From fa52f1c06f63cee3a31c7404533ec73417eea768 Mon Sep 17 00:00:00 2001 From: Jimmy Fitzsimmons <44599392+jimmyfit@users.noreply.github.com> Date: Sat, 15 Jan 2022 22:34:14 +1100 Subject: [PATCH 01/28] Add NTLM data collection rule --- arm-cloudsoe-la-solutions.json | 40 ++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/arm-cloudsoe-la-solutions.json b/arm-cloudsoe-la-solutions.json index e1c3439..2711e73 100644 --- a/arm-cloudsoe-la-solutions.json +++ b/arm-cloudsoe-la-solutions.json @@ -303,6 +303,46 @@ "tier": "All", "tierSetMethod": "Custom" } + }, + { + "apiVersion": "2021-04-01", + "type": "Microsoft.Insights/dataCollectionRules", + "name": "DCR-NTLMEvents", + "kind": "Windows", + "location": "[parameters('workspaceRegion')]", + "properties": { + "dataSources": { + "windowsEventLogs": [ + { + "streams": [ + "Microsoft-WindowsEvent" + ], + "xPathQueries": [ + "$XPath = 'Microsoft-Windows-NTLM/Operational!*[System[((EventID >= 8001 and EventID <= 8004))]]'!*", + ], + "name": "NTLMEvents" + } + ] + }, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[parameters('workspaceResourceId')]", + "name": "[variables('workspaceName')]" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Microsoft-Event" + ], + "destinations": [ + "[variables('workspaceName')]" + ] + } + ] + } } ] } \ No newline at end of file From 1cad49e5984981348786870085a05fa8ad971bfb Mon Sep 17 00:00:00 2001 From: Jimmy Fitzsimmons <44599392+jimmyfit@users.noreply.github.com> Date: Mon, 17 Jan 2022 22:19:52 +1100 Subject: [PATCH 02/28] Data collection rule for ASR events --- arm-cloudsoe-la-solutions.json | 43 +++++++++++++++++++++++++++++++++- 1 file changed, 42 insertions(+), 1 deletion(-) diff --git a/arm-cloudsoe-la-solutions.json b/arm-cloudsoe-la-solutions.json index 2711e73..6acc750 100644 --- a/arm-cloudsoe-la-solutions.json +++ b/arm-cloudsoe-la-solutions.json 
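Review bot: The `xPathQueries` array in the new DCR-NTLMEvents resource ends with a trailing comma after its only element, which is not valid JSON, so the template as committed here cannot be parsed by the deployment engine. The query itself is wrapped in PowerShell syntax (`$XPath = '…'!*`) rather than being a bare `Channel!XPath` string, and the data-source stream `Microsoft-WindowsEvent` does not match the `Microsoft-Event` stream named in `dataFlows`. Patches 02, 09 and 10 in this series correct each of these, so consider squashing them so that no intermediate commit leaves the template undeployable, or at least running a template validation (for example `az deployment group validate`) on each commit before pushing.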
@@ -304,6 +304,47 @@ "tierSetMethod": "Custom" } }, + { + "apiVersion": "2021-04-01", + "type": "Microsoft.Insights/dataCollectionRules", + "name": "DCR-ASREvents", + "kind": "Windows", + "location": "[parameters('workspaceRegion')]", + "properties": { + "dataSources": { + "windowsEventLogs": [ + { + "streams": [ + "Microsoft-WindowsEvent" + ], + "xPathQueries": [ + "$XPath = 'Microsoft-Windows-Windows Defender/Operational!*[System[((EventID >= 1121 and EventID <= 1122))]]'!*", + "$XPath = 'Microsoft-Windows-Windows Defender/WHC!*[System[((EventID >= 1121 and EventID <= 1122))]]'!*" + ], + "name": "NTLMEvents" + } + ] + }, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[parameters('workspaceResourceId')]", + "name": "[variables('workspaceName')]" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Microsoft-Event" + ], + "destinations": [ + "[variables('workspaceName')]" + ] + } + ] + } + }, { "apiVersion": "2021-04-01", "type": "Microsoft.Insights/dataCollectionRules", @@ -318,7 +359,7 @@ "Microsoft-WindowsEvent" ], "xPathQueries": [ - "$XPath = 'Microsoft-Windows-NTLM/Operational!*[System[((EventID >= 8001 and EventID <= 8004))]]'!*", + "$XPath = 'Microsoft-Windows-NTLM/Operational!*[System[((EventID >= 8001 and EventID <= 8004))]]'!*" ], "name": "NTLMEvents" } From 0b035de579f0948f3e3176171eb742842aa4a0f8 Mon Sep 17 00:00:00 2001 From: Jimmy Fitzsimmons <44599392+jimmyfit@users.noreply.github.com> Date: Mon, 17 Jan 2022 22:34:03 +1100 Subject: [PATCH 03/28] Implement DCR for exploit protection --- arm-cloudsoe-la-solutions.json | 43 ++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/arm-cloudsoe-la-solutions.json b/arm-cloudsoe-la-solutions.json index 6acc750..e352d9f 100644 --- a/arm-cloudsoe-la-solutions.json +++ b/arm-cloudsoe-la-solutions.json 
@@ -384,6 +384,49 @@ } ] } + }, + { + "apiVersion": "2021-04-01", + "type": "Microsoft.Insights/dataCollectionRules", + "name": "DCR-ExploitProtectionEvents", + "kind": "Windows", + "location": "[parameters('workspaceRegion')]", + "properties": { + "dataSources": { + "windowsEventLogs": [ + { + "streams": [ + "Microsoft-WindowsEvent" + ], + "xPathQueries": [ + "$XPath = 'Microsoft-Windows-Security-Mitigations/KernelMode!*[System[((EventID >= 1 and EventID <= 24))]]'!*", + "$XPath = 'Microsoft-Windows-Security-Mitigations/UserMode!*[System[((EventID >= 1 and EventID <= 24))]]'!*", + "$XPath = 'Microsoft-Windows-Win32k/Operational!*[System[((EventID=260))]]'!*", + "$XPath = 'System!*[System[Provider[@Name='Microsoft-Windows-WER-Diag'] and (EventID=5)]]'!*" + ], + "name": "NTLMEvents" + } + ] + }, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[parameters('workspaceResourceId')]", + "name": "[variables('workspaceName')]" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Microsoft-Event" + ], + "destinations": [ + "[variables('workspaceName')]" + ] + } + ] + } } ] } \ No newline at end of file From 4325ef0c45182e194ab40c03dfafeb27e9e4078b Mon Sep 17 00:00:00 2001 From: Jimmy Fitzsimmons <44599392+jimmyfit@users.noreply.github.com> Date: Tue, 18 Jan 2022 08:49:28 +1100 Subject: [PATCH 04/28] Implement data collection rule for network protection events --- arm-cloudsoe-la-solutions.json | 41 ++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/arm-cloudsoe-la-solutions.json b/arm-cloudsoe-la-solutions.json index e352d9f..7fe33cb 100644 --- a/arm-cloudsoe-la-solutions.json +++ b/arm-cloudsoe-la-solutions.json 
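Review bot: The fourth query in DCR-ExploitProtectionEvents reads WER-Diag event 5 from the `System` channel, but as far as I recall Microsoft's exploit-protection guidance lists that event under the provider's own `Microsoft-Windows-WER-Diag/Operational` channel, so this filter may never match; please verify on a host with exploit protection enabled before relying on it for ISM evidence. The nested single quotes in `Provider[@Name='Microsoft-Windows-WER-Diag']` also terminate the surrounding `'…'` PowerShell wrapper in this commit, although patch 10 later removes the wrapper and makes the string well formed.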
@@ -427,6 +427,47 @@ } ] } + }, + { + "apiVersion": "2021-04-01", + "type": "Microsoft.Insights/dataCollectionRules", + "name": "DCR-NetworkProtectionEvents", + "kind": "Windows", + "location": "[parameters('workspaceRegion')]", + "properties": { + "dataSources": { + "windowsEventLogs": [ + { + "streams": [ + "Microsoft-WindowsEvent" + ], + "xPathQueries": [ + "$XPath = 'Microsoft-Windows-Windows Defender/Operational!*[System[((EventID >= 1125 and EventID <= 1126))]]'!*", + "$XPath = 'Microsoft-Windows-Windows Defender/WHC!*[System[((EventID >= 1125 and EventID <= 1126))]]'!*" + ], + "name": "NTLMEvents" + } + ] + }, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[parameters('workspaceResourceId')]", + "name": "[variables('workspaceName')]" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Microsoft-Event" + ], + "destinations": [ + "[variables('workspaceName')]" + ] + } + ] + } } ] } \ No newline at end of file From b31140fe502aed60abe3ca93dfdc3ae812a0b363 Mon Sep 17 00:00:00 2001 From: Jimmy Fitzsimmons <44599392+jimmyfit@users.noreply.github.com> Date: Tue, 18 Jan 2022 08:52:38 +1100 Subject: [PATCH 05/28] Add data collection rule for schannel events --- arm-cloudsoe-la-solutions.json | 40 ++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/arm-cloudsoe-la-solutions.json b/arm-cloudsoe-la-solutions.json index 7fe33cb..01d57c0 100644 --- a/arm-cloudsoe-la-solutions.json +++ b/arm-cloudsoe-la-solutions.json 
@@ -468,6 +468,46 @@ } ] } + }, + { + "apiVersion": "2021-04-01", + "type": "Microsoft.Insights/dataCollectionRules", + "name": "DCR-SChannelEvents", + "kind": "Windows", + "location": "[parameters('workspaceRegion')]", + "properties": { + "dataSources": { + "windowsEventLogs": [ + { + "streams": [ + "Microsoft-WindowsEvent" + ], + "xPathQueries": [ + "$XPath = 'System!*[System[((EventID=36880))]]'!*" + ], + "name": "NTLMEvents" + } + ] + }, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[parameters('workspaceResourceId')]", + "name": "[variables('workspaceName')]" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Microsoft-Event" + ], + "destinations": [ + "[variables('workspaceName')]" + ] + } + ] + } } ] } \ No newline at end of file From 75aa308ba2440c7528f8451bf23dd2fb35ad6cc3 Mon Sep 17 00:00:00 2001 From: Jimmy Fitzsimmons <44599392+jimmyfit@users.noreply.github.com> Date: Tue, 18 Jan 2022 08:59:35 +1100 Subject: [PATCH 06/28] Implement data collection rule for WDAC --- arm-cloudsoe-la-solutions.json | 40 ++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/arm-cloudsoe-la-solutions.json b/arm-cloudsoe-la-solutions.json index 01d57c0..997de3e 100644 --- a/arm-cloudsoe-la-solutions.json +++ b/arm-cloudsoe-la-solutions.json 
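Review bot: DCR-SChannelEvents collects only event 36880, which records a successful TLS handshake, and as far as I know Schannel emits it only when its EventLogging verbosity has been raised above the default, so on a stock build this rule is likely to return nothing; confirm the SOE baseline raises that setting, or document the dependency next to the rule. Handshake failure events (e.g. 36874 or 36888), which are the more useful signal for spotting legacy-protocol or cipher negotiation problems, are not collected at all; consider adding them or noting why only successful handshakes are of interest.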
@@ -508,6 +508,46 @@ } ] } + }, + { + "apiVersion": "2021-04-01", + "type": "Microsoft.Insights/dataCollectionRules", + "name": "DCR-WDACEvents", + "kind": "Windows", + "location": "[parameters('workspaceRegion')]", + "properties": { + "dataSources": { + "windowsEventLogs": [ + { + "streams": [ + "Microsoft-WindowsEvent" + ], + "xPathQueries": [ + "$XPath = 'Microsoft-Windows-CodeIntegrity/Operational!*[System[((EventID=3077 or EventID=3092 or EventID=3099))]]'!*" + ], + "name": "WDACEvents" + } + ] + }, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[parameters('workspaceResourceId')]", + "name": "[variables('workspaceName')]" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Microsoft-Event" + ], + "destinations": [ + "[variables('workspaceName')]" + ] + } + ] + } } ] } \ No newline at end of file From d792c17b65f8560523a0aa57aa5d44bbba001ebd Mon Sep 17 00:00:00 2001 From: Jimmy Fitzsimmons <44599392+jimmyfit@users.noreply.github.com> Date: Tue, 18 Jan 2022 09:01:22 +1100 Subject: [PATCH 07/28] Fix DCR name properties --- arm-cloudsoe-la-solutions.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/arm-cloudsoe-la-solutions.json b/arm-cloudsoe-la-solutions.json index 997de3e..577dd71 100644 --- a/arm-cloudsoe-la-solutions.json +++ b/arm-cloudsoe-la-solutions.json @@ -321,7 +321,7 @@ "$XPath = 'Microsoft-Windows-Windows Defender/Operational!*[System[((EventID >= 1121 and EventID <= 1122))]]'!*", "$XPath = 'Microsoft-Windows-Windows Defender/WHC!*[System[((EventID >= 1121 and EventID <= 1122))]]'!*" ], - "name": "NTLMEvents" + "name": "ASREvents" } ] }, @@ -404,7 +404,7 @@ "$XPath = 'Microsoft-Windows-Win32k/Operational!*[System[((EventID=260))]]'!*", "$XPath = 'System!*[System[Provider[@Name='Microsoft-Windows-WER-Diag'] and (EventID=5)]]'!*" ], - "name": "NTLMEvents" + "name": "ExploitProtectionEvents" } ] }, 
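Review bot: DCR-WDACEvents collects enforcement events 3077, 3092 and 3099 but not the audit-mode counterpart 3076, so while the code integrity policy is still in audit mode the rule reports nothing about binaries that would have been blocked; if audit mode is part of the rollout, consider adding 3076 (verify the ID against the Code Integrity operational log on a reference host). Because the template is strict JSON at this point, the meaning of each selected ID is best recorded in `docs/` beside the rule rather than left to the reader to look up.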
@@ -445,7 +445,7 @@ "$XPath = 'Microsoft-Windows-Windows Defender/Operational!*[System[((EventID >= 1125 and EventID <= 1126))]]'!*", "$XPath = 'Microsoft-Windows-Windows Defender/WHC!*[System[((EventID >= 1125 and EventID <= 1126))]]'!*" ], - "name": "NTLMEvents" + "name": "NetworkProtectionEvents" } ] }, @@ -485,7 +485,7 @@ "xPathQueries": [ "$XPath = 'System!*[System[((EventID=36880))]]'!*" ], - "name": "NTLMEvents" + "name": "SChannelEvents" } ] }, From 9a4cc8c8629c45257acea0b2e81073ba49411aac Mon Sep 17 00:00:00 2001 From: Jimmy Fitzsimmons <44599392+jimmyfit@users.noreply.github.com> Date: Tue, 18 Jan 2022 11:36:22 +1100 Subject: [PATCH 08/28] Ensure workspaceRegion uses short form for DCRs --- arm-cloudsoe-la-solutions.json | 6 +++++- azureDeploy.json | 6 +++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/arm-cloudsoe-la-solutions.json b/arm-cloudsoe-la-solutions.json index 577dd71..72fb3c9 100644 --- a/arm-cloudsoe-la-solutions.json +++ b/arm-cloudsoe-la-solutions.json @@ -6,7 +6,11 @@ "type": "string", "metadata": { "description": "The region that log analytics is deployed to." - } + }, + "allowedValues": [ + "australiaeast", + "australiasoutheast" + ] }, "workspaceResourceId": { "type": "string", diff --git a/azureDeploy.json b/azureDeploy.json index 34460a6..7f3b69c 100644 --- a/azureDeploy.json +++ b/azureDeploy.json @@ -24,7 +24,11 @@ "type": "string", "metadata": { "description": "The region that log analytics is deployed to." - } + }, + "allowedValues": [ + "australiaeast", + "australiasoutheast" + ] }, "automationAccountResourceId": { "type": "string", From fee60d564b0d0fe4e79330a081aa3197c512d069 Mon Sep 17 00:00:00 2001 From: Jimmy Fitzsimmons <44599392+jimmyfit@users.noreply.github.com> Date: Tue, 18 Jan 2022 12:19:09 +1100 Subject: [PATCH 09/28] Fix LA table destination --- arm-cloudsoe-la-solutions.json | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
diff --git a/arm-cloudsoe-la-solutions.json b/arm-cloudsoe-la-solutions.json index 72fb3c9..e1a45eb 100644 --- a/arm-cloudsoe-la-solutions.json +++ b/arm-cloudsoe-la-solutions.json @@ -319,7 +319,7 @@ "windowsEventLogs": [ { "streams": [ - "Microsoft-WindowsEvent" + "Microsoft-Event" ], "xPathQueries": [ "$XPath = 'Microsoft-Windows-Windows Defender/Operational!*[System[((EventID >= 1121 and EventID <= 1122))]]'!*", @@ -360,7 +360,7 @@ "windowsEventLogs": [ { "streams": [ - "Microsoft-WindowsEvent" + "Microsoft-Event" ], "xPathQueries": [ "$XPath = 'Microsoft-Windows-NTLM/Operational!*[System[((EventID >= 8001 and EventID <= 8004))]]'!*" @@ -400,7 +400,7 @@ "windowsEventLogs": [ { "streams": [ - "Microsoft-WindowsEvent" + "Microsoft-Event" ], "xPathQueries": [ "$XPath = 'Microsoft-Windows-Security-Mitigations/KernelMode!*[System[((EventID >= 1 and EventID <= 24))]]'!*", @@ -443,7 +443,7 @@ "windowsEventLogs": [ { "streams": [ - "Microsoft-WindowsEvent" + "Microsoft-Event" ], "xPathQueries": [ "$XPath = 'Microsoft-Windows-Windows Defender/Operational!*[System[((EventID >= 1125 and EventID <= 1126))]]'!*", @@ -484,7 +484,7 @@ "windowsEventLogs": [ { "streams": [ - "Microsoft-WindowsEvent" + "Microsoft-Event" ], "xPathQueries": [ "$XPath = 'System!*[System[((EventID=36880))]]'!*" @@ -524,7 +524,7 @@ "windowsEventLogs": [ { "streams": [ - "Microsoft-WindowsEvent" + "Microsoft-Event" ], "xPathQueries": [ "$XPath = 'Microsoft-Windows-CodeIntegrity/Operational!*[System[((EventID=3077 or EventID=3092 or EventID=3099))]]'!*" From 9aea1de9e4bf5fe99f2e40d01c0fb9b1d1814d49 Mon Sep 17 00:00:00 2001 From: Jimmy Fitzsimmons <44599392+jimmyfit@users.noreply.github.com> Date: Tue, 18 Jan 2022 12:31:01 +1100 Subject: [PATCH 10/28] Remove erroneous PowerShell syntax from xPathQueries arrays --- arm-cloudsoe-la-solutions.json | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) 
diff --git a/arm-cloudsoe-la-solutions.json b/arm-cloudsoe-la-solutions.json index e1a45eb..b81bd0e 100644 --- a/arm-cloudsoe-la-solutions.json +++ b/arm-cloudsoe-la-solutions.json @@ -322,8 +322,8 @@ "Microsoft-Event" ], "xPathQueries": [ - "$XPath = 'Microsoft-Windows-Windows Defender/Operational!*[System[((EventID >= 1121 and EventID <= 1122))]]'!*", - "$XPath = 'Microsoft-Windows-Windows Defender/WHC!*[System[((EventID >= 1121 and EventID <= 1122))]]'!*" + "Microsoft-Windows-Windows Defender/Operational!*[System[((EventID >= 1121 and EventID <= 1122))]]", + "Microsoft-Windows-Windows Defender/WHC!*[System[((EventID >= 1121 and EventID <= 1122))]]" ], "name": "ASREvents" } @@ -363,7 +363,7 @@ "Microsoft-Event" ], "xPathQueries": [ - "$XPath = 'Microsoft-Windows-NTLM/Operational!*[System[((EventID >= 8001 and EventID <= 8004))]]'!*" + "Microsoft-Windows-NTLM/Operational!*[System[((EventID >= 8001 and EventID <= 8004))]]" ], "name": "NTLMEvents" } @@ -403,10 +403,10 @@ "Microsoft-Event" ], "xPathQueries": [ - "$XPath = 'Microsoft-Windows-Security-Mitigations/KernelMode!*[System[((EventID >= 1 and EventID <= 24))]]'!*", - "$XPath = 'Microsoft-Windows-Security-Mitigations/UserMode!*[System[((EventID >= 1 and EventID <= 24))]]'!*", - "$XPath = 'Microsoft-Windows-Win32k/Operational!*[System[((EventID=260))]]'!*", - "$XPath = 'System!*[System[Provider[@Name='Microsoft-Windows-WER-Diag'] and (EventID=5)]]'!*" + "Microsoft-Windows-Security-Mitigations/KernelMode!*[System[((EventID >= 1 and EventID <= 24))]]", + "Microsoft-Windows-Security-Mitigations/UserMode!*[System[((EventID >= 1 and EventID <= 24))]]", + "Microsoft-Windows-Win32k/Operational!*[System[((EventID=260))]]", + "System!*[System[Provider[@Name='Microsoft-Windows-WER-Diag'] and (EventID=5)]]" ], "name": "ExploitProtectionEvents" } 
@@ -446,8 +446,8 @@ "Microsoft-Event" ], "xPathQueries": [ - "$XPath = 'Microsoft-Windows-Windows Defender/Operational!*[System[((EventID >= 1125 and EventID <= 1126))]]'!*", - "$XPath = 'Microsoft-Windows-Windows Defender/WHC!*[System[((EventID >= 1125 and EventID <= 1126))]]'!*" + "Microsoft-Windows-Windows Defender/Operational!*[System[((EventID >= 1125 and EventID <= 1126))]]", + "Microsoft-Windows-Windows Defender/WHC!*[System[((EventID >= 1125 and EventID <= 1126))]]" ], "name": "NetworkProtectionEvents" } @@ -487,7 +487,7 @@ "Microsoft-Event" ], "xPathQueries": [ - "$XPath = 'System!*[System[((EventID=36880))]]'!*" + "System!*[System[((EventID=36880))]]" ], "name": "SChannelEvents" } @@ -527,7 +527,7 @@ "Microsoft-Event" ], "xPathQueries": [ - "$XPath = 'Microsoft-Windows-CodeIntegrity/Operational!*[System[((EventID=3077 or EventID=3092 or EventID=3099))]]'!*" + "Microsoft-Windows-CodeIntegrity/Operational!*[System[((EventID=3077 or EventID=3092 or EventID=3099))]]" ], "name": "WDACEvents" } From c3d1dfe8cdf4213272cddf2c9e3b4717a08d0ada Mon Sep 17 00:00:00 2001 From: Jimmy Fitzsimmons <44599392+jimmyfit@users.noreply.github.com> Date: Tue, 18 Jan 2022 20:55:48 +1100 Subject: [PATCH 11/28] Account lockout data collection rule --- arm-cloudsoe-la-solutions.json | 41 ++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/arm-cloudsoe-la-solutions.json b/arm-cloudsoe-la-solutions.json index b81bd0e..90952f6 100644 --- a/arm-cloudsoe-la-solutions.json +++ b/arm-cloudsoe-la-solutions.json 
@@ -308,6 +308,47 @@ "tierSetMethod": "Custom" } }, + { + "apiVersion": "2021-04-01", + "type": "Microsoft.Insights/dataCollectionRules", + "name": "DCR-AccountLockoutEvents", + "kind": "Windows", + "location": "[parameters('workspaceRegion')]", + "properties": { + "dataSources": { + "windowsEventLogs": [ + { + "streams": [ + "Microsoft-Event" + ], + "xPathQueries": [ + "Security!*[System[((EventID=4625))]]", //Failed logins + "Security!*[System[((EventID=4740))]]" //Lockout + ], + "name": "AccountLockoutEvents" + } + ] + }, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[parameters('workspaceResourceId')]", + "name": "[variables('workspaceName')]" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Microsoft-Event" + ], + "destinations": [ + "[variables('workspaceName')]" + ] + } + ] + } + }, { "apiVersion": "2021-04-01", "type": "Microsoft.Insights/dataCollectionRules", From da2ccb694483b8fd7f08081e7c03a87e9ad0f0d1 Mon Sep 17 00:00:00 2001 From: Jimmy Fitzsimmons <44599392+jimmyfit@users.noreply.github.com> Date: Tue, 18 Jan 2022 20:59:40 +1100 Subject: [PATCH 12/28] Implement IPsec data collection rule --- arm-cloudsoe-la-solutions.json | 41 ++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/arm-cloudsoe-la-solutions.json b/arm-cloudsoe-la-solutions.json index 90952f6..abe3144 100644 --- a/arm-cloudsoe-la-solutions.json +++ b/arm-cloudsoe-la-solutions.json 
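Review bot: The `xPathQueries` entries in DCR-AccountLockoutEvents carry `//Failed logins` and `//Lockout` comments, which Azure Resource Manager accepts in deployment templates but strict JSON parsers and linters do not, and some older Azure CLI releases required an extra flag to deploy such templates; the rest of this file is comment-free, so either keep it strict JSON and document the IDs in `docs/`, or make sure the repository's validation tooling tolerates JSONC. The same applies to the IPsec rule added in patch 12. Separately, event 4625 from the `Security` channel is collected here into the `Event` table while the `SecurityEventCollectionConfiguration` resource above already forwards Security events for Defender for Cloud, so failed-logon events are likely ingested twice; confirm that duplication is intended given per-GB billing.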
@@ -473,6 +473,47 @@ ] } }, + { + "apiVersion": "2021-04-01", + "type": "Microsoft.Insights/dataCollectionRules", + "name": "DCR-IPsecEvents", + "kind": "Windows", + "location": "[parameters('workspaceRegion')]", + "properties": { + "dataSources": { + "windowsEventLogs": [ + { + "streams": [ + "Microsoft-Event" + ], + "xPathQueries": [ + "Security!*[System[((EventID >= 4650 and EventID <= 4651))]]", //Main mode security associations + "Security!*[System[((EventID=5451))]]" //Quick mode security associations + ], + "name": "IPsecEvents" + } + ] + }, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[parameters('workspaceResourceId')]", + "name": "[variables('workspaceName')]" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Microsoft-Event" + ], + "destinations": [ + "[variables('workspaceName')]" + ] + } + ] + } + }, { "apiVersion": "2021-04-01", "type": "Microsoft.Insights/dataCollectionRules", From 0766db5e90ded636d5feedde9bbbf1a134ea7f9a Mon Sep 17 00:00:00 2001 From: Jimmy Fitzsimmons <44599392+jimmyfit@users.noreply.github.com> Date: Tue, 18 Jan 2022 22:09:51 +1100 Subject: [PATCH 13/28] Implemented DINE policy to associate DCRs with VMs --- azureDeploy.json | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/azureDeploy.json b/azureDeploy.json index 7f3b69c..5e35ca6 100644 --- a/azureDeploy.json +++ b/azureDeploy.json @@ -175,7 +175,8 @@ "location": "australiaeast", "dependsOn": [ "CloudSOEImageDeployment", - "CloudSOEAutomanageAccountDeployment" + "CloudSOEAutomanageAccountDeployment", + "CloudSOELaSolutionDeployment" ], "properties": { "mode": "Incremental", @@ -186,6 +187,12 @@ "parameters": { "policyScopeId": { "value": "[parameters('policyScopeId')]" + }, + "windowsImageIds": { + "value": "[reference('CloudSOEImageDeployment').outputs.windowsImageIds.value]" + }, + "dataCollectionRuleEventResourceIds": { + "value": "[reference('CloudSOELaSolutionDeployment').outputs.dataCollectionRuleResourceIds.value]" } } } 
From b6d08378e0f3626dab35bb255dab560deff47d35 Mon Sep 17 00:00:00 2001 From: Jimmy Fitzsimmons <44599392+jimmyfit@users.noreply.github.com> Date: Tue, 18 Jan 2022 22:10:20 +1100 Subject: [PATCH 14/28] Implement DINE policy to associate DCRs with VMs --- arm-cloudsoe-la-solutions.json | 17 +++- arm-cloudsoe-policy-baseline.json | 132 ++++++++++++++++++++++++++++++ 2 files changed, 148 insertions(+), 1 deletion(-) diff --git a/arm-cloudsoe-la-solutions.json b/arm-cloudsoe-la-solutions.json index abe3144..cba9758 100644 --- a/arm-cloudsoe-la-solutions.json +++ b/arm-cloudsoe-la-solutions.json @@ -635,5 +635,20 @@ ] } } - ] + ], + "outputs": { + "dataCollectionRuleResourceIds":{ + "type": "object", + "value": { + "DCR-AccountLockoutEvents": "[resourceId('Microsoft.Insights/dataCollectionRules','DCR-AccountLockoutEvents')]", + "DCR-ASREvents": "[resourceId('Microsoft.Insights/dataCollectionRules','DCR-ASREvents')]", + "DCR-NTLMEvents": "[resourceId('Microsoft.Insights/dataCollectionRules','DCR-NTLMEvents')]", + "DCR-ExploitProtectionEvents": "[resourceId('Microsoft.Insights/dataCollectionRules','DCR-ExploitProtectionEvents')]", + "DCR-IPsecEvents": "[resourceId('Microsoft.Insights/dataCollectionRules','DCR-IPsecEvents')]", + "DCR-NetworkProtectionEvents": "[resourceId('Microsoft.Insights/dataCollectionRules','DCR-NetworkProtectionEvents')]", + "DCR-SChannelEvents": "[resourceId('Microsoft.Insights/dataCollectionRules','DCR-SChannelEvents')]", + "DCR-WDACEvents": "[resourceId('Microsoft.Insights/dataCollectionRules','DCR-WDACEvents')]" + } + } + } } \ No newline at end of file diff --git a/arm-cloudsoe-policy-baseline.json b/arm-cloudsoe-policy-baseline.json index d668f13..33c50a9 100644 --- a/arm-cloudsoe-policy-baseline.json +++ b/arm-cloudsoe-policy-baseline.json 
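Review bot: The new `outputs.dataCollectionRuleResourceIds` repeats each DCR name as a string literal that must stay in step with the `name` property of the matching resource above and with the `['DCR-…']` lookups in arm-cloudsoe-policy-baseline.json; a rename in any one place is only caught at deploy time. Consider holding the names in a single `variables` array consumed by the resources, the outputs and the policy template so there is one source of truth.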
@@ -7,6 +7,18 @@ "metadata": { "description": "The scope at which policies, relating to the cloud SOE, will be assigned." } + }, + "windowsImageIds": { + "type": "array", + "metadata":{ + "description": "The set of resource IDs for the Windows images that will be considered in scope for policies that apply to built VMs." + } + }, + "dataCollectionRuleEventResourceIds": { + "type": "object", + "metadata":{ + "description": "An object that lists the resource IDs for the Azure Monitor data collection rules." + } } }, "variables": { 
@@ -306,6 +318,126 @@ "ISM-1412-2" ], "parameters": {} + }, + { + "assignmentName": "enable-dcr-association-account-lockout-events", + "displayName": "Windows VMs should associate with the data collection rule: DCR-AccountLockoutEvents", + "definition": { + "builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c" + }, + "parameters": { + "listOfWindowsImageIdToInclude": { + "value": "[parameters('windowsImageIds')]" + }, + "DcrResourceId": { + "value": "[parameters('dataCollectionRuleEventResourceIds')['DCR-AccountLockoutEvents']]" + } + } + }, + { + "assignmentName": "enable-dcr-association-asr-events", + "displayName": "Windows VMs should associate with the data collection rule: DCR-ASREvents", + "definition": { + "builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c" + }, + "parameters": { + "listOfWindowsImageIdToInclude": { + "value": "[parameters('windowsImageIds')]" + }, + "DcrResourceId": { + "value": "[parameters('dataCollectionRuleEventResourceIds')['DCR-ASREvents']]" + } + } + }, + { + "assignmentName": "enable-dcr-association-ntlm-events", + "displayName": "Windows VMs should associate with the data collection rule: DCR-NTLMEvents", + "definition": { + "builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c" + }, + "parameters": { + "listOfWindowsImageIdToInclude": { + "value": "[parameters('windowsImageIds')]" + }, + "DcrResourceId": { + "value": "[parameters('dataCollectionRuleEventResourceIds')['DCR-NTLMEvents']]" + } + } + }, + { + "assignmentName": "enable-dcr-association-exploit-protection-events", + "displayName": "Windows VMs should associate with the data collection rule: DCR-ExploitProtectionEvents", + "definition": { + "builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c" + }, + 
"parameters": { + "listOfWindowsImageIdToInclude": { + "value": "[parameters('windowsImageIds')]" + }, + "DcrResourceId": { + "value": "[parameters('dataCollectionRuleEventResourceIds')['DCR-ExploitProtectionEvents']]" + } + } + }, + { + "assignmentName": "enable-dcr-association-ipsec-events", + "displayName": "Windows VMs should associate with the data collection rule: DCR-IPsecEvents", + "definition": { + "builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c" + }, + "parameters": { + "listOfWindowsImageIdToInclude": { + "value": "[parameters('windowsImageIds')]" + }, + "DcrResourceId": { + "value": "[parameters('dataCollectionRuleEventResourceIds')['DCR-IPsecEvents']]" + } + } + }, + { + "assignmentName": "enable-dcr-association-network-protection-events", + "displayName": "Windows VMs should associate with the data collection rule: DCR-NetworkProtectionEvents", + "definition": { + "builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c" + }, + "parameters": { + "listOfWindowsImageIdToInclude": { + "value": "[parameters('windowsImageIds')]" + }, + "DcrResourceId": { + "value": "[parameters('dataCollectionRuleEventResourceIds')['DCR-NetworkProtectionEvents']]" + } + } + }, + { + "assignmentName": "enable-dcr-association-schannel-events", + "displayName": "Windows VMs should associate with the data collection rule: DCR-SChannelEvents", + "definition": { + "builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c" + }, + "parameters": { + "listOfWindowsImageIdToInclude": { + "value": "[parameters('windowsImageIds')]" + }, + "DcrResourceId": { + "value": "[parameters('dataCollectionRuleEventResourceIds')['DCR-SChannelEvents']]" + } + } + }, + { + "assignmentName": "enable-dcr-association-wdac-events", + "displayName": "Windows VMs should associate with the data collection rule: 
DCR-WDACEvents", + "definition": { + "builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c" + }, + "parameters": { + "listOfWindowsImageIdToInclude": { + "value": "[parameters('windowsImageIds')]" + }, + "DcrResourceId": { + "value": "[parameters('dataCollectionRuleEventResourceIds')['DCR-WDACEvents']]" + } + } } ] }, From 796fc6b41fdbf4f147e0a3b9e920b7a42197fe29 Mon Sep 17 00:00:00 2001 From: Jimmy Fitzsimmons <44599392+jimmyfit@users.noreply.github.com> Date: Thu, 20 Jan 2022 22:21:24 +1100 Subject: [PATCH 15/28] Change example to use short region format --- docs/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/README.md b/docs/README.md index 22a5475..4153920 100644 --- a/docs/README.md +++ b/docs/README.md @@ -285,7 +285,7 @@ Create a hashtable `$params` to hold your deployment parameters: $params = @{policyScopeId="/subscriptions/"; workspaceId=""; workspaceResourceId="/subscriptions//resourcegroups//providers/microsoft.operationalinsights/workspaces/"; - workspaceRegion="Australia East"; + workspaceRegion="australiaeast"; automationAccountResourceId="/subscriptions//resourceGroups//providers/Microsoft.Automation/automationAccounts/"; updateManagementScope=@("/subscriptions/")} ``` @@ -312,7 +312,7 @@ This is the resourceId attribute of the Log Analytics workspace which will be us Input: `workspaceRegion` -This is the Azure region of the Log Analytics workspace which will be used by the project to enable solutions and collect logs and other data sources. +This is the Azure region of the Log Analytics workspace which will be used by the project to enable solutions and collect logs and other data sources. This should be specified in short form. (I.e. "australiaeast") --- From 5434ef2103e72cc75a018905d1fc8f543c35702f Mon Sep 17 00:00:00 2001 
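Review bot: The eight `enable-dcr-association-*` assignments use the built-in DCR-association DINE policy, which only creates the association; events are collected only if the Azure Monitor Agent is present on the VMs, and nothing in this hunk deploys it. If an AMA deployment policy is not already part of the baseline elsewhere in the repository, add one ordered before these, otherwise the new DCRs will silently produce no data. The eight objects differ only in `assignmentName`, `displayName` and the DCR key, and their `definition` blocks carry no `roleDefinitionIds`, so the assignments' managed identity presumably cannot remediate until patch 16 adds them; squashing that fix into this commit would avoid a non-functional intermediate state.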
From: Jimmy Fitzsimmons <44599392+jimmyfit@users.noreply.github.com> Date: Sat, 29 Jan 2022 11:54:47 +1100 Subject: [PATCH 16/28] Add policy roles --- arm-cloudsoe-policy-baseline.json | 40 ++++++++++++++++++++++++------- 1 file changed, 32 insertions(+), 8 deletions(-) diff --git a/arm-cloudsoe-policy-baseline.json b/arm-cloudsoe-policy-baseline.json index 33c50a9..23212f2 100644 --- a/arm-cloudsoe-policy-baseline.json +++ b/arm-cloudsoe-policy-baseline.json @@ -323,7 +323,10 @@ "assignmentName": "enable-dcr-association-account-lockout-events", "displayName": "Windows VMs should associate with the data collection rule: DCR-AccountLockoutEvents", "definition": { - "builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c" + "builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c", + "roleDefinitionIds": [ + "749f88d5-cbae-40b8-bcfc-e573ddc772fa" + ] }, "parameters": { "listOfWindowsImageIdToInclude": { @@ -338,7 +341,10 @@ "assignmentName": "enable-dcr-association-asr-events", "displayName": "Windows VMs should associate with the data collection rule: DCR-ASREvents", "definition": { - "builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c" + "builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c", + "roleDefinitionIds": [ + "749f88d5-cbae-40b8-bcfc-e573ddc772fa" + ] }, "parameters": { "listOfWindowsImageIdToInclude": { 
@@ -353,7 +359,10 @@ "assignmentName": "enable-dcr-association-ntlm-events", "displayName": "Windows VMs should associate with the data collection rule: DCR-NTLMEvents", "definition": { - "builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c" + "builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c", + "roleDefinitionIds": [ + "749f88d5-cbae-40b8-bcfc-e573ddc772fa" + ] }, "parameters": { "listOfWindowsImageIdToInclude": { @@ -368,7 +377,10 @@ "assignmentName": "enable-dcr-association-exploit-protection-events", "displayName": "Windows VMs should associate with the data collection rule: DCR-ExploitProtectionEvents", "definition": { - "builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c" + "builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c", + "roleDefinitionIds": [ + "749f88d5-cbae-40b8-bcfc-e573ddc772fa" + ] }, "parameters": { "listOfWindowsImageIdToInclude": { @@ -383,7 +395,10 @@ "assignmentName": "enable-dcr-association-ipsec-events", "displayName": "Windows VMs should associate with the data collection rule: DCR-IPsecEvents", "definition": { - "builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c" + "builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c", + "roleDefinitionIds": [ + "749f88d5-cbae-40b8-bcfc-e573ddc772fa" + ] }, "parameters": { "listOfWindowsImageIdToInclude": { 
@@ -398,7 +413,10 @@ "assignmentName": "enable-dcr-association-network-protection-events", "displayName": "Windows VMs should associate with the data collection rule: DCR-NetworkProtectionEvents", "definition": { - "builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c" + "builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c", + "roleDefinitionIds": [ + "749f88d5-cbae-40b8-bcfc-e573ddc772fa" + ] }, "parameters": { "listOfWindowsImageIdToInclude": { @@ -413,7 +431,10 @@ "assignmentName": "enable-dcr-association-schannel-events", "displayName": "Windows VMs should associate with the data collection rule: DCR-SChannelEvents", "definition": { - "builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c" + "builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c", + "roleDefinitionIds": [ + "749f88d5-cbae-40b8-bcfc-e573ddc772fa" + ] }, "parameters": { "listOfWindowsImageIdToInclude": { @@ -428,7 +449,10 @@ "assignmentName": "enable-dcr-association-wdac-events", "displayName": "Windows VMs should associate with the data collection rule: DCR-WDACEvents", "definition": { - "builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c" + "builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c", + "roleDefinitionIds": [ + "749f88d5-cbae-40b8-bcfc-e573ddc772fa" + ] }, "parameters": { "listOfWindowsImageIdToInclude": { From ec4d254add9f6b7525f320c8e7c948e311fe00ea Mon Sep 17 00:00:00 2001 
From: Jimmy Fitzsimmons <44599392+jimmyfit@users.noreply.github.com> Date: Sat, 29 Jan 2022 11:55:11 +1100 Subject: [PATCH 17/28] Set ASC security log collection to Common --- arm-cloudsoe-la-solutions.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm-cloudsoe-la-solutions.json b/arm-cloudsoe-la-solutions.json index cba9758..acbb119 100644 --- a/arm-cloudsoe-la-solutions.json +++ b/arm-cloudsoe-la-solutions.json @@ -304,7 +304,7 @@ "name": "[concat(variables('workspaceName'),'/SecurityEventCollectionConfiguration')]", "kind": "SecurityEventCollectionConfiguration", "properties": { - "tier": "All", + "tier": "Custom", "tierSetMethod": "Custom" } }, From e8666875761034f48750fb3af1478be4cf756770 Mon Sep 17 00:00:00 2001 From: Jimmy Fitzsimmons <44599392+jimmyfit@users.noreply.github.com> Date: Sat, 29 Jan 2022 12:39:02 +1100 Subject: [PATCH 18/28] Revised documentation to reflect Azure Defender log collection change --- docs/ism-guidelines.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/ism-guidelines.md b/docs/ism-guidelines.md index 0df93cb..e3b7b96 100644 --- a/docs/ism-guidelines.md +++ b/docs/ism-guidelines.md @@ -51,7 +51,7 @@ Identifier | Description | Measures 1501 | Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions. | Windows All
Azure Monitor Workbook surfaces a summary report of all VM instances and the OS version they use. 1405 | A centralised logging facility is implemented and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs. | Deployed virtual machines send logs to Azure Monitor Logs workspace. 0584 | For any system requiring authentication, logon, failed logon and logoff events are logged. | Windows All
1. Azure Image Builder customisation enables advanced audit logging with Logon subcategory.
2. Azure Monitor Logs is configured to collect all security logs. -0582 | The following events are logged for operating systems:
• access to important data and processes
• application crashes and any error messages
• attempts to use special privileges
• changes to accounts
• changes to security policy
• changes to system configurations
• Domain Name System (DNS) and Hypertext Transfer Protocol requests
• failed attempts to access data and system resources
• service failures and restarts
• system startup and shutdown
• transfer of data to and from external media
• user or group management
• use of special privileges. | Windows All
Azure Monitor Logs is configured to collect all security logs. +0582 | The following events are logged for operating systems:
• access to important data and processes
• application crashes and any error messages
• attempts to use special privileges
• changes to accounts
• changes to security policy
• changes to system configurations
• Domain Name System (DNS) and Hypertext Transfer Protocol requests
• failed attempts to access data and system resources
• service failures and restarts
• system startup and shutdown
• transfer of data to and from external media
• user or group management
• use of special privileges. | Windows All
Azure Defender is configured to collect Common security logs.

_Note: Setting Azure Defender to "Common" may not all Events IDs necessary to identify the events described in the guideline. Consider Azure Defender event collection setting and adding additional Azure Monitor Data Collection Rules as necessary._ 0521 | IPv6 functionality is disabled in dual-stack network devices and ICT equipment unless it is being used. | Windows All
Azure Monitor Workbook surfaces all Windows systems which are attached to IPv4-only virtual networks, but do not have IPv6 disabled. 1428 | Unless explicitly required, IPv6 tunnelling is disabled on all network devices and ICT equipment. | Windows All
1. Azure Monitor Logs Change Tracking solution is enabled. Change tracking is enabled for HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters. Azure Monitor Workbook surfaces Windows systems without IPv6 tunnel protocols disabled. 1311 | SNMP version 1 and 2 are not used on networks. | Windows All
Azure Image Builder customisation disables the snmptrap service. From 1e786f65991c3e07432c0395ddad951839f9217c Mon Sep 17 00:00:00 2001 From: Jimmy Fitzsimmons <44599392+jimmyfit@users.noreply.github.com> Date: Sat, 29 Jan 2022 16:08:19 +1100 Subject: [PATCH 19/28] Applied workaround for insufficient policy role --- arm-cloudsoe-policy-baseline.json | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/arm-cloudsoe-policy-baseline.json b/arm-cloudsoe-policy-baseline.json index 23212f2..6849651 100644 --- a/arm-cloudsoe-policy-baseline.json +++ b/arm-cloudsoe-policy-baseline.json @@ -325,7 +325,8 @@ "definition": { "builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c", "roleDefinitionIds": [ - "749f88d5-cbae-40b8-bcfc-e573ddc772fa" + "749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "b24988ac-6180-42a0-ab88-20f7382dd24c" //Contributor ] }, "parameters": { @@ -343,7 +344,8 @@ "definition": { "builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c", "roleDefinitionIds": [ - "749f88d5-cbae-40b8-bcfc-e573ddc772fa" + "749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "b24988ac-6180-42a0-ab88-20f7382dd24c" //Contributor ] }, "parameters": { @@ -361,7 +363,8 @@ "definition": { "builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c", "roleDefinitionIds": [ - "749f88d5-cbae-40b8-bcfc-e573ddc772fa" + "749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "b24988ac-6180-42a0-ab88-20f7382dd24c" //Contributor ] }, "parameters": { @@ -379,7 +382,8 @@ "definition": { "builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c", "roleDefinitionIds": [ - "749f88d5-cbae-40b8-bcfc-e573ddc772fa" + "749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "b24988ac-6180-42a0-ab88-20f7382dd24c" //Contributor ] }, "parameters": { 
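Review bot: Adding Contributor (`b24988ac-6180-42a0-ab88-20f7382dd24c`) to each DCR-association assignment hands the policy's managed identity write access to every resource in the assignment scope, which is far more than writing a `dataCollectionRuleAssociations` resource on a VM and reading the target DCR requires. The built-in definition eab1f514-… declares the roles its deployment needs under `policyRule.then.details.roleDefinitionIds` — as far as I recall Monitoring Contributor plus Log Analytics Contributor — so the missing permission is more likely the second listed role (or the role not being granted at the scope that holds the DCRs) than a need for Contributor. Replace the Contributor entry with the role taken from that list, labelled in the same style, e.g. `"<guid from the definition>" //Log Analytics Contributor`, and grant it at the DCRs' resource group as well if they live outside the assignment scope. The other seven assignments in this commit need the same change; each assignment object is cut at both hunk edges.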
@@ -397,7 +401,8 @@ "definition": { "builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c", "roleDefinitionIds": [ - "749f88d5-cbae-40b8-bcfc-e573ddc772fa" + "749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "b24988ac-6180-42a0-ab88-20f7382dd24c" //Contributor ] }, "parameters": { @@ -415,7 +420,8 @@ "definition": { "builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c", "roleDefinitionIds": [ - "749f88d5-cbae-40b8-bcfc-e573ddc772fa" + "749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "b24988ac-6180-42a0-ab88-20f7382dd24c" //Contributor ] }, "parameters": { @@ -433,7 +439,8 @@ "definition": { "builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c", "roleDefinitionIds": [ - "749f88d5-cbae-40b8-bcfc-e573ddc772fa" + "749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "b24988ac-6180-42a0-ab88-20f7382dd24c" //Contributor ] }, "parameters": { @@ -451,7 +458,8 @@ "definition": { "builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c", "roleDefinitionIds": [ - "749f88d5-cbae-40b8-bcfc-e573ddc772fa" + "749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "b24988ac-6180-42a0-ab88-20f7382dd24c" //Contributor ] }, "parameters": { From 70b23f69339b55fe274529f6d3f9c2c2c9dcb67a Mon Sep 17 00:00:00 2001 From: Jimmy Fitzsimmons <44599392+jimmyfit@users.noreply.github.com> Date: Sat, 29 Jan 2022 18:55:14 +1100 Subject: [PATCH 20/28] Fix event collection tier --- arm-cloudsoe-la-solutions.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm-cloudsoe-la-solutions.json b/arm-cloudsoe-la-solutions.json index acbb119..2a0a020 100644 --- a/arm-cloudsoe-la-solutions.json +++ b/arm-cloudsoe-la-solutions.json 
@@ -304,7 +304,7 @@ "name": "[concat(variables('workspaceName'),'/SecurityEventCollectionConfiguration')]", "kind": "SecurityEventCollectionConfiguration", "properties": { - "tier": "Custom", + "tier": "Recommended", "tierSetMethod": "Custom" } }, From c7716a75e09c0ed4d44c5ea9167f3c7e0554472e Mon Sep 17 00:00:00 2001 From: Jimmy Fitzsimmons <44599392+jimmyfit@users.noreply.github.com> Date: Sun, 30 Jan 2022 13:58:22 +1100 Subject: [PATCH 21/28] Install Azure Monitor agent on Windows VMs --- arm-cloudsoe-policy-baseline.json | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/arm-cloudsoe-policy-baseline.json b/arm-cloudsoe-policy-baseline.json index 6849651..feb8f94 100644 --- a/arm-cloudsoe-policy-baseline.json +++ b/arm-cloudsoe-policy-baseline.json @@ -470,6 +470,22 @@ "value": "[parameters('dataCollectionRuleEventResourceIds')['DCR-WDACEvents']]" } } + }, + { + "assignmentName": "enable-azure-monitor-agent-windows", + "displayName": "Configure Windows virtual machines to run Azure Monitor Agent", + "definition": { + "builtinPolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ca817e41-e85a-4783-bc7f-dc532d36235e", + "roleDefinitionIds": [ + "9980e02c-c2be-4d73-94e8-173b1dc7cf3c", + "b24988ac-6180-42a0-ab88-20f7382dd24c" //Contributor + ] + }, + "parameters": { + "listOfWindowsImageIdToInclude": { + "value": "[parameters('windowsImageIds')]" + } + } } ] }, From 03c8c88e7b1b92231c903b0ac55654d90440a7e1 Mon Sep 17 00:00:00 2001 From: Jimmy Fitzsimmons <44599392+jimmyfit@users.noreply.github.com> Date: Sun, 30 Jan 2022 15:13:16 +1100 Subject: [PATCH 22/28] Remove collection of whole logs --- arm-cloudsoe-la-solutions.json | 161 --------------------------------- 1 file changed, 161 deletions(-) diff --git a/arm-cloudsoe-la-solutions.json b/arm-cloudsoe-la-solutions.json index 2a0a020..d61b80c 100644 --- a/arm-cloudsoe-la-solutions.json +++ b/arm-cloudsoe-la-solutions.json 
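Review bot: The resource's own header comment, `//Set Log Analytics workspace to collect all security events` (just above the `"name"` context line; it is visible as trailing context in the later "Remove collection of whole logs" hunk), is stale once `tier` becomes `Recommended`. Update it to `//Set Log Analytics workspace to collect the Recommended ("Common" in the portal) security event tier` so the template can be matched against the ISM guideline text, which calls the same setting "Common"; if "Common" and "Recommended" are not the same tier, either the doc or the template is wrong and this comment is where to say which. The comment line itself is outside this hunk.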
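Review bot: The new enable-azure-monitor-agent-windows assignment lists Contributor (`b24988ac-…`) next to `9980e02c-c2be-4d73-94e8-173b1dc7cf3c`, which is the built-in Virtual Machine Contributor role; installing the Azure Monitor agent extension is a write on the VM resource that Virtual Machine Contributor covers, so Contributor only widens what the policy identity can touch across the whole scope. Drop the Contributor entry and label the remaining one: `"9980e02c-c2be-4d73-94e8-173b1dc7cf3c" //Virtual Machine Contributor`; if the built-in definition ca817e41-… declares more roles, take them from its `policyRule.then.details.roleDefinitionIds` rather than falling back to Contributor. The assignments array continues outside the hunk.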
@@ -136,167 +136,6 @@ }, "kind": "ChangeTrackingDefaultRegistry" }, - { - "apiVersion": "2020-08-01", - "type": "Microsoft.OperationalInsights/workspaces/dataSources", - "name": "[concat(variables('workspaceName'),'/','DataSource_WindowsEvent_',guid('Microsoft-Windows-NTLM/Operational'))]", - "properties": { - "eventLogName": "Microsoft-Windows-NTLM/Operational", - "eventTypes": [ - { - "eventType": "Error" - }, - { - "eventType": "Warning" - }, - { - "eventType": "Information" - } - ] - }, - "kind": "WindowsEvent" - }, - { - "apiVersion": "2020-08-01", - "type": "Microsoft.OperationalInsights/workspaces/dataSources", - "name": "[concat(variables('workspaceName'),'/','DataSource_WindowsEvent_',guid('Microsoft-Windows-CodeIntegrity/Operational'))]", - "properties": { - "eventLogName": "Microsoft-Windows-CodeIntegrity/Operational", - "eventTypes": [ - { - "eventType": "Error" - }, - { - "eventType": "Warning" - }, - { - "eventType": "Information" - } - ] - }, - "kind": "WindowsEvent" - }, - { - "apiVersion": "2020-08-01", - "type": "Microsoft.OperationalInsights/workspaces/dataSources", - "name": "[concat(variables('workspaceName'),'/','DataSource_WindowsEvent_',guid('Microsoft-Windows-AppLocker/MSI and Script'))]", - "properties": { - "eventLogName": "Microsoft-Windows-AppLocker/MSI and Script", - "eventTypes": [ - { - "eventType": "Error" - }, - { - "eventType": "Warning" - }, - { - "eventType": "Information" - } - ] - }, - "kind": "WindowsEvent" - }, - { - "apiVersion": "2020-08-01", - "type": "Microsoft.OperationalInsights/workspaces/dataSources", - "name": "[concat(variables('workspaceName'),'/','DataSource_WindowsEvent_',guid('Microsoft-Windows-Security-Mitigations/KernelMode'))]", - "properties": { - "eventLogName": "Microsoft-Windows-Security-Mitigations/KernelMode", - "eventTypes": [ - { - "eventType": "Error" - }, - { - "eventType": "Warning" - }, - { - "eventType": "Information" - } - ] - }, - "kind": "WindowsEvent" - }, - { - "apiVersion": "2020-08-01", - 
"type": "Microsoft.OperationalInsights/workspaces/dataSources", - "name": "[concat(variables('workspaceName'),'/','DataSource_WindowsEvent_',guid('Microsoft-Windows-Windows Defender/Operational'))]", - "properties": { - "eventLogName": "Microsoft-Windows-Windows Defender/Operational", - - "eventTypes": [ - { - "eventType": "Error" - }, - { - "eventType": "Warning" - }, - { - "eventType": "Information" - } - ] - }, - "kind": "WindowsEvent" - }, - { - "apiVersion": "2020-08-01", - "type": "Microsoft.OperationalInsights/workspaces/dataSources", - "name": "[concat(variables('workspaceName'),'/','DataSource_WindowsEvent_',guid('Microsoft-Windows-Security-Mitigations/UserMode'))]", - "properties": { - "eventLogName": "Microsoft-Windows-Security-Mitigations/UserMode", - "eventTypes": [ - { - "eventType": "Error" - }, - { - "eventType": "Warning" - }, - { - "eventType": "Information" - } - ] - }, - "kind": "WindowsEvent" - }, - { - "apiVersion": "2020-08-01", - "type": "Microsoft.OperationalInsights/workspaces/dataSources", - "name": "[concat(variables('workspaceName'),'/','DataSource_WindowsEvent_',guid('Microsoft-Windows-Win32k/Operational'))]", - "properties": { - "eventLogName": "Microsoft-Windows-Win32k/Operational", - "eventTypes": [ - { - "eventType": "Error" - }, - { - "eventType": "Warning" - }, - { - "eventType": "Information" - } - ] - }, - "kind": "WindowsEvent" - }, - { - "apiVersion": "2020-08-01", - "type": "Microsoft.OperationalInsights/workspaces/dataSources", - "name": "[concat(variables('workspaceName'),'/','DataSource_WindowsEvent_',guid('Microsoft-Windows-Windows Defender/WHC'))]", - "properties": { - "eventLogName": "Microsoft-Windows-Windows Defender/WHC", - "eventTypes": [ - { - "eventType": "Error" - }, - { - "eventType": "Warning" - }, - { - "eventType": "Information" - } - ] - }, - "kind": "WindowsEvent" - }, { //Set Log Analytics workspace to collect all security events "apiVersion": "2020-08-01", 
From e34bc6af872fff5946f85eda087f630f36697c96 Mon Sep 17 00:00:00 2001 From: Jimmy Fitzsimmons <44599392+jimmyfit@users.noreply.github.com> Date: Sun, 30 Jan 2022 15:29:48 +1100 Subject: [PATCH 23/28] Set the subscription log workspace --- azureDeploy.json | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/azureDeploy.json b/azureDeploy.json index 5e35ca6..bef51ef 100644 --- a/azureDeploy.json +++ b/azureDeploy.json @@ -80,6 +80,16 @@ "autoProvision": "On" } }, + { + //Set the subscriptions log workspace + "name": "default", + "type": "Microsoft.Security/workspaceSettings", + "apiVersion": "2017-08-01-preview", + "properties": { + "workspaceId": "[parameters('workspaceResourceId')]", + "scope": "[parameters('policyScopeId')]" + } + }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2019-05-01", From 67b5a9c9a19794d097d6a84255ebdd5a7985c597 Mon Sep 17 00:00:00 2001 From: Jimmy Fitzsimmons <44599392+jimmyfit@users.noreply.github.com> Date: Sat, 5 Feb 2022 13:04:12 +1100 Subject: [PATCH 24/28] Updated IPsec detection KQL snippets to use Event table source --- ...sec-detect-hmac-algorithms-event-table.kql | 23 +++++++++++++++++++ ...tect-low-modulus-dh-groups-event-table.kql | 23 +++++++++++++++++++ 2 files changed, 46 insertions(+) create mode 100644 kql/windows-ipsec-detect-hmac-algorithms-event-table.kql create mode 100644 kql/windows-ipsec-detect-low-modulus-dh-groups-event-table.kql diff --git a/kql/windows-ipsec-detect-hmac-algorithms-event-table.kql b/kql/windows-ipsec-detect-hmac-algorithms-event-table.kql new file mode 100644 index 0000000..134e383 --- /dev/null +++ b/kql/windows-ipsec-detect-hmac-algorithms-event-table.kql 
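Review bot: `Microsoft.Security/workspaceSettings` named `default` is a per-subscription setting whose `scope` must be the subscription's resource id, but the new resource sets it to `parameters('policyScopeId')`, which from its name is the policy-assignment scope and could be a management group or otherwise not the subscription being deployed into. If azureDeploy.json is a subscription-scope deployment, bind it explicitly with `"scope": "[subscription().id]"`; otherwise pass a dedicated subscription-id parameter and document that constraint on it. The comment should also read `//Set the subscription's log workspace`. The enclosing resources array continues outside the hunk.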
@@ -0,0 +1,23 @@
+//KQL query to detect IPsec MM HMAC algorithm (Event table)
+Event
+| where EventID == 4650 or EventID == 4651
+| extend ed = parse_xml(EventData).DataItem.EventData.Data
+| mv-apply ed on
+(
+ where ed['@Name'] == 'MMIntegrityAlg'
+ | project MMIntegrityAlg = ed['#text']
+)
+| extend ed = parse_xml(EventData).DataItem.EventData.Data
+| mv-apply ed on
+(
+ where ed['@Name'] == 'LocalAddress'
+ | project LocalAddress = ed['#text']
+)
+| extend ed = parse_xml(EventData).DataItem.EventData.Data
+| mv-apply ed on
+(
+ where ed['@Name'] == 'RemoteAddress'
+ | project RemoteAddress = ed['#text']
+)
+| where MMIntegrityAlg != "%%8242" and MMIntegrityAlg != "%%8243"
+| project TimeGenerated, Computer, LocalAddress, RemoteAddress, MMIntegrityAlg
diff --git a/kql/windows-ipsec-detect-low-modulus-dh-groups-event-table.kql b/kql/windows-ipsec-detect-low-modulus-dh-groups-event-table.kql
new file mode 100644
index 0000000..f5c6c33
--- /dev/null
+++ b/kql/windows-ipsec-detect-low-modulus-dh-groups-event-table.kql
@@ -0,0 +1,23 @@
+//KQL query to detect IPsec DH Groups with low modulus (Event table)
+Event
+| where EventID == 4650 or EventID == 4651
+| extend ed = parse_xml(EventData).DataItem.EventData.Data
+| mv-apply ed on
+(
+ where ed['@Name'] == 'DHGroup'
+ | project DHGroup = ed['#text']
+)
+| extend ed = parse_xml(EventData).DataItem.EventData.Data
+| mv-apply ed on
+(
+ where ed['@Name'] == 'LocalAddress'
+ | project LocalAddress = ed['#text']
+)
+| extend ed = parse_xml(EventData).DataItem.EventData.Data
+| mv-apply ed on
+(
+ where ed['@Name'] == 'RemoteAddress'
+ | project RemoteAddress = ed['#text']
+)
+| where DHGroup != "%%8232" and DHGroup != "%%8248" and DHGroup != "%%8233" and DHGroup != "%%8234"
+| project TimeGenerated, Computer, LocalAddress, RemoteAddress, DHGroup
From 4ce4d63fee203847c395bb91cf621cd774bc12a7 Mon Sep 17 00:00:00 2001
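Review bot: Both queries compare `MMIntegrityAlg` and `DHGroup` against raw message-table placeholders (`%%8242`, `%%8243`; `%%8232`, `%%8248`, `%%8233`, `%%8234`) without recording what each renders to, so a reviewer cannot tell whether the allow-list matches the ISM-approved HMAC and DH-group set. Put the mapping in each header, e.g. `//Allowed MMIntegrityAlg ids: %%8242 = <name>, %%8243 = <name> (message-table ids from the 4650/4651 template; re-check after OS updates)`. The comparison also only works while rows arrive through the Event table's unrendered EventData XML — the same events read from SecurityEvent would, as far as I know, carry rendered strings and every row would be flagged — so the header should state that table dependency. The `!=` allow-list shape itself is right: unknown or new ids surface instead of being ignored.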
From: Jimmy Fitzsimmons <44599392+jimmyfit@users.noreply.github.com>
Date: Sat, 5 Feb 2022 13:04:26 +1100
Subject: [PATCH 25/28] Updated IPsec detection KQL snippets to use Event table source
---
...s-ipsec-detect-mm-lifetime-event-table.kql | 23 +++++++++++++++++++
...indows-ipsec-detect-no-esp-event-table.kql | 23 +++++++++++++++++++
...indows-ipsec-detect-no-ike-event-table.kql | 23 +++++++++++++++++++
...s-ipsec-detect-qm-lifetime-event-table.kql | 23 +++++++++++++++++++
...ndows-ipsec-detect-sa-mode-event-table.kql | 23 +++++++++++++++++++
5 files changed, 115 insertions(+)
create mode 100644 kql/windows-ipsec-detect-mm-lifetime-event-table.kql
create mode 100644 kql/windows-ipsec-detect-no-esp-event-table.kql
create mode 100644 kql/windows-ipsec-detect-no-ike-event-table.kql
create mode 100644 kql/windows-ipsec-detect-qm-lifetime-event-table.kql
create mode 100644 kql/windows-ipsec-detect-sa-mode-event-table.kql
diff --git a/kql/windows-ipsec-detect-mm-lifetime-event-table.kql b/kql/windows-ipsec-detect-mm-lifetime-event-table.kql
new file mode 100644
index 0000000..a6759dc
--- /dev/null
+++ b/kql/windows-ipsec-detect-mm-lifetime-event-table.kql
@@ -0,0 +1,23 @@
+//KQL query to detect IPsec MM SAs with long lifetime (Event table)
+Event
+| where EventID == 4650 or EventID == 4651
+| extend ed = parse_xml(EventData).DataItem.EventData.Data
+| mv-apply ed on
+(
+ where ed['@Name'] == 'MMLifetime'
+ | project LifetimeSeconds = (ed['#text'] * 60)
+)
+| extend ed = parse_xml(EventData).DataItem.EventData.Data
+| mv-apply ed on
+(
+ where ed['@Name'] == 'LocalAddress'
+ | project LocalAddress = ed['#text']
+)
+| extend ed = parse_xml(EventData).DataItem.EventData.Data
+| mv-apply ed on
+(
+ where ed['@Name'] == 'RemoteAddress'
+ | project RemoteAddress = ed['#text']
+)
+| where LifetimeSeconds >= 14400
+| project TimeGenerated, Computer, LocalAddress, RemoteAddress, LifetimeSeconds
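Review bot: `| project LifetimeSeconds = (ed['#text'] * 60)` multiplies a dynamic value that `parse_xml` yields as a string; as far as I know KQL arithmetic on a non-numeric dynamic returns null, so `LifetimeSeconds >= 14400` would never match and the detection would be silently empty. Convert before multiplying: `| project LifetimeSeconds = tolong(ed['#text']) * 60`. The ×60 also encodes an unstated assumption that MMLifetime is reported in minutes; record it in the header, `//MMLifetime is reported in minutes; converted to seconds for the 4 h (14400 s) threshold`.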
diff --git a/kql/windows-ipsec-detect-no-esp-event-table.kql b/kql/windows-ipsec-detect-no-esp-event-table.kql
new file mode 100644
index 0000000..e0d5f25
--- /dev/null
+++ b/kql/windows-ipsec-detect-no-esp-event-table.kql
@@ -0,0 +1,23 @@
+//KQL query to detect IPsec SAs without ESP (Event table)
+Event
+| where EventID == 5451
+| extend ed = parse_xml(EventData).DataItem.EventData.Data
+| mv-apply ed on
+(
+ where ed['@Name'] == 'EspAuthType'
+ | project ESPAuthType = ed['#text']
+)
+| extend ed = parse_xml(EventData).DataItem.EventData.Data
+| mv-apply ed on
+(
+ where ed['@Name'] == 'LocalAddress'
+ | project LocalAddress = ed['#text']
+)
+| extend ed = parse_xml(EventData).DataItem.EventData.Data
+| mv-apply ed on
+(
+ where ed['@Name'] == 'RemoteAddress'
+ | project RemoteAddress = ed['#text']
+)
+| where ESPAuthType == "-"
+| project TimeGenerated, Computer, LocalAddress, RemoteAddress
diff --git a/kql/windows-ipsec-detect-no-ike-event-table.kql b/kql/windows-ipsec-detect-no-ike-event-table.kql
new file mode 100644
index 0000000..044c284
--- /dev/null
+++ b/kql/windows-ipsec-detect-no-ike-event-table.kql
@@ -0,0 +1,23 @@
+//KQL query to detect IPsec SAs without IKE (Event table)
+Event
+| where EventID == 5451
+| extend ed = parse_xml(EventData).DataItem.EventData.Data
+| mv-apply ed on
+(
+ where ed['@Name'] == 'KeyingModuleName'
+ | project KeyingModuleName = ed['#text']
+)
+| extend ed = parse_xml(EventData).DataItem.EventData.Data
+| mv-apply ed on
+(
+ where ed['@Name'] == 'LocalAddress'
+ | project LocalAddress = ed['#text']
+)
+| extend ed = parse_xml(EventData).DataItem.EventData.Data
+| mv-apply ed on
+(
+ where ed['@Name'] == 'RemoteAddress'
+ | project RemoteAddress = ed['#text']
+)
+| where KeyingModuleName !startswith "IKE"
+| project TimeGenerated, Computer, LocalAddress, RemoteAddress, KeyingModuleName
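Review bot: `| where KeyingModuleName !startswith "IKE"` in the no-ike query flags every keying module whose name does not begin with IKE, which — if event 5451 reports AuthIP negotiations under a name that does not start with IKE, as I believe it does — will report Windows' AuthIP-keyed SAs as "without IKE"; if that is the intent, say so in the header (`//AuthIP is deliberately flagged: it is not IKE as the ISM requires`), otherwise extend the test. In the no-esp query, `ESPAuthType == "-"` keys on a bare placeholder value with no explanation; a one-line comment stating that `-` is what 5451 reports for an SA with no ESP authentication (AH-only) would make the check reviewable, and it should be confirmed that an ESP SA with encryption but null auth does not also report `-`, since that case is arguably worse than AH-only.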
diff --git a/kql/windows-ipsec-detect-qm-lifetime-event-table.kql b/kql/windows-ipsec-detect-qm-lifetime-event-table.kql
new file mode 100644
index 0000000..4916c9b
--- /dev/null
+++ b/kql/windows-ipsec-detect-qm-lifetime-event-table.kql
@@ -0,0 +1,23 @@
+//KQL query to detect IPsec QM SAs with long lifetime (Event table)
+Event
+| where EventID == 5451
+| extend ed = parse_xml(EventData).DataItem.EventData.Data
+| mv-apply ed on
+(
+ where ed['@Name'] == 'LifetimeSeconds'
+ | project LifetimeSeconds = ed['#text']
+)
+| extend ed = parse_xml(EventData).DataItem.EventData.Data
+| mv-apply ed on
+(
+ where ed['@Name'] == 'LocalAddress'
+ | project LocalAddress = ed['#text']
+)
+| extend ed = parse_xml(EventData).DataItem.EventData.Data
+| mv-apply ed on
+(
+ where ed['@Name'] == 'RemoteAddress'
+ | project RemoteAddress = ed['#text']
+)
+| where LifetimeSeconds > 14400
+| project TimeGenerated, Computer, LocalAddress, RemoteAddress, LifetimeSeconds
\ No newline at end of file
diff --git a/kql/windows-ipsec-detect-sa-mode-event-table.kql b/kql/windows-ipsec-detect-sa-mode-event-table.kql
new file mode 100644
index 0000000..08a05b2
--- /dev/null
+++ b/kql/windows-ipsec-detect-sa-mode-event-table.kql
@@ -0,0 +1,23 @@
+//KQL query to detect IPsec Transport mode (Event table)
+Event
+| where EventID == 5451
+| extend ed = parse_xml(EventData).DataItem.EventData.Data
+| mv-apply ed on
+(
+ where ed['@Name'] == 'Mode'
+ | project Mode = ed['#text']
+)
+| extend ed = parse_xml(EventData).DataItem.EventData.Data
+| mv-apply ed on
+(
+ where ed['@Name'] == 'LocalAddress'
+ | project LocalAddress = ed['#text']
+)
+| extend ed = parse_xml(EventData).DataItem.EventData.Data
+| mv-apply ed on
+(
+ where ed['@Name'] == 'RemoteAddress'
+ | project RemoteAddress = ed['#text']
+)
+| where Mode == "%%16403"
+| project TimeGenerated, Computer, LocalAddress, RemoteAddress, Mode="Transport"
\ No newline at end of file
From f9eba5bbbcaf227630110b5251c3e2bbc538b252 Mon Sep 17 00:00:00 2001
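Review bot: `| project LifetimeSeconds = ed['#text']` in the qm-lifetime query leaves the value as a dynamic string, so `LifetimeSeconds > 14400` compares a string with a number and, as far as I know, is false for every row; convert it with `| project LifetimeSeconds = tolong(ed['#text'])`. The threshold is `>` here but `>=` in the MM-lifetime query — align them (`>= 14400`) so a lifetime of exactly four hours is classified the same way in both. In the sa-mode query `%%16403` deserves a header note that it is the placeholder 5451 uses for Transport mode, and both files are missing a trailing newline.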
From: Jimmy Fitzsimmons <44599392+jimmyfit@users.noreply.github.com> Date: Sat, 5 Feb 2022 14:06:14 +1100 Subject: [PATCH 26/28] Update sample workbook KQL --- workbooks/sample-dashboard-workbook.json | 841 +++++++++++++++++++++++ 1 file changed, 841 insertions(+) create mode 100644 workbooks/sample-dashboard-workbook.json diff --git a/workbooks/sample-dashboard-workbook.json b/workbooks/sample-dashboard-workbook.json new file mode 100644 index 0000000..00b9fe2 --- /dev/null +++ b/workbooks/sample-dashboard-workbook.json 
@@ -0,0 +1,841 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "f3e7cdac-f2b5-4682-aefa-cf4130bde675", + "version": "KqlParameterItem/1.0", + "name": "Subscription", + "type": 6, + "isRequired": true, + "value": "", + "typeSettings": { + "additionalResourceOptions": [], + "includeAll": false, + "showDefault": false + }, + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "ed59c0aa-e545-46c9-812c-05af308f0777", + "version": "KqlParameterItem/1.0", + "name": "Workspace", + "type": 5, + "isRequired": true, + "value": "", + "typeSettings": { + "resourceTypeFilter": { + "microsoft.operationalinsights/workspaces": true + }, + "additionalResourceOptions": [] + }, + "timeContext": { + "durationMs": 86400000 + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 9" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "tabs", + "links": [ + { + "id": "7ded99c5-2f17-4c37-80bb-dbbc2796c0fd", + "cellValue": "selectedTab", + "linkTarget": "parameter", + "linkLabel": "Software Updates", + "subTarget": "Software Updates", + "style": "link" + }, + { + "id": "ae848e98-a680-424a-98c2-bc3268c87074", + "cellValue": "selectedTab", + "linkTarget": "parameter", + "linkLabel": "Installed Software", + "subTarget": "Installed Software", + "style": "link" + }, + { + "id": "179336c4-797c-40f5-97cc-ebf76fd92efc", + "cellValue": "selectedTab", + "linkTarget": "parameter", + "linkLabel": "Application Control", + "subTarget": "Application Control", + "style": "link" + }, + { + "id": "bbdb7762-fd5b-401b-a537-253f011c7b29", + "cellValue": "selectedTab", + "linkTarget": "parameter", + "linkLabel": "Connectivity", + "subTarget": "Connectivity", + "style": "link" + }, + { + "id": "2dba6e16-afc4-4143-9058-4e40d49938fc", + "cellValue": "selectedTab", + "linkTarget": "parameter", + 
"linkLabel": "Exploit Protection", + "subTarget": "Exploit Protection", + "style": "link" + }, + { + "id": "c5f3401b-f92b-4ab3-92ea-ef66de0607b3", + "cellValue": "selectedTab", + "linkTarget": "parameter", + "linkLabel": "Account Lockout", + "subTarget": "Account Lockout", + "style": "link" + }, + { + "id": "21bf6837-d8d3-43b4-8a7a-e1d3af0113ea", + "cellValue": "selectedTab", + "linkTarget": "parameter", + "linkLabel": "Weak authentication protocols", + "subTarget": "Weak authentication protocols", + "style": "link" + }, + { + "id": "c279d59c-e24b-4762-8006-4a5b8d9e536a", + "cellValue": "selectedTab", + "linkTarget": "parameter", + "linkLabel": "Operating System", + "subTarget": "Operating System", + "style": "link" + } + ] + }, + "name": "links - 0" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Software Updates", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Shows all updates newer than 90 days and all updates with < 100% coverage and renders their coverage summary\r\nUpdate\r\n| where MSRCSeverity == \"Critical\" or MSRCSeverity == \"Security\"\r\n| where TimeGenerated > now(-180days) or UpdateID in ( \r\n (Update\r\n | where MSRCSeverity == \"Critical\" or MSRCSeverity == \"Security\"\r\n | summarize arg_max(TimeGenerated, *) by UpdateID,SourceComputerId\r\n | where UpdateState != \"Installed\"\r\n | project UpdateID)\r\n)\r\n| summarize arg_max(TimeGenerated, *) by UpdateID,SourceComputerId\r\n| summarize NotInstalledCount = countif(UpdateState != \"Installed\"), InstalledCount = countif(UpdateState == \"Installed\"), TotalCount = count() by Product, MSRCSeverity, KBID, Title\r\n//| project Product, MSRCSeverity, KBID, Title, NotInstalledCount, InstalledCount, TotalCount, Coverage = strcat(tostring(InstalledCount / TotalCount * 100),\"%\")\r\n| project Update=strcat(Product,\" - \", Title), NotInstalledCount,InstalledCount\r\n| render barchart with (kind = 
stacked)", + "size": 1, + "timeContext": { + "durationMs": 604800000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "name": "query - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Show system missing updates over time\r\nUpdateSummary\r\n| project TimeGenerated,Computer, SecurityUpdatesMissing\r\n| render timechart with (series = Computer)", + "size": 1, + "title": "Missing Updates", + "timeContext": { + "durationMs": 604800000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "name": "query - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Show systems missing most updates\r\nUpdateSummary \r\n| summarize arg_max(TimeGenerated, *) by SourceComputerId\r\n| project Computer, OsVersion,OldestMissingSecurityUpdateInDays\r\n| sort by OldestMissingSecurityUpdateInDays", + "size": 0, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "name": "query - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "Update\r\n| where MSRCSeverity == \"Critical\" or MSRCSeverity == \"Security\"\r\n| summarize arg_max(TimeGenerated, *) by UpdateID,SourceComputerId\r\n| where UpdateState != \"Installed\"\r\n| project Computer, Product, MSRCSeverity, KBID, Title, UpdateState, HoursOld = datetime_diff('hour',now(),PublishedDate)\r\n| sort by HoursOld", + "size": 0, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "name": "query - 0" + } + ] + }, + "conditionalVisibility": { + "parameterName": "selectedTab", + "comparison": "isEqualTo", + 
"value": "Software Updates" + }, + "name": "Software Updates" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Installed Software", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Identifies the prevelance of unqiue software versions\r\nConfigurationData \r\n| where ConfigDataType == \"Software\"\r\n| where SoftwareType == \"Application\" \r\n| summarize arg_max(TimeGenerated, *) by Computer,SoftwareName,Publisher,CurrentVersion\r\n| summarize Systems=make_set(Computer) by SoftwareName,Publisher,CurrentVersion\r\n| where not(Publisher == \"Microsoft Corporation\" and SoftwareName hasprefix \"Security Intelligence Update for Microsoft Defender Antivirus - KB\")\r\n| where not(Publisher == \"Microsoft Corporation\" and SoftwareName hasprefix \"Update for Microsoft Defender Antivirus antimalware platform - KB\")\r\n| project SoftwareVersion = strcat(SoftwareName, \" \", CurrentVersion), Publisher, SystemCount = array_length(Systems), Systems", + "size": 0, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "name": "query - 0" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Identifies software applications where multiple versions are present\r\nConfigurationData \r\n| where ConfigDataType == \"Software\"\r\n| where SoftwareType == \"Application\" \r\n| summarize arg_max(TimeGenerated, *) by Computer,SoftwareName,Publisher,CurrentVersion\r\n| summarize Versions=make_set(CurrentVersion) by SoftwareName,Publisher\r\n| where not(Publisher == \"Microsoft Corporation\" and SoftwareName hasprefix \"Security Intelligence Update for Microsoft Defender Antivirus - KB\")\r\n| where not(Publisher == \"Microsoft Corporation\" and SoftwareName hasprefix \"Update for Microsoft Defender Antivirus antimalware platform - 
KB\")\r\n| where array_length(Versions) > 1", + "size": 0, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "name": "query - 1" + } + ] + }, + "conditionalVisibility": { + "parameterName": "selectedTab", + "comparison": "isEqualTo", + "value": "Installed Software" + }, + "name": "Installed Software" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Application Control", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Summarise all WDAC block events by count of event pattern\r\nEvent\r\n| where EventID == 3077\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'Process Name'\r\n | project CallingProcess = tostring(ed['#text'])\r\n)\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'File Name'\r\n | project FileName = tostring(ed['#text'])\r\n)\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'PolicyName'\r\n | project PolicyName = tostring(ed['#text'])\r\n)\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'FileDescription'\r\n | project FileDescription = tostring(ed['#text'])\r\n)\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'ProductName'\r\n | project ProductName = tostring(ed['#text'])\r\n)\r\n| project TimeGenerated,Computer,CallingProcess,FileName,PolicyName,FileDescription,ProductName\r\n| summarize count() by Computer,CallingProcess,FileName,PolicyName,FileDescription,ProductName", + "size": 0, + "title": "WDAC Block Events (24 hours)", + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + 
"resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "rowLimit": 30 + } + }, + "name": "query - 9" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Summarises the lastest WDAC policy load events by Computer, PolicyName, PolicyId\r\nEvent\r\n| where EventID == 3099\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'PolicyNameBuffer'\r\n | project PolicyName = tostring(ed['#text'])\r\n)\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'PolicyIdBuffer'\r\n | project PolicyId = tostring(ed['#text'])\r\n)\r\n| project TimeGenerated,Computer,PolicyName,PolicyId\r\n| summarize arg_max(TimeGenerated,*) by Computer,PolicyName,PolicyId", + "size": 0, + "title": "WDAC policy load events (24 hours)", + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "rowLimit": 30 + } + }, + "name": "query - 11" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Show WDAC blocks as a result of the ISG\r\nEvent\r\n| where EventID == 3092\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'FileName'\r\n | project FileName = tostring(ed['#text'])\r\n)\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'StatusCode'\r\n | project StatusCode = tostring(ed['#text'])\r\n)\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'PassesSmartlocker'\r\n | project PassesISG = tostring(ed['#text'])\r\n)\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 
'PolicyName'\r\n | project PolicyName = tostring(ed['#text'])\r\n)\r\n| where PassesISG == \"false\"\r\n| summarize FailCount = count() by FileName\r\n| sort by FailCount", + "size": 0, + "title": "WDAC Intelligent Security Graph Block Events (24 hours)", + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "name": "query - 10" + } + ] + }, + "conditionalVisibility": { + "parameterName": "selectedTab", + "comparison": "isEqualTo", + "value": "Application Control" + }, + "name": "Application Control" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Connectivity", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//KQL query to detect TLS versions used, cipher used and destination targets\r\n//update the Cipher table here with Cipher Suite/Name mappings\r\nlet CipherLookupTable = datatable(CipherSuite: string, CipherName: string )\r\n[\r\n\"0X0001\", \"RSA_WITH_NULL_MD5\", \r\n\"0X0002\", \"RSA_WITH_NULL_SHA\",\r\n\"0X0004\", \"RSA_WITH_RC4_128_MD5\",\r\n\"0X0005\", \"RSA_WITH_RC4_128_SHA\",\r\n\"0X0009\", \"RSA_WITH_DES_CBC_SHA\",\r\n\"0X000A\", \"RSA_WITH_3DES_EDE_CBC_SHA\",\r\n\"0X0012\", \"DHE_DSS_WITH_DES_CBC_SHA\",\r\n\"0X0013\", \"DHE_DSS_WITH_3DES_EDE_CBC_SHA\",\r\n\"0X0015\", \"DHE_RSA_WITH_DES_CBC_SHA\",\r\n\"0X0016\", \"DHE_RSA_WITH_3DES_EDE_CBC_SHA\",\r\n\"0X002F\", \"RSA_WITH_AES_128_CBC_SHA\",\r\n\"0X0032\", \"DHE_DSS_WITH_AES_128_CBC_SHA\",\r\n\"0X0033\", \"DHE_RSA_WITH_AES_128_CBC_SHA\",\r\n\"0X0035\", \"RSA_WITH_AES_256_CBC_SHA\",\r\n\"0X0038\", \"DHE_DSS_WITH_AES_256_CBC_SHA\",\r\n\"0X0039\", \"DHE_RSA_WITH_AES_256_CBC_SHA\",\r\n\"0X003B\", \"RSA_WITH_NULL_SHA256\",\r\n\"0X003C\", \"RSA_WITH_AES_128_CBC_SHA256\",\r\n\"0X003D\", \"RSA_WITH_AES_256_CBC_SHA256\",\r\n\"0X0040\", 
\"DHE_DSS_WITH_AES_128_CBC_SHA256\",\r\n\"0X0067\", \"DHE_RSA_WITH_AES_128_CBC_SHA256\",\r\n\"0X006A\", \"DHE_DSS_WITH_AES_256_CBC_SHA256\",\r\n\"0X006B\", \"DHE_RSA_WITH_AES_256_CBC_SHA256\",\r\n\"0X009C\", \"RSA_WITH_AES_128_GCM_SHA256\",\r\n\"0X9C\", \"RSA_WITH_AES_128_GCM_SHA256\",\r\n\"0X009D\", \"RSA_WITH_AES_256_GCM_SHA384\",\r\n\"0X009E\", \"DHE_RSA_WITH_AES_128_GCM_SHA256\",\r\n\"0X009F\", \"DHE_RSA_WITH_AES_256_GCM_SHA384\",\r\n\"0X00A2\", \"DHE_DSS_WITH_AES_128_GCM_SHA256\",\r\n\"0X00A3\", \"DHE_DSS_WITH_AES_256_GCM_SHA384\",\r\n\"0XC010\", \"ECDHE_RSA_WITH_NULL_SHA\",\r\n\"0XC011\", \"ECDHE_RSA_WITH_RC4_128_SHA\",\r\n\"0XC012\", \"ECDHE_RSA_WITH_3DES_EDE_CBC_SHA\",\r\n\"0XC013\", \"ECDHE_RSA_WITH_AES_128_CBC_SHA\",\r\n\"0XC014\", \"ECDHE_RSA_WITH_AES_256_CBC_SHA\",\r\n\"0XC027\", \"ECDHE_RSA_WITH_AES_128_CBC_SHA256\",\r\n\"0XC028\", \"ECDHE_RSA_WITH_AES_256_CBC_SHA384\",\r\n\"0XC02F\", \"ECDHE_RSA_WITH_AES_128_GCM_SHA256\",\r\n\"0XC030\", \"ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\r\n\"0XC006\", \"ECDHE_ECDSA_WITH_NULL_SHA\",\r\n\"0XC007\", \"ECDHE_ECDSA_WITH_RC4_128_SHA\",\r\n\"0XC008\", \"ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA\",\r\n\"0XC009\", \"ECDHE_ECDSA_WITH_AES_128_CBC_SHA\",\r\n\"0XC00A\", \"ECDHE_ECDSA_WITH_AES_256_CBC_SHA\",\r\n\"0XC023\", \"ECDHE_ECDSA_WITH_AES_128_CBC_SHA256\",\r\n\"0XC024\", \"ECDHE_ECDSA_WITH_AES_256_CBC_SHA384\",\r\n\"0XC02B\", \"ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\",\r\n\"0XC02C\", \"ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\",\r\n\"0X1301\", \"AES_128_GCM_SHA256\",\r\n\"0X1302\", \"AES_256_GCM_SHA384\",\r\n\"0X1303\", \"CHACHA20_POLY1305_SHA256\",\r\n\"0X1304\", \"AES_128_CCM_SHA256\",\r\n\"0X1305\", \"AES_128_CCM_8_SHA256\"\r\n];\r\nEvent\r\n| where EventID == 36880\r\n| extend Protocol = tostring(parse_xml(EventData).DataItem.UserData.EventXML.Protocol)\r\n| extend Type = tostring(parse_xml(EventData).DataItem.UserData.EventXML.Type)\r\n| extend TargetName = (parse_xml(EventData).DataItem.UserData.EventXML.TargetName)\r\n| extend 
CipherSuite = tostring(toupper((parse_xml(EventData).DataItem.UserData.EventXML.CipherSuite)))\r\n| join kind=inner CipherLookupTable on CipherSuite\r\n| project TimeGenerated, Type, Computer, Protocol, TargetName, CipherSuite, CipherName", + "size": 0, + "title": "Detect TLS version", + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "name": "query - 0" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Identifies where SNMP service is running on Windows systems\r\nConfigurationData \r\n| where ConfigDataType == \"WindowsServices\"\r\n| where SvcName =~ \"snmptrap\"\r\n| where SvcState == \"Running\"\r\n| project TimeGenerated,Computer,SvcDisplayName,SvcName,SvcState,SvcStartupType\r\n| summarize arg_max(TimeGenerated, *) by Computer", + "size": 0, + "title": "Detect SNMP service running", + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "name": "query - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//KQL query to detect VMs not reporting IPv6 tunnels disabled\r\nHeartbeat | where SourceComputerId !in (\r\n ( ConfigurationData \r\n | where RegistryKey == \"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Tcpip6\\\\Parameters\"\r\n | where ValueName == \"DisabledComponents\"\r\n | where binary_and(toint(ValueData),1) == 1\r\n | project SourceComputerId )\r\n)\r\n| extend resourceId=ResourceId\r\n| distinct resourceId", + "size": 0, + "title": "Detect IPv6 tunnel protocols enabled", + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "name": "query - 9" + }, + { + "type": 3, + "content": 
{ + "version": "KqlItem/1.0", + "query": "Heartbeat \r\n| where SourceComputerId !in (\r\n ( ConfigurationData \r\n | where RegistryKey == \"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Tcpip6\\\\Parameters\"\r\n | where ValueName == \"DisabledComponents\"\r\n | where ValueData == 255\r\n | project SourceComputerId )\r\n )\r\n| extend resourceId=ResourceId\r\n| distinct resourceId", + "size": 0, + "title": "VMs with IPv6 enabled", + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "conditionalVisibility": { + "parameterName": "ShowIPv6Tables", + "comparison": "isEqualTo", + "value": "t" + }, + "showPin": false, + "name": "VMs with IPv6 enabled" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "Resources\r\n| where type =~ 'microsoft.compute/virtualmachines'\r\n| mv-expand nic=properties.networkProfile.networkInterfaces\r\n| project vmId = id, vmName = name, vmSize=tostring(properties.hardwareProfile.vmSize), nicId = tostring(nic.id) \r\n| join kind=inner (\r\n resources \r\n | where type == 'microsoft.network/networkinterfaces' \r\n | mvexpand properties.ipConfigurations \r\n | extend subnetId = tostring(properties_ipConfigurations.properties.subnet.id) \r\n | extend nicId = id \r\n | join kind=inner ( \r\n resources \r\n | where type == 'microsoft.network/virtualnetworks' \r\n | mvexpand properties.subnets\r\n | where tostring(properties_subnets.properties.addressPrefixes) !contains ':' \r\n | extend subnetId = tostring(properties_subnets.id)) \r\n on subnetId\r\n) on nicId\r\n| project resourceId=vmId", + "size": 0, + "title": "VMs connected to IPv4 -only subnets", + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "{Subscription}" + ] + }, + "conditionalVisibility": { + "parameterName": "ShowIPv6Tables", + "comparison": 
"isEqualTo", + "value": "true" + }, + "name": "VMs connected to IPv4 -only subnets" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "{\"version\":\"Merge/1.0\",\"merges\":[{\"id\":\"0fa799b5-a6e5-4ade-b919-8ceb2b5f415f\",\"mergeType\":\"innerunique\",\"leftTable\":\"VMs with IPv6 enabled\",\"rightTable\":\"VMs connected to IPv4 -only subnets\",\"leftColumn\":\"resourceId\",\"rightColumn\":\"resourceId\"}]}", + "size": 0, + "title": "IPv6 unnecessarily enabled", + "queryType": 7, + "gridSettings": { + "formatters": [ + { + "columnMatch": "resourceId1", + "formatter": 5 + } + ] + } + }, + "showPin": false, + "name": "query - 6" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "IPsec reporting", + "expandable": true, + "expanded": true, + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//KQL query to detect IPsec MM HMAC algorithm (Event table)\r\nEvent \r\n| where EventID == 4650 or EventID == 4651\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'MMIntegrityAlg'\r\n | project MMIntegrityAlg = ed['#text']\r\n)\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'LocalAddress'\r\n | project LocalAddress = ed['#text']\r\n)\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'RemoteAddress'\r\n | project RemoteAddress = ed['#text']\r\n)\r\n| where MMIntegrityAlg != \"%%8242\" and MMIntegrityAlg != \"%%8243\" \r\n| project TimeGenerated, Computer, LocalAddress, RemoteAddress, MMIntegrityAlg\r\n", + "size": 0, + "title": "IPsec HMAC algorithms", + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "name": "query - 0" + }, + { + "type": 
3, + "content": { + "version": "KqlItem/1.0", + "query": "//KQL query to detect IPsec DH Groups with low modulus (Event table)\r\nEvent \r\n| where EventID == 4650 or EventID == 4651\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'DHGroup'\r\n | project DHGroup = ed['#text']\r\n)\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'LocalAddress'\r\n | project LocalAddress = ed['#text']\r\n)\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'RemoteAddress'\r\n | project RemoteAddress = ed['#text']\r\n)\r\n| where DHGroup != \"%%8232\" and DHGroup != \"%%8248\" and DHGroup != \"%%8233\" and DHGroup != \"%%8234\"\r\n| project TimeGenerated, Computer, LocalAddress, RemoteAddress, DHGroup\r\n", + "size": 0, + "title": "Low modulus DH groups", + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "name": "query - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//KQL query to detect IPsec MM SAs with long lifetime (Event table)\r\nEvent \r\n| where EventID == 4650 or EventID == 4651\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'MMLifetime'\r\n | project LifetimeSeconds = (ed['#text'] * 60)\r\n)\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'LocalAddress'\r\n | project LocalAddress = ed['#text']\r\n)\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'RemoteAddress'\r\n | project RemoteAddress = ed['#text']\r\n)\r\n| where LifetimeSeconds >= 14400\r\n| project TimeGenerated, Computer, LocalAddress, RemoteAddress, 
LifetimeSeconds\r\n", + "size": 0, + "title": "Long lifetime main-mode SAs", + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "name": "query - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//KQL query to detect IPsec SAs without ESP (Event table)\r\nEvent \r\n| where EventID == 5451\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'EspAuthType'\r\n | project ESPAuthType = ed['#text']\r\n)\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'LocalAddress'\r\n | project LocalAddress = ed['#text']\r\n)\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'RemoteAddress'\r\n | project RemoteAddress = ed['#text']\r\n)\r\n| where ESPAuthType == \"-\"\r\n| project TimeGenerated, Computer, LocalAddress, RemoteAddress\r\n", + "size": 0, + "title": "SAs without ESP", + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "name": "query - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//KQL query to detect IPsec SAs without IKE (Event table)\r\nEvent \r\n| where EventID == 5451\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'KeyingModuleName'\r\n | project KeyingModuleName = ed['#text']\r\n)\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'LocalAddress'\r\n | project LocalAddress = ed['#text']\r\n)\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'RemoteAddress'\r\n | 
project RemoteAddress = ed['#text']\r\n)\r\n| where KeyingModuleName !startswith \"IKE\"\r\n| project TimeGenerated, Computer, LocalAddress, RemoteAddress, KeyingModuleName\r\n", + "size": 0, + "title": "SAs without IKE", + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "name": "query - 4" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//KQL query to detect IPsec QM SAs with long lifetime (Event table)\r\nEvent \r\n| where EventID == 5451\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'LifetimeSeconds'\r\n | project LifetimeSeconds = ed['#text']\r\n)\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'LocalAddress'\r\n | project LocalAddress = ed['#text']\r\n)\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'RemoteAddress'\r\n | project RemoteAddress = ed['#text']\r\n)\r\n| where LifetimeSeconds > 14400\r\n| project TimeGenerated, Computer, LocalAddress, RemoteAddress, LifetimeSeconds", + "size": 0, + "title": "Long lifetime quick-mode SAs", + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "name": "query - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//KQL query to detect IPsec Transport mode (Event table)\r\nEvent \r\n| where EventID == 5451\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'Mode'\r\n | project Mode = ed['#text']\r\n)\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'LocalAddress'\r\n | project 
LocalAddress = ed['#text']\r\n)\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'RemoteAddress'\r\n | project RemoteAddress = ed['#text']\r\n)\r\n| where Mode == \"%%16403\"\r\n| project TimeGenerated, Computer, LocalAddress, RemoteAddress, Mode=\"Transport\"", + "size": 0, + "title": "Transport mode SAs", + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "name": "query - 6" + } + ] + }, + "name": "group - 3" + } + ] + }, + "conditionalVisibility": { + "parameterName": "selectedTab", + "comparison": "isEqualTo", + "value": "Connectivity" + }, + "name": "Connectivity" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Exploit Protection", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Show all Exploit Protection events\r\nlet Mitigations = datatable (EventLogID:string, Mitigation:string)\r\n [\r\n \"Microsoft-Windows-Security-Mitigations/KernelMode-1\", \"ACG audit\",\r\n \"Microsoft-Windows-Security-Mitigations/KernelMode-2\", \"ACG enforce\",\r\n \"Microsoft-Windows-Security-Mitigations/KernelMode-3\", \"Do not allow child processes audit\",\r\n \"Microsoft-Windows-Security-Mitigations/KernelMode-4\", \"Do not allow child processes block\",\r\n \"Microsoft-Windows-Security-Mitigations/KernelMode-5\", \"Block low integrity images audit\",\r\n \"Microsoft-Windows-Security-Mitigations/KernelMode-6\", \"Block low integrity images block\",\r\n \"Microsoft-Windows-Security-Mitigations/KernelMode-7\", \"Block remote images audit\",\r\n \"Microsoft-Windows-Security-Mitigations/KernelMode-8\", \"Block remote images block\",\r\n \"Microsoft-Windows-Security-Mitigations/KernelMode-9\", \"Disable win32k system calls audit\",\r\n 
\"Microsoft-Windows-Security-Mitigations/KernelMode-10\", \"Disable win32k system calls block\",\r\n \"Microsoft-Windows-Security-Mitigations/KernelMode-11\", \"Code integrity guard audit\",\r\n \"Microsoft-Windows-Security-Mitigations/KernelMode-12\", \"Code integrity guard block\",\r\n \"Microsoft-Windows-Security-Mitigations/KernelMode-13\", \"EAF audit\",\r\n \"Microsoft-Windows-Security-Mitigations/KernelMode-14\", \"EAF enforce\",\r\n \"Microsoft-Windows-Security-Mitigations/KernelMode-15\", \"EAF+ audit\",\r\n \"Microsoft-Windows-Security-Mitigations/KernelMode-16\", \"EAF+ enforce\",\r\n \"Microsoft-Windows-Security-Mitigations/KernelMode-17\", \"IAF audit\",\r\n \"Microsoft-Windows-Security-Mitigations/KernelMode-18\", \"IAF enforce\",\r\n \"Microsoft-Windows-Security-Mitigations/KernelMode-19\", \"ROP StackPivot audit\",\r\n \"Microsoft-Windows-Security-Mitigations/KernelMode-20\", \"ROP StackPivot enforce\",\r\n \"Microsoft-Windows-Security-Mitigations/KernelMode-21\", \"ROP CallerCheck audit\",\r\n \"Microsoft-Windows-Security-Mitigations/KernelMode-22\", \"ROP CallerCheck enforce\",\r\n \"Microsoft-Windows-Security-Mitigations/KernelMode-23\", \"ROP SimExec audit\",\r\n \"Microsoft-Windows-Security-Mitigations/KernelMode-24\", \"ROP SimExec enforce\",\r\n \"Microsoft-Windows-Security-Mitigations/UserMode-1\", \"ACG audit\",\r\n \"Microsoft-Windows-Security-Mitigations/UserMode-2\", \"ACG enforce\",\r\n \"Microsoft-Windows-Security-Mitigations/UserMode-3\", \"Do not allow child processes audit\",\r\n \"Microsoft-Windows-Security-Mitigations/UserMode-4\", \"Do not allow child processes block\",\r\n \"Microsoft-Windows-Security-Mitigations/UserMode-5\", \"Block low integrity images audit\",\r\n \"Microsoft-Windows-Security-Mitigations/UserMode-6\", \"Block low integrity images block\",\r\n \"Microsoft-Windows-Security-Mitigations/UserMode-7\", \"Block remote images audit\",\r\n \"Microsoft-Windows-Security-Mitigations/UserMode-8\", \"Block remote images 
block\",\r\n \"Microsoft-Windows-Security-Mitigations/UserMode-9\", \"Disable win32k system calls audit\",\r\n \"Microsoft-Windows-Security-Mitigations/UserMode-10\", \"Disable win32k system calls block\",\r\n \"Microsoft-Windows-Security-Mitigations/UserMode-11\", \"Code integrity guard audit\",\r\n \"Microsoft-Windows-Security-Mitigations/UserMode-12\", \"Code integrity guard block\",\r\n \"Microsoft-Windows-Security-Mitigations/UserMode-13\", \"EAF audit\",\r\n \"Microsoft-Windows-Security-Mitigations/UserMode-14\", \"EAF enforce\",\r\n \"Microsoft-Windows-Security-Mitigations/UserMode-15\", \"EAF+ audit\",\r\n \"Microsoft-Windows-Security-Mitigations/UserMode-16\", \"EAF+ enforce\",\r\n \"Microsoft-Windows-Security-Mitigations/UserMode-17\", \"IAF audit\",\r\n \"Microsoft-Windows-Security-Mitigations/UserMode-18\", \"IAF enforce\",\r\n \"Microsoft-Windows-Security-Mitigations/UserMode-19\", \"ROP StackPivot audit\",\r\n \"Microsoft-Windows-Security-Mitigations/UserMode-20\", \"ROP StackPivot enforce\",\r\n \"Microsoft-Windows-Security-Mitigations/UserMode-21\", \"ROP CallerCheck audit\",\r\n \"Microsoft-Windows-Security-Mitigations/UserMode-22\", \"ROP CallerCheck enforce\",\r\n \"Microsoft-Windows-Security-Mitigations/UserMode-23\", \"ROP SimExec audit\",\r\n \"Microsoft-Windows-Security-Mitigations/UserMode-24\", \"ROP SimExec enforce\",\r\n \"WER-Diagnostics-5\", \"CFG Block\",\r\n \"Microsoft-Windows-Win32k/Operational-260\", \"Untrusted Font\"\r\n ];\r\nEvent\r\n| where (EventID >= 1 and EventID <= 24 and (EventLog == \"Microsoft-Windows-Security-Mitigations/KernelMode\" or EventLog == \"Microsoft-Windows-Security-Mitigations/UserMode\")) or (EventID == 260 and EventLog == \"Microsoft-Windows-Win32k/Operational\") or (EventID == 5 and EventLog == \"System\" and Source == \"Microsoft-Windows-WER-Diag\")\r\n| extend EventLogID = strcat(EventLog, \"-\", tostring(EventID))\r\n| join kind=leftouter Mitigations on EventLogID\r\n| project TimeGenerated, 
Computer,UserName,Mitigation,RenderedDescription",
+ "size": 0,
+ "title": "Exploit protection events",
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "crossComponentResources": [
+ "{Workspace}"
+ ]
+ },
+ "name": "query - 0"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "//Summarise all recent ASR block/audit events\r\nlet Mitigations = datatable (MitigationName:string, MitigationId:string)\r\n [\r\n \"Block Adobe Reader from creating child processes\", \"7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C\",\r\n \"Block all Office applications from creating child processes\", \"D4F940AB-401B-4EFC-AADC-AD5F3C50688A\",\r\n \"Block credential stealing from the Windows local security authority subsystem (lsass.exe)\", \"9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2\",\r\n \"Block executable content from email client and webmail\", \"BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550\",\r\n \"Block executable files from running unless they meet a prevalence, age, or trusted list criterion\", \"01443614-CD74-433A-B99E-2ECDC07BFC25\",\r\n \"Block execution of potentially obfuscated scripts\", \"5BEB7EFE-FD9A-4556-801D-275E5FFC04CC\",\r\n \"Block JavaScript or VBScript from launching downloaded executable content\", \"D3E037E1-3EB8-44C8-A917-57927947596D\",\r\n \"Block Office applications from creating executable content\", \"3B576869-A4EC-4529-8536-B80A7769E899\",\r\n \"Block Office applications from injecting code into other processes\", \"75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84\",\r\n \"Block Office communication application from creating child processes\", \"26190899-1602-49E8-8B27-EB1D0A1CE869\",\r\n \"Block persistence through WMI event subscription\", \"E6DB77E5-3DF2-4CF1-B95A-636979351E5B\",\r\n \"Block process creations originating from PSExec and WMI commands\", \"D1E49AAC-8F56-4280-B9BA-993A6D77406C\",\r\n \"Block untrusted and unsigned processes that run from USB\", 
\"B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4\",\r\n \"Block Win32 API calls from Office macros\", \"92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B\",\r\n \"Use advanced protection against ransomware\", \"C1DB55AB-C21A-4637-BB3F-A12568109D35\"\r\n ];\r\nlet Responses = datatable (EventID:int, Response:string)\r\n [\r\n 1121, \"Block\",\r\n 1122, \"Audit\"\r\n ];\r\nEvent\r\n| where EventLog == \"Microsoft-Windows-Windows Defender/Operational\" or EventLog == \"Microsoft-Windows-Windows Defender/WHC\"\r\n| where EventID == 1121 or EventID == 1122\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'ID'\r\n | project MitigationId = toupper(tostring(ed['#text']))\r\n)\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'Detection Time'\r\n | project DetectionTime = tostring(ed['#text'])\r\n)\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'Process Name'\r\n | project ProcessName = tostring(ed['#text'])\r\n)\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'User'\r\n | project User = tostring(ed['#text'])\r\n)\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'Path'\r\n | project Path = tostring(ed['#text'])\r\n)\r\n| join kind=leftouter Mitigations on MitigationId\r\n| join kind=leftouter Responses on EventID\r\n| summarize Count=count() by Computer, MitigationName, ProcessName, User, Path, Response\r\n| project Count, Response, Computer, MitigationName, ProcessName, User, Path\r\n| sort by Count", + "size": 0, + "title": "Attack surface reduction events", + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "name": "query - 2" + }, + { + 
"type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Summarise Network Protection events\r\nlet Responses = datatable (EventID:int, Response:string)\r\n [\r\n 1126, \"Block\",\r\n 1125, \"Audit\"\r\n ];\r\nEvent\r\n| where EventLog == \"Microsoft-Windows-Windows Defender/Operational\" or EventLog == \"Microsoft-Windows-Windows Defender/WHC\"\r\n| where EventID == 1125 or EventID == 1126\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'Detection Time'\r\n | project DetectionTime = tostring(ed['#text'])\r\n)\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'User'\r\n | project User = tostring(ed['#text'])\r\n)\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'Destination'\r\n | project Destination = tostring(ed['#text'])\r\n)\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'Process Name'\r\n | project ProcessName = tostring(ed['#text'])\r\n)\r\n| join kind=leftouter Responses on EventID\r\n| summarize Count=count() by Computer, ProcessName, User, Destination, Response\r\n| project Count, Response, Computer, ProcessName, Destination, User\r\n| sort by Count", + "size": 0, + "title": "Network protection events", + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "name": "query - 1" + } + ] + }, + "conditionalVisibility": { + "parameterName": "selectedTab", + "comparison": "isEqualTo", + "value": "Exploit Protection" + }, + "name": "Exploit Protection" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Account Lockout", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//KQL 
query to show account lockout events\r\nSecurityEvent \r\n| where EventID == 4740",
+ "size": 0,
+ "title": "Account Lockouts",
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "crossComponentResources": [
+ "{Workspace}"
+ ]
+ },
+ "name": "query - 0"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "//KQL query to show failed logins by account and source\r\nSecurityEvent \r\n| where EventID == 4625\r\n| where Status =~ \"0xC000006D\"\r\n| summarize BadLogins = count() by TargetAccount, WorkstationName\r\n| sort by BadLogins",
+ "size": 0,
+ "title": "Failed Logins",
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "crossComponentResources": [
+ "{Workspace}"
+ ]
+ },
+ "name": "query - 1"
+ }
+ ]
+ },
+ "conditionalVisibility": {
+ "parameterName": "selectedTab",
+ "comparison": "isEqualTo",
+ "value": "Account Lockout"
+ },
+ "name": "Account Lockout"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "title": "Weak authentication protocols",
+ "items": [
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "//Aggregate NTLM incomming/outgoing events into one table\r\nlet AllEvents = Event\r\n| where EventLog =~ \"Microsoft-Windows-NTLM/Operational\"\r\n| extend NtlmDirection = iif(EventID == 8001, \"Outgoing\", iif(EventID == 8002, \"Incomming\", iif(EventID == 8003,\"In Domain (Server)\", iif(EventID == 8004,\"In Domain (Domain Controller)\", \"Unknown\"))))\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data;\r\nlet IncommingEvents = AllEvents | where NtlmDirection == \"Incomming\"\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'CallerPID'\r\n | project CallerPID = ed['#text']\r\n)\r\n| extend ed = 
parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'ProcessName'\r\n | project ProcessName = ed['#text']\r\n)\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'ClientLUID'\r\n | project ClientLUID = ed['#text']\r\n)\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'ClientUserName'\r\n | project ClientUserName = ed['#text']\r\n)\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'ClientDomainName'\r\n | project ClientDomainName = ed['#text']\r\n)\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'MechanismOID'\r\n | project MechanismOID = ed['#text']\r\n);\r\nlet OutgoingEvents = AllEvents | where NtlmDirection == \"Outgoing\"\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'TargetName'\r\n | project TargetName = ed['#text']\r\n)\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'UserName'\r\n | project UserName = tostring(ed['#text'])\r\n)\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'DomainName'\r\n | project DomainName = ed['#text']\r\n)\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'CallerPID'\r\n | project CallerPID = ed['#text']\r\n)\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'ProcessName'\r\n | project ProcessName = ed['#text']\r\n)\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'ClientLUID'\r\n | project ClientLUID = ed['#text']\r\n)\r\n| extend ed = 
parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'ClientUserName'\r\n | project ClientUserName = ed['#text']\r\n)\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'ClientDomainName'\r\n | project ClientDomainName = ed['#text']\r\n)\r\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\r\n| mv-apply ed on \r\n(\r\n where ed['@Name'] == 'MechanismOID'\r\n | project MechanismOID = ed['#text']\r\n)\r\n;\r\nunion IncommingEvents, OutgoingEvents\r\n| project TimeGenerated, Computer, NtlmDirection, TargetName, UserName, DomainName, CallerPID, ProcessName, ClientLUID, ClientUserName, ClientDomainName, MechanismOID\r\n",
+ "size": 0,
+ "title": "NTLM Events",
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "crossComponentResources": [
+ "{Workspace}"
+ ]
+ },
+ "name": "query - 0"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "//Discover state of lanman auth\r\nHeartbeat\r\n| summarize arg_max(TimeGenerated, *) by Computer\r\n| join kind=leftouter (\r\n ( ConfigurationData \r\n | where ConfigDataType == \"Registry\"\r\n | where RegistryKey =~ \"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\"\r\n | where ValueName =~ \"lmcompatibilitylevel\"\r\n | summarize arg_max(TimeGenerated, *) by Computer\r\n | project SourceComputerId, LmCompatibilityLevel = ValueData )\r\n) on SourceComputerId\r\n| project Computer, InferredLmCompatibilityLevel = toint(iif(isnull(LmCompatibilityLevel),LmCompatibilityLevel,\"3\"))\r\n| project Computer, LanmanEnabled = (InferredLmCompatibilityLevel <= 3), Ntlmv1Enabled = (InferredLmCompatibilityLevel <= 4)",
+ "size": 0,
+ "title": "Lanman Auth Level",
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ 
"crossComponentResources": [ + "{Workspace}" + ] + }, + "name": "query - 1" + } + ] + }, + "conditionalVisibility": { + "parameterName": "selectedTab", + "comparison": "isEqualTo", + "value": "Weak authentication protocols" + }, + "name": "Weak authentication protocols" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Operating System", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Summarises count of VM by OS version\r\nlet VersionConfigItems = ConfigurationData \r\n| where RegistryKey =~ \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\"\r\n| where ValueName =~ \"ProductName\" or ValueName =~ \"ReleaseId\"\r\n| summarize arg_max(TimeGenerated, *) by Computer,ValueName\r\n| project Computer, ValueName, ValueData;\r\nVersionConfigItems\r\n| extend p = pack(ValueName, ValueData)\r\n| summarize bag=make_bag(p)\r\n| evaluate bag_unpack(bag)\r\n| project OperatingSystem = strcat(ProductName, \" - \", ReleaseId)\r\n| summarize count() by OperatingSystem\r\n| render columnchart", + "size": 0, + "title": "OS summary", + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "name": "query - 0" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Details VM and associated operating system version\r\nlet VersionConfigItems = ConfigurationData \r\n| where RegistryKey =~ \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\"\r\n| where ValueName =~ \"ProductName\" or ValueName =~ \"ReleaseId\"\r\n| summarize arg_max(TimeGenerated, *) by Computer,ValueName\r\n| project Computer, ValueName, ValueData;\r\nVersionConfigItems\r\n| extend p = pack(ValueName, ValueData)\r\n| summarize bag=make_bag(p) by Computer\r\n| evaluate bag_unpack(bag);", + "size": 0, + "title": "OS 
detailed", + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "name": "query - 1" + } + ] + }, + "conditionalVisibility": { + "parameterName": "selectedTab", + "comparison": "isEqualTo", + "value": "Operating System" + }, + "name": "Operating System" + } + ], + "defaultResourceIds": [ + "Azure Monitor" + ], + "fallbackResourceIds": [ + "Azure Monitor" + ], + "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" + } \ No newline at end of file From 04996efa47094f2acccc677570bbe1170cc96365 Mon Sep 17 00:00:00 2001 From: Jimmy Fitzsimmons <44599392+jimmyfit@users.noreply.github.com> Date: Sat, 5 Feb 2022 14:58:07 +1100 Subject: [PATCH 27/28] Update sample workbook and ARM template --- arm-cloudsoe-workbook.json | 2 +- workbooks/sample-dashboard-workbook.json | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/arm-cloudsoe-workbook.json b/arm-cloudsoe-workbook.json index 3dc8017..2bbd4b9 100644 --- a/arm-cloudsoe-workbook.json +++ b/arm-cloudsoe-workbook.json 
@@ -45,7 +45,7 @@ }, "variables": { // serializedData from original exported Azure Resource Manager template - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"f3e7cdac-f2b5-4682-aefa-cf4130bde675\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"value\":\"\",\"typeSettings\":{\"additionalResourceOptions\":[],\"includeAll\":false,\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"ed59c0aa-e545-46c9-812c-05af308f0777\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"value\":\"\",\"typeSettings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true},\"additionalResourceOptions\":[]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 9\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"7ded99c5-2f17-4c37-80bb-dbbc2796c0fd\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Software Updates\",\"subTarget\":\"Software Updates\",\"style\":\"link\"},{\"id\":\"ae848e98-a680-424a-98c2-bc3268c87074\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Installed Software\",\"subTarget\":\"Installed Software\",\"style\":\"link\"},{\"id\":\"179336c4-797c-40f5-97cc-ebf76fd92efc\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Application Control\",\"subTarget\":\"Application 
Control\",\"style\":\"link\"},{\"id\":\"bbdb7762-fd5b-401b-a537-253f011c7b29\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Connectivity\",\"subTarget\":\"Connectivity\",\"style\":\"link\"},{\"id\":\"2dba6e16-afc4-4143-9058-4e40d49938fc\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Exploit Protection\",\"subTarget\":\"Exploit Protection\",\"style\":\"link\"},{\"id\":\"c5f3401b-f92b-4ab3-92ea-ef66de0607b3\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Account Lockout\",\"subTarget\":\"Account Lockout\",\"style\":\"link\"},{\"id\":\"21bf6837-d8d3-43b4-8a7a-e1d3af0113ea\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Weak authentication protocols\",\"subTarget\":\"Weak authentication protocols\",\"style\":\"link\"},{\"id\":\"c279d59c-e24b-4762-8006-4a5b8d9e536a\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Operating System\",\"subTarget\":\"Operating System\",\"style\":\"link\"}]},\"name\":\"links - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Software Updates\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Shows all updates newer than 90 days and all updates with < 100% coverage and renders their coverage summary\\r\\nUpdate\\r\\n| where MSRCSeverity == \\\"Critical\\\" or MSRCSeverity == \\\"Security\\\"\\r\\n| where TimeGenerated > now(-180days) or UpdateID in ( \\r\\n (Update\\r\\n | where MSRCSeverity == \\\"Critical\\\" or MSRCSeverity == \\\"Security\\\"\\r\\n | summarize arg_max(TimeGenerated, *) by UpdateID,SourceComputerId\\r\\n | where UpdateState != \\\"Installed\\\"\\r\\n | project UpdateID)\\r\\n)\\r\\n| summarize arg_max(TimeGenerated, *) by UpdateID,SourceComputerId\\r\\n| summarize NotInstalledCount = countif(UpdateState != \\\"Installed\\\"), InstalledCount = countif(UpdateState == \\\"Installed\\\"), TotalCount 
= count() by Product, MSRCSeverity, KBID, Title\\r\\n//| project Product, MSRCSeverity, KBID, Title, NotInstalledCount, InstalledCount, TotalCount, Coverage = strcat(tostring(InstalledCount / TotalCount * 100),\\\"%\\\")\\r\\n| project Update=strcat(Product,\\\" - \\\", Title), NotInstalledCount,InstalledCount\\r\\n| render barchart with (kind = stacked)\",\"size\":1,\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Show system missing updates over time\\r\\nUpdateSummary\\r\\n| project TimeGenerated,Computer, SecurityUpdatesMissing\\r\\n| render timechart with (series = Computer)\",\"size\":1,\"title\":\"Missing Updates\",\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Show systems missing most updates\\r\\nUpdateSummary \\r\\n| summarize arg_max(TimeGenerated, *) by SourceComputerId\\r\\n| project Computer, OsVersion,OldestMissingSecurityUpdateInDays\\r\\n| sort by OldestMissingSecurityUpdateInDays\",\"size\":0,\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Update\\r\\n| where MSRCSeverity == \\\"Critical\\\" or MSRCSeverity == \\\"Security\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by UpdateID,SourceComputerId\\r\\n| where UpdateState != \\\"Installed\\\"\\r\\n| project Computer, Product, MSRCSeverity, KBID, Title, UpdateState, HoursOld = datetime_diff('hour',now(),PublishedDate)\\r\\n| sort by 
HoursOld\",\"size\":0,\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Software Updates\"},\"name\":\"Software Updates\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Installed Software\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Identifies the prevelance of unqiue software versions\\r\\nConfigurationData \\r\\n| where ConfigDataType == \\\"Software\\\"\\r\\n| where SoftwareType == \\\"Application\\\" \\r\\n| summarize arg_max(TimeGenerated, *) by Computer,SoftwareName,Publisher,CurrentVersion\\r\\n| summarize Systems=make_set(Computer) by SoftwareName,Publisher,CurrentVersion\\r\\n| where not(Publisher == \\\"Microsoft Corporation\\\" and SoftwareName hasprefix \\\"Security Intelligence Update for Microsoft Defender Antivirus - KB\\\")\\r\\n| where not(Publisher == \\\"Microsoft Corporation\\\" and SoftwareName hasprefix \\\"Update for Microsoft Defender Antivirus antimalware platform - KB\\\")\\r\\n| project SoftwareVersion = strcat(SoftwareName, \\\" \\\", CurrentVersion), Publisher, SystemCount = array_length(Systems), Systems\",\"size\":0,\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Identifies software applications where multiple versions are present\\r\\nConfigurationData \\r\\n| where ConfigDataType == \\\"Software\\\"\\r\\n| where SoftwareType == \\\"Application\\\" \\r\\n| summarize arg_max(TimeGenerated, *) by Computer,SoftwareName,Publisher,CurrentVersion\\r\\n| summarize Versions=make_set(CurrentVersion) by 
SoftwareName,Publisher\\r\\n| where not(Publisher == \\\"Microsoft Corporation\\\" and SoftwareName hasprefix \\\"Security Intelligence Update for Microsoft Defender Antivirus - KB\\\")\\r\\n| where not(Publisher == \\\"Microsoft Corporation\\\" and SoftwareName hasprefix \\\"Update for Microsoft Defender Antivirus antimalware platform - KB\\\")\\r\\n| where array_length(Versions) > 1\",\"size\":0,\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Installed Software\"},\"name\":\"Installed Software\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Application Control\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Summarise all WDAC block events by count of event pattern\\r\\nEvent\\r\\n| where EventID == 3077\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'Process Name'\\r\\n | project CallingProcess = tostring(ed['#text'])\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'File Name'\\r\\n | project FileName = tostring(ed['#text'])\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'PolicyName'\\r\\n | project PolicyName = tostring(ed['#text'])\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'FileDescription'\\r\\n | project FileDescription = tostring(ed['#text'])\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'ProductName'\\r\\n | project ProductName = 
tostring(ed['#text'])\\r\\n)\\r\\n| project TimeGenerated,Computer,CallingProcess,FileName,PolicyName,FileDescription,ProductName\\r\\n| summarize count() by Computer,CallingProcess,FileName,PolicyName,FileDescription,ProductName\",\"size\":0,\"title\":\"WDAC Block Events (24 hours)\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":30}},\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Summarises the lastest WDAC policy load events by Computer, PolicyName, PolicyId\\r\\nEvent\\r\\n| where EventID == 3099\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'PolicyNameBuffer'\\r\\n | project PolicyName = tostring(ed['#text'])\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'PolicyIdBuffer'\\r\\n | project PolicyId = tostring(ed['#text'])\\r\\n)\\r\\n| project TimeGenerated,Computer,PolicyName,PolicyId\\r\\n| summarize arg_max(TimeGenerated,*) by Computer,PolicyName,PolicyId\",\"size\":0,\"title\":\"WDAC policy load events (24 hours)\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":30}},\"name\":\"query - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Show WDAC blocks as a result of the ISG\\r\\nEvent\\r\\n| where EventID == 3092\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'FileName'\\r\\n | project FileName = tostring(ed['#text'])\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'StatusCode'\\r\\n | project 
StatusCode = tostring(ed['#text'])\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'PassesSmartlocker'\\r\\n | project PassesISG = tostring(ed['#text'])\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'PolicyName'\\r\\n | project PolicyName = tostring(ed['#text'])\\r\\n)\\r\\n| where PassesISG == \\\"false\\\"\\r\\n| summarize FailCount = count() by FileName\\r\\n| sort by FailCount\",\"size\":0,\"title\":\"WDAC Intelligent Security Graph Block Events (24 hours)\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 10\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Application Control\"},\"name\":\"Application Control\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Connectivity\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//KQL query to detect TLS versions used, cipher used and destination targets\\r\\n//update the Cipher table here with Cipher Suite/Name mappings\\r\\nlet CipherLookupTable = datatable(CipherSuite: string, CipherName: string )\\r\\n[\\r\\n\\\"0X0001\\\", \\\"RSA_WITH_NULL_MD5\\\", \\r\\n\\\"0X0002\\\", \\\"RSA_WITH_NULL_SHA\\\",\\r\\n\\\"0X0004\\\", \\\"RSA_WITH_RC4_128_MD5\\\",\\r\\n\\\"0X0005\\\", \\\"RSA_WITH_RC4_128_SHA\\\",\\r\\n\\\"0X0009\\\", \\\"RSA_WITH_DES_CBC_SHA\\\",\\r\\n\\\"0X000A\\\", \\\"RSA_WITH_3DES_EDE_CBC_SHA\\\",\\r\\n\\\"0X0012\\\", \\\"DHE_DSS_WITH_DES_CBC_SHA\\\",\\r\\n\\\"0X0013\\\", \\\"DHE_DSS_WITH_3DES_EDE_CBC_SHA\\\",\\r\\n\\\"0X0015\\\", \\\"DHE_RSA_WITH_DES_CBC_SHA\\\",\\r\\n\\\"0X0016\\\", \\\"DHE_RSA_WITH_3DES_EDE_CBC_SHA\\\",\\r\\n\\\"0X002F\\\", 
\\\"RSA_WITH_AES_128_CBC_SHA\\\",\\r\\n\\\"0X0032\\\", \\\"DHE_DSS_WITH_AES_128_CBC_SHA\\\",\\r\\n\\\"0X0033\\\", \\\"DHE_RSA_WITH_AES_128_CBC_SHA\\\",\\r\\n\\\"0X0035\\\", \\\"RSA_WITH_AES_256_CBC_SHA\\\",\\r\\n\\\"0X0038\\\", \\\"DHE_DSS_WITH_AES_256_CBC_SHA\\\",\\r\\n\\\"0X0039\\\", \\\"DHE_RSA_WITH_AES_256_CBC_SHA\\\",\\r\\n\\\"0X003B\\\", \\\"RSA_WITH_NULL_SHA256\\\",\\r\\n\\\"0X003C\\\", \\\"RSA_WITH_AES_128_CBC_SHA256\\\",\\r\\n\\\"0X003D\\\", \\\"RSA_WITH_AES_256_CBC_SHA256\\\",\\r\\n\\\"0X0040\\\", \\\"DHE_DSS_WITH_AES_128_CBC_SHA256\\\",\\r\\n\\\"0X0067\\\", \\\"DHE_RSA_WITH_AES_128_CBC_SHA256\\\",\\r\\n\\\"0X006A\\\", \\\"DHE_DSS_WITH_AES_256_CBC_SHA256\\\",\\r\\n\\\"0X006B\\\", \\\"DHE_RSA_WITH_AES_256_CBC_SHA256\\\",\\r\\n\\\"0X009C\\\", \\\"RSA_WITH_AES_128_GCM_SHA256\\\",\\r\\n\\\"0X9C\\\", \\\"RSA_WITH_AES_128_GCM_SHA256\\\",\\r\\n\\\"0X009D\\\", \\\"RSA_WITH_AES_256_GCM_SHA384\\\",\\r\\n\\\"0X009E\\\", \\\"DHE_RSA_WITH_AES_128_GCM_SHA256\\\",\\r\\n\\\"0X009F\\\", \\\"DHE_RSA_WITH_AES_256_GCM_SHA384\\\",\\r\\n\\\"0X00A2\\\", \\\"DHE_DSS_WITH_AES_128_GCM_SHA256\\\",\\r\\n\\\"0X00A3\\\", \\\"DHE_DSS_WITH_AES_256_GCM_SHA384\\\",\\r\\n\\\"0XC010\\\", \\\"ECDHE_RSA_WITH_NULL_SHA\\\",\\r\\n\\\"0XC011\\\", \\\"ECDHE_RSA_WITH_RC4_128_SHA\\\",\\r\\n\\\"0XC012\\\", \\\"ECDHE_RSA_WITH_3DES_EDE_CBC_SHA\\\",\\r\\n\\\"0XC013\\\", \\\"ECDHE_RSA_WITH_AES_128_CBC_SHA\\\",\\r\\n\\\"0XC014\\\", \\\"ECDHE_RSA_WITH_AES_256_CBC_SHA\\\",\\r\\n\\\"0XC027\\\", \\\"ECDHE_RSA_WITH_AES_128_CBC_SHA256\\\",\\r\\n\\\"0XC028\\\", \\\"ECDHE_RSA_WITH_AES_256_CBC_SHA384\\\",\\r\\n\\\"0XC02F\\\", \\\"ECDHE_RSA_WITH_AES_128_GCM_SHA256\\\",\\r\\n\\\"0XC030\\\", \\\"ECDHE_RSA_WITH_AES_256_GCM_SHA384\\\",\\r\\n\\\"0XC006\\\", \\\"ECDHE_ECDSA_WITH_NULL_SHA\\\",\\r\\n\\\"0XC007\\\", \\\"ECDHE_ECDSA_WITH_RC4_128_SHA\\\",\\r\\n\\\"0XC008\\\", \\\"ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA\\\",\\r\\n\\\"0XC009\\\", \\\"ECDHE_ECDSA_WITH_AES_128_CBC_SHA\\\",\\r\\n\\\"0XC00A\\\", 
\\\"ECDHE_ECDSA_WITH_AES_256_CBC_SHA\\\",\\r\\n\\\"0XC023\\\", \\\"ECDHE_ECDSA_WITH_AES_128_CBC_SHA256\\\",\\r\\n\\\"0XC024\\\", \\\"ECDHE_ECDSA_WITH_AES_256_CBC_SHA384\\\",\\r\\n\\\"0XC02B\\\", \\\"ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\\\",\\r\\n\\\"0XC02C\\\", \\\"ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\\\",\\r\\n\\\"0X1301\\\", \\\"AES_128_GCM_SHA256\\\",\\r\\n\\\"0X1302\\\", \\\"AES_256_GCM_SHA384\\\",\\r\\n\\\"0X1303\\\", \\\"CHACHA20_POLY1305_SHA256\\\",\\r\\n\\\"0X1304\\\", \\\"AES_128_CCM_SHA256\\\",\\r\\n\\\"0X1305\\\", \\\"AES_128_CCM_8_SHA256\\\"\\r\\n];\\r\\nEvent\\r\\n| where EventID == 36880\\r\\n| extend Protocol = tostring(parse_xml(EventData).DataItem.UserData.EventXML.Protocol)\\r\\n| extend Type = tostring(parse_xml(EventData).DataItem.UserData.EventXML.Type)\\r\\n| extend TargetName = (parse_xml(EventData).DataItem.UserData.EventXML.TargetName)\\r\\n| extend CipherSuite = tostring(toupper((parse_xml(EventData).DataItem.UserData.EventXML.CipherSuite)))\\r\\n| join kind=inner CipherLookupTable on CipherSuite\\r\\n| project TimeGenerated, Type, Computer, Protocol, TargetName, CipherSuite, CipherName\",\"size\":0,\"title\":\"Detect TLS version\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Identifies where SNMP service is running on Windows systems\\r\\nConfigurationData \\r\\n| where ConfigDataType == \\\"WindowsServices\\\"\\r\\n| where SvcName =~ \\\"snmptrap\\\"\\r\\n| where SvcState == \\\"Running\\\"\\r\\n| project TimeGenerated,Computer,SvcDisplayName,SvcName,SvcState,SvcStartupType\\r\\n| summarize arg_max(TimeGenerated, *) by Computer\",\"size\":0,\"title\":\"Detect SNMP service 
running\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//KQL query to detect VMs not reporting IPv6 tunnels disabled\\r\\nHeartbeat | where SourceComputerId !in (\\r\\n ( ConfigurationData \\r\\n | where RegistryKey == \\\"HKEY_LOCAL_MACHINE\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\Tcpip6\\\\\\\\Parameters\\\"\\r\\n | where ValueName == \\\"DisabledComponents\\\"\\r\\n | where binary_and(toint(ValueData),1) == 1\\r\\n | project SourceComputerId )\\r\\n)\\r\\n| extend resourceId=ResourceId\\r\\n| distinct resourceId\",\"size\":0,\"title\":\"Detect IPv6 tunnel protocols enabled\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Heartbeat \\r\\n| where SourceComputerId !in (\\r\\n ( ConfigurationData \\r\\n | where RegistryKey == \\\"HKEY_LOCAL_MACHINE\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\Tcpip6\\\\\\\\Parameters\\\"\\r\\n | where ValueName == \\\"DisabledComponents\\\"\\r\\n | where ValueData == 255\\r\\n | project SourceComputerId )\\r\\n )\\r\\n| extend resourceId=ResourceId\\r\\n| distinct resourceId\",\"size\":0,\"title\":\"VMs with IPv6 enabled\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"conditionalVisibility\":{\"parameterName\":\"ShowIPv6Tables\",\"comparison\":\"isEqualTo\",\"value\":\"t\"},\"showPin\":false,\"name\":\"VMs with IPv6 enabled\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Resources\\r\\n| where type =~ 'microsoft.compute/virtualmachines'\\r\\n| 
mv-expand nic=properties.networkProfile.networkInterfaces\\r\\n| project vmId = id, vmName = name, vmSize=tostring(properties.hardwareProfile.vmSize), nicId = tostring(nic.id) \\r\\n| join kind=inner (\\r\\n resources \\r\\n | where type == 'microsoft.network/networkinterfaces' \\r\\n | mvexpand properties.ipConfigurations \\r\\n | extend subnetId = tostring(properties_ipConfigurations.properties.subnet.id) \\r\\n | extend nicId = id \\r\\n | join kind=inner ( \\r\\n resources \\r\\n | where type == 'microsoft.network/virtualnetworks' \\r\\n | mvexpand properties.subnets\\r\\n | where tostring(properties_subnets.properties.addressPrefixes) !contains ':' \\r\\n | extend subnetId = tostring(properties_subnets.id)) \\r\\n on subnetId\\r\\n) on nicId\\r\\n| project resourceId=vmId\",\"size\":0,\"title\":\"VMs connected to IPv4 -only subnets\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Subscription}\"]},\"conditionalVisibility\":{\"parameterName\":\"ShowIPv6Tables\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"VMs connected to IPv4 -only subnets\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"Merge/1.0\\\",\\\"merges\\\":[{\\\"id\\\":\\\"0fa799b5-a6e5-4ade-b919-8ceb2b5f415f\\\",\\\"mergeType\\\":\\\"innerunique\\\",\\\"leftTable\\\":\\\"VMs with IPv6 enabled\\\",\\\"rightTable\\\":\\\"VMs connected to IPv4 -only subnets\\\",\\\"leftColumn\\\":\\\"resourceId\\\",\\\"rightColumn\\\":\\\"resourceId\\\"}]}\",\"size\":0,\"title\":\"IPv6 unnecessarily enabled\",\"queryType\":7,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"resourceId1\",\"formatter\":5}]}},\"showPin\":false,\"name\":\"query - 6\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"IPsec reporting\",\"expandable\":true,\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//KQL query to detect IPsec MM HMAC 
algorithm\\r\\nSecurityEvent \\r\\n| where EventID == 4650 or EventID == 4651\\r\\n| extend ed = parse_xml(EventData).EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'MMIntegrityAlg'\\r\\n | project MMIntegrityAlg = ed['#text']\\r\\n)\\r\\n| where MMIntegrityAlg != \\\"%%8242\\\" and MMIntegrityAlg != \\\"%%8243\\\" \\r\\n| project TimeGenerated, Computer, Activity, MMIntegrityAlg\",\"size\":0,\"title\":\"IPsec HMAC algorithms\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//KQL query to detect IPsec DH Groups with low modulus\\r\\nSecurityEvent \\r\\n| where EventID == 4650 or EventID == 4651\\r\\n| extend ed = parse_xml(EventData).EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'DHGroup'\\r\\n | project DHGroup = ed['#text']\\r\\n)\\r\\n| where DHGroup != \\\"%%8232\\\" and DHGroup != \\\"%%8248\\\" and DHGroup != \\\"%%8233\\\" and DHGroup != \\\"%%8234\\\"\\r\\n| project TimeGenerated, Computer, Activity, DHGroup\\r\\n\",\"size\":0,\"title\":\"Low modulus DH groups\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//KQL query to detect IPsec MM SAs with long lifetime\\r\\nSecurityEvent \\r\\n| where EventID == 4650 or EventID == 4651\\r\\n| extend ed = parse_xml(EventData).EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'MMLifetime'\\r\\n | project LifetimeSeconds = (ed['#text'] * 60)\\r\\n)\\r\\n| where LifetimeSeconds >= 14400\\r\\n| project TimeGenerated, Computer, Activity, LifetimeSeconds\",\"size\":0,\"title\":\"Long lifetime main-mode 
SAs\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//KQL query to detect IPsec SAs without ESP\\r\\nSecurityEvent \\r\\n| where EventID == 5451\\r\\n| extend ed = parse_xml(EventData).EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'EspAuthType'\\r\\n | project ESPAuthType = ed['#text']\\r\\n)\\r\\n| where ESPAuthType == \\\"-\\\"\\r\\n| project TimeGenerated, Computer, Activity, ESPAuthType\\r\\n\",\"size\":0,\"title\":\"SAs without ESP\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//KQL query to detect IPsec SAs without IKE\\r\\nSecurityEvent \\r\\n| where EventID == 5451\\r\\n| extend ed = parse_xml(EventData).EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'KeyingModuleName'\\r\\n | project KeyingModuleName = ed['#text']\\r\\n)\\r\\n| where KeyingModuleName !startswith \\\"IKE\\\"\\r\\n| project TimeGenerated, Computer, Activity, KeyingModuleName\\r\\n\",\"size\":0,\"title\":\"SAs without IKE\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//KQL query to detect IPsec QM SAs with long lifetime\\r\\nSecurityEvent \\r\\n| where EventID == 5451\\r\\n| extend ed = parse_xml(EventData).EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'LifetimeSeconds'\\r\\n | project LifetimeSeconds = ed['#text']\\r\\n)\\r\\n| where LifetimeSeconds > 14400\\r\\n| project TimeGenerated, 
Computer, Activity, LifetimeSeconds\",\"size\":0,\"title\":\"Long lifetime quick-mode SAs\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//KQL query to detect IPsec Transport mode\\r\\nSecurityEvent \\r\\n| where EventID == 5451\\r\\n| extend ed = parse_xml(EventData).EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'Mode'\\r\\n | project Mode = ed['#text']\\r\\n)\\r\\n| where Mode == \\\"%%16403\\\"\\r\\n| project TimeGenerated, Computer, Activity, Mode=\\\"Transport\\\"\",\"size\":0,\"title\":\"Transport mode SAs\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 6\"}]},\"name\":\"group - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Connectivity\"},\"name\":\"Connectivity\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Exploit Protection\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Show all Exploit Protection events\\r\\nlet Mitigations = datatable (EventLogID:string, Mitigation:string)\\r\\n [\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-1\\\", \\\"ACG audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-2\\\", \\\"ACG enforce\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-3\\\", \\\"Do not allow child processes audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-4\\\", \\\"Do not allow child processes block\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-5\\\", \\\"Block low integrity images audit\\\",\\r\\n 
\\\"Microsoft-Windows-Security-Mitigations/KernelMode-6\\\", \\\"Block low integrity images block\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-7\\\", \\\"Block remote images audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-8\\\", \\\"Block remote images block\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-9\\\", \\\"Disable win32k system calls audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-10\\\", \\\"Disable win32k system calls block\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-11\\\", \\\"Code integrity guard audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-12\\\", \\\"Code integrity guard block\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-13\\\", \\\"EAF audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-14\\\", \\\"EAF enforce\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-15\\\", \\\"EAF+ audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-16\\\", \\\"EAF+ enforce\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-17\\\", \\\"IAF audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-18\\\", \\\"IAF enforce\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-19\\\", \\\"ROP StackPivot audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-20\\\", \\\"ROP StackPivot enforce\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-21\\\", \\\"ROP CallerCheck audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-22\\\", \\\"ROP CallerCheck enforce\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-23\\\", \\\"ROP SimExec audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-24\\\", \\\"ROP SimExec enforce\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-1\\\", \\\"ACG audit\\\",\\r\\n 
\\\"Microsoft-Windows-Security-Mitigations/UserMode-2\\\", \\\"ACG enforce\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-3\\\", \\\"Do not allow child processes audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-4\\\", \\\"Do not allow child processes block\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-5\\\", \\\"Block low integrity images audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-6\\\", \\\"Block low integrity images block\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-7\\\", \\\"Block remote images audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-8\\\", \\\"Block remote images block\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-9\\\", \\\"Disable win32k system calls audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-10\\\", \\\"Disable win32k system calls block\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-11\\\", \\\"Code integrity guard audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-12\\\", \\\"Code integrity guard block\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-13\\\", \\\"EAF audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-14\\\", \\\"EAF enforce\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-15\\\", \\\"EAF+ audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-16\\\", \\\"EAF+ enforce\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-17\\\", \\\"IAF audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-18\\\", \\\"IAF enforce\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-19\\\", \\\"ROP StackPivot audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-20\\\", \\\"ROP StackPivot enforce\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-21\\\", \\\"ROP CallerCheck audit\\\",\\r\\n 
\\\"Microsoft-Windows-Security-Mitigations/UserMode-22\\\", \\\"ROP CallerCheck enforce\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-23\\\", \\\"ROP SimExec audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-24\\\", \\\"ROP SimExec enforce\\\",\\r\\n \\\"WER-Diagnostics-5\\\", \\\"CFG Block\\\",\\r\\n \\\"Microsoft-Windows-Win32k/Operational-260\\\", \\\"Untrusted Font\\\"\\r\\n ];\\r\\nEvent\\r\\n| where (EventID >= 1 and EventID <= 24 and (EventLog == \\\"Microsoft-Windows-Security-Mitigations/KernelMode\\\" or EventLog == \\\"Microsoft-Windows-Security-Mitigations/UserMode\\\")) or (EventID == 260 and EventLog == \\\"Microsoft-Windows-Win32k/Operational\\\") or (EventID == 5 and EventLog == \\\"System\\\" and Source == \\\"Microsoft-Windows-WER-Diag\\\")\\r\\n| extend EventLogID = strcat(EventLog, \\\"-\\\", tostring(EventID))\\r\\n| join kind=leftouter Mitigations on EventLogID\\r\\n| project TimeGenerated, Computer,UserName,Mitigation,RenderedDescription\",\"size\":0,\"title\":\"Exploit protection events\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Summarise all recent ASR block/audit events\\r\\nlet Mitigations = datatable (MitigationName:string, MitigationId:string)\\r\\n [\\r\\n \\\"Block Adobe Reader from creating child processes\\\", \\\"7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C\\\",\\r\\n \\\"Block all Office applications from creating child processes\\\", \\\"D4F940AB-401B-4EFC-AADC-AD5F3C50688A\\\",\\r\\n \\\"Block credential stealing from the Windows local security authority subsystem (lsass.exe)\\\", \\\"9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2\\\",\\r\\n \\\"Block executable content from email client and webmail\\\", \\\"BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550\\\",\\r\\n \\\"Block executable files from running 
unless they meet a prevalence, age, or trusted list criterion\\\", \\\"01443614-CD74-433A-B99E-2ECDC07BFC25\\\",\\r\\n \\\"Block execution of potentially obfuscated scripts\\\", \\\"5BEB7EFE-FD9A-4556-801D-275E5FFC04CC\\\",\\r\\n \\\"Block JavaScript or VBScript from launching downloaded executable content\\\", \\\"D3E037E1-3EB8-44C8-A917-57927947596D\\\",\\r\\n \\\"Block Office applications from creating executable content\\\", \\\"3B576869-A4EC-4529-8536-B80A7769E899\\\",\\r\\n \\\"Block Office applications from injecting code into other processes\\\", \\\"75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84\\\",\\r\\n \\\"Block Office communication application from creating child processes\\\", \\\"26190899-1602-49E8-8B27-EB1D0A1CE869\\\",\\r\\n \\\"Block persistence through WMI event subscription\\\", \\\"E6DB77E5-3DF2-4CF1-B95A-636979351E5B\\\",\\r\\n \\\"Block process creations originating from PSExec and WMI commands\\\", \\\"D1E49AAC-8F56-4280-B9BA-993A6D77406C\\\",\\r\\n \\\"Block untrusted and unsigned processes that run from USB\\\", \\\"B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4\\\",\\r\\n \\\"Block Win32 API calls from Office macros\\\", \\\"92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B\\\",\\r\\n \\\"Use advanced protection against ransomware\\\", \\\"C1DB55AB-C21A-4637-BB3F-A12568109D35\\\"\\r\\n ];\\r\\nlet Responses = datatable (EventID:int, Response:string)\\r\\n [\\r\\n 1121, \\\"Block\\\",\\r\\n 1122, \\\"Audit\\\"\\r\\n ];\\r\\nEvent\\r\\n| where EventLog == \\\"Microsoft-Windows-Windows Defender/Operational\\\" or EventLog == \\\"Microsoft-Windows-Windows Defender/WHC\\\"\\r\\n| where EventID == 1121 or EventID == 1122\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'ID'\\r\\n | project MitigationId = toupper(tostring(ed['#text']))\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'Detection Time'\\r\\n | project 
DetectionTime = tostring(ed['#text'])\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'Process Name'\\r\\n | project ProcessName = tostring(ed['#text'])\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'User'\\r\\n | project User = tostring(ed['#text'])\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'Path'\\r\\n | project Path = tostring(ed['#text'])\\r\\n)\\r\\n| join kind=leftouter Mitigations on MitigationId\\r\\n| join kind=leftouter Responses on EventID\\r\\n| summarize Count=count() by Computer, MitigationName, ProcessName, User, Path, Response\\r\\n| project Count, Response, Computer, MitigationName, ProcessName, User, Path\\r\\n| sort by Count\",\"size\":0,\"title\":\"Attack surface reduction events\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Summarise Network Protection events\\r\\nlet Responses = datatable (EventID:int, Response:string)\\r\\n [\\r\\n 1126, \\\"Block\\\",\\r\\n 1125, \\\"Audit\\\"\\r\\n ];\\r\\nEvent\\r\\n| where EventLog == \\\"Microsoft-Windows-Windows Defender/Operational\\\" or EventLog == \\\"Microsoft-Windows-Windows Defender/WHC\\\"\\r\\n| where EventID == 1125 or EventID == 1126\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'Detection Time'\\r\\n | project DetectionTime = tostring(ed['#text'])\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'User'\\r\\n | project User = tostring(ed['#text'])\\r\\n)\\r\\n| extend ed = 
parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'Destination'\\r\\n | project Destination = tostring(ed['#text'])\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'Process Name'\\r\\n | project ProcessName = tostring(ed['#text'])\\r\\n)\\r\\n| join kind=leftouter Responses on EventID\\r\\n| summarize Count=count() by Computer, ProcessName, User, Destination, Response\\r\\n| project Count, Response, Computer, ProcessName, Destination, User\\r\\n| sort by Count\",\"size\":0,\"title\":\"Network protection events\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Exploit Protection\"},\"name\":\"Exploit Protection\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Account Lockout\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//KQL query to show account lockout events\\r\\nSecurityEvent \\r\\n| where EventID == 4740\",\"size\":0,\"title\":\"Account Lockouts\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//KQL query to show failed logins by account and source\\r\\nSecurityEvent \\r\\n| where EventID == 4625\\r\\n| where Status =~ \\\"0xC000006D\\\"\\r\\n| summarize BadLogins = count() by TargetAccount, WorkstationName\\r\\n| sort by BadLogins\",\"size\":0,\"title\":\"Failed 
Logins\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Account Lockout\"},\"name\":\"Account Lockout\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Weak authentication protocols\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Aggregate NTLM incomming/outgoing events into one table\\r\\nlet AllEvents = Event\\r\\n| where EventLog =~ \\\"Microsoft-Windows-NTLM/Operational\\\"\\r\\n| extend NtlmDirection = iif(EventID == 8001, \\\"Outgoing\\\", iif(EventID == 8002, \\\"Incomming\\\", iif(EventID == 8003,\\\"In Domain (Server)\\\", iif(EventID == 8004,\\\"In Domain (Domain Controller)\\\", \\\"Unknown\\\"))))\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data;\\r\\nlet IncommingEvents = AllEvents | where NtlmDirection == \\\"Incomming\\\"\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'CallerPID'\\r\\n | project CallerPID = ed['#text']\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'ProcessName'\\r\\n | project ProcessName = ed['#text']\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'ClientLUID'\\r\\n | project ClientLUID = ed['#text']\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'ClientUserName'\\r\\n | project ClientUserName = ed['#text']\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'ClientDomainName'\\r\\n | project 
ClientDomainName = ed['#text']\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'MechanismOID'\\r\\n | project MechanismOID = ed['#text']\\r\\n);\\r\\nlet OutgoingEvents = AllEvents | where NtlmDirection == \\\"Outgoing\\\"\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'TargetName'\\r\\n | project TargetName = ed['#text']\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'UserName'\\r\\n | project UserName = tostring(ed['#text'])\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'DomainName'\\r\\n | project DomainName = ed['#text']\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'CallerPID'\\r\\n | project CallerPID = ed['#text']\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'ProcessName'\\r\\n | project ProcessName = ed['#text']\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'ClientLUID'\\r\\n | project ClientLUID = ed['#text']\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'ClientUserName'\\r\\n | project ClientUserName = ed['#text']\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'ClientDomainName'\\r\\n | project ClientDomainName = ed['#text']\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'MechanismOID'\\r\\n | project MechanismOID = ed['#text']\\r\\n)\\r\\n;\\r\\nunion 
IncommingEvents, OutgoingEvents\\r\\n| project TimeGenerated, Computer, NtlmDirection, TargetName, UserName, DomainName, CallerPID, ProcessName, ClientLUID, ClientUserName, ClientDomainName, MechanismOID\\r\\n\",\"size\":0,\"title\":\"NTLM Events\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Discover state of lanman auth\\r\\nHeartbeat\\r\\n| summarize arg_max(TimeGenerated, *) by Computer\\r\\n| join kind=leftouter (\\r\\n ( ConfigurationData \\r\\n | where ConfigDataType == \\\"Registry\\\"\\r\\n | where RegistryKey =~ \\\"HKEY_LOCAL_MACHINE\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\Lsa\\\"\\r\\n | where ValueName =~ \\\"lmcompatibilitylevel\\\"\\r\\n | summarize arg_max(TimeGenerated, *) by Computer\\r\\n | project SourceComputerId, LmCompatibilityLevel = ValueData )\\r\\n) on SourceComputerId\\r\\n| project Computer, InferredLmCompatibilityLevel = toint(iif(isnull(LmCompatibilityLevel),LmCompatibilityLevel,\\\"3\\\"))\\r\\n| project Computer, LanmanEnabled = (InferredLmCompatibilityLevel <= 3), Ntlmv1Enabled = (InferredLmCompatibilityLevel <= 4)\",\"size\":0,\"title\":\"Lanman Auth Level\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Weak authentication protocols\"},\"name\":\"Weak authentication protocols\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Operating System\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Summarises count of VM by OS version\\r\\nlet VersionConfigItems = ConfigurationData 
\\r\\n| where RegistryKey =~ \\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\"\\r\\n| where ValueName =~ \\\"ProductName\\\" or ValueName =~ \\\"ReleaseId\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by Computer,ValueName\\r\\n| project Computer, ValueName, ValueData;\\r\\nVersionConfigItems\\r\\n| extend p = pack(ValueName, ValueData)\\r\\n| summarize bag=make_bag(p)\\r\\n| evaluate bag_unpack(bag)\\r\\n| project OperatingSystem = strcat(ProductName, \\\" - \\\", ReleaseId)\\r\\n| summarize count() by OperatingSystem\\r\\n| render columnchart\",\"size\":0,\"title\":\"OS summary\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Details VM and associated operating system version\\r\\nlet VersionConfigItems = ConfigurationData \\r\\n| where RegistryKey =~ \\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\"\\r\\n| where ValueName =~ \\\"ProductName\\\" or ValueName =~ \\\"ReleaseId\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by Computer,ValueName\\r\\n| project Computer, ValueName, ValueData;\\r\\nVersionConfigItems\\r\\n| extend p = pack(ValueName, ValueData)\\r\\n| summarize bag=make_bag(p) by Computer\\r\\n| evaluate bag_unpack(bag);\",\"size\":0,\"title\":\"OS detailed\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Operating System\"},\"name\":\"Operating System\"}],\"isLocked\":false,\"defaultResourceIds\":[\"Azure Monitor\"],\"fallbackResourceIds\":[\"Azure Monitor\"]}", + "serializedData": 
"{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"f3e7cdac-f2b5-4682-aefa-cf4130bde675\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"value\":\"\",\"typeSettings\":{\"additionalResourceOptions\":[],\"includeAll\":false,\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"ed59c0aa-e545-46c9-812c-05af308f0777\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"value\":\"\",\"typeSettings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true},\"additionalResourceOptions\":[]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 9\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"7ded99c5-2f17-4c37-80bb-dbbc2796c0fd\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Software Updates\",\"subTarget\":\"Software Updates\",\"style\":\"link\"},{\"id\":\"ae848e98-a680-424a-98c2-bc3268c87074\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Installed Software\",\"subTarget\":\"Installed Software\",\"style\":\"link\"},{\"id\":\"179336c4-797c-40f5-97cc-ebf76fd92efc\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Application Control\",\"subTarget\":\"Application Control\",\"style\":\"link\"},{\"id\":\"bbdb7762-fd5b-401b-a537-253f011c7b29\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Connectivity\",\"subTarget\":\"Connectivity\",\"style\":\"link\"},{\"id\":\"2dba6e16-afc4-4143-9058-4e40d49938fc\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Exploit Protection\",\"subTarget\":\"Exploit 
Protection\",\"style\":\"link\"},{\"id\":\"c5f3401b-f92b-4ab3-92ea-ef66de0607b3\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Account Lockout\",\"subTarget\":\"Account Lockout\",\"style\":\"link\"},{\"id\":\"21bf6837-d8d3-43b4-8a7a-e1d3af0113ea\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Weak authentication protocols\",\"subTarget\":\"Weak authentication protocols\",\"style\":\"link\"},{\"id\":\"c279d59c-e24b-4762-8006-4a5b8d9e536a\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Operating System\",\"subTarget\":\"Operating System\",\"style\":\"link\"}]},\"name\":\"links - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Software Updates\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Shows all updates newer than 90 days and all updates with < 100% coverage and renders their coverage summary\\r\\nUpdate\\r\\n| where MSRCSeverity == \\\"Critical\\\" or MSRCSeverity == \\\"Security\\\"\\r\\n| where TimeGenerated > now(-180days) or UpdateID in ( \\r\\n (Update\\r\\n | where MSRCSeverity == \\\"Critical\\\" or MSRCSeverity == \\\"Security\\\"\\r\\n | summarize arg_max(TimeGenerated, *) by UpdateID,SourceComputerId\\r\\n | where UpdateState != \\\"Installed\\\"\\r\\n | project UpdateID)\\r\\n)\\r\\n| summarize arg_max(TimeGenerated, *) by UpdateID,SourceComputerId\\r\\n| summarize NotInstalledCount = countif(UpdateState != \\\"Installed\\\"), InstalledCount = countif(UpdateState == \\\"Installed\\\"), TotalCount = count() by Product, MSRCSeverity, KBID, Title\\r\\n//| project Product, MSRCSeverity, KBID, Title, NotInstalledCount, InstalledCount, TotalCount, Coverage = strcat(tostring(InstalledCount / TotalCount * 100),\\\"%\\\")\\r\\n| project Update=strcat(Product,\\\" - \\\", Title), NotInstalledCount,InstalledCount\\r\\n| render barchart with (kind = 
stacked)\",\"size\":1,\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Show system missing updates over time\\r\\nUpdateSummary\\r\\n| project TimeGenerated,Computer, SecurityUpdatesMissing\\r\\n| render timechart with (series = Computer)\",\"size\":1,\"title\":\"Missing Updates\",\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Show systems missing most updates\\r\\nUpdateSummary \\r\\n| summarize arg_max(TimeGenerated, *) by SourceComputerId\\r\\n| project Computer, OsVersion,OldestMissingSecurityUpdateInDays\\r\\n| sort by OldestMissingSecurityUpdateInDays\",\"size\":0,\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Update\\r\\n| where MSRCSeverity == \\\"Critical\\\" or MSRCSeverity == \\\"Security\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by UpdateID,SourceComputerId\\r\\n| where UpdateState != \\\"Installed\\\"\\r\\n| project Computer, Product, MSRCSeverity, KBID, Title, UpdateState, HoursOld = datetime_diff('hour',now(),PublishedDate)\\r\\n| sort by HoursOld\",\"size\":0,\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Software Updates\"},\"name\":\"Software 
Updates\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Installed Software\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Identifies the prevelance of unqiue software versions\\r\\nConfigurationData \\r\\n| where ConfigDataType == \\\"Software\\\"\\r\\n| where SoftwareType == \\\"Application\\\" \\r\\n| summarize arg_max(TimeGenerated, *) by Computer,SoftwareName,Publisher,CurrentVersion\\r\\n| summarize Systems=make_set(Computer) by SoftwareName,Publisher,CurrentVersion\\r\\n| where not(Publisher == \\\"Microsoft Corporation\\\" and SoftwareName hasprefix \\\"Security Intelligence Update for Microsoft Defender Antivirus - KB\\\")\\r\\n| where not(Publisher == \\\"Microsoft Corporation\\\" and SoftwareName hasprefix \\\"Update for Microsoft Defender Antivirus antimalware platform - KB\\\")\\r\\n| project SoftwareVersion = strcat(SoftwareName, \\\" \\\", CurrentVersion), Publisher, SystemCount = array_length(Systems), Systems\",\"size\":0,\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Identifies software applications where multiple versions are present\\r\\nConfigurationData \\r\\n| where ConfigDataType == \\\"Software\\\"\\r\\n| where SoftwareType == \\\"Application\\\" \\r\\n| summarize arg_max(TimeGenerated, *) by Computer,SoftwareName,Publisher,CurrentVersion\\r\\n| summarize Versions=make_set(CurrentVersion) by SoftwareName,Publisher\\r\\n| where not(Publisher == \\\"Microsoft Corporation\\\" and SoftwareName hasprefix \\\"Security Intelligence Update for Microsoft Defender Antivirus - KB\\\")\\r\\n| where not(Publisher == \\\"Microsoft Corporation\\\" and SoftwareName hasprefix \\\"Update for Microsoft Defender Antivirus antimalware platform - KB\\\")\\r\\n| where 
array_length(Versions) > 1\",\"size\":0,\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Installed Software\"},\"name\":\"Installed Software\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Application Control\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Summarise all WDAC block events by count of event pattern\\r\\nEvent\\r\\n| where EventID == 3077\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'Process Name'\\r\\n | project CallingProcess = tostring(ed['#text'])\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'File Name'\\r\\n | project FileName = tostring(ed['#text'])\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'PolicyName'\\r\\n | project PolicyName = tostring(ed['#text'])\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'FileDescription'\\r\\n | project FileDescription = tostring(ed['#text'])\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'ProductName'\\r\\n | project ProductName = tostring(ed['#text'])\\r\\n)\\r\\n| project TimeGenerated,Computer,CallingProcess,FileName,PolicyName,FileDescription,ProductName\\r\\n| summarize count() by Computer,CallingProcess,FileName,PolicyName,FileDescription,ProductName\",\"size\":0,\"title\":\"WDAC Block Events (24 
hours)\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":30}},\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Summarises the lastest WDAC policy load events by Computer, PolicyName, PolicyId\\r\\nEvent\\r\\n| where EventID == 3099\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'PolicyNameBuffer'\\r\\n | project PolicyName = tostring(ed['#text'])\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'PolicyIdBuffer'\\r\\n | project PolicyId = tostring(ed['#text'])\\r\\n)\\r\\n| project TimeGenerated,Computer,PolicyName,PolicyId\\r\\n| summarize arg_max(TimeGenerated,*) by Computer,PolicyName,PolicyId\",\"size\":0,\"title\":\"WDAC policy load events (24 hours)\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":30}},\"name\":\"query - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Show WDAC blocks as a result of the ISG\\r\\nEvent\\r\\n| where EventID == 3092\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'FileName'\\r\\n | project FileName = tostring(ed['#text'])\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'StatusCode'\\r\\n | project StatusCode = tostring(ed['#text'])\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'PassesSmartlocker'\\r\\n | project PassesISG = tostring(ed['#text'])\\r\\n)\\r\\n| extend ed = 
parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'PolicyName'\\r\\n | project PolicyName = tostring(ed['#text'])\\r\\n)\\r\\n| where PassesISG == \\\"false\\\"\\r\\n| summarize FailCount = count() by FileName\\r\\n| sort by FailCount\",\"size\":0,\"title\":\"WDAC Intelligent Security Graph Block Events (24 hours)\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 10\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Application Control\"},\"name\":\"Application Control\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Connectivity\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//KQL query to detect TLS versions used, cipher used and destination targets\\r\\n//update the Cipher table here with Cipher Suite/Name mappings\\r\\nlet CipherLookupTable = datatable(CipherSuite: string, CipherName: string )\\r\\n[\\r\\n\\\"0X0001\\\", \\\"RSA_WITH_NULL_MD5\\\", \\r\\n\\\"0X0002\\\", \\\"RSA_WITH_NULL_SHA\\\",\\r\\n\\\"0X0004\\\", \\\"RSA_WITH_RC4_128_MD5\\\",\\r\\n\\\"0X0005\\\", \\\"RSA_WITH_RC4_128_SHA\\\",\\r\\n\\\"0X0009\\\", \\\"RSA_WITH_DES_CBC_SHA\\\",\\r\\n\\\"0X000A\\\", \\\"RSA_WITH_3DES_EDE_CBC_SHA\\\",\\r\\n\\\"0X0012\\\", \\\"DHE_DSS_WITH_DES_CBC_SHA\\\",\\r\\n\\\"0X0013\\\", \\\"DHE_DSS_WITH_3DES_EDE_CBC_SHA\\\",\\r\\n\\\"0X0015\\\", \\\"DHE_RSA_WITH_DES_CBC_SHA\\\",\\r\\n\\\"0X0016\\\", \\\"DHE_RSA_WITH_3DES_EDE_CBC_SHA\\\",\\r\\n\\\"0X002F\\\", \\\"RSA_WITH_AES_128_CBC_SHA\\\",\\r\\n\\\"0X0032\\\", \\\"DHE_DSS_WITH_AES_128_CBC_SHA\\\",\\r\\n\\\"0X0033\\\", \\\"DHE_RSA_WITH_AES_128_CBC_SHA\\\",\\r\\n\\\"0X0035\\\", \\\"RSA_WITH_AES_256_CBC_SHA\\\",\\r\\n\\\"0X0038\\\", \\\"DHE_DSS_WITH_AES_256_CBC_SHA\\\",\\r\\n\\\"0X0039\\\", 
\\\"DHE_RSA_WITH_AES_256_CBC_SHA\\\",\\r\\n\\\"0X003B\\\", \\\"RSA_WITH_NULL_SHA256\\\",\\r\\n\\\"0X003C\\\", \\\"RSA_WITH_AES_128_CBC_SHA256\\\",\\r\\n\\\"0X003D\\\", \\\"RSA_WITH_AES_256_CBC_SHA256\\\",\\r\\n\\\"0X0040\\\", \\\"DHE_DSS_WITH_AES_128_CBC_SHA256\\\",\\r\\n\\\"0X0067\\\", \\\"DHE_RSA_WITH_AES_128_CBC_SHA256\\\",\\r\\n\\\"0X006A\\\", \\\"DHE_DSS_WITH_AES_256_CBC_SHA256\\\",\\r\\n\\\"0X006B\\\", \\\"DHE_RSA_WITH_AES_256_CBC_SHA256\\\",\\r\\n\\\"0X009C\\\", \\\"RSA_WITH_AES_128_GCM_SHA256\\\",\\r\\n\\\"0X9C\\\", \\\"RSA_WITH_AES_128_GCM_SHA256\\\",\\r\\n\\\"0X009D\\\", \\\"RSA_WITH_AES_256_GCM_SHA384\\\",\\r\\n\\\"0X009E\\\", \\\"DHE_RSA_WITH_AES_128_GCM_SHA256\\\",\\r\\n\\\"0X009F\\\", \\\"DHE_RSA_WITH_AES_256_GCM_SHA384\\\",\\r\\n\\\"0X00A2\\\", \\\"DHE_DSS_WITH_AES_128_GCM_SHA256\\\",\\r\\n\\\"0X00A3\\\", \\\"DHE_DSS_WITH_AES_256_GCM_SHA384\\\",\\r\\n\\\"0XC010\\\", \\\"ECDHE_RSA_WITH_NULL_SHA\\\",\\r\\n\\\"0XC011\\\", \\\"ECDHE_RSA_WITH_RC4_128_SHA\\\",\\r\\n\\\"0XC012\\\", \\\"ECDHE_RSA_WITH_3DES_EDE_CBC_SHA\\\",\\r\\n\\\"0XC013\\\", \\\"ECDHE_RSA_WITH_AES_128_CBC_SHA\\\",\\r\\n\\\"0XC014\\\", \\\"ECDHE_RSA_WITH_AES_256_CBC_SHA\\\",\\r\\n\\\"0XC027\\\", \\\"ECDHE_RSA_WITH_AES_128_CBC_SHA256\\\",\\r\\n\\\"0XC028\\\", \\\"ECDHE_RSA_WITH_AES_256_CBC_SHA384\\\",\\r\\n\\\"0XC02F\\\", \\\"ECDHE_RSA_WITH_AES_128_GCM_SHA256\\\",\\r\\n\\\"0XC030\\\", \\\"ECDHE_RSA_WITH_AES_256_GCM_SHA384\\\",\\r\\n\\\"0XC006\\\", \\\"ECDHE_ECDSA_WITH_NULL_SHA\\\",\\r\\n\\\"0XC007\\\", \\\"ECDHE_ECDSA_WITH_RC4_128_SHA\\\",\\r\\n\\\"0XC008\\\", \\\"ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA\\\",\\r\\n\\\"0XC009\\\", \\\"ECDHE_ECDSA_WITH_AES_128_CBC_SHA\\\",\\r\\n\\\"0XC00A\\\", \\\"ECDHE_ECDSA_WITH_AES_256_CBC_SHA\\\",\\r\\n\\\"0XC023\\\", \\\"ECDHE_ECDSA_WITH_AES_128_CBC_SHA256\\\",\\r\\n\\\"0XC024\\\", \\\"ECDHE_ECDSA_WITH_AES_256_CBC_SHA384\\\",\\r\\n\\\"0XC02B\\\", \\\"ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\\\",\\r\\n\\\"0XC02C\\\", 
\\\"ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\\\",\\r\\n\\\"0X1301\\\", \\\"AES_128_GCM_SHA256\\\",\\r\\n\\\"0X1302\\\", \\\"AES_256_GCM_SHA384\\\",\\r\\n\\\"0X1303\\\", \\\"CHACHA20_POLY1305_SHA256\\\",\\r\\n\\\"0X1304\\\", \\\"AES_128_CCM_SHA256\\\",\\r\\n\\\"0X1305\\\", \\\"AES_128_CCM_8_SHA256\\\"\\r\\n];\\r\\nEvent\\r\\n| where EventID == 36880\\r\\n| extend Protocol = tostring(parse_xml(EventData).DataItem.UserData.EventXML.Protocol)\\r\\n| extend Type = tostring(parse_xml(EventData).DataItem.UserData.EventXML.Type)\\r\\n| extend TargetName = (parse_xml(EventData).DataItem.UserData.EventXML.TargetName)\\r\\n| extend CipherSuite = tostring(toupper((parse_xml(EventData).DataItem.UserData.EventXML.CipherSuite)))\\r\\n| join kind=inner CipherLookupTable on CipherSuite\\r\\n| project TimeGenerated, Type, Computer, Protocol, TargetName, CipherSuite, CipherName\",\"size\":0,\"title\":\"Detect TLS version\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Identifies where SNMP service is running on Windows systems\\r\\nConfigurationData \\r\\n| where ConfigDataType == \\\"WindowsServices\\\"\\r\\n| where SvcName =~ \\\"snmptrap\\\"\\r\\n| where SvcState == \\\"Running\\\"\\r\\n| project TimeGenerated,Computer,SvcDisplayName,SvcName,SvcState,SvcStartupType\\r\\n| summarize arg_max(TimeGenerated, *) by Computer\",\"size\":0,\"title\":\"Detect SNMP service running\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//KQL query to detect VMs not reporting IPv6 tunnels disabled\\r\\nHeartbeat | where SourceComputerId !in (\\r\\n ( ConfigurationData \\r\\n | where 
RegistryKey == \\\"HKEY_LOCAL_MACHINE\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\Tcpip6\\\\\\\\Parameters\\\"\\r\\n | where ValueName == \\\"DisabledComponents\\\"\\r\\n | where binary_and(toint(ValueData),1) == 1\\r\\n | project SourceComputerId )\\r\\n)\\r\\n| extend resourceId=ResourceId\\r\\n| distinct resourceId\",\"size\":0,\"title\":\"Detect IPv6 tunnel protocols enabled\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Heartbeat \\r\\n| where SourceComputerId !in (\\r\\n ( ConfigurationData \\r\\n | where RegistryKey == \\\"HKEY_LOCAL_MACHINE\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\Tcpip6\\\\\\\\Parameters\\\"\\r\\n | where ValueName == \\\"DisabledComponents\\\"\\r\\n | where ValueData == 255\\r\\n | project SourceComputerId )\\r\\n )\\r\\n| extend resourceId=ResourceId\\r\\n| distinct resourceId\",\"size\":0,\"title\":\"VMs with IPv6 enabled\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"conditionalVisibility\":{\"parameterName\":\"ShowIPv6Tables\",\"comparison\":\"isEqualTo\",\"value\":\"t\"},\"showPin\":false,\"name\":\"VMs with IPv6 enabled\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Resources\\r\\n| where type =~ 'microsoft.compute/virtualmachines'\\r\\n| mv-expand nic=properties.networkProfile.networkInterfaces\\r\\n| project vmId = id, vmName = name, vmSize=tostring(properties.hardwareProfile.vmSize), nicId = tostring(nic.id) \\r\\n| join kind=inner (\\r\\n resources \\r\\n | where type == 'microsoft.network/networkinterfaces' \\r\\n | mvexpand properties.ipConfigurations \\r\\n | extend subnetId = tostring(properties_ipConfigurations.properties.subnet.id) 
\\r\\n | extend nicId = id \\r\\n | join kind=inner ( \\r\\n resources \\r\\n | where type == 'microsoft.network/virtualnetworks' \\r\\n | mvexpand properties.subnets\\r\\n | where tostring(properties_subnets.properties.addressPrefixes) !contains ':' \\r\\n | extend subnetId = tostring(properties_subnets.id)) \\r\\n on subnetId\\r\\n) on nicId\\r\\n| project resourceId=vmId\",\"size\":0,\"title\":\"VMs connected to IPv4 -only subnets\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Subscription}\"]},\"conditionalVisibility\":{\"parameterName\":\"ShowIPv6Tables\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"VMs connected to IPv4 -only subnets\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"Merge/1.0\\\",\\\"merges\\\":[{\\\"id\\\":\\\"0fa799b5-a6e5-4ade-b919-8ceb2b5f415f\\\",\\\"mergeType\\\":\\\"innerunique\\\",\\\"leftTable\\\":\\\"VMs with IPv6 enabled\\\",\\\"rightTable\\\":\\\"VMs connected to IPv4 -only subnets\\\",\\\"leftColumn\\\":\\\"resourceId\\\",\\\"rightColumn\\\":\\\"resourceId\\\"}]}\",\"size\":0,\"title\":\"IPv6 unnecessarily enabled\",\"queryType\":7,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"resourceId1\",\"formatter\":5}]}},\"showPin\":false,\"name\":\"query - 6\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"IPsec reporting\",\"expandable\":true,\"expanded\":true,\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//KQL query to detect IPsec MM HMAC algorithm (Event table)\\r\\nEvent \\r\\n| where EventID == 4650 or EventID == 4651\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'MMIntegrityAlg'\\r\\n | project MMIntegrityAlg = ed['#text']\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 
'LocalAddress'\\r\\n | project LocalAddress = ed['#text']\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'RemoteAddress'\\r\\n | project RemoteAddress = ed['#text']\\r\\n)\\r\\n| where MMIntegrityAlg != \\\"%%8242\\\" and MMIntegrityAlg != \\\"%%8243\\\" \\r\\n| project TimeGenerated, Computer, LocalAddress, RemoteAddress, MMIntegrityAlg\\r\\n\",\"size\":0,\"title\":\"IPsec HMAC algorithms\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//KQL query to detect IPsec DH Groups with low modulus (Event table)\\r\\nEvent \\r\\n| where EventID == 4650 or EventID == 4651\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'DHGroup'\\r\\n | project DHGroup = ed['#text']\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'LocalAddress'\\r\\n | project LocalAddress = ed['#text']\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'RemoteAddress'\\r\\n | project RemoteAddress = ed['#text']\\r\\n)\\r\\n| where DHGroup != \\\"%%8232\\\" and DHGroup != \\\"%%8248\\\" and DHGroup != \\\"%%8233\\\" and DHGroup != \\\"%%8234\\\"\\r\\n| project TimeGenerated, Computer, LocalAddress, RemoteAddress, DHGroup\\r\\n\",\"size\":0,\"title\":\"Low modulus DH groups\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//KQL query to detect IPsec MM SAs with long lifetime (Event 
table)\\r\\nEvent \\r\\n| where EventID == 4650 or EventID == 4651\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'MMLifetime'\\r\\n | project LifetimeSeconds = (ed['#text'] * 60)\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'LocalAddress'\\r\\n | project LocalAddress = ed['#text']\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'RemoteAddress'\\r\\n | project RemoteAddress = ed['#text']\\r\\n)\\r\\n| where LifetimeSeconds >= 14400\\r\\n| project TimeGenerated, Computer, LocalAddress, RemoteAddress, LifetimeSeconds\\r\\n\",\"size\":0,\"title\":\"Long lifetime main-mode SAs\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//KQL query to detect IPsec SAs without ESP (Event table)\\r\\nEvent \\r\\n| where EventID == 5451\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'EspAuthType'\\r\\n | project ESPAuthType = ed['#text']\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'LocalAddress'\\r\\n | project LocalAddress = ed['#text']\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'RemoteAddress'\\r\\n | project RemoteAddress = ed['#text']\\r\\n)\\r\\n| where ESPAuthType == \\\"-\\\"\\r\\n| project TimeGenerated, Computer, LocalAddress, RemoteAddress\\r\\n\",\"size\":0,\"title\":\"SAs without 
ESP\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//KQL query to detect IPsec SAs without IKE (Event table)\\r\\nEvent \\r\\n| where EventID == 5451\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'KeyingModuleName'\\r\\n | project KeyingModuleName = ed['#text']\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'LocalAddress'\\r\\n | project LocalAddress = ed['#text']\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'RemoteAddress'\\r\\n | project RemoteAddress = ed['#text']\\r\\n)\\r\\n| where KeyingModuleName !startswith \\\"IKE\\\"\\r\\n| project TimeGenerated, Computer, LocalAddress, RemoteAddress, KeyingModuleName\\r\\n\",\"size\":0,\"title\":\"SAs without IKE\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//KQL query to detect IPsec QM SAs with long lifetime (Event table)\\r\\nEvent \\r\\n| where EventID == 5451\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'LifetimeSeconds'\\r\\n | project LifetimeSeconds = ed['#text']\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'LocalAddress'\\r\\n | project LocalAddress = ed['#text']\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 
'RemoteAddress'\\r\\n | project RemoteAddress = ed['#text']\\r\\n)\\r\\n| where LifetimeSeconds > 14400\\r\\n| project TimeGenerated, Computer, LocalAddress, RemoteAddress, LifetimeSeconds\",\"size\":0,\"title\":\"Long lifetime quick-mode SAs\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//KQL query to detect IPsec Transport mode (Event table)\\r\\nEvent \\r\\n| where EventID == 5451\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'Mode'\\r\\n | project Mode = ed['#text']\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'LocalAddress'\\r\\n | project LocalAddress = ed['#text']\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'RemoteAddress'\\r\\n | project RemoteAddress = ed['#text']\\r\\n)\\r\\n| where Mode == \\\"%%16403\\\"\\r\\n| project TimeGenerated, Computer, LocalAddress, RemoteAddress, Mode=\\\"Transport\\\"\",\"size\":0,\"title\":\"Transport mode SAs\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 6\"}]},\"name\":\"group - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Connectivity\"},\"name\":\"Connectivity\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Exploit Protection\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Show all Exploit Protection events\\r\\nlet Mitigations = datatable (EventLogID:string, Mitigation:string)\\r\\n 
[\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-1\\\", \\\"ACG audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-2\\\", \\\"ACG enforce\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-3\\\", \\\"Do not allow child processes audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-4\\\", \\\"Do not allow child processes block\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-5\\\", \\\"Block low integrity images audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-6\\\", \\\"Block low integrity images block\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-7\\\", \\\"Block remote images audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-8\\\", \\\"Block remote images block\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-9\\\", \\\"Disable win32k system calls audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-10\\\", \\\"Disable win32k system calls block\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-11\\\", \\\"Code integrity guard audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-12\\\", \\\"Code integrity guard block\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-13\\\", \\\"EAF audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-14\\\", \\\"EAF enforce\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-15\\\", \\\"EAF+ audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-16\\\", \\\"EAF+ enforce\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-17\\\", \\\"IAF audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-18\\\", \\\"IAF enforce\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-19\\\", \\\"ROP StackPivot audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-20\\\", \\\"ROP StackPivot enforce\\\",\\r\\n 
\\\"Microsoft-Windows-Security-Mitigations/KernelMode-21\\\", \\\"ROP CallerCheck audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-22\\\", \\\"ROP CallerCheck enforce\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-23\\\", \\\"ROP SimExec audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/KernelMode-24\\\", \\\"ROP SimExec enforce\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-1\\\", \\\"ACG audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-2\\\", \\\"ACG enforce\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-3\\\", \\\"Do not allow child processes audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-4\\\", \\\"Do not allow child processes block\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-5\\\", \\\"Block low integrity images audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-6\\\", \\\"Block low integrity images block\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-7\\\", \\\"Block remote images audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-8\\\", \\\"Block remote images block\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-9\\\", \\\"Disable win32k system calls audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-10\\\", \\\"Disable win32k system calls block\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-11\\\", \\\"Code integrity guard audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-12\\\", \\\"Code integrity guard block\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-13\\\", \\\"EAF audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-14\\\", \\\"EAF enforce\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-15\\\", \\\"EAF+ audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-16\\\", \\\"EAF+ enforce\\\",\\r\\n 
\\\"Microsoft-Windows-Security-Mitigations/UserMode-17\\\", \\\"IAF audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-18\\\", \\\"IAF enforce\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-19\\\", \\\"ROP StackPivot audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-20\\\", \\\"ROP StackPivot enforce\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-21\\\", \\\"ROP CallerCheck audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-22\\\", \\\"ROP CallerCheck enforce\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-23\\\", \\\"ROP SimExec audit\\\",\\r\\n \\\"Microsoft-Windows-Security-Mitigations/UserMode-24\\\", \\\"ROP SimExec enforce\\\",\\r\\n \\\"WER-Diagnostics-5\\\", \\\"CFG Block\\\",\\r\\n \\\"Microsoft-Windows-Win32k/Operational-260\\\", \\\"Untrusted Font\\\"\\r\\n ];\\r\\nEvent\\r\\n| where (EventID >= 1 and EventID <= 24 and (EventLog == \\\"Microsoft-Windows-Security-Mitigations/KernelMode\\\" or EventLog == \\\"Microsoft-Windows-Security-Mitigations/UserMode\\\")) or (EventID == 260 and EventLog == \\\"Microsoft-Windows-Win32k/Operational\\\") or (EventID == 5 and EventLog == \\\"System\\\" and Source == \\\"Microsoft-Windows-WER-Diag\\\")\\r\\n| extend EventLogID = strcat(EventLog, \\\"-\\\", tostring(EventID))\\r\\n| join kind=leftouter Mitigations on EventLogID\\r\\n| project TimeGenerated, Computer,UserName,Mitigation,RenderedDescription\",\"size\":0,\"title\":\"Exploit protection events\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Summarise all recent ASR block/audit events\\r\\nlet Mitigations = datatable (MitigationName:string, MitigationId:string)\\r\\n [\\r\\n \\\"Block Adobe Reader from creating child processes\\\", 
\\\"7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C\\\",\\r\\n \\\"Block all Office applications from creating child processes\\\", \\\"D4F940AB-401B-4EFC-AADC-AD5F3C50688A\\\",\\r\\n \\\"Block credential stealing from the Windows local security authority subsystem (lsass.exe)\\\", \\\"9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2\\\",\\r\\n \\\"Block executable content from email client and webmail\\\", \\\"BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550\\\",\\r\\n \\\"Block executable files from running unless they meet a prevalence, age, or trusted list criterion\\\", \\\"01443614-CD74-433A-B99E-2ECDC07BFC25\\\",\\r\\n \\\"Block execution of potentially obfuscated scripts\\\", \\\"5BEB7EFE-FD9A-4556-801D-275E5FFC04CC\\\",\\r\\n \\\"Block JavaScript or VBScript from launching downloaded executable content\\\", \\\"D3E037E1-3EB8-44C8-A917-57927947596D\\\",\\r\\n \\\"Block Office applications from creating executable content\\\", \\\"3B576869-A4EC-4529-8536-B80A7769E899\\\",\\r\\n \\\"Block Office applications from injecting code into other processes\\\", \\\"75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84\\\",\\r\\n \\\"Block Office communication application from creating child processes\\\", \\\"26190899-1602-49E8-8B27-EB1D0A1CE869\\\",\\r\\n \\\"Block persistence through WMI event subscription\\\", \\\"E6DB77E5-3DF2-4CF1-B95A-636979351E5B\\\",\\r\\n \\\"Block process creations originating from PSExec and WMI commands\\\", \\\"D1E49AAC-8F56-4280-B9BA-993A6D77406C\\\",\\r\\n \\\"Block untrusted and unsigned processes that run from USB\\\", \\\"B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4\\\",\\r\\n \\\"Block Win32 API calls from Office macros\\\", \\\"92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B\\\",\\r\\n \\\"Use advanced protection against ransomware\\\", \\\"C1DB55AB-C21A-4637-BB3F-A12568109D35\\\"\\r\\n ];\\r\\nlet Responses = datatable (EventID:int, Response:string)\\r\\n [\\r\\n 1121, \\\"Block\\\",\\r\\n 1122, \\\"Audit\\\"\\r\\n ];\\r\\nEvent\\r\\n| where EventLog == \\\"Microsoft-Windows-Windows 
Defender/Operational\\\" or EventLog == \\\"Microsoft-Windows-Windows Defender/WHC\\\"\\r\\n| where EventID == 1121 or EventID == 1122\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'ID'\\r\\n | project MitigationId = toupper(tostring(ed['#text']))\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'Detection Time'\\r\\n | project DetectionTime = tostring(ed['#text'])\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'Process Name'\\r\\n | project ProcessName = tostring(ed['#text'])\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'User'\\r\\n | project User = tostring(ed['#text'])\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'Path'\\r\\n | project Path = tostring(ed['#text'])\\r\\n)\\r\\n| join kind=leftouter Mitigations on MitigationId\\r\\n| join kind=leftouter Responses on EventID\\r\\n| summarize Count=count() by Computer, MitigationName, ProcessName, User, Path, Response\\r\\n| project Count, Response, Computer, MitigationName, ProcessName, User, Path\\r\\n| sort by Count\",\"size\":0,\"title\":\"Attack surface reduction events\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Summarise Network Protection events\\r\\nlet Responses = datatable (EventID:int, Response:string)\\r\\n [\\r\\n 1126, \\\"Block\\\",\\r\\n 1125, \\\"Audit\\\"\\r\\n ];\\r\\nEvent\\r\\n| where EventLog == \\\"Microsoft-Windows-Windows Defender/Operational\\\" or EventLog == 
\\\"Microsoft-Windows-Windows Defender/WHC\\\"\\r\\n| where EventID == 1125 or EventID == 1126\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'Detection Time'\\r\\n | project DetectionTime = tostring(ed['#text'])\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'User'\\r\\n | project User = tostring(ed['#text'])\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'Destination'\\r\\n | project Destination = tostring(ed['#text'])\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'Process Name'\\r\\n | project ProcessName = tostring(ed['#text'])\\r\\n)\\r\\n| join kind=leftouter Responses on EventID\\r\\n| summarize Count=count() by Computer, ProcessName, User, Destination, Response\\r\\n| project Count, Response, Computer, ProcessName, Destination, User\\r\\n| sort by Count\",\"size\":0,\"title\":\"Network protection events\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Exploit Protection\"},\"name\":\"Exploit Protection\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Account Lockout\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//KQL query to show account lockout events\\r\\nSecurityEvent \\r\\n| where EventID == 4740\",\"size\":0,\"title\":\"Account 
Lockouts\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//KQL query to show failed logins by account and source\\r\\nSecurityEvent \\r\\n| where EventID == 4625\\r\\n| where Status =~ \\\"0xC000006D\\\"\\r\\n| summarize BadLogins = count() by TargetAccount, WorkstationName\\r\\n| sort by BadLogins\",\"size\":0,\"title\":\"Failed Logins\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Account Lockout\"},\"name\":\"Account Lockout\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Weak authentication protocols\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Aggregate NTLM incomming/outgoing events into one table\\r\\nlet AllEvents = Event\\r\\n| where EventLog =~ \\\"Microsoft-Windows-NTLM/Operational\\\"\\r\\n| extend NtlmDirection = iif(EventID == 8001, \\\"Outgoing\\\", iif(EventID == 8002, \\\"Incomming\\\", iif(EventID == 8003,\\\"In Domain (Server)\\\", iif(EventID == 8004,\\\"In Domain (Domain Controller)\\\", \\\"Unknown\\\"))))\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data;\\r\\nlet IncommingEvents = AllEvents | where NtlmDirection == \\\"Incomming\\\"\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'CallerPID'\\r\\n | project CallerPID = ed['#text']\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'ProcessName'\\r\\n | project ProcessName = 
ed['#text']\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'ClientLUID'\\r\\n | project ClientLUID = ed['#text']\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'ClientUserName'\\r\\n | project ClientUserName = ed['#text']\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'ClientDomainName'\\r\\n | project ClientDomainName = ed['#text']\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'MechanismOID'\\r\\n | project MechanismOID = ed['#text']\\r\\n);\\r\\nlet OutgoingEvents = AllEvents | where NtlmDirection == \\\"Outgoing\\\"\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'TargetName'\\r\\n | project TargetName = ed['#text']\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'UserName'\\r\\n | project UserName = tostring(ed['#text'])\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'DomainName'\\r\\n | project DomainName = ed['#text']\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'CallerPID'\\r\\n | project CallerPID = ed['#text']\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'ProcessName'\\r\\n | project ProcessName = ed['#text']\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'ClientLUID'\\r\\n | project ClientLUID = ed['#text']\\r\\n)\\r\\n| extend ed = 
parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'ClientUserName'\\r\\n | project ClientUserName = ed['#text']\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'ClientDomainName'\\r\\n | project ClientDomainName = ed['#text']\\r\\n)\\r\\n| extend ed = parse_xml(EventData).DataItem.EventData.Data\\r\\n| mv-apply ed on \\r\\n(\\r\\n where ed['@Name'] == 'MechanismOID'\\r\\n | project MechanismOID = ed['#text']\\r\\n)\\r\\n;\\r\\nunion IncommingEvents, OutgoingEvents\\r\\n| project TimeGenerated, Computer, NtlmDirection, TargetName, UserName, DomainName, CallerPID, ProcessName, ClientLUID, ClientUserName, ClientDomainName, MechanismOID\\r\\n\",\"size\":0,\"title\":\"NTLM Events\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Discover state of lanman auth\\r\\nHeartbeat\\r\\n| summarize arg_max(TimeGenerated, *) by Computer\\r\\n| join kind=leftouter (\\r\\n ( ConfigurationData \\r\\n | where ConfigDataType == \\\"Registry\\\"\\r\\n | where RegistryKey =~ \\\"HKEY_LOCAL_MACHINE\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\Lsa\\\"\\r\\n | where ValueName =~ \\\"lmcompatibilitylevel\\\"\\r\\n | summarize arg_max(TimeGenerated, *) by Computer\\r\\n | project SourceComputerId, LmCompatibilityLevel = ValueData )\\r\\n) on SourceComputerId\\r\\n| project Computer, InferredLmCompatibilityLevel = toint(iif(isnull(LmCompatibilityLevel),LmCompatibilityLevel,\\\"3\\\"))\\r\\n| project Computer, LanmanEnabled = (InferredLmCompatibilityLevel <= 3), Ntlmv1Enabled = (InferredLmCompatibilityLevel <= 4)\",\"size\":0,\"title\":\"Lanman Auth 
Level\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Weak authentication protocols\"},\"name\":\"Weak authentication protocols\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Operating System\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Summarises count of VM by OS version\\r\\nlet VersionConfigItems = ConfigurationData \\r\\n| where RegistryKey =~ \\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\"\\r\\n| where ValueName =~ \\\"ProductName\\\" or ValueName =~ \\\"ReleaseId\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by Computer,ValueName\\r\\n| project Computer, ValueName, ValueData;\\r\\nVersionConfigItems\\r\\n| extend p = pack(ValueName, ValueData)\\r\\n| summarize bag=make_bag(p)\\r\\n| evaluate bag_unpack(bag)\\r\\n| project OperatingSystem = strcat(ProductName, \\\" - \\\", ReleaseId)\\r\\n| summarize count() by OperatingSystem\\r\\n| render columnchart\",\"size\":0,\"title\":\"OS summary\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Details VM and associated operating system version\\r\\nlet VersionConfigItems = ConfigurationData \\r\\n| where RegistryKey =~ \\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\"\\r\\n| where ValueName =~ \\\"ProductName\\\" or ValueName =~ \\\"ReleaseId\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by Computer,ValueName\\r\\n| project Computer, ValueName, 
ValueData;\\r\\nVersionConfigItems\\r\\n| extend p = pack(ValueName, ValueData)\\r\\n| summarize bag=make_bag(p) by Computer\\r\\n| evaluate bag_unpack(bag);\",\"size\":0,\"title\":\"OS detailed\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Operating System\"},\"name\":\"Operating System\"}],\"defaultResourceIds\":[\"Azure Monitor\"],\"fallbackResourceIds\":[\"Azure Monitor\"],\"isLocked\":false,\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}", // parse the original into a JSON object, so that it can be manipulated "parsedData": "[json(variables('serializedData'))]",
diff --git a/workbooks/sample-dashboard-workbook.json b/workbooks/sample-dashboard-workbook.json
index 00b9fe2..acfd013 100644
--- a/workbooks/sample-dashboard-workbook.json
+++ b/workbooks/sample-dashboard-workbook.json
@@ -837,5 +837,6 @@
 "fallbackResourceIds": [
 "Azure Monitor"
 ],
+ "isLocked": false,
 "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
 }
\ No newline at end of file
From 6156c6a7a087393c5cc03d9a71578f2cc20b9b04 Mon Sep 17 00:00:00 2001
From: Jimmy Fitzsimmons <44599392+jimmyfit@users.noreply.github.com>
Date: Sat, 5 Feb 2022 15:20:41 +1100
Subject: [PATCH 28/28] Update docs for this PR
---
 docs/ism-guidelines.md | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/docs/ism-guidelines.md b/docs/ism-guidelines.md
index e3b7b96..d31ff5d 100644
--- a/docs/ism-guidelines.md
+++ b/docs/ism-guidelines.md
@@ -13,14 +13,14 @@ Identifier | Description | Measures
 1408 | When developing a Microsoft Windows SOE, the 64-bit version of the operating system is used. | Windows - All
Source images used by Azure Image Builder are all 64-bit.
 1409 | ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems. | Windows - Server 2016
1. Windows Server 2016 SCT baseline settings partially implemented in Azure Image Builder customisation
2. Windows Server 2016 SCT baseline settings partially implemented in Guest Configuration policy (audit only)

Windows - Server 2019
1. Windows Server 2019 SCT baseline settings partially implemented in Azure Image Builder customisation
2. Windows Server 2019 SCT baseline settings partially implemented in Guest Configuration policy (audit only)

Windows - Server 2022
1. Windows Server 2022 SCT baseline settings partially implemented in Azure Image Builder customisation
2. Windows Server 2022 SCT baseline settings partially implemented in Guest Configuration policy (audit only)
 1491 | Standard users are prevented from running script execution engines in Microsoft Windows, including:
• Windows Script Host (cscript.exe and wscript.exe)
• PowerShell (powershell.exe, powershell_ise.exe and pwsh.exe)
• Command Prompt (cmd.exe)
• Windows Management Instrumentation (wmic.exe)
• Microsoft HTML Application Host (mshta.exe). | Windows - All:
Azure Image Builder customisation includes AppLocker configuration to block these script execution engines for standard users
-0843 | Application control is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set. | Windows - All:
1. Azure Image Builder customisation includes enablement of WDAC in Audit mode. Microsoft published user and kernel-mode block lists were used as base rule set. Intelligent Security Graph option is enabled.
2. Enable Azure Monitor Logs collection of Microsoft-Windows-CodeIntegrity/Operational and Microsoft-Windows-AppLocker/MSI and Script logs.
3. Surface WDAC block events in Azure Monitor Workbooks
-1490 | Application control is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set. | Windows - All:
1. Azure Image Builder customisation includes enablement of WDAC in Audit mode. Microsoft published user and kernel-mode block lists were used as base rule set. Intelligent Security Graph option is enabled.
2. Enable Azure Monitor Logs collection of Microsoft-Windows-CodeIntegrity/Operational and Microsoft-Windows-AppLocker/MSI and Script logs.
3. Surface WDAC block events in Azure Monitor Workbooks
-0955 | Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules. | Windows - All:
1. Azure Image Builder customisation includes enablement of WDAC in Audit mode. Microsoft published user and kernel-mode block lists were used as base rule set. Intelligent Security Graph option is enabled.
2. Enable Azure Monitor Logs collection of Microsoft-Windows-CodeIntegrity/Operational and Microsoft-Windows-AppLocker/MSI and Script logs.
3. Surface WDAC block events in Azure Monitor Workbooks
-1471 | When implementing application control using publisher certificate rules, both publisher names and product names are used. | Windows - All:
1. Azure Image Builder customisation includes enablement of WDAC in Audit mode. Microsoft published user and kernel-mode block lists were used as base rule set. Intelligent Security Graph option is enabled.
2. Enable Azure Monitor Logs collection of Microsoft-Windows-CodeIntegrity/Operational and Microsoft-Windows-AppLocker/MSI and Script logs.
3. Surface WDAC block events in Azure Monitor Workbooks
-1392 | When implementing application control using path rules, file system permissions are configured to prevent unauthorised modification of folder and file permissions, folder contents (including adding new files) and individual files that are approved to execute. | Windows - All:
1. Azure Image Builder customisation includes enablement of WDAC in Audit mode. Microsoft published user and kernel-mode block lists were used as base rule set. Intelligent Security Graph option is enabled.
2. Enable Azure Monitor Logs collection of Microsoft-Windows-CodeIntegrity/Operational and Microsoft-Windows-AppLocker/MSI and Script logs.
3. Surface WDAC block events in Azure Monitor Workbooks
-1544 | Microsoft’s latest recommended block rules are implemented to prevent application control bypasses. | Windows - All:
1. Azure Image Builder customisation includes enablement of WDAC in Audit mode. Microsoft published user and kernel-mode block lists were used as base rule set. Intelligent Security Graph option is enabled.
2. Enable Azure Monitor Logs collection of Microsoft-Windows-CodeIntegrity/Operational and Microsoft-Windows-AppLocker/MSI and Script logs.
3. Surface WDAC block events in Azure Monitor Workbooks
-0846 | All users (with the exception of privileged users when performing specific administrative activities) cannot disable, bypass or be exempted from application control. | Windows - All:
1. Azure Image Builder customisation includes enablement of WDAC in Audit mode. Microsoft published user and kernel-mode block lists were used as base rule set. Intelligent Security Graph option is enabled.
2. Enable Azure Monitor Logs collection of Microsoft-Windows-CodeIntegrity/Operational and Microsoft-Windows-AppLocker/MSI and Script logs.
3. Surface WDAC block events in Azure Monitor Workbooks
-0957 | Application control is configured to generate event logs for failed execution attempts, including information such as the name of the blocked file, the date/time stamp and the username of the user attempting to execute the file. | Windows - All:
1. Azure Image Builder customisation includes enablement of WDAC in Audit mode. Microsoft published user and kernel-mode block lists were used as base rule set. Intelligent Security Graph option is enabled.
2. Enable Azure Monitor Logs collection of Microsoft-Windows-CodeIntegrity/Operational and Microsoft-Windows-AppLocker/MSI and Script logs.
3. Surface WDAC block events in Azure Monitor Workbooks
+0843 | Application control is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set. | Windows - All:
1. Azure Image Builder customisation includes enablement of WDAC in Audit mode. Microsoft published user and kernel-mode block lists were used as base rule set. Intelligent Security Graph option is enabled.
2. Enable Azure Monitor Logs collection of relevant events from Microsoft-Windows-CodeIntegrity/Operational and Microsoft-Windows-AppLocker/MSI and Script logs.
3. Surface WDAC block events in Azure Monitor Workbooks
+1490 | Application control is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set. | Windows - All:
1. Azure Image Builder customisation includes enablement of WDAC in Audit mode. Microsoft published user and kernel-mode block lists were used as base rule set. Intelligent Security Graph option is enabled.
2. Enable Azure Monitor Logs collection of relevant events from Microsoft-Windows-CodeIntegrity/Operational and Microsoft-Windows-AppLocker/MSI and Script logs.
3. Surface WDAC block events in Azure Monitor Workbooks
+0955 | Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules. | Windows - All:
1. Azure Image Builder customisation includes enablement of WDAC in Audit mode. Microsoft published user and kernel-mode block lists were used as base rule set. Intelligent Security Graph option is enabled.
2. Enable Azure Monitor Logs collection of relevant events from Microsoft-Windows-CodeIntegrity/Operational and Microsoft-Windows-AppLocker/MSI and Script logs.
3. Surface WDAC block events in Azure Monitor Workbooks
+1471 | When implementing application control using publisher certificate rules, both publisher names and product names are used. | Windows - All:
1. Azure Image Builder customisation includes enablement of WDAC in Audit mode. Microsoft published user and kernel-mode block lists were used as base rule set. Intelligent Security Graph option is enabled.
2. Enable Azure Monitor Logs collection of relevant events from Microsoft-Windows-CodeIntegrity/Operational and Microsoft-Windows-AppLocker/MSI and Script logs.
3. Surface WDAC block events in Azure Monitor Workbooks
+1392 | When implementing application control using path rules, file system permissions are configured to prevent unauthorised modification of folder and file permissions, folder contents (including adding new files) and individual files that are approved to execute. | Windows - All:
1. Azure Image Builder customisation includes enablement of WDAC in Audit mode. Microsoft published user and kernel-mode block lists were used as base rule set. Intelligent Security Graph option is enabled.
2. Enable Azure Monitor Logs collection of relevant events from Microsoft-Windows-CodeIntegrity/Operational and Microsoft-Windows-AppLocker/MSI and Script logs.
3. Surface WDAC block events in Azure Monitor Workbooks
+1544 | Microsoft’s latest recommended block rules are implemented to prevent application control bypasses. | Windows - All:
1. Azure Image Builder customisation includes enablement of WDAC in Audit mode. Microsoft published user and kernel-mode block lists were used as base rule set. Intelligent Security Graph option is enabled.
2. Enable Azure Monitor Logs collection of relevant events from Microsoft-Windows-CodeIntegrity/Operational and Microsoft-Windows-AppLocker/MSI and Script logs.
3. Surface WDAC block events in Azure Monitor Workbooks
+0846 | All users (with the exception of privileged users when performing specific administrative activities) cannot disable, bypass or be exempted from application control. | Windows - All:
1. Azure Image Builder customisation includes enablement of WDAC in Audit mode. Microsoft published user and kernel-mode block lists were used as base rule set. Intelligent Security Graph option is enabled.
2. Enable Azure Monitor Logs collection of relevant events from Microsoft-Windows-CodeIntegrity/Operational and Microsoft-Windows-AppLocker/MSI and Script logs.
3. Surface WDAC block events in Azure Monitor Workbooks
+0957 | Application control is configured to generate event logs for failed execution attempts, including information such as the name of the blocked file, the date/time stamp and the username of the user attempting to execute the file. | Windows - All:
1. Azure Image Builder customisation includes enablement of WDAC in Audit mode. Microsoft published user and kernel-mode block lists were used as base rule set. Intelligent Security Graph option is enabled.
2. Enable Azure Monitor Logs collection of relevant events from Microsoft-Windows-CodeIntegrity/Operational and Microsoft-Windows-AppLocker/MSI and Script logs.
3. Surface WDAC block events in Azure Monitor Workbooks
 1414 | If supported, the latest version of Microsoft’s EMET is implemented on workstations and servers and configured with both operating system mitigation measures and application-specific mitigation measures. | Windows All
Azure Image Builder customisation enables Exploit Protection with sample rule set.
 1492 | If supported, Microsoft's exploit protection functionality is implemented on workstations and servers. | Windows All
Azure Image Builder customisation enables Exploit Protection with sample rule set.
 1621 | PowerShell 2.0 and below is removed from operating systems. | Windows Server
Implements Guest Configuration policy to validate PowerShell 2 is not installed (audit only)

Note: This functionality currently does not work due to upstream bug.
@@ -36,7 +36,7 @@ Identifier | Description | Measures
 1601 | If supported, Microsoft’s Attack Surface Reduction rules are implemented. | Windows Server 2022 & Windows Server 2019
All Microsoft ASR rules are enabled in in Azure Image Builder customisation.
0421 | Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words. | All Windows
1. Azure Image Builder customisation sets minimum password length to 14
2. A Guest Configuration policy validates that the minimum password length has been configured to 14 characters (audit only)
 1403 | Accounts are locked out after a maximum of five failed logon attempts. | Windows All
Use Azure Image Builder to set account lockout threshold value.
-0431 | Repeated account lockouts are investigated before reauthorising access. | Windows All
1. Use Azure Image Builder to enable Windows advanced audit logging, and enable advanced audit subcategories User Account Management (success) and Logon (failure).
2. Set Azure Monitor Logs to collect all Security event logs.
3. Surface failed logins and account lockout events in Azure Monitor Workbooks
+0431 | Repeated account lockouts are investigated before reauthorising access. | Windows All
1. Use Azure Image Builder to enable Windows advanced audit logging, and enable advanced audit subcategories User Account Management (success) and Logon (failure).
2. Set Azure Monitor Logs to collect common Security event logs.
3. Surface failed logins and account lockout events in Azure Monitor Workbooks
 1055 | LAN Manager and NT LAN Manager authentication methods are disabled. | All Windows
1. Azure Image Builder customisation enables NTLM audit logging.
2. A Guest Configuration policy is assigned that verifies NTLM audit logging is enabled (audit only)

Windows Server 2016
A subset of the Windows Server 2016 SCT baseline is configured by Azure Image Builder customisation. As part of that configuration LmCompatibilityLevel is set to 5. (Send NTLMv2 responses only. Refuse LM & NTLM)

Windows Server 2019
A subset of the Windows Server 2019 SCT baseline is configured by Azure Image Builder customisation. As part of that configuration LmCompatibilityLevel is set to 5. (Send NTLMv2 responses only. Refuse LM & NTLM)

Windows Server 2022
A subset of the Windows Server 2022 SCT baseline is configured by Azure Image Builder customisation. As part of that configuration LmCompatibilityLevel is set to 5. (Send NTLMv2 responses only. Refuse LM & NTLM)
 0428 | Systems are configured with a session or screen lock that:
• activates after a maximum of 15 minutes of user inactivity or if manually activated by the user
• completely conceals all information on the screen
• ensures that the screen does not enter a power saving state before the screen or session lock is activated
• requires the user to reauthenticate to unlock the system
• denies users the ability to disable the session or screen locking mechanism. | Windows All
1. Azure Image Builder customisation sets an RDP timeout value.
2. Guest Configuration Policy validates (audit only) that RDP timeout value is configured.
 0408 | Systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted. | Windows All
1. Azure Image Builder customisation sets a logon banner via static registry entry.
2. Azure Guest Configuration policy (audit only) validates a specific logon banner is used.
@@ -50,7 +50,7 @@ Identifier | Description | Measures
 0304 | Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions. | Windows All
Azure Monitor Workbook surfaces a summary report of install count of software by title and version.
 1501 | Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions. | Windows All
Azure Monitor Workbook surfaces a summary report of all VM instances and the OS version they use.
 1405 | A centralised logging facility is implemented and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs. | Deployed virtual machines send logs to Azure Monitor Logs workspace.
-0584 | For any system requiring authentication, logon, failed logon and logoff events are logged. | Windows All
1. Azure Image Builder customisation enables advanced audit logging with Logon subcategory.
2. Azure Monitor Logs is configured to collect all security logs.
+0584 | For any system requiring authentication, logon, failed logon and logoff events are logged. | Windows All
1. Azure Image Builder customisation enables advanced audit logging with Logon subcategory.
2. Azure Monitor Logs is configured to collect common security logs.
 0582 | The following events are logged for operating systems:
• access to important data and processes
• application crashes and any error messages
• attempts to use special privileges
• changes to accounts
• changes to security policy
• changes to system configurations
• Domain Name System (DNS) and Hypertext Transfer Protocol requests
• failed attempts to access data and system resources
• service failures and restarts
• system startup and shutdown
• transfer of data to and from external media
• user or group management
• use of special privileges. | Windows All
Azure Defender is configured to collect Common security logs.

_Note: Setting Azure Defender to "Common" may not all Events IDs necessary to identify the events described in the guideline. Consider Azure Defender event collection setting and adding additional Azure Monitor Data Collection Rules as necessary._
 0521 | IPv6 functionality is disabled in dual-stack network devices and ICT equipment unless it is being used. | Windows All
Azure Monitor Workbook surfaces all Windows systems which are attached to IPv4-only virtual networks, but do not have IPv6 disabled.
 1428 | Unless explicitly required, IPv6 tunnelling is disabled on all network devices and ICT equipment. | Windows All
1. Azure Monitor Logs Change Tracking solution is enabled. Change tracking is enabled for HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters. Azure Monitor Workbook surfaces Windows systems without IPv6 tunnel protocols disabled.