Email IOC from TI Solution
TI Map IP Entity to Azure SQL Security Audit Events AnalyticsRule This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SQL Security Audit Events. Solution
TI Map IP Entity to Duo Security AnalyticsRule This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in DuoSecurity. Solution
TI map Domain entity to CommonSecurityLog AnalyticsRule Identifies a match in CommonSecurityLog table from any Domain IOC from TI Solution
TI map IP entity to Network Session Events (ASIM Network Session schema) AnalyticsRule This rule identifies Network Sessions for which the source or destination IP address is a known IoC. This analytic rule uses ASIM and supports any built-in or custom source that supports the ASIM NetworkSession schema. Solution
(Preview) TI map IP entity to Web Session Events (ASIM Web Session schema) AnalyticsRule This rule identifies Web Sessions for which the source IP address is a known IoC. This rule uses the Advanced Security Information Model (ASIM) and supports any web session source that complies with ASIM. Solution
TI map Domain entity to PaloAlto AnalyticsRule Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI Solution
TI map IP entity to AWSCloudTrail AnalyticsRule Identifies a match in AWSCloudTrail from any IP IOC from TI Solution
TI map IP entity to OfficeActivity AnalyticsRule This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in OfficeActivity. Solution
TI Map IP Entity to SigninLogs AnalyticsRule This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SigninLogs. Solution
TI Map URL Entity to SecurityAlert Data AnalyticsRule This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in SecurityAlert data. Solution
TI map IP entity to AppServiceHTTPLogs AnalyticsRule Identifies a match in AppServiceHTTPLogs from any IP IOC from TI Solution
TI map Email entity to PaloAlto CommonSecurityLog AnalyticsRule Identifies a match in CommonSecurityLog table from any Email IOC from TI Solution
Microsoft Defender Threat Intelligence (Preview) DataConnector Microsoft Sentinel provides you the capability to import threat intelligence generated by Microsoft to enable monitoring, alerting and hunting. Use this data connector to import Indicators of Compromise (IOCs) from Microsoft Defender Threat Intelligence (MDTI) into Microsoft Sentinel. Threat indicators can include IP addresses, domains, URLs, and file hashes, etc. Solution
Threat Intelligence Platforms DataConnector Microsoft Sentinel integrates with Microsoft Graph Security API data sources to enable monitoring, alerting, and hunting using your threat intelligence. Use this connector to send threat indicators to Microsoft Sentinel from your Threat Intelligence Platform (TIP), such as Threat Connect, Palo Alto Networks MineMeld, MISP, or other integrated applications. Threat indicators can include IP addresses, domains, URLs, and file hashes. For more information, see the Microsoft Sentinel documentation. Solution
Threat intelligence - TAXII DataConnector Microsoft Sentinel integrates with TAXII 2.0 and 2.1 data sources to enable monitoring, alerting, and hunting using your threat intelligence. Use this connector to send threat indicators from TAXII servers to Microsoft Sentinel. Threat indicators can include IP addresses, domains, URLs, and file hashes. For more information, see the Microsoft Sentinel documentation. Solution
Threat Intelligence Upload Indicators API (Preview) DataConnector Microsoft Sentinel offers a data plane API to bring in threat intelligence from your Threat Intelligence Platform (TIP), such as Threat Connect, Palo Alto Networks MineMeld, MISP, or other integrated applications. Threat indicators can include IP addresses, domains, URLs, file hashes and email addresses. Solution
TI Map File Entity to VMConnection Event HuntingQuery Solution
TI Map File Entity to Syslog Event HuntingQuery Solution
TI Map File Entity to Security Event HuntingQuery Solution
TI Map File Entity to OfficeActivity Event HuntingQuery Solution
TI Map File Entity to WireData Event HuntingQuery Solution
Threat Intelligence Workbook Gain insights into threat indicators ingestion and search for indicators at scale across Microsoft 1st Party, 3rd Party, On-Premises, Hybrid, and Multi-Cloud Workloads. Indicators Search facilitates a simple interface for finding IP, File, Hash, Sender and more across your data. Seamless pivots to correlate indicators with Microsoft Sentinel: Incidents to make your threat intelligence actionable. Solution
ThreatX WAF The ThreatX solution for Microsoft Sentinel provides an automated approach for analysts to remediate attacks happening at the application level by blocking the suspicious IP and URL, and also empowers them to gather threat intelligence data for the malicious IP activity. This solution includes a SOAR Connector and Playbooks by which the analyst can automate security operations tasks. Custom Azure Logic Apps Connectors: 1, Playbooks: 2 ThreatX-WAFCustomConnector LogicAppsCustomConnector Solution
Block IP & URL on ThreatX-WAF cloud Playbook This playbook provides automation for blocking a suspicious/malicious IP and URL on the ThreatX cloud WAF Solution
Fetch Threat Intel from ThreatX Playbook This playbook provides/updates the threat intel and essential details in comments section of triggered incident so that SOC analysts can directly take corrective measure to stop the attack Solution
Trend Micro Apex One The Trend Micro Apex One solution for Microsoft Sentinel enables ingestion of Trend Micro Apex One events into Microsoft Sentinel. Refer to Trend Micro Apex Central for more information.Underlying Microsoft Technologies used:This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:a. Agent-based log collection (CEF over Syslog)Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10 ApexOne - C&C callback events AnalyticsRule Detects C&C callback events. Solution
ApexOne - Commands in Url AnalyticsRule Detects commands in Url. Solution
ApexOne - Suspicious commandline arguments AnalyticsRule Detects suspicious commandline arguments. Solution
ApexOne - Inbound remote access connection AnalyticsRule Detects inbound remote access connection. Solution
ApexOne - Attack Discovery Detection AnalyticsRule Detects Attack Discovery Detection events. Solution
ApexOne - Suspicious connections AnalyticsRule Detects suspicious connections. Solution
ApexOne - Device access permissions was changed AnalyticsRule Query shows that device access permissions were changed. Solution
ApexOne - Spyware with failed response AnalyticsRule Detects spyware with failed response. Solution
ApexOne - Multiple deny or terminate actions on single IP AnalyticsRule Detects multiple deny or terminate actions on single IP. Solution
ApexOne - Possible exploit or execute operation AnalyticsRule Detects possible exploit or execute operation. Solution
Trend Micro Apex One DataConnector The Trend Micro Apex One data connector provides the capability to ingest Trend Micro Apex One events into Microsoft Sentinel. Refer to Trend Micro Apex Central for more information. Solution
ApexOne - Behavior monitoring operations by users HuntingQuery Solution
ApexOne - Behavior monitoring triggered policy by command line HuntingQuery Solution
ApexOne - Channel type by users HuntingQuery Solution
ApexOne - Behavior monitoring event types by users HuntingQuery Solution
ApexOne - Spyware detection HuntingQuery Solution
ApexOne - Data loss prevention action by IP HuntingQuery Solution
ApexOne - Suspicious files events HuntingQuery Solution
ApexOne - Top sources with alerts HuntingQuery Solution
ApexOne - Behavior monitoring actions by files HuntingQuery Solution
ApexOne - Rare application protocols by IP address HuntingQuery Solution
Trend Micro Apex One Data Parser Parser Solution
Trend Micro Apex One Workbook Sets the time name for analysis. Solution
Ubiquiti UniFi The Ubiquiti UniFi solution provides the capability to ingest Ubiquiti UniFi firewall, DNS, SSH and AP events into Microsoft Sentinel.Underlying Microsoft Technologies used:This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:a. Agent based logs collection from Windows and Linux machinesData Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10 Ubiquiti - SSH from external source AnalyticsRule Detects remote to local (R2L) SSH connection to internal host. Solution
Ubiquiti - Unusual DNS connection AnalyticsRule Detects unusual remote to local (R2L) DNS connections. Solution
Ubiquiti - Unusual traffic AnalyticsRule Detects unusual traffic masking as HTTP(S). Solution
Ubiquiti - Large ICMP to external server AnalyticsRule Detects large ICMP packets to external host. Solution
Ubiquiti - Possible connection to cryptomining pool AnalyticsRule Detects connections which may indicate that a device is infected with a cryptominer. Solution
Ubiquiti - RDP from external source AnalyticsRule Detects remote to local (R2L) RDP connection. Solution
Ubiquiti - Unknown MAC Joined AP AnalyticsRule Detects when device with unseen MAC Address joined AP. Solution
Ubiquiti - Connection to known malicious IP or C2 AnalyticsRule Detects allowed connections to IP addresses which are in the TI list and are known to be malicious. Solution
Ubiquiti - Unusual FTP connection to external server AnalyticsRule Detects local to remote (L2R) FTP connections. Solution
Ubiquiti - connection to non-corporate DNS server AnalyticsRule Detects connections to non-corporate DNS servers. Solution
Ubiquiti UniFi (Preview) DataConnector The Ubiquiti UniFi data connector provides the capability to ingest Ubiquiti UniFi firewall, DNS, SSH and AP events into Microsoft Sentinel. Solution
Ubiquiti - Top blocked external services HuntingQuery Solution
Ubiquiti - DNS requests timed out HuntingQuery Solution
Ubiquiti - Hidden internal DNS server HuntingQuery Solution
Ubiquiti - Unusual number of subdomains for top level domain (TLD) HuntingQuery Solution
Ubiquiti - Top blocked destinations HuntingQuery Solution
Ubiquiti - Top firewall rules HuntingQuery Solution
Ubiquiti - Rare internal ports HuntingQuery Solution
Ubiquiti - Top blocked sources HuntingQuery Solution
Ubiquiti - Vulnerable devices HuntingQuery Solution
Ubiquiti - Top blocked internal services HuntingQuery Solution
Ubiquiti Data Parser Parser Solution
Ubiquiti UniFi Workbook Sets the time name for analysis Solution
UEBA Essentials The Sentinel UEBA content package will provide you with various queries based on UEBA tables that allow you to hunt for tailored threat scenarios. You'll be able to investigate and search for anomalous activities over UEBA's enriched data, and get inspired to customize queries according to your own use-cases.Important : Some of the queries that are part of this solution make use of Built-in Watchlist Templates and will not work unless the corresponding watchlist is created. Other queries may require changes to match your environment details.Hunting Queries: 23 Anomalies on users tagged as VIP HuntingQuery Solution
Anomalous AAD Account Creation HuntingQuery Solution
Anomalous update Key Vault activity by high blast radius user HuntingQuery Solution
Anomalous Password Reset HuntingQuery Solution
Anomalous Login to Devices HuntingQuery Solution
Anomalous Role Assignment HuntingQuery Solution
Anomalous connection from highly privileged user HuntingQuery Solution
Anomalous Failed Logon HuntingQuery Solution
Anomalous Resource Access HuntingQuery Solution
Dormant account activity from uncommon country HuntingQuery Solution
Anomalous AAD Account Manipulation HuntingQuery Solution
New account added to admin group HuntingQuery Solution
Anomalous Data Access HuntingQuery Solution
Anomalous action performed in tenant by privileged user HuntingQuery Solution
Anomalous Sign-in Activity HuntingQuery Solution
Anomalous Activity Role Assignment HuntingQuery Solution
Anomalous RDP Activity HuntingQuery Solution
Anomalous login activity originated from Botnet, Tor proxy or C2 HuntingQuery Solution
Activity from terminated employees after their termination date HuntingQuery Solution
Anomalous Geo Location Logon HuntingQuery Solution
Terminated employee accessing High Value Asset HuntingQuery Solution
Anomalous Code Execution HuntingQuery Solution
Anomalous Defensive Mechanism Modification HuntingQuery Solution
Microsoft Defender for IoT The Microsoft Defender for IoT solution for Microsoft Sentinel allows you to ingest Security alerts reported by Microsoft Defender for IoT when assessing your Internet of Things (IoT)/Operational Technology (OT) infrastructure.Underlying Microsoft Technologies used:This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:a. Codeless Connector Platform/Native Sentinel PollingData Connectors: 1, Workbooks: 1, Analytic Rules: 15, Playbooks: 8 Unauthorized remote access to the network (Microsoft Defender for IoT) AnalyticsRule This alert leverages Defender for IoT to detect unauthorized remote access to network devices. If another device on the network is compromised, target devices can be accessed remotely, increasing the attack surface. Solution
No traffic on Sensor Detected (Microsoft Defender for IoT) AnalyticsRule This alert leverages Defender for IoT to detect that a sensor can no longer detect the network traffic, which indicates that the system is potentially insecure. Solution
Multiple scans in the network (Microsoft Defender for IoT) AnalyticsRule This alert leverages Defender for IoT to detect multiple scans on the network indicating new devices, functionality, application misconfiguration, or malicious reconnaissance activity on the network. Solution
Suspicious malware found in the network (Microsoft Defender for IoT) AnalyticsRule This alert leverages Defender for IoT to detect IoT/OT malware found on the network indicating possible attempts to compromise production systems. Solution
Illegal Function Codes for ICS traffic (Microsoft Defender for IoT) AnalyticsRule This alert leverages Defender for IoT to detect illegal function codes in SCADA equipment indicating improper application configuration or malicious activity, such as using illegal values within a protocol to exploit a PLC vulnerability. Solution
Firmware Updates (Microsoft Defender for IoT) AnalyticsRule This alert leverages Defender for IoT to detect unauthorized firmware updates that may indicate malicious activity on the network such as a cyber threat that attempts to manipulate PLC firmware to compromise PLC function. Solution
Internet Access (Microsoft Defender for IoT) AnalyticsRule This alert leverages Defender for IoT to detect an OT device communicating with Internet which is possibly an indication of improper configuration of an application or malicious activity on the network. Solution
PLC Stop Command (Microsoft Defender for IoT) AnalyticsRule This alert leverages Defender for IoT to detect PLC stop commands which could indicate improper configuration or malicious activity on the network such as a threat manipulating PLC programming to affect the function of the network. Solution
Unauthorized PLC changes (Microsoft Defender for IoT) AnalyticsRule This alert leverages Defender for IoT to detect unauthorized changes to PLC ladder logic code indicating new functionality in the PLC, improper configuration of an application, or malicious activity on the network. Solution
Unauthorized DHCP configuration in the network (Microsoft Defender for IoT) AnalyticsRule This alert leverages Defender for IoT to detect an unauthorized DHCP configuration indicating a possible unauthorized device configuration. Solution
High bandwidth in the network (Microsoft Defender for IoT) AnalyticsRule This alert leverages Defender for IoT to detect an unusually high bandwidth which may be an indication of a new service/process or malicious activity on the network. An example scenario is a cyber threat attempting to manipulate the SCADA network. Solution
Denial of Service (Microsoft Defender for IoT) AnalyticsRule This alert leverages Defender for IoT to detect attacks that would prevent the use or proper operation of a DCS system including Denial of Service events. Solution
Unauthorized device in the network (Microsoft Defender for IoT) AnalyticsRule This alert leverages Defender for IoT to detect a new device indicating a legitimate device recently installed on the network or an indication of malicious activity such as a cyber threat attempting to manipulate the SCADA network. Solution
Excessive Login Attempts (Microsoft Defender for IoT) AnalyticsRule This alert leverages Defender for IoT to detect excessive login attempts that may indicate improper service configuration, human error, or malicious activity on the network such as a cyber threat attempting to manipulate the SCADA network. Solution
PLC unsecure key state (Microsoft Defender for IoT) AnalyticsRule This alert leverages Defender for IoT to detect PLC operating mode changes indicating the PLC is potentially insecure. If the PLC is compromised, devices that interact with it may be impacted. This may affect overall system security and safety. Solution
Microsoft Defender for IoT DataConnector Gain insights into your IoT security by connecting Microsoft Defender for IoT alerts to Microsoft Sentinel. You can get out-of-the-box alert metrics and data, including alert trends, top alerts, and alert breakdown by severity. You can also get information about the recommendations provided for your IoT hubs including top recommendations and recommendations by severity. For more information, see the Microsoft Sentinel documentation. Solution
AD4IoT-AutoAlertStatusSync Playbook This playbook updates alert statuses in Defender for IoT whenever a related alert in Microsoft Sentinel has a Status update. Solution
AD4IoT-AutoCloseIncidents Playbook In some cases, maintenance activities generate alerts in Sentinel which distract the SOC team from handling the real problems. This playbook allows you to input the time period in which the maintenance is expected and the asset IPs (Excel file can be found). The playbook requires a watchlist which includes all the IP addresses of the assets on which alerts will be handled automatically. This playbook explicitly parses the IoT device entity fields. For more information, see AD4IoT-AutoCloseIncidents Solution
AD4IoT-AutoTriageIncident Playbook SOC and OT engineers can streamline their workflows using the playbook, which automatically updates the incident severity based on the devices involved in the incident and their importance. Solution
AD4IoT-CVEAutoWorkflow Playbook The playbook automates the SOC workflow by automatically enriching incident comments with the CVEs of the involved devices based on Defender for IoT data. An automated triage is performed if the CVE is critical, and the asset owner is automatically notified by email. Solution
AD4IoT-MailByProductionLine Playbook The following playbook will send mail to notify specific stakeholders. One example can be the case of a specific security team per product line or per physical location. This playbook requires a watchlist which maps between the sensor names and the mail addresses of the alert stakeholders. For more information, see AD4IoT-MailbyProductionLine Solution
AD4IoT-NewAssetServiceNowTicket Playbook Normally, the authorized entity to program a PLC is the Engineering Workstation; to program a PLC, attackers might create a new Engineering Workstation to create malicious programming. The following playbook will open a ticket in ServiceNow each time a new Engineering Workstation is detected. This playbook explicitly parses the IoT device entity fields. For more information, see AD4IoT-NewAssetServiceNowTicket Solution
AD4IoT-SendEmailtoIoTOwner Playbook The playbook automates the SOC workflow by automatically emailing the incident details to the right IoT/OT device owner (based on the Defender for IoT definition) and allowing them to respond by email. The incident is automatically updated based on the email response from the device owner. Solution
Microsoft Defender for IoT Workbook The OT Threat Monitoring with Defender for IoT Workbook features OT filtering for Security Alerts, Incidents, Vulnerabilities and Asset Inventory. The workbook features a dynamic assessment of the MITRE ATT&CK for ICS matrix across your environment to analyze and respond to OT-based threats. This workbook is designed to enable SecOps Analysts, Security Engineers, and MSSPs to gain situational awareness for IT/OT security posture. Solution
URLhaus The URLhaus solution for Microsoft Sentinel allows enriching incidents with additional information about file hashes, hostnames and URLs using feeds and lists from URLhaus.Besides the APIs documented on URLhaus that serve various feeds and lists, abuse.ch also offers a dedicated API that allows gathering information on a specific URL, file hash or host from URLhaus in an automated way. It is also possible to retrieve a payload (malware sample) URLhaus has collected from malware URLs it tracks.Custom Azure Logic Apps Connectors: 1, Playbooks: 3 LogicAppsCustomConnector Solution
URLhaus-CheckHashAndEnrichIncident Playbook Once a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Gets Information from URLhaus by hashes, provided in the alert custom entities. 2. Enriches the incident with the obtained info. Solution
URLhaus-CheckHostAndEnrichIncident Playbook Once a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Gets Information from URLhaus by hashes, provided in the alert custom entities. 2. Enriches the incident with the obtained info. Solution
URLhaus-CheckURLAndEnrichIncident Playbook Once a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Gets Information from URLhaus by hashes, provided in the alert custom entities. 2. Enriches the incident with the obtained info. Solution
VMware vCenter The VMware vCenter Server solution allows you to ingest logs from your vCenter platform using Syslog into Microsoft Sentinel.Underlying Microsoft Technologies used:This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:a. Agent-based log collection (Syslog)Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 2 VMware vCenter - Root login AnalyticsRule Detects when the root user logs in from an uncommon IP address. Solution
vCenter - Root impersonation AnalyticsRule Detects when root impersonation occurs. Solution
VMware vCenter DataConnector The vCenter connector allows you to easily connect your vCenter server logs with Microsoft Sentinel. This gives you more insight into your organization's data centers and improves your security operation capabilities. Solution
vCenter Parser Solution
vCenter Workbook This data connector depends on a parser based on the Kusto Function vCenter to work as expected. Follow the steps to get this Kusto Function. Solution
VirusTotal The VirusTotal solution for Microsoft Sentinel contains Playbooks that can help enrich incident information with threat information and intelligence for IPs, file hashes and URLs from VirusTotal. Enriched information can help drive focused investigations in Security Operations.Playbooks: 8 IP Enrichment - Virus Total Report - Entity Trigger Playbook This playbook will query the VirusTotal Report for the selected IP Address (https://developers.virustotal.com/v3.0/reference#ip-info). The report will be added as a comment to the incident. Solution
URL Enrichment - Virus Total domain report - Alert Triggered Playbook This playbook will take each URL entity and query VirusTotal for Domain info (https://developers.virustotal.com/v3.0/reference#domain-info). Solution
URL Enrichment - Virus Total domain report - Incident Triggered Playbook This playbook will take each URL entity and query VirusTotal for Domain Report (https://developers.virustotal.com/v3.0/reference#domain-info). It will write the results to Log Analytics and add a comment to the incident. Solution
FileHash Enrichment - Virus Total report - Alert Triggered Playbook This playbook will take each File Hash entity and query VirusTotal for file report (https://developers.virustotal.com/v3.0/reference#file-info). Solution
FileHash Enrichment - Virus Total report - Incident Triggered Playbook This playbook will take each File Hash entity and query VirusTotal for file report (https://developers.virustotal.com/v3.0/reference#file-info). Solution
IP Enrichment - Virus Total report - Alert Triggered Playbook This playbook will take each IP entity and query VirusTotal for IP Address Report (https://developers.virustotal.com/v3.0/reference#ip-info). It will write the results to Log Analytics and add a comment to the incident. Solution
IP Enrichment - Virus Total report - Incident Triggered Playbook This playbook will take each IP entity and query VirusTotal for IP Address Report (https://developers.virustotal.com/v3.0/reference#ip-info). It will write the results to Log Analytics and add a comment to the incident. Solution
URL Enrichment - Virus Total report - Alert Triggered Playbook This playbook will take each URL entity and query VirusTotal for info (https://developers.virustotal.com/v3.0/reference#url-info). Solution
URL Enrichment - Virus Total report - Incident Triggered Playbook This playbook will take each URL entity and query VirusTotal for info (https://developers.virustotal.com/v3.0/reference#url-info). Solution
VMware Carbon Black Cloud The VMware Carbon Black Cloud solution for Microsoft Sentinel allows ingesting Carbon Black Audit, Notification and Event logs into Microsoft Sentinel.Underlying Microsoft Technologies used:This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:a. Azure Monitor HTTP Data Collector APIb. Azure FunctionsData Connectors: 1, Workbooks: 1, Analytic Rules: 2, Custom Azure Logic Apps Connectors: 1, Playbooks: 3 Critical Threat Detected AnalyticsRule This creates an incident in the event a critical threat was identified on a Carbon Black managed endpoint. Solution
Known Malware Detected AnalyticsRule This creates an incident when known malware is detected on an endpoint managed by Carbon Black. Solution
VMware Carbon Black Cloud (using Azure Functions) DataConnector The VMware Carbon Black Cloud connector provides the capability to ingest Carbon Black data into Microsoft Sentinel. The connector provides visibility into Audit, Notification and Event logs in Microsoft Sentinel to view dashboards, create custom alerts, and to improve monitoring and investigation capabilities. Solution
CarbonBlackCloudConnector LogicAppsCustomConnector Solution
Endpoint enrichment - Carbon Black Playbook This playbook will collect device information from Carbon Black and post a report on the incident. Solution
Isolate endpoint - Carbon Black Playbook This playbook will quarantine the host in Carbon Black. Solution
Endpoint take action from Teams - Carbon Black Playbook This playbook sends an adaptive card to the SOC Teams channel and lets the analyst decide on an action: quarantine the device or update the policy. It posts a comment on the incident with the information collected from Carbon Black and a summary of the actions taken, and closes the incident if required. Solution
VMware ESXi The VMware ESXi solution for Microsoft Sentinel enables you to ingest VMware ESXi logs into Microsoft Sentinel.Underlying Microsoft Technologies used:This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:a. Agent-based log collection (Syslog)Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 11, Hunting Queries: 10 VMware ESXi - New VM started AnalyticsRule Detects when a new VM was started. Solution
VMware ESXi - Root impersonation AnalyticsRule Detects when root impersonation occurs. Solution
VMware ESXi - Low temp directory space AnalyticsRule This rule is triggered when low temp directory space is detected. Solution
VMware ESXi - Unexpected disk image AnalyticsRule Detects unexpected disk image for VM. Solution
VMware ESXi - VM stopped AnalyticsRule Detects when VM was stopped. Solution
VMware ESXi - Low patch disk space AnalyticsRule This rule is triggered when low patch disk store space is detected. Solution
VMware ESXi - Dormant VM started AnalyticsRule Detects when dormant VM was started. Solution
VMware ESXi - Multiple VMs stopped AnalyticsRule Detects when multiple VMs were stopped by a user. Solution
VMware ESXi - Shared or stolen root account AnalyticsRule Detects a shared or stolen root account. Solution
VMware ESXi - Multiple new VMs started AnalyticsRule Detects when multiple new VMs were started. Solution
VMware ESXi - Root login AnalyticsRule Detects when the root user logs in from an uncommon IP address. Solution
VMware ESXi DataConnector The VMware ESXi connector allows you to easily connect your VMware ESXi logs with Microsoft Sentinel. This gives you more insight into your organization's ESXi servers and improves your security operation capabilities. Solution
VMware ESXi - VM high resource load HuntingQuery Solution
VMware ESXi - Download errors HuntingQuery Solution
VMware ESXi - List of powered on VMs HuntingQuery Solution
VMware ESXi - List of virtual disks (images) HuntingQuery Solution
VMware ESXi - List of dormant users. HuntingQuery Solution
VMware ESXi - NFC download activities HuntingQuery Solution
VMware ESXi - List of powered off VMs HuntingQuery Solution
VMware ESXi - List of unused VMs HuntingQuery Solution
VMware ESXi - Root logins HuntingQuery Solution
VMware ESXi - Root logins failures HuntingQuery Solution
VMware ESXi Data Parser Parser Solution
VMware ESXi Workbook Sets the time name for analysis Solution
Watchlists Utilities The Watchlist Utilities solution for Microsoft Sentinel contains Playbooks that can help automate watchlist usage and integration with incident's management. These include use cases for adding entities (Hosts, IP, URL, User, etc.) to Microsoft Sentinel Watchlists and for incident management.Playbooks: 12 Add Host To Watchlist - Alert Trigger Playbook This playbook will add a host entity from the alert to a new or existing watchlist. Solution
Add Host To Watchlist - Incident Trigger Playbook This playbook will add a Host entity to a new or existing watchlist. Solution
Add IP To Watchlist - Alert Trigger Playbook This playbook will add an IP entity from the alert to a new or existing watchlist. Solution
Add IP To Watchlist - Incident Trigger Playbook This playbook will add an IP entity to a new or existing watchlist. Solution
Add URL To Watchlist - Alert Trigger Playbook This playbook will add a URL entity from the alert to a new or existing watchlist. Solution
Add URL To Watchlist - Incident Trigger Playbook This playbook will add a URL entity to a new or existing watchlist. Solution
Add User To Watchlist - Alert Trigger Playbook This playbook will add a user entity from the alert to a new or existing watchlist. Solution
Add User To Watchlist - Incident Trigger Playbook This playbook will add a User entity to a new or existing watchlist. Solution
Watchlist - Change Incident Severity and Title if User VIP - Alert Trigger Playbook This playbook leverages Microsoft Sentinel Watchlists in order to adapt the severity of incidents which include a User entity, checking it against a VIP user list. Solution
Watchlist - Change Incident Severity and Title if User VIP - Incident Trigger Playbook This playbook leverages Microsoft Sentinel Watchlists in order to adapt the severity of incidents which include a User entity, checking it against a VIP user list. Solution
Watchlist - close incidents with safe IPs Playbook This playbook leverages Microsoft Sentinel Watchlists in order to close incidents which include IP addresses considered safe. Solution
Watchlists - Inform Subscription Owner Playbook This playbook leverages Microsoft Sentinel Watchlists in order to get the relevant subscription owner contact details, and inform them about an ASC alert that occurred in that subscription. It uses Microsoft Teams and Office 365 Outlook as ways to inform the subscription owner. Solution
Web Shells Threat Protection Note: Please refer to the following before installing the solution:Review the solution Release Notes.There may be known issues pertaining to this Solution.The Web Shells Threat Protection solution contains security content that helps proactive and reactive detection of Web Shells used by attackers. Web Shells are malicious scripts that attackers use to compromise internet facing servers. These are commonly used as a backdoor into the targeted web applications and servers. Microsoft Security Research has highlighted the threat, usage and detection of Web Shells in an enterprise environment in the following blogs:Web shell attacks continue to riseAnalyzing attacks taking advantage of the Exchange Server vulnerabilitiesPre-requisites:This is a domain solution and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution.Microsoft 365 DefenderWindows Security EventsAzure Web Application FirewallKeywords: WebDAV, SysAid, Mercury, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, SUPERNOVA, SpringShell, CVE-2022-22965Analytic Rules: 3, Hunting Queries: 6 SUPERNOVA webshell AnalyticsRule Identifies SUPERNOVA webshell based on W3CIISLog data. References: - https://unit42.paloaltonetworks.com/solarstorm-supernova/ Solution
Identify SysAid Server web shell creation AnalyticsRule This query looks for potential webshell creation by the threat actor Mercury after the successful exploitation of SysAid server. Reference: https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/ Solution
Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts AnalyticsRule Takes Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts where web scripts are present in the evidence and correlates them with requests made to those scripts in the W3CIISLog to surface new alerts for potentially malicious web request activity. The lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions has been provided in scriptExtensions that should be tailored to your environment. Solution
Exchange IIS Worker Dropping Webshells HuntingQuery Solution
UMWorkerProcess Creating Webshell HuntingQuery Solution
Possible Webshell usage attempt related to SpringShell(CVE-2022-22965) HuntingQuery Solution
Possible webshell drop HuntingQuery Solution
Webshell Detection HuntingQuery Solution
Web Shell Activity HuntingQuery Solution
Windows Firewall The Windows Firewall solution for Microsoft Sentinel allows you to ingest Windows Firewall Events into Microsoft Sentinel using the Log Analytics agent for Windows.Underlying Microsoft Technologies used:This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:a. Agent based logs collection from Windows and Linux machinesData Connectors: 1, Workbooks: 1 Windows Firewall DataConnector Windows Firewall is a Microsoft Windows application that filters information coming to your system from the Internet and blocks potentially harmful programs. The software blocks most programs from communicating through the firewall. Users simply add a program to the list of allowed programs to allow it to communicate through the firewall. When using a public network, Windows Firewall can also secure the system by blocking all unsolicited attempts to connect to your computer. Solution
Windows Forwarded Events The Windows Forwarded Events solution allows you to ingest all Windows Event Forwarding (WEF) logs from the Windows Servers connected to your Microsoft Sentinel workspace using Azure Monitor Agent (AMA).Underlying Microsoft Technologies used:This solution is dependent on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:a. Agent based logs collection from Windows and Linux machinesData Connectors: 1, Analytic Rules: 2 Caramel Tsunami Actor IOC - July 2021 AnalyticsRule Identifies a match across IOC's related to an actor tracked by Microsoft as Caramel Tsunami Solution
Chia_Crypto_Mining IOC - June 2021 AnalyticsRule Identifies a match across IOC's related to Chia cryptocurrency farming/plotting activity Solution
Windows Forwarded Events DataConnector You can stream all Windows Event Forwarding (WEF) logs from the Windows Servers connected to your Microsoft Sentinel workspace using Azure Monitor Agent (AMA). This connection enables you to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. For more information, see the Microsoft Sentinel documentation. Solution
Workplace from Facebook The Workplace solution provides the capability to ingest common Workplace events into Microsoft Sentinel through Webhooks. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: Azure Monitor HTTP Data Collector API, Azure Functions. Data Connectors: 1, Parsers: 1 Workplace from Facebook (using Azure Function) DataConnector The Workplace data connector provides the capability to ingest common Workplace events into Microsoft Sentinel through Webhooks. Webhooks enable custom integration apps to subscribe to events in Workplace and receive updates in real time. When a change occurs in Workplace, an HTTPS POST request with event information is sent to a callback data connector URL. Refer to the Webhooks documentation for more information. The connector provides the ability to retrieve events, which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more. Solution
Workplace_Facebook Parser Solution
Zero Trust (TIC 3.0) The Microsoft Sentinel Zero Trust (TIC 3.0) solution provides a mechanism for viewing log queries aligned to Zero Trust and Trusted Internet Connections models across the Microsoft and partner ecosystem. This solution enables governance and compliance teams to design, build, monitor, and respond to Zero Trust (TIC 3.0) requirements across 25+ Microsoft and 3rd party products. The solution includes the new Zero Trust (TIC 3.0) Workbook, (1) Analytics Rule, and (3) Playbooks. While only Microsoft Sentinel and Microsoft Defender for Cloud are required to get started, the solution is enhanced with numerous Microsoft offerings. This Solution enables Security Architects, Engineers, SecOps Analysts, Managers, and IT Pros to gain situational awareness visibility for the security posture of cloud, multi-cloud, hybrid, and on-premises workloads. For more information, see 💡Microsoft Zero Trust Model 💡Trusted Internet Connections: Core Guidance Documents. Microsoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step. Workbooks: 1, Analytic Rules: 1, Playbooks: 3 ZeroTrust(TIC3.0) Control Assessment Posture Change AnalyticsRule Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines Solution
Notify-GovernanceComplianceTeam Playbook This Security Orchestration, Automation, & Response (SOAR) capability is designed for configuration with the solution's analytics rules. When analytics rules trigger, this automation notifies the governance compliance team of the respective details via Teams chat and Exchange email. This automation reduces the need to manually monitor the workbook or analytics rules while improving response times. Solution
Create-AzureDevOpsTask Playbook This playbook will create the Azure DevOps task filled with the Microsoft Sentinel incident details. Solution
Create Jira Issue Playbook This playbook will open a Jira Issue when a new incident is opened in Microsoft Sentinel. Solution
ZeroTrust(TIC3.0) Workbook Sets the time name for analysis Solution
ZINC Open Source Threat Protection Microsoft security research teams have detected a wide range of social engineering campaigns using weaponized legitimate open-source software by an actor tracked as ZINC. ZINC employed traditional social engineering tactics by initially connecting with individuals on LinkedIn, followed by communication over WhatsApp, which acted as the means of delivery for their malicious payloads. ZINC was found weaponizing a wide range of open-source software including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader etc. For more technical and in-depth information about the attack, please read the Microsoft Security blog post. This solution provides content to detect and investigate signals related to the attack in Microsoft Sentinel. Pre-requisites: This is a domain solution and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions to unlock the value provided by this solution: 1. Windows Security Events, 2. Microsoft 365 Defender, 3. Microsoft Windows DNS, 4. F5 Advanced WAF, 5. Cisco ASA, 6. Palo Alto Networks, 7. Common Event Format, 8. Fortinet FortiGate, 9. Check Point, 10. Microsoft 365, 11. Azure Firewall, 12. Microsoft Windows Firewall, 13. Windows Forwarded Events. Keywords: Zinc, Open Source, ZetaNile, Putty, Kitty, TightVNC, EventHorizon, FoggyBrass, PhantomStar, threat actor, Adversary. Analytic Rules: 3 AV detections related to Zinc actors AnalyticsRule This query looks for Microsoft Defender AV detections related to the Zinc threat actor. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, so this query joins the DeviceInfo table to connect other information such as Device group, IP, etc. This allows the Microsoft Sentinel analyst to have more context related to the alert, if available. Reference: https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/ Solution
Zinc Actor IOCs domains hashes IPs and useragent - October 2022 AnalyticsRule Identifies a match across domainname, IP, hash and useragent IOCs related to an actor tracked by Microsoft as Zinc. Reference: https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/ Solution
Zinc Actor IOCs files - October 2022 AnalyticsRule Identifies a match across filename and commandline IOC's related to an actor tracked by Microsoft as Zinc. Reference: https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/ Solution
Zoom Reports Note: Please refer to the following before installing the solution: Review the solution Release Notes. There may be known issues pertaining to this Solution. The Zoom Reports solution enables you to ingest Zoom Reports' events into Microsoft Sentinel through the Zoom Report REST API. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor HTTP Data Collector API b. Azure Functions. Data Connectors: 1, Parsers: 1, Workbooks: 1 Zoom Reports (using Azure Functions) DataConnector The Zoom Reports data connector provides the capability to ingest Zoom Reports events into Microsoft Sentinel through the REST API. Refer to the API documentation for more information. The connector provides the ability to retrieve events, which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more. Solution
Zoom Parser Solution
Zoom Reports Workbook Visualize various details and visuals on Zoom Report data ingested through the solution. This workbook also depends on the parser named Zoom, which ships as part of the Zoom solution. Solution
Zscaler Private Access The Zscaler Private Access (ZPA) solution provides the capability to ingest Zscaler Private Access events into Microsoft Sentinel. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor HTTP Data Collector API. Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10 Zscaler - ZPA connections by new user AnalyticsRule Detects ZPA connections by new user. Solution
Zscaler - ZPA connections from new IP AnalyticsRule Detects ZPA connections from new IP. Solution
Zscaler - ZPA connections outside operational hours AnalyticsRule Detects ZPA connections outside operational hours. Solution
Zscaler - Shared ZPA session AnalyticsRule Detects shared ZPA session. Solution
Zscaler - Unexpected event count of rejects by policy AnalyticsRule Detects unexpected event count of rejects by policy. Solution
Zscaler - Connections by dormant user AnalyticsRule Detects ZPA connections by dormant user. Solution
Zscaler - Unexpected update operation AnalyticsRule Detects unexpected version of update operation. Solution
Zscaler - Forbidden countries AnalyticsRule Detects suspicious ZPA connections from forbidden countries. Solution
Zscaler - ZPA connections from new country AnalyticsRule Detects ZPA connections from new country. Solution
Zscaler - Unexpected ZPA session duration AnalyticsRule Detects Unexpected ZPA session duration. Solution
Zscaler Private Access DataConnector The Zscaler Private Access (ZPA) data connector provides the capability to ingest Zscaler Private Access events into Microsoft Sentinel. Refer to Zscaler Private Access documentation for more information. Solution
Zscaler - Users access groups HuntingQuery Solution
Zscaler - Abnormal total bytes size HuntingQuery Solution
Zscaler - Destination ports by IP HuntingQuery Solution
Zscaler - Server error by user HuntingQuery Solution
Zscaler - Top connectors HuntingQuery Solution
Zscaler - Connection close reasons HuntingQuery Solution
Zscaler - Applications using by accounts HuntingQuery Solution
Zscaler - Top source IP HuntingQuery Solution
Zscaler - Users by source location countries HuntingQuery Solution
Zscaler - Rare urlhostname requests HuntingQuery Solution
Zscaler Private Access Data Parser Parser Solution
Zscaler Private Access (ZPA) Workbook Select the time range for this Overview. Solution
Symantec ProxySG The Symantec ProxySG solution for Microsoft Sentinel enables you to ingest Symantec ProxySG's network proxy traffic logs into Microsoft Sentinel. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Agent-based log collection (Syslog). Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 2 Excessive Denied Proxy Traffic AnalyticsRule This alert creates an incident when a client generates an excessive amount of denied proxy traffic. Solution
User Accessed Suspicious URL Categories AnalyticsRule Creates an incident in the event the requested URL accessed by the user has been identified as Suspicious, Phishing, or Hacking. Solution
Symantec ProxySG DataConnector The Symantec ProxySG connector allows you to easily connect your Symantec ProxySG logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigations. Integrating Symantec ProxySG with Microsoft Sentinel provides more visibility into your organization's network proxy traffic and will enhance security monitoring capabilities. Solution
SymantecProxySG Parser Solution
Symantec ProxySG Workbook Gain insight into Symantec ProxySG by analyzing, collecting and correlating proxy data. This workbook provides visibility into ProxySG Access logs Solution
Symantec Integrated Cyber Defense The Symantec Integrated Cyber Defense Exchange (ICDx) solution allows you to easily connect your Symantec security solutions logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor HTTP Data Collector API. Data Connectors: 1 Symantec Integrated Cyber Defense Exchange DataConnector The Symantec ICDx connector allows you to easily connect your Symantec security solutions logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. Solution
Trend Micro Cloud App Security The Trend Micro Cloud App Security data connector provides the capability to retrieve security event logs of the services that Cloud App Security protects and more events into Microsoft Sentinel through the Log Retrieval API. Refer to the API documentation for more information. The connector provides the ability to retrieve events, which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor HTTP Data Collector API b. Azure Functions. Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10 Trend Micro CAS - Ransomware infection AnalyticsRule Triggers when ransomware is detected. Solution
Trend Micro CAS - DLP violation AnalyticsRule Detects when DLP policy violation occurs. Solution
Trend Micro CAS - Unexpected file via mail AnalyticsRule Detects when an unexpected file is received via mail. Solution
Trend Micro CAS - Infected user AnalyticsRule Detects when malware was detected for user account. Solution
Trend Micro CAS - Ransomware outbreak AnalyticsRule Triggers when ransomware is detected on several accounts. Solution
Trend Micro CAS - Suspicious filename AnalyticsRule Detects unexpected filename. Solution
Trend Micro CAS - Multiple infected users AnalyticsRule Detects when the same malware is detected for multiple user accounts. Solution
Trend Micro CAS - Possible phishing mail AnalyticsRule Detects possible phishing mail. Solution
Trend Micro CAS - Threat detected and not blocked AnalyticsRule Detects when threat was not blocked by CAS solution. Solution
Trend Micro CAS - Unexpected file on file share AnalyticsRule Detects unexpected files on file share. Solution
Trend Micro Cloud App Security (using Azure Function) DataConnector The Trend Micro Cloud App Security data connector provides the capability to retrieve security event logs of the services that Cloud App Security protects and more events into Microsoft Sentinel through the Log Retrieval API. Refer to the API documentation for more information. The connector provides the ability to retrieve events, which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more. Solution
Trend Micro CAS - DLP violations HuntingQuery Solution
Trend Micro CAS - Rare files received via email services HuntingQuery Solution
Trend Micro CAS - Ransomware threats HuntingQuery Solution
Trend Micro CAS - Risky users HuntingQuery Solution
Trend Micro CAS - Files received via email services HuntingQuery Solution
Trend Micro CAS - Virtual Analyzer threats HuntingQuery Solution
Trend Micro CAS - Files stored on cloud fileshare services HuntingQuery Solution
Trend Micro CAS - Infected files received via email HuntingQuery Solution
Trend Micro CAS - Security risk scan threats HuntingQuery Solution
Trend Micro CAS - Suspicious files on sharepoint HuntingQuery Solution
TrendMicroCAS Parser Solution
Barracuda WAF Sentinel Barracuda WAF solution package for Azure Sentinel offers threat intelligence insights for the attacks targeted at the web application. These insights can be used to create incident response rules and follow-up actions to avoid such attempts. All aspects of Security, Orchestration, Automation and Response can be handled with this integration. Barracuda Web Application Firewall DataConnector The Barracuda Web Application Firewall (WAF) connector allows you to easily connect your Barracuda logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. Solution
BETTER Mobile Threat Defense (MTD) Are mobile security threats putting your corporate resources at risk? Today, employees work from anywhere globally and are handling more sensitive data on their mobile devices. At the same time, mobile malware attacks are growing at an alarming rate. In 2021, cybercrime is expected to cost the world around $6 trillion annually, which has increased from $3 trillion since 2015. Companies need solutions that provide risk-based conditional access to corporate resources based on existing workflows and policies. Better MTD extends MDM protection without disturbing user privacy or disrupting mobile productivity. It is the only solution on the market with a customizable threat detection engine, allowing customers to quickly implement their risk policies. Tight integration with Microsoft Intune provides easy deployment to vast mobile networks in "Just four clicks." After evaluating all MTD vendors in the market, Coca-Cola's Mobility and Innovation Team concluded Better Mobile had a complete endpoint security platform available. Better MTD was selected for the following attributes: superior threat detection; extensibility to IoT class devices; customizable threat models on the Deep Thinker-AI platform; enterprise mobile app scanning with deep malware scanning capabilities; ability to block blacklisted websites and apps. Global rollout across all eight market regions; one of the largest MTD deployments to date; deployed on corporate-owned and BYOD iOS and Android phones, iPads, and tablets. Win results: unprecedented visibility into the mobile network, allowing for a more in-depth assessment of mobile threats and fine-tuned policy responses; flawless rollout with no impact on user productivity, network or business functions; complete visibility into OS vulnerabilities, full CVE number, and patch level details, within 30 seconds, across the entire device spectrum; a simple security policy definition with an easy-to-use console and intuitive user experience.
"Since 2016, we have been working with Better Mobile and have deployed Better MTD solution for different bottlers in USA, Canada, Vietnam, Cambodia, Myanmar, and other countries. We have been pleased with our selection and the value we get from the joint solution. We have partnered very closely with Microsoft for our security platforms. Better Mobile's deep integration with Microsoft security products and Microsoft Global ISV Partner provides huge value to us."~ Stephen Vance- Senior Director, IT Architecture and Systems We are offering Microsoft Intune customers a Free Trial.* Requires an active Microsoft Intune account and an Admin with Global Admin privilege to perform the Integration. BETTER Mobile Threat Defense (MTD) DataConnector The BETTER MTD Connector allows Enterprises to connect their Better MTD instances with Microsoft Sentinel, to view their data in Dashboards, create custom alerts, use it to trigger playbooks and expands threat hunting capabilities. This gives users more insight into their organization's mobile devices and ability to quickly analyze current mobile security posture which improves their overall SecOps capabilities. Solution
BETTER Mobile Threat Defense (MTD) Workbook Workbook using the BETTER Mobile Threat Defense (MTD) connector, to give insights into your mobile devices, installed application and overall device security posture. Solution
Check Point The Check Point Logic App Connector and Playbooks allow customers to easily find and deploy pre-packaged Check Point connectors and playbooks directly from Azure Sentinel. Users can configure Azure Sentinel’s SOAR playbooks to automatically remediate threats using CloudGuard security gateways and on-premises Check Point Gateways, enhancing the security functionality of both Microsoft Azure and of Check Point CloudGuard.The Check Point Logic App Connector and Playbooks can also provide automated remediation. Customers can configure SOAR playbooks to automatically trigger Check Point CloudGuard security gateways to update security policies, block malicious traffic, and more. By taking advantage of the Check Point Management API, the connector can automate these security operations tasks, which can be not only a time-saver for IT staff, network administrators, and security personnel, but also dramatically reduces the window that attackers can take advantage of security issues—because those problems don’t have to be fixed manually. This can help minimize the organization’s attack surface while saving hours of time for Network and Security Administrators, Security Analysts, DevOps/DevSecOps teams, and more. The pre-defined playbooks will also eliminate the need to write individual API calls and can easily integrate Check Point playbooks with all native Azure services and hundreds of existing logic app connectors.Check Point and Azure Sentinel provide complete visibility for security events. Customers can manage all functionality from a single-pane-of-glass control center from which they can see both events coming from Check Point as one source, and events coming from other sources—from both inside and outside the Azure environment. Customers can correlate and visualize these events on Azure Sentinel. AzureFunction Solution
LogicAppsCustomConnector Solution
checkpoint-add-host-to-group Playbook This playbook will create Check Point objects and add to block group Solution
Check Point Software Technologies Workbook Gain insights into Check Point network activities, including number of gateways and servers, security incidents, and identify infected hosts. Solution
Cisco Firepower eStreamer The Cisco Firepower eStreamer connector provides configuration settings to directly connect Secure Firewall event data to Microsoft Sentinel. The built-in connector is designed to save customers time configuring and forwarding data in the eStreamer client settings by using default Sentinel port and configuration management settings. This product provides a seamless method to transport data from the Secure Firewall into Microsoft Sentinel for data visualization, retention, and other benefits of the Sentinel SIEM. Cisco Firepower eStreamer DataConnector eStreamer is a Client Server API designed for the Cisco Firepower NGFW Solution. The eStreamer client requests detailed event data on behalf of the SIEM or logging solution in the Common Event Format (CEF). Solution
CiscoFirepowerConnector LogicAppsCustomConnector Solution
Block URL - Cisco Firepower Playbook This playbook allows blocking of FQDNs in Cisco Firepower, using a Network Group object. This allows making changes to a Network Group selected members, instead of making Access List Entries. The Network Group object itself should be part of an Access List Entry. Solution
Block IP - Cisco Firepower Playbook This playbook allows blocking of IPs in Cisco Firepower, using a Network Group object. This allows making changes to a Network Group selected members, instead of making Access List Entries. The Network Group object itself should be part of an Access List Entry. Solution
Block IP - Take Action from Teams - Cisco Firepower Playbook This playbook allows blocking of IPs in Cisco Firepower, using a Network Group object. This allows making changes to a Network Group selected members, instead of making Access List Entries. The Network Group object itself should be part of an Access List Entry. Solution
Citrix Analytics Application Citrix Analytics for Security aggregates and correlates information across network traffic, users, files and endpoints in Citrix environments. This generates actionable insights that enable Citrix administrators and security teams to remediate user security threats through automation while optimizing IT operations. Machine learning and artificial intelligence empower Citrix Analytics for Security to identify and take automated action to prevent data exfiltration. While delivered as a cloud service, Citrix Analytics for Security can generate insights from resources located on-premises, in the cloud, or in hybrid architectures. The Citrix Analytics Application for Microsoft Sentinel allows you to import your Citrix Analytics for Security Risk insights and associated events into your Microsoft Sentinel environment. The included workbooks provide valuable dashboards, based on Citrix Analytics Machine Learning insights and aggregate data source events. This integration also enables SOC admins to identify and proactively remediate security risks. It improves time to value and enables faster detection, as admins are able to easily aggregate events from disparate data sources and export data. SOC threat hunters can also further leverage all Citrix data and CAS dashboards for search, risk analysis and correlation across the wider IT infrastructure. CITRIX SECURITY ANALYTICS DataConnector Citrix Analytics (Security) integration with Microsoft Sentinel helps you to export data analyzed for risky events from Citrix Analytics (Security) into the Microsoft Sentinel environment. You can create custom dashboards, analyze data from other sources along with that from Citrix Analytics (Security) and create custom workflows using Logic Apps to monitor and mitigate security events. Solution
Citrix Analytics Workbook Citrix Analytics for Security aggregates and correlates information across network traffic, users, files and endpoints in Citrix environments. This generates actionable insights that enable Citrix administrators and security teams to remediate user security threats through automation while optimizing IT operations. Machine learning and artificial intelligence empowers Citrix Analytics for Security to identify and take automated action to prevent data exfiltration. While delivered as a cloud service, Citrix Analytics for Security can generate insights from resources located on-premises, in the cloud, or in hybrid architectures. The Citrix Analytics Workbook further enhances the value of both your Citrix Analytics for Security and Microsoft Sentinel. The Workbook enables you to integrate data sources together, helping you gain even richer insights. It also gives Security Operations (SOC) teams the ability to correlate data from disparate logs, helping you identify and proactively remediate security risk quickly. Additionally, valuable dashboards that were unique to the Citrix Analytics for Security can now be implemented in Sentinel. You can also create new custom Workbooks that were not previously available, helping extend the value of both investments. Solution
Citrix WAF Citrix WAF (Web App Firewall) is an industry-leading enterprise-grade WAF solution. Citrix WAF mitigates threats against your public-facing assets, including websites, apps, and APIs. From layer 3 to layer 7, Citrix WAF includes protections such as IP reputation, bot mitigation, defense against the OWASP Top 10 application threats, built-in signatures to protect against application stack vulnerabilities, and more. Citrix WAF provides comprehensive protection for your applications with unparalleled ease of use. Getting up and running is a matter of minutes. With auto scaling, you can rest assured that your applications remain protected even as traffic scales up. Compliant with major regulatory standards and bodies, Citrix WAF includes PCI-DSS, HIPAA, and more. It has never been easier to safeguard your applications in a compliant manner safely, reliably, and quickly. Highlights: Comprehensive App Security: Citrix WAF is a single code base across cloud, physical, virtual, bare-metal, and containers that enables consistency across your hybrid multi cloud applications and workflows. Holistic application security from Layer 3 to Layer 7 and built-in API protection ensures you don't have to worry about being vulnerable. Secure your Websites, Apps, and APIs: Securing applications is more than just using basic WAF functionality. Citrix WAF includes basic through advanced WAF, bot mitigation, dynamic profiling, and API gateway. Robust Reporting & Analytics: Citrix ADM is the only one-stop shop for reporting all things Citrix, including: WAF incidents, bot incidents, application latency, application performance, and more. No other solution provides the same depth of reporting and analytics, providing unparalleled insights into security, performance, and infrastructure state. Citrix Ingress Controller (available on Azure marketplace): Configures Ingress rules on Citrix ADC VPX to route/secure external HTTP(S), TCP, UDP traffic to a Kubernetes cluster. This is supported for apps running on Azure Kubernetes Service (AKS) or self-managed Kubernetes running on Azure VM instances. Citrix WAF (Web App Firewall) DataConnector Citrix WAF (Web App Firewall) is an industry leading enterprise-grade WAF solution. Citrix WAF mitigates threats against your public-facing assets, including websites, apps, and APIs. From layer 3 to layer 7, Citrix WAF includes protections such as IP reputation, bot mitigation, defense against the OWASP Top 10 application threats, built-in signatures to protect against application stack vulnerabilities, and more. Citrix WAF supports Common Event Format (CEF), an industry-standard format on top of Syslog messages. By connecting Citrix WAF CEF logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log. Solution
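Both the Citrix WAF connector above and the Cisco Firepower eStreamer connector earlier in this catalog deliver events as CEF records carried in syslog. The parser below is an added example, not Citrix, Cisco or Microsoft code, and shows how such a line is taken apart: the syslog prefix, the CEF version, the six pipe-separated header fields (where a literal pipe is escaped as `\|`), and the key=value extension (where a literal equals sign is escaped as `\=`). The sample line, its vendor/product strings and every field value are constructed for illustration and are not real Citrix WAF output.

```python
"""Parse CEF-over-syslog lines such as those a WAF forwards to Sentinel.

Added example, not Citrix, Cisco or Microsoft code. SAMPLE is a constructed
line for illustration only; it is not real Citrix WAF output.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: syslog PRI + timestamp + host, then the CEF record.
# In the header a "|" inside a field is escaped as "\|"; in the extension
# an "=" inside a value is escaped as "\=".
SAMPLE = (
    "<134>Jul 25 10:15:01 waf01 CEF:0|Citrix|NetScaler|13.1|APPFW_SQL|"
    "SQL injection \\| keyword check|8|src=203.0.113.5 spt=51234 "
    "request=GET /login.php?user\\=admin' OR 1\\=1 act=blocked "
    "msg=Field user contains SQL keyword"
)

HEADER_FIELDS = ("device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
CEF_START = re.compile(r"CEF:(\d+)\|")
# A new extension key starts after whitespace and looks like "key=" with an
# unescaped "=", so "OR 1\=1" inside a value is not treated as a new pair.
EXT_SPLIT = re.compile(r"\s+(?=[A-Za-z0-9_.]+=)")


def _unescape(value: str) -> str:
    """Undo CEF escapes: \\| \\= \\\\ plus \\n and \\r in extension values."""
    out: List[str] = []
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append({"n": "\n", "r": "\r"}.get(nxt, nxt))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _split_header(body: str) -> Tuple[List[str], str]:
    """Return the six header fields after 'CEF:n|' and the raw extension."""
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(body) and len(fields) < len(HEADER_FIELDS):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # keep the escape for _unescape
            buf.extend(body[i:i + 2])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < len(HEADER_FIELDS):
        raise ValueError("truncated CEF header")
    return fields, body[i:]


def parse_extension(ext: str) -> Dict[str, str]:
    """Split 'k=v k2=v with spaces' into a dict, unescaping each value."""
    result: Dict[str, str] = {}
    for token in EXT_SPLIT.split(ext.strip()):
        if not token:
            continue
        key, _, value = token.partition("=")
        result[key] = _unescape(value)
    return result


def parse_cef(line: str) -> Dict[str, object]:
    """Parse one syslog-wrapped CEF line into a structured event dict."""
    m = CEF_START.search(line)
    if m is None:
        raise ValueError("no CEF header in line")
    fields, ext = _split_header(line[m.end():])
    event: Dict[str, object] = {
        "syslog_prefix": line[:m.start()].strip(),
        "cef_version": int(m.group(1)),
    }
    for name, raw in zip(HEADER_FIELDS, fields):
        event[name] = _unescape(raw)
    # CEF severity is 0-10; a non-numeric value means a malformed record.
    event["severity"] = int(event["severity"])
    event["extension"] = parse_extension(ext)
    return event


if __name__ == "__main__":
    ev = parse_cef(SAMPLE)
    print(ev["name"], ev["severity"], ev["extension"]["request"])
```

The header is split by hand rather than with `str.split("|")` because a vendor can legitimately put an escaped pipe in the signature name, and the extension is split on a lookahead for `key=` rather than on spaces because values such as the request line contain spaces. Anything after the sixth pipe is the extension, so a record with fewer header fields is rejected instead of silently mis-mapped.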
Cohesity Security Integration This is a Cohesity integration for use with Microsoft Sentinel's cloud-native security information and event manager (SIEM) platform, to enable Security Operators and ITOps the automation and operational simplicity to respond to threats and recover from ransomware incidents, from inside Microsoft Sentinel. Below are the key workflows: ransomware alerts from Cohesity Data Cloud and Cohesity Cloud Services into Microsoft Sentinel via RESTful API integration; automatic incidents with details of the alerts; escalation to an ITSM tool via a pre-built or custom Playbook; initiation of recovery of a clean snapshot with no anomalies via a pre-built Playbook; closed-loop integration that closes out the alert in Cohesity Data Cloud via a pre-built Playbook. Cohesity (using Azure Function) DataConnector The Cohesity function apps provide the ability to ingest Cohesity Datahawk ransomware alerts into Microsoft Sentinel. Solution
Close Cohesity Helios Incident Playbook This playbook closes the corresponding Cohesity DataHawk (Helios) ticket. Solution
Cohesity Create or Update ServiceNow incident Playbook This playbook creates and updates the incident in the ServiceNow platform. Solution
Delete Cohesity incident blobs Playbook This playbook deletes the blobs on Azure storage created by an incident that is generated by Cohesity function apps. Solution
Restore From Last Cohesity Snapshot Playbook This playbook restores the latest good Data Hawk (Helios) snapshot. Solution
Cohesity Incident Email Playbook This playbook sends an email to the recipient with the details related to the incidents. Solution
Contrast Protect Contrast Protect empowers teams to defend their applications anywhere they run, by embedding an automated and accurate runtime protection capability within the application to continuously monitor and block attacks. By focusing on actionable and timely application layer threat intelligence we make it easier for security and operation teams to understand and manage the severity of threats and attacks. Contrast Protect seamlessly integrates into Microsoft Sentinel so you can gain additional security risk visibility into the application layer. Contrast Probes AnalyticsRule Creates Incidents for Probed events sourced from the Contrast Protect agent. Solution
Contrast Blocks AnalyticsRule Creates Incidents for Blocked events sourced from the Contrast Protect agent. Solution
Contrast Exploits AnalyticsRule Creates Incidents for Exploit events sourced from the Contrast Protect agent. Solution
Contrast Suspicious AnalyticsRule Creates Incidents for Suspicious events sourced from the Contrast Protect agent. Solution
Contrast Protect DataConnector Contrast Protect mitigates security threats in production applications with runtime protection and observability. Attack event results (blocked, probed, suspicious...) and other information can be sent to Microsoft Microsoft Sentinel to blend with security information from other systems. Solution
Corelight Corelight for Microsoft Sentinel enables incident responders and threat hunters who use Microsoft Sentinel to work faster and more effectively. Corelight provides a network detection and response (NDR) solution based on best-of-breed open-source technologies, Zeek and Suricata that enables network defenders to get broad visibility into their environments. The data connector enables ingestion of events from Zeek and Suricata via Corelight Sensors into Microsoft Sentinel. Corelight for Microsoft Sentinel also includes workbooks and dashboards, hunting queries, and analytic rules to help organizations drive efficient investigations and incident response with the combination of Corelight and Microsoft Sentinel. Corelight - External Proxy Detected AnalyticsRule Detects external proxy usage. Solution
Corelight - Multiple Compressed Files Transferred over HTTP AnalyticsRule Detects compressed archives transferred over HTTP. Solution
Corelight - SMTP Email containing NON Ascii Characters within the Subject AnalyticsRule Detects emails that contain non-ASCII characters within the Subject. Solution
Corelight - Network Service Scanning Multiple IP Addresses AnalyticsRule Identify scanning of services that may be available on the internal network. Solution
Corelight - Possible Typo Squatting or Punycode Phishing HTTP Request AnalyticsRule Detects when an HTTP request was made to a domain that was using unicode/punycode. Solution
Corelight - Multiple files sent over HTTP with abnormal requests AnalyticsRule Detects sources sending multiple compressed files greater than 10MBs sent over HTTP in a short amount of time. Solution
Corelight - Forced External Outbound SMB AnalyticsRule Detects SMB requests that originate internally and communicate with an external IP address. Solution
Corelight - C2 DGA Detected Via Repetitive Failures AnalyticsRule Detects large amounts of DNS resolution failures. Solution
Corelight - Possible Webshell (Rare PUT or POST) AnalyticsRule Detects rare post requests to a single webserver location. Solution
Corelight - Possible Webshell AnalyticsRule Detects post requests to unusual extensions. Solution
Corelight DataConnector The Corelight data connector enables incident responders and threat hunters who use Microsoft Sentinel to work faster and more effectively. The data connector enables ingestion of events from Zeek and Suricata via Corelight Sensors into Microsoft Sentinel. Solution
Corelight - Files in logs HuntingQuery Solution
Corelight - Repetitive DNS Failures HuntingQuery Solution
Corelight - External Facing Services HuntingQuery Solution
Corelight - Multiple Remote SMB Connections from single client HuntingQuery Solution
Corelight - File transferred by source HuntingQuery Solution
Corelight - Rare PUT or POST HuntingQuery Solution
Corelight - Obfuscated binary filenames HuntingQuery Solution
Corelight - Top sources of data transferred HuntingQuery Solution
Corelight - Abnormal Email Subject HuntingQuery Solution
Corelight - Compressed Files Transferred over HTTP HuntingQuery Solution
Corelight Parser Solution
Corelight Workbook Sets the time name for analysis Solution
CyberArk Enterprise Password Vault (EPV)/Sentinel CyberArk Enterprise Password Vault Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel. The EPV generates an XML Syslog message for every action taken against the Vault. The EPV will send the XML messages through the Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Azure Log Analytics. Refer to the CyberArk documentation for more guidance on SIEM integrations. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: Agent-based log collection (CEF over Syslog). Data Connectors: 1, Workbooks: 1 CyberArk Enterprise Password Vault (EPV) Events DataConnector CyberArk Enterprise Password Vault generates an XML Syslog message for every action taken against the Vault. The EPV will send the XML messages through the Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog staging server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Microsoft Log Analytics. Refer to the CyberArk documentation for more guidance on SIEM integrations. Solution
CyberArk EPV Events Workbook The CyberArk Syslog connector allows you to easily connect all your CyberArk security solution logs with your Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. Integration between CyberArk and Microsoft Sentinel makes use of the CEF Data Connector to properly parse and display CyberArk Syslog messages. Solution
CyberArk Endpoint Privilege Manager Important: This Microsoft Sentinel solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews. CyberArk Endpoint Privilege Manager (EPM) helps to remove the barriers to enforcing least privilege and allows organizations to block and contain attacks at the endpoint, reducing the risk of information being stolen or encrypted and held for ransom. The Microsoft Sentinel solution for CyberArk EPM allows a security administrator to pull Application Events and Policy Audit from the EPM management console using the cloud APIs into Microsoft Sentinel for analysis and as part of customers' threat modeling procedures. Data Connectors: 1, Parsers: 1. Learn more about CyberArk Endpoint Privilege Manager (EPM) CyberArkEPM - Process started from different locations AnalyticsRule Detects when a process is started from different locations on a host. Solution
CyberArkEPM - Uncommon Windows process started from System folder AnalyticsRule Detects when an uncommon Windows process is started from the System folder. Solution
CyberArkEPM - Attack attempt not blocked AnalyticsRule This rule triggers on an attack attempt which was not blocked by CyberArkEPM. Solution
CyberArkEPM - Unexpected executable extension AnalyticsRule Detects Windows executable with unexpected extension. Solution
CyberArkEPM - Renamed Windows binary AnalyticsRule Detects renamed Windows binaries. Solution
CyberArkEPM - Uncommon process Internet access AnalyticsRule Detects access to the Internet by uncommon processes. Solution
CyberArkEPM - MSBuild usage as LOLBin AnalyticsRule Detects usage of the MSBuild tool as a LOLBin. Solution
CyberArkEPM - Multiple attack types AnalyticsRule This rule triggers on multiple attack attempts triggered by the same user. Solution
CyberArkEPM - Unexpected executable location AnalyticsRule Detects a program run from an unexpected location. Solution
CyberArkEPM - Possible execution of Powershell Empire AnalyticsRule Detects possible execution of Powershell Empire. Solution
CyberArkEPM (using Azure Functions) DataConnector The CyberArk Endpoint Privilege Manager data connector provides the capability to retrieve security event logs of the CyberArk EPM services and more events into Microsoft Sentinel through the REST API. The connector provides the ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more. Solution
CyberArkEPM - Elevation requests HuntingQuery Solution
CyberArkEPM - Rare process vendors HuntingQuery Solution
CyberArkEPM - Powershell downloads HuntingQuery Solution
CyberArkEPM - Process hash changed HuntingQuery Solution
CyberArkEPM - Rare process run by users HuntingQuery Solution
CyberArkEPM - Scripts executed on hosts HuntingQuery Solution
CyberArkEPM - Processes with Internet access attempts HuntingQuery Solution
CyberArkEPM - Suspicious activity attempts HuntingQuery Solution
CyberArkEPM - Processes run as admin HuntingQuery Solution
CyberArkEPM - Powershell scripts execution parameters HuntingQuery Solution
CyberArkEPM Data Parser Parser Solution
CyberArk EPM Workbook Sets the time name for analysis Solution
ESET Inspect integration Use the ESET Inspect REST API to grab all detections and ingest them into Microsoft Sentinel. For more information about what exactly is ingested, please refer to the following URL: https://help.eset.com/ei_navigate/latest/en-US/api.html ESET Inspect (using Azure Function) DataConnector This connector will ingest detections from ESET Inspect using the provided REST API. This API is present in ESET Inspect version 1.4 and later. Solution
Threats detected by ESET AnalyticsRule Escalates threats detected by ESET. Solution
Website blocked by ESET AnalyticsRule Create alert on websites blocked by ESET. Solution
ESET PROTECT DataConnector This connector gathers all events generated by ESET software through the central management solution ESET PROTECT (formerly ESET Security Management Center). This includes Anti-Virus detections and Firewall detections, but also more advanced EDR detections. For a complete list of events please refer to the documentation. Solution
ESETPROTECT Data Parser Parser Solution
EsetProtect Workbook Visualize events and threats from ESET PROTECT. Solution
Cyberpion Security Logs The Cyberpion Security Logs will provide customers a connector to import Action Items into Microsoft Sentinel High Urgency Cyberpion Action Items AnalyticsRule This query creates an alert for active Cyberpion Action Items with high urgency (9-10). Urgency can be altered using the "min_urgency" variable in the query. Solution
Cyberpion Security Logs DataConnector The Cyberpion Security Logs data connector ingests logs from the Cyberpion system directly into Sentinel. The connector allows users to visualize their data, create alerts and incidents, and improve security investigations. Solution
Cyberpion Overview Workbook Use Cyberpion's Security Logs and this workbook, to get an overview of your online assets, gain insights into their current state, and find ways to better secure your ecosystem. Solution
Cybersixgill Actionable Alerts The challenge: Incident response activities often include repetitive tasks based on fragmented or insufficient information. Irrelevant alerts which cause fatigue and disparate tools for different tasks all add up - SOC analysts find it very difficult to keep up. At the same time, threat actors are actively searching for potential vulnerabilities and entry points. Once in the hands of even an amateur attacker, malicious tools can inflict considerable damage to an organization. However, it is not simple for an analyst to manually find threats - they would have to be familiar with the underground's many forums and markets, and it would also require them to have advanced skills and considerable time. Cybersixgill Solution: Cybersixgill's actionable alerts solution is designed to help SOC and CTI analysts fight cyber crime, detect phishing, data leaks, fraud and vulnerabilities as well as amplify incident response in real-time. The Cybersixgill alert integration empowers security teams that are using Microsoft Sentinel with contextual and actionable insights as well as the ability to proactively remediate threats as they emerge. Contextual data per alert includes: Know - Date, Description, Triggered Asset; Evaluate - Threat Level; Classify - Threat Type; Investigate - Actor, Site, Post details; Action - Cybersixgill Assessment and Recommendations. Alerts are triggered based on the Cybersixgill data lake, collected covertly from a wide range of sources including content from limited-access deep & dark web forums and markets, invite-only messaging groups, code repositories, paste sites and clear web platforms, processed to provide comprehensive insight into the nature and source of each threat. Cybersixgill Actionable Alerts (using Azure Function) DataConnector Actionable alerts provide customized alerts based on configured assets Solution
Cybersixgill Actionable alerts HuntingQuery Solution
Cybersixgill-Alert-Status-Update Playbook This playbook will update the status of Cybersixgill Alerts when the respective incident status is updated in Microsoft Sentinel Solution
Delete-Cybersixgill-Alert Playbook This playbook will delete the Alert on the Cybersixgill portal when the respective Incident is deleted in Microsoft Sentinel Solution
Cybersixgill Actionable Alerts Dashboard Workbook None. Solution
Cybersixgill Actionable Alerts List Workbook None. Solution
Cynerio Medical Device Security Sentinel Connector Cynerio is transforming healthcare IoT security so that patient care is completely insulated from attackers seeking to shut it down for malicious reasons. To that end we have several goals that inform how we want to help hospitals secure their healthcare IoT: promoting IoT security as a crucial extension of IT security; demonstrating that inventory by itself is not enough for IoMT and healthcare IoT security; assisting hospitals with making their networks less flat; leveraging IT security solutions that hospitals are already comfortable using for protecting their IoT assets; developing and disseminating a series of best practices for healthcare IoT security. Cynerio Security Events DataConnector The Cynerio connector allows you to easily connect your Cynerio Security Events with Microsoft Sentinel, to view IDS Events. This gives you more insight into your organization's network security posture and improves your security operation capabilities. Solution
CynerioEvent_Authentication Parser Solution
CynerioEvent_NetworkSession Parser Solution
Darktrace Please note, this solution is replacing the "AI Analyst Darktrace" Microsoft Sentinel solution, which will not be supported from 01 Dec, 2022. For full installation guidance please visit the Darktrace Customer Portal. Overview: The new Darktrace solution for Microsoft Sentinel brings unparalleled Self-Learning AI insights from Darktrace to be analyzed and correlated against the Microsoft product suite data in Microsoft Sentinel SIEM. Microsoft Sentinel users will find a detailed Darktrace Workbook which graphs a broad set of Darktrace data, including AI Analyst, apps, network and email alerting. Alongside that, Analytic Rule templates are provided to assist with automatic Microsoft Sentinel incident creation from AI Analyst breaches and Alert creation from Darktrace Model Breaches and System Alerts. The setup is greatly simplified with the Darktrace Data Connector. This outbound REST API connector only requires authentication details and web connectivity between Darktrace and Microsoft Sentinel, allowing users to connect Darktrace data to their SIEM in minutes, without having to rely on complex log-forwarding scenarios. Changes and improvements: New Data Connector. The Darktrace solution for Microsoft Sentinel moves away from using limited CEF Syslog data and pushes all Darktrace information directly into Microsoft Sentinel using the Azure Monitor API over HTTPS. Not only does this greatly simplify initial setup and troubleshooting, but it also ensures that more context-rich data is collected in Microsoft Sentinel, minimizing analyst context-switching. With the added flexibility of consuming JSON data, additional new data categories are now brought to Microsoft Sentinel: Darktrace/Email, AI Analyst Incidents, Darktrace/Endpoint, System Status Alerts. All data ingested from Darktrace is now placed in the custom log table. Redesigned Workbook. The Darktrace workbook has been redesigned from the ground up, ensuring Microsoft Sentinel analysts can get a comprehensive overview of Darktrace data at a glance: AI Analyst data now ingested into Microsoft Sentinel; a queue of AI Analyst incidents is displayed with a one-click pivot into a list of AI Analyst Incident Events belonging to the current incident grouping. Darktrace/Email data now ingested, which provides a breakdown of actions over emails in a specified timeframe as well as a recipient search allowing to quickly locate held emails and evaluate specific users for threats. Data from Darktrace DETECT, graphed and organized based on new model breach tags - Compliance, Information, Suspicious, Critical. A dedicated tab for Darktrace RESPOND for a quick review of the latest autonomous response actions. Darktrace/Endpoint data graphed in a separate tab, allowing a quick overview of threats beyond the perimeter. System Status alerts tab ensuring Darktrace users can stay on top of system health. Analytic Rule Templates. The new solution ships with a selection of Analytics Rules templates which automate the creation of Microsoft Sentinel Incidents and Alerts from Darktrace data. AI Analyst Incidents - runs as a Near-Real-Time (NRT) rule; a Microsoft Sentinel Incident is created with a dynamic severity setting for AI Analyst Incidents. Model Breaches - runs as a Near-Real-Time (NRT) rule; a Microsoft Sentinel alert is created with a dynamic severity based on the Model Breach. System Status Alerts - runs as a scheduled rule with 5 minute frequency and creates Microsoft Sentinel Alerts out of Darktrace System Status Alerts. Microsoft Sentinel analysts can pick which rules to activate and can modify the severities of resulting events according to the workflow standards for their organization. Darktrace System Status AnalyticsRule This rule creates Microsoft Sentinel Alerts based on Darktrace system status alerts for health monitoring, fetched every 5 minutes. Solution
Darktrace Model Breach AnalyticsRule This rule creates Microsoft Sentinel Alerts based on Darktrace Model Breaches, fetched every 5 minutes. Solution
Darktrace AI Analyst AnalyticsRule This rule creates Microsoft Sentinel Incidents based on Darktrace AI Analyst Incidents, fetched every 5 minutes. Solution
Darktrace Connector for Microsoft Sentinel REST API DataConnector The Darktrace REST API connector pushes real-time events from Darktrace to Microsoft Sentinel and is designed to be used with the Darktrace Solution for Sentinel. The connector writes logs to a custom log table titled "darktrace_model_alerts_CL"; Model Breaches, AI Analyst Incidents, System Alerts and Email Alerts can be ingested - additional filters can be set up on the Darktrace System Configuration page. Data is pushed to Sentinel from Darktrace masters. Solution
Darktrace Workbook The Darktrace Workbook visualises Model Breach and AI Analyst data received by the Darktrace Data Connector and visualises events across the network, SaaS, IaaS and Email. Solution
AI Analyst Darktrace The Darktrace connector and workbook allows users to connect Darktrace's real-time alerting with Microsoft Sentinel and enables the creation of custom Dashboards and alerts to improve investigations. In addition, the enhanced visibility that Microsoft Sentinel provides into Darktrace logs empowers more effective monitoring and mitigation of security threats. AI Analyst Darktrace DataConnector The Darktrace connector lets users connect Darktrace Model Breaches in real-time with Azure Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Azure Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats. Solution
AI Analyst Darktrace Model Breach Summary Workbook A workbook containing relevant KQL queries to help you visualise the data in model breaches from the Darktrace Connector Solution
Delinea Secret Server Delinea Secret Server is our flagship Privileged Access Management (PAM) SaaS offering hosted in Microsoft Azure. Our architecture is deployed in multiple global Azure Regions, including the USA, Canada, Germany, Singapore & Australia, and ensures performance, high availability and adherence with global compliance & privacy mandates. Delinea also has multiple integration points within the Microsoft stack, including Microsoft Sentinel. Secret Server and Microsoft Sentinel give organizations deep insight into privileged account usage. Used together, these tools provide secure access to privileged accounts and provide greater visibility to meet compliance mandates and detect internal network threats. The Delinea Secret Server data connector allows you to easily connect your Delinea Secret Server logs with Microsoft Sentinel so you can view dashboards, create custom alerts, and improve investigation. Delinea takes advantage of Azure's auto-scaling and built-in geo-redundancy, as well as Microsoft's latest threat management tools, including intrusion detection, denial-of-service (DDoS) attack prevention, anti-malware, penetration testing, analytics and machine learning. Delinea Secret Server DataConnector Common Event Format (CEF) from Delinea Secret Server Solution
Delinea Secret Server Workbook Workbook The Delinea Secret Server Syslog connector Solution
SIGNL4 - Mobile Alerting If you are a Security MSP it is all about fulfilling your customers' SLAs. SIGNL4 makes sure that you can respond to any security incident or threat up to 10x faster and from wherever you are. This will raise your response levels and increase accountability and visibility across your different teams and stakeholders. SIGNL4 adds the following capabilities to Microsoft Sentinel: enables instant response to security alerts, incidents and threats anywhere, anytime; reliable and persistent alerting via mobile push, SMS text and voice calls; targeted mobile notifications with response tracking and automated escalations; on-call scheduling and on-call management built in; automated workflows for mobile alert and incident delivery to on-call engineers; real-time cross-team transparency on ticket status and ownership on mobile devices; provides transparency of incident ownership while away from the desk; mobile app for Android and iPhone to conveniently manage alerts and incidents from anywhere. SIGNL4 provides seamless 2-way integration with your Microsoft Azure Security Solutions. SIGNL4 uses the Graph Security API and the Microsoft Sentinel API to access and pull incidents that are generated by tools like Sentinel, Defender for Cloud and others. SIGNL4 is a plug & play cloud solution. See the integration video here. Learn more and sign up for a free trial at signl4.com. Derdack SIGNL4 DataConnector When critical systems fail or security incidents happen, SIGNL4 bridges the 'last mile' to your staff, engineers, IT admins and workers in the field. It adds real-time mobile alerting to your services, systems, and processes in no time. SIGNL4 notifies through persistent mobile push, SMS text and voice calls with acknowledgement, tracking and escalation. Integrated duty and shift scheduling ensure the right people are alerted at the right time. Learn more > Solution
SIGNL4 Alerting and Response Playbook This playbook sends alerts with basic incident details to SIGNL4 teams when an incident is created in Microsoft Sentinel. Solution
Digital Shadows SearchLight Digital Shadows monitors and manages digital risk across the widest range of data sources within the open, deep, and dark web to protect an organization's business, brand, and reputation. The Digital Shadows SearchLight™ service combines scalable data analytics with intelligence analysts to manage and mitigate risks associated with an organization's cyber threat, data exposure, brand exposure, infrastructure exposure, physical threat, and third party risk. SearchLight creates an up-to-the-minute view of an organization's external digital risk with tailored threat intelligence. The Digital Shadows SearchLight for Microsoft Sentinel solution supports triage and reporting use cases: synchronize SearchLight alerts into Microsoft Sentinel; triage SearchLight alerts within the Incidents section of Microsoft Sentinel; visualize, analyze and export SearchLight alert trends using Microsoft Sentinel Workbooks. More information about the solution is available for clients at https://resources.digitalshadows.com/3859604261920687403723844504/digital-shadows-solution-for-microsoft-sentinel-v1-0-0-installation-configuration-and-user-guide Digital Shadows Incident Creation for include-app AnalyticsRule Digital Shadows Analytic rule for generating Microsoft Sentinel incidents for the data ingested by app polling for included classifications Solution
Digital Shadows Incident Creation for exclude-app AnalyticsRule Digital Shadows Analytic rule for generating Microsoft Sentinel incidents for the data ingested by app polling for excluded classifications Solution
Digital Shadows Searchlight (using Azure Functions) DataConnector The Digital Shadows data connector provides ingestion of the incidents and alerts from Digital Shadows Searchlight into Microsoft Sentinel using the REST API. The connector provides the incident and alert information that helps to examine, diagnose and analyse potential security risks and threats. Solution
Digital Shadows Playbook to Update Incident Status Playbook This playbook will update the status of Microsoft Sentinel incidents to match the status of the alerts imported from Digital Shadows SearchLight Solution
Digital Shadows Workbook For gaining insights into Digital Shadows logs. Solution
DomainTools Iris Investigate DomainTools Iris Investigate: Map connected infrastructure to get ahead of threats. Iris Investigate delivers dozens of domain-related attributes on every result including Risk Score, DNS, Whois, SSL, and more. It enables easy pivoting through different domain infrastructure and exposes meaningful insights with connection counts on most data fields. The Iris Investigate API is best suited for human-scale interactions, up to 20 lookups per minute. Use the optional Iris Enrich integration for higher volume lookups, up to 6,000 domains per minute. Available Playbooks: DomainTools Iris Investigate Domain Playbook - Given a domain or set of domains associated with an incident, return Whois, MX, DNS, SSL and related indicators from Iris Investigate, highlighting fields where fewer than 200-400 domains share an attribute. DomainTools Iris Investigate Domain Risk Score Playbook - Given a domain or set of domains associated with an incident, return the risk scores and adjust the severity of the incident if a high risk domain is observed. Add the risk scoring details in the comments of the incident. DomainTools Iris Investigate Guided Pivots Playbook - Given a domain, return Whois, MX, DNS, SSL and related indicators from Iris Investigate, highlighting, and automatically querying for, related domains sharing an attribute with the one in the incident. DomainTools Iris Investigate Malicious Tags Playbook - Track the activities of malicious actors using the Iris Investigate UI, tagging domains of interest. Given a domain or set of domains associated with an incident, query Iris Investigate for information on those domains, and if a specified set of tags is observed, mark the incident as "severe" in Sentinel and add a comment. DomainTools Iris Enrich Domain Playbook - This playbook uses the DomainTools Iris Enrich API, which we recommend over Iris Investigate for high-volume API lookup activities, up to 6,000 domains per minute. It is able to provide domain infrastructure information for a domain or set of domains associated with an incident. If your account is provisioned for Iris Enrich, use the Iris Enrich endpoint to return Whois, mailserver, DNS, SSL and related indicators from Iris Enrich for a given domain or set of domains. DomainTools Iris Investigate URL Playbook - Given a URL or set of URLs associated with an incident, return all DomainTools Iris Investigate data for the extracted domains from the URL as comments in the incident. DomainTools Iris Investigate With Farsight pDNS Playbook - Given a domain or set of domains associated with an incident, enrich the domain using the DomainTools Iris Investigate API, returning Whois and infrastructure details. Subsequently retrieve associated subdomains from passive DNS information seen in DNSDB. A separate Farsight DNSDB API subscription is required. Pre-requisites: You will need the following: a Microsoft Power Apps or Power Automate plan with the custom connector feature; an Azure subscription; a DomainTools API Username; a DomainTools API Key provisioned for Iris Investigate and optionally Iris Enrich and Farsight DNSDB if using those playbooks. How to Get Credentials: Contact sales@domaintools.com. Support: For all support requests and general inquiries you can contact enterprisesupport@domaintools.com DomainToolsFunctionApp AzureFunction Solution
Domain Enrichment - DomainTools Iris Enrich Playbook The DomainTools Iris Enrich API is more suited to high-volume API lookups than Iris Investigate and is able to provide domain infrastructure information for a domain or set of domains associated with an incident. Solution
Domain Enrichment - DomainTools Iris Investigate Playbook Given a domain or set of domains associated with an incident, return all Iris Investigate data for those domains as comments in the incident. Solution
Domain Risk Score - DomainTools Iris Investigate Playbook Given a domain or set of domains associated with an incident, return the risk scores and adjust the severity of the incident if a high risk domain is observed, adding the risk details in the comments of the incident. Solution
Guided Pivots - DomainTools Iris Investigate Playbook Given a domain, return all the Iris Investigate data, highlighting fields where fewer than 200 domains share an attribute, to clue investigators in to retrieve more data via the Iris Investigate UI (or further queries using the Iris Investigate API). Solution
Malicious Tags - DomainTools Iris Investigate Playbook Track the activities of malicious actors using the Iris Investigate UI, tagging domains of interest. Given a domain or set of domains associated with an incident, query Iris Investigate for information on those domains, and if a specified set of tags is observed, mark the incident as "severe" in Sentinel and add a comment. Solution
URL Enrichment - DomainTools Iris Investigate Playbook Given a URL or set of URLs associated with an incident, return all Iris Investigate data for the extracted domains from the URL as comments in the incident. Solution
Domain Enrichment - DomainTools Iris Investigate With Farsight DNSDB Playbook Given a domain or set of domains associated with an incident, enrich the domain using the DomainTools Iris Investigate API, returning Whois and infrastructure details. Subsequently retrieve associated subdomains from passive DNS information seen in Farsight's DNSDB. Solution
Dynatrace Software Intelligence Platform The Dynatrace with Microsoft Sentinel solution allows you to ingest detected Attacks, Vulnerabilities, Audit logs and problem events based on metrics, logs, and traces collected from monitored environments. In Microsoft Sentinel, SOC teams can then benefit from all the signals generated by the Dynatrace’s Davis AI without having to perform any of the heavy lifting. The solution also allows customers to combine alerts from best-in-class security solutions by enriching Attacks detected by the Dynatrace platform with these additional insights. Underlying Dynatrace Technologies used: Davis AI engine automatically and continuously delivers precise answers based on the current state of your environment. Davis® uses high-fidelity metrics, traces, logs, and user data mapped to a unified entity model to drive automation and deliver broader, deeper insights for modern cloud environments. Audit logs are crucial for tracking changes, compliance, and security-relevant events. Dynatrace can log such events so that you can review important changes: when the change was made, by whom, and what was changed. Runtime vulnerability analysis. Reduce the time and cost to find and fix application vulnerabilities. Leverage runtime context to precisely implement countermeasures and remediation. Runtime application protection. Reduce exposure to missed and zero-day vulnerabilities. Continuously detect and block common application attacks, such as SQL injection and command injection. Dynatrace Application Security - Attack detection AnalyticsRule Dynatrace has detected an ongoing attack in your environment. Solution
Dynatrace Application Security - Code-Level runtime vulnerability detection AnalyticsRule Detect code-level runtime vulnerabilities in your environment (insights by Snyk) Solution
Dynatrace - Problem detection AnalyticsRule Detect application & infrastructure problems in your environment Solution
Dynatrace Application Security - Third-Party runtime vulnerability detection AnalyticsRule Detect third-party runtime vulnerabilities in your environment (insights by Snyk) Solution
Dynatrace Application Security - Non-critical runtime vulnerability detection AnalyticsRule Detect non-critical runtime vulnerabilities in your environment (insights by Snyk) Solution
Dynatrace Attacks DataConnector This connector uses the Dynatrace Attacks REST API to ingest detected attacks into Microsoft Sentinel Log Analytics Solution
Dynatrace Audit Logs DataConnector This connector uses the Dynatrace Audit Logs REST API to ingest tenant audit logs into Microsoft Sentinel Log Analytics Solution
Dynatrace Problems DataConnector This connector uses the Dynatrace Problem REST API to ingest problem events into Microsoft Sentinel Log Analytics Solution
Dynatrace Runtime Vulnerabilities DataConnector This connector uses the Dynatrace Security Problem REST API to ingest detected runtime vulnerabilities into Microsoft Sentinel Log Analytics. Solution
DynatraceAttacks Parser Solution
DynatraceAuditLogs Parser Solution
DynatraceProblems Parser Solution
DynatraceSecurityProblems Parser Solution
Add Dynatrace Application Security Attack Source IP Address to Threat Intelligence Playbook This playbook will add an attacker's source IP to Threat Intelligence when a new incident is opened in Microsoft Sentinel. Solution
Enrich Dynatrace Application Security Attack with related Microsoft Defender 365 insights Playbook This playbook will enrich Dynatrace Application Security Attack with related Microsoft Defender 365 insights. Solution
Enrich Dynatrace Application Security Attack with related Microsoft Sentinel Security Alerts Playbook This playbook will enrich Dynatrace Application Security Attack with related Microsoft Sentinel Security Alerts. Solution
Enrich Dynatrace Application Security Attack Incident Playbook This playbook will enrich Dynatrace Application Security Attack Incidents with additional information when a new incident is opened. Solution
Ingest Microsoft Defender 365 insights into Dynatrace Playbook This playbook will ingest Microsoft Defender 365 insights into Dynatrace. Solution
Ingest Microsoft Sentinel Security Alerts into Dynatrace Playbook This playbook will ingest Microsoft Sentinel Security Alerts into Dynatrace. Solution
Dynatrace Workbook This workbook brings together queries and visualizations to assist you in identifying potential threats surfaced by Dynatrace. Solution
ExtraHop Reveal(x) The ExtraHop Reveal(x) data connector enables you to easily connect your Reveal(x) system with Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation. This integration gives you the ability to gain insight into your organization's network and improve your security operation capabilities. ExtraHop Reveal(x) DataConnector The ExtraHop Reveal(x) data connector enables you to easily connect your Reveal(x) system with Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation. This integration gives you the ability to gain insight into your organization's network and improve your security operation capabilities. Solution
ExtraHop Workbook Gain insights into ExtraHop Reveal(x) detections by analyzing traffic and activities. This workbook provides an overview of security detections in your organization's network, including high-risk detections and top participants. Solution
F5 Advanced WAF Integration via Telemetry Streaming F5's industry-leading BIG-IP Advanced Web Application Firewall (WAF) provides comprehensive application protection against threats and can be integrated with Microsoft Sentinel to analyze attack events and data in real-time. BIG-IP Advanced WAF leverages behavioral analytics, automated learning capabilities, and risk-based policies to secure your website, mobile apps, and APIs, whether in a native or hybrid Azure environment. Core capabilities of BIG-IP Advanced WAF include: Proactive bot defense protects against automated malicious bots while maintaining access for the good bots that help your business. L7 DoS mitigation to thwart app-layer denial of service attacks. OWASP Top 10 compliance dashboard to monitor prevention of OWASP Top 10 threats. API protocol security to secure REST/JSON, XML & GWT APIs. Behavioral analytics and machine learning provide highly accurate application-layer DoS detection and mitigation. In-Browser data encryption protects against data-extracting malware and keyloggers. Virtual patching to mitigate code-level and common vulnerabilities. Real-time reporting and telemetry streaming capabilities allow for fast analysis of attacks and exportation of data to 3rd party analytics and visualization tools such as Azure Sentinel. Integrating BIG-IP Advanced WAF with Microsoft Sentinel allows attack events and logs to be sent, visualized and analyzed in real-time within your Microsoft Sentinel workspace. Information can be transferred to Sentinel in two different ways; either through use of F5's Telemetry Streaming extension or by sending information in Common Event Format (CEF). The information below pertains to using the F5 Telemetry Streaming method; if you would like to use the CEF approach then please review this listing. F5's Telemetry Streaming (TS) extension, a component of F5's completely free Automation Toolchain, is used to aggregate and send data from BIG-IP Advanced WAF instances deployed on Azure, on-premises, or in any other environment to 3rd party visualization or analytics tools. F5 Telemetry Streaming is compatible with BIG-IP versions 13.1 and later, making this a prerequisite to employing this integration. The resources below detail how to configure BIG-IP instances with Telemetry Streaming to permit data transfer to Azure Sentinel. Additional Resources · Getting started with BIG-IP Advanced WAF and Microsoft Sentinel · F5 Telemetry Streaming Extension · Deploy BIG-IP Advanced WAF Virtual Edition (PAYG) from the Azure Marketplace · Deploy BIG-IP Best Virtual Edition (PAYG) from the Azure Marketplace · Deploy BIG-IP Advanced WAF (BYOL) from the Azure Marketplace F5 BIG-IP DataConnector The F5 firewall connector allows you to easily connect your F5 logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. Solution
F5 BIG-IP System Metrics Workbook Gain insight into F5 BIG-IP health and performance. This workbook provides visibility of various metrics including CPU, memory, connectivity, throughput and disk utilization. Solution
F5 BIG-IP ASM Workbook Gain insights into F5 BIG-IP Application Security Manager (ASM), by analyzing traffic and activities. This workbook provides insight into F5's web application firewall events and identifies attack traffic patterns across multiple ASM instances as well as overall BIG-IP health. Solution
F5 Advanced WAF Integration via Syslog/CEF F5's industry-leading BIG-IP Advanced Web Application Firewall (WAF) provides comprehensive application protection against threats and can be integrated with Microsoft Sentinel to analyze attack events and data in real-time. BIG-IP Advanced WAF leverages behavioral analytics, automated learning capabilities, and risk-based policies to secure your website, mobile apps, and APIs, whether in a native or hybrid Azure environment. Core capabilities of BIG-IP Advanced WAF include: Proactive bot defense protects against automated malicious bots while maintaining access for the good bots that help your business. L7 DoS mitigation to thwart app-layer denial of service attacks. OWASP Top 10 compliance dashboard to monitor prevention of OWASP Top 10 threats. API protocol security to secure REST/JSON, XML & GWT APIs. Behavioral analytics and machine learning provide highly accurate application-layer DoS detection and mitigation. In-Browser data encryption protects against data-extracting malware and keyloggers. Virtual patching to mitigate code-level and common vulnerabilities. Real-time reporting and telemetry streaming capabilities allow for fast analysis of attacks and exportation of data to 3rd party analytics and visualization tools such as Microsoft Sentinel. Integrating BIG-IP Advanced WAF with Microsoft Sentinel allows attack events and logs to be sent, visualized and analyzed in real-time within your Microsoft Sentinel workspace. Information can be transferred to Microsoft Sentinel in two different ways; either through use of F5's Telemetry Streaming extension or by sending information in Common Event Format (CEF). The information below pertains to using the CEF method; if you would like to use F5's Telemetry Streaming extension then please review this listing. Within BIG-IP Advanced WAF, security logging profiles can be configured to send attack events and data to Microsoft Sentinel in CEF format over Syslog, using F5's technology partner Arcsight. In order to enable this capability BIG-IP must be running v11.6.x or later. The resources below detail how to set up security logging profiles with CEF to begin sending data to Microsoft Sentinel, and a variety of options for deploying BIG-IP Advanced WAF on Azure from the Marketplace. Additional Resources · BIG-IP Advanced WAF Event Logging: Operations Guide " AskF5 · Configuring Application Security Event Logging " AskF5 · Deploy BIG-IP Advanced WAF Virtual Edition (PAYG) from the Azure Marketplace · Deploy BIG-IP Best Virtual Edition (PAYG) from the Azure Marketplace · Deploy BIG-IP Advanced WAF (BYOL) from the Azure Marketplace F5 Networks DataConnector
FalconForce FalconFriday Analytics The FalconFriday content is free to use and was developed by FalconForce. These rules are published together with blog posts explaining their focus and how to work with them. You can find these posts here: https://medium.com/falconforce. About FalconForce: Want to take your company's digital security to the next level? FalconForce was founded by professionals with a wealth of experience in digital security. We bring a combination of offensive and defensive security together in order to provide our clients the highest quality services. One of our commercial service offerings is an Advanced Detection Content subscription, providing you with newly researched, developed and documented premium detection rules every month. Our content goes beyond what endpoint detection solutions detect out-of-the-box. More information about this and our other services is available on our website. Component Object Model Hijacking - Vault7 trick AnalyticsRule This detection looks for the very specific value of "Attribute" in the "ShellFolder" CLSID of a COM object. This value (0xf090013d) seems to only link back to this specific persistence method. The blog post linked here (https://www.ired.team/offensive-security/code-execution/forcing-iexplore.exe-to-load-a-malicious-dll-via-com-abuse) provides more background on the meaning of this value. Solution
Disable or Modify Windows Defender AnalyticsRule This detection watches the commandline logs for known commands that are used to disable the Defender AV. This is based on research performed by @olafhartong on a large sample of malware for varying purposes. Note that this detection is imperfect and is only meant to serve as a basis for building a more resilient detection rule. Make the detection more resilient: currently the order of parameters matters, which you don't want for a production rule. See the blog post (https://medium.com/falconforce/falconfriday-av-manipulation-0xff0e-67ed4387f9ab?source=friends_link&sk=3c7c499797bbb4d74879e102ef3ecf8f) for more resilience considerations. The current approach can easily be bypassed by not using the powershell.exe executable. Consider adding more ways to detect this behavior. Solution
Detecting UAC bypass - elevated COM interface AnalyticsRule This query identifies processes spawned with high integrity from dllhost.exe with a command line that contains one of three specific CLSID GUIDs. Solution
Office ASR rule triggered from browser spawned office process. AnalyticsRule The attacker sends a spearphishing email to a user. The email contains a link which points to a website that eventually presents the user a download of an MS Office document. This document contains a malicious macro. The macro triggers one of the ASR rules. This detection looks for Office ASR violations triggered by an Office document opened from a browser. Note: be aware that you need to have the proper ASR rules enabled for this detection to work. Solution
Hijack Execution Flow - DLL Side-Loading AnalyticsRule This detection tries to identify all DLLs loaded by "high integrity" processes and cross-checks the DLL paths against FileCreate/FileModify events of the same DLL by a medium integrity process. Of course, we need to do some magic to filter out false positives as much as possible. So any FileCreate/FileModify done by "NT Authority\System" and the "RID 500" users aren't interesting. Also, we only want to see the FileCreate/FileModify actions which are performed with a default or limited token elevation. If done with a fully elevated token, the user is apparently admin already. Solution
Rename System Utilities AnalyticsRule Attackers often use LOLBINs that are renamed to avoid detection rules that are based on filenames. This rule detects renamed LOLBINs by first searching for all the known SHA1 hashes of the LOLBINs in your DeviceProcessEvents. This list is then used as reference to find other files executed which have a name that doesn't match the original filename. This query is really heavy on resources. Use it with care. Solution
Expired access credentials being used in Azure AnalyticsRule This query searches for logins with an expired access credential (for example an expired cookie). It then matches the IP address from which the expired credential access occurred with the IP addresses of successful logins. If there are logins with expired credentials, but no successful logins from an IP, this might indicate an attacker has copied the authentication cookie and is re-using it on another machine. Solution
Trusted Developer Utilities Proxy Execution AnalyticsRule This detection looks at process executions - in some cases with specific command line attributes to filter a lot of common noise. Solution
Suspicious parentprocess relationship - Office child processes. AnalyticsRule The attacker sends a spearphishing email to a user. The email contains a link, which points to a website that eventually presents the user a download of an MS Office document. This document contains a malicious macro. The macro spawns a new child process providing initial access. This detection looks for suspicious parent-process chains starting with a browser which spawns an Office application which spawns something else. Solution
Beacon Traffic Based on Common User Agents Visiting Limited Number of Domains AnalyticsRule This query searches web proxy logs for a specific type of beaconing behavior by joining a number of sources together: - Traffic by actual web browsers - by looking at traffic generated by a UserAgent that looks like a browser and is used by multiple users to visit a large number of domains. - Users that make requests using one of these actual browsers, but only to a small set of domains, none of which are common domains. - The traffic is beacon-like; meaning that it occurs during many different hours of the day (i.e. periodic). Solution
Azure AD UserAgent OS Mismatch AnalyticsRule This query extracts the operating system from the UserAgent header and compares this to the DeviceDetail information present in Azure Active Directory. Solution
Detecting UAC bypass - ChangePK and SLUI registry tampering AnalyticsRule This query identifies setting a registry key under HKCU, launching slui.exe and then ChangePK.exe. Solution
Azure AD Rare UserAgent App Sign-in AnalyticsRule This query establishes a baseline of the type of UserAgent (i.e. browser, office application, etc) that is typically used for a particular application by looking back for a number of days. It then searches the current day for any deviations from this pattern, i.e. types of UserAgents not seen before in combination with this application. Solution
Certified Pre-Owned - backup of CA private key - rule 2 AnalyticsRule This query identifies someone that performs a backup of the CA key. Solution
Detecting UAC bypass - modify Windows Store settings AnalyticsRule This query identifies modification of a specific registry key followed by launching wsreset.exe, which resets the Windows Store settings. Solution
Access Token Manipulation - Create Process with Token AnalyticsRule This query detects the use of the 'runas' command and checks whether the account used to elevate privileges isn't the user's own admin account. Additionally, it will match this event to the logon events - to check whether it has been successful as well as augment the event with the new SID. Solution
SMB/Windows Admin Shares AnalyticsRule This query is based on detecting incoming RPC/TCP on the SCM, followed by the start of a child process of services.exe. Remotely interacting with the SCM triggers the RPC/TCP traffic on services.exe, and the creation of the child processes is a result of starting the service. The query might look intimidating given its size. That's why we've commented the query per logic block to walk you through the details. Solution
Detect .NET runtime being loaded in JScript for code execution AnalyticsRule This query detects .NET being loaded from wscript or cscript to run .NET code, such as cactustorch and sharpshooter. All based on the DotNetToJScript by James Foreshaw documented here https://github.com/tyranid/DotNetToJScript. Solution
Suspicious Process Injection from Office application AnalyticsRule This query detects process injections using the CreateRemoteThread, QueueUserAPC or SetThreadContext APIs, originating from an Office process (only Word/Excel/PowerPoint) that might contain macros. Performing process injection from a macro is a common technique by attackers to escape out of the Office process into something longer running. Solution
Certified Pre-Owned - backup of CA private key - rule 1 AnalyticsRule This query identifies someone that performs a read operation of the CA key from the file. Solution
Excessive share permissions AnalyticsRule The query searches for event 5143, which is triggered when a share is created or changed and includes the share permissions. First it checks to see if this is a whitelisted share for the system (e.g. domain controller netlogon, print server print$ etc.). The share permissions are then checked against 'allow' rules (A) for a number of well known overly permissive groups, like all users, guests, authenticated users etc. If these are found, an alert is raised so the share creation may be audited. Note: this rule only checks for changed permissions, to prevent repeat alerts if for example a comment is changed, but the permissions are not altered. Solution
Certified Pre-Owned - TGTs requested with certificate authentication AnalyticsRule This query identifies someone using machine certificates to request Kerberos Ticket Granting Tickets (TGTs). Solution
Remote Desktop Protocol - SharpRDP AnalyticsRule This detection monitors for the behavior that SharpRDP exhibits on the target system. The most relevant is leveraging taskmgr.exe to gain elevated execution, which means that taskmgr.exe is creating unexpected child processes. Solution
DCOM Lateral Movement AnalyticsRule This detection looks for cases of close-time proximity between incoming network traffic on RPC/TCP, followed by the creation of a DCOM object, followed by the creation of a child process of the DCOM object. The query first identifies incoming network traffic over RPC/TCP, followed by the creation of a DCOM object (process) within 2 seconds, followed by the creation of a child process of this DCOM object. Solution
Match Legitimate Name or Location - 2 AnalyticsRule Attackers often match or approximate the name or location of legitimate files to avoid detection rules that are based on trust of certain operating system processes. This query detects mismatches in the parent-child relationship of core operating system processes to uncover different masquerading attempts. Solution
Suspicious named pipes AnalyticsRule This query looks for Named Pipe events that either contain one of the known IOCs or make use of patterns that can be linked to CobaltStrike usage. Solution
Password Spraying AnalyticsRule This query detects a password spraying attack, where a single machine has performed a large number of failed login attempts with a large number of different accounts. For each account, the attacker uses just a few attempts to prevent account lockout. This query uses the DeviceLogonEvents per machine to detect password spraying attacks. The machine against which the password spraying is performed (can be a DC, a server or even an endpoint) needs to be enrolled in Microsoft Defender for Endpoint. Solution
Oracle suspicious command execution AnalyticsRule The query searches process creation events that are indicative of an attacker spawning OS commands from an Oracle database. Solution
ASR Bypassing Writing Executable Content AnalyticsRule The query checks for any file which has been created/written by an Office application and shortly after renamed to one of the deny-listed "executable extensions" which are text files (e.g. .ps1, .js, .vbs). Solution
Ingress Tool Transfer - Certutil AnalyticsRule This detection addresses most of the known ways to utilize this binary for malicious/unintended purposes. It attempts to accommodate for most detection evasion techniques, like commandline obfuscation and binary renaming. Solution
Flare Flare is the proactive digital footprint monitoring solution for organizations. Our AI-driven technology constantly scans the online world, including the dark, deep and clear web, to discover unknown events, automatically prioritize risks and deliver actionable intelligence you can use instantly to improve security. Request a Free Trial! How can Microsoft Sentinel accelerate Flare's capacity to detect vulnerabilities? Fast track analysis of trends in various dark web platforms by offering real-time analysis and raising alerts or opening incidents when necessary. Out of the box analytics and automation rules can show you which platforms are worthy of your attention, and warn you if these change. Automate incident creation and the flow to resolve them, such as email warnings to employees when their credentials are compromised, and closing of the incident when the password has been changed. Directly integrate your pre-existing systems and processes with Flare. Avoid having to integrate through the API and save precious engineering time. Flare Leaked Credentials AnalyticsRule Searches for Flare Leaked Credentials Solution
Flare Cloud bucket result AnalyticsRule Results found on a publicly available cloud bucket Solution
Flare Darkweb result AnalyticsRule Result found on a darkweb platform Solution
Flare Google Dork result found AnalyticsRule Results were found using a Google dork Solution
Flare Host result AnalyticsRule Results found relating to IP, domain or host Solution
Flare Infected Device AnalyticsRule Infected Device found on darkweb or Telegram Solution
Flare Paste result AnalyticsRule Result found on code Snippet (paste) sharing platform Solution
Flare Source Code found AnalyticsRule Result found on Code Sharing platform Solution
Flare SSL Certificate result AnalyticsRule SSL Certificate registration found Solution
Flare DataConnector Flare connector allows you to receive data and intelligence from Flare on Microsoft Sentinel. Solution
credential-warning Playbook This playbook monitors all data received from Firework looking for leaked credentials (email:password combinations). When found, this playbook will send an email to the affected email address warning that their password has been leaked, recommending appropriate measures if necessary. To learn more about how to connect Firework to Microsoft Sentinel, see the API documentation. Solution
FlareSystemsFirework Workbook Select the time range for this Overview. Solution
Forescout eyeExtend Forescout delivers automated cybersecurity across the digital terrain, employing an innovative, agentless methodology to detect, identify and classify network devices. Forescout eyeExtend helps you improve your security posture, enforce compliance and increase Security Operations efficiency by automating security processes and response across products. By combining the Forescout platform's complete device visibility and insight with Sentinel's data mining expertise, Forescout eyeExtend for Microsoft Sentinel allows security managers to achieve a broader understanding of their security posture, visualize key control metrics and respond more quickly to mitigate a range of security incidents. Organizations benefit by optimizing time to insight, achieving quicker incident response and realizing strengthened network security. Benefits include: Automated threat management: Reduce your mean time to respond to threats with Microsoft Sentinel's security incident workbook powered by Forescout's Logic App to automate network response. Context enrichment for threats and detections: Enrich Microsoft Sentinel's threats with Forescout's complete visibility including physical and logical network location of threats, compromised users or endpoints, and current real-time exposed risk surface. Visibility and trend analysis: Gain real time insights into risk and attack surface telemetry for all your IT, IoT, IoMT and OT devices by visualizing and analyzing data from increased insight into device properties, profiling and classification. Forescout-DNS_Sniff_Event_Monitor AnalyticsRule This rule creates an incident when more than a certain number of Dnsniff events are generated from a host Solution
Forescout Host Property Monitor DataConnector The Forescout Host Property Monitor connector allows you to connect host properties from Forescout platform with Microsoft Sentinel, to view, create custom incidents, and improve investigation. This gives you more insight into your organization network and improves your security operation capabilities. Solution
HYAS Insight HYAS Insight is a threat investigation and attribution solution that uses exclusive data sources and non-traditional mechanisms to improve visibility and productivity for analysts, researchers, and investigators while increasing the accuracy of findings. HYAS Insight connects attack instances and campaigns to billions of indicators of compromise to deliver insights and visibility. With an easy-to-use user interface, transforms, and API access, HYAS Insight combines rich threat data into a powerful research and attribution solution. HYAS Insight is complemented by the HYAS Intelligence team that helps organizations to better understand the nature of the threats they face on a daily basis. Insight-Domain-C2-Attribution Playbook This playbook uses the HYAS Insight connector to automatically enrich incidents generated by Sentinel with C2 Attribution information. You need a valid subscription in order to use the connector and playbook. Learn more about the integration via the connector documentation or visit HYAS Insight to request a trial key. Solution
HYAS-Insight-Domain-Current-WHOIS Playbook This playbook uses the HYAS Insight connector to automatically enrich incidents generated by Sentinel with current WHOIS information. You need a valid subscription in order to use the connector and playbook. Learn more about the integration via the connector documentation or visit HYAS Insight to request a trial key. Solution
Insight-Domain-Historic-WHOIS Playbook This playbook uses the HYAS Insight connector to automatically enrich incidents generated by Sentinel with historic WHOIS information. You need a valid subscription in order to use the connector and playbook. Learn more about the integration via the connector documentation or visit HYAS Insight to request a trial key. Solution
HYAS-Insight-Domain-Passive-DNS Playbook This playbook uses the HYAS Insight connector to automatically enrich incidents generated by Sentinel with recent passive DNS records. You need a valid subscription in order to use the connector and playbook. Learn more about the integration via the connector documentation or visit HYAS Insight to request a trial key. Solution
HYAS-Insight-Email-C2-Attribution Playbook This playbook uses the HYAS Insight connector to automatically enrich incidents generated by Sentinel with C2 Attribution information. You need a valid subscription in order to use the connector and playbook. Learn more about the integration via the connector documentation or visit HYAS Insight to request a trial key. Solution
HYAS-Insight-Email-Dynamic-DNS Playbook This playbook uses the HYAS Insight connector to automatically enrich incidents generated by Sentinel with Dynamic DNS information. You need a valid subscription in order to use the connector and playbook. Learn more about the integration via the connector documentation or visit HYAS Insight to request a trial key. Solution
HYAS-Insight-Email-Historic-WHOIS Playbook This playbook uses the HYAS Insight connector to automatically enrich incidents generated by Sentinel with historic WHOIS information. You need a valid subscription in order to use the connector and playbook. Learn more about the integration via the connector documentation or visit HYAS Insight to request a trial key. Solution
HYAS-Insight-IP-C2-Attribution Playbook This playbook uses the HYAS Insight connector to automatically enrich incidents generated by Sentinel with historic WHOIS information. You need a valid subscription in order to use the connector and playbook. Learn more about the integration via the connector documentation or visit HYAS Insight to request a trial key. Solution
HYAS-Insight-IP-Dynamic-DNS Playbook This playbook uses the HYAS Insight connector to automatically enrich incidents generated by Sentinel with recent Dynamic DNS information. You need a valid subscription in order to use the connector and playbook. Learn more about the integration via the connector documentation or visit HYAS Insight to request a trial key. Solution
HYAS-Insight-IP-Passive-DNS Playbook This playbook uses the HYAS Insight connector to automatically enrich incidents generated by Sentinel with geolocation information. You need a valid subscription in order to use the connector and playbook. Learn more about the integration via the connector documentation or visit HYAS Insight to request a trial key. Solution
HYAS-Insight-IP-Passive-Hash Playbook This playbook uses the HYAS Insight connector to automatically enrich incidents generated by Sentinel with Passive Hash information. You need a valid subscription in order to use the connector and playbook. Learn more about the integration via the connector documentation or visit HYAS Insight to request a trial key. Solution
HYAS-Insight-IP-Sinkhole Playbook This playbook uses the HYAS Insight connector to automatically enrich incidents generated by Sentinel with Sinkhole information. You need a valid subscription in order to use the connector and playbook. Learn more about the integration via the connector documentation or visit HYAS Insight to request a trial key. Solution
HYAS-Insight-IP-SSL-Certificate Playbook This playbook uses the HYAS Insight connector to automatically enrich incidents generated by Sentinel with SSL certificate information. You need a valid subscription in order to use the connector and playbook. Learn more about the integration via the connector documentation or visit HYAS Insight to request a trial key. Solution
HYAS-Insight-IPv4-Device-Geo Playbook This playbook uses the HYAS Insight connector to automatically enrich incidents generated by Sentinel with geolocation information. You need a valid subscription in order to use the connector and playbook. Learn more about the integration via the connector documentation or visit HYAS Insight to request a trial key. Solution
HYAS-Insight-IPv6-Device-Geo Playbook This playbook uses the HYAS Insight connector to automatically enrich incidents generated by Sentinel with geolocation information. You need a valid subscription in order to use the connector and playbook. Learn more about the integration via the connector documentation or visit HYAS Insight to request a trial key. Solution
Insight-Phone-Number-Historic-WHOIS Playbook This playbook uses the HYAS Insight connector to automatically enrich incidents generated by Sentinel with historic WHOIS information. You need a valid subscription in order to use the connector and playbook. Learn more about the integration via the connector documentation or visit HYAS Insight to request a trial key. Solution
HYAS-Insight-SHA256-C2-Attribution Playbook This playbook uses the HYAS Insight connector to automatically enrich incidents generated by Sentinel with historic WHOIS information. You need a valid subscription in order to use the connector and playbook. Learn more about the integration via the connector documentation or visit HYAS Insight to request a trial key. Solution
iboss Connector iboss Zero Trust Edge service provides a free Microsoft Sentinel application connector that ingests iboss log events into Sentinel in real-time. iboss contextual information about how every user accesses every application resource with JIT approval per transaction provides a high fidelity signal into Sentinel to streamline investigations for faster response. Realtime stream of iboss logs into Sentinel with parser functions. In addition, iboss integration with Sentinel provides custom workbooks to help analysts expedite tasks and response workflows. iboss DataConnector The iboss data connector enables you to seamlessly connect your Threat Console to Microsoft Sentinel and enrich your instance with iboss URL event logs. Our logs are forwarded in Common Event Format (CEF) over Syslog and the configuration required can be completed on the iboss platform without the use of a proxy. Take advantage of our connector to garner critical data points and gain insight into security threats. Solution
iboss Zero Trust Edge service provides a free Microsoft Sentinel application connector that ingests iboss log events into Sentinel in real-time. iboss contextual information about how every user accesses every application resource with JIT approval per transaction provides a high fidelity signal into Sentinel to streamline investigations for faster response. Realtime stream of iboss logs into Sentinel with parser functions. In addition, iboss integration with Sentinel provides custom workbooks to help analysts expedite tasks and response workflows. ibossUrlEvent Parser Solution
iboss Zero Trust Edge service provides a free Microsoft Sentinel application connector that ingests iboss log events into Sentinel in real-time. iboss contextual information about how every user accesses every application resource with JIT approval per transaction provides a high fidelity signal into Sentinel to streamline investigations for faster response. Realtime stream of iboss logs into Sentinel with parser functions. In addition, iboss integration with Sentinel provides custom workbooks to help analysts expedite tasks and response workflows. iboss Malware and C2 Workbook A workbook providing insights into malware and C2 activity detected by iboss. Solution
iboss Zero Trust Edge service provides a free Microsoft Sentinel application connector that ingests iboss log events into Sentinel in real-time. iboss contextual information about how every user accesses every application resource with JIT approval per transaction provides a high fidelity signal into Sentinel to streamline investigations for faster response. Realtime stream of iboss logs into Sentinel with parser functions. In addition, iboss integration with Sentinel provides custom workbooks to help analysts expedite tasks and response workflows. iboss Web Usage Workbook A workbook providing insights into web usage activity detected by iboss. Solution
Illusive Attack Surface Analysis and Incident Logs Attack surface reduction is a powerful, innovative technique to deprive cyber attackers of the means with which they commit crimes: privileged credentials and remnant network connections. On average, 19% of an organization's endpoints contain accessible privileged credentials, which attackers can easily seize and use to infiltrate the network and move laterally towards crown jewels and high value assets.[1] Why leave privileged credentials and connections lying around... if you can clean them up? This important discovery and cleansing capability, created by Illusive, delivers immediate value to Microsoft customers seeking to protect their environments from nation-state attackers and insider threats. The Illusive data connector allows you to share Illusive's attack surface analysis data and incident logs with Microsoft Sentinel and view this information in dedicated dashboards that offer insight into your organization's attack surface risk (Microsoft Sentinel Spotlight Dashboard) and track unauthorized lateral movement in your organization's network (Microsoft Sentinel Shadow Dashboard). With this capability, users of Microsoft Sentinel can monitor their attack surface credential and connection risk, and stop attackers in their network by leveraging high-fidelity Illusive alerts. [1] Source: Illusive Illusive Incidents Analytic Rule AnalyticsRule Create a Sentinel incident upon a new Illusive alert (incident) and associate all related Illusive events to the relevant Sentinel alert. This is done by filtering and processing Illusive Syslog messages. Solution
Attack surface reduction is a powerful, innovative technique to deprive cyber attackers of the means with which they commit crimes: privileged credentials and remnant network connections. On average, 19% of an organization's endpoints contain accessible privileged credentials, which attackers can easily seize and use to infiltrate the network and move laterally towards crown jewels and high value assets.[1] Why leave privileged credentials and connections lying around... if you can clean them up? This important discovery and cleansing capability, created by Illusive, delivers immediate value to Microsoft customers seeking to protect their environments from nation-state attackers and insider threats. The Illusive data connector allows you to share Illusive's attack surface analysis data and incident logs with Microsoft Sentinel and view this information in dedicated dashboards that offer insight into your organization's attack surface risk (Microsoft Sentinel Spotlight Dashboard) and track unauthorized lateral movement in your organization's network (Microsoft Sentinel Shadow Dashboard). With this capability, users of Microsoft Sentinel can monitor their attack surface credential and connection risk, and stop attackers in their network by leveraging high-fidelity Illusive alerts. [1] Source: Illusive Illusive Platform DataConnector The Illusive Platform Connector allows you to share Illusive's attack surface analysis data and incident logs with Microsoft Sentinel and view this information in dedicated dashboards that offer insight into your organization's attack surface risk (ASM Dashboard) and track unauthorized lateral movement in your organization's network (ADS Dashboard). Solution
Attack surface reduction is a powerful, innovative technique to deprive cyber attackers of the means with which they commit crimes: privileged credentials and remnant network connections. On average, 19% of an organization's endpoints contain accessible privileged credentials, which attackers can easily seize and use to infiltrate the network and move laterally towards crown jewels and high value assets.[1] Why leave privileged credentials and connections lying around... if you can clean them up? This important discovery and cleansing capability, created by Illusive, delivers immediate value to Microsoft customers seeking to protect their environments from nation-state attackers and insider threats. The Illusive data connector allows you to share Illusive's attack surface analysis data and incident logs with Microsoft Sentinel and view this information in dedicated dashboards that offer insight into your organization's attack surface risk (Microsoft Sentinel Spotlight Dashboard) and track unauthorized lateral movement in your organization's network (Microsoft Sentinel Shadow Dashboard). With this capability, users of Microsoft Sentinel can monitor their attack surface credential and connection risk, and stop attackers in their network by leveraging high-fidelity Illusive alerts. [1] Source: Illusive Illusive ADS Dashboard Workbook Gain insights into unauthorized lateral movement in your organization's network. Illusive ADS is designed to paralyze attackers and eradicate in-network threats by creating a hostile environment for the attackers across all the layers of the attack surface. Solution
Attack surface reduction is a powerful, innovative technique to deprive cyber attackers of the means with which they commit crimes: privileged credentials and remnant network connections. On average, 19% of an organization's endpoints contain accessible privileged credentials, which attackers can easily seize and use to infiltrate the network and move laterally towards crown jewels and high value assets.[1] Why leave privileged credentials and connections lying around... if you can clean them up? This important discovery and cleansing capability, created by Illusive, delivers immediate value to Microsoft customers seeking to protect their environments from nation-state attackers and insider threats. The Illusive data connector allows you to share Illusive's attack surface analysis data and incident logs with Microsoft Sentinel and view this information in dedicated dashboards that offer insight into your organization's attack surface risk (Microsoft Sentinel Spotlight Dashboard) and track unauthorized lateral movement in your organization's network (Microsoft Sentinel Shadow Dashboard). With this capability, users of Microsoft Sentinel can monitor their attack surface credential and connection risk, and stop attackers in their network by leveraging high-fidelity Illusive alerts. [1] Source: Illusive Illusive ASM Dashboard Workbook Gain insights into your organization's Cyber Hygiene and Attack Surface risk. Illusive ASM automates discovery and clean-up of credential violations, allows drill-down inspection of pathways to critical assets, and provides risk insights that inform intelligent decision-making to reduce attacker mobility. Solution
Infoblox Cloud This solution allows you to easily connect Infoblox Cloud to Microsoft Sentinel.Infoblox: Simplify and automate networking and security across a diverse multi-cloud infrastructure.BloxOne DDI is the industryΓÇÖs first DDI solution that enables you to centrally manage and automate DDI from the cloud to any and all locations with unprecedented cost efficiency. Built using cloud-native principles and available as a SaaS service, BloxOne DDI greatly simplifies network management by eliminating the complexity, bottlenecks and scalability limitations of traditional DDI implementations.BloxOne Threat Defense (TD) maximizes brand protection by working with your existing defenses to protect your network and automatically extend security to your digital imperatives, including SD-WAN, IoT and the cloud. It powers security orchestration, automation and response (SOAR) solutions, slashes the time to investigate and remediate cyberthreats, optimizes the performance of the entire security ecosystem and reduces the total cost of enterprise threat defense.Network Identity Operating System (NIOS) is the operating system that powers Infoblox core network services, ensuring non-stop operation of network infrastructure. The basis for Next Level Networking, NIOS automates the error-prone and time-consuming manual tasks associated with deploying and managing DNS, DHCP, and IP address management (IPAM) required for continuous network availability and business uptime.Via the Infoblox CDC, you can send your logs to Microsoft Sentinel to be enriched with the out-of-box content that comes with this solution. The Infoblox Cloud Data Connector (CDC) is a device designed to be deployed anywhere to collect DNS query and response data, DHCP events, and security logs from your choice of Infoblox products (including DDI, TD and NIOS). 
It also gives you the ability to easily filter the data before sending it to your chosen locations (such as a SIEM like Microsoft Sentinel) so that you donΓÇÖt waste resources filling your SIEM platform with junk. This saves your organization steep costs of data retention and time needed to find ways to transfer the data out and into your own data pools.The CDC is a feature of BloxOne Threat Defense, and as such, requires an appropriate Threat Defense license and deployment.This solution allows you to easily connect Infoblox Cloud to Microsoft Sentinel.Instantly ingest your data into Microsoft Sentinel to be richly parsed, searched, visualized and monitored.Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 3Microsoft Sentinel solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step. Infoblox - High Number of High Threat Level Queries Detected AnalyticsRule This creates an incident in the event a single host generates at least 200 high threat level RPZ queries (Threat Defense security hits) in 1 hour. Query count threshold and scheduling is customizable. This rule depends on a parser based on a Kusto Function to work as expected called InfobloxCDC. Solution
This solution allows you to easily connect Infoblox Cloud to Microsoft Sentinel.Infoblox: Simplify and automate networking and security across a diverse multi-cloud infrastructure.BloxOne DDI is the industryΓÇÖs first DDI solution that enables you to centrally manage and automate DDI from the cloud to any and all locations with unprecedented cost efficiency. Built using cloud-native principles and available as a SaaS service, BloxOne DDI greatly simplifies network management by eliminating the complexity, bottlenecks and scalability limitations of traditional DDI implementations.BloxOne Threat Defense (TD) maximizes brand protection by working with your existing defenses to protect your network and automatically extend security to your digital imperatives, including SD-WAN, IoT and the cloud. It powers security orchestration, automation and response (SOAR) solutions, slashes the time to investigate and remediate cyberthreats, optimizes the performance of the entire security ecosystem and reduces the total cost of enterprise threat defense.Network Identity Operating System (NIOS) is the operating system that powers Infoblox core network services, ensuring non-stop operation of network infrastructure. The basis for Next Level Networking, NIOS automates the error-prone and time-consuming manual tasks associated with deploying and managing DNS, DHCP, and IP address management (IPAM) required for continuous network availability and business uptime.Via the Infoblox CDC, you can send your logs to Microsoft Sentinel to be enriched with the out-of-box content that comes with this solution. The Infoblox Cloud Data Connector (CDC) is a device designed to be deployed anywhere to collect DNS query and response data, DHCP events, and security logs from your choice of Infoblox products (including DDI, TD and NIOS). 
It also gives you the ability to easily filter the data before sending it to your chosen locations (such as a SIEM like Microsoft Sentinel) so that you donΓÇÖt waste resources filling your SIEM platform with junk. This saves your organization steep costs of data retention and time needed to find ways to transfer the data out and into your own data pools.The CDC is a feature of BloxOne Threat Defense, and as such, requires an appropriate Threat Defense license and deployment.This solution allows you to easily connect Infoblox Cloud to Microsoft Sentinel.Instantly ingest your data into Microsoft Sentinel to be richly parsed, searched, visualized and monitored.Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 3Microsoft Sentinel solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step. Infoblox - High Number of NXDOMAIN DNS Responses Detected AnalyticsRule This creates an incident in the event a single host generates at least 200 DNS responses for non-existent domains in 1 hour. Query count threshold and scheduling is customizable. This rule depends on a parser based on a Kusto Function to work as expected called InfobloxCDC. Solution
This solution allows you to easily connect Infoblox Cloud to Microsoft Sentinel.Infoblox: Simplify and automate networking and security across a diverse multi-cloud infrastructure.BloxOne DDI is the industryΓÇÖs first DDI solution that enables you to centrally manage and automate DDI from the cloud to any and all locations with unprecedented cost efficiency. Built using cloud-native principles and available as a SaaS service, BloxOne DDI greatly simplifies network management by eliminating the complexity, bottlenecks and scalability limitations of traditional DDI implementations.BloxOne Threat Defense (TD) maximizes brand protection by working with your existing defenses to protect your network and automatically extend security to your digital imperatives, including SD-WAN, IoT and the cloud. It powers security orchestration, automation and response (SOAR) solutions, slashes the time to investigate and remediate cyberthreats, optimizes the performance of the entire security ecosystem and reduces the total cost of enterprise threat defense.Network Identity Operating System (NIOS) is the operating system that powers Infoblox core network services, ensuring non-stop operation of network infrastructure. The basis for Next Level Networking, NIOS automates the error-prone and time-consuming manual tasks associated with deploying and managing DNS, DHCP, and IP address management (IPAM) required for continuous network availability and business uptime.Via the Infoblox CDC, you can send your logs to Microsoft Sentinel to be enriched with the out-of-box content that comes with this solution. The Infoblox Cloud Data Connector (CDC) is a device designed to be deployed anywhere to collect DNS query and response data, DHCP events, and security logs from your choice of Infoblox products (including DDI, TD and NIOS). 
It also gives you the ability to easily filter the data before sending it to your chosen locations (such as a SIEM like Microsoft Sentinel) so that you donΓÇÖt waste resources filling your SIEM platform with junk. This saves your organization steep costs of data retention and time needed to find ways to transfer the data out and into your own data pools.The CDC is a feature of BloxOne Threat Defense, and as such, requires an appropriate Threat Defense license and deployment.This solution allows you to easily connect Infoblox Cloud to Microsoft Sentinel.Instantly ingest your data into Microsoft Sentinel to be richly parsed, searched, visualized and monitored.Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 3Microsoft Sentinel solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step. Infoblox - High Threat Level Query Not Blocked Detected AnalyticsRule This creates an incident in the event a single host generates at least 1 high threat level query (Threat Defense security hit) that is not blocked or redirected in 1 hour. Query count threshold and scheduling is customizable. This rule depends on a parser based on a Kusto Function to work as expected called InfobloxCDC. Solution
This solution allows you to easily connect Infoblox Cloud to Microsoft Sentinel.Infoblox: Simplify and automate networking and security across a diverse multi-cloud infrastructure.BloxOne DDI is the industryΓÇÖs first DDI solution that enables you to centrally manage and automate DDI from the cloud to any and all locations with unprecedented cost efficiency. Built using cloud-native principles and available as a SaaS service, BloxOne DDI greatly simplifies network management by eliminating the complexity, bottlenecks and scalability limitations of traditional DDI implementations.BloxOne Threat Defense (TD) maximizes brand protection by working with your existing defenses to protect your network and automatically extend security to your digital imperatives, including SD-WAN, IoT and the cloud. It powers security orchestration, automation and response (SOAR) solutions, slashes the time to investigate and remediate cyberthreats, optimizes the performance of the entire security ecosystem and reduces the total cost of enterprise threat defense.Network Identity Operating System (NIOS) is the operating system that powers Infoblox core network services, ensuring non-stop operation of network infrastructure. The basis for Next Level Networking, NIOS automates the error-prone and time-consuming manual tasks associated with deploying and managing DNS, DHCP, and IP address management (IPAM) required for continuous network availability and business uptime.Via the Infoblox CDC, you can send your logs to Microsoft Sentinel to be enriched with the out-of-box content that comes with this solution. The Infoblox Cloud Data Connector (CDC) is a device designed to be deployed anywhere to collect DNS query and response data, DHCP events, and security logs from your choice of Infoblox products (including DDI, TD and NIOS). 
It also gives you the ability to easily filter the data before sending it to your chosen locations (such as a SIEM like Microsoft Sentinel) so that you donΓÇÖt waste resources filling your SIEM platform with junk. This saves your organization steep costs of data retention and time needed to find ways to transfer the data out and into your own data pools.The CDC is a feature of BloxOne Threat Defense, and as such, requires an appropriate Threat Defense license and deployment.This solution allows you to easily connect Infoblox Cloud to Microsoft Sentinel.Instantly ingest your data into Microsoft Sentinel to be richly parsed, searched, visualized and monitored.Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 3Microsoft Sentinel solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step. Infoblox Cloud Data Connector DataConnector The Infoblox Cloud Data Connector allows you to easily connect your Infoblox BloxOne data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log. Solution
This solution allows you to easily connect Infoblox Cloud to Microsoft Sentinel.Infoblox: Simplify and automate networking and security across a diverse multi-cloud infrastructure.BloxOne DDI is the industryΓÇÖs first DDI solution that enables you to centrally manage and automate DDI from the cloud to any and all locations with unprecedented cost efficiency. Built using cloud-native principles and available as a SaaS service, BloxOne DDI greatly simplifies network management by eliminating the complexity, bottlenecks and scalability limitations of traditional DDI implementations.BloxOne Threat Defense (TD) maximizes brand protection by working with your existing defenses to protect your network and automatically extend security to your digital imperatives, including SD-WAN, IoT and the cloud. It powers security orchestration, automation and response (SOAR) solutions, slashes the time to investigate and remediate cyberthreats, optimizes the performance of the entire security ecosystem and reduces the total cost of enterprise threat defense.Network Identity Operating System (NIOS) is the operating system that powers Infoblox core network services, ensuring non-stop operation of network infrastructure. The basis for Next Level Networking, NIOS automates the error-prone and time-consuming manual tasks associated with deploying and managing DNS, DHCP, and IP address management (IPAM) required for continuous network availability and business uptime.Via the Infoblox CDC, you can send your logs to Microsoft Sentinel to be enriched with the out-of-box content that comes with this solution. The Infoblox Cloud Data Connector (CDC) is a device designed to be deployed anywhere to collect DNS query and response data, DHCP events, and security logs from your choice of Infoblox products (including DDI, TD and NIOS). 
It also gives you the ability to easily filter the data before sending it to your chosen locations (such as a SIEM like Microsoft Sentinel) so that you donΓÇÖt waste resources filling your SIEM platform with junk. This saves your organization steep costs of data retention and time needed to find ways to transfer the data out and into your own data pools.The CDC is a feature of BloxOne Threat Defense, and as such, requires an appropriate Threat Defense license and deployment.This solution allows you to easily connect Infoblox Cloud to Microsoft Sentinel.Instantly ingest your data into Microsoft Sentinel to be richly parsed, searched, visualized and monitored.Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 3Microsoft Sentinel solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step. Infoblox Cloud Data Connector Data Parser Parser Solution
This solution allows you to easily connect Infoblox Cloud to Microsoft Sentinel.Infoblox: Simplify and automate networking and security across a diverse multi-cloud infrastructure.BloxOne DDI is the industryΓÇÖs first DDI solution that enables you to centrally manage and automate DDI from the cloud to any and all locations with unprecedented cost efficiency. Built using cloud-native principles and available as a SaaS service, BloxOne DDI greatly simplifies network management by eliminating the complexity, bottlenecks and scalability limitations of traditional DDI implementations.BloxOne Threat Defense (TD) maximizes brand protection by working with your existing defenses to protect your network and automatically extend security to your digital imperatives, including SD-WAN, IoT and the cloud. It powers security orchestration, automation and response (SOAR) solutions, slashes the time to investigate and remediate cyberthreats, optimizes the performance of the entire security ecosystem and reduces the total cost of enterprise threat defense.Network Identity Operating System (NIOS) is the operating system that powers Infoblox core network services, ensuring non-stop operation of network infrastructure. The basis for Next Level Networking, NIOS automates the error-prone and time-consuming manual tasks associated with deploying and managing DNS, DHCP, and IP address management (IPAM) required for continuous network availability and business uptime.Via the Infoblox CDC, you can send your logs to Microsoft Sentinel to be enriched with the out-of-box content that comes with this solution. The Infoblox Cloud Data Connector (CDC) is a device designed to be deployed anywhere to collect DNS query and response data, DHCP events, and security logs from your choice of Infoblox products (including DDI, TD and NIOS). 
It also gives you the ability to easily filter the data before sending it to your chosen locations (such as a SIEM like Microsoft Sentinel) so that you don't waste resources filling your SIEM platform with junk. This saves your organization steep costs of data retention and time needed to find ways to transfer the data out and into your own data pools. The CDC is a feature of BloxOne Threat Defense, and as such, requires an appropriate Threat Defense license and deployment. This solution allows you to easily connect Infoblox Cloud to Microsoft Sentinel. Instantly ingest your data into Microsoft Sentinel to be richly parsed, searched, visualized and monitored. Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 3. Microsoft Sentinel solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step. Infoblox Cloud Data Connector Workbook Sets the time name for analysis Solution
AgileSec Analytics Connector AgileSec Analytics automates the discovery and analysis of machine identities and cryptographic mechanisms deployed across a digital ecosystem. Cryptographic Challenges: Organizations lack comprehensive visibility about their global reliance on cryptography. This blind spot can lead to substantial damages ranging from unpredictable system downtime to compliance failures or data breaches. Main challenges include: How to verify that machine identities deployed across digital systems are all authorized, safe and compliant. How to verify that cryptographic algorithms configured in systems are safe and compliant. How to verify that critical applications are using safe cryptographic libraries and cryptographic algorithms. How to prevent shadow IT from generating insecure and non-compliant machine identities. How to avoid leakage of sensitive keying material into insecure systems or applications. Core Capabilities: AgileSec Analytics, deployed separately, enables organizations to build a complete inventory of their cryptographic assets and reinforce their cyber resilience. The solution provides the following core capabilities: Analyse Hosts, Applications and Networks for cryptography. 
Detect Machine Identities, including X.509 Certificates, Private and Public Keys, SSH Keys, Keystores and truststores present on hosts or embedded in applications. Detect cryptographic mechanisms, including Cryptographic Libraries and Cryptographic Algorithms embedded in applications. Assess cryptographic vulnerabilities and compliance gaps. Export findings from AgileSec Analytics directly to Azure Sentinel and perform advanced analysis. Target Audience: The AgileSec Analytics solution targets the following users: IT Operations, looking to receive alerts when monitored hosts are identified with cryptographic vulnerabilities. DevOps, looking to receive alerts when monitored applications are identified with cryptographic vulnerabilities. Security Teams, looking to understand their current cryptographic situation. InfoSecGlobal Data Connector DataConnector Use this data connector to integrate with InfoSec Crypto Analytics and get data sent directly to Microsoft Sentinel. Solution
AgileSec Analytics automates the discovery and analysis of machine identities and cryptographic mechanisms deployed across a digital ecosystem. Cryptographic Challenges: Organizations lack comprehensive visibility about their global reliance on cryptography. This blind spot can lead to substantial damages ranging from unpredictable system downtime to compliance failures or data breaches. Main challenges include: How to verify that machine identities deployed across digital systems are all authorized, safe and compliant. How to verify that cryptographic algorithms configured in systems are safe and compliant. How to verify that critical applications are using safe cryptographic libraries and cryptographic algorithms. How to prevent shadow IT from generating insecure and non-compliant machine identities. How to avoid leakage of sensitive keying material into insecure systems or applications. Core Capabilities: AgileSec Analytics, deployed separately, enables organizations to build a complete inventory of their cryptographic assets and reinforce their cyber resilience. The solution provides the following core capabilities: Analyse Hosts, Applications and Networks for cryptography. 
Detect Machine Identities, including X.509 Certificates, Private and Public Keys, SSH Keys, Keystores and truststores present on hosts or embedded in applications. Detect cryptographic mechanisms, including Cryptographic Libraries and Cryptographic Algorithms embedded in applications. Assess cryptographic vulnerabilities and compliance gaps. Export findings from AgileSec Analytics directly to Azure Sentinel and perform advanced analysis. Target Audience: The AgileSec Analytics solution targets the following users: IT Operations, looking to receive alerts when monitored hosts are identified with cryptographic vulnerabilities. DevOps, looking to receive alerts when monitored applications are identified with cryptographic vulnerabilities. Security Teams, looking to understand their current cryptographic situation. AgileSec Analytics Connector Workbook Sets the time name for analysis. Solution
Intel 471 Threat Intelligence The core of Intel 471 Malware Intelligence is the unique and patented Malware Emulation and Tracking System (METS). METS provides ongoing surveillance of malware activity at the command and control level, delivering near real-time insights and deep context in support of numerous cybersecurity and intelligence use cases, such as security operations (NOC/SOC), threat hunting, incident response, campaign tracking, and third-party supplier and vendor risk. This integration ingests malware indicators into Microsoft Graph Security so they can be used by tools such as Microsoft Sentinel or Microsoft Defender. Intel 471 Malware Intelligence Playbook This playbook ingests malware indicators from Intel 471's Titan API into the ThreatIntelligenceIndicator table. Solution
IPQualityScore Fraud & Risk Scoring IPQS provides an advanced fraud & risk scoring suite. The playbooks included in this pack analyze threat details in real-time: Sophisticated threat hunting with automated analysis. IP address reputation risk analysis with connection details, Proxy & VPN detection, and bot identification. Detect invalid, abusive, high risk, and temporary or disposable email addresses. Phishing, malware, and suspicious URL or domain analysis. Parked domain detection, domain reputation, and domain age calculation. Easy risk scores to identify threat severity. Simply plug in your IPQS API key to enable real-time scoring. Instantly mitigate fraud & abuse and advanced attacks. Enrich-Sentinel-IPQualityScore-Email-Address-Reputation Playbook This playbook uses the IPQS Fraud and Risk Scoring connector to automatically enrich Email Addresses found in the Sentinel incidents. This Playbook Template provides the Reputation such as Critical, High Risk, Moderate Risk, Low Risk, Invalid, Clean based on the Fraud Score of the Email Address. Learn more about the integration via the https://docs.microsoft.com/connectors/ipqsfraudandriskscor/ or visit https://www.ipqualityscore.com/contact-us to request a trial key. Solution
Enrich-Sentinel-IPQualityScore-IP-Address-Reputation Playbook This playbook uses the IPQS Fraud and Risk Scoring connector to automatically enrich IP Addresses found in the Sentinel incidents. This Playbook Template provides the Reputation such as Critical, High Risk, Moderate Risk, Suspicious, Clean based on Fraud Score. Learn more about the integration via the https://docs.microsoft.com/connectors/ipqsfraudandriskscor/ or visit https://www.ipqualityscore.com/contact-us to request a trial key. Solution
Enrich-Sentinel-IPQualityScore-Phone-Number-Reputation Playbook This playbook uses the IPQS Fraud and Risk Scoring connector to automatically enrich Phone Numbers found in the Sentinel incidents. This Playbook Template provides the Reputation such as High Risk, Moderate Risk, Low Risk, Suspicious, Clean based on Fraud Score. Learn more about the integration via the https://docs.microsoft.com/connectors/ipqsfraudandriskscor/ or visit https://www.ipqualityscore.com/contact-us to request a trial key. Solution
Enrich-Sentinel-IPQualityScore-URL-Reputation Playbook This playbook uses the IPQS Fraud and Risk Scoring connector to automatically enrich URLs found in the Sentinel incidents. This Playbook Template provides the Reputation such as Critical, High Risk, Moderate Risk, Low Risk, Suspicious, Clean based on Fraud Score. Learn more about the integration via the https://docs.microsoft.com/connectors/ipqsfraudandriskscor/ or visit https://www.ipqualityscore.com/contact-us to request a trial key. Solution
Enrich_Sentinel_IPQualityScore_Domain_Reputation Playbook This playbook uses the IPQS Fraud and Risk Scoring connector to automatically enrich Domains found in the Sentinel incidents. This Playbook Template provides the Reputation such as Critical, High Risk, Moderate Risk, Low Risk, Suspicious, Clean based on Risk Score. Learn more about the integration via the https://docs.microsoft.com/connectors/ipqsfraudandriskscor/ or visit https://www.ipqualityscore.com/contact-us to request a trial key. Solution
Island Island, the Enterprise Browser is the ideal enterprise workplace, where work flows freely while remaining fundamentally secure. With the core needs of the enterprise naturally embedded in the browser itself, Island gives organizations complete control, visibility, and governance over the last mile, while delivering the same smooth Chromium-based browser experience users expect. The Island Solution for Microsoft Sentinel enables events from the Island Management Console to be automatically shared with Microsoft Sentinel for real-time analysis. This solution includes user and admin event collection capabilities that provide expanded context beyond your existing log sources, which help your security teams monitor and analyze the data and respond accordingly. Island Enterprise Browser Admin Audit (Polling CCP) DataConnector The Island Admin connector provides the capability to ingest Island Admin Audit logs into Microsoft Sentinel. Solution
Island Enterprise Browser User Activity (Polling CCP) DataConnector The Island connector provides the capability to ingest Island User Activity logs into Microsoft Sentinel. Solution
Jamf Protect The Jamf Protect for Microsoft Sentinel solution creates detailed event data from macOS endpoints into a Microsoft Sentinel workspace in a simple and easy workflow. The solution provides you with full visibility into Apple Endpoint Security by leveraging Workbooks and Analytic Rules containing Alert and Unified Logging events captured by Jamf Protect and the macOS built-in security events that occurred across the protected organisational endpoints. Jamf Protect - Network Threats AnalyticsRule Creates an incident based on Jamf Protect's Network Threat Event Stream alerts. Solution
Jamf Protect - Alerts AnalyticsRule Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel Solution
Jamf Protect - Unified Logs AnalyticsRule Creates an informational incident based on Jamf Protect Unified Log data in Microsoft Sentinel Solution
Jamf Protect DataConnector The Jamf Protect connector provides the capability to read raw event data from Jamf Protect in Microsoft Sentinel. Solution
Jamf Protect Workbook Workbook This Jamf Protect Workbook for Microsoft Sentinel enables you to ingest Jamf Protect events forwarded into Microsoft Sentinel, providing reports on all alerts, device controls and Unified Logs. Solution
Lookout Cloud Security Platform Lookout Cloud Security Platform, which delivers SSE capability, gives actionable insights into users' activities, violations, and anomalies across endpoints, apps, websites, and data. Lookout also provides all the telemetry data that is needed to detect threats and conduct forensic investigations of cyberattacks such as advanced persistent threats. The Lookout integration with Microsoft Sentinel extracts this information and pushes it into the Microsoft Sentinel system for centralized analysis and reporting of the organization's security events. Lookout Cloud Security Platform delivers an integrated portfolio of cloud security products that deliver the SSE capability. The following are the products in the portfolio: Lookout Secure Cloud Access - delivers a cloud access security broker (CASB) solution. Lookout Secure Internet Access - delivers a cloud-based secure web gateway (SWG) solution. Lookout Secure Private Access - delivers a cloud-based zero trust network access (ZTNA) solution. Enhanced data loss protection (DLP) capabilities. Lookout Cloud Security Platform is a cloud-native unified platform that provides endpoint-to-cloud data protection from managed and unmanaged BYO devices (mobile and non-mobile) to the corporate applications (private, internet, and SaaS). It provides a unified policy framework for centralized monitoring and management of the corporate IT environment. The platform delivers zero trust security to detect and mitigate risk, and protect the data from security threats like malware, ransomware, and malicious threat actors. Lookout Cloud Security for Microsoft Sentinel (using Azure Function) DataConnector This connector uses an Agari REST API connection to push data into Microsoft Sentinel Log Analytics. Solution
LookoutCSActivities Parser Solution
LookoutCSAnomalies Parser Solution
LookoutCSViolations Parser Solution
Lookout Mobile Threat Defense Enable enterprises to search for Lookout threat, device, and audit events, create custom dashboards, and create alerts in Microsoft Sentinel SIEM based on the health posture of Android, iOS and Chrome devices. Lookout - New Threat events found. AnalyticsRule Created to detect new Threat events from the data which is recently synced by Lookout Solution. Solution
Lookout (using Azure Function) DataConnector The Lookout data connector provides the capability to ingest Lookout events into Microsoft Sentinel through the Mobile Risk API. Refer to the API documentation for more information. The Lookout data connector provides the ability to get events, which helps to examine potential security risks and more. Solution
Lookout Data Parser Parser Solution
Lookout Workbook Sets the time name for analysis Solution
Microsoft Sentinel - Continuous Threat Monitoring for GitHub The GitHub Solution for Microsoft Sentinel enables you to easily ingest events and logs from GitHub to Microsoft Sentinel using the GitHub audit log API and Webhooks. This enables you to view and analyze this data in your workbooks, query it to create custom alerts, and incorporate it to improve your investigation process, giving you more insight into your platform security. This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: Codeless Connector Platform (CCP) (used in GitHub Enterprise Audit Log data connector); Azure Functions (used in GitHub (using Webhooks)). (Preview) GitHub - Repository was created AnalyticsRule Detect activities when a repository was created. This query runs every day and its severity is Medium. Solution
(Preview) GitHub - Repository was destroyed AnalyticsRule Detect activities when a repository was destroyed. This query runs every day and its severity is Medium. Solution
(Preview) GitHub - User was added to the organization AnalyticsRule Detect activities when a user was added to the organization. This query runs every day and its severity is Medium. Solution
(Preview) GitHub - Oauth application - a client secret was removed AnalyticsRule Detect activities when a client secret was removed. This query runs every day and its severity is Medium. Solution
(Preview) GitHub - pull request was merged AnalyticsRule Detect activities when a pull request was merged. This query runs every day and its severity is Medium. Solution
(Preview) GitHub - pull request was created AnalyticsRule Detect activities when a pull request was created. This query runs every day and its severity is Medium. Solution
(Preview) GitHub - User was blocked AnalyticsRule Detect activities when a user was blocked on the repository. This query runs every day and its severity is Medium. Solution
(Preview) GitHub - User visibility Was changed AnalyticsRule Detect activities when a user visibility was changed. This query runs every day and its severity is Medium. Solution
(Preview) GitHub - User was invited to the repository AnalyticsRule Detect activities when a user was invited to the repository. This query runs every day and its severity is Medium. Solution
GitHub Two Factor Auth Disable AnalyticsRule Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as entering a code on their cellphone or providing a fingerprint scan. Two-factor authentication reduces the risk of account takeover. Attackers will want to disable such security tools in order to go undetected. Solution
GitHub Security Vulnerability in Repository AnalyticsRule This alerts when there is a new security vulnerability in a GitHub repository. Solution
NRT GitHub Two Factor Auth Disable AnalyticsRule Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as entering a code on their cellphone or providing a fingerprint scan. Two-factor authentication reduces the risk of account takeover. Attackers will want to disable such security tools in order to go undetected. Solution
(Preview) GitHub - A payment method was removed AnalyticsRule Detect activities when a payment method was removed. This query runs every day and its severity is Medium. Solution
GitHub Activites from a New Country AnalyticsRule Detect activities from a location that was not recently or was never visited by the user or by any user in your organization. Solution
GitHub Enterprise Audit Log DataConnector The GitHub audit log connector provides the capability to ingest GitHub logs into Microsoft Sentinel. By connecting GitHub audit logs into Microsoft Sentinel, you can view this data in workbooks, use it to create custom alerts, and improve your investigation process. Note: If you intend to ingest GitHub subscribed events into Microsoft Sentinel, please refer to the GitHub (using Webhooks) Connector from the "Data Connectors" gallery. Solution
GitHub (using Webhooks) (using Azure Functions) DataConnector The GitHub webhook data connector provides the capability to ingest GitHub subscribed events into Microsoft Sentinel using GitHub webhook events. The connector provides the ability to get events into Sentinel, which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more. Note: If you intend to ingest GitHub Audit logs, please refer to the GitHub Enterprise Audit Log Connector from the "Data Connectors" gallery. Solution
GitHub OAuth App Restrictions Disabled HuntingQuery Solution
GitHub Mass Deletion of repos or projects HuntingQuery Solution
GitHub Repo switched from private to public HuntingQuery Solution
GitHub Inactive or New Account Access or Usage HuntingQuery Solution
GitHub First Time Repo Delete HuntingQuery Solution
GitHub Update Permissions HuntingQuery Solution
GitHub First Time Invite Member and Add Member to Repo HuntingQuery Solution
GitHub User Grants Access and Other User Grants Access HuntingQuery Solution
GitHubAuditData Parser Solution
GitHubCodeScanningData Parser Solution
GitHubDependabotData Parser Solution
GithubSecretScanningData Parser Solution
GithubWorkbook Workbook Gain insights to GitHub activities that may be interesting for security. Solution
GitHub Security Workbook Gain insights to GitHub activities that may be interesting for security. Solution
Microsoft Exchange Security for Exchange Online The Microsoft Exchange Security Audit and Configuration Insights solution analyzes Exchange Online configuration and logs from a security lens to provide insights and alerts. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Custom logs ingestion via Data Collector REST API. Data Connectors: 1, Parsers: 2, Workbooks: 2 Exchange Security Insights Online Collector (using Azure Functions) DataConnector Connector used to push Exchange Online Security configuration for Microsoft Sentinel Analysis Solution
ExchangeConfiguration Parser Solution
ExchangeEnvironmentList Parser Solution
Microsoft Exchange Least Privilege with RBAC - Online Workbook This Workbook, dedicated to Exchange Online environments, is built to give a simple view of non-standard RBAC delegations on an Exchange Online tenant. This Workbook allows you to dive deep into custom delegations and roles and also the members of each delegation, including the nested level and group nesting in your environment. Solution
Microsoft Exchange Security Review - Online Workbook This Workbook is dedicated to Exchange Online tenants. It displays and highlights current Security configuration on various Exchange components specific to Online including delegations, the transport configuration and the linked security risks, and risky protocols. Solution
Microsoft Exchange Security for Exchange On-Premises The Microsoft Exchange Security Audit and Configuration Insights solution analyzes Exchange on-premises configuration and logs from a security lens to provide insights and alerts. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Windows Event logs collection, including MS Exchange Management Event logs; b. Custom logs ingestion via Data Collector REST API. Data Connectors: 2, Parsers: 3, Workbooks: 4, Analytic Rules: 2 VIP Mailbox manipulation AnalyticsRule Alert if a high-importance Cmdlet is executed on a VIP Mailbox, as those Cmdlets can be used for data exfiltration or mailbox access. Solution
Server Oriented Cmdlet And User Oriented Cmdlet used AnalyticsRule Detect if a monitored server-oriented Cmdlet and a monitored user-oriented Cmdlet are launched by the same user on the same server within a 10-minute timeframe. Solution
Microsoft Exchange Logs and Events DataConnector You can stream all Exchange Audit events, IIS Logs, HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. It is used by the Microsoft Exchange Security Workbooks to provide security insights into your On-Premises Exchange environment. Solution
Exchange Security Insights On-Premise Collector DataConnector Connector used to push Exchange On-Premises Security configuration for Microsoft Sentinel Analysis Solution
ExchangeAdminAuditLogs Parser Solution
Microsoft Exchange Least Privilege with RBAC Workbook This Workbook, dedicated to On-Premises environments, is built to give a simple view of non-standard RBAC delegations on an On-Premises Exchange environment. This Workbook allows you to dive deep into custom delegations and roles and also the members of each delegation, including the nested level and group nesting in your environment. Solution
Microsoft Exchange Search AdminAuditLog Workbook This workbook is dedicated to On-Premises Exchange organizations. It uses the MSExchange Management event logs to give you a simple way to view administrators' activities in your Exchange environment, with Cmdlet usage statistics and multiple pivots to understand who and/or what is affected by modifications in your environment. Solution
Microsoft Exchange Admin Activity Workbook This Workbook is dedicated to On-Premises Exchange organizations. It uses the MSExchange Management event logs and the Microsoft Exchange Security configuration collected by data connectors. It helps to track admin actions, especially on VIP Users and/or on Sensitive Cmdlets. This workbook also allows you to list Exchange Services changes, local account activities and local logons on Exchange Servers. Solution
Microsoft Exchange Security Review Workbook This Workbook is dedicated to On-Premises Exchange organizations. It displays and highlights the current Security configuration of various Exchange components, including delegations, rights on databases, the most important Exchange and AD Groups with members including nested groups, and local administrators of servers. This workbook also helps to understand the transport configuration and the linked security risks. Solution
Forcepoint CASB The Forcepoint CASB (Cloud Access Security Broker) Solution for Microsoft Sentinel allows you to automatically export CASB logs and events into Microsoft Sentinel in real-time. This enriches visibility into user activities across locations and cloud applications, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel. For more details about this solution refer to https://forcepoint.github.io/docs/casb_and_azure_sentinel/ Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Agent-based log collection (CEF over Syslog). Data Connectors: 1, Workbooks: 1 Forcepoint CASB DataConnector The Forcepoint CASB (Cloud Access Security Broker) Connector allows you to automatically export CASB logs and events into Microsoft Sentinel in real-time. This enriches visibility into user activities across locations and cloud applications, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel. Solution
Forcepoint Cloud Access Security Broker (CASB) Workbook Get insights on user risk with the Forcepoint CASB (Cloud Access Security Broker) workbook. Solution
Forcepoint CSG Forcepoint Cloud Security Gateway (CSG) Solution for Microsoft Sentinel exports web and/or email logs so that custom dashboards can be created using Workbooks to visualize events and insights on activities of Forcepoint Cloud Security Gateway. For more details about this solution refer to https://forcepoint.github.io/docs/csg_and_sentinel/ Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: Agent-based log collection (CEF over Syslog). Data Connectors: 1, Workbooks: 1 Forcepoint CSG DataConnector Forcepoint Cloud Security Gateway is a converged cloud security service that provides visibility, control, and threat protection for users and data, wherever they are. For more information visit: https://www.forcepoint.com/product/cloud-security-gateway Solution
Forcepoint Cloud Security Gateway Workbook Workbook Use this report to understand query runs across your workspace. Solution
Forcepoint DLP The Forcepoint DLP (Data Loss Prevention) Solution for Microsoft Sentinel allows you to automatically export DLP incident data from Forcepoint DLP into Microsoft Sentinel in real-time. This enriches visibility into user activities and data loss incidents, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel. For more details about this solution refer to the integration documentation. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: Azure Monitor HTTP Data Collector API. Data Connectors: 1, Workbooks: 1 Forcepoint DLP DataConnector The Forcepoint DLP (Data Loss Prevention) connector allows you to automatically export DLP incident data from Forcepoint DLP into Microsoft Sentinel in real-time. This enriches visibility into user activities and data loss incidents, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel. Solution
Forcepoint Data Loss Prevention (DLP) Workbook Get insights on DLP incidents with the Forcepoint DLP (Data Loss Prevention) workbook. Solution
Forcepoint NGFW The Forcepoint NGFW (Next Generation Firewall) Solution for Microsoft Sentinel allows you to automatically export user-defined Forcepoint NGFW logs into Microsoft Sentinel in real-time. This enriches visibility into user activities recorded by NGFW, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel. For more details about this solution refer to the integration documentation. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: Agent-based log collection (CEF over Syslog). Data Connectors: 1, Workbooks: 2 Forcepoint NGFW DataConnector The Forcepoint NGFW (Next Generation Firewall) connector allows you to automatically export user-defined Forcepoint NGFW logs into Microsoft Sentinel in real-time. This enriches visibility into user activities recorded by NGFW, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel. Solution
Forcepoint Next Generation Firewall (NGFW) Advanced Workbook Workbook Gain threat-intelligence-correlated security and application insights on Forcepoint NGFW (Next Generation Firewall). Monitor Forcepoint logging server health. Solution
Forcepoint Next Generation Firewall (NGFW) Workbook Get insights on firewall activities with the Forcepoint NGFW (Next Generation Firewall) workbook. Solution
KQL Training The KQL Training solution for Microsoft Sentinel contains resources that can help you up-skill on understanding the fundamentals and using KQL in advanced scenarios like authoring effective and optimized queries used in Sentinel Analytics, Hunting Queries, Workbooks, etc. All content packaged in this solution is built and supported by the Microsoft Sentinel community. For any support, please create an issue on the Microsoft Sentinel GitHub repository. Workbooks: 2 Advanced KQL for Microsoft Sentinel Workbook This interactive Workbook is designed to improve your KQL proficiency by using a use-case driven approach. Solution
Intro to KQL Workbook Learn and practice the Kusto Query Language. This workbook introduces and provides 100 to 200 level content for new and existing users looking to learn KQL. This workbook will be updated with content over time. Solution
SOC Handbook The SOC Handbook solution for Microsoft Sentinel provides a collection of resources that enable and empower SOC Analysts to get better visibility and understanding of the point-in-time security posture of organizational resources. All content packaged in this solution is built and supported by the Microsoft Sentinel community. For any support, please create an issue on the Microsoft Sentinel GitHub repository. Workbooks: 12 Analytics Efficiency Workbook Gain insights into the efficacy of your analytics rules. In this workbook you can analyze and monitor the analytics rules found in your workspace to achieve better performance by your SOC. Solution
AnomaliesVisulization Workbook A workbook that provides contextual information to a user for better insight on Anomalies and their impact. The workbook will help with investigation of anomalies as well as identify patterns that can lead to a threat. Solution
AnomalyData Workbook A workbook providing details, related Incident, and related Hunting Workbook for a specific Anomaly. Solution
Attack Surface Reduction Dashboard Workbook This workbook helps you implement the ASR rules of Windows/Defender, and to monitor them over time. The workbook can filter on ASR rules in Audit mode and Block mode. Solution
Microsoft Sentinel Cost Workbook This workbook provides an estimated cost across the main billed items in Microsoft Sentinel: ingestion, retention and automation. It also provides insight about the possible impact of the Microsoft 365 E5 offer. Solution
Security Alerts Workbook Security Alerts dashboard for alerts in your Microsoft Sentinel environment. Solution
IntSights IOC Workbook Workbook This Microsoft Sentinel workbook provides an overview of Indicators of Compromise (IOCs) and their correlations allowing users to analyze and visualize indicators based on severity, type, and other parameters. Solution
Investigation Insights Workbook Help analysts gain insight into incident, bookmark and entity data through the Investigation Insights Workbook. This workbook provides common queries and detailed visualizations to help an analyst investigate suspicious activities quickly with an easy to use interface. Analysts can start their investigation from a Microsoft Sentinel incident, bookmark, or by simply entering the entity data into the workbook manually. Solution
MITRE ATT&CK Workbook Workbook Workbook to showcase MITRE ATT&CK Coverage for Microsoft Sentinel Solution
Security Status Workbook This workbook gives an overview of Security Settings for VMs and Azure Arc. Solution
Microsoft Sentinel Central Workbook Use this report to view Incident (and Alert data) across many workspaces, this works with Azure Lighthouse and across any subscription you have access to. Solution
Microsoft Windows SQL Server Database Audit The Microsoft Windows SQL Server Database Audit solution for Microsoft Sentinel enables security monitoring scenarios using Windows events. The contents of the solution allow hunting for unauthorized access and other abnormalities with SQL database identities. Hunting Queries: 9 New User created on SQL Server HuntingQuery Solution
User added to SQL Server SecurityAdmin Group HuntingQuery Solution
User removed from SQL Server Roles HuntingQuery Solution
Failed Logon on SQL Server from Same IPAddress in Short time Span HuntingQuery Solution
SQL User deleted from Database HuntingQuery Solution
User Role altered on SQL Server HuntingQuery Solution
Multiple Failed Logon on SQL Server in Short time Span HuntingQuery Solution
Failed Logon Attempts on SQL Server HuntingQuery Solution
User removed from SQL Server SecurityAdmin Group HuntingQuery Solution
Morphisec UTPP Morphisec threat logs contain information about threats stopped by Morphisec's moving target defense technology. In order to analyze the logs in Microsoft Sentinel and run advanced queries over that data, this product will add the new fields needed and will parse Morphisec logs automatically when received in Microsoft Sentinel. Audience and Prerequisite: This parser is intended for Morphisec's customers only and will work after the integration between the Morphisec product and Microsoft Sentinel has been set up with Microsoft Sentinel configured as the SIEM. Morphisec UTPP DataConnector Integrate vital insights from your security products with the Morphisec Data Connector for Microsoft Sentinel and expand your analytical capabilities with search and correlation, threat intelligence, and customized alerts. Morphisec's Data Connector provides visibility into today's most advanced threats including sophisticated fileless attacks, in-memory exploits and zero days. With a single, cross-product view, you can make real-time, data-backed decisions to protect your most important assets. Solution
Morphisec Parser Solution
Netskope Data Connector The Netskope Cloud Security Platform connector provides the capability to ingest Netskope logs and events into Microsoft Sentinel. The connector provides visibility into Netskope Platform events and alerts in Microsoft Sentinel to improve monitoring and investigation capabilities. Netskope (using Azure Function) DataConnector The Netskope Cloud Security Platform connector provides the capability to ingest Netskope logs and events into Microsoft Sentinel. The connector provides visibility into Netskope Platform Events and Alerts in Microsoft Sentinel to improve monitoring and investigation capabilities. Solution
Netskope Parser Solution
Noname Security Noname Security for Microsoft Sentinel Machine Learning powered API Security threat intelligence (TI) alerts for Microsoft Sentinel Noname Security for Microsoft Sentinel DataConnector Noname Security solution to POST data into a Microsoft Sentinel SIEM workspace via the Azure Monitor REST API Solution
NC Protect Data Connector NC Protect from archTIS provides real-time data security that leverages attribute-based access control (ABAC) policies which take into consideration content and user context, to prevent both negligent and malicious data loss. It provides advanced information protection that's simple, fast and scalable to protect sensitive information across the Microsoft collaboration stack. It also offers centralized reporting and management of sensitive data access. Report on the number of issues identified by classification level and allow policy officers to review the results and rescan, reclassify or reapply permissions if needed. Log and track user activities and actions such as producing, editing or deleting data, general access or even changes in settings and policies of NC Protect. You can also ingest NC Protect's user activity and protection logs into Microsoft Sentinel for further analysis and downstream actions to build additional insights from the data and cross-correlate it with the rest of your ecosystem, streamline investigation, automate responses, and more. The NC Protect Data Connector for Microsoft Sentinel: Installs right from Microsoft Sentinel with simple configuration. Jump-starts threat investigation with just a few clicks using built-in workbooks. Creates custom reports to analyze user activity and behavior. Provides advanced auditing to help you understand what's going on within your environment. Easily visualizes data. Triggers real-time alerts and workflows on suspicious user activity. Reports on guest activity within SharePoint and Teams. NC Protect DataConnector NC Protect Data Connector (archtis.com) provides the capability to ingest user activity logs and events into Microsoft Sentinel. The connector provides visibility into NC Protect user activity logs and events in Microsoft Sentinel to improve monitoring and investigation capabilities. Solution
NCProtect Workbook Sets the time name for analysis Solution
NXLog AIX Audit The solution provides data connectors and parsers for IBM AIX audit logs for use with Azure Sentinel. The audit logs from IBM AIX systems are collected with the NXLog Enterprise Edition agent through a dedicated module. For additional information on how to set up, configure and collect logs from your IBM AIX systems and send them to your Azure instance, refer to our guide on the following link: https://nxlog.co/documentation/nxlog-user-guide/sentinel.html#forwarding-aix-audit-events-to-azure-sentinel NXLog AIX Audit DataConnector The NXLog AIX Audit data connector uses the AIX Audit subsystem to read events directly from the kernel for capturing audit events on the AIX platform. This REST API connector can efficiently export AIX Audit events to Microsoft Sentinel in real time. Solution
NXLogAixAudit Data Parser Parser Solution
NXLog BSM macOS Collect and send macOS BSM events with NXLog Enterprise Edition to Microsoft Sentinel. https://docs.nxlog.co/userguide/integrate/microsoft-azure-sentinel.html#forwarding-bsm-audit-events-from-macos-to-azure-sentinel NXLog BSM macOS DataConnector The NXLog BSM macOS data connector uses Sun's Basic Security Module (BSM) Auditing API to read events directly from the kernel for capturing audit events on the macOS platform. This REST API connector can efficiently export macOS audit events to Azure Sentinel in real-time. Solution
NXLog DNS Logs Collect and send Windows DNS Server events with NXLog Enterprise Edition to Microsoft Sentinel. https://nxlog.co/documentation/nxlog-user-guide/sentinel.html#forwarding-windows-dns-server-events-to-azure-sentinel NXLog DNS Logs DataConnector The NXLog DNS Logs data connector uses Event Tracing for Windows (ETW) for collecting both Audit and Analytical DNS Server events. The NXLog im_etw module reads event tracing data directly for maximum efficiency, without the need to capture the event trace into an .etl file. This REST API connector can forward DNS Server events to Microsoft Sentinel in real time. Solution
ASimDnsMicrosoftNXLog Parser Solution
NXLog LinuxAudit The solution provides data connectors and parsers for Linux Audit logs for use with Azure Sentinel. The audit logs from Linux systems are collected with the NXLog Enterprise Edition agent through a dedicated module. For additional information on how to set up, configure and collect logs from your Linux systems and send them to your Azure instance, refer to our guide on the following link: https://docs.nxlog.co/userguide/integrate/microsoft-azure-sentinel.html#forwarding-linux-audit-events-to-microsoft-sentinel NXLog LinuxAudit DataConnector The NXLog LinuxAudit data connector supports custom audit rules and collects logs without auditd or any other user-space software. IP addresses and group/user ids are resolved to their respective names making Linux audit logs more intelligible to security analysts. This REST API connector can efficiently export Linux security events to Azure Sentinel in real-time. Solution
Orca Security Alerts The Orca Security Alerts connector allows you to easily export Alerts logs to Azure Sentinel. Orca Security Alerts DataConnector The Orca Security Alerts connector allows you to easily export Alerts logs to Azure Sentinel. Solution
Orca alerts overview Workbook A visualized overview of Orca security alerts. Explore, analyze and learn about your security posture using the Orca alerts overview. Solution
Perimeter 81 Perimeter 81 works hand-in-hand with our customers and partners to deliver holistic network security that is purpose-built for today's cloud-first, distributed workforce and securely enables any business, anywhere. The inability to see what is happening in your network is crippling. Providing a centralized location for visibility into all activity is a critical component to a successful, modern security strategy. When Perimeter 81 logs are shared with Microsoft Sentinel, administrators and IT managers are delivered intelligence, analytics and full insight into Perimeter 81 activity. Perimeter 81 Activity Logs DataConnector The Perimeter 81 Activity Logs connector allows you to easily connect your Perimeter 81 activity logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. Solution
Perimeter 81 Overview Workbook Gain insights and comprehensive monitoring into your Perimeter 81 account by analyzing activities. Solution
AIShield - AI Security Monitoring AIShield is an AI-security product designed to protect AI-powered devices in the face of emerging security threats such as Model Extraction, Evasion, Data Poisoning, and Model Inference attacks. AIShield provides automated hacker-level vulnerability analysis and endpoint protection to harden the systems against emerging AI-security threats. AIShield-provided Threat Informed Endpoint Defense integrates with Microsoft Sentinel to deliver enhanced real-time monitoring capabilities to security teams for their AI assets, giving them insights into AI security incidents. Features: Users can leverage AIShield-provided Threat Informed Endpoint Defense that integrates with Microsoft Sentinel to create dynamic Dashboards, Workbooks, Notebooks, and tailored Alerts, improve investigation capabilities and thwart attacks on AI systems. Pre-requisite: Users will have to leverage the AIShield product to scan their AI model for vulnerabilities and generate Threat Informed Endpoint Defense capable of integrating with Microsoft Sentinel. To complete this step, please get in touch with AIShield.Contact@bosch.com AIShield - Tabular classification model extraction vulnerability detection AnalyticsRule This alert creates an incident when a tabular classification model extraction vulnerability is detected by AIShield. Solution
AIShield - Natural language processing model extraction vulnerability detection AnalyticsRule This alert creates an incident when a natural language processing model extraction vulnerability is detected by AIShield. Solution
AIShield - Image classification model extraction vulnerability detection AnalyticsRule This alert creates an incident when an image classification model extraction vulnerability is detected by AIShield. Solution
AIShield - Image classification model evasion vulnerability detection AnalyticsRule This alert creates an incident when an image classification model evasion vulnerability is detected by AIShield. Solution
AIShield - TimeSeries Forecasting model extraction vulnerability detection AnalyticsRule This alert creates an incident when a time series forecasting model extraction vulnerability is detected by AIShield. Solution
AIShield DataConnector AIShield connector allows users to connect with AIShield custom defense mechanism logs with Microsoft Sentinel, allowing the creation of dynamic Dashboards, Workbooks, Notebooks and tailored Alerts to improve investigation and thwart attacks on AI systems. It gives users more insight into their organization's AI assets security posturing and improves their AI systems security operation capabilities. Solution
AIShield Parser Solution
Recorded Future Intelligence Recorded Future's unprecedented intelligence reduces security risk by automatically positioning threat intelligence data in your Microsoft Sentinel environment. This data is delivered to Microsoft Sentinel to provide context and empower analysts to identify and triage alerts faster, proactively block threats, and reduce time spent on false positives to improve analyst efficiency. Microsoft Sentinel solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step. The Recorded Future Intelligence for Microsoft Sentinel solution makes it simple to position threat intelligence in your Azure environment. The Recorded Future Intelligence for Microsoft Sentinel solution includes: Workbooks: 2, Playbooks: 7, Analytic Rules: 6 Detection of Malware C2 IPs in DNS Events AnalyticsRule Identifies a match in DnsEvents from Recorded Future Actively Communicating C&C Server Risklist. Solution
Detection of Specific Hashes in CommonSecurityLog AnalyticsRule Identifies a match in CommonSecurityLog from Recorded Future Hash Observed in Underground Virus Testing Sites RiskList. Solution
Detection of Malware C2 IPs in Azure Act. Events AnalyticsRule Identifies a match in Azure Activity Events from Recorded Future Actively Communicating C&C Server Risklist. Solution
Detection of Malicious URLs in Syslog Events AnalyticsRule Identifies a match in Syslog from Recorded Future URLs Recently Reported as malicious by Insikt Group. Solution
Detection of Malware C2 Domains in DNS Events AnalyticsRule Identifies a match in DNSEvents from Recorded Future C2 DNS Name Domains Risklist. Solution
Detection of Malware C2 Domains in Syslog Events AnalyticsRule Identifies a match in Syslog from Recorded Future C2 DNS Name Domains Risklist. Solution
RecordedFuture-DOMAIN-C2_DNS_Name-TIProcessor Playbook This playbook leverages the Recorded Future API and automatically imports the C&C DNS Name Domain RiskList, as Threat Intelligence Indicators, for detection purposes in Microsoft Sentinel. This playbook depends on RecordedFuture-ImportToSentinel, which needs to be installed manually before installing this playbook. Solution
RecordedFuture-HASH-Obs_in_Underground-TIProcessor Playbook This playbook leverages the Recorded Future API and automatically imports the Observed in Underground Virus Testing Sites Hash RiskList, as Threat Intelligence Indicators, for detection purposes in Microsoft Sentinel. This playbook depends on RecordedFuture-ImportToSentinel, which needs to be installed manually before installing this playbook. Solution
RecordedFuture-ImportToSentinel Playbook This playbook listens (via the batching mechanism provided by Microsoft Azure) for incoming messages from the IndicatorProcessor playbooks and submits the indicators for creation. Solution
RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash Playbook This playbook leverages the Recorded Future API to enrich IP, Domain, URL and Hash indicators, found in Sentinel incidents, with the following context: Risk Score, Risk Rules and Link to Intelligence Card. The enrichment content will be posted as a comment in the Sentinel incident. Solution
RecordedFuture-IP-Actively_Comm_C2_Server-TIProcessor Playbook This playbook leverages the Recorded Future API and automatically imports the Actively Communicating C&C Server IP RiskList, as Threat Intelligence Indicators, for detection purposes in Microsoft Sentinel. This playbook depends on RecordedFuture-ImportToSentinel, which needs to be installed manually before installing this playbook. Solution
RecordedFuture-Sandbox_Enrichment-Url Playbook This playbook will enrich URL entities in an incident and send them to Recorded Future Sandbox. The result will be written as an incident comment. Solution
RecordedFuture-Ukraine-IndicatorProcessor Playbook This playbook leverages the Recorded Future API and automatically imports the Ukraine RiskLists, as Threat Intelligence Indicators, for detection purposes in Microsoft Sentinel. This playbook depends on RecordedFuture-ImportToSentinel, which needs to be installed manually before installing this playbook. Solution
RecordedFuture-URL-Recent_Rep_by_Insikt-TIProcessor Playbook This playbook leverages the Recorded Future API and automatically imports the Recently Reported by Insikt Group URL RiskList, as Threat Intelligence Indicators, for detection purposes in Microsoft Sentinel. This playbook depends on RecordedFuture-ImportToSentinel, which needs to be installed manually before installing this playbook. Solution
Recorded Future - C&C DNS Name to DNS Events - Correlation&Threat Hunting Workbook Sets the time name for DNS Events and Threat Intelligence Time Range Solution
Recorded Future - Actively Communicating C&C IPs to DNS Events - Correlation&Threat Hunting Workbook Sets the time name for DNS Events and Threat Intelligence Time Range Solution
ReversingLabs Content Pack OVERVIEW: The ReversingLabs Content Pack solution for Microsoft Sentinel provides a collection of content for ReversingLabs users. The solution contains a sample playbook that will automatically enrich your incidents with file hash reputation information from TitaniumCloud, enabling faster and more accurate incident triage. The solution also includes a workbook that you can use to visualize the value provided by our Azure-focused products. Features: Compare your threat intelligence feeds based on indicator quality categories, including indicator age and number of tags. Understand how threat intelligence augments your detections by looking at incident creation and closing classification metrics. See how ReversingLabs automation saves you time and money with estimates using your operations data. If you're a SOC Manager, the included workbook will provide valuable oversight of your threat intelligence implementation. If you're a SOC Analyst, you'll love the enrichment data provided from the ReversingLabs-FileEnrichment playbook. ABOUT REVERSINGLABS: ReversingLabs empowers modern software development and security operations center teams to protect their software releases and organizations from sophisticated software supply chain security attacks, malware, ransomware, and other threats. The ReversingLabs Titanium Platform analyzes any file, binary, or object that can evade traditional security solutions. It's a hybrid-cloud privacy-centric platform that unifies Dev and SOC teams with transparent and human-readable threat analysis, arming developers, DevSecOps, SOC analysts, and threat hunters to respond to software tampering and security incidents confidently. ReversingLabs data is used by more than sixty-five of the world's most advanced security vendors and their tens of thousands of security professionals.
ReversingLabs enterprise customers span all industries, leveraging integrations with popular DevSecOps and SOC platforms that enable teams to access the analysis they need to make quick security verdicts, eliminate threats, and release software with confidence. GETTING STARTED: To get started, please see the documentation and media below. Playbooks: 2, Workbooks: 1 ReversingLabs-CheckQuota Playbook This playbook will check your ReversingLabs TitaniumCloud API quota and provide usage details. To be used in conjunction with the ReversingLabs-CapabilitiesOverview workbook. Solution
ReversingLabs-EnrichFileHash Playbook This playbook will enrich a Sentinel Incident with file hash information from ReversingLabs TitaniumCloud. A comment will be added to the incident with details about the file. Solution
ReversingLabs-CapabilitiesOverview Workbook The ReversingLabs-CapabilitiesOverview workbook provides a high level look at your threat intelligence capabilities and how they relate to your operations. Solution
Rubrik Integration with Sentinel for Ransomware Protection Rubrik secures data, wherever it lives, across enterprise, cloud, and SaaS. With Rubrik's integration with Microsoft Sentinel, customers can better manage risk of business disruption and financial impact of ransomware. We complement Microsoft's perimeter and cloud security and detection tools with comprehensive data security that safeguards data so it can always be available for recovery. With Rubrik, customers can bridge the gap between Sec and IT Ops for rapid and granular recovery in case of a ransomware attack. Conduct deeper and faster investigations to help understand the scope and root cause of an attack. Detect and receive alerts to anomalous activity in the data such as unusual deletions, modifications, downloads and encryptions. Calculate blast radius, identify initial point, scope, and time of infection. Easily identify the last known "clean backup" and prevent malware reinfection. Quickly restore individual files, full mailboxes, or entire SharePoint sites to any destination. Easily locate your data with global predictive, file-level search to quickly recover from data loss and ensure business continuity. Fast recovery, right from Microsoft Sentinel, with prebuilt workflows and blueprints and better IT/SecOps collaboration. Trigger a recovery workflow directly from the Microsoft Sentinel dashboard using automated playbooks. Eliminate manual, time-consuming job scheduling and streamline policy management across thousands of users with Rubrik's SLA policy engine. Rubrik Security Cloud data connector (using Azure Function) DataConnector The Rubrik Security Cloud data connector enables security operations teams to integrate insights from Rubrik's Data Observability services into Microsoft Sentinel.
The insights include identification of anomalous filesystem behavior associated with ransomware and mass deletion, assessment of the blast radius of a ransomware attack, and sensitive data operators to prioritize and more rapidly investigate potential incidents. Solution
LogicAppsCustomConnector Solution
Rubrik Anomaly Analysis Playbook This playbook queries Rubrik Security Cloud to enrich the Anomaly event with additional information regarding the Ransomware analysis, results from sensitive data scans, (to aid in incident prioritization), and additional information about the Rubrik cluster. Solution
Rubrik Anomaly Incident Response Playbook This playbook provides an end to end example of the collection of Ransomware Anomaly information from Rubrik, its enrichment with Data Classification insights (to aid in incident prioritization), and the options to optionally perform various recovery operations. It uses several other playbooks defined in this solution to perform these tasks. Solution
Rubrik Data Object Discovery Playbook This playbook queries Rubrik Security Cloud to enrich the incoming event with additional information from Rubrik about the object and its snapshots that the event refers to. Solution
Rubrik Fileset Ransomware Discovery Playbook This playbook queries Rubrik Security Cloud to enrich the incoming event with additional information from Rubrik about the fileset object and perform an IOC scan against the fileset. Solution
Rubrik IOC Scan Playbook This playbook interacts with Rubrik Security Cloud to scan backups for specified IOCs. This playbook is used by other playbooks that leverage this capability. Solution
Rubrik Poll Async Result Playbook This playbook is used by other playbooks to poll for results from some of the asynchronous API calls that are invoked by other playbooks. Solution
Rubrik Ransomware Discovery and File Recovery Playbook This playbook interacts with Rubrik Security Cloud to (1) optionally preserve evidence by creating an on-demand snapshot of the object, (2) identify a potential recovery point by scanning backups for specified IOCs, and (3) support file-level recovery. Solution
Rubrik Ransomware Discovery and VM Recovery Playbook This playbook interacts with Rubrik Security Cloud to (1) optionally preserve evidence by creating an on-demand snapshot of the object, (2) identify a potential recovery point by scanning backups for specified IOCs, and (3) support VM image-level recovery. Solution
SailPoint The solution will pull all the IdentityNow event data into Azure tables so that security analysts can query the data for potential security related events. Event data comes from the public IdentityNow APIs. The solution also makes it possible for security analysts in Microsoft Sentinel to query the IdentityNow public APIs to get additional information about an Identity or Account that might be involved in a security related alert. Those analysts can also remediate security events in Microsoft Sentinel by again calling our APIs to disable an account or revoke access. SailPointIdentityNowAlertForTriggers AnalyticsRule Create alerts for SailPoint IdentityNow Event Trigger Service. Solution
SailPointIdentityNowFailedEventsBasedOnTime AnalyticsRule Detects failed events based on created time. Solution
SailPointIdentityNowEventTypeTechnicalName AnalyticsRule Created to detect new threat events from the data in SailPointIDN_Events. Solution
SailPointIdentityNowUserWithFailedEvent AnalyticsRule Detects any failed event for a particular user. Solution
SailPointIdentityNowEventType AnalyticsRule Created to detect failed events of particular type from SailPointIDN_Events. Solution
SailPointIdentityNowFailedEvents AnalyticsRule Detects all events with status failed. Solution
SailPoint IdentityNow (using Azure Function) DataConnector The SailPoint IdentityNow data connector provides the capability to ingest [SailPoint IdentityNow] search events into Microsoft Sentinel through the REST API. The connector provides customers the ability to extract audit information from their IdentityNow tenant. It is intended to make it even easier to bring IdentityNow user activity and governance events into Microsoft Sentinel to improve insights from your security incident and event monitoring solution. Solution
LogicAppsCustomConnector Solution
MailRisk data connector The MailRisk data connector by Secure Practice will ingest data from suspicious emails analyzed by end-users, into Microsoft Sentinel, including enriched email metadata and risk assessment updates. Access to the Secure Practice API for successfully configuring this data connector requires an existing subscription with Secure Practice, and access to an administrator account. Secure Practice is happy to offer this out-of-the-box integration for IT administrators and security analysts who want to include MailRisk data into an integrated workflow with search and alerting features available in Microsoft Sentinel. This may apply if your organization uses the MailRisk add-in for Microsoft Outlook or Google Workspace, to allow end-users access to live analysis of suspicious emails. Correlating security events across data sources is fundamental to efficient threat identification and incident response. Having access to live data collected from end-users who analyze and report suspicious emails will provide Microsoft Sentinel customers with a highly valuable source of potential indicators of compromise (IOCs), having already been found by suspicious users in your own organizations. To obtain a subscription with Secure Practice for access to MailRisk, please visit our website. MailRisk by Secure Practice (using Azure Functions) DataConnector Data connector to push emails from MailRisk into Microsoft Sentinel Log Analytics. Solution
SecurityBridge App SecurityBridge's Security Application Layer installs and resides within the SAP ABAP stack, so no additional hardware is required. The Platform provides real-time vulnerability monitoring and intrusion detection scanning and monitoring for SAP© ABAP, JAVA, HANA, and cloud-based SAP systems. It comes preconfigured with hundreds of SAP-specific attack and vulnerability detection patterns. Once unboxed, SecurityBridge is easily activated and put into production without a lengthy implementation phase. SecurityBridge not only evaluates the SAP Security Audit Log, it continuously scans and correlates all log sources which may impact the security posture of your SAP landscape. Intelligence is applied at machine speed to alert on critical events and discard the false positives. Real-time intrusion detection: The SecurityBridge Intrusion Detection System (IDS) runs continuously, scanning all log and audit sources within the SAP instance for SAP-specific attack patterns and zero-day vulnerabilities. Events are created by the SecurityBridge correlation engine, which also applies user behavior analysis. False positives can be eliminated using filter settings, which are configured directly on the Controller system, and are distributed to the Agents with a single click. The result is a high-quality and accurate threat assessment on duty 24/7. Core features: Instant SIEM connectivity. Seamlessly connect SAP with Splunk, ArcSight, LogRhythm, QRadar, Microsoft Sentinel, and many other SIEM providers. Event Monitor Fiori® App for Monitoring and Investigation. An event timeline feature that simplifies investigations in Fiori®. Advanced filter and whitelist configuration. An updated standard configuration catalog for 80+ Listeners, covering hundreds of identification patterns and signatures. Rule-based Response Framework. Real-time Code Vulnerability Scanner. The SecurityBridge Microsoft Sentinel App helps your central SOC to get a better insight into the situation on the SAP side.
It integrates the Fiori Event Monitor dashboard into the company's main Microsoft Sentinel dashboard. With more than 350.000 clients in more than 180 countries, SAP© provides business-critical software solutions to about every important area of the society we live in. Not only water, food, and energy suppliers but also pharma, healthcare and engineering companies must protect their assets. SecurityBridge: A critical event occurred AnalyticsRule This rule alerts if any critical event occurred in the SAP system. Solution
SecurityBridge Threat Detection for SAP DataConnector SecurityBridge is the first and only holistic, natively integrated security platform, addressing all aspects needed to protect organizations running SAP from internal and external threats against their core business applications. The SecurityBridge platform is an SAP-certified add-on, used by organizations around the globe, and addresses the clients' need for advanced cybersecurity, real-time monitoring, compliance, code security, and patching to protect against internal and external threats. This Microsoft Sentinel Solution allows you to integrate SecurityBridge Threat Detection events from all your on-premises and cloud-based SAP instances into your security monitoring. Use this Microsoft Sentinel Solution to receive normalized and speaking security events, pre-built dashboards and out-of-the-box templates for your SAP security monitoring. Solution
SecurityBridge Threat Detection for SAP Data Parser Parser Solution
SecurityBridge App Workbook Sets the time name for analysis Solution
SecurityScorecard Ratings SecurityScorecard Ratings uses non-intrusive and proprietary data collection methods, as well as trusted commercial and open-source threat feeds, to quantitatively evaluate the cybersecurity posture of any organization. We continuously monitor 10 risk factor groups and instantly deliver an easy-to-understand A-F rating, empowering organizations to quickly find and fix vulnerabilities and issues.We continue to make the world a safer place by transforming the way companies understand, improve and communicate cybersecurity risk to their boards, employees and vendors. SecurityScorecard is one solution that supports many use cases including: enterprise cyber risk management (self-monitoring), executive-level reporting, third-party risk management and cyber due diligence. SecurityScorecard Factor (using Azure Function) DataConnector SecurityScorecard is the leader in cybersecurity risk ratings. The SecurityScorecard Factors data connector provides the ability for Sentinel to import SecurityScorecard factor ratings as logs. SecurityScorecard provides ratings for over 12 million companies and domains using countless data points from across the internet. Maintain full awareness of any company's security posture and be able to receive timely updates when factor scores change or drop. SecurityScorecard factor ratings are updated daily based on evidence collected across the web. Solution
SecurityScorecard Issue (using Azure Function) DataConnector SecurityScorecard is the leader in cybersecurity risk ratings. The SecurityScorecard Issues data connector provides the ability for Sentinel to import SecurityScorecard issue data as logs. SecurityScorecard provides ratings for over 12 million companies and domains using countless data points from across the internet. Maintain full awareness of any company's security posture and be able to receive timely updates when new cybersecurity issues are discovered. Solution
SecurityScorecard Cybersecurity Ratings (using Azure Function) DataConnector SecurityScorecard is the leader in cybersecurity risk ratings. The SecurityScorecard data connector provides the ability for Sentinel to import SecurityScorecard ratings as logs. SecurityScorecard provides ratings for over 12 million companies and domains using countless data points from across the internet. Maintain full awareness of any company's security posture and be able to receive timely updates when scores change or drop. SecurityScorecard ratings are updated daily based on evidence collected across the web. Solution
SecurityScorecard Workbook This Workbook provides immediate insight into the data coming from SecurityScorecard's three Sentinel data connectors: SecurityScorecard Cybersecurity Ratings, SecurityScorecard Cybersecurity Ratings - Factors, and SecurityScorecard Cybersecurity Ratings - Issues. Solution
Semperis Directory Services Protector If your hybrid AD isn't secure, nothing is. Business applications on-premises and in the cloud rely on Active Directory and Azure Active Directory, making it a critical piece of your IT infrastructure. But securing Active Directory is difficult given its constant flux, sheer number of settings, and increasingly sophisticated threat landscape. Securing a hybrid system brings additional challenges, as many attacks start on-premises and move to the cloud. Semperis Directory Services Protector (DSP) continuously monitors Active Directory and Azure Active Directory for indicators of exposure and provides a single view of activities on-prem and in the cloud. Proactively protect AD and Azure AD from cyberattacks with Semperis Directory Services Protector. Catch AD and Azure AD vulnerabilities before attackers do -- attackers are getting better by the minute at targeting soft spots in your hybrid AD system, exploiting weaknesses in on-premises AD to enter the environment, then moving online to Azure AD. DSP continuously monitors for indicators of exposure and compromise, uncovered by the Semperis threat research team, that threaten AD and Azure AD. Eliminate blind spots in hybrid Active Directory security -- Attackers use powerful hacking and discovery tools to create backdoors and establish persistent access inside of hybrid Active Directory, avoiding detection by traditional SIEM solutions. DSP uses multiple data sources, including the AD replication stream, to capture changes that evade agent-based or log-based detection. The DSP solution for Microsoft Sentinel expands the sight of Microsoft Sentinel to include previously hidden AD security data. Enable rapid recovery -- Intruders and rogue administrators can rapidly wreak havoc across your systems on a scale that is difficult to monitor and remediate effectively with human intervention. Semperis DSP provides a unified dashboard that shows malicious changes in your on-prem Active Directory and Azure Active Directory so you can close security gaps before attackers strike. Additional features include: · Vulnerability assessment · Automated remediation and rollback · Forensic analysis · Powerful reporting and notifications Semperis DSP Failed Logons AnalyticsRule Alerts when there are failed logons in the DSP system. Solution
Semperis DSP Mimikatz's DCShadow Alert AnalyticsRule Mimikatz's DCShadow switch allows a user who has compromised an AD domain, to inject arbitrary changes into AD using a "fake" domain controller. These changes bypass the security event log and can't be spotted using normal AD tools. This rule looks for evidence that a machine has been used in this capacity. Solution
Semperis DSP Recent sIDHistory changes on AD objects AnalyticsRule This indicator detects any recent changes to sIDHistory on AD objects, including changes to non-privileged accounts where privileged SIDs are added. Solution
Semperis DSP Zerologon vulnerability AnalyticsRule This indicator looks for security vulnerability to CVE-2020-1472, which was patched by Microsoft in August 2020. Without this patch, an unauthenticated attacker can exploit CVE-2020-1472 to elevate their privileges and get administrative access on the domain. Solution
Semperis DSP Operations Critical Notifications AnalyticsRule Alerts when there are critical notifications fired in the DSP system. Solution
Semperis DSP Kerberos krbtgt account with old password AnalyticsRule The krbtgt user account is a special (disabled) user account in every Active Directory domain that has a special role in Kerberos function. If this account's password is compromised, Golden Ticket attacks can be performed to get access to any resource in the AD domain. This indicator looks for a krbtgt user account whose password hasn't been changed in the past 180 days. While Microsoft recommends changing the password every year, STIG recommends changing it every 180 days. Solution
Semperis DSP Well-known privileged SIDs in sIDHistory AnalyticsRule This indicator looks for security principals that contain specific SIDs of accounts from built-in privileged groups within their sIDHistory attribute. This would allow those security principals to have the same privileges as those privileged accounts, but in a way that is not obvious to monitor (e.g. through group membership). Solution
Semperis DSP RBAC Changes AnalyticsRule Alerts when there are RBAC changes in the DSP system. Solution
Semperis Directory Services Protector DataConnector The Semperis Directory Services Protector data connector allows for the export of its Windows event logs (i.e. Indicators of Exposure and Indicators of Compromise) to Microsoft Sentinel in real time. It provides a data parser to manipulate the Windows event logs more easily. The different workbooks ease your Active Directory security monitoring and provide different ways to visualize the data. The analytic templates allow you to automate responses to different events, exposures, or attacks. Solution
dsp_parser Parser Solution
Semperis DSP AD Changes Workbook View change data related to the Semperis DSP system. Solution
Semperis DSP Notifications Workbook View notification data related to the Semperis DSP system. Solution
Semperis DSP Quickview Dashboard Workbook View data related to the Semperis DSP system. Solution
Semperis DSP Security Indicators Workbook View security indicator data related to the Semperis DSP system. Solution
Senserva Offer Senserva integrates with Microsoft Sentinel to provide automated, detailed insights about user and application security for enriched correlation of high-risk events. The Cloud is inherently complex, dynamic and disjointed, making it challenging to secure. To help the industry meet this challenge, Senserva's cloud-native technology automates security governance associated with Azure and Azure Active Directory by monitoring and aggregating intricate security data, helping to enable a zero-trust environment. This automation within Microsoft Sentinel accelerates the protection of your organization's Azure environment against entitlement breaches and highly sophisticated, otherwise undetectable attacks, as well as helping companies ensure they meet compliance requirements. See our new Senserva security ebook! "The integration of Microsoft Sentinel with the Senserva's award-winning Cloud Management Solutions allows us to work together to enhance customers' security posture with less complexity" - Eric Burkholder, PM Microsoft Sentinel at Microsoft Corp. "…Senserva provides a great amount of innovation in the Microsoft security world …", said Rich Lilly, Partner, Director of Security at Netrix LLC. "The Senserva team was great to work with, responsive and focused on meeting our needs." Prioritize, simplify, and automate the collection of complex data that is spread across your customer's environment and enhance your managed security services with Senserva and Microsoft Sentinel within minutes after automated installation. Cloud Security is Complex. Senserva Makes it Simple: Find the needle in the haystack. Working with Sentinel you do it every day: auditing, hunting, responding to incidents. As a Microsoft MISA partner, the Senserva team and our partners, along with the Senserva Prologue Bot and PyServa, work side-by-side with you to build the best solutions possible on the Microsoft Sentinel platform, helping you find all those needles in all your haystacks and making it simple. Stay One Step Ahead and Lower Your Costs: Use the automated Senserva Bot to continuously monitor and detect priority-based risks to eliminate threats before they happen. The Bot sends a continuous stream of high-value, easy-to-use analytics to Sentinel, complementing and building on what Microsoft already provides. Senserva also has a rich open source tool kit for easy integration and extensions within Sentinel, including in-depth examples such as Azure Active Directory Application Security, to help you quickly create your own solutions. All of this leads to improved security and lower costs. Leverage What you Already Have: From people new to Sentinel to advanced Sentinel users, Senserva seamlessly integrates with and enhances your Microsoft-focused security solutions. Senserva works exclusively with Partners to achieve joint success. Senserva delivers a high-value solution to help fix undetected problems surrounding identity and access and is fully integrated with Microsoft Sentinel. In addition, Senserva has a customization team to meet specific customer requirements if needed. Works with the Senserva User Interface and the Senserva security engine, both of which have a strong MSSP focus. Azure Secure Score Self Service Password Reset AnalyticsRule This query requires you to set up Azure AD Connect. Azure AD Connect is free with all Azure subscriptions. Solution
Azure secure score user risk policy AnalyticsRule This query requires an active Azure Premium P2 license to use and edit this policy. You will need to have set up the MFA policy before activating this policy. Solution
UserAccountDisabled AnalyticsRule This query searches for accounts that are disabled. This does not affect the score, as a disabled account is easily enabled. Solution
Azure secure score sign in risk policy AnalyticsRule This query requires an active Azure Premium P2 license to use and edit this policy. You will need to have set up the MFA policy before activating this policy. Solution
SenservaPro AD Applications Not Using Client Credentials AnalyticsRule Searches for logs of AD Applications without Client Credentials (Key or Secret) Solution
Stale last password change AnalyticsRule This query searches for stale last password changes. Solution
Azure secure score PW age policy new AnalyticsRule This query checks the password age policy. It has been found that when periodic password resets are enforced, passwords become less secure: users tend to pick a weaker password and vary it slightly for each reset. If a user creates a strong password (long, complex and without any pragmatic words present), it should remain just as strong in the future as it is today. It is Microsoft's official security position to not expire passwords periodically without a specific reason, and Microsoft recommends that cloud-only tenants set the password policy to never expire. Solution
Azure secure score role overlap AnalyticsRule This query searches for accounts that have been assigned Global Administrator and also hold other roles. Accounts assigned Global Administrator do not need other roles assigned, since Global Administrators have access to all aspects of Azure. Solution
Azure secure score MFA registration V2 AnalyticsRule This query checks MFA registration. Multi-factor authentication (MFA) helps protect devices and data that are accessible to these users. Adding more authentication methods, such as the Microsoft Authenticator app or a phone number, increases the level of protection if one factor is compromised. Solution
Azure secure score admin MFA AnalyticsRule This query checks whether multi-factor authentication (MFA) is required for all administrative roles. Requiring MFA for administrative roles makes it harder for attackers to access accounts. Administrative roles have higher permissions than typical users; if any of those accounts are compromised, critical devices and data are open to attack. Solution
Non-admin guest AnalyticsRule This query searches for guests that are not admins in Azure. Solution
Third party integrated apps AnalyticsRule This query searches for third-party integrated apps. Protect your services by regulating the access of third-party integrated apps; only allow access to necessary apps that support robust security controls. Third-party applications are not created by Microsoft, so there is a possibility they could be used for malicious purposes like exfiltrating data from your tenancy. Attackers can maintain persistent access to your services through these integrated apps, without relying on compromised accounts. Solution
Azure secure score block legacy authentication AnalyticsRule This query checks whether legacy authentication is blocked. Most compromising sign-in attempts come from legacy authentication. Older Office clients such as Office 2010 do not support modern authentication and use legacy protocols such as IMAP, SMTP, and POP3. Legacy authentication does not support multi-factor authentication (MFA). Even if an MFA policy is configured in your environment, bad actors can bypass these enforcements through legacy protocols. Solution
Service principal not using client credentials AnalyticsRule This query searches for service principals that are not using a client certificate or secret, which is not secure. It is recommended that you review your needs and use an authentication method for sign-in. Solution
Azure secure score one admin AnalyticsRule This query searches for tenants with only one Global Administrator. Having 1 Global Administrator reduces the attack surface of your Azure tenant, but sets up a single point of failure for the whole tenant. Global Administrators have access to all aspects of Azure. Solution
SenservaPro (Preview) DataConnector The SenservaPro data connector provides a viewing experience for your SenservaPro scanning logs. View dashboards of your data, use queries to hunt & explore, and create custom alerts. Solution
Azure secure score integrated apps HuntingQuery Solution
Application not using client credentials HuntingQuery Solution
Azure secure score one admin HuntingQuery Solution
Azure secure score sign in risk policy HuntingQuery Solution
Stale last password change HuntingQuery Solution
UserAccountDisabled HuntingQuery Solution
Azure secure score PW age policy new HuntingQuery Solution
Azure secure score MFA registration V2 HuntingQuery Solution
Azure secure score admin MFA V2 HuntingQuery Solution
Azure secure score role overlap HuntingQuery Solution
Service principal not using client credentials HuntingQuery Solution
Azure secure score user risk policy HuntingQuery Solution
Azure secure score block legacy authentication HuntingQuery Solution
Azure Secure Score Self Service Password Reset HuntingQuery Solution
SenservaProAnalytics Workbook Sets the time name for analysis Solution
SenservaProMultipleWorkspace Workbook Sets the time name for analysis Solution
SenservaProSecureScoreMultiTenant Workbook Sets the time name for analysis Solution
Azure Firewall The Azure Firewall solution for Microsoft Sentinel enables ingestion of DNS Proxy, Application Rule and Network Rule logs from Azure Firewalls. Underlying Microsoft Technologies used: This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: a. Azure Monitor Resource Diagnostics. Data Connectors: 1, Workbooks: 1, Analytic Rules: 6, Hunting Queries: 5, Custom Azure Logic Apps Connectors: 1, Playbooks: 3. More info on deployment can be found here: New Detections, Hunting Queries and Response Automation in Azure Firewall Solution for Azure Sentinel (microsoft.com); Automated Detection and Response for Azure Firewall with the New Logic App Connector and Playbooks (microsoft.com) Multiple Sources Affected by the Same TI Destination AnalyticsRule Identifies multiple machines trying to reach out to the same destination blocked by TI in Azure Firewall. This can indicate an attack on the organization by the same attack group. Configurable Parameters: - Minimum affected threshold - alert only if more than this number of hosts is affected. Default is set to 5. - Recommendation is to use the new resource-specific logs. If you are using both, the TiTraffic count will be duplicated. Solution
Port Sweep AnalyticsRule Identifies a source IP scanning the same open ports on the Azure Firewall IPs. This can indicate malicious scanning of a port by an attacker, trying to reveal IPs with specific ports open in the organization. The ports can be compromised by attackers for initial access, most often by exploiting a vulnerability. Configurable Parameters: - Port sweep time - the time range to look for multiple hosts scanned. Default is set to 30 seconds. - Minimum different hosts threshold - alert only if more than this number of hosts is scanned. Default is set to 200. Solution
Abnormal Port to Protocol AnalyticsRule Identifies communication for a well-known protocol over a non-standard port based on learning period activity. This can indicate malicious communication (C2) or exfiltration by attackers trying to communicate over known ports (22:SSH, 80:HTTP) but who don't use the known protocol headers that match the port number. Configurable Parameters: - Learning period time - learning period for protocol learning in days. Default is set to 7. Solution
Port Scan AnalyticsRule Identifies a source IP scanning multiple open ports on Azure Firewall. This can indicate malicious scanning of ports by an attacker, trying to reveal open ports in the organization that can be compromised for initial access. Configurable Parameters: - Port scan time - the time range to look for multiple ports scanned. Default is set to 30 seconds. - Minimum different ports threshold - alert only if more than this number of ports is scanned. Default is set to 100. Solution
Abnormal Deny Rate for Source IP AnalyticsRule Identifies an abnormal deny rate for a specific source IP to destination IP based on the normal average and standard deviation learned during a configured period. This can indicate potential exfiltration, initial access or C2, where an attacker tries to exploit the same vulnerability on machines in the organization but is being blocked by firewall rules. Configurable Parameters: - Minimum of stds threshold - the number of standard deviations to use in the threshold calculation. Default is set to 3. - Learning period time - learning period for threshold calculation in days. Default is set to 5. - Bin time - learning buckets time in hours. Default is set to 1 hour. - Minimum threshold - minimum threshold for alert. Default is set to 5. - Minimum bucket threshold - minimum learning buckets threshold for alert. Default is set to 5. Solution
Several deny actions registered AnalyticsRule Identifies the attack pattern where an attacker tries to move, or scan, from resource to resource on the network, and creates an incident when a source has more than 1 registered deny action in Azure Firewall. Solution
Azure Firewall DataConnector Connect to Azure Firewall. Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. For more information, see the Microsoft Sentinel documentation. Solution
Uncommon Port to IP HuntingQuery Solution
Uncommon Port for Organization HuntingQuery Solution
First Time Source IP to Destination Using Port HuntingQuery Solution
Source IP Abnormally Connects to Multiple Destinations HuntingQuery Solution
First Time Source IP to Destination HuntingQuery Solution
LogicAppsCustomConnector Solution
Azure Firewall - Add IP Address to Threat Intel Allow list Playbook This playbook allows the SOC to automatically respond to Microsoft Sentinel incidents that include IPs, by adding the IPs to the TI Allow list in Azure Firewall Policy. Solution
BlockIP-Azure Firewall New Rule Playbook This playbook uses the Azure Firewall connector to add an IP address to the Deny Network Rules collection based on the Microsoft Sentinel incident. Solution
Block IP - Azure Firewall IP groups Playbook This playbook allows blocking/allowing IPs in Azure Firewall. It makes changes on IP groups, which are attached to rules, instead of making direct changes on Azure Firewall. It also allows using the same IP group for multiple firewalls. Learn more about IP Groups in Azure Firewall. Solution
Azure Firewall Structured Logs Workbook Gain insights into Azure Firewall events using the new Structured Logs for Azure Firewall. You can learn about your application and network rules, see metrics for firewall activities across URLs, ports, and addresses across multiple workspaces. Solution
Azure Firewall Workbook Gain insights into Azure Firewall events. You can learn about your application and network rules, see metrics for firewall activities across URLs, ports, and addresses across multiple workspaces. Solution
Dynamics 365 Finance and Operations Dynamics 365 for Finance and Operations is a comprehensive Enterprise Resource Planning (ERP) solution that combines financial and operational capabilities to help businesses manage their day-to-day operations. It offers a range of features that enable businesses to streamline workflows, automate tasks, and gain insights into operational performance. The Sentinel solution for Dynamics 365 Finance and Operations collects audit and activity logs from the Dynamics 365 Finance and Operations environments, and detects threats, suspicious activities, illegitimate activities, and more. The solution includes: A Dynamics 365 F&O data connector, which ingests Dynamics 365 Finance and Operations admin activities and audit logs as well as user business process and application activity logs into Microsoft Sentinel. Built-in analytics rules to detect suspicious activity in your Dynamics 365 Finance and Operations environment, like changes in bank account details, multiple user account updates or deletions, suspicious sign-in events, changes to workload identities, and more. Important: The Microsoft Sentinel Solution for D365 F&O is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. This solution is a premium offering. Pricing information will be available before the solution becomes generally available. F&O - Reverted bank account number modifications AnalyticsRule Identifies changes to bank account numbers in Finance & Operations, whereby a bank account number is modified but then subsequently reverted a short time later. Solution
F&O - Mass update or deletion of user records AnalyticsRule Identifies large delete or update operations on Finance & Operations user records based on predefined thresholds. Solution
F&O - Non-interactive account mapped to self or sensitive privileged user AnalyticsRule Identifies changes to Azure AD Client Apps registered for Finance & Operations, specifically when a new client is mapped to a predefined list of sensitive privileged user accounts, or when a user associates a client app with their own account. Solution
F&O - Unusual sign-in activity using single factor authentication AnalyticsRule Identifies successful sign-in events to Finance & Operations and Lifecycle Services using single factor/password authentication. Sign-in events from tenants not using MFA, coming from an Azure AD trusted network location, or from geolocations seen previously in the last 14 days are excluded. Solution
F&O - Bank account change following network alias reassignment AnalyticsRule Identifies changes to user accounts where the network alias was modified to a new value. Shortly afterwards, the updated alias is used to update a bank account number. Solution
Dynamics 365 F&O (using Azure Functions) DataConnector Dynamics 365 for Finance and Operations is a comprehensive Enterprise Resource Planning (ERP) solution that combines financial and operational capabilities to help businesses manage their day-to-day operations. It offers a range of features that enable businesses to streamline workflows, automate tasks, and gain insights into operational performance. The Dynamics 365 F&O data connector ingests Dynamics 365 Finance and Operations admin activities and audit logs as well as user business process and application activities logs into Microsoft Sentinel. Solution
Dynamics 365 - Connector Only The Dynamics 365 Dataverse Activity logs connector provides insight into admin and user activities. By connecting Dynamics 365 Dataverse logs into Microsoft Sentinel, you can view this data in workbooks, use it to create custom alerts, and improve your investigation process.This solution includes only the data connector. For a full Sentinel solution for Dynamics 365 CE Apps (including out of the box workbook, analytics rules and threat hunting queries) refer to the D365 CE Apps solution here. Dynamics365 DataConnector The Dynamics 365 Common Data Service (CDS) activities connector provides insight into admin, user, and support activities, as well as Microsoft Social Engagement logging events. By connecting Dynamics 365 CRM logs into Microsoft Sentinel, you can view this data in workbooks, use it to create custom alerts, and improve your investigation process. Solution
Dynamics 365 CE Apps The Microsoft Sentinel solution for Dynamics 365 CE apps provides you with the ability to collect Dynamics 365 CE Apps logs, gain visibility of activities and analyze them to detect threats and malicious activities. The solution includes four elements: Data connector*: The Dynamics 365 data connector provides insight into Dataverse audits and activities (CRUD - Create, Read, Update, Delete). By connecting Dynamics 365 CE apps logs into Microsoft Sentinel, you can view this data in workbooks, use it to create custom alerts, and improve your investigation process. Analytic rules detecting: audit log data and settings manipulation; monitored security and user configuration changes; suspicious logins and sign-ins to Dynamics 365; new permissions granted to an application identity; mass export of Dynamics 365 records to Excel; mass deletion of Dynamics 365 records; bulk retrieval of data outside of normal activity hours; suspicious changes to Dynamics 365 encryption settings; new user agents accessing Dynamics 365. Workbook dashboard providing visibility into: record retrieval events; record deletion events; record export events; email events; other events. Threat hunting queries providing insights into: Dynamics 365 activities after Azure AD alerts; Dynamics 365 activity after failed logons. * The data connector is located in the data connectors gallery and should be enabled from there. D365 - Mass export of records to Excel AnalyticsRule The query detects a user exporting a large number of records from Dynamics 365 to Excel, significantly more records than in any other recent activity by that user. Solution
D365 - User bulk retrieval outside normal activity AnalyticsRule This query detects users retrieving significantly more records from Dynamics 365 than they have in the past 2 weeks. This could indicate potentially unauthorized access to data within Dynamics 365. Solution
D365 - New Office user agent detected AnalyticsRule Identifies users accessing Dynamics from a User Agent that has not been seen in any Office 365 workloads in the last 7 days. Has configurable filter for known good user agents such as PowerApps. Solution
D365 - New user agent detected AnalyticsRule Identifies users accessing Dynamics from a User Agent that has not been seen in the last 14 days. Has a configurable filter for known good user agents such as PowerApps. Also includes an optional section to exclude User Agents that indicate a browser being used. Solution
D365 - Encryption settings changed AnalyticsRule This query looks for changes to the Data Encryption settings for Dynamics 365. Reference: https://docs.microsoft.com/microsoft-365/compliance/office-365-encryption-in-microsoft-dynamics-365 Solution
D365 - Sign-in from an unauthorized domain AnalyticsRule This query identifies user authentication events originating from a user domain that is not found on an allow list. Common internal Dynamics 365 system names are excluded. Solution
D365 - Dormant admin or previously non-admin user conducting admin activity AnalyticsRule Monitors and detects dormant admins or previously non-admin users currently conducting admin activities in Dynamics 365. Solution
D365 - Login from IP in the block list AnalyticsRule Identifies logons from IPv4 addresses maintained on a block list. The block list is maintained within the query as well as using the built-in NetworkAddresses watchlist template with the "D365 Block" tag. Solution
D365 - Permissions granted to an application identity AnalyticsRule This query identifies API level permission grants, either via the delegated permissions of an Azure AD Application or direct assignment within Dynamics 365 as an application user. Solution
D365 - Monitored User configuration changed AnalyticsRule Identifies user configuration changes made in Dynamics 365, such as adding or removing Business Units or Teams, enabling or disabling users, or changing the Access Mode field, for any user in the "D365-UserConfig" watchlist. The watchlist deployed as part of the Dynamics 365 Continuous Threat Monitoring solution contains common security configuration related changes and can be modified to tune which events generate an alert. Solution
D365 - Mass deletion of records AnalyticsRule This query identifies large scale delete operations where the number of delete entries exceeds a query defined threshold within the last period. The scheduling of bulk delete jobs in Dynamics 365 is also detected. Solution
D365 - Login from IP not in the allow list AnalyticsRule Identifies logons from IPv4 addresses not matching IPv4 subnets maintained on an allow list. The allow list is maintained within the query as well as using the built-in NetworkAddresses watchlist template with the "D365 Allow" tag. Solution
D365 - Audit log configuration change AnalyticsRule Identifies changes to the security audit configuration. Source action: checking or un-checking the following options at entity level in CRM: single record auditing; multiple record auditing; log all records displayed on an opened page. Solution
D365 - Audit log data deletion AnalyticsRule Identifies audit log data deletion activity in Dynamics 365. Source action: deletion of audit logs from the Audit Summary View; deleting audit history on a record from the Related tab data. Solution
D365 - Login by a sensitive privileged user AnalyticsRule This query identifies users tagged ["D365 Sensitive"] using the built-in VIP Users watchlist template and searches Dynamics 365 logs for any corresponding authentication events. Solution
D365 - Monitored Security configuration changed AnalyticsRule Identifies security configuration changes in Dynamics 365 based on a watchlist. The watchlist deployed as part of the Dynamics 365 Continuous Threat Monitoring solution contains common security configuration related changes and can be modified to tune which events generate an alert. Solution
Dynamics 365 Activity After Failed Logons HuntingQuery Solution
Dynamics 365 Activity After Azure AD Alerts HuntingQuery Solution
Dynamics 365 Activity Workbook This workbook brings together queries and visualizations to assist you in identifying potential threats in your Dynamics 365 audit data. Solution
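The two IP-list logon rules in this solution (D365 - Login from IP in the block list, D365 - Login from IP not in the allow list) match IPv4 client addresses against subnets kept both inline in the query and in the NetworkAddresses watchlist under the "D365 Block" and "D365 Allow" tags. The Python below is an added example written for this catalog entry, not the solution's own KQL; the watchlist column names (IPSubnet, Tags), the inline lists and the logon records are constructed assumptions. It covers the checks a practitioner would want around such a rule: block-list precedence over the allow list, bare host entries without a prefix length, rows carrying several comma-separated tags, and non-IPv4 or unparseable client addresses surfaced rather than silently treated as allowed.

```python
import ipaddress

# Constructed rows modelled on the NetworkAddresses watchlist template.
# The column names IPSubnet and Tags are assumptions; only the template
# name and the "D365 Allow" / "D365 Block" tags come from the catalog.
WATCHLIST = [
    {"IPSubnet": "10.0.0.0/8",     "Tags": "D365 Allow"},
    {"IPSubnet": "203.0.113.0/24", "Tags": "D365 Allow, Corp VPN"},  # several tags on one row
    {"IPSubnet": "198.51.100.42",  "Tags": "D365 Block"},            # bare host, no prefix length
    {"IPSubnet": "192.0.2.0/24",   "Tags": "Corp Guest"},            # tag not used by these rules
    {"IPSubnet": "2001:db8::/32",  "Tags": "D365 Allow"},            # IPv6: the rules are IPv4-only
]

# Lists "maintained within the query", as the rule descriptions put it (assumed values).
INLINE_ALLOW = ["172.16.0.0/12"]
INLINE_BLOCK = ["198.51.100.0/24"]

# Constructed logon records: (user, client IP exactly as it appeared in the log).
SAMPLE_LOGONS = [
    ("alice", "10.20.30.40"),    # inside a watchlist allow subnet
    ("bob",   "198.51.100.42"),  # on the block list
    ("carol", "192.0.2.5"),      # only in a subnet tagged for something else
    ("dave",  "2001:db8::1"),    # IPv6 client: outside the rule's scope
    ("eve",   "172.20.1.1"),     # inside the inline allow list
    ("frank", "10.0.0.256"),     # malformed address in the log
]


def load_networks(watchlist, tag, inline):
    """Collect the IPv4 networks for one tag from the watchlist plus the inline list.

    Tags are split on commas so a row carrying several tags still matches.
    Bare hosts parse as /32; IPv6 rows are dropped because the rules are IPv4-only.
    """
    nets = []
    for row in watchlist:
        tags = {t.strip() for t in row["Tags"].split(",")}
        if tag in tags:
            nets.append(ipaddress.ip_network(row["IPSubnet"], strict=False))
    nets.extend(ipaddress.ip_network(cidr, strict=False) for cidr in inline)
    return [net for net in nets if net.version == 4]


def classify_logon(client_ip, allow_nets, block_nets):
    """Classify one logon's source address.

    Block wins over allow, so an address that appears on both lists is still
    reported as blocked. Anything that is not a parseable IPv4 address gets its
    own verdict instead of falling through to "allowed".
    """
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return "unparseable"
    if ip.version != 4:
        return "non_ipv4"
    if any(ip in net for net in block_nets):
        return "blocked"
    if any(ip in net for net in allow_nets):
        return "allowed"
    return "not_allowed"


def evaluate_logons(logons, watchlist=WATCHLIST):
    """Return (user, ip, verdict) per logon; every verdict but 'allowed' deserves a look."""
    allow = load_networks(watchlist, "D365 Allow", INLINE_ALLOW)
    block = load_networks(watchlist, "D365 Block", INLINE_BLOCK)
    return [(user, ip, classify_logon(ip, allow, block)) for user, ip in logons]


if __name__ == "__main__":
    for user, ip, verdict in evaluate_logons(SAMPLE_LOGONS):
        print(f"{user:6} {ip:16} {verdict}")
```

Only alice and eve come out as allowed; bob is blocked even though the same /24 could be allow-listed elsewhere, carol is not_allowed because "Corp Guest" is not the tag the rule reads, and dave and frank are reported separately so an IPv6 logon or a corrupt log line never passes the allow check by default.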
SAP BTP SAP® Business Technology Platform (BTP) is an infrastructure that allows SAP® customers to build no-code/low-code custom apps integrating with SAP® and third-party applications and datasets, in order to achieve better business value by streamlining users' activities and interactions with the organization's business applications. The BTP solution for Microsoft Sentinel collects audit and activity logs from the BTP environment and detects threats, suspicious activities, illegitimate activities, and more. BTP - Malware detected in BAS dev space AnalyticsRule Identifies instances of malware detected by the SAP internal malware agent within Business Application Studio dev spaces. Solution
BTP - User added to sensitive privileged role collection AnalyticsRule Identifies identity management actions whereby a user is added to a set of monitored privileged role collections. Solution
BTP - Trust and authorization Identity Provider monitor AnalyticsRule Identifies CRUD operations on Identity Provider settings within a sub account. Solution
BTP - Mass user deletion in a sub account AnalyticsRule Identifies user account deletion activity where the amount of deleted users exceeds a predefined threshold. Solution
BTP - Failed access attempts across multiple BAS subaccounts AnalyticsRule Identifies failed Business Application Studio access attempts over a predefined number of subaccounts. Solution
SAP BTP (using Azure Functions) DataConnector SAP Business Technology Platform (SAP BTP) brings together data management, analytics, artificial intelligence, application development, automation, and integration in one, unified environment. Solution
SAP BTP Activity Workbook This workbook contains visualizations and insights in the SAP BTP environment. Solution
Azure SQL Database The Azure SQL Database Solution for Microsoft Sentinel enables you to stream Azure SQL database audit and diagnostic logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances.Data Connectors: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 8 Firewall rule manipulation attempts stateful anomaly on database AnalyticsRule This query detects batches of distinct SQL queries that execute (or attempt to) commands that could indicate potential security issues - such as attempts to manipulate firewall rules (e.g. for allowing malicious access to the database). Solution
Firewall errors stateful anomaly on database AnalyticsRule This query detects batches of distinct SQL queries that failed with error codes that might indicate malicious attempts to gain illegitimate access to the data. When an attacker attempts to scan or access a server protected by the firewall, the connection is blocked and fails with error code 40615. Thus, a large number of logins failing with this error code could indicate attempts to gain access. Solution
Drop attempts stateful anomaly on database AnalyticsRule This query detects batches of distinct SQL queries that execute (or attempt to) commands that could indicate potential security issues - such as attempts to drop tables or databases (e.g. for data vandalism). Solution
Affected rows stateful anomaly on database AnalyticsRule Goal: to detect anomalous data change/deletion. This query detects SQL queries that changed/deleted a large number of rows, significantly higher than normal for this database. The detection is calculated inside the recent time window (defined by the 'detectionWindow' parameter), and the anomaly is calculated based on the previous training window (defined by the 'trainingWindow' parameter). The user can set the minimal threshold for anomaly by changing the threshold parameters volThresholdZ and volThresholdQ (a higher threshold will detect only more severe anomalies). Solution
Execution attempts stateful anomaly on database AnalyticsRule This query detects batches of distinct SQL queries that execute (or attempt to) commands that could indicate potential security issues - such as attempts to execute shell commands (e.g. for running illegitimate code). Solution
Response rows stateful anomaly on database AnalyticsRule Goal: to detect anomalous data exfiltration. This query detects SQL queries that accessed a large number of rows, significantly higher than normal for this database. The calculation is made inside the recent time window (defined by the 'detectionWindow' parameter), and the anomaly is calculated based on the previous training window (defined by the 'trainingWindow' parameter). The user can set the minimal threshold for anomaly by changing the threshold parameters volThresholdZ and volThresholdQ (higher thresholds will detect only more severe anomalies). Solution
Outgoing connection attempts stateful anomaly on database AnalyticsRule This query detects batches of distinct SQL queries that execute (or attempt to) commands that could indicate potential security issues - such as attempts to access external sites or resources (e.g. for downloading malicious content). Solution
Syntax errors stateful anomaly on database AnalyticsRule This query detects batches of distinct SQL queries that failed with error codes that might indicate malicious attempts to gain illegitimate access to the data. When blind attacks are performed (such as SQL injection or fuzzing), the attempted queries are often malformed and fail on wrong syntax (error 102) or wrong escaping (error 105). Thus, if a large number of different queries fail with such errors in a short amount of time, this might indicate an attempted attack. Solution
Credential errors stateful anomaly on database AnalyticsRule This query detects batches of distinct SQL queries that failed with error codes that might indicate malicious attempts to gain illegitimate access to the data. When a brute-force attack is attempted, the majority of logins use wrong credentials and therefore fail with error code 18456. Thus, a large number of logins failing with this error code could indicate a brute-force attack. Solution
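The three error-code rules above (firewall errors 40615, syntax errors 102/105, credential errors 18456) share one shape: count distinct failing statements per client inside a short window, because a brute force or a blind injection produces many different failures while a buggy application retries the same one. The Python below is an added example for this catalog entry, not the solution's KQL; the audit-row layout, the five-minute tumbling window, the threshold of five distinct statements and the sample rows are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Error numbers named in the three rule descriptions above.
ERROR_CLASSES = {
    18456: "credential",  # login failed: brute-force pattern
    102: "syntax",        # incorrect syntax: blind injection / fuzzing
    105: "syntax",        # unclosed quotation mark: bad escaping
    40615: "firewall",    # client IP rejected by the server firewall
}


def ts(minute, second=0):
    """Constructed timestamp inside one five-minute window on a fixed day."""
    return datetime(2023, 7, 25, 12, minute, second)


# Constructed audit rows: (event_time, client_ip, statement, error_number).
# Field names are assumptions; the real audit schema is not shown on this page.
SAMPLE_EVENTS = [
    # 203.0.113.7: six different principals failing to log in (brute force)
    *[(ts(0, i), "203.0.113.7", f"LOGIN {p}", 18456)
      for i, p in enumerate(["sa", "admin", "administrator", "root", "dbo", "backup"])],
    # 198.51.100.23: six distinct malformed probes against one parameter (blind injection)
    (ts(1, 0), "198.51.100.23", "SELECT * FROM users WHERE id=1'", 105),
    (ts(1, 5), "198.51.100.23", "SELECT * FROM users WHERE id=1' OR '1'='1", 105),
    (ts(1, 9), "198.51.100.23", "SELECT * FROM users WHERE id=1 AND 1=1 UNION", 102),
    (ts(1, 14), "198.51.100.23", "SELECT * FROM users WHERE id=1' UNION SELECT", 102),
    (ts(1, 20), "198.51.100.23", "SELECT * FROM users WHERE id=1;WAITFOR DELAY", 102),
    (ts(1, 31), "198.51.100.23", "SELECT * FROM users WHERE id=1'))", 105),
    # 192.0.2.10: one broken application query retried eight times (not distinct)
    *[(ts(2, i * 5), "192.0.2.10", "SELECT * FROM orders WHERE id='", 105) for i in range(8)],
    # 203.0.113.9: two firewall rejections, below the threshold
    (ts(3, 0), "203.0.113.9", "LOGIN reporting", 40615),
    (ts(3, 30), "203.0.113.9", "LOGIN reporting_ro", 40615),
    # a successful statement (no error number) is ignored
    (ts(4, 0), "10.0.0.5", "SELECT 1", None),
]


def window_start(when, window):
    """Floor a timestamp to the tumbling window containing it (window in whole minutes)."""
    minutes = int(window.total_seconds() // 60)
    floored = (when.hour * 60 + when.minute) // minutes * minutes
    return when.replace(hour=floored // 60, minute=floored % 60, second=0, microsecond=0)


def find_error_bursts(events, window=timedelta(minutes=5), threshold=5):
    """Map (window_start, client_ip, error_class) to the number of distinct failing
    statements, keeping only bursts at or above threshold. Counting distinct
    statements rather than raw failures is what separates a probe or brute force
    from one bug retried in a loop."""
    distinct = defaultdict(set)
    for when, ip, statement, err in events:
        cls = ERROR_CLASSES.get(err)
        if cls is None:
            continue
        distinct[(window_start(when, window), ip, cls)].add(statement)
    return {key: len(stmts) for key, stmts in distinct.items() if len(stmts) >= threshold}


def summarize(bursts):
    """Flatten to sorted (client_ip, error_class, distinct_count) rows for an alert."""
    return sorted((ip, cls, n) for (_, ip, cls), n in bursts.items())


if __name__ == "__main__":
    for ip, cls, n in summarize(find_error_bursts(SAMPLE_EVENTS)):
        print(f"{ip:16} {cls:10} {n} distinct failing statements")
```

Run as-is, the two bursts are 198.51.100.23 (six distinct syntax failures) and 203.0.113.7 (six distinct failed principals); the application retrying one broken query eight times never reaches the threshold, and the two firewall rejections only show up if the threshold is lowered. A scheduled rule would use its lookback as the window and carry the statements themselves into the alert as evidence.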
OLE object manipulation attempts stateful anomaly on database AnalyticsRule This query detects batches of distinct SQL queries that execute (or attempt to) commands that could indicate potential security issues - such as attempts to manipulate OLE objects (e.g. for running malicious commands). Solution
Azure SQL Databases DataConnector Azure SQL is a fully managed, Platform-as-a-Service (PaaS) database engine that handles most database management functions, such as upgrading, patching, backups, and monitoring, without necessitating user involvement. This connector lets you stream your Azure SQL databases audit and diagnostic logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances. Solution
Response rows stateful anomaly on database - hunting query HuntingQuery Solution
Prevalence Based SQL Query Size Anomaly HuntingQuery Solution
Boolean Blind SQL Injection HuntingQuery Solution
Anomalous Query Execution Time HuntingQuery Solution
Affected rows stateful anomaly on database - hunting query HuntingQuery Solution
Suspicious SQL Stored Procedures HuntingQuery Solution
Time Based SQL Query Size Anomaly HuntingQuery Solution
Azure SQL Database Workbook Workbook Sets the time window in days to search around the alert Solution
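The two stateful anomaly rules above (affected rows, response rows) and the D365 volume rules earlier in this catalog (mass export to Excel, bulk retrieval outside normal activity) all compare a recent detection window against a per-entity training window and gate the alert on a z-score (volThresholdZ) and a quantile (volThresholdQ). The Python below is an added example that reproduces that logic on constructed data; it is not the solution's KQL, and the training/detection values, the default thresholds and the minimum-history guard are assumptions.

```python
import math
import statistics
from collections import defaultdict

# Constructed per-entity history. For the SQL rules the entity is a database and the
# value is rows affected or returned per statement; for the D365 rules it is a user
# and the value is records exported or retrieved per action. The numbers are made up.
TRAINING = (
    [("alice", v) for v in [120, 95, 130, 110, 100, 125, 90, 115, 105, 135, 120, 110, 98, 127]]
    + [("bob", 50)] * 14                      # perfectly flat baseline
    + [("carol", v) for v in [10, 12, 11]]    # too little history to judge
)
DETECTION = [("alice", 140), ("alice", 5000), ("bob", 50), ("carol", 9999), ("dave", 7)]


def quantile(values, q):
    """Linearly interpolated q-quantile of a non-empty list (q in [0, 1])."""
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be within [0, 1]")
    ordered = sorted(values)
    pos = q * (len(ordered) - 1)
    lo, hi = math.floor(pos), math.ceil(pos)
    return ordered[lo] + (ordered[hi] - ordered[lo]) * (pos - lo)


def baseline_anomalies(training, detection, vol_threshold_z=3.0,
                       vol_threshold_q=0.99, min_training=10):
    """Flag detection-window values that are both at least vol_threshold_z standard
    deviations above the entity's training mean and above its vol_threshold_q training
    quantile. Raising either threshold keeps only the more severe anomalies."""
    history = defaultdict(list)
    for entity, value in training:
        history[entity].append(value)

    findings = []
    for entity, value in detection:
        hist = history.get(entity, [])
        if len(hist) < min_training:
            # No usable baseline (new entity or sparse history): this is not an
            # anomaly verdict but a coverage gap worth tracking separately.
            continue
        mean = statistics.fmean(hist)
        sd = statistics.pstdev(hist)
        if sd == 0.0:
            # Flat baseline: any increase is infinitely many deviations away,
            # so the quantile guard alone decides.
            z = math.inf if value > mean else 0.0
        else:
            z = (value - mean) / sd
        if z >= vol_threshold_z and value > quantile(hist, vol_threshold_q):
            findings.append((entity, value, z))
    return findings


if __name__ == "__main__":
    for entity, value, z in baseline_anomalies(TRAINING, DETECTION):
        print(f"{entity}: {value} rows, z = {z:.1f}")
```

Only alice's 5,000-row action is flagged: her 140-row action is about two standard deviations above her mean and falls under the z gate, carol and dave have no baseline and are skipped rather than alerted, and bob's flat history means a single row over 50 would register as infinitely anomalous, which is the reason a production rule pairs these thresholds with an absolute floor on the count.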
Teams Microsoft Sentinel solution for Teams provides Teams security logs visibility and threat protection for communication and data sharing in the Microsoft 365 Cloud via Microsoft Teams. In order to get the logs, you should connect to the Microsoft 365 connector and choose the Teams application. Please refer to this guide. By connecting Teams activity logs into Microsoft Sentinel, you can view this data in workbooks, use it to create custom alerts, and improve your investigation process. This article focuses on collecting Teams activity logs in Microsoft Sentinel. Workbooks: 1, Playbooks: 2 Advanced SNOW Teams Integration Playbook Playbook This playbook showcases an example of triggering an incident within a targeted Teams channel and opening a ticket within ServiceNow. Additionally, the playbook lists playbooks that can be initiated from Teams using an adaptive card, and callbacks that will take action upon certain entities identified in the incident. Solution
Microsoft Teams Workbook This workbook is intended to identify the activities on Microsoft Teams. Solution
Cognni Cognni autonomously maps your previously unidentified critical information assets and detects undiagnosed incidents. This allows you to recognize risks to your critical information, triage the severity of the incidents, and compile the details you need to remediate, fast enough to make a difference. Cognni for Microsoft Sentinel covers files shared through Microsoft Exchange Online, SharePoint Online, OneDrive, and Teams. Unparalleled Classification: Cognni leverages a unique approach to classifying critical business information. It brings visibility to your most critical business assets and shifts the approach to data classification from "What does this file contain?" to "What does this file mean?". Cognni provides upwards of 10x more breadth of coverage, while offering unparalleled depth. Traditional Classification - Credit Cards, Passports, National IDs, etc. Cognni's Classification - Financial Reports, Board Meeting Minutes, Employee Terminations, etc. Unprecedented Risk Detection: By leveraging unique classification, Cognni identifies otherwise unidentified risks. Knowing what information exists and where it flows allows Cognni to analyze share patterns with the entire context of how information is used. That allows Cognni to produce a dynamic baseline of which information is shared, by whom, with whom, and whether there are risks inherent to the share activity. Workbooks - Leverage out-of-the-box risk detection to easily navigate between live risk updates. Analytics - Creates information-sensitive analytics rules to cut through the noise and uncover only your most pressing risks. Entity Behavior - Connects the dots between users, events, and information to home in on the greatest risk creators and riskiest share patterns. Cognni Incidents for Highly Sensitive Governance Information AnalyticsRule Display incidents in which highly sensitive governance information was placed at risk by user sharing. Solution
Cognni Incidents for Medium Sensitivity Business Information AnalyticsRule Display incidents in which medium sensitivity business information was placed at risk by user sharing. Solution
Cognni Incidents for Highly Sensitive Business Information AnalyticsRule Display incidents in which highly sensitive business information was placed at risk by user sharing. Solution
Cognni Incidents for Highly Sensitive Legal Information AnalyticsRule Display incidents in which highly sensitive legal information was placed at risk by user sharing. Solution
Cognni Incidents for Medium Sensitivity HR Information AnalyticsRule Display incidents in which medium sensitivity HR information was placed at risk by user sharing. Solution
Cognni Incidents for Low Sensitivity Financial Information AnalyticsRule Display incidents in which low sensitivity financial information was placed at risk by user sharing. Solution
Cognni Incidents for Highly Sensitive Financial Information AnalyticsRule Display incidents in which highly sensitive financial information was placed at risk by user sharing. Solution
Cognni Incidents for Low Sensitivity Legal Information AnalyticsRule Display incidents in which low sensitivity legal information was placed at risk by user sharing. Solution
Cognni Incidents for Low Sensitivity Business Information AnalyticsRule Display incidents in which low sensitivity business information was placed at risk by user sharing. Solution
Cognni Incidents for Medium Sensitivity Governance Information AnalyticsRule Display incidents in which medium sensitivity governance information was placed at risk by user sharing. Solution
Cognni Incidents for Medium Sensitivity Financial Information AnalyticsRule Display incidents in which medium sensitivity financial information was placed at risk by user sharing. Solution
Cognni Incidents for Low Sensitivity Governance Information AnalyticsRule Display incidents in which low sensitivity governance information was placed at risk by user sharing. Solution
Cognni Incidents for Medium Sensitivity Legal Information AnalyticsRule Display incidents in which medium sensitivity legal information was placed at risk by user sharing. Solution
Cognni Incidents for Low Sensitivity HR Information AnalyticsRule Display incidents in which low sensitivity HR information was placed at risk by user sharing. Solution
Cognni Incidents for Highly Sensitive HR Information AnalyticsRule Display incidents in which highly sensitive HR information was placed at risk by user sharing. Solution
Cognni DataConnector The Cognni connector offers a quick and simple integration with Microsoft Sentinel. You can use Cognni to autonomously map your previously unclassified important information and detect related incidents. This allows you to recognize risks to your important information, understand the severity of the incidents, and investigate the details you need to remediate, fast enough to make a difference. Solution
Cognni Important Information Incidents Workbook Gain intelligent insights into the risks to your important financial, legal, HR, and governance information. This workbook lets you monitor your at-risk information to determine when and why incidents occurred, as well as who was involved. These incidents are broken into high, medium, and low risk incidents for each information category. Solution
SonicWall Network Security Microsoft Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response. Microsoft Sentinel solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in a user's workspace with a single deployment step. The SonicWall Firewall data connector provides the capability to ingest SonicWall access logs (in syslog format) into Microsoft Sentinel. It is intended for SOC administrators who need to direct and orchestrate their organizations' response to major security threats based on analyzing the logs in real time, and for users who require a bird's-eye view across their network, alleviating the stress of increasingly sophisticated attacks, increasing volumes of alerts, and long resolution timeframes. SonicWall Firewall DataConnector Common Event Format (CEF) is an industry standard format on top of Syslog messages, used by SonicWall to allow event interoperability among different platforms. By connecting your CEF logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log. Solution
Sonrai Security The Sonrai Dig Platform allows customers to: (1) Get to Least Privilege and stay there. Eliminate all identified risks in your cloud - Dig maps every single trust relationship, inherited permission, and policy, for every entity in your cloud. Identify all excessive privilege, escalation, and separation of duty risks across 1000's of roles and compute instances across 100's of cloud accounts; all mapped continuously. (2) Discover, classify, lock down, and monitor crown jewel data - Dig relentlessly monitors your critical data sitting inside object stores and database services. Suspicious access activity or undesirable changes in access rights are flagged. (3) Shift left by integrating teams - via organized analysis, alerts, and actions that align with how your organizations use the public cloud. Dig allows customized monitoring and views for development, staging, or production workloads and an API architecture that can be integrated into a CI/CD process. (4) Prevent. Escalate. Remediate - remediation bots fix the problems found. But, how about preventing those problems from happening in the first place? Sonrai Dig does both! It also puts prevention rules in place across your cloud and makes sure they stay there. As people try to move workloads to production, checks are in place, and promotion only happens if your risk policies are followed. Please contact azureteam@sonraisecurity.com for additional information or a free trial Sonrai Ticket Risk Accepted AnalyticsRule Checks if Sonrai tickets have had their risk accepted. It uses the action type to check if a ticket has had its risk accepted Solution
Sonrai Ticket Escalation Executed AnalyticsRule Checks if Sonrai tickets have had a comment added. It uses the action type to check if a ticket has had a comment added Solution
Sonrai Ticket Snoozed AnalyticsRule Checks if Sonrai tickets have been snoozed. It uses the action type to check if a ticket has been snoozed Solution
Sonrai Ticket Assigned AnalyticsRule Checks if Sonrai tickets have been assigned. It uses the action type to check if a ticket has been assigned Solution
Sonrai Ticket Escalation Executed AnalyticsRule Checks if Sonrai tickets have had an escalation executed. It uses the action type to check if a ticket has had an escalation executed Solution
Sonrai Ticket Updated AnalyticsRule Checks if Sonrai tickets have been updated. It uses the action type to check if a ticket has been updated Solution
Sonrai Ticket Reopened AnalyticsRule Checks if Sonrai tickets have been reopened. It uses the action type to check if a ticket has been reopened Solution
New Sonrai Ticket AnalyticsRule Checks for new Sonrai tickets. It uses the action type to check if a ticket has been created Solution
Sonrai Ticket Closed AnalyticsRule Checks if Sonrai tickets have been closed. It uses the action type to check if a ticket has been closed Solution
Sonrai Data Connector DataConnector Use this data connector to integrate with Sonrai Security and get Sonrai tickets sent directly to Microsoft Sentinel. Solution
Sonrai Workbook Sets the time name for analysis Solution
Sophos Cloud Optix Sophos Cloud Optix protects organizations from the next generation of public cloud cyberattacks and compliance penalties. The agentless SaaS solution provides security, operations, development, and compliance teams with a focused console, automatically identifying potential security gaps before they are exploited, and active threats within public cloud environments. Protecting Kubernetes clusters, Amazon Web Services, Microsoft Azure, Google Cloud Platform, and Infrastructure-as-Code environments, Cloud Optix augments data obtained via native cloud provider APIs and log information with artificial intelligence, analyzing these environments to identify a range of threats. Sophos Cloud Optix DataConnector The Sophos Cloud Optix connector allows you to easily connect your Sophos Cloud Optix logs with Azure Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's cloud security and compliance posture and improves your cloud security operation capabilities. Solution
Squadra Technologies secRMM Squadra Technologies security Removable Media Manager (secRMM) software is Windows security software that runs on your company's workstations and servers. secRMM manages and monitors removable media. In this context, removable media is defined as external hard disks, USB (flash) drives, smart phones, tablets, SD-Cards, CD-ROM and DVD. Generally, any storage device that supports Microsoft plug-and-play will be managed and monitored by secRMM. Such devices typically use the computer's Universal Serial Bus (USB) ports to connect to the computer. Removable media devices are popular because they are very convenient when you want to copy files around or back up data. secRMM allows you to track all write activity to the removable media devices in your computer environment as well as giving you the ability to control (or authorize) who can write to the removable media devices. For more information, please visit http://www.squadratechnologies.com Squadra Technologies secRMM DataConnector Use the Squadra Technologies secRMM Data Connector to push USB removable storage security event data into Azure Sentinel Log Analytics. Solution
Squadra Technologies SecRMM - USB removable storage security Workbook This workbook gives an overview of security data for removable storage activity such as USB thumb drives and USB connected mobile devices. Solution
Talon Connector Talon Security collaborates closely with its customers and partners to provide comprehensive browser security solutions. A central location for monitoring all activity is a crucial element of a successful and contemporary security approach. By sharing Talon's logs with Microsoft Sentinel, administrators and IT managers can access intelligence, analytics, and a complete understanding of Talon's activities. Talon Insights DataConnector The Talon Security Logs connector allows you to easily connect your Talon events and audit logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. Solution
Talon Insights Workbook This workbook provides Talon Security Insights on Log Analytics Query Logs Solution
Tanium Microsoft Sentinel Connector Important: This Microsoft Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews. Sentinel bundle for Tanium. Microsoft Sentinel solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automation in your workspace with a single deployment step. Data Connectors: 1, Workbooks: 1, Analytic Rules: 1, Playbooks: 6 Tanium Threat Response Alerts AnalyticsRule Alerts from Tanium Threat Response (THR) that can be acted upon by a Microsoft Sentinel Playbook Solution
Tanium-ComplyFindings Playbook This playbook starts with a Microsoft Sentinel incident, gets the hosts associated with that incident, queries the Tanium API Gateway for Comply Findings for those hosts, and then adds a comment to the incident with that information. Solution
Tanium-GeneralHostInfo Playbook This playbook starts with a Microsoft Sentinel incident, gets the hosts associated with that incident, queries the Tanium API Gateway for general endpoint information for those hosts, and then adds a comment to the incident with that information. Solution
Tanium-MSDefenderHealth Playbook This playbook starts with a Microsoft Sentinel incident, gets the hosts associated with that incident, queries the Tanium API Gateway for the Microsoft Defender Health for those hosts, and then adds a comment to the incident with that information. Solution
Tanium-QuarantineHosts Playbook This playbook starts with a Microsoft Sentinel incident, gets the hosts associated with that incident, then directs Tanium to quarantine those hosts. The status of the quarantine operation is commented on the Sentinel incident. Solution
Tanium-ResolveThreatResponseAlert Playbook This playbook will resolve any Tanium Threat Response alerts associated with a Microsoft Sentinel incident. Solution
Tanium-SCCMClientHealth Playbook This playbook starts with a Microsoft Sentinel incident, gets the hosts associated with that incident, queries the Tanium API Gateway for the SCCM Client Health for those hosts, and then adds a comment to the incident with that information. Solution
Tanium-UnquarantineHosts Playbook This playbook starts with a Microsoft Sentinel incident, gets the hosts associated with that incident, then directs Tanium to un-quarantine those hosts. The status of the un-quarantine operation is commented on the Sentinel incident. Solution
Tanium Workbook Workbook Visualize Tanium endpoint and module data Solution
Tenable App Powered by Nessus technology and delivered via the cloud, Tenable.io provides the industry's most comprehensive vulnerability management solution with the ability to predict which security issues to remediate first to reduce your cyber exposure. This integration combines Tenable's Cyber Exposure insights with Microsoft Sentinel's collection, detection, and investigation capabilities. This integration supports Tenable.io and exports asset and vulnerability data from Tenable.io directly to Microsoft Sentinel. Microsoft Sentinel solutions provide a consolidated way to acquire Microsoft Sentinel content including data connectors, workbooks, analytics, and automations in your workspace with a single deployment step. Learn more about TenableCore with Nessus. Learn more about Nessus and Microsoft Azure. Tenable.io Vulnerability Management (using Azure Function) DataConnector The Tenable.io data connector provides the capability to ingest Asset and Vulnerability data into Microsoft Sentinel through the REST API from the Tenable.io platform (managed in the cloud). Refer to the API documentation for more information. The connector provides the ability to get data which helps to examine potential security risks, get insight into your computing assets, diagnose configuration problems and more Solution
LogicAppsCustomConnector Solution
LogicAppsCustomConnector Solution
TenableIOAssets Parser Solution
TenableIOVulnerabilities Parser Solution
Tenable.io - Enrich incident with asset info Playbook Once a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Obtains IPs from the incident. 2. Searches asset information by the IPs in Microsoft Sentinel. 3. Adds obtained information as a comment to the incident. Solution
Tenable.io - Enrich incident with vulnerability info Playbook Once a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Obtains IPs from the incident. 2. Searches asset IDs by the IPs in Microsoft Sentinel. 3. Gets vulnerabilities information in Microsoft Sentinel. 4. Adds obtained information as a comment to the incident. Solution
Tenable.io - Launch Scan Playbook Once a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Launches scan by scan id provided during the playbook deployment. 2. Adds information about launched scan as a comment to the incident. Solution
Lastpass Enterprise Activity Monitoring LastPass Enterprise is an enterprise, cloud-based password manager which allows organizations to securely store and share passwords and other credentials. This solution provides insights into the activity within the application and alerts on potential security risks. By deploying this solution, you'll be able to monitor activity within LastPass and be alerted when potential security events arise. The solution consists of the following resources: a codeless data connector to retrieve data from LastPass; one workbook to visualize some of the activity within LastPass; hunting queries to look into potential security events; analytic rules to generate alerts and incidents when potentially malicious events happen. The source code and details of the rules can be found on the page. TI map IP entity to LastPass data AnalyticsRule Identifies a match in the LastPass table from any IP IOC from TI Solution
Failed sign-ins into LastPass due to MFA AnalyticsRule This rule will check if a sign-in into LastPass failed due to MFA. An incident can indicate the potential brute forcing of a LastPass account. The use of MFA is identified by combining the sign-in logs; this rule assumes LastPass is federated to AAD. Solution
Employee account deleted AnalyticsRule This rule will monitor for any employee accounts being deleted. Deleting an employee account can have a big potential impact as all of the data for that user will be removed. Solution
Unusual Volume of Password Updated or Removed AnalyticsRule This rule will check for an abnormal volume of sites being deleted or changed per user. The normal amount of actions is calculated based on the previous 14 days of activity. If there is a significant increase, an incident will be created. Solution
Highly Sensitive Password Accessed AnalyticsRule This rule will monitor access to highly sensitive passwords. Within the Watchlist called 'LastPass' define passwords which are deemed highly sensitive (such as password to a high privileged application). When an activity is observed against such password, an incident is created. Solution
LastPass Enterprise - Reporting (Polling CCP) DataConnector The LastPass Enterprise connector provides the capability to ingest LastPass reporting (audit) logs into Microsoft Sentinel. The connector provides visibility into logins and activity within LastPass (such as reading and removing passwords). Solution
Failed sign-ins into LastPass due to MFA. HuntingQuery Solution
Login into LastPass from a previously unknown IP. HuntingQuery Solution
Password moved to shared folders HuntingQuery Solution
Lastpass Enterprise Activity Monitoring Workbook Sets the time name for analysis Solution
Theom - Data Cloud and Data Lakehouse Attack Detection Overview: Theom integrates with Microsoft Sentinel enabling customers to detect and stop active threats to data clouds and data lakehouses. Sentinel customers can seamlessly use Theom's unique AI threat intelligence while using their trusted environment for alerting and remediation. With the Theom and Microsoft Sentinel integration, our customers can now collect valuable threat intelligence content from inside data clouds and data lakehouses, detect attacks using the MITRE ATT&CK framework, ingest critical alerts into Microsoft Sentinel, and respond to incidents rapidly with built-in orchestration and automation. Theom runs inside the data cloud or data lakehouse to deliver unique intelligence on data assets and threats to sensitive data, all with no agents, no proxies, and no impact on business applications. Integration benefits: Theom and Microsoft Sentinel help customers secure data clouds and data lakehouses with: Insider Threat Detection and Prevention: detect phished users and service accounts abusing data and suspend their access; quarantine data at risk and apply egress controls to stop data leaks; prioritize data security incidents based on the $ value of data at risk. Data Access Governance: detect over-provisioned access to data and shrink-wrap permissions continuously; gain visibility into who has access to what data and what they do with the data; ensure detection and prevention controls follow the data through the data pipeline. Ransomware detection, prevention, recovery: detect attacker progression and malicious access to data, using an AI-based detection engine; track and capture attackers' encryption keys, even after attackers cover their tracks. Underlying Microsoft Technologies used: This solution has a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs. a. Azure Monitor HTTP Data Collector API Theom - Shadow DB with atypical accesses AnalyticsRule Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0036 (Theom has observed shadow or clone databases/tables. Additionally, it has observed atypical accesses to these data stores. As per this requirement, use this information to apply data access control lists or access permissions and enforce data retention policies) Solution
Theom - Healthcare data exposed AnalyticsRule Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0015 (Theom has observed healthcare data in a data store that is publicly exposed. As per this requirement, use this information to apply data access control lists or access permissions to secure your data) Solution
Theom - Financial data exposed AnalyticsRule Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0026 (Theom has observed financial data in a data store that is publicly exposed. As per this requirement, use this information to apply data access control lists or access permissions to secure your data) Solution
Theom - Critical data in API headers or body AnalyticsRule Creates Sentinel incidents for critical/high Theom risks, associated with ruleId's TRIS0007 to TRIS0010 and TRIS0014 Solution
Theom Medium Risks AnalyticsRule Creates Microsoft Sentinel incidents for medium risk Theom alerts. Solution
Theom - Dark Data with large fin value AnalyticsRule Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0032 (Theom has observed data with a large financial value, but that has not been accessed recently. Use this information to enforce data retention policies) Solution
Theom - Dev secrets exposed AnalyticsRule Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0012 (Theom has observed developer secrets in a data store that is publicly exposed. As per this requirement, use this information to apply data access control lists or access permissions to secure your data) Solution
Theom - Least priv large value shadow DB AnalyticsRule Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0032 (Theom has observed shadow (or clone) databases/tables that have a large financial value. Additionally, it has observed roles that are overprovisioned for these data stores. As per this requirement, use this information to apply data access control lists or access permissions and enforce data retention policies) Solution
Theom - Unencrypted public data stores AnalyticsRule Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0005 (Theom has observed data stores that are both unencrypted and publicly accessible. Review if the data store and the data within should be publicly accessible. Additionally, encrypt the data at rest to comply with these CIS requirements) Solution
Theom High Risks AnalyticsRule Creates Microsoft Sentinel incidents for high risk Theom alerts. Solution
Theom - Shadow DB large datastore value AnalyticsRule Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0035 (Theom has observed shadow (or clone) databases/tables with large financial value. As per this requirement, use this information to apply data access control lists or access permissions and enforce data retention policies) Solution
Theom - National IDs unencrypted AnalyticsRule Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0002 (National IDs have been observed in unencrypted data stores. Encrypt data at rest to comply with this CIS requirement) Solution
Theom - Financial data unencrypted AnalyticsRule Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0003 (Financial data has been observed in unencrypted data stores. Encrypt data at rest to comply with this CIS requirement) Solution
Theom Critical Risks AnalyticsRule Creates Microsoft Sentinel incidents for critical risk Theom alerts. Solution
Theom Low Risks AnalyticsRule Creates Microsoft Sentinel incidents for low risk Theom alerts Solution
Theom Insights AnalyticsRule Creates Microsoft Sentinel incidents for Theom insight alerts. Solution
Theom - National IDs exposed AnalyticsRule Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0018 (Theom has observed National IDs in a data store that is publicly exposed. As per this requirement, use this information to apply data access control lists or access permissions to secure your data) Solution
Theom - Dev secrets unencrypted AnalyticsRule Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0001 (Developer secrets have been observed in unencrypted data stores. Encrypt data at rest to comply with this CIS requirement) Solution
Theom - Healthcare data unencrypted AnalyticsRule Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0004 (Healthcare data has been observed in unencrypted data stores. Encrypt data at rest to comply with this CIS requirement) Solution
Theom - Overprovisioned Roles Shadow DB AnalyticsRule Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0034 (Theom has observed shadow (or clone) databases/tables. Additionally, it has observed roles that are overprovisioned for these data stores. As per this requirement, use this information to apply data access control lists or access permissions and enforce data retention policies) Solution
Theom DataConnector Theom Data Connector enables organizations to connect their Theom environment to Microsoft Sentinel. This solution enables users to receive alerts on data security risks, create and enrich incidents, check statistics and trigger SOAR playbooks in Microsoft Sentinel Solution
Theom Workbook Theom Alert Statistics Solution
Trend Micro Deep Security Virtualization has already transformed the data center and now organizations are moving their workloads to cloud and container architectures. There are many advantages of hybrid cloud computing; however, it also comes with new risks and threats. Your organization must ensure compliance requirements are met and that you have security across all of your workloads, physical servers, virtual, cloud, or containers. Trend Micro™ Deep Security™ software provides comprehensive security in a single solution that is purpose-built for virtual, cloud, and container environments. Deep Security allows for consistent security regardless of the workload. It also provides a rich set of application programming interfaces (APIs) so security can be automated and won't impact your teams. Key Use Cases: Automated Protections – Save time and resources with automated policy across your hybrid environments, such as data center and cloud as you migrate or create new workloads. Unified Security – Deploy and consolidate security across your physical, virtual, multi-cloud, and container environments with a single agent and platform. Security for the CI/CD Pipeline – API-first, developer-friendly tools to help you ensure that security controls are baked into DevOps processes. Accelerate Compliance – Demonstrate compliance with several regulatory requirements, including GDPR, PCI DSS, HIPAA, NIST, FedRAMP, and more. Note: This listing features the Trend Micro Deep Security connector. It allows you to easily connect your Deep Security logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation, giving you more insight into your organization's networks/systems and improving your security operation capabilities. 
Trend Micro Deep Security DataConnector The Trend Micro Deep Security connector allows you to easily connect your Deep Security logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's networks/systems and improves your security operation capabilities. Solution
TrendMicroDeepSecurity Parser Solution
Trend Micro Deep Security ATT&CK Related Activity Workbook Visualize and gain insights into the MITRE ATT&CK related activity detected by Trend Micro Deep Security. Solution
Trend Micro Deep Security Events Workbook Gain insights into your Trend Micro Deep Security security event data by visualizing your Deep Security Anti-Malware, Firewall, Integrity Monitoring, Intrusion Prevention, Log Inspection, and Web Reputation event data. Solution
Trend Micro TippingPoint Organizations today are in the constant shadow of evolving and sophisticated cyber threats. In some cases, these threats are not only more complex than those of the past, but they are also targeted and rely on newly discovered vulnerabilities or exploits. In other cases, threats take advantage of older vulnerabilities that you thought were long forgotten. Safeguarding your network assets and data from such risks involves detailed visibility into all your network layers and resources. It requires comprehensive, up-to-date security intelligence, and a dynamic approach that uses awareness and automation to adapt to new threats, new vulnerabilities, and everyday network changes. Trend Micro™ TippingPoint™ Threat Protection System (TPS) is a powerful network security platform that offers comprehensive threat protection against known and undisclosed vulnerabilities with high accuracy. TippingPoint provides industry-leading coverage across different threat vectors from advanced threats, like malware and phishing, with extreme flexibility and high performance. TippingPoint uses a combination of technologies, including deep packet inspection, threat reputation, URL reputation, and advanced malware analysis on a flow-by-flow basis, to detect and prevent attacks on the network. TippingPoint enables enterprises to take a proactive approach to security, providing comprehensive contextual awareness and deeper analysis of network traffic. This complete contextual awareness, combined with the threat intelligence from Trend Micro™ TippingPoint™ Digital Vaccine threat intelligence, provides the visibility and agility necessary to keep pace with today's dynamic, evolving enterprise and data center networks. Key Benefits: Pre-emptive Threat Prevention; Threat Insight and Prioritization; Real-time Enforcement and Remediation; Operational Simplicity. Note: This listing features the Trend Micro TippingPoint connector. It allows you to easily connect your TippingPoint SMS IPS events with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation, giving you more insight into your organization's networks/systems and improving your security operation capabilities. Trend Micro TippingPoint DataConnector The Trend Micro TippingPoint connector allows you to easily connect your TippingPoint SMS IPS events with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's networks/systems and improves your security operation capabilities. Solution
TrendMicroTippingPoint Parser Solution
Trend Vision One Detect, investigate, prioritize, and respond to threats quicker with a purpose-built threat defense platform that exceeds typical XDR solutions. With today's ever-evolving threat landscape, you need capabilities in place to help you detect and respond rapidly to threats that may breach your defenses. Many organizations use multiple, separate security layers to detect threats across their email, endpoints, servers, cloud infrastructure, and networks, leading to siloed threat information and an overload of uncorrelated alerts. Investigating threats across all these disparate solutions makes for a very piecemeal and manual investigation process that can miss threats altogether due to lack of visibility and correlation. Trend Vision One is a purpose-built threat defense platform that provides added value and new benefits beyond XDR solutions, allowing you to see more and respond faster. Providing deep and broad extended detection and response (XDR) capabilities that collect and automatically correlate data across multiple security layers (email, endpoints, servers, cloud workloads, and networks), Trend Vision One prevents most attacks with automated protection. Key Benefits: Prioritized view of threats across the organization. More effective analysis. Clearer contextual view of threats. Stops more attacks, quicker. Reduces time to detect and stop threats. Increased effectiveness and efficiency of threat investigation. Integration with third-party systems. Trend Vision One is ranked #1 in the protection category for ensuring early prevention in the attack lifecycle. See why. Note: This listing is for the Trend Vision One connector. It provides the capability to ingest workbench alerts from the Trend Vision One API into Microsoft Sentinel. The connector provides visibility into these log types in Microsoft Sentinel to view dashboards, create custom alerts, and to improve monitoring and investigation capabilities. 
Create Incident for XDR Alerts AnalyticsRule This Query creates an incident based on Trend Vision One Workbench Alerts and maps the impacted entities for Microsoft Sentinel usage. Solution
Trend Vision One (using Azure Function) DataConnector The Trend Vision One connector allows you to easily connect your Workbench alert data with Microsoft Sentinel to view dashboards, create custom alerts, and to improve monitoring and investigation capabilities. This gives you more insight into your organization's networks/systems and improves your security operation capabilities. The Trend Vision One connector is supported in Microsoft Sentinel in the following regions: Australia East, Australia Southeast, Brazil South, Canada Central, Canada East, Central India, Central US, East Asia, East US, East US 2, France Central, Japan East, Korea Central, North Central US, North Europe, Norway East, South Africa North, South Central US, Southeast Asia, Sweden Central, Switzerland North, UAE North, UK South, UK West, West Europe, West US, West US 2, West US 3. Solution
vArmour Application Controller vArmour Application Controller is an industry-leading solution for Application Relationship Management: a transformative way to visualize and secure your enterprise. When coupled with Microsoft Sentinel, the two seamlessly integrate to provide this enhanced visibility and automated security operations via Microsoft Sentinel. Digital-first businesses are built on millions of dynamic interconnections between users and applications across hybrid environments. Most of these interconnections can't be seen today. As environmental complexity grows, so does the risk to the organization. Application Controller is an easy-to-deploy solution that delivers comprehensive real-time visibility and control of your application relationships and dependencies, so you can improve operational decision-making, strengthen your security posture, and reduce business risk across your multi-cloud deployments, all without adding costly new agents or infrastructure. As a result, your applications will be more resilient and secure. Enterprises around the world rely on Application Controller for: Application Dependency & Relationship Mapping; Orchestrated Segmentation; User Access & Entitlement Monitoring; Incident Response. vArmour AppController - SMB Realm Traversal AnalyticsRule Detects when SMB traffic crosses Production and Non-Production Realms. Possible network share discovery or lateral tool transfer across realms. Solution
vArmour Application Controller DataConnector vArmour reduces operational risk and increases cyber resiliency by visualizing and controlling application relationships across the enterprise. This vArmour connector enables streaming of Application Controller Violation Alerts into Microsoft Sentinel, so you can take advantage of search & correlation, alerting, & threat intelligence enrichment for each log. Solution
vArmour Application Controller Workbook Sets the time name for analysis Solution
Vectra Detect Vectra® is the leader in Security AI-driven cyber threat detection and response for hybrid cloud. Vectra's patented Attack Signal Intelligence detects and prioritizes threats across public cloud, SaaS, identity, and networks in a single platform. Vectra's Attack Signal Intelligence goes beyond simple anomaly detection to analyze and understand attacker behavior. The resulting high-fidelity signal and deep context enable security operations teams to prioritize, investigate and respond to cyber-attacks in progress sooner and faster. Organizations worldwide rely on the Vectra platform and MDR services to stay ahead of modern cyber-attacks. Vectra Detect for Microsoft Sentinel contains: Data Connector to ingest events generated by Vectra Detect (through OMS agent). Workbook: Dynamic dashboard view of Hosts and Accounts with associated detections. Analytics templates: Cover typical use cases when an incident and/or alert can be generated. Vectra AI Detect - Suspected Compromised Account AnalyticsRule Create an incident when an Account is suspected to be compromised. The higher the severity level is, the more immediate attention it requires, as the Vectra AI engine is more confident that this is a real threat. Severity levels are: Low, Medium, High, Critical. Recommended configuration is to trigger an alert for at least High and Critical. Solution
Vectra Host's Behaviors AnalyticsRule This analytic rule is looking for new attacker behaviors observed by the Vectra Platform. This rule is focused on host's detections. Solution
Vectra AI Detect - Detections with High Severity AnalyticsRule Create an incident for high severity malicious behavior detected by Vectra AI (Threat score greater than 7.0). The Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. The severity_threshold variable can be adjusted as desired. Solution
Vectra AI Detect - Suspected Compromised Host AnalyticsRule Create an incident when a Host is suspected to be compromised. The higher the severity level is, the more immediate attention it requires, as the Vectra AI engine is more confident that this is a real threat. Severity levels are: Low, Medium, High, Critical. Recommended configuration is to trigger an alert for at least High and Critical. Solution
Vectra AI Detect - Suspicious Behaviors by Category AnalyticsRule Create an incident for each new malicious behavior detected by Vectra Detect for a specific Category. By default, it looks through all tactics. This can be modified to create incident only for a subset of tactics. Solution
Vectra AI Detect - New Campaign Detected AnalyticsRule Identifies when a new Campaign has been detected. This occurs when multiple Detections across different Hosts are suspected to be part of the same Attack Campaign. Solution
Vectra Account's Behaviors AnalyticsRule This analytic rule is looking for new attacker behaviors observed by the Vectra Platform. This rule is focused on account's detections. Solution
Vectra AI Detect DataConnector The AI Vectra Detect connector allows users to connect Vectra Detect logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives users more insight into their organization's network and improves their security operation capabilities. Solution
Vectra AI Detect Workbook Start investigating network attacks surfaced by Vectra Detect directly from Microsoft Sentinel. View critical hosts, accounts, campaigns and detections. Also monitor Vectra system health and audit logs. Solution
Vectra AI Stream Vectra AI® protects businesses by detecting and stopping cyberattacks. As a leader in network detection and response (NDR), Vectra® AI protects your data, systems, and infrastructure. Vectra AI enables your SOC team to quickly discover and respond to attackers before they act. Vectra AI rapidly identifies suspicious behavior and activity on your extended network, whether on-premises or in the cloud. Vectra will find it, flag it, and alert security personnel so they can respond immediately. Vectra AI is Security that thinks®. It uses artificial intelligence to improve detection and response over time, eliminating false positives so you can focus on real threats. Vectra AI Stream solution for Microsoft Sentinel contains: Data Connector to ingest Network Metadata collected at scale by Vectra AI distributed sensors. Custom Parser. Threat Hunting queries. The list of supported network metadata and attributes is available here. AI Vectra Stream DataConnector The AI Vectra Stream connector allows sending Network Metadata collected by Vectra Sensors across the Network and Cloud to Microsoft Sentinel Solution
Vectra AI - Suspicious Long DNS Queries HuntingQuery Solution
Vectra AI - Potential DCSync Attack HuntingQuery Solution
Vectra AI - Potential LLMNR/NBT-NS Poisoning and SMB Relay HuntingQuery Solution
Vectra AI - Suspicious Unsecured Credentials Group Policy Preferences HuntingQuery Solution
Vectra AI - Possible PoshC2 Tunnel HuntingQuery Solution
Vectra AI - Possible Kali Linux Detected HuntingQuery Solution
Vectra AI - Potential Exfiltration over DNS HuntingQuery Solution
Vectra AI - Beaconing Behaviors HuntingQuery Solution
Vectra AI - Suspicious number of sub-domains HuntingQuery Solution
Vectra AI - Malicious Tools File Copy HuntingQuery Solution
Vectra Data Parser Parser Solution
WatchGuard Firebox Microsoft Azure Sentinel is a scalable, cloud-native security information event management (SIEM) and security orchestration automated response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise and provides a single solution for alert detection, threat visibility, proactive hunting, and threat response. This package enables integration of Microsoft Azure Sentinel with your WatchGuard Firebox Cloud. WatchGuard Firebox DataConnector WatchGuard Firebox (https://www.watchguard.com/wgrd-products/firewall-appliances and https://www.watchguard.com/wgrd-products/cloud-and-virtual-firewalls) is a family of security products (firewall appliances). WatchGuard Firebox sends syslog to the WatchGuard Firebox collector agent. The agent then forwards the messages to the workspace. Solution
WatchGuardFirebox Parser Solution
WireX Network Forensics Platform WireX Systems Incident Response Platform engages your entire security team to conduct dramatically faster, better investigations while chopping down data retention costs. Powered by Contextual Capture™ technology, the solution continuously monitors the entire enterprise network stack and translates it into content and behavior-aware intelligence for immediate use, delivering months of in-depth visibility. Once a potential incident is identified, the WireX visual interface makes it easy for any security operator to investigate – even the less experienced ones. By up-leveling skills and creating powerful workflows for knowledge sharing, the WireX platform empowers the entire security team to handle more threats in significantly less time, thus maximizing security operations ROI. WireX Network Forensics Platform DataConnector The WireX Systems data connector allows security professionals to integrate with Microsoft Sentinel to further enrich forensics investigations: not only to encompass the contextual content offered by WireX, but also to analyze data from other sources, to create custom dashboards that give the most complete picture during a forensic investigation, and to create custom workflows. Solution
WithSecure™ Elements via Connector WithSecure™ Elements is the unified cloud-based cyber security platform designed to reduce risk, complexity, and inefficiency. Elevate your security from your endpoints to your cloud applications. Arm yourself against every type of cyber threat, from targeted attacks to zero-day ransomware. WithSecure™ Elements combines powerful predictive, preventive, and responsive security capabilities – all managed and monitored through a single security center. Our modular structure and flexible pricing models give you the freedom to evolve. With our expertise and insight, you'll always be empowered – and you'll never be alone. With Microsoft Sentinel integration, you can correlate security events data from the WithSecure™ Elements solution with data from other sources, enabling a rich overview of your entire environment and faster reaction to threats. For more information visit our website at: https://www.withsecure.com WithSecure Elements via Connector DataConnector WithSecure Elements is a unified cloud-based cyber security platform. By connecting WithSecure Elements via Connector to Microsoft Sentinel, security events can be received in Common Event Format (CEF) over syslog. It requires deploying "Elements Connector" either on-prem or in cloud. The Common Event Format (CEF) provides natively search & correlation, alerting and threat intelligence enrichment for each data log. Solution
Zero Networks Segment Zero Networks Segment is an MFA-based segmentation solution that automatically restricts network access to only what users and machines actually need. When a compromise occurs, attackers are boxed in and unable to move around the network and spread to additional hosts. In light of the continuous increase in attacks' sophistication and frequency, Zero Networks creates a military-grade network security posture to help prevent ransomware and attackers from successfully spreading and causing damage. The Audit Logs API is for monitoring the audit events happening in Zero Networks Segment to ensure continued compliance, to safeguard against any inappropriate system access, and to allow you to audit suspicious behavior within your enterprise. Zero Networks Segment - Rare JIT Rule Creation AnalyticsRule Identifies when a JIT Rule connection is new or rare by a given account today based on comparison with the previous 14 days. JIT Rule creations are indicated by the Activity Type Id 20 Solution
Zero Networks Segment - New API Token created AnalyticsRule Detects when an API token has been created. Solution
Zero Networks Segment - Machine Removed from protection AnalyticsRule Detects when a machine is removed from protection. Solution
Zero Networks Segment Audit (Function) (using Azure Function) DataConnector The Zero Networks Segment Audit data connector provides the capability to ingest Audit events into Microsoft Sentinel through the REST API. Refer to the API guide for more information. The connector provides the ability to get events, which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems, and more. Solution
Zero Networks Segment Audit DataConnector The Zero Networks Segment Audit data connector provides the capability to ingest Zero Networks Audit events into Microsoft Sentinel through the REST API. This data connector uses Microsoft Sentinel native polling capability. Solution
Zero Networks Segment - Excessive access to a built-in group by user HuntingQuery Solution
Zero Networks Segment - Excessive access by user HuntingQuery Solution
Zero Networks Segment - Outbound Block Rules Deleted HuntingQuery Solution
Zero Networks Segment - Inbound Block Rules Deleted HuntingQuery Solution
LogicAppsCustomConnector Solution
ZNSegmentAudit Parser Solution
Add Asset to Protection - Zero Networks Segment Playbook This playbook takes a host from a Microsoft Sentinel incident and adds it to protection. The playbook is configured to add the machine to protection (learning). If you want to have it go straight to protection, remove the protectAt property in the action. Solution
Add Block Outbound Rule - Zero Networks Access Orchestrator Playbook This playbook allows blocking an IP outbound from protected assets in Zero Networks Segment. Solution
Enrich Incident - Zero Networks Access Orchestrator Playbook This playbook will take each Host entity and get its Asset status from Zero Networks Segment. The playbook will then write a comment to the Microsoft Sentinel incident with a table of assets and protection statuses. Solution
Zero NetWork Workbook This workbook provides a summary of ZeroNetworks data. Solution
Zimperium MTD Today, enterprises focus their security and compliance efforts on traditional computing devices (e.g., servers, desktops, and laptops). Over half (60%) of enterprise endpoints are mobile; these devices contain a mixture of productivity and personal apps installed on each device, potentially exposing corporate data and increasing the risk and attack surface for any enterprise. Zimperium's Mobile Threat Defense connector gives you the ability to connect the Zimperium threat log with Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation. The unmatched forensics provided by zIPS prevent a compromised mobile device from turning into an outbreak and allow for better visibility and telemetry to make more informed security decisions. Zimperium's Mobile Threat Defense (MTD) Benefits: Protects BYOD and managed mobile devices against network, device, phishing and malware attacks. When integrated with a UEM, such as the Microsoft Endpoint Manager (Intune) solution, automatically remediates threats based on access policies. Provides visibility into the security posture of your organization's mobile devices. Includes detailed forensics of the threats and risks encountered. Zimperium's MTD Features: Machine learning-based detection enables the detection of zero-day mobile exploits. On-device detection eliminates the delays and risks of cloud-based lookups and ensures the device is always protected, even when not connected to a network. Strict privacy functionality with no user information sent to the cloud. Most integrations with leading enterprise mobility management (EMM) and universal endpoint management (UEM) solutions, and the only one that enables multiple EMM/UEMs in a single console. The only MTD solution available on any cloud. Advanced integrations with security information and event management (SIEM) solutions. Zimperium's MTD with Microsoft: Integration with Microsoft Endpoint Manager (Intune) solution enables conditional access to Microsoft 365 applications based on Intune MAM policies. Advanced Integration with Microsoft Defender ATP provides forensic level threat visibility and hunting. Zimperium is the only MTD solution integrated with Microsoft Azure Sentinel SIEM. Zimperium is the only MTD solution that is capable of running natively on Azure. Zimperium Mobile Threat Defense DataConnector Zimperium Mobile Threat Defense connector gives you the ability to connect the Zimperium threat log with Azure Sentinel to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's mobile threat landscape and enhances your security operation capabilities. Solution
Zimperium Mobile Threat Defense (MTD) Workbook This workbook provides insights on Zimperium Mobile Threat Defense (MTD) threats and mitigations. Solution
Zscaler Internet Access Use this offer to deploy ZIA logs into Microsoft Sentinel. Main users of this offer are IT teams that want to integrate ZIA logs into Microsoft Sentinel. This simplifies the deployment process and allows IT teams to be more agile and start to realize the benefit of correlating their Zscaler Internet Access logs (e.g. Web and Firewall logs) with other signals and use Microsoft Sentinel to maximize the benefits of attack detection, threat visibility, proactive hunting, and threat response. Discord CDN Risky File Download AnalyticsRule Identifies callouts to Discord CDN addresses for risky file extensions. This detection will trigger when a callout for a risky file is made to a Discord server that has only been seen once in your environment. Unique Discord servers are identified using the server ID that is included in the request URL (DiscordServerId in query). Discord CDN has been used in multiple campaigns to download additional payloads. Solution
Request for single resource on domain AnalyticsRule This will look for connections to a domain where only a single file is requested; this is unusual, as most modern web applications require additional resources. This type of activity is often associated with malware beaconing or tracking URLs delivered in emails. Developed for Zscaler but applicable to any outbound web logging. Solution
Zscaler DataConnector The Zscaler data connector allows you to easily connect your Zscaler Internet Access (ZIA) logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. Using Zscaler on Microsoft Sentinel will provide you more insights into your organization's Internet usage, and will enhance its security operation capabilities. Solution
ZScalerFW_Parser Parser Solution
ZScalerWeb_Parser Parser Solution
Zscaler Firewall Workbook Gain insights into your ZIA cloud firewall logs by connecting to Microsoft Sentinel. The Zscaler firewall overview workbook provides an overview and ability to drill down into all cloud firewall activity in your Zscaler instance, including non-web related networking events, security events, firewall rules, and bandwidth consumption. Solution
Zscaler Office365 Apps Workbook Gain insights into Office 365 use on your network. The Zscaler Office 365 overview workbook shows you the Microsoft apps running on your network and their individual bandwidth consumption. It also helps identify phishing attempts in which attackers disguised themselves as Microsoft services. Solution
Zscaler Threats Workbook Gain insights into threats blocked by Zscaler Internet access on your network. The Zscaler threat overview workbook shows your entire threat landscape including blocked malware, IPS/AV rules, and blocked cloud apps. Threats are displayed by threat categories, filetypes, inbound vs outbound threats, usernames, user location, and more. Solution
Zscaler Web Overview Workbook Gain insights into your ZIA web logs by connecting to Microsoft Sentinel. The Zscaler web overview workbook provides a bird's eye view and ability to drill down into all the security and networking events related to web transactions, types of devices, and bandwidth consumption. Solution
End-user consent stopped due to risk-based consent End-user consent stopped due to risk-based consent AnalyticsRule Standalone
Midnight Blizzard - Script payload stored in Registry Midnight Blizzard - Script payload stored in Registry AnalyticsRule Standalone
URL Added to Application from Unknown Domain URL Added to Application from Unknown Domain AnalyticsRule Standalone
Discord CDN Risky File Download (ASIM Web Session Schema) Discord CDN Risky File Download (ASIM Web Session Schema) AnalyticsRule Standalone
COM Event System Loading New DLL COM Event System Loading New DLL AnalyticsRule Standalone
Silk Typhoon Suspicious File Downloads. Silk Typhoon Suspicious File Downloads. AnalyticsRule Standalone
Privileged Account Permissions Changed Privileged Account Permissions Changed AnalyticsRule Standalone
Mass Export of Dynamics 365 Records to Excel Mass Export of Dynamics 365 Records to Excel AnalyticsRule Standalone
Silk Typhoon Suspicious UM Service Error Silk Typhoon Suspicious UM Service Error AnalyticsRule Standalone
Time series anomaly detection for total volume of traffic Time series anomaly detection for total volume of traffic AnalyticsRule Standalone
Azure AD Health Service Agents Registry Keys Access Azure AD Health Service Agents Registry Keys Access AnalyticsRule Standalone
Known Forest Blizzard group domains - July 2019 Known Forest Blizzard group domains - July 2019 AnalyticsRule Standalone
Failed logon attempts by valid accounts within 10 mins Failed logon attempts by valid accounts within 10 mins AnalyticsRule Standalone
A client made a web request to a potentially harmful file (ASIM Web Session schema) A client made a web request to a potentially harmful file (ASIM Web Session schema) AnalyticsRule Standalone
User login from different countries within 3 hours (Uses Authentication Normalization) User login from different countries within 3 hours (Uses Authentication Normalization) AnalyticsRule Standalone
Unusual identity creation using exchange powershell Unusual identity creation using exchange powershell AnalyticsRule Standalone
Multiple Password Reset by user Multiple Password Reset by user AnalyticsRule Standalone
Gain Code Execution on ADFS Server via Remote WMI Execution Gain Code Execution on ADFS Server via Remote WMI Execution AnalyticsRule Standalone
New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version) New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version) AnalyticsRule Standalone
Changes to PIM Settings Changes to PIM Settings AnalyticsRule Standalone
Solorigate Named Pipe Solorigate Named Pipe AnalyticsRule Standalone
Azure VM Run Command operation executed during suspicious login window Azure VM Run Command operation executed during suspicious login window AnalyticsRule Standalone
Suspicious link sharing pattern Suspicious link sharing pattern AnalyticsRule Standalone
Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt AnalyticsRule Standalone
Potential Kerberoasting Potential Kerberoasting AnalyticsRule Standalone
Cisco - firewall block but success logon to Azure AD Cisco - firewall block but success logon to Azure AD AnalyticsRule Standalone
AV detections related to Europium actors AV detections related to Europium actors AnalyticsRule Standalone
ADFS DKM Master Key Export ADFS DKM Master Key Export AnalyticsRule Standalone
High count of failed attempts from same client IP High count of failed attempts from same client IP AnalyticsRule Standalone
Service Principal Authentication Attempt from New Country Service Principal Authentication Attempt from New Country AnalyticsRule Standalone
Failed host logons but success logon to AzureAD Failed host logons but success logon to AzureAD AnalyticsRule Standalone
Detect PIM Alert Disabling activity Detect PIM Alert Disabling activity AnalyticsRule Standalone
Star Blizzard C2 Domains August 2022 Star Blizzard C2 Domains August 2022 AnalyticsRule Standalone
Suspicious linking of existing user to external User Suspicious linking of existing user to external User AnalyticsRule Standalone
Silk Typhoon Suspicious Exchange Request Silk Typhoon Suspicious Exchange Request AnalyticsRule Standalone
Conditional Access Policy Modified by New User Conditional Access Policy Modified by New User AnalyticsRule Standalone
Wazuh - Large Number of Web errors from an IP Wazuh - Large Number of Web errors from an IP AnalyticsRule Standalone
Possible Resource-Based Constrained Delegation Abuse Possible Resource-Based Constrained Delegation Abuse AnalyticsRule Standalone
Dev-0228 File Path Hashes November 2021 (ASIM Version) Dev-0228 File Path Hashes November 2021 (ASIM Version) AnalyticsRule Standalone
User Added to Admin Role User Added to Admin Role AnalyticsRule Standalone
Anomalous login followed by Teams action Anomalous login followed by Teams action AnalyticsRule Standalone
Exchange Worker Process Making Remote Call Exchange Worker Process Making Remote Call AnalyticsRule Standalone
Email access via active sync Email access via active sync AnalyticsRule Standalone
Fortinet - Beacon pattern detected Fortinet - Beacon pattern detected AnalyticsRule Standalone
Dev-0228 File Path Hashes November 2021 Dev-0228 File Path Hashes November 2021 AnalyticsRule Standalone
OMI Vulnerability Exploitation OMI Vulnerability Exploitation AnalyticsRule Standalone
User account enabled and disabled within 10 mins User account enabled and disabled within 10 mins AnalyticsRule Standalone
A host is potentially running a hacking tool (ASIM Web Session schema) A host is potentially running a hacking tool (ASIM Web Session schema) AnalyticsRule Standalone
A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema) A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema) AnalyticsRule Standalone
High count of connections by client IP on many ports High count of connections by client IP on many ports AnalyticsRule Standalone
Probable AdFind Recon Tool Usage (Normalized Process Events) Probable AdFind Recon Tool Usage (Normalized Process Events) AnalyticsRule Standalone
Rare RDP Connections Rare RDP Connections AnalyticsRule Standalone
Security Service Registry ACL Modification Security Service Registry ACL Modification AnalyticsRule Standalone
Suspicious modification of Global Administrator user properties Suspicious modification of Global Administrator user properties AnalyticsRule Standalone
Changes to Application Logout URL Changes to Application Logout URL AnalyticsRule Standalone
Possible contact with a domain generated by a DGA Possible contact with a domain generated by a DGA AnalyticsRule Standalone
User account created and deleted within 10 mins User account created and deleted within 10 mins AnalyticsRule Standalone
Vulnerable Machines related to OMIGOD CVE-2021-38647 Vulnerable Machines related to OMIGOD CVE-2021-38647 AnalyticsRule Standalone
AV detections related to Hive Ransomware AV detections related to Hive Ransomware AnalyticsRule Standalone
Azure VM Run Command operations executing a unique PowerShell script Azure VM Run Command operations executing a unique PowerShell script AnalyticsRule Standalone
AdminSDHolder Modifications AdminSDHolder Modifications AnalyticsRule Standalone
Privileged User Logon from new ASN Privileged User Logon from new ASN AnalyticsRule Standalone
Guest Users Invited to Tenant by New Inviters Guest Users Invited to Tenant by New Inviters AnalyticsRule Standalone
New Office User Agent in Dynamics 365 New Office User Agent in Dynamics 365 AnalyticsRule Standalone
User joining Zoom meeting from suspicious timezone User joining Zoom meeting from suspicious timezone AnalyticsRule Standalone
Potential Build Process Compromise Potential Build Process Compromise AnalyticsRule Standalone
AV detections related to Dev-0530 actors AV detections related to Dev-0530 actors AnalyticsRule Standalone
Mass Download & copy to USB device by single user Mass Download & copy to USB device by single user AnalyticsRule Standalone
SUNBURST suspicious SolarWinds child processes (Normalized Process Events) SUNBURST suspicious SolarWinds child processes (Normalized Process Events) AnalyticsRule Standalone
Failed AzureAD logons but success logon to AWS Console Failed AzureAD logons but success logon to AWS Console AnalyticsRule Standalone
Audit policy manipulation using auditpol utility Audit policy manipulation using auditpol utility AnalyticsRule Standalone
Application Gateway WAF - SQLi Detection Application Gateway WAF - SQLi Detection AnalyticsRule Standalone
RDP Nesting RDP Nesting AnalyticsRule Standalone
Potential Password Spray Attack (Uses Authentication Normalization) Potential Password Spray Attack (Uses Authentication Normalization) AnalyticsRule Standalone
AD account with Don't Expire Password AD account with Don't Expire Password AnalyticsRule Standalone
Windows host username encoded in base64 web request Windows host username encoded in base64 web request AnalyticsRule Standalone
Azure Diagnostic settings removed from a resource Azure Diagnostic settings removed from a resource AnalyticsRule Standalone
Multiple RDP connections from Single System Multiple RDP connections from Single System AnalyticsRule Standalone
Account added and removed from privileged groups Account added and removed from privileged groups AnalyticsRule Standalone
Service Principal Assigned Privileged Role Service Principal Assigned Privileged Role AnalyticsRule Standalone
New High Severity Vulnerability Detected Across Multiple Hosts New High Severity Vulnerability Detected Across Multiple Hosts AnalyticsRule Standalone
Service Principal Name (SPN) Assigned to User Account Service Principal Name (SPN) Assigned to User Account AnalyticsRule Standalone
High count of failed logons by a user High count of failed logons by a user AnalyticsRule Standalone
Exchange Server Suspicious File Downloads. Exchange Server Suspicious File Downloads. AnalyticsRule Standalone
A host is potentially running a crypto miner (ASIM Web Session schema) A host is potentially running a crypto miner (ASIM Web Session schema) AnalyticsRule Standalone
Trust Monitor Event Trust Monitor Event AnalyticsRule Standalone
External User Access Enabled External User Access Enabled AnalyticsRule Standalone
New Dynamics 365 User Agent New Dynamics 365 User Agent AnalyticsRule Standalone
Failed AzureAD logons but success logon to host Failed AzureAD logons but success logon to host AnalyticsRule Standalone
Failed AWS Console logons but success logon to AzureAD Failed AWS Console logons but success logon to AzureAD AnalyticsRule Standalone
Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Web Session schema) Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Web Session schema) AnalyticsRule Standalone
Dynamics 365 - User Bulk Retrieval Outside Normal Activity Dynamics 365 - User Bulk Retrieval Outside Normal Activity AnalyticsRule Standalone
Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization) Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization) AnalyticsRule Standalone
Silk Typhoon New UM Service Child Process Silk Typhoon New UM Service Child Process AnalyticsRule Standalone
Exchange SSRF Autodiscover ProxyShell - Detection Exchange SSRF Autodiscover ProxyShell - Detection AnalyticsRule Standalone
DSRM Account Abuse DSRM Account Abuse AnalyticsRule Standalone
Potential DGA detected (ASIM DNS Schema) Potential DGA detected (ASIM DNS Schema) AnalyticsRule Standalone
Account created from non-approved sources Account created from non-approved sources AnalyticsRule Standalone
AppServices AV Scan with Infected Files AppServices AV Scan with Infected Files AnalyticsRule Standalone
Europium - Hash and IP IOCs - September 2022 Europium - Hash and IP IOCs - September 2022 AnalyticsRule Standalone
Application ID URI Changed Application ID URI Changed AnalyticsRule Standalone
User State changed from Guest to Member User State changed from Guest to Member AnalyticsRule Standalone
Application Redirect URL Update Application Redirect URL Update AnalyticsRule Standalone
Excessive number of HTTP authentication failures from a source (ASIM Web Session schema) Excessive number of HTTP authentication failures from a source (ASIM Web Session schema) AnalyticsRule Standalone
Microsoft Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure Data Factory Microsoft Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure Data Factory AnalyticsRule Standalone
Malformed user agent Malformed user agent AnalyticsRule Standalone
User account added to built in domain local or global group User account added to built in domain local or global group AnalyticsRule Standalone
IP address of Windows host encoded in web request IP address of Windows host encoded in web request AnalyticsRule Standalone
Workspace deletion activity from an infected device Workspace deletion activity from an infected device AnalyticsRule Standalone
Brute force attack against user credentials (Uses Authentication Normalization) Brute force attack against user credentials (Uses Authentication Normalization) AnalyticsRule Standalone
Group created then added to built in domain local or global group Group created then added to built in domain local or global group AnalyticsRule Standalone
New user created and added to the built-in administrators group New user created and added to the built-in administrators group AnalyticsRule Standalone
Potential Fodhelper UAC Bypass (ASIM Version) Potential Fodhelper UAC Bypass (ASIM Version) AnalyticsRule Standalone
Mercury - Domain, Hash and IP IOCs - August 2022 Mercury - Domain, Hash and IP IOCs - August 2022 AnalyticsRule Standalone
Authentications of Privileged Accounts Outside of Expected Controls Authentications of Privileged Accounts Outside of Expected Controls AnalyticsRule Standalone
Dynamics Encryption Settings Changed Dynamics Encryption Settings Changed AnalyticsRule Standalone
CreepyDrive URLs CreepyDrive URLs AnalyticsRule Standalone
Missing Domain Controller Heartbeat Missing Domain Controller Heartbeat AnalyticsRule Standalone
IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN AnalyticsRule Standalone
RunningRAT request parameters RunningRAT request parameters AnalyticsRule Standalone
SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events) SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events) AnalyticsRule Standalone
Prestige ransomware IOCs Oct 2022 Prestige ransomware IOCs Oct 2022 AnalyticsRule Standalone
High Number of Urgent Vulnerabilities Detected High Number of Urgent Vulnerabilities Detected AnalyticsRule Standalone
Account Elevated to New Role Account Elevated to New Role AnalyticsRule Standalone
Fake computer account created Fake computer account created AnalyticsRule Standalone
AppServices AV Scan Failure AppServices AV Scan Failure AnalyticsRule Standalone
Excessive NXDOMAIN DNS Queries (ASIM DNS Schema) Excessive NXDOMAIN DNS Queries (ASIM DNS Schema) AnalyticsRule Standalone
Changes to Application Ownership Changes to Application Ownership AnalyticsRule Standalone
Identify Mango Sandstorm powershell commands Identify Mango Sandstorm powershell commands AnalyticsRule Standalone
AD FS Abnormal EKU object identifier attribute AD FS Abnormal EKU object identifier attribute AnalyticsRule Standalone
Unusual Anomaly Unusual Anomaly AnalyticsRule Standalone
PulseConnectSecure - CVE-2021-22893 Possible Pulse Connect Secure RCE Vulnerability Attack PulseConnectSecure - CVE-2021-22893 Possible Pulse Connect Secure RCE Vulnerability Attack AnalyticsRule Standalone
Application Gateway WAF - XSS Detection Application Gateway WAF - XSS Detection AnalyticsRule Standalone
Modification of Accessibility Features Modification of Accessibility Features AnalyticsRule Standalone
Addition of a Temporary Access Pass to a Privileged Account Addition of a Temporary Access Pass to a Privileged Account AnalyticsRule Standalone
Midnight Blizzard - suspicious rundll32.exe execution of vbscript Midnight Blizzard - suspicious rundll32.exe execution of vbscript AnalyticsRule Standalone
Dev-0530 File Extension Rename Dev-0530 File Extension Rename AnalyticsRule Standalone
User account created without expected attributes defined User account created without expected attributes defined AnalyticsRule Standalone
Service Principal Assigned App Role With Sensitive Access Service Principal Assigned App Role With Sensitive Access AnalyticsRule Standalone
Suspicious Login from deleted guest account Suspicious Login from deleted guest account AnalyticsRule Standalone
New Dynamics 365 Admin Activity New Dynamics 365 Admin Activity AnalyticsRule Standalone
Zoom E2E Encryption Disabled Zoom E2E Encryption Disabled AnalyticsRule Standalone
Solorigate Defender Detections Solorigate Defender Detections AnalyticsRule Standalone
COM Registry Key Modified to Point to File in Color Profile Folder COM Registry Key Modified to Point to File in Color Profile Folder AnalyticsRule Standalone
CreepyDrive request URL sequence CreepyDrive request URL sequence AnalyticsRule Standalone
User Account Created Using Incorrect Naming Format User Account Created Using Incorrect Naming Format AnalyticsRule Standalone
Authentication Attempt from New Country Authentication Attempt from New Country AnalyticsRule Standalone
Time series anomaly for data size transferred to public internet Time series anomaly for data size transferred to public internet AnalyticsRule Standalone
PE file dropped in Color Profile Folder PE file dropped in Color Profile Folder AnalyticsRule Standalone
Anomolous Single Factor Signin Anomolous Single Factor Signin AnalyticsRule Standalone
Users searching for VIP user activity Users searching for VIP user activity AnalyticsRule Standalone
Azure AD Health Monitoring Agent Registry Keys Access Azure AD Health Monitoring Agent Registry Keys Access AnalyticsRule Standalone
Anomalous User Agent connection attempt Anomalous User Agent connection attempt AnalyticsRule Standalone
Authentication Method Changed for Privileged Account Authentication Method Changed for Privileged Account AnalyticsRule Standalone
RareDNSLookupWithDataTransfer RareDNSLookupWithDataTransfer HuntingQuery Standalone
User Login IP Address Teleportation User Login IP Address Teleportation HuntingQuery Standalone
Alerts related to IP Alerts related to IP HuntingQuery Standalone
User Granted Access and associated audit activity User Granted Access and associated audit activity HuntingQuery Standalone
S3 Bucket outbound Data transfer anomaly S3 Bucket outbound Data transfer anomaly HuntingQuery Standalone
Alerts related to File Alerts related to File HuntingQuery Standalone
New client running queries New client running queries HuntingQuery Standalone
Failed service logon attempt by user account with available AuditData Failed service logon attempt by user account with available AuditData HuntingQuery Standalone
New domain added to Whitelist New domain added to Whitelist HuntingQuery Standalone
Query looking for secrets Query looking for secrets HuntingQuery Standalone
External IP address in Command Line External IP address in Command Line HuntingQuery Standalone
Discord download invoked from cmd line (ASIM Version) Discord download invoked from cmd line (ASIM Version) HuntingQuery Standalone
Detect beacon like pattern based on repetitive time intervals in Wire Data Traffic Detect beacon like pattern based on repetitive time intervals in Wire Data Traffic HuntingQuery Standalone
Rare User Agent strings Rare User Agent strings HuntingQuery Standalone
Azure Active Directory signins from new locations Azure Active Directory signins from new locations HuntingQuery Standalone
Azure CloudShell Usage Azure CloudShell Usage HuntingQuery Standalone
Tracking Privileged Account Rare Activity Tracking Privileged Account Rare Activity HuntingQuery Standalone
GitHub OAuth App Restrictions Disabled GitHub OAuth App Restrictions Disabled HuntingQuery Standalone
Permutations on logon attempts by UserPrincipalNames indicating potential brute force Permutations on logon attempts by UserPrincipalNames indicating potential brute force HuntingQuery Standalone
Signin Logs with expanded Conditional Access Policies Signin Logs with expanded Conditional Access Policies HuntingQuery Standalone
Same IP address with multiple csUserAgent Same IP address with multiple csUserAgent HuntingQuery Standalone
Login spike with increase failure rate Login spike with increase failure rate HuntingQuery Standalone
Failed Login Attempt by Expired account Failed Login Attempt by Expired account HuntingQuery Standalone
Rare Audit activity initiated by App Rare Audit activity initiated by App HuntingQuery Standalone
New time zone observed New time zone observed HuntingQuery Standalone
Alerts On Host Alerts On Host HuntingQuery Standalone
Suspicious Data Access to S3 Bucket from Unknown IP Suspicious Data Access to S3 Bucket from Unknown IP HuntingQuery Standalone
Check critical ports opened to the entire internet Check critical ports opened to the entire internet HuntingQuery Standalone
Rare domains seen in Cloud Logs Rare domains seen in Cloud Logs HuntingQuery Standalone
Crash dump disabled on host (ASIM Version) Crash dump disabled on host (ASIM Version) HuntingQuery Standalone
Anomalous Azure Active Directory apps based on authentication location Anomalous Azure Active Directory apps based on authentication location HuntingQuery Standalone
Azure Active Directory sign-in burst from multiple locations Azure Active Directory sign-in burst from multiple locations HuntingQuery Standalone
Login attempt by Blocked MFA user Login attempt by Blocked MFA user HuntingQuery Standalone
Zoom room high CPU alerts Zoom room high CPU alerts HuntingQuery Standalone
Anomalous sign-in location by user account and authenticating application - with sign-in details Anomalous sign-in location by user account and authenticating application - with sign-in details HuntingQuery Standalone
Anomalous sign-in location by user account and authenticating application Anomalous sign-in location by user account and authenticating application HuntingQuery Standalone
Inactive or new account signins Inactive or new account signins HuntingQuery Standalone
User returning more data than daily average User returning more data than daily average HuntingQuery Standalone
New users running queries New users running queries HuntingQuery Standalone
Cross workspace query anomolies Cross workspace query anomolies HuntingQuery Standalone
Potential IIS brute force Potential IIS brute force HuntingQuery Standalone
Disabled accounts using Squid proxy Disabled accounts using Squid proxy HuntingQuery Standalone
Potential IIS code injection attempt Potential IIS code injection attempt HuntingQuery Standalone
Query data volume anomolies Query data volume anomolies HuntingQuery Standalone
New ServicePrincipal running queries New ServicePrincipal running queries HuntingQuery Standalone
User running multiple queries that fail User running multiple queries that fail HuntingQuery Standalone
Suspect Mailbox Export on IIS/OWA Suspect Mailbox Export on IIS/OWA HuntingQuery Standalone
URI requests from single client URI requests from single client HuntingQuery Standalone
Anomalous Resource Creation and related Network Activity Anomalous Resource Creation and related Network Activity HuntingQuery Standalone
Consent to Application discovery Consent to Application discovery HuntingQuery Standalone
User Granted Access and created resources User Granted Access and created resources HuntingQuery Standalone
Login attempts using Legacy Auth Login attempts using Legacy Auth HuntingQuery Standalone
Tracking Password Changes Tracking Password Changes HuntingQuery Standalone
Same User - Successful logon for a given App and failure on another App within 1m and low distribution Same User - Successful logon for a given App and failure on another App within 1m and low distribution HuntingQuery Standalone
GitHub Repo Clone - Time Series Anomly GitHub Repo Clone - Time Series Anomly HuntingQuery Standalone
Multiple large queries made by user Multiple large queries made by user HuntingQuery Standalone
Failed attempt to access Azure Portal Failed attempt to access Azure Portal HuntingQuery Standalone
Web shell file alert enrichment Web shell file alert enrichment HuntingQuery Standalone
Web shell command alert enrichment Web shell command alert enrichment HuntingQuery Standalone
User denied multiple registration events successfully registering User denied multiple registration events successfully registering HuntingQuery Standalone
Rare Audit activity initiated by User Rare Audit activity initiated by User HuntingQuery Standalone
Add IP Entity To Named Location Add IP Entity To Named Location Playbook This playbook will execute using an incident based trigger and add the IP entities to a Conditional Access Named Location Standalone
Create-AzureDevOpsTask-alert-trigger Create-AzureDevOpsTask-alert-trigger Playbook This playbook will create the Azure DevOps task filled with the Microsoft Sentinel incident details. Standalone
Create-AzureDevOpsTask-incident-trigger Create-AzureDevOpsTask-incident-trigger Playbook This playbook will create the Azure DevOps task filled with the Microsoft Sentinel incident details. Standalone
Create Zendesk ticket Create Zendesk ticket Playbook This playbook will create a Zendesk ticket when a new incident is created in Microsoft Sentinel. Standalone
Enrich multiple entities - AlienVault-OTX Enrich multiple entities - AlienVault-OTX Playbook This playbook will enrich a Sentinel Incident with pulse information from AlienVault OTX. If any pulses are found the Incident will also be tagged and the severity raised to High. Standalone
ACSC Essential 8 ACSC Essential 8 Workbook This workbook provides insights on the health state of Azure resources against requirements by the ACSC Essential 8. Standalone
Advanced Workbook Concepts Advanced Workbook Concepts Workbook Use this workbook to view and learn advanced concepts for workbooks in Azure Monitor and Microsoft Sentinel. Examples are provided in order to teach users how the concepts look, work, and are built. Standalone
ADXvsLA ADXvsLA Workbook This workbook shows the tables from Microsoft Sentinel which are backed up in ADX. It also provides a comparison between the entries in the Microsoft Sentinel tables and the ADX tables. Lastly some general information about the queries and ingestion on ADX is shown. Standalone
AMA migration tracker AMA migration tracker Workbook See what Azure and Azure Arc servers have Log Analytics agent or Azure Monitor agent installed. Review what DCR (data collection rules) apply to your machines and whether you are collecting logs from those machines into your selected workspaces. Standalone
Analytics Health & Audit Analytics Health & Audit Workbook This workbook provides visibility on the health and audit of your analytics rules. You will be able to find out whether an analytics rule is running as expected and get a list of changes made to an analytic rule. Standalone
Archiving, Basic Logs, and Retention Archiving, Basic Logs, and Retention Workbook This workbook shows workspace and table retention periods, basic logs, and search & restore tables. It also allows you to update table retention periods and plans, and to delete search or restore tables. Standalone
ASC Compliance and Protection ASC Compliance and Protection Workbook Gain insight into regulatory compliance, alert trends, security posture, and more with this workbook based on Azure Security Center data. Standalone
AWS S3 Workbook AWS S3 Workbook Workbook This workbook shows a quick summary of AWS S3 data (AWSCloudTrail, AWSGuardDuty, AWSVPCFlow). To visualize the data, make sure you configure the AWS S3 connector and that data is getting ingested into Sentinel. Standalone
Azure AD Audit, Activity and Sign-in logs Azure AD Audit, Activity and Sign-in logs Workbook Gain insights into Azure Active Directory Audit, Activity and Signins with one workbook. This workbook can be used by Security and Azure administrators. Standalone
Azure Log Coverage Azure Log Coverage Workbook This Workbook pulls the current Azure inventory via Azure Resource Graph explorer and compares it with data written to one or more selected Log Analytics workspaces to determine which resources are sending data and which ones are not. This can be used to expose gaps in your logging coverage and/or identify inactive resources. Standalone
Azure Network Watcher Azure Network Watcher Workbook Gain deeper understanding of your organization's Azure network traffic by analyzing and correlating Network Security Group flow logs. You can trace malicious traffic flows, and drill down into their protocols, source and destination IP addresses, machines, countries, and subnets. This workbook also helps you protect your network by identifying weak NSG rules. Standalone
Azure SensitiveOperations Review Workbook Azure SensitiveOperations Review Workbook Workbook Monitor Sensitive Operations in Azure Activity using the Azure Threat Research Matrix. Standalone
Cisco Firepower Cisco Firepower Workbook Gain insights into your Cisco Firepower firewalls. This workbook analyzes Cisco Firepower device logs. Standalone
Conditional Access Trends and Changes Conditional Access Trends and Changes Workbook Gain insights into Conditional Access Trends and Changes. Standalone
Data collection health monitoring Data collection health monitoring Workbook Gain insights into your workspace's data ingestion status. In this workbook, you can view additional monitors and detect anomalies that will help you determine your workspace's data collection health. Standalone
Data Collection Rule Toolkit Data Collection Rule Toolkit Workbook Use this workbook solution to create, review, and modify data collection rules for Microsoft Sentinel. This workbook provides a click-through experience that centralizes key components from Microsoft Sentinel, Azure Log Analytics, and Azure Monitor to enable users to create new DCRs, modify existing DCRs, and review all DCRs in the environment. Standalone
Data Security - Sensitive Data Impact Assessment Data Security - Sensitive Data Impact Assessment Workbook Identify sensitive data blast radius (i.e., who accessed sensitive data, what kinds of sensitive data, from where and when) in a given data security incident investigation or as part of Threat Hunting. Prioritize your investigation based on insights provided with integrations with Watchlists(VIPUsers, TerminatedEmployees and HighValueAssets), Threat Intelligence feed, UEBA baselines and much more. Standalone
Dynamics365Workbooks Dynamics365Workbooks Workbook This workbook brings together queries and visualizations to assist you in identifying potential threats in your Dynamics 365 audit data. Standalone
Eset Security Management Center Overview Eset Security Management Center Overview Workbook Visualize events and threats from Eset Security Management Center. Standalone
Exchange Compromise Hunting Exchange Compromise Hunting Workbook This workbook is intended to help defenders in responding to the Exchange Server vulnerabilities disclosed in March 2021, as well as hunting for potential compromise activity. More details on these vulnerabilities can be found at: https://aka.ms/exchangevulns Standalone
Insecure Protocols Insecure Protocols Workbook Gain insights into insecure protocol traffic by collecting and analyzing security events from Microsoft products. You can view analytics and quickly identify use of weak authentication as well as sources of legacy protocol traffic, like NTLM and SMBv1. You will also have the ability to monitor use of weak ciphers, allowing you to find weak spots in your organization's security. Standalone
Azure Defender for IoT Alerts Azure Defender for IoT Alerts Workbook Gain insights into your IoT data workloads from Azure IoT Hub managed deployments, monitor alerts across all your IoT Hub deployments, detect devices at risk and act upon potential threats. Standalone
IoT Asset Discovery IoT Asset Discovery Workbook IoT device asset discovery from firewall logs by Azure Defender for IoT. Standalone
Log4j Post Compromise Hunting Log4j Post Compromise Hunting Workbook This hunting workbook is intended to help identify activity related to the Log4j compromise discovered in December 2021. Standalone
Log Analytics Query Analysis Log Analytics Query Analysis Workbook This workbook provides an analysis on Log Analytics Query Logs. Standalone
Log Sources & Analytic Rules Coverage Log Sources & Analytic Rules Coverage Workbook This workbook is intended to show how the different tables in a Log Analytics workspace are being used by the different Microsoft Sentinel features, like analytics, hunting queries, playbooks and queries in general. Standalone
Incident Management with Microsoft Sentinel Manual Creation of Incidents Workbook Incident Management with Microsoft Sentinel Manual Creation of Incidents Workbook Workbook This workbook gives the ability for efficient incident management by enabling manual creation of Microsoft Sentinel incidents directly from within the workbook. Standalone
Microsoft 365 Security Posture Microsoft 365 Security Posture Workbook This workbook presents security posture data collected from Azure Security Center, M365 Defender, Defender for Endpoint, and Microsoft Cloud App Security. This workbook relies on the M365 Security Posture Playbook in order to bring the data in. Standalone
Microsoft Sentinel Cost (EUR) Microsoft Sentinel Cost (EUR) Workbook This workbook provides an estimated cost in EUR (€) across the main billed items in Microsoft Sentinel: ingestion, retention and automation. It also provides insight about the possible impact of the Microsoft 365 E5 offer. Standalone
Microsoft Sentinel Cost (GBP) Microsoft Sentinel Cost (GBP) Workbook This workbook provides an estimated cost in GBP (£) across the main billed items in Microsoft Sentinel: ingestion, retention and automation. It also provides insight about the possible impact of the Microsoft 365 E5 offer. Standalone
Microsoft Sentinel Deployment and Migration Tracker Microsoft Sentinel Deployment and Migration Tracker Workbook Use this workbook as a tool to define, track, and complete key deployment/migration tasks for Microsoft Sentinel. This workbook serves as a central hub for monitoring and configuring key areas of the product without having to leave the workbook and start over. Standalone
Normalized network events Normalized network events Workbook See insights on multiple networking appliances and other network sessions that have been parsed or mapped to the normalized networking sessions table. Note this requires enabling parsers for the different products - to learn more, visit https://aka.ms/sentinelnormalizationdocs Standalone
One Identity One Identity Workbook This simple workbook gives an overview of sessions going through your SafeGuard for Privileged Sessions device. Standalone
pfsense pfsense Workbook Gain insights into pfsense logs from both filterlog and nginx. Standalone
Playbooks health monitoring (preview) Playbooks health monitoring (preview) Workbook The workbook will provide you with deeper insights regarding the status, activity, and billing of each playbook. You can use the workbook's logic to monitor the general health of the playbooks. Standalone
ProofPoint Threat Dashboard ProofPoint Threat Dashboard Workbook Provides an overview of email threat activity based on log data provided by ProofPoint Standalone
Sentinel Costs Sentinel Costs Workbook A workbook to demonstrate insights into the costs of your Sentinel environment. Standalone
Sentinel Health Sentinel Health Workbook A workbook to show data for Sentinel Health. Standalone
Sentinel Workspace Recon Tools Sentinel Workspace Recon Tools Workbook A workbook providing investigation tools for key tables. Good for incident response, tuning, and cost optimization. An attempt to bring the Windows Event Viewer experience to the cloud. Standalone
SolarWinds Post Compromise Hunting SolarWinds Post Compromise Hunting Workbook This hunting workbook is intended to help identify activity related to the Solorigate compromise and subsequent attacks discovered in December 2020 Standalone
Syslog Overview Syslog Overview Workbook A workbook designed to show an overview about the data ingested through Syslog. Standalone
Sysmon Threat Hunting Sysmon Threat Hunting Workbook Simplify your threat hunts using Sysmon data mapped to MITRE ATT&CK data. This workbook gives you the ability to drill down into system activity based on known ATT&CK techniques as well as other threat hunting entry points such as user activity, network connections or virtual machine Sysmon events. Please note that for this workbook to work you must have deployed Sysmon on your virtual machines in line with the instructions at https://github.com/BlueTeamLabs/sentinel-attack/wiki/Onboarding-sysmon-data-to-Azure-Sentinel Standalone
Unifi Security Gateway - NetFlow Unifi Security Gateway - NetFlow Workbook Gain insights into Unifi Security Gateways analyzing traffic and activities using Netflow. Standalone
Unifi Security Gateway Unifi Security Gateway Workbook Gain insights into Unifi Security Gateways analyzing traffic and activities. Standalone
User And Entity Behavior Analytics User And Entity Behavior Analytics Workbook Identify compromised users and insider threats using User and Entity Behavior Analytics. Gain insights into anomalous user behavior from baselines learned from behavior patterns Standalone
User Map information User Map information Workbook This Workbook shows MaliciousIP, User SigninLog Data (this shows user Signin Locations and distance between as well as order visited) and WAF information. Standalone
VM insights VM insights Workbook Gain rich insight into your organization's virtual machines from Azure Monitor, which analyzes and correlates data in your VM network. You will get visibility on your VM parameters and behavior, and will be able to trace sent and received data. Identify malicious attackers and their targets, and drill down into the protocols, source and destination IP addresses, countries, and ports the attacks occur across. Standalone
Visualizations Demo Visualizations Demo Workbook Learn and explore the many ways of displaying information within Microsoft Sentinel workbooks Standalone
Workspace audit Workspace audit Workbook Workspace auditing report. Use this report to understand query runs across your workspace. Standalone
Workspace Usage Report Workspace Usage Report Workbook Gain insights into your workspace's usage. In this workbook, you can view your workspace's data consumption, latency, recommended tasks, and Cost and Usage statistics. Standalone
End-user consent stopped due to risk-based consent End-user consent stopped due to risk-based consent AnalyticsRule Standalone
Midnight Blizzard - Script payload stored in Registry Midnight Blizzard - Script payload stored in Registry AnalyticsRule Standalone
URL Added to Application from Unknown Domain URL Added to Application from Unknown Domain AnalyticsRule Standalone
Discord CDN Risky File Download (ASIM Web Session Schema) Discord CDN Risky File Download (ASIM Web Session Schema) AnalyticsRule Standalone
COM Event System Loading New DLL COM Event System Loading New DLL AnalyticsRule Standalone
Silk Typhoon Suspicious File Downloads. Silk Typhoon Suspicious File Downloads. AnalyticsRule Standalone
Privileged Account Permissions Changed Privileged Account Permissions Changed AnalyticsRule Standalone
Mass Export of Dynamics 365 Records to Excel Mass Export of Dynamics 365 Records to Excel AnalyticsRule Standalone
Silk Typhoon Suspicious UM Service Error Silk Typhoon Suspicious UM Service Error AnalyticsRule Standalone
Time series anomaly detection for total volume of traffic Time series anomaly detection for total volume of traffic AnalyticsRule Standalone
Azure AD Health Service Agents Registry Keys Access Azure AD Health Service Agents Registry Keys Access AnalyticsRule Standalone
Known Forest Blizzard group domains - July 2019 Known Forest Blizzard group domains - July 2019 AnalyticsRule Standalone
Failed logon attempts by valid accounts within 10 mins Failed logon attempts by valid accounts within 10 mins AnalyticsRule Standalone
A client made a web request to a potentially harmful file (ASIM Web Session schema) A client made a web request to a potentially harmful file (ASIM Web Session schema) AnalyticsRule Standalone
User login from different countries within 3 hours (Uses Authentication Normalization) User login from different countries within 3 hours (Uses Authentication Normalization) AnalyticsRule Standalone
Unusual identity creation using exchange powershell Unusual identity creation using exchange powershell AnalyticsRule Standalone
Multiple Password Reset by user Multiple Password Reset by user AnalyticsRule Standalone
Gain Code Execution on ADFS Server via Remote WMI Execution Gain Code Execution on ADFS Server via Remote WMI Execution AnalyticsRule Standalone
New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version) New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version) AnalyticsRule Standalone
Changes to PIM Settings Changes to PIM Settings AnalyticsRule Standalone
Solorigate Named Pipe Solorigate Named Pipe AnalyticsRule Standalone
Azure VM Run Command operation executed during suspicious login window Azure VM Run Command operation executed during suspicious login window AnalyticsRule Standalone
Suspicious link sharing pattern Suspicious link sharing pattern AnalyticsRule Standalone
Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt AnalyticsRule Standalone
Potential Kerberoasting Potential Kerberoasting AnalyticsRule Standalone
Cisco - firewall block but success logon to Azure AD Cisco - firewall block but success logon to Azure AD AnalyticsRule Standalone
AV detections related to Europium actors AV detections related to Europium actors AnalyticsRule Standalone
ADFS DKM Master Key Export ADFS DKM Master Key Export AnalyticsRule Standalone
High count of failed attempts from same client IP High count of failed attempts from same client IP AnalyticsRule Standalone
Service Principal Authentication Attempt from New Country Service Principal Authentication Attempt from New Country AnalyticsRule Standalone
Failed host logons but success logon to AzureAD Failed host logons but success logon to AzureAD AnalyticsRule Standalone
Detect PIM Alert Disabling activity Detect PIM Alert Disabling activity AnalyticsRule Standalone
Star Blizzard C2 Domains August 2022 Star Blizzard C2 Domains August 2022 AnalyticsRule Standalone
Suspicious linking of existing user to external User Suspicious linking of existing user to external User AnalyticsRule Standalone
Silk Typhoon Suspicious Exchange Request Silk Typhoon Suspicious Exchange Request AnalyticsRule Standalone
Conditional Access Policy Modified by New User Conditional Access Policy Modified by New User AnalyticsRule Standalone
Wazuh - Large Number of Web errors from an IP Wazuh - Large Number of Web errors from an IP AnalyticsRule Standalone
Possible Resource-Based Constrained Delegation Abuse Possible Resource-Based Constrained Delegation Abuse AnalyticsRule Standalone
Dev-0228 File Path Hashes November 2021 (ASIM Version) Dev-0228 File Path Hashes November 2021 (ASIM Version) AnalyticsRule Standalone
User Added to Admin Role User Added to Admin Role AnalyticsRule Standalone
Anomalous login followed by Teams action Anomalous login followed by Teams action AnalyticsRule Standalone
Exchange Worker Process Making Remote Call Exchange Worker Process Making Remote Call AnalyticsRule Standalone
Email access via active sync Email access via active sync AnalyticsRule Standalone
Fortinet - Beacon pattern detected Fortinet - Beacon pattern detected AnalyticsRule Standalone
Dev-0228 File Path Hashes November 2021 Dev-0228 File Path Hashes November 2021 AnalyticsRule Standalone
OMI Vulnerability Exploitation OMI Vulnerability Exploitation AnalyticsRule Standalone
User account enabled and disabled within 10 mins User account enabled and disabled within 10 mins AnalyticsRule Standalone
A host is potentially running a hacking tool (ASIM Web Session schema) A host is potentially running a hacking tool (ASIM Web Session schema) AnalyticsRule Standalone
A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema) A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema) AnalyticsRule Standalone
High count of connections by client IP on many ports High count of connections by client IP on many ports AnalyticsRule Standalone
Probable AdFind Recon Tool Usage (Normalized Process Events) Probable AdFind Recon Tool Usage (Normalized Process Events) AnalyticsRule Standalone
Rare RDP Connections Rare RDP Connections AnalyticsRule Standalone
Security Service Registry ACL Modification Security Service Registry ACL Modification AnalyticsRule Standalone
Suspicious modification of Global Administrator user properties Suspicious modification of Global Administrator user properties AnalyticsRule Standalone
Changes to Application Logout URL Changes to Application Logout URL AnalyticsRule Standalone
Possible contact with a domain generated by a DGA Possible contact with a domain generated by a DGA AnalyticsRule Standalone
User account created and deleted within 10 mins User account created and deleted within 10 mins AnalyticsRule Standalone
Vulnerable Machines related to OMIGOD CVE-2021-38647 Vulnerable Machines related to OMIGOD CVE-2021-38647 AnalyticsRule Standalone
AV detections related to Hive Ransomware AV detections related to Hive Ransomware AnalyticsRule Standalone
Azure VM Run Command operations executing a unique PowerShell script Azure VM Run Command operations executing a unique PowerShell script AnalyticsRule Standalone
AdminSDHolder Modifications AdminSDHolder Modifications AnalyticsRule Standalone
Privileged User Logon from new ASN Privileged User Logon from new ASN AnalyticsRule Standalone
Guest Users Invited to Tenant by New Inviters Guest Users Invited to Tenant by New Inviters AnalyticsRule Standalone
New Office User Agent in Dynamics 365 New Office User Agent in Dynamics 365 AnalyticsRule Standalone
User joining Zoom meeting from suspicious timezone User joining Zoom meeting from suspicious timezone AnalyticsRule Standalone
Potential Build Process Compromise Potential Build Process Compromise AnalyticsRule Standalone
AV detections related to Dev-0530 actors AV detections related to Dev-0530 actors AnalyticsRule Standalone
Mass Download & copy to USB device by single user Mass Download & copy to USB device by single user AnalyticsRule Standalone
SUNBURST suspicious SolarWinds child processes (Normalized Process Events) SUNBURST suspicious SolarWinds child processes (Normalized Process Events) AnalyticsRule Standalone
Failed AzureAD logons but success logon to AWS Console Failed AzureAD logons but success logon to AWS Console AnalyticsRule Standalone
Audit policy manipulation using auditpol utility Audit policy manipulation using auditpol utility AnalyticsRule Standalone
Application Gateway WAF - SQLi Detection Application Gateway WAF - SQLi Detection AnalyticsRule Standalone
RDP Nesting RDP Nesting AnalyticsRule Standalone
Potential Password Spray Attack (Uses Authentication Normalization) Potential Password Spray Attack (Uses Authentication Normalization) AnalyticsRule Standalone
AD account with Don't Expire Password AD account with Don't Expire Password AnalyticsRule Standalone
Windows host username encoded in base64 web request Windows host username encoded in base64 web request AnalyticsRule Standalone
Azure Diagnostic settings removed from a resource Azure Diagnostic settings removed from a resource AnalyticsRule Standalone
Multiple RDP connections from Single System Multiple RDP connections from Single System AnalyticsRule Standalone
Account added and removed from privileged groups Account added and removed from privileged groups AnalyticsRule Standalone
Service Principal Assigned Privileged Role Service Principal Assigned Privileged Role AnalyticsRule Standalone
New High Severity Vulnerability Detected Across Multiple Hosts New High Severity Vulnerability Detected Across Multiple Hosts AnalyticsRule Standalone
Service Principal Name (SPN) Assigned to User Account Service Principal Name (SPN) Assigned to User Account AnalyticsRule Standalone
High count of failed logons by a user High count of failed logons by a user AnalyticsRule Standalone
Exchange Server Suspicious File Downloads. Exchange Server Suspicious File Downloads. AnalyticsRule Standalone
A host is potentially running a crypto miner (ASIM Web Session schema) A host is potentially running a crypto miner (ASIM Web Session schema) AnalyticsRule Standalone
Trust Monitor Event Trust Monitor Event AnalyticsRule Standalone
External User Access Enabled External User Access Enabled AnalyticsRule Standalone
New Dynamics 365 User Agent New Dynamics 365 User Agent AnalyticsRule Standalone
Failed AzureAD logons but success logon to host Failed AzureAD logons but success logon to host AnalyticsRule Standalone
Failed AWS Console logons but success logon to AzureAD Failed AWS Console logons but success logon to AzureAD AnalyticsRule Standalone
Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Web Session schema) Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Web Session schema) AnalyticsRule Standalone
Dynamics 365 - User Bulk Retrieval Outside Normal Activity Dynamics 365 - User Bulk Retrieval Outside Normal Activity AnalyticsRule Standalone
Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization) Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization) AnalyticsRule Standalone
Silk Typhoon New UM Service Child Process Silk Typhoon New UM Service Child Process AnalyticsRule Standalone
Exchange SSRF Autodiscover ProxyShell - Detection Exchange SSRF Autodiscover ProxyShell - Detection AnalyticsRule Standalone
DSRM Account Abuse DSRM Account Abuse AnalyticsRule Standalone
Potential DGA detected (ASIM DNS Schema) Potential DGA detected (ASIM DNS Schema) AnalyticsRule Standalone
Account created from non-approved sources Account created from non-approved sources AnalyticsRule Standalone
AppServices AV Scan with Infected Files AppServices AV Scan with Infected Files AnalyticsRule Standalone
Europium - Hash and IP IOCs - September 2022 Europium - Hash and IP IOCs - September 2022 AnalyticsRule Standalone
Application ID URI Changed Application ID URI Changed AnalyticsRule Standalone
User State changed from Guest to Member User State changed from Guest to Member AnalyticsRule Standalone
Application Redirect URL Update Application Redirect URL Update AnalyticsRule Standalone
Excessive number of HTTP authentication failures from a source (ASIM Web Session schema) Excessive number of HTTP authentication failures from a source (ASIM Web Session schema) AnalyticsRule Standalone
Microsoft Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure Data Factory Microsoft Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure Data Factory AnalyticsRule Standalone
Malformed user agent Malformed user agent AnalyticsRule Standalone
User account added to built in domain local or global group User account added to built in domain local or global group AnalyticsRule Standalone
IP address of Windows host encoded in web request IP address of Windows host encoded in web request AnalyticsRule Standalone
Workspace deletion activity from an infected device Workspace deletion activity from an infected device AnalyticsRule Standalone
Brute force attack against user credentials (Uses Authentication Normalization) Brute force attack against user credentials (Uses Authentication Normalization) AnalyticsRule Standalone
Group created then added to built in domain local or global group Group created then added to built in domain local or global group AnalyticsRule Standalone
New user created and added to the built-in administrators group New user created and added to the built-in administrators group AnalyticsRule Standalone
Potential Fodhelper UAC Bypass (ASIM Version) Potential Fodhelper UAC Bypass (ASIM Version) AnalyticsRule Standalone
Mercury - Domain, Hash and IP IOCs - August 2022 Mercury - Domain, Hash and IP IOCs - August 2022 AnalyticsRule Standalone
Authentications of Privileged Accounts Outside of Expected Controls Authentications of Privileged Accounts Outside of Expected Controls AnalyticsRule Standalone
Dynamics Encryption Settings Changed Dynamics Encryption Settings Changed AnalyticsRule Standalone
CreepyDrive URLs CreepyDrive URLs AnalyticsRule Standalone
Missing Domain Controller Heartbeat Missing Domain Controller Heartbeat AnalyticsRule Standalone
IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN AnalyticsRule Standalone
RunningRAT request parameters RunningRAT request parameters AnalyticsRule Standalone
SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events) SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events) AnalyticsRule Standalone
Prestige ransomware IOCs Oct 2022 Prestige ransomware IOCs Oct 2022 AnalyticsRule Standalone
High Number of Urgent Vulnerabilities Detected High Number of Urgent Vulnerabilities Detected AnalyticsRule Standalone
Account Elevated to New Role Account Elevated to New Role AnalyticsRule Standalone
Fake computer account created Fake computer account created AnalyticsRule Standalone
AppServices AV Scan Failure AppServices AV Scan Failure AnalyticsRule Standalone
Excessive NXDOMAIN DNS Queries (ASIM DNS Schema) Excessive NXDOMAIN DNS Queries (ASIM DNS Schema) AnalyticsRule Standalone
Changes to Application Ownership Changes to Application Ownership AnalyticsRule Standalone
Identify Mango Sandstorm powershell commands Identify Mango Sandstorm powershell commands AnalyticsRule Standalone
AD FS Abnormal EKU object identifier attribute AD FS Abnormal EKU object identifier attribute AnalyticsRule Standalone
Unusual Anomaly Unusual Anomaly AnalyticsRule Standalone
PulseConnectSecure - CVE-2021-22893 Possible Pulse Connect Secure RCE Vulnerability Attack PulseConnectSecure - CVE-2021-22893 Possible Pulse Connect Secure RCE Vulnerability Attack AnalyticsRule Standalone
Application Gateway WAF - XSS Detection Application Gateway WAF - XSS Detection AnalyticsRule Standalone
Modification of Accessibility Features Modification of Accessibility Features AnalyticsRule Standalone
Addition of a Temporary Access Pass to a Privileged Account Addition of a Temporary Access Pass to a Privileged Account AnalyticsRule Standalone
Midnight Blizzard - suspicious rundll32.exe execution of vbscript Midnight Blizzard - suspicious rundll32.exe execution of vbscript AnalyticsRule Standalone
Dev-0530 File Extension Rename Dev-0530 File Extension Rename AnalyticsRule Standalone
User account created without expected attributes defined User account created without expected attributes defined AnalyticsRule Standalone
Service Principal Assigned App Role With Sensitive Access Service Principal Assigned App Role With Sensitive Access AnalyticsRule Standalone
Suspicious Login from deleted guest account Suspicious Login from deleted guest account AnalyticsRule Standalone
New Dynamics 365 Admin Activity New Dynamics 365 Admin Activity AnalyticsRule Standalone
Zoom E2E Encryption Disabled Zoom E2E Encryption Disabled AnalyticsRule Standalone
Solorigate Defender Detections Solorigate Defender Detections AnalyticsRule Standalone
COM Registry Key Modified to Point to File in Color Profile Folder COM Registry Key Modified to Point to File in Color Profile Folder AnalyticsRule Standalone
CreepyDrive request URL sequence CreepyDrive request URL sequence AnalyticsRule Standalone
User Account Created Using Incorrect Naming Format User Account Created Using Incorrect Naming Format AnalyticsRule Standalone
Authentication Attempt from New Country Authentication Attempt from New Country AnalyticsRule Standalone
Time series anomaly for data size transferred to public internet Time series anomaly for data size transferred to public internet AnalyticsRule Standalone
PE file dropped in Color Profile Folder PE file dropped in Color Profile Folder AnalyticsRule Standalone
Anomolous Single Factor Signin Anomolous Single Factor Signin AnalyticsRule Standalone
Users searching for VIP user activity Users searching for VIP user activity AnalyticsRule Standalone
Azure AD Health Monitoring Agent Registry Keys Access Azure AD Health Monitoring Agent Registry Keys Access AnalyticsRule Standalone
Anomalous User Agent connection attempt Anomalous User Agent connection attempt AnalyticsRule Standalone
Authentication Method Changed for Privileged Account Authentication Method Changed for Privileged Account AnalyticsRule Standalone
RareDNSLookupWithDataTransfer RareDNSLookupWithDataTransfer HuntingQuery Standalone
User Login IP Address Teleportation User Login IP Address Teleportation HuntingQuery Standalone
Alerts related to IP Alerts related to IP HuntingQuery Standalone
User Granted Access and associated audit activity User Granted Access and associated audit activity HuntingQuery Standalone
S3 Bucket outbound Data transfer anomaly S3 Bucket outbound Data transfer anomaly HuntingQuery Standalone
Alerts related to File Alerts related to File HuntingQuery Standalone
New client running queries New client running queries HuntingQuery Standalone
Failed service logon attempt by user account with available AuditData Failed service logon attempt by user account with available AuditData HuntingQuery Standalone
New domain added to Whitelist New domain added to Whitelist HuntingQuery Standalone
Query looking for secrets Query looking for secrets HuntingQuery Standalone
External IP address in Command Line External IP address in Command Line HuntingQuery Standalone
Discord download invoked from cmd line (ASIM Version) Discord download invoked from cmd line (ASIM Version) HuntingQuery Standalone
Detect beacon like pattern based on repetitive time intervals in Wire Data Traffic Detect beacon like pattern based on repetitive time intervals in Wire Data Traffic HuntingQuery Standalone
Rare User Agent strings Rare User Agent strings HuntingQuery Standalone
Azure Active Directory signins from new locations Azure Active Directory signins from new locations HuntingQuery Standalone
Azure CloudShell Usage Azure CloudShell Usage HuntingQuery Standalone
Tracking Privileged Account Rare Activity Tracking Privileged Account Rare Activity HuntingQuery Standalone
GitHub OAuth App Restrictions Disabled GitHub OAuth App Restrictions Disabled HuntingQuery Standalone
Permutations on logon attempts by UserPrincipalNames indicating potential brute force Permutations on logon attempts by UserPrincipalNames indicating potential brute force HuntingQuery Standalone
Signin Logs with expanded Conditional Access Policies Signin Logs with expanded Conditional Access Policies HuntingQuery Standalone
Same IP address with multiple csUserAgent Same IP address with multiple csUserAgent HuntingQuery Standalone
Login spike with increase failure rate Login spike with increase failure rate HuntingQuery Standalone
Failed Login Attempt by Expired account Failed Login Attempt by Expired account HuntingQuery Standalone
Rare Audit activity initiated by App Rare Audit activity initiated by App HuntingQuery Standalone
New time zone observed New time zone observed HuntingQuery Standalone
Alerts On Host Alerts On Host HuntingQuery Standalone
Suspicious Data Access to S3 Bucket from Unknown IP Suspicious Data Access to S3 Bucket from Unknown IP HuntingQuery Standalone
Check critical ports opened to the entire internet Check critical ports opened to the entire internet HuntingQuery Standalone
Rare domains seen in Cloud Logs Rare domains seen in Cloud Logs HuntingQuery Standalone
Crash dump disabled on host (ASIM Version) Crash dump disabled on host (ASIM Version) HuntingQuery Standalone
Anomalous Azure Active Directory apps based on authentication location Anomalous Azure Active Directory apps based on authentication location HuntingQuery Standalone
Azure Active Directory sign-in burst from multiple locations Azure Active Directory sign-in burst from multiple locations HuntingQuery Standalone
Login attempt by Blocked MFA user Login attempt by Blocked MFA user HuntingQuery Standalone
Zoom room high CPU alerts Zoom room high CPU alerts HuntingQuery Standalone
Anomalous sign-in location by user account and authenticating application - with sign-in details Anomalous sign-in location by user account and authenticating application - with sign-in details HuntingQuery Standalone
Anomalous sign-in location by user account and authenticating application Anomalous sign-in location by user account and authenticating application HuntingQuery Standalone
Inactive or new account signins Inactive or new account signins HuntingQuery Standalone
User returning more data than daily average User returning more data than daily average HuntingQuery Standalone
New users running queries New users running queries HuntingQuery Standalone
Cross workspace query anomolies Cross workspace query anomolies HuntingQuery Standalone
Potential IIS brute force Potential IIS brute force HuntingQuery Standalone
Disabled accounts using Squid proxy Disabled accounts using Squid proxy HuntingQuery Standalone
Potential IIS code injection attempt Potential IIS code injection attempt HuntingQuery Standalone
Query data volume anomolies Query data volume anomolies HuntingQuery Standalone
New ServicePrincipal running queries New ServicePrincipal running queries HuntingQuery Standalone
User running multiple queries that fail User running multiple queries that fail HuntingQuery Standalone
Suspect Mailbox Export on IIS/OWA Suspect Mailbox Export on IIS/OWA HuntingQuery Standalone
URI requests from single client URI requests from single client HuntingQuery Standalone
Anomalous Resource Creation and related Network Activity Anomalous Resource Creation and related Network Activity HuntingQuery Standalone
Consent to Application discovery Consent to Application discovery HuntingQuery Standalone
User Granted Access and created resources User Granted Access and created resources HuntingQuery Standalone
Login attempts using Legacy Auth Login attempts using Legacy Auth HuntingQuery Standalone
Tracking Password Changes Tracking Password Changes HuntingQuery Standalone
Same User - Successful logon for a given App and failure on another App within 1m and low distribution Same User - Successful logon for a given App and failure on another App within 1m and low distribution HuntingQuery Standalone
GitHub Repo Clone - Time Series Anomly GitHub Repo Clone - Time Series Anomly HuntingQuery Standalone
Multiple large queries made by user Multiple large queries made by user HuntingQuery Standalone
Failed attempt to access Azure Portal Failed attempt to access Azure Portal HuntingQuery Standalone
Web shell file alert enrichment Web shell file alert enrichment HuntingQuery Standalone
Web shell command alert enrichment Web shell command alert enrichment HuntingQuery Standalone
User denied multiple registration events successfully registering User denied multiple registration events successfully registering HuntingQuery Standalone
Rare Audit activity initiated by User Rare Audit activity initiated by User HuntingQuery Standalone
Add IP Entity To Named Location Add IP Entity To Named Location Playbook This playbook will execute using an incident based trigger and add the IP entities to a Conditional Access Named Location Standalone
Create-AzureDevOpsTask-alert-trigger Create-AzureDevOpsTask-alert-trigger Playbook This playbook will create the Azure DevOps task filled with the Microsoft Sentinel incident details. Standalone
Create-AzureDevOpsTask-incident-trigger Create-AzureDevOpsTask-incident-trigger Playbook This playbook will create the Azure DevOps task filled with the Microsoft Sentinel incident details. Standalone
Create Zendesk ticket Create Zendesk ticket Playbook This playbook will create a Zendesk ticket when a new incident is created in Microsoft Sentinel. Standalone
Enrich multiple entities - AlienVault-OTX Enrich multiple entities - AlienVault-OTX Playbook This playbook will enrich a Sentinel Incident with pulse information from AlienVault OTX. If any pulses are found the Incident will also be tagged and the severity raised to High. Standalone
ACSC Essential 8 ACSC Essential 8 Workbook This workbook provides insights on the health state of Azure resources against requirements by the ACSC Essential 8. Standalone
Advanced Workbook Concepts Advanced Workbook Concepts Workbook Use this workbook to view and learn advanced concepts for workbooks in Azure Monitor and Microsoft Sentinel. Examples are provided in order to teach users how the concepts look, work, and are built. Standalone
ADXvsLA ADXvsLA Workbook This workbook shows the tables from Microsoft Sentinel which are backed up in ADX. It also provides a comparison between the entries in the Microsoft Sentinel tables and the ADX tables. Lastly some general information about the queries and ingestion on ADX is shown. Standalone
AMA migration tracker AMA migration tracker Workbook See what Azure and Azure Arc servers have Log Analytics agent or Azure Monitor agent installed. Review what DCR (data collection rules) apply to your machines and whether you are collecting logs from those machines into your selected workspaces. Standalone
Analytics Health & Audit Analytics Health & Audit Workbook This workbook provides visibility on the health and audit of your analytics rules. You will be able to find out whether an analytics rule is running as expected and get a list of changes made to an analytic rule. Standalone
Archiving, Basic Logs, and Retention Archiving, Basic Logs, and Retention Workbook This workbooks shows workspace and table retention periods, basic logs, and search & restore tables. It also allows you to update table retention periods, plans, and delete search or restore tables. Standalone
ASC Compliance and Protection ASC Compliance and Protection Workbook Gain insight into regulatory compliance, alert trends, security posture, and more with this workbook based on Azure Security Center data. Standalone
AWS S3 Workbook AWS S3 Workbook Workbook This workbook shows a quick summary of AWS S3 data (AWSCloudTrail, AWSGuardDuty, AWSVPCFlow). To visualize the data, make sure you configure the AWS S3 connector and that data is getting ingested into Sentinel. Standalone
Azure AD Audit, Activity and Sign-in logs Azure AD Audit, Activity and Sign-in logs Workbook Gain insights into Azure Active Directory Audit, Activity and Signins with one workbook. This workbook can be used by Security and Azure administrators. Standalone
Azure Log Coverage Azure Log Coverage Workbook This Workbook pulls the current Azure inventory via Azure Resource Graph explorer and compares it with data written to one or more selected Log Analytics workspaces to determine which resources are sending data and which ones are not. This can be used to expose gaps in your logging coverage and/or identify inactive resources. Standalone
Azure Network Watcher Azure Network Watcher Workbook Gain deeper understanding of your organization's Azure network traffic by analyzing, and correlating Network Security Group flow logs. You can trace malicious traffic flows, and drill down into their protocols, source and destination IP addresses, machines, countries, and subnets. This workbook also helps you protect your network by identifying weak NSG rules. Standalone
Azure SensitiveOperations Review Workbook Azure SensitiveOperations Review Workbook Workbook Monitor Sensitive Operations in Azure Activity using the Azure Threat Research Matrix Standalone
Cisco Firepower Cisco Firepower Workbook Gain insights into your Cisco Firepower firewalls. This workbook analyzes Cisco Firepower device logs. Standalone
Conditional Access Trends and Changes Conditional Access Trends and Changes Workbook Gain insights into Conditional Access Trends and Changes. Standalone
Data collection health monitoring Data collection health monitoring Workbook Gain insights into your workspace's data ingestion status. In this workbook, you can view additional monitors and detect anomalies that will help you determine your workspace's data collection health. Standalone
Data Collection Rule Toolkit Data Collection Rule Toolkit Workbook Use this workbook solution to create, review, and modify data collection rules for Microsoft Sentinel. This workbook provides a click-through experience that centralizes key components from Microsoft Sentinel, Azure Log Analytics, and Azure Monitor to enable users to create new DCRs, modify existing DCRs, and review all DCRs in the environment. Standalone
Data Security - Sensitive Data Impact Assessment Data Security - Sensitive Data Impact Assessment Workbook Identify sensitive data blast radius (i.e., who accessed sensitive data, what kinds of sensitive data, from where and when) in a given data security incident investigation or as part of Threat Hunting. Prioritize your investigation based on insights provided with integrations with Watchlists(VIPUsers, TerminatedEmployees and HighValueAssets), Threat Intelligence feed, UEBA baselines and much more. Standalone
Dynamics365Workbooks Dynamics365Workbooks Workbook This workbook brings together queries and visualizations to assist you in identifying potential threats in your Dynamics 365 audit data. Standalone
Eset Security Management Center Overview Eset Security Management Center Overview Workbook Visualize events and threats from Eset Security Management Center. Standalone
Exchange Compromise Hunting Exchange Compromise Hunting Workbook This workbook is intended to help defenders in responding to the Exchange Server vulnerabilities disclosed in March 2021, as well as hunting for potential compromise activity. More details on these vulnerabilities can be found at: https://aka.ms/exchangevulns Standalone
Insecure Protocols Insecure Protocols Workbook Gain insights into insecure protocol traffic by collecting and analyzing security events from Microsoft products. You can view analytics and quickly identify use of weak authentication as well as sources of legacy protocol traffic, like NTLM and SMBv1. You will also have the ability to monitor use of weak ciphers, allowing you to find weak spots in your organization's security. Standalone
Azure Defender for IoT Alerts Azure Defender for IoT Alerts Workbook Gain insights into your IoT data workloads from Azure IoT Hub managed deployments, monitor alerts across all your IoT Hub deployments, detect devices at risk and act upon potential threats. Standalone
IoT Asset Discovery IoT Asset Discovery Workbook IoT device asset discovery from firewall logs by Azure Defender for IoT Standalone
Log4j Post Compromise Hunting Log4j Post Compromise Hunting Workbook This hunting workbook is intended to help identify activity related to the Log4j compromise discovered in December 2021. Standalone
Log Analytics Query Analysis Log Analytics Query Analysis Workbook This workbook provides an analysis on Log Analytics Query Logs. Standalone
Log Sources & Analytic Rules Coverage Log Sources & Analytic Rules Coverage Workbook This workbook is intended to show how the different tables in a Log Analytics workspace are being used by the different Microsoft Sentinel features, like analytics, hunting queries, playbooks and queries in general. Standalone
Incident Management with Microsoft Sentinel Manual Creation of Incidents Workbook Incident Management with Microsoft Sentinel Manual Creation of Incidents Workbook Workbook This workbook gives the ability for efficient incident management by enabling manual creation of Microsoft Sentinel incidents directly from within the workbook. Standalone
Microsoft 365 Security Posture Microsoft 365 Security Posture Workbook This workbook presents security posture data collected from Azure Security Center, M365 Defender, Defender for Endpoint, and Microsoft Cloud App Security. This workbook relies on the M365 Security Posture Playbook in order to bring the data in. Standalone
Microsoft Sentinel Cost (EUR) Microsoft Sentinel Cost (EUR) Workbook This workbook provides an estimated cost in EUR (€) across the main billed items in Microsoft Sentinel: ingestion, retention and automation. It also provides insight about the possible impact of the Microsoft 365 E5 offer. Standalone
Microsoft Sentinel Cost (GBP) Microsoft Sentinel Cost (GBP) Workbook This workbook provides an estimated cost in GBP (£) across the main billed items in Microsoft Sentinel: ingestion, retention and automation. It also provides insight about the possible impact of the Microsoft 365 E5 offer. Standalone
Microsoft Sentinel Deployment and Migration Tracker Microsoft Sentinel Deployment and Migration Tracker Workbook Use this workbook as a tool to define, track, and complete key deployment/migration tasks for Microsoft Sentinel. This workbook serves as a central hub for monitoring and configuring key areas of the product without having to leave the workbook and start over. Standalone
Normalized network events Normalized network events Workbook See insights on multiple networking appliances and other network sessions that have been parsed or mapped to the normalized network session table. Note that this requires enabling parsers for the different products; to learn more, visit https://aka.ms/sentinelnormalizationdocs Standalone
One Identity One Identity Workbook This simple workbook gives an overview of sessions going through your SafeGuard for Privileged Sessions device. Standalone
pfsense pfsense Workbook Gain insights into pfsense logs from both filterlog and nginx. Standalone
Playbooks health monitoring (preview) Playbooks health monitoring (preview) Workbook The workbook will provide you with deeper insights regarding the status, activity, and billing of each playbook. You can use the workbook's logic to monitor the general health of the playbooks. Standalone
ProofPoint Threat Dashboard ProofPoint Threat Dashboard Workbook Provides an overview of email threat activity based on log data provided by ProofPoint Standalone
Sentinel Costs Sentinel Costs Workbook A workbook to demonstrate insights into the costs of a Sentinel environment. Standalone
Sentinel Health Sentinel Health Workbook A workbook to show data for Sentinel Health. Standalone
Sentinel Workspace Recon Tools Sentinel Workspace Recon Tools Workbook A workbook providing investigation tools for key tables. Good for incident response, tuning, and cost optimization. An attempt to bring the Windows Event Viewer experience to the cloud. Standalone
SolarWinds Post Compromise Hunting SolarWinds Post Compromise Hunting Workbook This hunting workbook is intended to help identify activity related to the Solorigate compromise and subsequent attacks discovered in December 2020 Standalone
Syslog Overview Syslog Overview Workbook A workbook designed to show an overview about the data ingested through Syslog. Standalone
Sysmon Threat Hunting Sysmon Threat Hunting Workbook Simplify your threat hunts using Sysmon data mapped to MITRE ATT&CK data. This workbook gives you the ability to drilldown into system activity based on known ATT&CK techniques as well as other threat hunting entry points such as user activity, network connections or virtual machine Sysmon events. Please note that for this workbook to work you must have deployed Sysmon on your virtual machines in line with the instructions at https://github.com/BlueTeamLabs/sentinel-attack/wiki/Onboarding-sysmon-data-to-Azure-Sentinel Standalone
Unifi Security Gateway - NetFlow Unifi Security Gateway - NetFlow Workbook Gain insights into Unifi Security Gateways analyzing traffic and activities using Netflow. Standalone
Unifi Security Gateway Unifi Security Gateway Workbook Gain insights into Unifi Security Gateways analyzing traffic and activities. Standalone
User And Entity Behavior Analytics User And Entity Behavior Analytics Workbook Identify compromised users and insider threats using User and Entity Behavior Analytics. Gain insights into anomalous user behavior from baselines learned from behavior patterns Standalone
User Map information User Map information Workbook This Workbook shows MaliciousIP, User SigninLog Data (this shows user Signin Locations and distance between as well as order visited) and WAF information. Standalone
VM insights VM insights Workbook Gain rich insight into your organization's virtual machines from Azure Monitor, which analyzes and correlates data in your VM network. You will get visibility on your VM parameters and behavior, and will be able to trace sent and received data. Identify malicious attackers and their targets, and drill down into the protocols, source and destination IP addresses, countries, and ports the attacks occur across. Standalone
Visualizations Demo Visualizations Demo Workbook Learn and explore the many ways of displaying information within Microsoft Sentinel workbooks Standalone
Workspace audit Workspace audit Workbook Workspace auditing report Use this report to understand query runs across your workspace. Standalone
Workspace Usage Report Workspace Usage Report Workbook Gain insights into your workspace's usage. In this workbook, you can view your workspace's data consumption, latency, recommended tasks and Cost and Usage statistics. Standalone