Merge pull request #45 from Azure/optimize-event-collection

Optimize event collection
Nick Price 2022-02-07 14:18:48 +11:00 коммит произвёл GitHub
Родитель f9de3acd33 6156c6a7a0
Коммит b13996864c
Идентификатор ключа GPG: 4AEE18F83AFDEB23
14 изменённых файлов: 1569 добавлений и 180 удалений


@ -6,7 +6,11 @@
"type": "string",
"metadata": {
"description": "The region that log analytics is deployed to."
}
},
"allowedValues": [
"australiaeast",
"australiasoutheast"
]
},
"workspaceResourceId": {
"type": "string",
@ -132,167 +136,6 @@
},
"kind": "ChangeTrackingDefaultRegistry"
},
{
"apiVersion": "2020-08-01",
"type": "Microsoft.OperationalInsights/workspaces/dataSources",
"name": "[concat(variables('workspaceName'),'/','DataSource_WindowsEvent_',guid('Microsoft-Windows-NTLM/Operational'))]",
"properties": {
"eventLogName": "Microsoft-Windows-NTLM/Operational",
"eventTypes": [
{
"eventType": "Error"
},
{
"eventType": "Warning"
},
{
"eventType": "Information"
}
]
},
"kind": "WindowsEvent"
},
{
"apiVersion": "2020-08-01",
"type": "Microsoft.OperationalInsights/workspaces/dataSources",
"name": "[concat(variables('workspaceName'),'/','DataSource_WindowsEvent_',guid('Microsoft-Windows-CodeIntegrity/Operational'))]",
"properties": {
"eventLogName": "Microsoft-Windows-CodeIntegrity/Operational",
"eventTypes": [
{
"eventType": "Error"
},
{
"eventType": "Warning"
},
{
"eventType": "Information"
}
]
},
"kind": "WindowsEvent"
},
{
"apiVersion": "2020-08-01",
"type": "Microsoft.OperationalInsights/workspaces/dataSources",
"name": "[concat(variables('workspaceName'),'/','DataSource_WindowsEvent_',guid('Microsoft-Windows-AppLocker/MSI and Script'))]",
"properties": {
"eventLogName": "Microsoft-Windows-AppLocker/MSI and Script",
"eventTypes": [
{
"eventType": "Error"
},
{
"eventType": "Warning"
},
{
"eventType": "Information"
}
]
},
"kind": "WindowsEvent"
},
{
"apiVersion": "2020-08-01",
"type": "Microsoft.OperationalInsights/workspaces/dataSources",
"name": "[concat(variables('workspaceName'),'/','DataSource_WindowsEvent_',guid('Microsoft-Windows-Security-Mitigations/KernelMode'))]",
"properties": {
"eventLogName": "Microsoft-Windows-Security-Mitigations/KernelMode",
"eventTypes": [
{
"eventType": "Error"
},
{
"eventType": "Warning"
},
{
"eventType": "Information"
}
]
},
"kind": "WindowsEvent"
},
{
"apiVersion": "2020-08-01",
"type": "Microsoft.OperationalInsights/workspaces/dataSources",
"name": "[concat(variables('workspaceName'),'/','DataSource_WindowsEvent_',guid('Microsoft-Windows-Windows Defender/Operational'))]",
"properties": {
"eventLogName": "Microsoft-Windows-Windows Defender/Operational",
"eventTypes": [
{
"eventType": "Error"
},
{
"eventType": "Warning"
},
{
"eventType": "Information"
}
]
},
"kind": "WindowsEvent"
},
{
"apiVersion": "2020-08-01",
"type": "Microsoft.OperationalInsights/workspaces/dataSources",
"name": "[concat(variables('workspaceName'),'/','DataSource_WindowsEvent_',guid('Microsoft-Windows-Security-Mitigations/UserMode'))]",
"properties": {
"eventLogName": "Microsoft-Windows-Security-Mitigations/UserMode",
"eventTypes": [
{
"eventType": "Error"
},
{
"eventType": "Warning"
},
{
"eventType": "Information"
}
]
},
"kind": "WindowsEvent"
},
{
"apiVersion": "2020-08-01",
"type": "Microsoft.OperationalInsights/workspaces/dataSources",
"name": "[concat(variables('workspaceName'),'/','DataSource_WindowsEvent_',guid('Microsoft-Windows-Win32k/Operational'))]",
"properties": {
"eventLogName": "Microsoft-Windows-Win32k/Operational",
"eventTypes": [
{
"eventType": "Error"
},
{
"eventType": "Warning"
},
{
"eventType": "Information"
}
]
},
"kind": "WindowsEvent"
},
{
"apiVersion": "2020-08-01",
"type": "Microsoft.OperationalInsights/workspaces/dataSources",
"name": "[concat(variables('workspaceName'),'/','DataSource_WindowsEvent_',guid('Microsoft-Windows-Windows Defender/WHC'))]",
"properties": {
"eventLogName": "Microsoft-Windows-Windows Defender/WHC",
"eventTypes": [
{
"eventType": "Error"
},
{
"eventType": "Warning"
},
{
"eventType": "Information"
}
]
},
"kind": "WindowsEvent"
},
{
//Set Log Analytics workspace to collect all security events
"apiVersion": "2020-08-01",
@ -300,9 +143,351 @@
"name": "[concat(variables('workspaceName'),'/SecurityEventCollectionConfiguration')]",
"kind": "SecurityEventCollectionConfiguration",
"properties": {
"tier": "All",
"tier": "Recommended",
"tierSetMethod": "Custom"
}
},
{
"apiVersion": "2021-04-01",
"type": "Microsoft.Insights/dataCollectionRules",
"name": "DCR-AccountLockoutEvents",
"kind": "Windows",
"location": "[parameters('workspaceRegion')]",
"properties": {
"dataSources": {
"windowsEventLogs": [
{
"streams": [
"Microsoft-Event"
],
"xPathQueries": [
"Security!*[System[((EventID=4625))]]", //Failed logins
"Security!*[System[((EventID=4740))]]" //Lockout
],
"name": "AccountLockoutEvents"
}
]
},
"destinations": {
"logAnalytics": [
{
"workspaceResourceId": "[parameters('workspaceResourceId')]",
"name": "[variables('workspaceName')]"
}
]
},
"dataFlows": [
{
"streams": [
"Microsoft-Event"
],
"destinations": [
"[variables('workspaceName')]"
]
}
]
}
},
{
"apiVersion": "2021-04-01",
"type": "Microsoft.Insights/dataCollectionRules",
"name": "DCR-ASREvents",
"kind": "Windows",
"location": "[parameters('workspaceRegion')]",
"properties": {
"dataSources": {
"windowsEventLogs": [
{
"streams": [
"Microsoft-Event"
],
"xPathQueries": [
"Microsoft-Windows-Windows Defender/Operational!*[System[((EventID >= 1121 and EventID <= 1122))]]",
"Microsoft-Windows-Windows Defender/WHC!*[System[((EventID >= 1121 and EventID <= 1122))]]"
],
"name": "ASREvents"
}
]
},
"destinations": {
"logAnalytics": [
{
"workspaceResourceId": "[parameters('workspaceResourceId')]",
"name": "[variables('workspaceName')]"
}
]
},
"dataFlows": [
{
"streams": [
"Microsoft-Event"
],
"destinations": [
"[variables('workspaceName')]"
]
}
]
}
},
{
"apiVersion": "2021-04-01",
"type": "Microsoft.Insights/dataCollectionRules",
"name": "DCR-NTLMEvents",
"kind": "Windows",
"location": "[parameters('workspaceRegion')]",
"properties": {
"dataSources": {
"windowsEventLogs": [
{
"streams": [
"Microsoft-Event"
],
"xPathQueries": [
"Microsoft-Windows-NTLM/Operational!*[System[((EventID >= 8001 and EventID <= 8004))]]"
],
"name": "NTLMEvents"
}
]
},
"destinations": {
"logAnalytics": [
{
"workspaceResourceId": "[parameters('workspaceResourceId')]",
"name": "[variables('workspaceName')]"
}
]
},
"dataFlows": [
{
"streams": [
"Microsoft-Event"
],
"destinations": [
"[variables('workspaceName')]"
]
}
]
}
},
{
"apiVersion": "2021-04-01",
"type": "Microsoft.Insights/dataCollectionRules",
"name": "DCR-ExploitProtectionEvents",
"kind": "Windows",
"location": "[parameters('workspaceRegion')]",
"properties": {
"dataSources": {
"windowsEventLogs": [
{
"streams": [
"Microsoft-Event"
],
"xPathQueries": [
"Microsoft-Windows-Security-Mitigations/KernelMode!*[System[((EventID >= 1 and EventID <= 24))]]",
"Microsoft-Windows-Security-Mitigations/UserMode!*[System[((EventID >= 1 and EventID <= 24))]]",
"Microsoft-Windows-Win32k/Operational!*[System[((EventID=260))]]",
"System!*[System[Provider[@Name='Microsoft-Windows-WER-Diag'] and (EventID=5)]]"
],
"name": "ExploitProtectionEvents"
}
]
},
"destinations": {
"logAnalytics": [
{
"workspaceResourceId": "[parameters('workspaceResourceId')]",
"name": "[variables('workspaceName')]"
}
]
},
"dataFlows": [
{
"streams": [
"Microsoft-Event"
],
"destinations": [
"[variables('workspaceName')]"
]
}
]
}
},
{
"apiVersion": "2021-04-01",
"type": "Microsoft.Insights/dataCollectionRules",
"name": "DCR-IPsecEvents",
"kind": "Windows",
"location": "[parameters('workspaceRegion')]",
"properties": {
"dataSources": {
"windowsEventLogs": [
{
"streams": [
"Microsoft-Event"
],
"xPathQueries": [
"Security!*[System[((EventID >= 4650 and EventID <= 4651))]]", //Main mode security associations
"Security!*[System[((EventID=5451))]]" //Quick mode security associations
],
"name": "IPsecEvents"
}
]
},
"destinations": {
"logAnalytics": [
{
"workspaceResourceId": "[parameters('workspaceResourceId')]",
"name": "[variables('workspaceName')]"
}
]
},
"dataFlows": [
{
"streams": [
"Microsoft-Event"
],
"destinations": [
"[variables('workspaceName')]"
]
}
]
}
},
{
"apiVersion": "2021-04-01",
"type": "Microsoft.Insights/dataCollectionRules",
"name": "DCR-NetworkProtectionEvents",
"kind": "Windows",
"location": "[parameters('workspaceRegion')]",
"properties": {
"dataSources": {
"windowsEventLogs": [
{
"streams": [
"Microsoft-Event"
],
"xPathQueries": [
"Microsoft-Windows-Windows Defender/Operational!*[System[((EventID >= 1125 and EventID <= 1126))]]",
"Microsoft-Windows-Windows Defender/WHC!*[System[((EventID >= 1125 and EventID <= 1126))]]"
],
"name": "NetworkProtectionEvents"
}
]
},
"destinations": {
"logAnalytics": [
{
"workspaceResourceId": "[parameters('workspaceResourceId')]",
"name": "[variables('workspaceName')]"
}
]
},
"dataFlows": [
{
"streams": [
"Microsoft-Event"
],
"destinations": [
"[variables('workspaceName')]"
]
}
]
}
},
{
"apiVersion": "2021-04-01",
"type": "Microsoft.Insights/dataCollectionRules",
"name": "DCR-SChannelEvents",
"kind": "Windows",
"location": "[parameters('workspaceRegion')]",
"properties": {
"dataSources": {
"windowsEventLogs": [
{
"streams": [
"Microsoft-Event"
],
"xPathQueries": [
"System!*[System[((EventID=36880))]]"
],
"name": "SChannelEvents"
}
]
},
"destinations": {
"logAnalytics": [
{
"workspaceResourceId": "[parameters('workspaceResourceId')]",
"name": "[variables('workspaceName')]"
}
]
},
"dataFlows": [
{
"streams": [
"Microsoft-Event"
],
"destinations": [
"[variables('workspaceName')]"
]
}
]
}
},
{
"apiVersion": "2021-04-01",
"type": "Microsoft.Insights/dataCollectionRules",
"name": "DCR-WDACEvents",
"kind": "Windows",
"location": "[parameters('workspaceRegion')]",
"properties": {
"dataSources": {
"windowsEventLogs": [
{
"streams": [
"Microsoft-Event"
],
"xPathQueries": [
"Microsoft-Windows-CodeIntegrity/Operational!*[System[((EventID=3077 or EventID=3092 or EventID=3099))]]"
],
"name": "WDACEvents"
}
]
},
"destinations": {
"logAnalytics": [
{
"workspaceResourceId": "[parameters('workspaceResourceId')]",
"name": "[variables('workspaceName')]"
}
]
},
"dataFlows": [
{
"streams": [
"Microsoft-Event"
],
"destinations": [
"[variables('workspaceName')]"
]
}
]
}
}
]
],
"outputs": {
"dataCollectionRuleResourceIds":{
"type": "object",
"value": {
"DCR-AccountLockoutEvents": "[resourceId('Microsoft.Insights/dataCollectionRules','DCR-AccountLockoutEvents')]",
"DCR-ASREvents": "[resourceId('Microsoft.Insights/dataCollectionRules','DCR-ASREvents')]",
"DCR-NTLMEvents": "[resourceId('Microsoft.Insights/dataCollectionRules','DCR-NTLMEvents')]",
"DCR-ExploitProtectionEvents": "[resourceId('Microsoft.Insights/dataCollectionRules','DCR-ExploitProtectionEvents')]",
"DCR-IPsecEvents": "[resourceId('Microsoft.Insights/dataCollectionRules','DCR-IPsecEvents')]",
"DCR-NetworkProtectionEvents": "[resourceId('Microsoft.Insights/dataCollectionRules','DCR-NetworkProtectionEvents')]",
"DCR-SChannelEvents": "[resourceId('Microsoft.Insights/dataCollectionRules','DCR-SChannelEvents')]",
"DCR-WDACEvents": "[resourceId('Microsoft.Insights/dataCollectionRules','DCR-WDACEvents')]"
}
}
}
}
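Review bot: Collection of the Microsoft-Windows-AppLocker/MSI and Script channel is lost in this rewrite: the legacy dataSource for it is among the removed `"kind": "WindowsEvent"` entries, but none of the new data collection rules re-adds it, and DCR-WDACEvents' `"xPathQueries"` only covers Microsoft-Windows-CodeIntegrity/Operational (3077/3092/3099). The ISM mapping updated in this same PR still states that relevant AppLocker/MSI and Script events are collected, and the script-engine blocks relied on for ISM 1491 would no longer reach the workspace. If the omission is deliberate the mapping text should say so; otherwise add a query next to the CodeIntegrity one such as `"Microsoft-Windows-AppLocker/MSI and Script!*[System[((EventID=8007))]]" //Script or MSI blocked`. The switch from `"tier": "All"` to `"tier": "Recommended"` also deserves a one-line comment stating that the Security-log events now needed (4625/4740, 4650/4651, 5451) are presumably expected to come via the DCRs above rather than the legacy tier, so a later reader does not re-widen the tier. The resources array these entries belong to starts outside the hunk.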


@ -7,6 +7,18 @@
"metadata": {
"description": "The scope at which policies, relating to the cloud SOE, will be assigned."
}
},
"windowsImageIds": {
"type": "array",
"metadata":{
"description": "The set of resource IDs for the Windows images that will be considered in scope for policies that apply to built VMs."
}
},
"dataCollectionRuleEventResourceIds": {
"type": "object",
"metadata":{
"description": "An object that lists the resource IDs for the Azure Monitor data collection rules."
}
}
},
"variables": {
@ -306,6 +318,174 @@
"ISM-1412-2"
],
"parameters": {}
},
{
"assignmentName": "enable-dcr-association-account-lockout-events",
"displayName": "Windows VMs should associate with the data collection rule: DCR-AccountLockoutEvents",
"definition": {
"builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c",
"roleDefinitionIds": [
"749f88d5-cbae-40b8-bcfc-e573ddc772fa",
"b24988ac-6180-42a0-ab88-20f7382dd24c" //Contributor
]
},
"parameters": {
"listOfWindowsImageIdToInclude": {
"value": "[parameters('windowsImageIds')]"
},
"DcrResourceId": {
"value": "[parameters('dataCollectionRuleEventResourceIds')['DCR-AccountLockoutEvents']]"
}
}
},
{
"assignmentName": "enable-dcr-association-asr-events",
"displayName": "Windows VMs should associate with the data collection rule: DCR-ASREvents",
"definition": {
"builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c",
"roleDefinitionIds": [
"749f88d5-cbae-40b8-bcfc-e573ddc772fa",
"b24988ac-6180-42a0-ab88-20f7382dd24c" //Contributor
]
},
"parameters": {
"listOfWindowsImageIdToInclude": {
"value": "[parameters('windowsImageIds')]"
},
"DcrResourceId": {
"value": "[parameters('dataCollectionRuleEventResourceIds')['DCR-ASREvents']]"
}
}
},
{
"assignmentName": "enable-dcr-association-ntlm-events",
"displayName": "Windows VMs should associate with the data collection rule: DCR-NTLMEvents",
"definition": {
"builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c",
"roleDefinitionIds": [
"749f88d5-cbae-40b8-bcfc-e573ddc772fa",
"b24988ac-6180-42a0-ab88-20f7382dd24c" //Contributor
]
},
"parameters": {
"listOfWindowsImageIdToInclude": {
"value": "[parameters('windowsImageIds')]"
},
"DcrResourceId": {
"value": "[parameters('dataCollectionRuleEventResourceIds')['DCR-NTLMEvents']]"
}
}
},
{
"assignmentName": "enable-dcr-association-exploit-protection-events",
"displayName": "Windows VMs should associate with the data collection rule: DCR-ExploitProtectionEvents",
"definition": {
"builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c",
"roleDefinitionIds": [
"749f88d5-cbae-40b8-bcfc-e573ddc772fa",
"b24988ac-6180-42a0-ab88-20f7382dd24c" //Contributor
]
},
"parameters": {
"listOfWindowsImageIdToInclude": {
"value": "[parameters('windowsImageIds')]"
},
"DcrResourceId": {
"value": "[parameters('dataCollectionRuleEventResourceIds')['DCR-ExploitProtectionEvents']]"
}
}
},
{
"assignmentName": "enable-dcr-association-ipsec-events",
"displayName": "Windows VMs should associate with the data collection rule: DCR-IPsecEvents",
"definition": {
"builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c",
"roleDefinitionIds": [
"749f88d5-cbae-40b8-bcfc-e573ddc772fa",
"b24988ac-6180-42a0-ab88-20f7382dd24c" //Contributor
]
},
"parameters": {
"listOfWindowsImageIdToInclude": {
"value": "[parameters('windowsImageIds')]"
},
"DcrResourceId": {
"value": "[parameters('dataCollectionRuleEventResourceIds')['DCR-IPsecEvents']]"
}
}
},
{
"assignmentName": "enable-dcr-association-network-protection-events",
"displayName": "Windows VMs should associate with the data collection rule: DCR-NetworkProtectionEvents",
"definition": {
"builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c",
"roleDefinitionIds": [
"749f88d5-cbae-40b8-bcfc-e573ddc772fa",
"b24988ac-6180-42a0-ab88-20f7382dd24c" //Contributor
]
},
"parameters": {
"listOfWindowsImageIdToInclude": {
"value": "[parameters('windowsImageIds')]"
},
"DcrResourceId": {
"value": "[parameters('dataCollectionRuleEventResourceIds')['DCR-NetworkProtectionEvents']]"
}
}
},
{
"assignmentName": "enable-dcr-association-schannel-events",
"displayName": "Windows VMs should associate with the data collection rule: DCR-SChannelEvents",
"definition": {
"builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c",
"roleDefinitionIds": [
"749f88d5-cbae-40b8-bcfc-e573ddc772fa",
"b24988ac-6180-42a0-ab88-20f7382dd24c" //Contributor
]
},
"parameters": {
"listOfWindowsImageIdToInclude": {
"value": "[parameters('windowsImageIds')]"
},
"DcrResourceId": {
"value": "[parameters('dataCollectionRuleEventResourceIds')['DCR-SChannelEvents']]"
}
}
},
{
"assignmentName": "enable-dcr-association-wdac-events",
"displayName": "Windows VMs should associate with the data collection rule: DCR-WDACEvents",
"definition": {
"builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c",
"roleDefinitionIds": [
"749f88d5-cbae-40b8-bcfc-e573ddc772fa",
"b24988ac-6180-42a0-ab88-20f7382dd24c" //Contributor
]
},
"parameters": {
"listOfWindowsImageIdToInclude": {
"value": "[parameters('windowsImageIds')]"
},
"DcrResourceId": {
"value": "[parameters('dataCollectionRuleEventResourceIds')['DCR-WDACEvents']]"
}
}
},
{
"assignmentName": "enable-azure-monitor-agent-windows",
"displayName": "Configure Windows virtual machines to run Azure Monitor Agent",
"definition": {
"builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ca817e41-e85a-4783-bc7f-dc532d36235e",
"roleDefinitionIds": [
"9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
"b24988ac-6180-42a0-ab88-20f7382dd24c" //Contributor
]
},
"parameters": {
"listOfWindowsImageIdToInclude": {
"value": "[parameters('windowsImageIds')]"
}
}
}
]
},
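Review bot: Each of the eight new DCR-association assignments, and the enable-azure-monitor-agent-windows assignment after them, grants the remediation identity Contributor (`b24988ac-6180-42a0-ab88-20f7382dd24c`) under `"roleDefinitionIds"` on top of the first, narrower role; creating a data collection rule association does not obviously require subscription-wide Contributor, so unless the built-in definition's declared roles call for it this exceeds least privilege for a policy-managed identity. Consider dropping the Contributor entry, or, if the built-in definition does require it, replace the bare `//Contributor` with a comment stating why (e.g. `//Contributor: required by the built-in remediation definition — confirm against its roleDefinitionIds`). The eight blocks differ only in the DCR name and slug, so a lookup array feeding a `copy` loop would remove the repetition, though that depends on how the enclosing assignments array (which begins outside the hunk) is consumed.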



@ -24,7 +24,11 @@
"type": "string",
"metadata": {
"description": "The region that log analytics is deployed to."
}
},
"allowedValues": [
"australiaeast",
"australiasoutheast"
]
},
"automationAccountResourceId": {
"type": "string",
@ -76,6 +80,16 @@
"autoProvision": "On"
}
},
{
//Set the subscriptions log workspace
"name": "default",
"type": "Microsoft.Security/workspaceSettings",
"apiVersion": "2017-08-01-preview",
"properties": {
"workspaceId": "[parameters('workspaceResourceId')]",
"scope": "[parameters('policyScopeId')]"
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-05-01",
@ -171,7 +185,8 @@
"location": "australiaeast",
"dependsOn": [
"CloudSOEImageDeployment",
"CloudSOEAutomanageAccountDeployment"
"CloudSOEAutomanageAccountDeployment",
"CloudSOELaSolutionDeployment"
],
"properties": {
"mode": "Incremental",
@ -182,6 +197,12 @@
"parameters": {
"policyScopeId": {
"value": "[parameters('policyScopeId')]"
},
"windowsImageIds": {
"value": "[reference('CloudSOEImageDeployment').outputs.windowsImageIds.value]"
},
"dataCollectionRuleEventResourceIds": {
"value": "[reference('CloudSOELaSolutionDeployment').outputs.dataCollectionRuleResourceIds.value]"
}
}
}
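Review bot: The `"scope"` of the new Microsoft.Security/workspaceSettings resource is bound to policyScopeId, yet nothing records that this resource is subscription-scoped; the parameter is described elsewhere in this PR only as "the scope at which policies … will be assigned", so if it is ever given a management-group or resource-group ID the deployment will fail (the README example uses a subscription ID, so it works today). Make the coupling explicit by replacing `//Set the subscriptions log workspace` with `//Defender for Cloud default workspace for this subscription; scope must be a subscription ID (currently the same value as policyScopeId)`. The resource also uses a preview apiVersion (2017-08-01-preview) while its neighbours use GA versions, which is worth tracking as a follow-up. The surrounding resources array continues outside the hunk.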


@ -279,7 +279,7 @@ Create a hashtable `$params` to hold your deployment parameters:
$params = @{policyScopeId="/subscriptions/<subscriptionId>";
workspaceId="<workspaceId>";
workspaceResourceId="/subscriptions/<subscriptionId>/resourcegroups/<resourceGroupName>/providers/microsoft.operationalinsights/workspaces/<workspaceName>";
workspaceRegion="Australia East";
workspaceRegion="australiaeast";
automationAccountResourceId="/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.Automation/automationAccounts/<automationAccountName>";
updateManagementScope=@("/subscriptions/<subscriptionId>")}
```
@ -306,7 +306,7 @@ This is the resourceId attribute of the Log Analytics workspace which will be us
Input: `workspaceRegion`
This is the Azure region of the Log Analytics workspace which will be used by the project to enable solutions and collect logs and other data sources.
This is the Azure region of the Log Analytics workspace which will be used by the project to enable solutions and collect logs and other data sources. This should be specified in short form. (I.e. "australiaeast")
---


@ -13,14 +13,14 @@ Identifier | Description | Measures
1408 | When developing a Microsoft Windows SOE, the 64-bit version of the operating system is used. | Windows - All<br>Source images used by Azure Image Builder are all 64-bit.
1409 | ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems. | Windows - Server 2016<br>1. Windows Server 2016 SCT baseline settings partially implemented in Azure Image Builder customisation<br>2. Windows Server 2016 SCT baseline settings partially implemented in Guest Configuration policy (audit only)<br><br>Windows - Server 2019<br>1. Windows Server 2019 SCT baseline settings partially implemented in Azure Image Builder customisation<br>2. Windows Server 2019 SCT baseline settings partially implemented in Guest Configuration policy (audit only)<br><br>Windows - Server 2022<br>1. Windows Server 2022 SCT baseline settings partially implemented in Azure Image Builder customisation<br>2. Windows Server 2022 SCT baseline settings partially implemented in Guest Configuration policy (audit only)
1491 | Standard users are prevented from running script execution engines in Microsoft Windows, including:<br>• Windows Script Host (cscript.exe and wscript.exe)<br>• PowerShell (powershell.exe, powershell_ise.exe and pwsh.exe)<br>• Command Prompt (cmd.exe)<br>• Windows Management Instrumentation (wmic.exe) <br>• Microsoft HTML Application Host (mshta.exe). | Windows - All: <br>Azure Image Builder customisation includes AppLocker configuration to block these script execution engines for standard users
0843 | Application control is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set. | Windows - All: <br>1. Azure Image Builder customisation includes enablement of WDAC in Audit mode. Microsoft published user and kernel-mode block lists were used as base rule set. Intelligent Security Graph option is enabled.<br>2. Enable Azure Monitor Logs collection of Microsoft-Windows-CodeIntegrity/Operational and Microsoft-Windows-AppLocker/MSI and Script logs.<br>3. Surface WDAC block events in Azure Monitor Workbooks
1490 | Application control is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set. | Windows - All: <br>1. Azure Image Builder customisation includes enablement of WDAC in Audit mode. Microsoft published user and kernel-mode block lists were used as base rule set. Intelligent Security Graph option is enabled.<br>2. Enable Azure Monitor Logs collection of Microsoft-Windows-CodeIntegrity/Operational and Microsoft-Windows-AppLocker/MSI and Script logs.<br>3. Surface WDAC block events in Azure Monitor Workbooks
0955 | Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules. | Windows - All: <br>1. Azure Image Builder customisation includes enablement of WDAC in Audit mode. Microsoft published user and kernel-mode block lists were used as base rule set. Intelligent Security Graph option is enabled.<br>2. Enable Azure Monitor Logs collection of Microsoft-Windows-CodeIntegrity/Operational and Microsoft-Windows-AppLocker/MSI and Script logs.<br>3. Surface WDAC block events in Azure Monitor Workbooks
1471 | When implementing application control using publisher certificate rules, both publisher names and product names are used. | Windows - All: <br>1. Azure Image Builder customisation includes enablement of WDAC in Audit mode. Microsoft published user and kernel-mode block lists were used as base rule set. Intelligent Security Graph option is enabled.<br>2. Enable Azure Monitor Logs collection of Microsoft-Windows-CodeIntegrity/Operational and Microsoft-Windows-AppLocker/MSI and Script logs.<br>3. Surface WDAC block events in Azure Monitor Workbooks
1392 | When implementing application control using path rules, file system permissions are configured to prevent unauthorised modification of folder and file permissions, folder contents (including adding new files) and individual files that are approved to execute. | Windows - All: <br>1. Azure Image Builder customisation includes enablement of WDAC in Audit mode. Microsoft published user and kernel-mode block lists were used as base rule set. Intelligent Security Graph option is enabled.<br>2. Enable Azure Monitor Logs collection of Microsoft-Windows-CodeIntegrity/Operational and Microsoft-Windows-AppLocker/MSI and Script logs.<br>3. Surface WDAC block events in Azure Monitor Workbooks
1544 | Microsofts latest recommended block rules are implemented to prevent application control bypasses. | Windows - All: <br>1. Azure Image Builder customisation includes enablement of WDAC in Audit mode. Microsoft published user and kernel-mode block lists were used as base rule set. Intelligent Security Graph option is enabled.<br>2. Enable Azure Monitor Logs collection of Microsoft-Windows-CodeIntegrity/Operational and Microsoft-Windows-AppLocker/MSI and Script logs.<br>3. Surface WDAC block events in Azure Monitor Workbooks
0846 | All users (with the exception of privileged users when performing specific administrative activities) cannot disable, bypass or be exempted from application control. | Windows - All: <br>1. Azure Image Builder customisation includes enablement of WDAC in Audit mode. Microsoft published user and kernel-mode block lists were used as base rule set. Intelligent Security Graph option is enabled.<br>2. Enable Azure Monitor Logs collection of Microsoft-Windows-CodeIntegrity/Operational and Microsoft-Windows-AppLocker/MSI and Script logs.<br>3. Surface WDAC block events in Azure Monitor Workbooks
0957 | Application control is configured to generate event logs for failed execution attempts, including information such as the name of the blocked file, the date/time stamp and the username of the user attempting to execute the file. | Windows - All: <br>1. Azure Image Builder customisation includes enablement of WDAC in Audit mode. Microsoft published user and kernel-mode block lists were used as base rule set. Intelligent Security Graph option is enabled.<br>2. Enable Azure Monitor Logs collection of Microsoft-Windows-CodeIntegrity/Operational and Microsoft-Windows-AppLocker/MSI and Script logs.<br>3. Surface WDAC block events in Azure Monitor Workbooks
0843 | Application control is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set. | Windows - All: <br>1. Azure Image Builder customisation includes enablement of WDAC in Audit mode. Microsoft published user and kernel-mode block lists were used as base rule set. Intelligent Security Graph option is enabled.<br>2. Enable Azure Monitor Logs collection of relevant events from Microsoft-Windows-CodeIntegrity/Operational and Microsoft-Windows-AppLocker/MSI and Script logs.<br>3. Surface WDAC block events in Azure Monitor Workbooks
1490 | Application control is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set. | Windows - All: <br>1. Azure Image Builder customisation includes enablement of WDAC in Audit mode. Microsoft published user and kernel-mode block lists were used as base rule set. Intelligent Security Graph option is enabled.<br>2. Enable Azure Monitor Logs collection of relevant events from Microsoft-Windows-CodeIntegrity/Operational and Microsoft-Windows-AppLocker/MSI and Script logs.<br>3. Surface WDAC block events in Azure Monitor Workbooks
0955 | Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules. | Windows - All: <br>1. Azure Image Builder customisation includes enablement of WDAC in Audit mode. Microsoft published user and kernel-mode block lists were used as base rule set. Intelligent Security Graph option is enabled.<br>2. Enable Azure Monitor Logs collection of relevant events from Microsoft-Windows-CodeIntegrity/Operational and Microsoft-Windows-AppLocker/MSI and Script logs.<br>3. Surface WDAC block events in Azure Monitor Workbooks
1471 | When implementing application control using publisher certificate rules, both publisher names and product names are used. | Windows - All: <br>1. Azure Image Builder customisation includes enablement of WDAC in Audit mode. Microsoft published user and kernel-mode block lists were used as base rule set. Intelligent Security Graph option is enabled.<br>2. Enable Azure Monitor Logs collection of relevant events from Microsoft-Windows-CodeIntegrity/Operational and Microsoft-Windows-AppLocker/MSI and Script logs.<br>3. Surface WDAC block events in Azure Monitor Workbooks
1392 | When implementing application control using path rules, file system permissions are configured to prevent unauthorised modification of folder and file permissions, folder contents (including adding new files) and individual files that are approved to execute. | Windows - All: <br>1. Azure Image Builder customisation includes enablement of WDAC in Audit mode. Microsoft published user and kernel-mode block lists were used as base rule set. Intelligent Security Graph option is enabled.<br>2. Enable Azure Monitor Logs collection of relevant events from Microsoft-Windows-CodeIntegrity/Operational and Microsoft-Windows-AppLocker/MSI and Script logs.<br>3. Surface WDAC block events in Azure Monitor Workbooks
1544 | Microsofts latest recommended block rules are implemented to prevent application control bypasses. | Windows - All: <br>1. Azure Image Builder customisation includes enablement of WDAC in Audit mode. Microsoft published user and kernel-mode block lists were used as base rule set. Intelligent Security Graph option is enabled.<br>2. Enable Azure Monitor Logs collection of relevant events from Microsoft-Windows-CodeIntegrity/Operational and Microsoft-Windows-AppLocker/MSI and Script logs.<br>3. Surface WDAC block events in Azure Monitor Workbooks
0846 | All users (with the exception of privileged users when performing specific administrative activities) cannot disable, bypass or be exempted from application control. | Windows - All: <br>1. Azure Image Builder customisation includes enablement of WDAC in Audit mode. Microsoft published user and kernel-mode block lists were used as base rule set. Intelligent Security Graph option is enabled.<br>2. Enable Azure Monitor Logs collection of relevant events from Microsoft-Windows-CodeIntegrity/Operational and Microsoft-Windows-AppLocker/MSI and Script logs.<br>3. Surface WDAC block events in Azure Monitor Workbooks
0957 | Application control is configured to generate event logs for failed execution attempts, including information such as the name of the blocked file, the date/time stamp and the username of the user attempting to execute the file. | Windows - All: <br>1. Azure Image Builder customisation includes enablement of WDAC in Audit mode. Microsoft published user and kernel-mode block lists were used as base rule set. Intelligent Security Graph option is enabled.<br>2. Enable Azure Monitor Logs collection of relevant events from Microsoft-Windows-CodeIntegrity/Operational and Microsoft-Windows-AppLocker/MSI and Script logs.<br>3. Surface WDAC block events in Azure Monitor Workbooks
1414 | If supported, the latest version of Microsofts EMET is implemented on workstations and servers and configured with both operating system mitigation measures and application-specific mitigation measures. | Windows All<br>Azure Image Builder customisation enables Exploit Protection with sample rule set.
1492 | If supported, Microsoft's exploit protection functionality is implemented on workstations and servers. | Windows All<br>Azure Image Builder customisation enables Exploit Protection with sample rule set.
1621 | PowerShell 2.0 and below is removed from operating systems. | Windows Server<br>Implements Guest Configuration policy to validate PowerShell 2 is not installed (audit only)<br><br>Note: This functionality currently does not work due to upstream bug.<br>
@ -36,7 +36,7 @@ Identifier | Description | Measures
1601 | If supported, Microsofts Attack Surface Reduction rules are implemented. | Windows Server 2022 & Windows Server 2019<br>All Microsoft ASR rules are enabled in in Azure Image Builder customisation.<br>
0421 | Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words. | All Windows<br>1. Azure Image Builder customisation sets minimum password length to 14<br>2. A Guest Configuration policy validates that the minimum password length has been configured to 14 characters (audit only)
1403 | Accounts are locked out after a maximum of five failed logon attempts. | Windows All<br>Use Azure Image Builder to set account lockout threshold value.
0431 | Repeated account lockouts are investigated before reauthorising access. | Windows All<br>1. Use Azure Image Builder to enable Windows advanced audit logging, and enable advanced audit subcategories User Account Management (success) and Logon (failure).<br>2. Set Azure Monitor Logs to collect all Security event logs.<br>3. Surface failed logins and account lockout events in Azure Monitor Workbooks
0431 | Repeated account lockouts are investigated before reauthorising access. | Windows All<br>1. Use Azure Image Builder to enable Windows advanced audit logging, and enable advanced audit subcategories User Account Management (success) and Logon (failure).<br>2. Set Azure Monitor Logs to collect common Security event logs.<br>3. Surface failed logins and account lockout events in Azure Monitor Workbooks
1055 | LAN Manager and NT LAN Manager authentication methods are disabled. | All Windows<br>1. Azure Image Builder customisation enables NTLM audit logging. <br>2. A Guest Configuration policy is assigned that verifies NTLM audit logging is enabled (audit only)<br><br>Windows Server 2016<br>A subset of the Windows Server 2016 SCT baseline is configured by Azure Image Builder customisation. As part of that configuration LmCompatibilityLevel is set to 5. (Send NTLMv2 responses only. Refuse LM & NTLM)<br><br>Windows Server 2019<br>A subset of the Windows Server 2019 SCT baseline is configured by Azure Image Builder customisation. As part of that configuration LmCompatibilityLevel is set to 5. (Send NTLMv2 responses only. Refuse LM & NTLM)<br><br>Windows Server 2022<br>A subset of the Windows Server 2022 SCT baseline is configured by Azure Image Builder customisation. As part of that configuration LmCompatibilityLevel is set to 5. (Send NTLMv2 responses only. Refuse LM & NTLM)
0428 | Systems are configured with a session or screen lock that:<br>• activates after a maximum of 15 minutes of user inactivity or if manually activated by the user<br>• completely conceals all information on the screen<br>• ensures that the screen does not enter a power saving state before the screen or session lock is activated<br>• requires the user to reauthenticate to unlock the system<br>• denies users the ability to disable the session or screen locking mechanism. | Windows All<br>1. Azure Image Builder customisation sets an RDP timeout value.<br>2. Guest Configuration Policy validates (audit only) that RDP timeout value is configured.
0408 | Systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted. | Windows All<br>1. Azure Image Builder customisation sets a logon banner via static registry entry.<br>2. Azure Guest Configuration policy (audit only) validates a specific logon banner is used.
@ -50,8 +50,8 @@ Identifier | Description | Measures
0304 | Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions. | Windows All<br>Azure Monitor Workbook surfaces a summary report of install count of software by title and version.
1501 | Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions. | Windows All<br>Azure Monitor Workbook surfaces a summary report of all VM instances and the OS version they use.
1405 | A centralised logging facility is implemented and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs. | Deployed virtual machines send logs to Azure Monitor Logs workspace.
0584 | For any system requiring authentication, logon, failed logon and logoff events are logged. | Windows All<br>1. Azure Image Builder customisation enables advanced audit logging with Logon subcategory.<br>2. Azure Monitor Logs is configured to collect all security logs.
0582 | The following events are logged for operating systems:<br>• access to important data and processes<br>• application crashes and any error messages<br>• attempts to use special privileges<br>• changes to accounts<br>• changes to security policy<br>• changes to system configurations<br>• Domain Name System (DNS) and Hypertext Transfer Protocol requests<br>• failed attempts to access data and system resources<br>• service failures and restarts<br>• system startup and shutdown<br>• transfer of data to and from external media<br>• user or group management<br>• use of special privileges. | Windows All<br>Azure Monitor Logs is configured to collect all security logs.
0584 | For any system requiring authentication, logon, failed logon and logoff events are logged. | Windows All<br>1. Azure Image Builder customisation enables advanced audit logging with Logon subcategory.<br>2. Azure Monitor Logs is configured to collect common security logs.
0582 | The following events are logged for operating systems:<br>• access to important data and processes<br>• application crashes and any error messages<br>• attempts to use special privileges<br>• changes to accounts<br>• changes to security policy<br>• changes to system configurations<br>• Domain Name System (DNS) and Hypertext Transfer Protocol requests<br>• failed attempts to access data and system resources<br>• service failures and restarts<br>• system startup and shutdown<br>• transfer of data to and from external media<br>• user or group management<br>• use of special privileges. | Windows All<br>Azure Defender is configured to collect Common security logs.<br><br>_Note: Setting Azure Defender to "Common" may not all Events IDs necessary to identify the events described in the guideline. Consider Azure Defender event collection setting and adding additional Azure Monitor Data Collection Rules as necessary._
0521 | IPv6 functionality is disabled in dual-stack network devices and ICT equipment unless it is being used. | Windows All<br>Azure Monitor Workbook surfaces all Windows systems which are attached to IPv4-only virtual networks, but do not have IPv6 disabled.
1428 | Unless explicitly required, IPv6 tunnelling is disabled on all network devices and ICT equipment. | Windows All<br>1. Azure Monitor Logs Change Tracking solution is enabled. Change tracking is enabled for HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters. Azure Monitor Workbook surfaces Windows systems without IPv6 tunnel protocols disabled.
1311 | SNMP version 1 and 2 are not used on networks. | Windows All<br>Azure Image Builder customisation disables the snmptrap service.


@ -0,0 +1,23 @@
//KQL query to detect IPsec MM HMAC algorithm (Event table)
Event
| where EventID == 4650 or EventID == 4651
| extend ed = parse_xml(EventData).DataItem.EventData.Data
| mv-apply ed on
(
where ed['@Name'] == 'MMIntegrityAlg'
| project MMIntegrityAlg = ed['#text']
)
| extend ed = parse_xml(EventData).DataItem.EventData.Data
| mv-apply ed on
(
where ed['@Name'] == 'LocalAddress'
| project LocalAddress = ed['#text']
)
| extend ed = parse_xml(EventData).DataItem.EventData.Data
| mv-apply ed on
(
where ed['@Name'] == 'RemoteAddress'
| project RemoteAddress = ed['#text']
)
| where MMIntegrityAlg != "%%8242" and MMIntegrityAlg != "%%8243"
| project TimeGenerated, Computer, LocalAddress, RemoteAddress, MMIntegrityAlg
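Review bot: The `extend ed = parse_xml(EventData)...` / `mv-apply` pair is repeated three times (L873, L879, L885), so every event is XML-parsed and expanded three times only to pull out three attributes; the same shape recurs in each of the six following query files. Parsing once and collecting the wanted `@Name`/`#text` pairs in a single `mv-apply` with `make_bag` gives the same columns at a third of the parsing cost, assuming `make_bag` is available in the target workspace. One difference to be aware of: the original drops an event that lacks any of the three attributes (each `mv-apply` yields zero rows for it), whereas the bag form keeps it with empty strings, so a `where isnotempty(...)` may be wanted if that drop was intentional.
```kql
| where EventID == 4650 or EventID == 4651
| extend ed = parse_xml(EventData).DataItem.EventData.Data
| mv-apply ed on
(
    where tostring(ed['@Name']) in ('MMIntegrityAlg', 'LocalAddress', 'RemoteAddress')
    | summarize fields = make_bag(pack(tostring(ed['@Name']), ed['#text']))
)
| extend MMIntegrityAlg = tostring(fields.MMIntegrityAlg),
         LocalAddress = tostring(fields.LocalAddress),
         RemoteAddress = tostring(fields.RemoteAddress)
// … unchanged: MMIntegrityAlg filter and final project …
```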


@ -0,0 +1,23 @@
//KQL query to detect IPsec DH Groups with low modulus (Event table)
Event
| where EventID == 4650 or EventID == 4651
| extend ed = parse_xml(EventData).DataItem.EventData.Data
| mv-apply ed on
(
where ed['@Name'] == 'DHGroup'
| project DHGroup = ed['#text']
)
| extend ed = parse_xml(EventData).DataItem.EventData.Data
| mv-apply ed on
(
where ed['@Name'] == 'LocalAddress'
| project LocalAddress = ed['#text']
)
| extend ed = parse_xml(EventData).DataItem.EventData.Data
| mv-apply ed on
(
where ed['@Name'] == 'RemoteAddress'
| project RemoteAddress = ed['#text']
)
| where DHGroup != "%%8232" and DHGroup != "%%8248" and DHGroup != "%%8233" and DHGroup != "%%8234"
| project TimeGenerated, Computer, LocalAddress, RemoteAddress, DHGroup
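Review bot: The allow-list on L918 (`%%8232`, `%%8248`, `%%8233`, `%%8234`) is a set of un-rendered Windows message-table identifiers with no comment saying which Diffie-Hellman groups they stand for, so a reader cannot check that the "low modulus" boundary is the intended one or update it when a new group is added. The same applies to `%%8242`/`%%8243` in the MM integrity query and `%%16403` in the transport-mode query. A one-line comment above the filter, e.g. `// Accepted DHGroup values from the 4650/4651 message table: %%8232, %%8233, %%8234, %%8248 = <group names here>; anything else is treated as low modulus`, with the placeholder replaced by the names taken from the event's message table, would make the threshold reviewable.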


@ -0,0 +1,23 @@
//KQL query to detect IPsec MM SAs with long lifetime (Event table)
Event
| where EventID == 4650 or EventID == 4651
| extend ed = parse_xml(EventData).DataItem.EventData.Data
| mv-apply ed on
(
where ed['@Name'] == 'MMLifetime'
| project LifetimeSeconds = (ed['#text'] * 60)
)
| extend ed = parse_xml(EventData).DataItem.EventData.Data
| mv-apply ed on
(
where ed['@Name'] == 'LocalAddress'
| project LocalAddress = ed['#text']
)
| extend ed = parse_xml(EventData).DataItem.EventData.Data
| mv-apply ed on
(
where ed['@Name'] == 'RemoteAddress'
| project RemoteAddress = ed['#text']
)
| where LifetimeSeconds >= 14400
| project TimeGenerated, Computer, LocalAddress, RemoteAddress, LifetimeSeconds
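Review bot: `ed['#text'] * 60` on L931 multiplies a `dynamic` value that `parse_xml` most likely delivers as a string; without an explicit conversion the result may be null rather than a number, in which case `where LifetimeSeconds >= 14400` matches nothing and the query silently reports no long-lived SAs. I would make the conversion explicit and record the unit assumption the `* 60` implies: `| project LifetimeSeconds = tolong(ed['#text']) * 60  // MMLifetime is reported in minutes — confirm against a sample 4650 event`. The QM lifetime query has the same gap (`LifetimeSeconds = ed['#text']` compared with `> 14400`), where `tolong(ed['#text'])` is the analogous fix.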


@ -0,0 +1,23 @@
//KQL query to detect IPsec SAs without ESP (Event table)
Event
| where EventID == 5451
| extend ed = parse_xml(EventData).DataItem.EventData.Data
| mv-apply ed on
(
where ed['@Name'] == 'EspAuthType'
| project ESPAuthType = ed['#text']
)
| extend ed = parse_xml(EventData).DataItem.EventData.Data
| mv-apply ed on
(
where ed['@Name'] == 'LocalAddress'
| project LocalAddress = ed['#text']
)
| extend ed = parse_xml(EventData).DataItem.EventData.Data
| mv-apply ed on
(
where ed['@Name'] == 'RemoteAddress'
| project RemoteAddress = ed['#text']
)
| where ESPAuthType == "-"
| project TimeGenerated, Computer, LocalAddress, RemoteAddress
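Review bot: The header comment says "SAs without ESP" but the only condition is `ESPAuthType == "-"` on L972, and nothing on the page explains what the `-` sentinel means in a 5451 event (ESP absent, AH-only SA, or ESP negotiated without an integrity algorithm), so the detection's meaning is ambiguous to the next maintainer. A comment above the filter that pins the interpretation, e.g. `// EspAuthType is "-" when the QM SA carries no ESP integrity algorithm — confirm against a sample 5451 event`, would remove the guesswork. Keeping `ESPAuthType` in the final `project` would also let a reader see the raw value that triggered the row.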


@ -0,0 +1,23 @@
//KQL query to detect IPsec SAs without IKE (Event table)
Event
| where EventID == 5451
| extend ed = parse_xml(EventData).DataItem.EventData.Data
| mv-apply ed on
(
where ed['@Name'] == 'KeyingModuleName'
| project KeyingModuleName = ed['#text']
)
| extend ed = parse_xml(EventData).DataItem.EventData.Data
| mv-apply ed on
(
where ed['@Name'] == 'LocalAddress'
| project LocalAddress = ed['#text']
)
| extend ed = parse_xml(EventData).DataItem.EventData.Data
| mv-apply ed on
(
where ed['@Name'] == 'RemoteAddress'
| project RemoteAddress = ed['#text']
)
| where KeyingModuleName !startswith "IKE"
| project TimeGenerated, Computer, LocalAddress, RemoteAddress, KeyingModuleName
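Review bot: `KeyingModuleName !startswith "IKE"` on L999 will flag any keying module whose name does not begin with "IKE"; if the AuthIP keying module is reported under its own name in 5451 events, AuthIP-negotiated SAs would be listed as "without IKE", which may not be what the header intends. Whether that is deliberate should be stated, e.g. `// Flags SAs not negotiated by IKEv1/IKEv2; AuthIP SAs are also reported — confirm whether that is intended`, or the filter narrowed with an explicit list of accepted module names. Note that `startswith` is case-insensitive in KQL, so the casing of "IKE" is not a concern.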


@ -0,0 +1,23 @@
//KQL query to detect IPsec QM SAs with long lifetime (Event table)
Event
| where EventID == 5451
| extend ed = parse_xml(EventData).DataItem.EventData.Data
| mv-apply ed on
(
where ed['@Name'] == 'LifetimeSeconds'
| project LifetimeSeconds = ed['#text']
)
| extend ed = parse_xml(EventData).DataItem.EventData.Data
| mv-apply ed on
(
where ed['@Name'] == 'LocalAddress'
| project LocalAddress = ed['#text']
)
| extend ed = parse_xml(EventData).DataItem.EventData.Data
| mv-apply ed on
(
where ed['@Name'] == 'RemoteAddress'
| project RemoteAddress = ed['#text']
)
| where LifetimeSeconds > 14400
| project TimeGenerated, Computer, LocalAddress, RemoteAddress, LifetimeSeconds
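Review bot: The threshold on L1026 is `> 14400` while the MM lifetime query uses `>= 14400` against the same constant, so an SA with a lifetime of exactly four hours is reported by one query and not the other; the two should use the same operator unless the guideline genuinely differs for main-mode and quick-mode SAs. In either case the constant deserves a comment naming its source, e.g. `| where LifetimeSeconds > 14400  // <guideline reference>: maximum QM SA lifetime of 4 hours`, with the placeholder filled from the control this query supports. The value is also compared without a numeric conversion, which is covered in the note on the MM lifetime query.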


@ -0,0 +1,23 @@
//KQL query to detect IPsec Transport mode (Event table)
Event
| where EventID == 5451
| extend ed = parse_xml(EventData).DataItem.EventData.Data
| mv-apply ed on
(
where ed['@Name'] == 'Mode'
| project Mode = ed['#text']
)
| extend ed = parse_xml(EventData).DataItem.EventData.Data
| mv-apply ed on
(
where ed['@Name'] == 'LocalAddress'
| project LocalAddress = ed['#text']
)
| extend ed = parse_xml(EventData).DataItem.EventData.Data
| mv-apply ed on
(
where ed['@Name'] == 'RemoteAddress'
| project RemoteAddress = ed['#text']
)
| where Mode == "%%16403"
| project TimeGenerated, Computer, LocalAddress, RemoteAddress, Mode="Transport"
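Review bot: The final `project` on L1054 replaces the raw `Mode` value with the constant label `"Transport"`, so the output no longer shows the `%%16403` identifier the filter on L1053 matched; if the mapping is ever wrong the result will still read as a confident "Transport". A short comment tying the two together, e.g. `// %%16403 is the 5451 message-table value for transport mode — confirm against a sample event`, placed above the `where`, keeps the label auditable. Alternatively keep the raw code in the projection next to the label.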
