diff --git a/.azure-pipelines/kqlValidations.yaml b/.azure-pipelines/kqlValidations.yaml index b668bdfdf0..b5aa5efa53 100644 --- a/.azure-pipelines/kqlValidations.yaml +++ b/.azure-pipelines/kqlValidations.yaml @@ -14,8 +14,13 @@ jobs: version: '$(dotnetSdkVersion)' - task: DotNetCoreCLI@2 displayName: 'Run kql validation tests' + env: + GITHUBAPPID: $(GitHubAppID) + GITHUBAPPINSTALLATIONID: $(GitHubAppInstallationID) + GITHUBAPPPRIVATEKEY: $(GitHubAppPrivateKey) inputs: command: 'test' arguments: '--configuration $(buildConfiguration)' publishTestResults: true - projects: '**/Kqlvalidations.Tests.csproj' \ No newline at end of file + projects: '**/Kqlvalidations.Tests.csproj' + diff --git a/.github/workflows/slash-command-dispatch.yaml b/.github/workflows/slash-command-dispatch.yaml index 0b2df2dbb9..cd5242aa33 100644 --- a/.github/workflows/slash-command-dispatch.yaml +++ b/.github/workflows/slash-command-dispatch.yaml @@ -43,6 +43,7 @@ jobs: GeneratedToken: ${{ steps.generate_token.outputs.token }} with: token: ${{ env.GeneratedToken }} + permission: none commands: | package Package diff --git a/.script/package-automation/checkSkipPackagingInfo.ps1 b/.script/package-automation/checkSkipPackagingInfo.ps1 index 1e12bee197..c1ae241ca4 100644 --- a/.script/package-automation/checkSkipPackagingInfo.ps1 +++ b/.script/package-automation/checkSkipPackagingInfo.ps1 @@ -1,7 +1,7 @@ param ($solutionName, $pullRequestNumber, $runId, $baseFolderPath, $instrumentationKey) . ./Tools/Create-Azure-Sentinel-Solution/common/LogAppInsights.ps1 - +$isPackagingRequired = $false try { $customProperties = @{ 'RunId'="$runId"; 'PullRequestNumber'= "$pullRequestNumber"; "EventName"="CheckPackagingSkipStatus"; } 
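Review bot: The new `env:` block exports GITHUBAPPPRIVATEKEY into the environment of the `dotnet test` process and of every process it spawns, yet nothing in this commit reads it: the only consumer, the GitHub App branch of `GitHubApiClient.Create()`, is commented out, so the key is exposed for no benefit. Map the three variables only once that branch is live, and keep `$(GitHubAppPrivateKey)` a secret pipeline variable (which the diff cannot show) so its value is masked in task logs. A short comment above `env:` such as `# GitHub App credentials consumed by GitHubApiClient to post PR review comments` would tell the next reader why a test task needs them.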
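Review bot: `permission: none` removes the repository permission a commenter needs to trigger the dispatched `package` command, so — assuming this is the slash-command-dispatch action, whose documented default is `write` — any GitHub account able to comment on a pull request can now start the packaging workflow under the app token from `steps.generate_token`. If letting external contributors run packaging is intended, say so in a comment next to the line and make sure the receiving workflow treats the PR content as untrusted input; otherwise `permission: write` (or at least `read`) keeps the trigger to collaborators. The job definition continues outside the hunk.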
@@ -17,7 +17,7 @@ try if ($null -eq $filesList -or $filesList.Count -le 0) { Write-Host "Skipping as data file is not present!" - Write-Output "isPackagingRequired=$false" >> $env:GITHUB_OUTPUT + Write-Output "isPackagingRequired=$isPackagingRequired" >> $env:GITHUB_OUTPUT } else { @@ -31,9 +31,9 @@ try $isCreatePackageSetToTrue = $dataFileContentObject.createPackage if ($hasCreatePackageAttribute -eq $true -and $isCreatePackageSetToTrue -eq $false) { Write-Host "::warning::Skipping Package Creation for Solution '$solutionName', as Data File has attribute 'createPackage' set to False!" - Write-Output "isPackagingRequired=$false" >> $env:GITHUB_OUTPUT + Write-Output "isPackagingRequired=$isPackagingRequired" >> $env:GITHUB_OUTPUT - $customProperties['isPackagingRequired'] = $false + $customProperties['isPackagingRequired'] = $isPackagingRequired if ($instrumentationKey -ne '') { Send-AppInsightsTraceTelemetry -InstrumentationKey $instrumentationKey -Message "Execution for CheckPackagingSkipStatus started, Job Run Id : $runId" -Severity Information -CustomProperties $customProperties @@ -51,7 +51,7 @@ try if ($changesInPackageFolder.Count -gt 0) { # changes are in Package folder so skip packaging - Write-Output "isPackagingRequired=$false" >> $env:GITHUB_OUTPUT + Write-Output "isPackagingRequired=$isPackagingRequired" >> $env:GITHUB_OUTPUT Write-Host "Skip packaging as changes are in Package folder!" } else 
@@ -66,19 +66,20 @@ try # there are no changes in package folder but check if changes in pr are valid and not from exclusion list if ($changesInSolutionFolder.Count -gt 0) { - + $isPackagingRequired = $true # has changes in Solution folder and valid files # WE NEED PACKAGING - $customProperties['isPackagingRequired'] = $true - Write-Output "isPackagingRequired=$true" >> $env:GITHUB_OUTPUT - + $customProperties['isPackagingRequired'] = $isPackagingRequired + Write-Output "isPackagingRequired=$isPackagingRequired" >> $env:GITHUB_OUTPUT + Write-Host "isPackagingRequired $isPackagingRequired" if ($instrumentationKey -ne '') { Send-AppInsightsTraceTelemetry -InstrumentationKey $instrumentationKey -Message "CheckPackagingSkipStatus started, Job Run Id : $runId" -Severity Information -CustomProperties $customProperties } } else { - Write-Output "isPackagingRequired=$false" >> $env:GITHUB_OUTPUT + Write-Output "isPackagingRequired=$isPackagingRequired" >> $env:GITHUB_OUTPUT + Write-Host "isPackagingRequired $isPackagingRequired" } } } @@ -86,7 +87,7 @@ try } catch { - Write-Output "isPackagingRequired=$false" >> $env:GITHUB_OUTPUT + Write-Output "isPackagingRequired=$isPackagingRequired" >> $env:GITHUB_OUTPUT Write-Host "Error in checkSkipPackagingInfo file. Error Details: $_" if ($instrumentationKey -ne '') { diff --git a/.script/package-automation/package-service.ps1 b/.script/package-automation/package-service.ps1 index d140148eeb..96fbadec39 100644 --- a/.script/package-automation/package-service.ps1 +++ b/.script/package-automation/package-service.ps1 @@ -5,6 +5,9 @@ Write-Host "RunId $runId, PR Number $pullRequestNumber" try { + $baseFolderPath = $baseFolderPath + "/" + $baseFolderPath = $baseFolderPath.replace("//", "/") + Write-Host "====Identifying Solution Name====" # Get Solution Name . $PSScriptRoot/getSolutionName.ps1 $runId $pullRequestNumber $instrumentationKey 
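Review bot: The `catch` block now emits `isPackagingRequired=$isPackagingRequired` instead of a literal `$false`, so when the exception is raised after the `$isPackagingRequired = $true` assignment in the `@@ -66` hunk (for example inside `Send-AppInsightsTraceTelemetry`) the workflow output claims packaging is required even though the check failed. Before this commit the error path always reported `false`; restore that by writing `Write-Output "isPackagingRequired=$false" >> $env:GITHUB_OUTPUT` in the `catch`, or by making `$isPackagingRequired = $false` its first statement. The `try` body starts before the hunk.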
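Review bot: The two added lines turn an unset or empty `$baseFolderPath` into `/`, because `$null + "/"` evaluates to `"/"`, so a missing parameter silently makes the filesystem root the base folder for everything that follows. Guard it first: `if ([string]::IsNullOrWhiteSpace($baseFolderPath)) { throw "baseFolderPath is required" }`. Note also that `.replace("//", "/")` is a single pass, so `///` becomes `//`; `$baseFolderPath.TrimEnd('/') + "/"` normalises the trailing separator without that edge case. The `param` block and the rest of the `try` are outside the hunk.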
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/OracleWebLogicServerEvent.json b/.script/tests/KqlvalidationsTests/CustomTables/OracleWebLogicServerEvent.json index 0b6895e8cc..c593a7ea91 100644 --- a/.script/tests/KqlvalidationsTests/CustomTables/OracleWebLogicServerEvent.json +++ b/.script/tests/KqlvalidationsTests/CustomTables/OracleWebLogicServerEvent.json @@ -98,7 +98,7 @@ "Type": "String" }, { - "Name": "TreadId", + "Name": "ThreadId", "Type": "String" }, { diff --git a/.script/tests/KqlvalidationsTests/CustomTables/UrlClickEvents.json b/.script/tests/KqlvalidationsTests/CustomTables/UrlClickEvents.json new file mode 100644 index 0000000000..dec8da0ad9 --- /dev/null +++ b/.script/tests/KqlvalidationsTests/CustomTables/UrlClickEvents.json @@ -0,0 +1,73 @@ +{ + "Name":"UrlClickEvents", + "Properties":[ + { + "Name": "AccountUpn", + "Type": "string" + }, + { + "Name": "ActionType", + "Type": "string" + }, + { + "Name": "DetectionMethods", + "Type": "string" + }, + { + "Name": "IPAddress", + "Type": "string" + }, + { + "Name": "IsClickedThrough", + "Type": "bool" + }, + { + "Name": "NetworkMessageId", + "Type": "string" + }, + { + "Name": "ReportId", + "Type": "string" + }, + { + "Name": "SourceSystem", + "Type": "string" + }, + { + "Name": "TenantId", + "Type": "string" + }, + { + "Name": "ThreatTypes", + "Type": "string" + }, + { + "Name": "TimeGenerated", + "Type": "datetime" + }, + { + "Name": "Type", + "Type": "string" + }, + { + "Name": "Url", + "Type": "string" + }, + { + "Name": "UrlChain", + "Type": "string" + }, + { + "Name": "Workload", + "Type": "string" + }, + { + "Name": "_BilledSize", + "Type": "real" + }, + { + "Name": "_IsBillable", + "Type": "string" + } +] +} \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/GitHubApiClient.cs b/.script/tests/KqlvalidationsTests/GitHubApiClient.cs index 3feff5b6ea..df58dc7c8d 100644 --- a/.script/tests/KqlvalidationsTests/GitHubApiClient.cs 
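Review bot: The new `UrlClickEvents.json` schema spells its types in lowercase (`"string"`, `"bool"`, `"real"`) while the sibling `OracleWebLogicServerEvent.json` hunk in this same commit uses `"String"`; whether the custom-table loader compares these case-insensitively cannot be told from the diff, so aligning on one spelling avoids a silent mismatch in the validation tests. The file also ends without a trailing newline, which the patch flags explicitly.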
+++ b/.script/tests/KqlvalidationsTests/GitHubApiClient.cs @@ -1,12 +1,23 @@ -using Octokit; +using Microsoft.IdentityModel.Tokens; +using Newtonsoft.Json; +using Octokit; using System; using System.Collections.Generic; +using System.IdentityModel.Tokens.Jwt; +using System.Net.Http; +using System.Security.Claims; +using System.Security.Cryptography; +using System.Threading.Tasks; namespace Kqlvalidations.Tests { + /// + /// Class for GitHub API client + /// public sealed class GitHubApiClient { private static GitHubApiClient _instance; + private static readonly object _lock = new object(); private readonly GitHubClient _client; private string _owner = "Azure"; 
@@ -14,42 +25,64 @@ public sealed class GitHubApiClient private int? _prNumber; private IReadOnlyList _cachedPullRequestFiles; - private GitHubApiClient() + /// + /// Initializes a new instance of the class. + /// + /// access token + private GitHubApiClient(string accessToken) { + var credentials = new Credentials(accessToken); _client = new GitHubClient(new ProductHeaderValue("MicrosoftSentinelValidationApp")); + _client.Credentials = credentials; } - public static GitHubApiClient Instance - { - get - { - if (_instance == null) - { - _instance = new GitHubApiClient(); - } - return _instance; - } - } - - public void SetRepositoryDetails(string owner, string repo) + private GitHubApiClient() { - _owner = owner; - _repo = repo; + _client = new GitHubClient(new ProductHeaderValue("MicrosoftSentinelValidationApp")); } - public int GetPullRequestNumber() + /// + /// Creates singleton instance of + /// + /// singleton instance of GitHub Client + /// Throws an exception if there is an issue with app id, installation id, private key. 
+ public static GitHubApiClient Create() { - if (_prNumber == null) + if (_instance == null) { - int.TryParse(Environment.GetEnvironmentVariable("PRNUM"), out int prNumber); - _prNumber = prNumber; - //uncomment below for debugging with a PR - //_prNumber =8870; - } + lock (_lock) + { + if (_instance == null) + { + //var appId = Environment.GetEnvironmentVariable("GITHUBAPPID"); + //var installationId = Environment.GetEnvironmentVariable("GITHUBAPPINSTALLATIONID"); + //var privateKey = Environment.GetEnvironmentVariable("GITHUBAPPPRIVATEKEY"); + //if (string.IsNullOrEmpty(appId) || string.IsNullOrEmpty(installationId) || string.IsNullOrEmpty(privateKey)) + //{ + // throw new InvalidOperationException("GitHub App ID, Installation ID, or Private Key is missing."); + //} - return _prNumber.GetValueOrDefault(); + //try + //{ + // var jwtToken = GenerateJwtToken(appId, RemovePemHeaderAndFooter(privateKey)); + // var accessToken = GetInstallationAccessToken(installationId, jwtToken).Result; + // _instance = new GitHubApiClient(accessToken); + //} + //catch (Exception ex) + //{ + // throw new InvalidOperationException("Error occurred while creating GitHubApiClient instance.", ex); + //} + _instance = new GitHubApiClient(); + } + } + } + return _instance; } + /// + /// Gets the pull request files. + /// + /// returns pull request files. public IReadOnlyList GetPullRequestFiles() { if (_cachedPullRequestFiles == null) 
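Review bot: `Create()` always ends in `_instance = new GitHubApiClient();`, the parameterless constructor that sets no `Credentials`, because the whole GitHub App path (reading GITHUBAPPID/GITHUBAPPINSTALLATIONID/GITHUBAPPPRIVATEKEY, `GenerateJwtToken`, `GetInstallationAccessToken`) is commented out; the new `GitHubApiClient(string accessToken)` constructor is therefore dead code, every caller receives an unauthenticated client that cannot create the PR reviews `AddPRComment` needs, and the pipeline now injects the private key for nothing. If the feature is being staged, gate it rather than commenting it out, e.g. `_instance = string.IsNullOrEmpty(privateKey) ? new GitHubApiClient() : new GitHubApiClient(GetInstallationAccessToken(installationId, GenerateJwtToken(appId, RemovePemHeaderAndFooter(privateKey))).Result);`, and be aware that blocking on `.Result` inside the `lock` can deadlock under a test-runner synchronization context. Dropping the public `SetRepositoryDetails` method is also a breaking change for any caller not updated in this diff. The class continues past the end of the hunk.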
@@ -60,13 +93,139 @@ public IReadOnlyList GetPullRequestFiles() } catch (Exception ex) { - // Handle the exception as needed - Console.WriteLine($"Error occurred while getting PR files. Error message: {ex.Message}. Stack trace: {ex.StackTrace}"); + HandleException("Error occurred while getting PR files", ex); _cachedPullRequestFiles = new List(); } } - return _cachedPullRequestFiles; } + + /// + /// Adds PR comment. + /// + /// comment + public void AddPRComment(string comment) + { + try + { + int prNumber = GetPullRequestNumber(); + if (prNumber == 0) + { + Console.WriteLine("PR number not available. Cannot add comment."); + return; + } + + var pullRequestReviewCreate = new PullRequestReviewCreate + { + Body = comment, + Event = PullRequestReviewEvent.Comment + }; + + var newComment = _client.PullRequest.Review.Create(_owner, _repo, prNumber, pullRequestReviewCreate).Result; + } + catch (Exception ex) + { + HandleException("Error occurred while adding PR comment", ex); + } + } + + /// + /// Removes the Pem header and footer + /// + /// priavte key + /// returns private key without header and footer + private static string RemovePemHeaderAndFooter(string privateKey) + { + const string header = "-----BEGIN RSA PRIVATE KEY-----"; + const string footer = "-----END RSA PRIVATE KEY-----"; + + int start = privateKey.IndexOf(header) + header.Length; + int end = privateKey.IndexOf(footer, start); + + return privateKey.Substring(start, end - start).Replace("\r", "").Replace("\n", ""); + } + + /// + /// Generates the JWT token with app id and private key + /// + /// app id + /// private key + /// jwt token + private static string GenerateJwtToken(string appId, string privateKey) + { + using (RSA rsa = RSA.Create()) + { + rsa.ImportRSAPrivateKey(Convert.FromBase64String(privateKey), out _); + + var now = DateTimeOffset.UtcNow; + var expiration = now.AddMinutes(10); // Adjust the expiration time as needed + + var signingCredentials = new SigningCredentials(new 
RsaSecurityKey(rsa), SecurityAlgorithms.RsaSha256); + + var claims = new[] + { + new Claim("iat", now.ToUnixTimeSeconds().ToString(), ClaimValueTypes.Integer), + new Claim("exp", expiration.ToUnixTimeSeconds().ToString(), ClaimValueTypes.Integer), + new Claim("iss", appId) + }; + + var token = new JwtSecurityToken(claims: claims, signingCredentials: signingCredentials); + var handler = new JwtSecurityTokenHandler(); + + return handler.WriteToken(token); + } + } + + /// + /// Gets the GitHub access token + /// + /// GitHub app id + /// app installation id + /// jwt token + /// GitHub access token + private static async Task GetInstallationAccessToken(string installationId, string jwtToken) + { + var installationUrl = $"https://api.github.com/app/installations/{installationId}/access_tokens"; + var httpClient = new HttpClient(); + + httpClient.DefaultRequestHeaders.Add("Authorization", $"Bearer {jwtToken}"); + httpClient.DefaultRequestHeaders.Add("Accept", "application/vnd.github.v3+json"); + httpClient.DefaultRequestHeaders.Add("User-Agent", "MicrosoftSentinelValidationApp"); + + var response = await httpClient.PostAsync(installationUrl, null); + response.EnsureSuccessStatusCode(); + + var content = await response.Content.ReadAsStringAsync(); + dynamic json = JsonConvert.DeserializeObject(content); + + return json.token; + } + + /// + /// Handles the excpetion + /// + /// Error Message + /// Excpetion + private void HandleException(string errorMessage, Exception ex) + { + Console.WriteLine($"{errorMessage}. Error message: {ex.Message}. Stack trace: {ex.StackTrace}"); + } + + /// + /// Gets the pull request number. + /// + /// Pull request number. + public int GetPullRequestNumber() + { + if (_prNumber == null) + { + int.TryParse(Environment.GetEnvironmentVariable("PRNUM"), out int prNumber); + _prNumber = prNumber; + // Uncomment below for debugging with a PR + //_prNumber = 9476; + } + return _prNumber.GetValueOrDefault(); + } } + } 
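Review bot: `RemovePemHeaderAndFooter` never checks that `IndexOf` found the header or the footer, so a key that is not a PKCS#1 `RSA PRIVATE KEY` block (a PKCS#8 `-----BEGIN PRIVATE KEY-----` export, or a value mangled by the pipeline variable) surfaces as an `ArgumentOutOfRangeException` from `Substring` instead of a clear error; add `if (start < header.Length || end < 0) throw new FormatException("GITHUBAPPPRIVATEKEY is not a PEM RSA PRIVATE KEY block");` before the `Substring`. In `GetInstallationAccessToken` the `HttpClient` is created per call and never disposed; wrap it in `using` or hold a single static instance. In `GenerateJwtToken` the `iat` claim is the current time, whereas GitHub's guidance for App JWTs is to backdate it by about 60 seconds so that clock drift between the runner and GitHub does not get the token rejected. The enclosing class closes within the hunk.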
diff --git a/.script/tests/KqlvalidationsTests/JsonFilesTestData/DataConnectorFilesLoader.cs b/.script/tests/KqlvalidationsTests/JsonFilesTestData/DataConnectorFilesLoader.cs index c1caae2e11..4ca57c6112 100644 --- a/.script/tests/KqlvalidationsTests/JsonFilesTestData/DataConnectorFilesLoader.cs +++ b/.script/tests/KqlvalidationsTests/JsonFilesTestData/DataConnectorFilesLoader.cs @@ -26,7 +26,7 @@ public override List GetFilesNames() try { var directoryPaths = GetDirectoryPaths(); - var gitHubApiClient = GitHubApiClient.Instance; + var gitHubApiClient = GitHubApiClient.Create(); // Fetch the PR number using the singleton instance int prNumber = gitHubApiClient.GetPullRequestNumber(); diff --git a/.script/tests/KqlvalidationsTests/JsonFilesTestData/JsonFilesLoader.cs b/.script/tests/KqlvalidationsTests/JsonFilesTestData/JsonFilesLoader.cs index 291cfdc5f7..1c4fb1b410 100644 --- a/.script/tests/KqlvalidationsTests/JsonFilesTestData/JsonFilesLoader.cs +++ b/.script/tests/KqlvalidationsTests/JsonFilesTestData/JsonFilesLoader.cs @@ -23,7 +23,7 @@ public virtual List GetFilesNames() return new List(); } - var gitHubApiClient = GitHubApiClient.Instance; + var gitHubApiClient = GitHubApiClient.Create(); var basePath = Utils.GetTestDirectory(TestFolderDepth); var prFilesListModified = GetModifiedFilePaths(gitHubApiClient, basePath); diff --git a/.script/tests/KqlvalidationsTests/KqlBestPracticesChecker.cs b/.script/tests/KqlvalidationsTests/KqlBestPracticesChecker.cs new file mode 100644 index 0000000000..3295f752b7 --- /dev/null +++ b/.script/tests/KqlvalidationsTests/KqlBestPracticesChecker.cs 
@@ -0,0 +1,485 @@ +using System; +using System.Collections.Generic; + +namespace Kqlvalidations.Tests +{ + /// + /// Class for KQL Best practices checker + /// + public class KqlBestPracticesChecker + { + public static string CheckBestPractices(string queryStr, string fileName) + { + try + { + var suggestions = new List(); + + // Rule 1: Don't use the long data type for datetime columns. + CheckDontUseLongForDatetime(queryStr, suggestions); + + // Rule 2: Use the has operator instead of contains for string operators. + CheckUseHasInsteadOfContains(queryStr, suggestions); + + // Rule 3: Use == instead of =~ for case-insensitive comparisons. + CheckUseEqualsInsteadOfEqualsTilde(queryStr, suggestions); + + // Rule 4: Use in instead of in~ for case-sensitive comparisons. + CheckUseInInsteadOfInTilde(queryStr, suggestions); + + // Rule 5: Use contains_cs instead of contains for case-sensitive comparisons. + CheckUseContainsCSInsteadOfContains(queryStr, suggestions); + + // Rule 6: Don't use * for searching text. Look in a specific column. + CheckSearchTextInSpecificColumn(queryStr, suggestions); + + // Rule 7: Use materialize() for let statements with reused variables + CheckLetStatementReuse(queryStr, suggestions); + + // Rule 8: Use Col =~ "lowercasestring". + CheckCaseInsensitiveComparisons(queryStr, suggestions); + + // Rule 9: Filter on a table column. + CheckFilteringOnCalculatedColumn(queryStr, suggestions); + + // Rule 10: Usage of the summarize operator. + CheckSummarizeOperator(queryStr, suggestions); + + // Rule 11: Usage of the join operator. + CheckJoinOperator(queryStr, suggestions); + + // Rule 12: Usage of the materialize operator. + CheckMaterializeFunction(queryStr, suggestions); + + // Combine suggestions into a single string + return FormatSuggestionsWithDisclaimer(suggestions, fileName); + } + catch (Exception ex) + { + // Log the exception or handle it appropriately + Console.WriteLine($"Error occurred while checking KQL best practices. 
Error message: {ex.Message}. Stack trace: {ex.StackTrace}"); + return string.Empty; + } + } + + /// + /// Formats suggestions + /// + /// suggestions + /// filename + /// formatted suggestions + private static string FormatSuggestionsWithDisclaimer(List suggestions, string fileName) + { + if(suggestions.Count== 0) + { + return string.Empty; + } + var formattedSuggestions = new List + { + // Suggestions for the file comment + $"KQL Best Practices Suggestions for: **{fileName}**" + }; + + // Add numbered suggestions + for (int i = 0; i < suggestions.Count; i++) + { + formattedSuggestions.Add($"{i + 1}. {suggestions[i]}"); + } + + // Add the disclaimer + formattedSuggestions.Add("\n**Disclaimer:** These suggestions are offered to enhance query efficiency and adherence to best practices. It is recommended to consider applying them for improved code quality, but their application is optional and context-dependent."); + + return string.Join("\n", formattedSuggestions); + } + + + /// + /// Don't use the long data type for datetime columns. + /// + /// query string + /// suggestions list + private static void CheckDontUseLongForDatetime(string queryStr, List suggestions) + { + var functionsToCheck = new List + { + "unixtime_microseconds_todatetime", + "unixtime_milliseconds_todatetime", + "unixtime_nanoseconds_todatetime", + "unixtime_seconds_todatetime" + }; + + string[] lines = queryStr.Split('\n'); + + foreach (var function in functionsToCheck) + { + foreach (var line in lines) + { + // Skip commented lines + if (line.Trim().StartsWith("//")) + { + continue; + } + + // Example: Check if line contains the function and suggest not using long + if (line.Contains($"{function}(")) + { + suggestions.Add($"Consider using datetime columns directly instead of the long data type. " + + $"KQL works better with datetime than long. " + + $"You can use update policies to convert unix time to the datetime data type during ingestion. 
" + + $"Function causing the suggestion: {function}"); + break; // No need to check other lines once a suggestion is added + } + } + } + } + + + /// + /// Use the has operator instead of contains for string operators. + /// + /// query string + /// suggestions list + private static void CheckUseHasInsteadOfContains(string queryStr, List suggestions) + { + var lines = queryStr.Split('\n'); + + foreach (var line in lines) + { + var trimmedLine = line.Trim(); + + // Skip commented lines + if (trimmedLine.StartsWith("//")) + { + continue; + } + + // Check for the use of contains and suggest using has + if (trimmedLine.Contains("contains", StringComparison.OrdinalIgnoreCase)) + { + suggestions.Add("Use the 'has' operator instead of 'contains' for string operators."); + break; // No need to continue checking once the pattern is found + } + } + } + + + /// + /// Use == instead of =~ for case-insensitive comparisons. + /// + /// query string + /// suggestions list + private static void CheckUseEqualsInsteadOfEqualsTilde(string queryStr, List suggestions) + { + var lines = queryStr.Split('\n'); + + foreach (var line in lines) + { + var trimmedLine = line.Trim(); + + // Skip commented lines + if (trimmedLine.StartsWith("//")) + { + continue; + } + + // Check for the use of =~ and suggest using == for case-sensitive comparisons + if (trimmedLine.Contains("=~", StringComparison.OrdinalIgnoreCase)) + { + suggestions.Add("Use the '==' operator instead of '=~' for case-sensitive comparisons."); + break; // No need to continue checking once the pattern is found + } + } + } + + + /// + /// Use in instead of in~ for case-sensitive comparisons. 
+ /// + /// query string + /// suggestions list + private static void CheckUseInInsteadOfInTilde(string queryStr, List suggestions) + { + var lines = queryStr.Split('\n'); + + foreach (var line in lines) + { + var trimmedLine = line.Trim(); + + // Skip commented lines + if (trimmedLine.StartsWith("//")) + { + continue; + } + + // Check for the use of in~ and suggest using in operator for case-sensitive comparisons + if (trimmedLine.Contains("in~", StringComparison.OrdinalIgnoreCase)) + { + suggestions.Add("Use the 'in' operator instead of 'in~' for case-sensitive comparisons."); + break; // No need to continue checking once the pattern is found + } + } + } + + + /// + /// Use contains_cs instead of contains for case-sensitive comparisons. + /// + /// query string + /// suggestions list + private static void CheckUseContainsCSInsteadOfContains(string queryStr, List suggestions) + { + var lines = queryStr.Split('\n'); + + foreach (var line in lines) + { + var trimmedLine = line.Trim(); + + // Skip commented lines + if (trimmedLine.StartsWith("//")) + { + continue; + } + + // Check for the use of contains and suggest using contains_cs operator for case-sensitive comparisons + if (trimmedLine.Contains("contains", StringComparison.OrdinalIgnoreCase)) + { + suggestions.Add("Use the 'contains_cs' operator instead of 'contains' for case-sensitive comparisons."); + break; // No need to continue checking once the pattern is found + } + } + } + + + /// + /// Don't use * for searching text. Look in a specific column. + /// + /// query string + /// suggestions list + private static void CheckSearchTextInSpecificColumn(string queryStr, List suggestions) + { + var lines = queryStr.Split('\n'); + + foreach (var line in lines) + { + var trimmedLine = line.Trim(); + + // Skip commented lines + if (trimmedLine.StartsWith("//")) + { + continue; + } + + // Check for the presence of '*' in the query. 
+ if (trimmedLine.Contains('*')) + { + suggestions.Add("Don't use '*' for searching text. Look in a specific column."); + break; // No need to continue checking once the pattern is found + } + } + } + + + /// + /// Check Let Statement Reuse + /// + /// query string + /// suggestions list + public static void CheckLetStatementReuse(string queryStr, List suggestions) + { + string[] lines = queryStr.Split('\n'); + + for (int i = 0; i < lines.Length; i++) + { + string line = lines[i].Trim(); + + if (line.StartsWith("let ") && line.Contains('=')) + { + string variableName = line.Substring(4, line.IndexOf('=') - 4).Trim(); + + // Check if the variable is used more than once after its declaration + int variableUsageCount = CountVariableUsage(lines, variableName, i); + + if (variableUsageCount > 1) + { + suggestions.Add($"Consider using the materialize() function for the '{variableName}' variable if its assignment involves computation or calculation. This can improve performance."); + } + } + } + } + + /// + /// Count the number of times a variable is used after its declaration + /// + /// query lines + /// variable name + /// start index + /// returns count + private static int CountVariableUsage(string[] lines, string variableName, int startIndex) + { + int count = 0; + + for (int i = startIndex + 1; i < lines.Length; i++) + { + string line = lines[i].Trim(); + + if (line.Contains(variableName)) + { + count++; + } + } + + return count; + } + + /// + /// Check for case-insensitive comparisons + /// + /// query string + /// suggestions list + public static void CheckCaseInsensitiveComparisons(string queryStr, List suggestions) + { + string[] lines = queryStr.Split('\n'); + + foreach (string line in lines) + { + string trimmedLine = line.Trim(); + + // Ignore commented lines + if (trimmedLine.StartsWith("//")) + { + continue; + } + + // Check for tolower() or toupper() in the query + if (trimmedLine.Contains("tolower(") || trimmedLine.Contains("toupper(")) + { + // Suggest 
using Col =~ "lowercasestring" instead of tolower(Col) == "lowercasestring" + suggestions.Add("Consider using Col =~ \"lowercasestring\" instead of tolower(Col) == \"lowercasestring\" for case-insensitive comparisons."); + break; // We only need one suggestion if the pattern is found + } + } + } + + /// + /// Check for Filter on a table column. + /// + /// query string + /// suggestions list + public static void CheckFilteringOnCalculatedColumn(string queryStr, List suggestions) + { + string[] lines = queryStr.Split('\n'); + string extendedColumn = ""; + + for (int i = 0; i < lines.Length; i++) + { + string line = lines[i].Trim(); + + if (line.StartsWith("| extend")) + { + // Extract the extended column name + int equalIndex = line.IndexOf('='); + + if (equalIndex != -1) + { + extendedColumn = line.Substring("| extend".Length, equalIndex - "| extend".Length).Trim(); + } + } + + if (line.Contains("| where") && line.Contains("==")) + { + // Check if filtering on a calculated column is used + int whereIndex = line.IndexOf("| where"); + + if (whereIndex != -1 && !string.IsNullOrEmpty(extendedColumn) && line.Contains(extendedColumn)) + { + suggestions.Add($"Avoid filtering on calculated columns like '{extendedColumn}'. 
Use in the format of 'T | where predicate(columnName == *value*)' instead of 'T | extend _value = *Expression* | where predicate(_value)'."); + } + } + } + } + + /// + /// Check for the use of summarize operator + /// + /// query string + /// suggestions list + public static void CheckSummarizeOperator(string queryStr, List suggestions) + { + string[] lines = queryStr.Split('\n'); + + for (int i = 0; i < lines.Length; i++) + { + string line = lines[i].Trim(); + + // Check if the line is a comment + if (!line.StartsWith("//")) + { + // Check if the line contains the "summarize" keyword + if (line.Contains("summarize")) + { + suggestions.Add("Consider using hint.shufflekey=key with the summarize operator when group by keys have high cardinality."); + break; // No need to continue checking, as we've found a summarize operator + } + } + } + } + + /// + /// Check for the use of join operator + /// + /// query string + /// suggestions list + public static void CheckJoinOperator(string queryStr, List suggestions) + { + string[] lines = queryStr.Split('\n'); + + for (int i = 0; i < lines.Length; i++) + { + string line = lines[i].Trim(); + + // Check for single-line comments + if (line.StartsWith("//")) + { + continue; + } + + // Check for join operator + if (line.Contains("join ")) + { + suggestions.Add("Consider using hint.strategy=broadcast when the left side is small and the right side is large."); + suggestions.Add("Consider using the lookup operator instead of join when the right side is small and the left side is large."); + suggestions.Add("Consider using hint.shufflekey= when both sides are too large."); + break; // No need to continue checking, as we've found a join operator + } + } + } + + /// + /// Check Usage of the materialize operator. 
+ /// + /// query string + /// suggestions list + public static void CheckMaterializeFunction(string queryStr, List suggestions) + { + string[] lines = queryStr.Split('\n'); + + foreach (string line in lines) + { + string trimmedLine = line.Trim(); + + // Ignore commented lines + if (trimmedLine.StartsWith("//")) + { + continue; + } + + // Check if materialize() is present in the line + if (trimmedLine.Contains("materialize(")) + { + // Suggest using more specific operators before materialize + suggestions.Add("Consider using more specific operators before materialize() to reduce the materialized data set while preserving query semantics."); + break; // No need to continue checking once a materialize is found + } + } + } + } +} diff --git a/.script/tests/KqlvalidationsTests/KqlValidationTests.cs b/.script/tests/KqlvalidationsTests/KqlValidationTests.cs index e3bb8f440d..a11eaae0b7 100644 --- a/.script/tests/KqlvalidationsTests/KqlValidationTests.cs +++ b/.script/tests/KqlvalidationsTests/KqlValidationTests.cs @@ -97,6 +97,7 @@ public void Validate_HuntingQueries_HaveValidKql(string fileName, string encoded var queryStr = (string)res["query"]; ValidateKql(id, queryStr); + ValidateKqlForBestPractices(queryStr, fileName); ValidateKqlForLatestTIData(id, queryStr); } 
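Review bot: Rules 2 and 5 (`CheckUseHasInsteadOfContains`, `CheckUseContainsCSInsteadOfContains`) key on the same `contains` substring and give opposite advice (`has` versus `contains_cs`), and rules 3 and 8 do the same for `=~` (`CheckUseEqualsInsteadOfEqualsTilde` says use `==`, `CheckCaseInsensitiveComparisons` says use `Col =~ "..."`), so any query using either operator receives a contradictory pair of suggestions; the summary on rule 3 also says "case-insensitive" while the message it emits says "case-sensitive". The substring checks are additionally too broad: `contains` matches `contains_cs` and `!contains`, `in~` matches `!in~`, the `'*'` check flags the common `arg_max(TimeGenerated, *)`, and `CountVariableUsage` counts `Events` inside `EventsFiltered`, so most real queries will be flagged. Word-boundary regexes (e.g. `\bcontains\b(?!_cs)`) and a single recommendation per operator would make the output usable. `CheckBestPractices` is the only public entry point without a summary comment; `Runs the heuristic checks below and returns the formatted suggestion text, or an empty string when there are none.` would do.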
@@ -121,9 +122,34 @@ public void Validate_DetectionQueries_HaveValidKql(string fileName, string encod var queryStr = (string)res["query"]; ValidateKql(id, queryStr); + ValidateKqlForBestPractices(queryStr,fileName); ValidateKqlForLatestTIData(id, queryStr); } + /// + /// Validates the KQL for the best practices + /// + /// Query string + /// KQL file name + private void ValidateKqlForBestPractices(string queryStr, string filename) + { + try + { + //var suggestions = KqlBestPracticesChecker.CheckBestPractices(queryStr, filename); + //if (!string.IsNullOrEmpty(suggestions)) + //{ + // var gitHubApiClient = GitHubApiClient.Create(); + // gitHubApiClient.AddPRComment(suggestions); + //} + } + catch (Exception ex) + { + // Log the exception or handle it appropriately + Console.WriteLine($"Error occurred while validating KQL for best practices. Error message: {ex.Message}. Stack trace: {ex.StackTrace}"); + } + } + + // We pass File name to test because in the result file we want to show an informative name for the test [Theory] @@ -202,6 +228,7 @@ public void Validate_ExplorationQueries_HaveValidKql(string fileName, string enc var queryStr = (string)res["query"]; ValidateKql(id, queryStr); + ValidateKqlForBestPractices(queryStr, fileName); } [Theory] @@ -249,6 +276,7 @@ public void Validate_ParsersFunctions_HaveValidKql(string fileName, string encod var queryStr = queryParamsAsLetStatements + (string)yaml["ParserQuery"]; var parserName = (string)yaml["ParserName"]; ValidateKql(parserName, queryStr, false); + ValidateKqlForBestPractices(queryStr, fileName); } // We pass File name to test because in the result file we want to show an informative name for the test 
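Review bot: `ValidateKqlForBestPractices` is a `try` wrapped around fully commented-out code, so the six new call sites in this and the surrounding hunks (`@@ -97`, `@@ -202`, `@@ -249`, `@@ -274`, `@@ -299`) are no-ops and the `catch` is unreachable; if the feature is being staged, gate it instead of shipping dead code, for example `if (Environment.GetEnvironmentVariable("GITHUBAPPPRIVATEKEY") is null) return;` ahead of the real body. When it is enabled, note that it runs once per query file, so a PR touching many templates would receive one review comment per file; collecting the suggestions and posting a single review after the theory completes would be kinder to reviewers and to the API rate limit. The first added call is also missing a space after the comma (`ValidateKqlForBestPractices(queryStr,fileName)`).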
@@ -274,6 +302,7 @@ public void Validate_CommonFunctions_HaveValidKql(string fileName, string encode var queryStr = queryParamsAsLetStatements + (string)yaml["FunctionQuery"]; var parserName = (string)yaml["EquivalentBuiltInFunction"]; ValidateKql(parserName, queryStr, false); + ValidateKqlForBestPractices(queryStr, fileName); } @@ -299,6 +328,7 @@ public void Validate_SolutionParsersFunctions_HaveValidKql(string fileName, stri var queryStr = queryParamsAsLetStatements + (string)yaml["FunctionQuery"]; var parserName = (string)yaml["FunctionName"]; ValidateKql(id.ToString(), queryStr, false); + ValidateKqlForBestPractices(queryStr, fileName); } //Will enable this test case once all txt files removed from the parsers folders @@ -320,7 +350,7 @@ public void Validate_SolutionParsersFunctions_HaveValidKql(string fileName, stri [Fact] public void Validate_AllSolutionParsersFoldersContainsYamlsORMarkdowns() { - var gitHubApiClient = GitHubApiClient.Instance; + var gitHubApiClient = GitHubApiClient.Create(); IReadOnlyList prFiles = gitHubApiClient.GetPullRequestFiles(); 
@@ -394,8 +424,8 @@ private bool ValidateKqlForLatestTI(string queryStr) bool match = Regex.IsMatch(queryStr, tiTablepattern); if (match) { - string queryPattern = @"ThreatIntelligenceIndicator\s*\|\s*where\s*TimeGenerated\s*>=\s*ago\(\w+\)\s*\|\s*summarize\s*LatestIndicatorTime\s*=\s*arg_max\(TimeGenerated,\s*\*\)\s*by\s*IndicatorId\s*\|\s*where\s*(?:ExpirationDateTime\s*>\s*now\(\)\s*and\s*Active\s*==\s*true|Active\s*==\s*true\s*and\s*ExpirationDateTime\s*>\s*now\(\))"; - return Regex.IsMatch(queryStr, queryPattern); + string queryPattern = @"ThreatIntelligenceIndicator\s*\|\s*where\s*TimeGenerated\s*>=\s*ago\(\w+\).*|\s*summarize\s*LatestIndicatorTime\s*=\s*arg_max\(TimeGenerated,\s*\*\)\s*by\s*IndicatorId\s*\|\s*where\s*(?:ExpirationDateTime\s*>\s*now\(\)\s*and\s*Active\s*==\s*true|Active\s*==\s*true\s*and\s*ExpirationDateTime\s*>\s*now\(\))"; + return Regex.IsMatch(queryStr, queryPattern, RegexOptions.Singleline); } return true; } @@ -442,7 +472,9 @@ private Dictionary ReadAndDeserializeYaml(string encodedFilePath private bool ShouldSkipTemplateValidation(string templateId) { return TemplatesToSkipValidationReader.WhiteListTemplates - .Where(template => template.id == templateId) + .Where(template => +template.id + == templateId) .Where(template => !string.IsNullOrWhiteSpace(template.validationFailReason)) .Where(template => !string.IsNullOrWhiteSpace(template.templateName)) .Any(); diff --git a/.script/tests/KqlvalidationsTests/Kqlvalidations.Tests.csproj b/.script/tests/KqlvalidationsTests/Kqlvalidations.Tests.csproj index cec4ab0c7b..02193e610e 100644 --- a/.script/tests/KqlvalidationsTests/Kqlvalidations.Tests.csproj +++ b/.script/tests/KqlvalidationsTests/Kqlvalidations.Tests.csproj @@ -6,9 +6,11 @@ + + all diff --git a/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json b/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json index 6739b96e26..237f21180f 100644 --- a/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json 
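Review bot: The new queryPattern contains an unescaped `|` in `ago\(\w+\).*|\s*summarize`, which turns the whole expression into a top-level alternation: with RegexOptions.Singleline the left branch `ThreatIntelligenceIndicator\s*\|\s*where\s*TimeGenerated\s*>=\s*ago\(\w+\).*` matches any query that merely filters the TI table by TimeGenerated, so the `arg_max(...)` / `Active == true` / `ExpirationDateTime > now()` part is never required and ValidateKqlForLatestTI no longer enforces the latest-active-indicator rule (the large removal from SkipValidationsTemplates.json in the same commit is consistent with templates suddenly passing). The previous pattern escaped that pipe; if the intent is to allow extra operators between the `where` and the `summarize`, the change wanted is `ago\(\w+\).*?\|\s*summarize`. Since the text being matched comes from pull-request templates, this is also a cheap place to add a match timeout: `return Regex.IsMatch(queryStr, queryPattern, RegexOptions.Singleline, TimeSpan.FromSeconds(1));`.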
+++ b/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json @@ -1519,11 +1519,6 @@ "templateName": "EmailEntity_OfficeActivity.yaml", "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" }, - { - "id": "6bb63ef4-9083-4dc3-bc48-7aeb569b13b2", - "templateName": "EmailEntity_PaloAlto.yaml", - "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" - }, { "id": "6db4b928-4029-454e-a4e3-cf761db681e8", "templateName": "EmailEntity_SecurityAlert.yaml", @@ -1534,11 +1529,6 @@ "templateName": "EmailEntity_SecurityEvent.yaml", "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" }, - { - "id": "6d33f647-149a-4339-9db7-0cbf7d7c4e60", - "templateName": "EmailEntity_SigninLogs.yaml", - "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" - }, { "id": "6bbefa0a-d0f2-4a45-91a5-9b8f332edb41", "templateName": "FileHashEntity_CommonSecurityLog.yaml", @@ -2616,11 +2606,6 @@ "templateName": "imDns_DomainEntity_DnsEvents.yaml", "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" }, - { - "id": "cc0a1f32-5bad-412c-96cc-67319dbcd735", - "templateName": "imDns_IPEntity_DnsEvents.yaml", - "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" - }, // Temporarily adding Data connector template id's for KQL Validations - Start // Temporarily adding Data connector template id's for KQL Validations - End 
@@ -2628,181 +2613,16 @@ // Temporarily adding Analytic rules and hunting queries id's for TI KQL Validations - Start - { - "id": "b1832f60-6c3d-4722-a0a5-3d564ee61a63", - "templateName": "DomainEntity_imWebSession.yaml", - "validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation" - }, - { - "id": "cca3b4d9-ac39-4109-8b93-65bb284003e6", - "templateName": "EmailEntity_AzureActivity.yaml", - "validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation" - }, - { - "id": "4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2", - "templateName": "EmailEntity_OfficeActivity.yaml", - "validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation" - }, - { - "id": "ffcd575b-3d54-482a-a6d8-d0de13b6ac63", - "templateName": "EmailEntity_PaloAlto.yaml", - "validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation" - }, - { - "id": "a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc", - "templateName": "EmailEntity_SecurityAlert.yaml", - "validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation" - }, - { - "id": "2fc5d810-c9cc-491a-b564-841427ae0e50", - "templateName": "EmailEntity_SecurityEvent.yaml", - "validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation" - }, - { - "id": "30fa312c-31eb-43d8-b0cc-bcbdfb360822", - "templateName": "EmailEntity_SigninLogs.yaml", - "validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation" - }, - { - "id": "5d33fc63-b83b-4913-b95e-94d13f0d379f", - "templateName": "FileHashEntity_CommonSecurityLog.yaml", - "validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation" - }, - { - "id": "a7427ed7-04b4-4e3b-b323-08b981b9b4bf", - "templateName": "FileHashEntity_SecurityEvent.yaml", - "validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation" - }, { "id": "7241740a-5280-4b74-820a-862312d721a8", 
"templateName": "GitLab_MaliciousIP.yaml", "validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation" }, - { - "id": "999e9f5d-db4a-4b07-a206-29c4e667b7e8", - "templateName": "imDns_DomainEntity_DnsEvents.yaml", - "validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation" - }, - { - "id": "67775878-7f8b-4380-ac54-115e1e828901", - "templateName": "imDns_IPEntity_DnsEvents.yaml", - "validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation" - }, - { - "id": "57c7e832-64eb-411f-8928-4133f01f4a25", - "templateName": "IPEntity_AzureKeyVault.yaml", - "validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation" - }, - { - "id": "d23ed927-5be3-4902-a9c1-85f841eb4fa1", - "templateName": "IPEntity_DuoSecurity.yaml", - "validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation" - }, - { - "id": "e2399891-383c-4caf-ae67-68a008b9f89e", - "templateName": "IPEntity_imNetworkSession.yaml", - "validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation" - }, - { - "id": "f2eb15bd-8a88-4b24-9281-e133edfba315", - "templateName": "IPentity_SigninLogs.yaml", - "validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation" - }, - { - "id": "35a0792a-1269-431e-ac93-7ae2980d4dde", - "templateName": "ProofpointPODEmailSenderInTIList.yaml", - "validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation" - }, - { - "id": "78979d32-e63f-4740-b206-cfb300c735e0", - "templateName": "ProofpointPODEmailSenderIPinTIList.yaml", - "validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation" - }, - { - "id": "a1c02815-4248-4728-a9ae-dac73c67db23", - "templateName": "RecordedFutureDomainMalwareC2inDNSEvents.yaml", - "validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation" - }, - { - "id": 
"dffd068f-fdab-440e-bbc0-34c14b623c89", - "templateName": "RecordedFutureDomainMalwareC2inSyslogEvents.yaml", - "validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation" - }, - { - "id": "388e197d-ec9e-46b6-addb-947d74d2a5c4", - "templateName": "RecordedFutureHashObservedInUndergroundinCommonSecurityLog.yaml", - "validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation" - }, - { - "id": "aac495a9-feb1-446d-b08e-a1164a539452", - "templateName": "Threat Intel Matches to GitHub Audit Logs.yaml", - "validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation" - }, - { - "id": "2a723664-22c2-4d3e-bbec-5843b90166f3", - "templateName": "TIMapIPEntityToLastPass.yaml", - "validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation" - }, { "id": "db60ca0b-b668-439b-b889-b63b57ef20fb", "templateName": "UbiquitiDestinationInTiList.yaml", "validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation" }, - { - "id": "712fab52-2a7d-401e-a08c-ff939cc7c25e", - "templateName": "URLEntity_AuditLogs.yaml", - "validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation" - }, - { - "id": "36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b", - "templateName": "URLEntity_OfficeActivity.yaml", - "validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation" - }, - { - "id": "106813db-679e-4382-a51b-1bfc463befc3", - "templateName": "URLEntity_PaloAlto.yaml", - "validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation" - }, - { - "id": "f30a47c1-65fb-42b1-a7f4-00941c12550b", - "templateName": "URLEntity_SecurityAlerts.yaml", - "validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation" - }, - { - "id": "b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf", - "templateName": "URLEntity_Syslog.yaml", - "validationFailReason": "Temporarily Added for Threat 
Intelligence KQL Queries validation" - }, - { - "id": "410da56d-4a63-4d22-b68c-9fb1a303be6d", - "templateName": "FileEntity_OfficeActivity.yaml", - "validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation" - }, - { - "id": "233441b9-cc92-4c9b-87fa-73b855fcd4b8", - "templateName": "FileEntity_SecurityEvent.yaml", - "validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation" - }, - { - "id": "18f7de84-de55-4983-aca3-a18bc846b4e0", - "templateName": "FileEntity_Syslog.yaml", - "validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation" - }, - { - "id": "172a321b-c46b-4508-87c6-e2691c778107", - "templateName": "FileEntity_VMConnection.yaml", - "validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation" - }, - { - "id": "689a9475-440b-4e69-8ab1-a5e241685f39", - "templateName": "FileEntity_WireData.yaml", - "validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation" - }, - { - "id": "388e197d-ec9e-46b6-addb-947d74d2a5c4", - "templateName": "RecordedFutureHashObservedInUndergroundinCommonSecurityLog.yaml", - "validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation" - }, { "id": "0f872637-8817-44a0-bb9d-ceab3dbd4ecd", "templateName": "Brute Force Attack against GitHub Account.yaml", diff --git a/.script/tests/KqlvalidationsTests/YamlFilesTestData/YamlFilesLoader.cs b/.script/tests/KqlvalidationsTests/YamlFilesTestData/YamlFilesLoader.cs index 2288344521..3bcf3ffdac 100644 --- a/.script/tests/KqlvalidationsTests/YamlFilesTestData/YamlFilesLoader.cs +++ b/.script/tests/KqlvalidationsTests/YamlFilesTestData/YamlFilesLoader.cs @@ -16,7 +16,7 @@ public abstract class YamlFilesLoader public List GetFilesNames(bool loadAllFiles = false) { - var gitHubApiClient = GitHubApiClient.Instance; + var gitHubApiClient = GitHubApiClient.Create(); if (loadAllFiles) { 
diff --git a/DataConnectors/PPInventory/azuredeploy_PowerPlatformInventory_API_FunctionApp.json b/DataConnectors/PPInventory/azuredeploy_PowerPlatformInventory_API_FunctionApp.json index 4ff4f55985..94bb31d755 100644 --- a/DataConnectors/PPInventory/azuredeploy_PowerPlatformInventory_API_FunctionApp.json +++ b/DataConnectors/PPInventory/azuredeploy_PowerPlatformInventory_API_FunctionApp.json @@ -33,10 +33,12 @@ "tagsByResource": { "type": "object", "defaultValue": {} + }, + "storageAccountName": { + "type": "string" } }, "variables": { - "storageAccountName": "[concat(replace(toLower(parameters('functionAppName')),'-',''),'sa')]", "storageSuffix": "[environment().suffixes.storage]", "serverFarmName": "[concat('serverfarm_', parameters('functionAppName'))]", "appInsightsLogName": "[concat(parameters('functionAppName'),'Logs')]", @@ -464,7 +466,7 @@ ] } } - } + } ], "outputs": {} } @@ -515,7 +517,7 @@ { "type": "Microsoft.Storage/storageAccounts", "apiVersion": "2022-09-01", - "name": "[variables('storageAccountName')]", + "name": "[parameters('storageAccountName')]", "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Storage/storageAccounts'), parameters('tagsByResource')['Microsoft.Storage/storageAccounts'], json('{}')) ]", "location": "[parameters('location')]", "kind": "StorageV2", @@ -534,7 +536,7 @@ "kind": "functionapp,linux", "dependsOn": [ "[resourceId('Microsoft.Web/serverfarms', variables('serverFarmName'))]", - "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]", + "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]", "[resourceId('Microsoft.Insights/components', variables('appInsightsLogName'))]", "[resourceId('Microsoft.Insights/dataCollectionRules', variables('dataCollectionRuleName'))]" ], 
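Review bot: The new `storageAccountName` parameter is a bare `"type": "string"`, whereas the variable it replaces sanitised the value with `replace(toLower(...),'-','')`; nothing in the template now enforces the 3–24 lowercase-alphanumeric rule for storage account names. The storage resource is also declared with the raw `parameters('storageAccountName')` while the app settings resolve `listKeys` against `toLower(parameters('storageAccountName'))`, so a mixed-case input would reference a different resourceId than the one being created. Add constraints and a description, e.g. `"storageAccountName": { "type": "string", "minLength": 3, "maxLength": 24, "metadata": { "description": "Storage account used by the Function App (3-24 lowercase letters and digits)" } }`, and use the same `toLower()` form (or none) in every reference.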
@@ -560,11 +562,11 @@ "appSettings": [ { "name": "AzureWebJobsStorage", - "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('storageAccountName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('storageAccountName'))), '2022-09-01').keys[0].value, ';EndpointSuffix=',toLower(variables('storageSuffix')))]" + "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(parameters('storageAccountName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(parameters('storageAccountName'))), '2022-09-01').keys[0].value, ';EndpointSuffix=',toLower(variables('storageSuffix')))]" }, { "name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING", - "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('storageAccountName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('storageAccountName'))), '2022-09-01').keys[0].value, ';EndpointSuffix=',toLower(variables('storageSuffix')))]" + "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(parameters('storageAccountName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(parameters('storageAccountName'))), '2022-09-01').keys[0].value, ';EndpointSuffix=',toLower(variables('storageSuffix')))]" }, { "name": "STORAGE_ACCOUNT_URL", diff --git a/DataConnectors/PPInventory/createUIDef.json b/DataConnectors/PPInventory/createUIDef.json index 52940e043a..a6a52c8134 100644 --- a/DataConnectors/PPInventory/createUIDef.json +++ b/DataConnectors/PPInventory/createUIDef.json 
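Review bot: Both `AzureWebJobsStorage` and `WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` still embed the storage account key from `listKeys(...).keys[0].value` in plaintext app settings, so anyone who can read the Function App configuration holds a full-access key to the account and rotating it requires a redeploy; this commit only swaps the variable for the parameter and leaves that in place. For `AzureWebJobsStorage` the Functions host supports identity-based connections — `{ "name": "AzureWebJobsStorage__accountName", "value": "[parameters('storageAccountName')]" }` with the app's managed identity granted the Storage Blob/Queue/Table data roles — which keeps the key out of configuration. `WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` still needs a key-based string on plans that mount a content share, so if that applies here it should at least be documented with a comment-equivalent in the parameter metadata. The appSettings array continues outside the hunk.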
@@ -63,7 +63,7 @@ "type": "Microsoft.Common.TextBlock", "visible": true, "options": { - "text": "Configure the Function App used to collect Power Platform Inventory data. As part of the deploymnet, the Function App and Storage Account resources will be created in the target resource group. Function App health logs and metrics will be sent to selected App Insights workspace." + "text": "Configure the Function App used to collect Power Platform Inventory data. As part of the deployment, the Function App and Storage Account resources will be created in the target resource group. Function App health logs and metrics will be sent to selected App Insights workspace." } }, { @@ -109,10 +109,10 @@ { "name": "newStorageAccountName", "type": "Microsoft.Common.TextBox", - "label": "Storage account name", + "label": "Function App storage account name", "visible": true, "defaultValue": "[toLower(concat('PPInventory', first(split(steps('basics').resourceScope.subscription.subscriptionId, '-')), 'sa'))]", - "toolTip": "Name of the Storage account", + "toolTip": "Name of the storage account used by the Function App (this is NOT the ADLSv2 account)", "constraints": { "required": true, "validations": [ @@ -128,7 +128,7 @@ "type": "Microsoft.Common.DropDown", "label": "App Insights workspace", "defaultValue": "[steps('basics').sentinelWorkspace.name]", - "toolTip": "Select the workspace used to send Function App health logs and metrics", + "toolTip": "Select the workspace used to send Function App health logs and metrics. You can use the Sentinel workspace.", "multiselect": false, "selectAll": true, "filter": true, diff --git a/DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/README.md b/DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/README.md index 68d9dc26cf..ab06e290f1 100644 --- a/DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/README.md 
+++ b/DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/README.md @@ -42,8 +42,8 @@ output { } ``` Note: make sure that the path exists before creating the sample file. -2) Start Logstash. The plugin will write up to 10 records to a sample file named "sampleFile.json" in the configured path -(for example: "c:\temp\sampleFile1648453501.json") +2) Start Logstash. The plugin will collect up to 10 records to a sample. +3) The file named "sampleFile.json" in the configured path will be created once there are 10 events to sample or when the Logstash process exited gracefully. (for example: "c:\temp\sampleFile1648453501.json"). ### Configurations: diff --git a/Detections/ASimAuthentication/imAuthBruteForce.yaml b/Detections/ASimAuthentication/imAuthBruteForce.yaml index e6814f980b..8cdfe768b8 100644 --- a/Detections/ASimAuthentication/imAuthBruteForce.yaml +++ b/Detections/ASimAuthentication/imAuthBruteForce.yaml @@ -40,17 +40,32 @@ query: | | extend IpAddresses = strcat_array(IpAddresses, ", "), ReportedBy = strcat_array(ReportedBy, ", ") + | extend + Name = iif( + TargetUsername contains "@" + , tostring(split(TargetUsername, '@', 0)[0]) + , TargetUsername + ), + UPNSuffix = iif( + TargetUsername contains "@" + , tostring(split(TargetUsername, '@', 1)[0]) + , "" + ) entityMappings: - entityType: Account fieldMappings: - identifier: FullName - columnName: TargetUsername + columnName: TargetUserName + - identifier: Name + columnName: Name + - identifier: UPNSuffix + columnName: UPNSuffix customDetails: IpAddresses: IpAddresses ReportedBy: ReportedBy -version: 1.2.2 +version: 1.2.4 kind: Scheduled metadata: source: diff --git a/Detections/ASimAuthentication/imAuthPasswordSpray.yaml b/Detections/ASimAuthentication/imAuthPasswordSpray.yaml index 13c38ad304..19ba7703fd 100644 --- a/Detections/ASimAuthentication/imAuthPasswordSpray.yaml +++ b/Detections/ASimAuthentication/imAuthPasswordSpray.yaml 
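Review bot: In imAuthBruteForce.yaml the Account FullName mapping was changed to `columnName: TargetUserName`, but the column the new `extend` reads is `TargetUsername` (lower-case n, the ASIM field name); KQL column names are case-sensitive, so FullName would map to a non-existent column and only Name/UPNSuffix would populate the entity. Change that line back to `columnName: TargetUsername` unless the query explicitly projects `TargetUserName`, which is not visible here. The derived `Name`/`UPNSuffix` columns themselves look correct, including the empty UPNSuffix when there is no `@`.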
@@ -28,15 +28,13 @@ query: | , Users = make_set(TargetUserId,100) by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, 5m) | where UserCount > FailureThreshold - | extend timestamp = TimeGenerated, IPCustomEntity = SrcDvcIpAddr - entityMappings: - entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity -version: 1.1.2 + columnName: SrcDvcIpAddr +version: 1.1.3 kind: Scheduled metadata: source: diff --git a/Detections/ASimAuthentication/imAuthSigninsMultipleCountries.yaml b/Detections/ASimAuthentication/imAuthSigninsMultipleCountries.yaml index 88aeca3fc6..3131788658 100644 --- a/Detections/ASimAuthentication/imAuthSigninsMultipleCountries.yaml +++ b/Detections/ASimAuthentication/imAuthSigninsMultipleCountries.yaml @@ -49,11 +49,13 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: TargetUserName - identifier: Name columnName: Name - identifier: UPNSuffix columnName: UPNSuffix -version: 1.2.3 +version: 1.2.4 kind: Scheduled metadata: source: diff --git a/Detections/ASimAuthentication/imSigninAttemptsByIPviaDisabledAccounts.yaml b/Detections/ASimAuthentication/imSigninAttemptsByIPviaDisabledAccounts.yaml index ab6bd66c5d..9fa144ba6f 100644 --- a/Detections/ASimAuthentication/imSigninAttemptsByIPviaDisabledAccounts.yaml +++ b/Detections/ASimAuthentication/imSigninAttemptsByIPviaDisabledAccounts.yaml @@ -42,14 +42,13 @@ query: | | project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, successfulAccountSigninCount, successfulAccountSigninSet, Type | order by disabledAccountLoginAttempts - | extend timestamp = StartTime, IPCustomEntity = SrcDvcIpAddr entityMappings: - entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity -version: 1.0.2 + columnName: SrcDvcIpAddr +version: 1.0.3 kind: Scheduled metadata: source: 
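Review bot: In imAuthSigninsMultipleCountries.yaml the added `FullName` mapping to `TargetUserName` should be checked against the query, which is outside this hunk: the ASIM authentication field is spelled `TargetUsername`, the sibling rule imAuthBruteForce in this same change reads `TargetUsername` in its query, and entity column names are case-sensitive, so a FullName mapping to `TargetUserName` would silently resolve to no column unless the query projects it under exactly that spelling. If the query uses the ASIM name, the line should read `columnName: TargetUsername`.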
diff --git a/Detections/ASimDNS/imDNS_Miners.yaml b/Detections/ASimDNS/imDNS_Miners.yaml index 241b11e79d..16965f5ee3 100644 --- a/Detections/ASimDNS/imDNS_Miners.yaml +++ b/Detections/ASimDNS/imDNS_Miners.yaml @@ -57,17 +57,27 @@ query: | "moneropool.ru", "cryptonotepool.org.uk", "extremepool.org", "extremehash.com", "hashinvest.net", "unipool.pro", "crypto-pools.org", "monero.net", "backup-pool.com", "mooo.com", "freeyy.me", "cryptonight.net", "shscrypto.net"]); _Im_Dns(domain_has_any=minersDomains) - | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc + | extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.')) + | extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc) + | project-away DomainIndex entityMappings: - entityType: Host fieldMappings: - identifier: FullName - columnName: HostCustomEntity + columnName: Dvc + - identifier: HostName + columnName: HostName + - identifier: DnsDomain + columnName: HostNameDomain - entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity -version: 1.3.2 + columnName: SrcIpAddr + - entityType: AzureResource + fieldMappings: + - identifier: ResourceId + columnName: _ResourceId +version: 1.3.4 kind: Scheduled metadata: source: diff --git a/Detections/ASimDNS/imDNS_TorProxies.yaml b/Detections/ASimDNS/imDNS_TorProxies.yaml index 66a7dbf70e..bc433bcbb2 100644 --- a/Detections/ASimDNS/imDNS_TorProxies.yaml +++ b/Detections/ASimDNS/imDNS_TorProxies.yaml 
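Review bot: The DnsDomain fallback in `HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)` places the whole device name into the DnsDomain identifier when `Dvc` contains no dot, so a short name such as `dns01` yields HostName=`dns01` and DnsDomain=`dns01` and the Host entity is tagged with a bogus domain; the fallback should be empty, `HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), "")`. The same expression is repeated in the TorProxies, NewEXE and Sdelete-via-GPO rules in this change. The new AzureResource mapping on `_ResourceId` presumably only populates for data ingested from Azure resources and is otherwise absent, which is harmless but worth a one-line comment above the mapping.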
@@ -48,17 +48,23 @@ query: | "tor2web.blutmagie.de", "onion.sh", "onion.lu", "onion.pet", "t2w.pw", "tor2web.ae.org", "tor2web.io", "tor2web.xyz", "onion.lt", "s1.tor-gateways.de", "s2.tor-gateways.de", "s3.tor-gateways.de", "s4.tor-gateways.de", "s5.tor-gateways.de", "hiddenservice.net"]); _Im_Dns(domain_has_any=torProxies) - | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc + | extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.')) + | extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc) + | project-away DomainIndex entityMappings: - entityType: Host fieldMappings: - identifier: FullName - columnName: HostCustomEntity + columnName: Dvc + - identifier: HostName + columnName: HostName + - identifier: DnsDomain + columnName: HostNameDomain - entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity -version: 1.3.2 + columnName: SrcIpAddr +version: 1.3.4 kind: Scheduled metadata: source: diff --git a/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml b/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml index 9166a4dc24..ef8bda283c 100644 --- a/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml +++ b/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml @@ -53,13 +53,12 @@ query: | | where count_ > threshold | join kind=inner (_Im_Dns(responsecodename='NXDOMAIN') ) on SrcIpAddr - | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr entityMappings: - entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity -version: 1.3.3 + columnName: SrcIpAddr +version: 1.3.4 kind: Scheduled metadata: source: diff --git a/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml b/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml index 4e2a1b15a2..cf708bac04 100644 --- a/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml +++ b/Detections/ASimDNS/imDns_HighNXDomainCount_detection.yaml 
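Review bot: In imDNS_TorProxies.yaml the fallback branch of `HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)` returns the full device name when there is no dot, so an undotted `Dvc` produces a DnsDomain identifier equal to the host name. Use an empty fallback instead: `HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), "")`. The ExcessiveNXDOMAIN hunk on this line is a straightforward mapping cleanup.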
@@ -57,7 +57,7 @@ query: | | where DnsQuery !contains "/" and DnsQuery contains "."}; nxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now()) | extend sld = tostring(split(DnsQuery, ".")[-2]) - | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by SrcIpAddr + | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(sld) by SrcIpAddr | where dcount_sld > threshold // Filter out previously seen IPs | join kind=leftanti (nxDomainDnsEvents (stime=ago(referencestarttime), etime=ago(referenceendtime)) @@ -66,14 +66,13 @@ query: | | where dcount_sld > threshold ) on SrcIpAddr // Pull out sample NXDomain responses for those remaining potentially infected IPs | join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr - | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld - | extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr + | summarize StartTime = min(StartTime), EndTime = max(EndTime), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld entityMappings: - entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity -version: 1.3.2 + columnName: SrcIpAddr +version: 1.3.3 kind: Scheduled metadata: source: diff --git a/Detections/ASimFileEvent/imFileESolarWindsSunburstSupernova.yaml b/Detections/ASimFileEvent/imFileESolarWindsSunburstSupernova.yaml index 0454b49290..7d422bf7d1 100644 --- a/Detections/ASimFileEvent/imFileESolarWindsSunburstSupernova.yaml +++ b/Detections/ASimFileEvent/imFileESolarWindsSunburstSupernova.yaml 
@@ -27,29 +27,33 @@ query: | let SunburstMD5=dynamic(["b91ce2fa41029f6955bff20079468448","02af7cec58b9a5da1c542b5a32151ba1","2c4a910a1299cdae2a4e55988a2f102e","846e27a652a5e1bfbd0ddd38a16dc865","4f2eb62fa529c0283b28d05ddd311fae"]); let SupernovaMD5="56ceb6d0011d87b6e4d7023d7ef85676"; imFileEvent - | where TargetFileMD5 in(SunburstMD5) or TargetFileMD5 in(SupernovaMD5) - | extend - timestamp = TimeGenerated, - AccountCustomEntity = User, - HostCustomEntity = DvcHostname, - FileHashCustomEntity = TargetFileMD5, - AlgorithmCustomEntity = "MD5" + | where TargetFileMD5 in (SunburstMD5) or TargetFileMD5 in (SupernovaMD5) + | extend AccountName = tostring(split(User, @'\')[1]), AccountNTDomain = tostring(split(User, @'\')[0]) + | extend AlgorithmType = "MD5" entityMappings: - entityType: Account fieldMappings: - identifier: FullName - columnName: AccountCustomEntity + columnName: User + - identifier: Name + columnName: AccountName + - identifier: NTDomain + columnName: AccountNTDomain - entityType: Host fieldMappings: - identifier: FullName - columnName: HostCustomEntity + columnName: Dvc + - identifier: HostName + columnName: DvcHostname + - identifier: DnsDomain + columnName: DvcDomain - entityType: FileHash fieldMappings: - identifier: Algorithm - columnName: AlgorithmCustomEntity + columnName: AlgorithmType - identifier: Value - columnName: FileHashCustomEntity -version: 1.0.5 + columnName: TargetFileMD5 +version: 1.0.7 kind: Scheduled metadata: source: diff --git a/Detections/ASimProcess/NewEXEdeployedviaDefaultDomainorDefaultDomainControllerPolicies(ASIMVersion).yaml b/Detections/ASimProcess/NewEXEdeployedviaDefaultDomainorDefaultDomainControllerPolicies(ASIMVersion).yaml index 90c9dd7d80..e67e5984ef 100644 --- a/Detections/ASimProcess/NewEXEdeployedviaDefaultDomainorDefaultDomainControllerPolicies(ASIMVersion).yaml +++ b/Detections/ASimProcess/NewEXEdeployedviaDefaultDomainorDefaultDomainControllerPolicies(ASIMVersion).yaml 
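Review bot: `AccountName = tostring(split(User, @'\')[1]), AccountNTDomain = tostring(split(User, @'\')[0])` assumes `User` is in DOMAIN\user form; for a UPN or a bare user name `split` yields a single element, so AccountName is empty and AccountNTDomain receives the whole user name, giving the Account entity an empty Name and a bogus NTDomain. Guard on the separator: `AccountName = iff(User contains @'\', tostring(split(User, @'\')[1]), User), AccountNTDomain = iff(User contains @'\', tostring(split(User, @'\')[0]), "")`. If the parser also exposes a username-type column, gating on that would be cleaner than string inspection.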
@@ -32,18 +32,25 @@ query: | | where Process has_any ("Policies\\{6AC1786C-016F-11D2-945F-00C04fB984F9}", "Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}") | where Process !in (known_processes) | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, CommandLine, DvcHostname + | extend HostName = tostring(split(DvcHostname, ".")[0]), DomainIndex = toint(indexof(DvcHostname, '.')) + | extend HostNameDomain = iff(DomainIndex != -1, substring(DvcHostname, DomainIndex + 1), DvcHostname) + | project-away DomainIndex entityMappings: - entityType: Host fieldMappings: - - identifier: HostName + - identifier: FullName columnName: DvcHostname -version: 1.0.3 + - identifier: HostName + columnName: HostName + - identifier: DnsDomain + columnName: HostNameDomain +version: 1.0.5 kind: Scheduled metadata: source: kind: Community author: - name: Pete Bryan + name: Microsoft Security Community support: tier: Community categories: diff --git a/Detections/ASimProcess/Potentialre-namedsdeleteusage(ASIMVersion).yaml b/Detections/ASimProcess/Potentialre-namedsdeleteusage(ASIMVersion).yaml index 0937313f7c..2ef8138529 100644 --- a/Detections/ASimProcess/Potentialre-namedsdeleteusage(ASIMVersion).yaml +++ b/Detections/ASimProcess/Potentialre-namedsdeleteusage(ASIMVersion).yaml 
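Review bot: The fallback in `HostNameDomain = iff(DomainIndex != -1, substring(DvcHostname, DomainIndex + 1), DvcHostname)` copies the undotted host name into the DnsDomain identifier; it should be `""` so that a plain host name does not get a bogus domain. Separately, this rule derives the host/domain split from `DvcHostname`, whereas the Sunburst and sdelete rules in the same change map `FullName` to `Dvc`, `HostName` to `DvcHostname` and `DnsDomain` to `DvcDomain` straight from the parser; if those fields are populated for this source, using them here would be both simpler and consistent, e.g. `- identifier: FullName` / `columnName: Dvc`. The summarize on the line above would then need to carry `Dvc` and `DvcDomain` through.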
@@ -18,29 +18,38 @@ relevantTechniques: - T1036 query: | imProcess - | where CommandLine has_all ("accepteula", "-s", "-r", "-q") - | where Process !endswith "sdelete.exe" - | where CommandLine !has "sdelete" + | where CommandLine has_all ("accepteula", "-s", "-r", "-q") + | where Process !endswith "sdelete.exe" + | where CommandLine !has "sdelete" + | extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\')[0]) entityMappings: + - entityType: Account + fieldMappings: + - identifier: FullName + columnName: ActorUsername + - identifier: Name + columnName: AccountName + - identifier: NTDomain + columnName: AccountNTDomain - entityType: Host fieldMappings: - identifier: FullName + columnName: Dvc + - identifier: HostName columnName: DvcHostname + - identifier: DnsDomain + columnName: DvcDomain - entityType: IP fieldMappings: - identifier: Address columnName: DvcIpAddr - - entityType: Account - fieldMappings: - - identifier: FullName - columnName: ActorUsername -version: 1.0.4 +version: 1.0.6 kind: Scheduled metadata: source: kind: Community author: - name: Pete Bryan + name: Microsoft Security Research support: tier: Community categories: diff --git a/Detections/ASimProcess/SdeletedeployedviaGPOandrunrecursively(ASIMVersion).yaml b/Detections/ASimProcess/SdeletedeployedviaGPOandrunrecursively(ASIMVersion).yaml index 258bd8e2f9..4f1fa5cfd2 100644 --- a/Detections/ASimProcess/SdeletedeployedviaGPOandrunrecursively(ASIMVersion).yaml +++ b/Detections/ASimProcess/SdeletedeployedviaGPOandrunrecursively(ASIMVersion).yaml 
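Review bot: `AccountName = tostring(split(ActorUsername, @'\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\')[0])` only works for DOMAIN\user values; for a UPN or simple user name `[1]` is empty and `[0]` is the full user name, so the Account entity ends up with an empty Name and the user name in NTDomain. Make the split conditional: `AccountName = iff(ActorUsername contains @'\', tostring(split(ActorUsername, @'\')[1]), ActorUsername), AccountNTDomain = iff(ActorUsername contains @'\', tostring(split(ActorUsername, @'\')[0]), "")`. The Host mapping to `Dvc`/`DvcHostname`/`DvcDomain` is the right shape and the pattern the other rules in this change should follow.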
@@ -17,38 +17,52 @@ tags: - query: | imProcess - | where EventType =~ "ProcessCreated" - | where Process endswith "svchost.exe" - | where CommandLine has "-k GPSvcGroup" or CommandLine has "-s gpsvc" - | extend timekey = bin(TimeGenerated, 1m) - | project timekey, ActingProcessId, Dvc - | join kind=inner (imProcess + | where EventType =~ "ProcessCreated" + | where Process endswith "svchost.exe" + | where CommandLine has "-k GPSvcGroup" or CommandLine has "-s gpsvc" + | extend timekey = bin(TimeGenerated, 1m) + | project timekey, ActingProcessId, Dvc + | join kind=inner ( + imProcess | where EventType =~ "ProcessCreated" | where Process =~ "sdelete.exe" or CommandLine has "sdelete" | where ActingProcessName endswith "svchost.exe" | where CommandLine has_all ("-s", "-r") | extend timekey = bin(TimeGenerated, 1m) - ) on $left.ActingProcessId == $right.ParentProcessId, timekey, Dvc + ) + on $left.ActingProcessId == $right.ParentProcessId, timekey, Dvc + | extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\')[0]) + | extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.')) + | extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc) + | project-away DomainIndex entityMappings: - entityType: Account fieldMappings: - identifier: FullName columnName: ActorUsername - - entityType: IP - fieldMappings: - - identifier: Address - columnName: DvcIpAddr + - identifier: Name + columnName: AccountName + - identifier: NTDomain + columnName: AccountNTDomain - entityType: Host fieldMappings: - identifier: FullName columnName: Dvc -version: 1.0.3 + - identifier: HostName + columnName: HostName + - identifier: DnsDomain + columnName: HostNameDomain + - entityType: IP + fieldMappings: + - identifier: Address + columnName: DvcIpAddr +version: 1.0.5 kind: Scheduled metadata: source: kind: Community author: - name: Pete Bryan + name: Microsoft Security Research support: 
tier: Community categories: diff --git a/Detections/ASimProcess/imFileEvent_Dev-0228FilePathHashesNovember2021(ASIMVersion).yaml b/Detections/ASimProcess/imFileEvent_Dev-0228FilePathHashesNovember2021(ASIMVersion).yaml index 23a65beebe..e40d627b61 100644 --- a/Detections/ASimProcess/imFileEvent_Dev-0228FilePathHashesNovember2021(ASIMVersion).yaml +++ b/Detections/ASimProcess/imFileEvent_Dev-0228FilePathHashesNovember2021(ASIMVersion).yaml 
@@ -17,14 +17,15 @@ relevantTechniques: - T1569 - T1003 query: | - let files1 = dynamic(["C:\\Windows\\TAPI\\lsa.exe", "C:\\Windows\\TAPI\\pa.exe", "C:\\Windows\\TAPI\\pc.exe", "C:\\Windows\\TAPI\\Rar.exe"]); - let files2 = dynamic(["svchost.exe","wdmsvc.exe"]); - let FileHash1 = dynamic(["43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3", "ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb", "010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77", "56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7"]); - let FileHash2 = dynamic(["2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7", "9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd", "18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b"]); - imProcessCreate - | where ((Process has_any (files1)) and (ActingProcessSHA256 has_any (FileHash1))) or ((Process has_any (files2)) and (ActingProcessSHA256 has_any (FileHash2))) - // Increase risk score if recent alerts for the host - | join kind=leftouter (SecurityAlert + let files1 = dynamic(["C:\\Windows\\TAPI\\lsa.exe", "C:\\Windows\\TAPI\\pa.exe", "C:\\Windows\\TAPI\\pc.exe", "C:\\Windows\\TAPI\\Rar.exe"]); + let files2 = dynamic(["svchost.exe","wdmsvc.exe"]); + let FileHash1 = dynamic(["43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3", "ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb", "010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77", "56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7"]); + let FileHash2 = dynamic(["2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7", "9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd", "18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b"]); + imProcessCreate + | where ((Process has_any (files1)) and (ActingProcessSHA256 has_any (FileHash1))) or ((Process has_any (files2)) and (ActingProcessSHA256 has_any (FileHash2))) + // Increase 
risk score if recent alerts for the host + | join kind=leftouter ( + SecurityAlert | where ProviderName =~ "MDATP" | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName) | mv-expand todynamic(Entities) @@ -32,29 +33,41 @@ query: | | where isnotempty(DvcId) // Higher risk score are for Defender alerts related to threat actor | extend AlertRiskScore = iif(ThreatName has_any ("Backdoor:MSIL/ShellClient.A", "Backdoor:MSIL/ShellClient.A!dll", "Trojan:MSIL/Mimikatz.BA!MTB"), 1.0, 0.5) - | project DvcId, AlertRiskScore) on DvcId - | extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore) - | extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = ActorUsername + | project DvcId, AlertRiskScore) + on DvcId + | extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore) + | extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\')[0]) + | extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.')) + | extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc) + | project-away DomainIndex entityMappings: - - entityType: Host - fieldMappings: - - identifier: HostName - columnName: HostCustomEntity - entityType: Account fieldMappings: + - identifier: FullName + columnName: ActorUsername - identifier: Name - columnName: AccountCustomEntity + columnName: AccountName + - identifier: NTDomain + columnName: AccountNTDomain + - entityType: Host + fieldMappings: + - identifier: FullName + columnName: Dvc + - identifier: HostName + columnName: HostName + - identifier: DnsDomain + columnName: HostNameDomain - entityType: File fieldMappings: - identifier: Name columnName: FileName -version: 1.2.0 +version: 1.2.2 kind: Scheduled metadata: source: kind: Community author: - name: Ajeet Prakash + name: Microsoft Security Research support: tier: Community categories: 
diff --git a/Detections/ASimProcess/imProcess_AdFind_Usage.yaml b/Detections/ASimProcess/imProcess_AdFind_Usage.yaml
index a33c28b633..c2add3eb0a 100644
--- a/Detections/ASimProcess/imProcess_AdFind_Usage.yaml
+++ b/Detections/ASimProcess/imProcess_AdFind_Usage.yaml
@@ -20,41 +20,51 @@ tags: SchemaVersion: 0.1.0 query: | - let args = dynamic(["objectcategory","domainlist","dcmodes","adinfo","trustdmp","computers_pwdnotreqd","Domain Admins", "objectcategory=person", "objectcategory=computer", "objectcategory=*","dclist"]); - let parentProcesses = dynamic(["pwsh.exe","powershell.exe","cmd.exe"]); - imProcessCreate - //looks for execution from a shell - | where ActingProcessName has_any (parentProcesses) - | extend ActingProcessFileName = tostring(split(ActingProcessName, '\\')[-1]) - | where ActingProcessFileName in~ (parentProcesses) - // main filter - | where Process hassuffix "AdFind.exe" or TargetProcessSHA256 == "c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3" - // AdFind common Flags to check for from various threat actor TTPs - or CommandLine has_any (args) - | extend AccountCustomEntity = User, HostCustomEntity = Dvc, ProcessCustomEntity = ActingProcessName, CommandLineCustomEntity = CommandLine, AlgorithmCustomEntity = "SHA256", FileHashCustomEntity = TargetProcessSHA256 - + let args = dynamic(["objectcategory","domainlist","dcmodes","adinfo","trustdmp","computers_pwdnotreqd","Domain Admins", "objectcategory=person", "objectcategory=computer", "objectcategory=*","dclist"]); + let parentProcesses = dynamic(["pwsh.exe","powershell.exe","cmd.exe"]); + imProcessCreate + //looks for execution from a shell + | where ActingProcessName has_any (parentProcesses) + | extend ActingProcessFileName = tostring(split(ActingProcessName, '\\')[-1]) + | where ActingProcessFileName in~ (parentProcesses) + // main filter + | where Process hassuffix "AdFind.exe" or TargetProcessSHA256 == "c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3" + // AdFind common Flags to check for from various threat actor TTPs + or CommandLine has_any (args) + | extend AccountName = tostring(split(User, @'\')[1]), AccountNTDomain = tostring(split(User, @'\')[0]) + | extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = 
toint(indexof(Dvc, '.')) + | extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc) + | project-away DomainIndex entityMappings: - entityType: Account fieldMappings: - identifier: FullName - columnName: AccountCustomEntity + columnName: User + - identifier: Name + columnName: AccountName + - identifier: NTDomain + columnName: AccountNTDomain - entityType: Host fieldMappings: + - identifier: FullName + columnName: Dvc - identifier: HostName - columnName: HostCustomEntity + columnName: HostName + - identifier: DnsDomain + columnName: HostNameDomain - entityType: Process fieldMappings: - identifier: ProcessId - columnName: ProcessCustomEntity + columnName: ActingProcessName - identifier: CommandLine - columnName: CommandLineCustomEntity + columnName: CommandLine - entityType: FileHash fieldMappings: - identifier: Algorithm - columnName: AlgorithmCustomEntity + columnName: AlgorithmType - identifier: Value - columnName: FileHashCustomEntity -version: 1.1.3 + columnName: TargetProcessSHA256 +version: 1.1.5 kind: Scheduled metadata: source: diff --git a/Detections/ASimProcess/imProcess_MidnightBlizzard_SuspiciousRundll32Exec.yaml b/Detections/ASimProcess/imProcess_MidnightBlizzard_SuspiciousRundll32Exec.yaml index e250955423..6822e169f8 100644 --- a/Detections/ASimProcess/imProcess_MidnightBlizzard_SuspiciousRundll32Exec.yaml +++ b/Detections/ASimProcess/imProcess_MidnightBlizzard_SuspiciousRundll32Exec.yaml 
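Review bot: The Process entity maps the ProcessId identifier to `columnName: ActingProcessName`, a process path rather than an identifier; the schema exposes ActingProcessId (the sdelete-via-GPO hunk joins on it), so `columnName: ActingProcessId` is the column this identifier should carry. Separately, the FileHash Algorithm identifier now reads `columnName: AlgorithmType`, but the removed extend was the only place that value was set (`AlgorithmCustomEntity = "SHA256"`) and nothing in the visible query projects an AlgorithmType column; unless imProcessCreate emits it, re-add `| extend AlgorithmType = "SHA256"` before entityMappings. The SUNBURST hunk has the same Algorithm → AlgorithmType mapping with its literal-setting extend removed.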
@@ -26,17 +26,28 @@ query: | | where Process hassuffix 'rundll32.exe' | where CommandLine has_any ('Execute','RegRead','window.close') | project TimeGenerated, Dvc, User, Process, CommandLine, ActingProcessName, EventVendor, EventProduct - | extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = User + | extend AccountName = tostring(split(User, @'\')[1]), AccountNTDomain = tostring(split(User, @'\')[0]) + | extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.')) + | extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc) + | project-away DomainIndex entityMappings: - entityType: Account fieldMappings: - identifier: FullName - columnName: AccountCustomEntity + columnName: User + - identifier: Name + columnName: AccountName + - identifier: NTDomain + columnName: AccountNTDomain - entityType: Host fieldMappings: - identifier: FullName - columnName: HostCustomEntity -version: 1.1.3 + columnName: Dvc + - identifier: HostName + columnName: HostName + - identifier: DnsDomain + columnName: HostNameDomain +version: 1.1.6 kind: Scheduled metadata: source: diff --git a/Detections/ASimProcess/imProcess_SolarWinds_SUNBURST_Process-IOCs.yaml b/Detections/ASimProcess/imProcess_SolarWinds_SUNBURST_Process-IOCs.yaml index 776ecafb1f..f313f42276 100644 --- a/Detections/ASimProcess/imProcess_SolarWinds_SUNBURST_Process-IOCs.yaml +++ b/Detections/ASimProcess/imProcess_SolarWinds_SUNBURST_Process-IOCs.yaml 
@@ -28,28 +28,34 @@ query: | imProcessCreate | where Process hassuffix 'solarwinds.businesslayerhost.exe' | where not(Process has_any (excludeProcs)) - | extend - timestamp = TimeGenerated, - AccountCustomEntity = ActorUsername, - HostCustomEntity = User, - AlgorithmCustomEntity = "MD5", - FileHashCustomEntity = TargetProcessMD5 // Change to *hash* once implemented + | extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\')[0]) + | extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.')) + | extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc) + | project-away DomainIndex entityMappings: - entityType: Account fieldMappings: - identifier: FullName - columnName: AccountCustomEntity + columnName: ActorUsername + - identifier: Name + columnName: AccountName + - identifier: NTDomain + columnName: AccountNTDomain - entityType: Host fieldMappings: - identifier: FullName - columnName: HostCustomEntity + columnName: Dvc + - identifier: HostName + columnName: HostName + - identifier: DnsDomain + columnName: HostNameDomain - entityType: FileHash fieldMappings: - identifier: Algorithm - columnName: AlgorithmCustomEntity + columnName: AlgorithmType - identifier: Value - columnName: FileHashCustomEntity -version: 1.1.3 + columnName: TargetFileMD5 +version: 1.1.5 kind: Scheduled metadata: source: diff --git a/Detections/ASimProcess/imProcess_base64_encoded_pefile.yaml b/Detections/ASimProcess/imProcess_base64_encoded_pefile.yaml index e2d5c26716..98bb3471c1 100644 --- a/Detections/ASimProcess/imProcess_base64_encoded_pefile.yaml +++ b/Detections/ASimProcess/imProcess_base64_encoded_pefile.yaml 
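Review bot: The FileHash Value identifier is remapped from the removed `FileHashCustomEntity = TargetProcessMD5` to `columnName: TargetFileMD5`, which is a different column name; the query runs on imProcessCreate, whose hash columns elsewhere in this commit are TargetProcess* (TargetProcessSHA256 in the AdFind hunk), so unless the schema also carries TargetFileMD5 this identifier will be empty. `columnName: TargetProcessMD5` preserves the column the rule used before. The removed comment `// Change to *hash* once implemented` also disappears without a replacement; if that TODO is still open, keep it as a YAML comment above entityMappings.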
@@ -24,21 +24,32 @@ tags: query: | imProcessCreate - | where CommandLine contains "TVqQAAMAAAAEAAA" - | where isnotempty(Process) - | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct - | extend timestamp = StartTimeUtc, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc + | where CommandLine contains "TVqQAAMAAAAEAAA" + | where isnotempty(Process) + | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct + | extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\')[0]) + | extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.')) + | extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc) + | project-away DomainIndex entityMappings: - entityType: Account fieldMappings: - identifier: FullName - columnName: AccountCustomEntity + columnName: ActorUsername + - identifier: Name + columnName: AccountName + - identifier: NTDomain + columnName: AccountNTDomain - entityType: Host fieldMappings: - identifier: FullName - columnName: HostCustomEntity -version: 1.1.2 + columnName: Dvc + - identifier: HostName + columnName: HostName + - identifier: DnsDomain + columnName: HostNameDomain +version: 1.1.4 kind: Scheduled metadata: source: diff --git a/Detections/ASimProcess/imProcess_malware_in_recyclebin.yaml b/Detections/ASimProcess/imProcess_malware_in_recyclebin.yaml index b4eb0952e2..43c3a73281 100644 --- a/Detections/ASimProcess/imProcess_malware_in_recyclebin.yaml +++ b/Detections/ASimProcess/imProcess_malware_in_recyclebin.yaml 
@@ -20,24 +20,35 @@ tags: SchemaVersion: 0.1.0 query: | - let procList = dynamic(["cmd.exe","ftp.exe","schtasks.exe","powershell.exe","rundll32.exe","regsvr32.exe","msiexec.exe"]); - imProcessCreate - | where CommandLine has "recycler" - | where Process has_any (procList) - | extend FileName = tostring(split(Process, '\\')[-1]) - | where FileName in~ (procList) - | project StartTimeUtc = TimeGenerated, Dvc, User, Process, FileName, CommandLine, ActingProcessName, EventVendor, EventProduct - | extend timestamp = StartTimeUtc, AccountCustomEntity = User, HostCustomEntity = Dvc + let procList = dynamic(["cmd.exe","ftp.exe","schtasks.exe","powershell.exe","rundll32.exe","regsvr32.exe","msiexec.exe"]); + imProcessCreate + | where CommandLine has "recycler" + | where Process has_any (procList) + | extend FileName = tostring(split(Process, '\\')[-1]) + | where FileName in~ (procList) + | project TimeGenerated, Dvc, User, Process, FileName, CommandLine, ActingProcessName, EventVendor, EventProduct + | extend AccountName = tostring(split(User, @'\')[1]), AccountNTDomain = tostring(split(User, @'\')[0]) + | extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.')) + | extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc) + | project-away DomainIndex entityMappings: - entityType: Account fieldMappings: - identifier: FullName - columnName: AccountCustomEntity + columnName: User + - identifier: Name + columnName: AccountName + - identifier: NTDomain + columnName: AccountNTDomain - entityType: Host fieldMappings: - identifier: FullName - columnName: HostCustomEntity -version: 1.2.3 + columnName: Dvc + - identifier: HostName + columnName: HostName + - identifier: DnsDomain + columnName: HostNameDomain +version: 1.2.5 kind: Scheduled metadata: source: 
diff --git a/Detections/ASimWebSession/DiscordCDNRiskyFileDownload_ASim.yaml b/Detections/ASimWebSession/DiscordCDNRiskyFileDownload_ASim.yaml index 52c9b68066..276bcfc676 100644 --- a/Detections/ASimWebSession/DiscordCDNRiskyFileDownload_ASim.yaml +++ b/Detections/ASimWebSession/DiscordCDNRiskyFileDownload_ASim.yaml @@ -1,7 +1,8 @@ id: 01e8ffff-dc0c-43fe-aa22-d459c4204553 name: Discord CDN Risky File Download (ASIM Web Session Schema) description: | - 'Identifies callouts to Discord CDN addresses for risky file extensions. This detection will trigger when a callout for a risky file is made to a discord server that has only been seen once in your environment. Unique discord servers are identified using the server ID that is included in the request URL (DiscordServerId in query). Discord CDN has been used in multiple campaigns to download additional payloads. + 'Identifies callouts to Discord CDN addresses for risky file extensions. This detection will trigger when a callout for a risky file is made to a discord server that has only been seen once in your environment. + Unique discord servers are identified using the server ID that is included in the request URL (DiscordServerId in query). Discord CDN has been used in multiple campaigns to download additional payloads. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)' severity: Medium requiredDataConnectors: 
@@ -31,11 +32,16 @@ query: | | summarize by DiscordServerId, dcount_Url, set_SrcUsername, min_TimeGenerated, max_TimeGenerated, set_EventResult, set_SrcIpAddr, set_Url | project StartTime=min_TimeGenerated, EndTime=max_TimeGenerated, Result=set_EventResult, SourceUser=set_SrcUsername, SourceIP=set_SrcIpAddr, RequestURL=set_Url | where RequestURL has_any (".bin",".exe",".dll",".bin",".msi") + | extend AccountName = tostring(split(SourceUser, "@")[0]), AccountUPNSuffix = tostring(split(SourceUser, "@")[1]) entityMappings: - entityType: Account fieldMappings: - identifier: FullName columnName: SourceUser + - identifier: Name + columnName: AccountName + - identifier: UPNSuffix + columnName: AccountUPNSuffix - entityType: IP fieldMappings: - identifier: Address @@ -44,13 +50,13 @@ entityMappings: fieldMappings: - identifier: Url columnName: RequestURL -version: 1.1.2 +version: 1.1.4 kind: Scheduled metadata: source: kind: Community author: - name: Pete Bryan + name: Microsoft Security Research support: tier: Community categories: diff --git a/Detections/ASimWebSession/PotentiallyHarmfulFileTypes.yaml b/Detections/ASimWebSession/PotentiallyHarmfulFileTypes.yaml index 5d3cc16f10..f6c5d54568 100644 --- a/Detections/ASimWebSession/PotentiallyHarmfulFileTypes.yaml +++ b/Detections/ASimWebSession/PotentiallyHarmfulFileTypes.yaml @@ -66,11 +66,13 @@ entityMappings: columnName: requestedFileName - entityType: Account fieldMappings: + - identifier: FullName + columnName: SrcUsername - identifier: Name columnName: Name - identifier: UPNSuffix columnName: UPNSuffix -version: 1.1.2 +version: 1.1.3 kind: Scheduled metadata: source: diff --git a/Detections/ASimWebSession/UnusualUACryptoMiners.yaml b/Detections/ASimWebSession/UnusualUACryptoMiners.yaml index 0033d912a3..06faa19db8 100644 --- a/Detections/ASimWebSession/UnusualUACryptoMiners.yaml +++ b/Detections/ASimWebSession/UnusualUACryptoMiners.yaml 
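Review bot: `split(SourceUser, "@")` operates on SourceUser, which the preceding project line assigns from set_SrcUsername; judging by the set_ prefix that column is an aggregated set (dynamic array) rather than a single string, in which case the split would run over the array's string form and AccountName/AccountUPNSuffix would carry bracket and quote characters instead of a clean user and suffix. If so, expand the set before the extend, e.g. `| mv-expand SourceUser to typeof(string)`, or split a single element of it. The pre-existing FullName → SourceUser mapping has the same shape and would benefit from the same expansion.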
@@ -31,8 +31,8 @@ query: | let customUserAgents=toscalar(_GetWatchlist("UnusualUserAgents") | where SearchKey==threatCategory | extend UserAgent=column_ifexists("UserAgent","") | where isnotempty(UserAgent) | summarize make_list(UserAgent)); let fullUAList = array_concat(knownUserAgents,customUserAgents); _Im_WebSession(httpuseragent_has_any=fullUAList) - | summarize N_Events=count() by SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername - + | summarize N_Events=count() by SrcIpAddr, Url, TimeGenerated, HttpUserAgent, SrcUsername + | extend AccountName = tostring(split(SrcUsername, "@")[0]), AccountUPNSuffix = tostring(split(SrcUsername, "@")[1]) entityMappings: - entityType: URL fieldMappings: @@ -44,8 +44,12 @@ entityMappings: columnName: SrcIpAddr - entityType: Account fieldMappings: - - identifier: Name + - identifier: FullName columnName: SrcUsername + - identifier: Name + columnName: AccountName + - identifier: UPNSuffix + columnName: AccountUPNSuffix alertDetailsOverride: alertDisplayNameFormat: The host {{SrcIpAddr}} is potentially running a crypto miner @@ -55,7 +59,7 @@ customDetails: eventGroupingSettings: aggregationKind: AlertPerResult -version: 1.1.1 +version: 1.1.3 kind: Scheduled metadata: source: diff --git a/Detections/ASimWebSession/UnusualUAHackTool.yaml b/Detections/ASimWebSession/UnusualUAHackTool.yaml index bad820bcdb..0a043631a0 100644 --- a/Detections/ASimWebSession/UnusualUAHackTool.yaml +++ b/Detections/ASimWebSession/UnusualUAHackTool.yaml 
@@ -32,7 +32,8 @@ query: | let customUserAgents=toscalar(_GetWatchlist("UnusualUserAgents") | where SearchKey==threatCategory | extend UserAgent=column_ifexists("UserAgent","") | where isnotempty(UserAgent) | summarize make_list(UserAgent)); let fullUAList = array_concat(knownUserAgents,customUserAgents); _Im_WebSession(httpuseragent_has_any=fullUAList) - | project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername + | project SrcIpAddr, Url, TimeGenerated, HttpUserAgent, SrcUsername + | extend AccountName = tostring(split(SrcUsername, "@")[0]), AccountUPNSuffix = tostring(split(SrcUsername, "@")[1]) entityMappings: - entityType: URL fieldMappings: @@ -44,8 +45,12 @@ entityMappings: columnName: SrcIpAddr - entityType: Account fieldMappings: - - identifier: Name + - identifier: FullName columnName: SrcUsername + - identifier: Name + columnName: AccountName + - identifier: UPNSuffix + columnName: AccountUPNSuffix alertDetailsOverride: alertDisplayNameFormat: 'Host {{SrcIpAddr}} is potentially running a hacking tool' @@ -55,7 +60,7 @@ customDetails: eventGroupingSettings: aggregationKind: AlertPerResult -version: 1.1.1 +version: 1.1.3 kind: Scheduled metadata: source: diff --git a/Detections/ASimWebSession/UnusualUAPowershell.yaml b/Detections/ASimWebSession/UnusualUAPowershell.yaml index af1726f5ff..4cc6e3b997 100644 --- a/Detections/ASimWebSession/UnusualUAPowershell.yaml +++ b/Detections/ASimWebSession/UnusualUAPowershell.yaml 
@@ -33,8 +33,8 @@ query: | let customUserAgents=toscalar(_GetWatchlist("UnusualUserAgents") | where SearchKey==threatCategory | extend UserAgent=column_ifexists("UserAgent","") | where isnotempty(UserAgent) | summarize make_list(UserAgent)); let fullUAList = array_concat(knownUserAgents,customUserAgents); _Im_WebSession(httpuseragent_has_any=fullUAList) - | project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername - + | project SrcIpAddr, Url, TimeGenerated, HttpUserAgent, SrcUsername + | extend AccountName = tostring(split(SrcUsername, "@")[0]), AccountUPNSuffix = tostring(split(SrcUsername, "@")[1]) entityMappings: - entityType: URL fieldMappings: @@ -46,8 +46,12 @@ entityMappings: columnName: SrcIpAddr - entityType: Account fieldMappings: - - identifier: Name + - identifier: FullName columnName: SrcUsername + - identifier: Name + columnName: AccountName + - identifier: UPNSuffix + columnName: AccountUPNSuffix alertDetailsOverride: alertDisplayNameFormat: 'Host {{SrcIpAddr}} is potentially running PowerShell' @@ -57,7 +61,7 @@ customDetails: eventGroupingSettings: aggregationKind: AlertPerResult -version: 1.1.1 +version: 1.1.3 kind: Scheduled metadata: source: diff --git a/Detections/Anomalies/UnusualAnomaly.yaml b/Detections/Anomalies/UnusualAnomaly.yaml index 010f4bd492..95baf4f747 100644 --- a/Detections/Anomalies/UnusualAnomaly.yaml +++ b/Detections/Anomalies/UnusualAnomaly.yaml @@ -27,6 +27,8 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: UserPrincipalName - identifier: Name columnName: Name - identifier: UPNSuffix @@ -39,5 +41,5 @@ alertDetailsOverride: alertDynamicProperties: - alertProperty: Techniques value: Techniques -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file 
diff --git a/Detections/AuditLogs/AdditionofaTemporaryAccessPasstoaPrivilegedAccount.yaml b/Detections/AuditLogs/AdditionofaTemporaryAccessPasstoaPrivilegedAccount.yaml index 33ae3ce58b..3991b429d7 100644 --- a/Detections/AuditLogs/AdditionofaTemporaryAccessPasstoaPrivilegedAccount.yaml +++ b/Detections/AuditLogs/AdditionofaTemporaryAccessPasstoaPrivilegedAccount.yaml @@ -43,25 +43,33 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: TargetUserPrincipalName - identifier: Name columnName: TargetAccountName - identifier: UPNSuffix columnName: TargetAccountUPNSuffix - - identifier: AadUserId - columnName: TargetAadUserId - entityType: Account fieldMappings: + - identifier: FullName + columnName: InitiatingUserPrincipalName - identifier: Name columnName: InitiatingAccountName - identifier: UPNSuffix columnName: InitiatingAccountUPNSuffix + - entityType: Account + fieldMappings: + - identifier: AadUserId + columnName: TargetAadUserId + - entityType: Account + fieldMappings: - identifier: AadUserId columnName: InitiatingAadUserId - entityType: IP fieldMappings: - identifier: Address columnName: InitiatingIPAddress -version: 1.0.3 +version: 1.0.4 kind: Scheduled metadata: source: diff --git a/Detections/AuditLogs/ApplicationIDURIChanged.yaml b/Detections/AuditLogs/ApplicationIDURIChanged.yaml index 3a560e4199..0a2f09f5a8 100644 --- a/Detections/AuditLogs/ApplicationIDURIChanged.yaml +++ b/Detections/AuditLogs/ApplicationIDURIChanged.yaml 
@@ -43,16 +43,16 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: InitiatingUserPrincipalName - identifier: Name columnName: InitiatingAccountName - identifier: UPNSuffix columnName: InitiatingAccountUPNSuffix - - identifier: AadUserId - columnName: InitiatingAadUserId - entityType: Account fieldMappings: - identifier: AadUserId - columnName: InitiatingAppServicePrincipalId + columnName: InitiatingAadUserId - entityType: URL fieldMappings: - identifier: Url @@ -65,7 +65,7 @@ entityMappings: fieldMappings: - identifier: Address columnName: InitiatingIPAddress -version: 1.1.0 +version: 1.1.1 kind: Scheduled metadata: source: diff --git a/Detections/AuditLogs/ApplicationRedirectURLUpdate.yaml b/Detections/AuditLogs/ApplicationRedirectURLUpdate.yaml index 7efb2be37e..0b6ce99994 100644 --- a/Detections/AuditLogs/ApplicationRedirectURLUpdate.yaml +++ b/Detections/AuditLogs/ApplicationRedirectURLUpdate.yaml @@ -55,10 +55,14 @@ entityMappings: columnName: AddedUrls - entityType: Account fieldMappings: + - identifier: FullName + columnName: InitiatingUserPrincipalName - identifier: Name columnName: InitiatingAccountName - identifier: UPNSuffix columnName: InitiatingAccountUPNSuffix + - entityType: Account + fieldMappings: - identifier: AadUserId columnName: InitiatingAadUserId - entityType: Account @@ -69,7 +73,7 @@ entityMappings: fieldMappings: - identifier: Address columnName: InitiatingIPAddress -version: 1.1.0 +version: 1.1.1 kind: Scheduled metadata: source: diff --git a/Detections/AuditLogs/ChangestoApplicationLogoutURL.yaml b/Detections/AuditLogs/ChangestoApplicationLogoutURL.yaml index dbbe815d3e..6e5fa7893d 100644 --- a/Detections/AuditLogs/ChangestoApplicationLogoutURL.yaml +++ b/Detections/AuditLogs/ChangestoApplicationLogoutURL.yaml 
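Review bot: The second Account entity's AadUserId now reads `columnName: InitiatingAadUserId` instead of InitiatingAppServicePrincipalId, and the first entity's AadUserId line is removed, so InitiatingAppServicePrincipalId is no longer mapped anywhere: changes initiated by an application or service principal, for which the UPN and name columns are likely empty, would produce no account entity at all. If the query still projects InitiatingAppServicePrincipalId (its definition is outside this hunk), keep a separate Account entity with `- identifier: AadUserId` / `columnName: InitiatingAppServicePrincipalId`. The ChangestoApplicationLogoutURL hunk makes the same replacement.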
@@ -42,16 +42,16 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: InitiatingUserPrincipalName - identifier: Name columnName: InitiatingAccountName - identifier: UPNSuffix columnName: InitiatingAccountUPNSuffix - - identifier: AadUserId - columnName: InitiatingAadUserId - entityType: Account fieldMappings: - identifier: AadUserId - columnName: InitiatingAppServicePrincipalId + columnName: InitiatingAadUserId - entityType: URL fieldMappings: - identifier: Url @@ -64,7 +64,7 @@ entityMappings: fieldMappings: - identifier: Address columnName: InitiatingIPAddress -version: 1.1.0 +version: 1.1.1 kind: Scheduled metadata: source: diff --git a/Detections/AuditLogs/ChangestoApplicationOwnership.yaml b/Detections/AuditLogs/ChangestoApplicationOwnership.yaml index 7c380d9468..6ef26210ca 100644 --- a/Detections/AuditLogs/ChangestoApplicationOwnership.yaml +++ b/Detections/AuditLogs/ChangestoApplicationOwnership.yaml @@ -43,21 +43,29 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: InitiatingUserPrincipalName - identifier: Name columnName: InitiatingAccountName - identifier: UPNSuffix columnName: InitiatingAccountUPNSuffix + - entityType: Account + fieldMappings: - identifier: AadUserId columnName: InitiatingAadUserId - entityType: Account fieldMappings: + - identifier: FullName + columnName: TargetUserPrincipalName - identifier: Name columnName: TargetAccountName - identifier: UPNSuffix columnName: TargetAccountUPNSuffix + - entityType: Account + fieldMappings: - identifier: AadUserId columnName: TargetAadUserId -version: 1.1.0 +version: 1.1.1 kind: Scheduled metadata: source: diff --git a/Detections/AuditLogs/ChangestoPIMSettings.yaml b/Detections/AuditLogs/ChangestoPIMSettings.yaml index 55252f11a0..cd2c606fdb 100644 --- a/Detections/AuditLogs/ChangestoPIMSettings.yaml +++ b/Detections/AuditLogs/ChangestoPIMSettings.yaml 
@@ -31,17 +31,21 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: InitiatingUserPrincipalName - identifier: Name columnName: InitiatingAccountName - identifier: UPNSuffix columnName: InitiatingAccountUPNSuffix + - entityType: Account + fieldMappings: - identifier: AadUserId columnName: InitiatingAadUserId - entityType: IP fieldMappings: - identifier: Address columnName: InitiatingIPAddress -version: 1.1.0 +version: 1.1.1 kind: Scheduled metadata: source: diff --git a/Detections/AuditLogs/ConditionalAccessPolicyModifiedbyNewUser.yaml b/Detections/AuditLogs/ConditionalAccessPolicyModifiedbyNewUser.yaml index 1881710496..1935191422 100644 --- a/Detections/AuditLogs/ConditionalAccessPolicyModifiedbyNewUser.yaml +++ b/Detections/AuditLogs/ConditionalAccessPolicyModifiedbyNewUser.yaml @@ -46,10 +46,14 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: InitiatingUserPrincipalName - identifier: Name columnName: InitiatingAccountName - identifier: UPNSuffix columnName: InitiatingAccountUPNSuffix + - entityType: Account + fieldMappings: - identifier: AadUserId columnName: InitiatingAadUserId - entityType: IP @@ -62,7 +66,7 @@ entityMappings: columnName: InitiatingAppId - identifier: Name columnName: InitiatingAppName -version: 1.1.0 +version: 1.1.1 kind: Scheduled metadata: source: diff --git a/Detections/AuditLogs/End-userconsentstoppedduetorisk-basedconsent.yaml b/Detections/AuditLogs/End-userconsentstoppedduetorisk-basedconsent.yaml index b7434f7c4d..bdf331eb8a 100644 --- a/Detections/AuditLogs/End-userconsentstoppedduetorisk-basedconsent.yaml +++ b/Detections/AuditLogs/End-userconsentstoppedduetorisk-basedconsent.yaml 
@@ -43,10 +43,14 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: InitiatingUserPrincipalName - identifier: Name columnName: InitiatingAccountName - identifier: UPNSuffix columnName: InitiatingAccountUPNSuffix + - entityType: Account + fieldMappings: - identifier: AadUserId columnName: InitiatingAadUserId - entityType: IP @@ -59,7 +63,7 @@ entityMappings: columnName: TargetAppId - identifier: Name columnName: TargetAppName -version: 1.1.0 +version: 1.1.1 kind: Scheduled metadata: source: diff --git a/Detections/AuditLogs/GuestUsersInvitedtoTenantbyNewInviters.yaml b/Detections/AuditLogs/GuestUsersInvitedtoTenantbyNewInviters.yaml index 2192ede29a..6040cfb0d1 100644 --- a/Detections/AuditLogs/GuestUsersInvitedtoTenantbyNewInviters.yaml +++ b/Detections/AuditLogs/GuestUsersInvitedtoTenantbyNewInviters.yaml @@ -45,25 +45,33 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: InitiatingUserPrincipalName - identifier: Name columnName: InitiatingAccountName - identifier: UPNSuffix columnName: InitiatingAccountUPNSuffix - - identifier: AadUserId - columnName: InitiatingAadUserId - entityType: Account fieldMappings: + - identifier: FullName + columnName: TargetUserPrincipalName - identifier: Name columnName: TargetAccountName - identifier: UPNSuffix columnName: TargetAccountUPNSuffix + - entityType: Account + fieldMappings: + - identifier: AadUserId + columnName: InitiatingAadUserId + - entityType: Account + fieldMappings: - identifier: AadUserId columnName: TargetAadUserId - entityType: IP fieldMappings: - identifier: Address columnName: InitiatingIPAddress -version: 1.1.0 +version: 1.1.1 kind: Scheduled metadata: source: diff --git a/Detections/AzureActivity/AzDiagSettingsDeleted.yaml b/Detections/AzureActivity/AzDiagSettingsDeleted.yaml index 18a3ab4266..e207d8a34e 100644 --- a/Detections/AzureActivity/AzDiagSettingsDeleted.yaml 
+++ b/Detections/AzureActivity/AzDiagSettingsDeleted.yaml @@ -40,17 +40,21 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: Caller - identifier: Name columnName: Name - identifier: UPNSuffix columnName: UPNSuffix + - entityType: Account + fieldMappings: - identifier: AadUserId columnName: AadUserId - entityType: IP fieldMappings: - identifier: Address columnName: CallerIpAddress -version: 1.0.2 +version: 1.0.3 kind: Scheduled metadata: source: diff --git a/Detections/AzureActivity/RareRunCommandPowerShellScript.yaml b/Detections/AzureActivity/RareRunCommandPowerShellScript.yaml index 68afe122a0..8f2ec97c01 100644 --- a/Detections/AzureActivity/RareRunCommandPowerShellScript.yaml +++ b/Detections/AzureActivity/RareRunCommandPowerShellScript.yaml @@ -89,6 +89,8 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: Caller - identifier: Name columnName: CallerName - identifier: UPNSuffix @@ -103,7 +105,7 @@ entityMappings: columnName: VirtualMachineName - identifier: AzureID columnName: Scope -version: 1.0.6 +version: 1.0.7 kind: Scheduled metadata: source: diff --git a/Detections/BehaviorAnalytics/SuspiciousSigninByAADConnectAccount.yaml b/Detections/BehaviorAnalytics/SuspiciousSigninByAADConnectAccount.yaml index 8d2ab44a02..4e65dea083 100644 --- a/Detections/BehaviorAnalytics/SuspiciousSigninByAADConnectAccount.yaml +++ b/Detections/BehaviorAnalytics/SuspiciousSigninByAADConnectAccount.yaml @@ -31,6 +31,8 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: UserPrincipalName - identifier: Name columnName: Name - identifier: UPNSuffix 
@@ -51,13 +53,13 @@ alertDetailsOverride: A threat actor may attempt to steal the Sync account credentials and use them to access Azure resources. This alert should be reviewed to ensure that the log in came was from a legitimate source. In this case {{UserPrincipalName}} logged in from {{SourceIPAddress}}. -version: 1.0.2 +version: 1.0.3 kind: Scheduled metadata: source: kind: Community author: - name: Pete Bryan + name: Microsoft Security Community support: tier: Community categories: diff --git a/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml b/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml index ca56069660..9a8ccd8360 100644 --- a/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml +++ b/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml @@ -93,23 +93,29 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: Account - identifier: Name columnName: TargetUserName - identifier: NTDomain columnName: TargetDomainName - entityType: Host fieldMappings: + - identifier: FullName + columnName: Computer - identifier: HostName columnName: HostName - identifier: NTDomain columnName: HostNameDomain + - entityType: Host + fieldMappings: - identifier: AzureID columnName: _ResourceId - entityType: IP fieldMappings: - identifier: Address columnName: IpAddress -version: 1.3.0 +version: 1.3.1 kind: Scheduled metadata: source: diff --git a/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml b/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml index c2508cf310..f3fca03815 100644 --- a/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml +++ b/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml 
@@ -67,9 +67,12 @@ query: | | extend timestamp = TimeGenerated, AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain ) ) + | extend Account = strcat(AccountDomain, "\\", AccountName) entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: Account - identifier: Name columnName: AccountName - identifier: NTDomain @@ -82,7 +85,7 @@ entityMappings: fieldMappings: - identifier: ResourceId columnName: _ResourceId -version: 1.2.0 +version: 1.2.1 kind: Scheduled metadata: source: diff --git a/Detections/MultipleDataSources/AWSConsoleAADCorrelation.yaml b/Detections/MultipleDataSources/AWSConsoleAADCorrelation.yaml index 4df4795c2d..7655388944 100644 --- a/Detections/MultipleDataSources/AWSConsoleAADCorrelation.yaml +++ b/Detections/MultipleDataSources/AWSConsoleAADCorrelation.yaml @@ -43,17 +43,21 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: UserPrincipalName - identifier: Name columnName: AccountName - identifier: UPNSuffix columnName: AccountUPNSuffix + - entityType: Account + fieldMappings: - identifier: AadUserId columnName: UserId - entityType: IP fieldMappings: - identifier: Address columnName: IPAddress -version: 1.2.0 +version: 1.2.1 kind: Scheduled metadata: source: diff --git a/Detections/MultipleDataSources/Accountcreatedfromnon-approvedsources.yaml b/Detections/MultipleDataSources/Accountcreatedfromnon-approvedsources.yaml index 5864e15c95..f7bbd2276e 100644 --- a/Detections/MultipleDataSources/Accountcreatedfromnon-approvedsources.yaml +++ b/Detections/MultipleDataSources/Accountcreatedfromnon-approvedsources.yaml 
@@ -65,19 +65,25 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: AddingUser - identifier: Name columnName: AddedByName - identifier: UPNSuffix columnName: AddedByUPNSuffix + - entityType: Account + fieldMappings: - identifier: AadUserId columnName: AddedByAzureId - entityType: Account fieldMappings: + - identifier: FullName + columnName: UserAdded - identifier: Name columnName: UserAddedName - identifier: UPNSuffix columnName: UserAddedDomain -version: 1.1.0 +version: 1.1.1 kind: Scheduled metadata: source: diff --git a/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml b/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml index bc15c7adfa..9ec2ed46c6 100644 --- a/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml +++ b/Detections/MultipleDataSources/AnomalousIPUsageFollowedByTeamsAction.yaml @@ -103,6 +103,8 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: UserPrincipalName - identifier: Name columnName: AccountName - identifier: UPNSuffix @@ -111,7 +113,7 @@ entityMappings: fieldMappings: - identifier: Address columnName: SuspiciousIP -version: 1.1.0 +version: 1.1.1 kind: Scheduled metadata: source: diff --git a/Detections/MultipleDataSources/AquaBlizzardFeb2022.yaml b/Detections/MultipleDataSources/AquaBlizzardFeb2022.yaml index 0623151fc7..2408bceae8 100644 --- a/Detections/MultipleDataSources/AquaBlizzardFeb2022.yaml +++ b/Detections/MultipleDataSources/AquaBlizzardFeb2022.yaml 
@@ -1,5 +1,5 @@ id: 38f9d721-70a9-4570-9aff-1471eae7c844 name: Aqua Blizzard Actor IOCs - Feb 2022 description: | - 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/AquaBlizzardFeb2022.yaml' -version: 1.1.3 + 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Deprecated%20Analytic%20Rules/AquaBlizzardFeb2022.yaml' +version: 1.1.4 diff --git a/Detections/MultipleDataSources/AuditPolicyManipulation_using_auditpol.yaml b/Detections/MultipleDataSources/AuditPolicyManipulation_using_auditpol.yaml index 294b246981..a0def5e6f8 100644 --- a/Detections/MultipleDataSources/AuditPolicyManipulation_using_auditpol.yaml +++ b/Detections/MultipleDataSources/AuditPolicyManipulation_using_auditpol.yaml @@ -80,9 +80,12 @@ query: | | extend timestamp = TimeGenerated, AccountName = tostring(split(User, @'\')[1]), AccountUPNSuffix = tostring(split(User, @'\')[0]), DeviceName = Computer ) ) + | extend Account = strcat(AccountDomain, "\\", AccountName) entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: Account - identifier: Name columnName: AccountName - identifier: NTDomain @@ -91,7 +94,7 @@ entityMappings: fieldMappings: - identifier: HostName columnName: DeviceName -version: 1.2.0 +version: 1.2.2 kind: Scheduled metadata: source: diff --git a/Detections/MultipleDataSources/BariumDomainIOC112020.yaml b/Detections/MultipleDataSources/BariumDomainIOC112020.yaml index 26e205253d..d655b3d32d 100644 --- a/Detections/MultipleDataSources/BariumDomainIOC112020.yaml +++ b/Detections/MultipleDataSources/BariumDomainIOC112020.yaml 
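Review bot: In the `@@ -80,9 +80,12 @@` hunk of AuditPolicyManipulation_using_auditpol.yaml, the new `| extend Account = strcat(AccountDomain, "\\", AccountName)` references `AccountDomain`, but the union branch visible just above it defines `AccountUPNSuffix` (from `split(User, @'\')[0]`), not `AccountDomain`. If no other branch of the union supplies `AccountDomain` the query fails name resolution; if another branch does, rows from this branch get a FullName of the form `\name` with an empty domain part. Consider `| extend Account = strcat(iff(isempty(AccountDomain), AccountUPNSuffix, AccountDomain), "\\", AccountName)` or have this branch set `AccountDomain` directly. The version bump in the next hunk goes from 1.2.0 to 1.2.2, skipping 1.2.1, while every other file in this change moves one patch level.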
@@ -1,5 +1,5 @@ id: 54f3e0f1-7ab4-45c6-87b0-1cf774d54588 name: Known Barium domains description: | - 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/BariumDomainIOC112020.yaml' -version: 1.7.1 + 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Deprecated%20Analytic%20Rules/BariumDomainIOC112020.yaml' +version: 1.7.2 diff --git a/Detections/MultipleDataSources/BariumIPIOC112020.yaml b/Detections/MultipleDataSources/BariumIPIOC112020.yaml index 3d2162e954..da85fe9a50 100644 --- a/Detections/MultipleDataSources/BariumIPIOC112020.yaml +++ b/Detections/MultipleDataSources/BariumIPIOC112020.yaml @@ -1,5 +1,5 @@ id: f9017237-af8a-455c-a7e6-a54f3fb039c5 name: Known Barium IP description: | - 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/BariumIPIOC112020.yaml' -version: 1.4.1 + 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Deprecated%20Analytic%20Rules/BariumIPIOC112020.yaml' +version: 1.4.2 diff --git a/Detections/MultipleDataSources/COMRegistryKeyModifiedtoPointtoFileinColorDrivers.yaml b/Detections/MultipleDataSources/COMRegistryKeyModifiedtoPointtoFileinColorDrivers.yaml index 22e9158896..7ebfcf9d8c 100644 --- a/Detections/MultipleDataSources/COMRegistryKeyModifiedtoPointtoFileinColorDrivers.yaml +++ b/Detections/MultipleDataSources/COMRegistryKeyModifiedtoPointtoFileinColorDrivers.yaml 
@@ -45,6 +45,8 @@ entityMappings: columnName: RegistryKey - entityType: Host fieldMappings: + - identifier: FullName + columnName: DeviceName - identifier: HostName columnName: HostName - identifier: NTDomain @@ -59,7 +61,7 @@ entityMappings: columnName: InitiatingProcessAccountName - identifier: NTDomain columnName: InitiatingProcessAccountName -version: 1.1.0 +version: 1.1.1 kind: Scheduled metadata: source: diff --git a/Detections/MultipleDataSources/CadetBlizzard_Jan2022_IOC.yaml b/Detections/MultipleDataSources/CadetBlizzard_Jan2022_IOC.yaml index dea58fef5b..094f34ae8d 100644 --- a/Detections/MultipleDataSources/CadetBlizzard_Jan2022_IOC.yaml +++ b/Detections/MultipleDataSources/CadetBlizzard_Jan2022_IOC.yaml @@ -1,5 +1,5 @@ id: d0edc52e-2f0a-4183-b5fb-9a73b3cd0393 name: Cadet Blizzard Actor IOC - January 2022 description: | - 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/CadetBlizzard_Jan2022_IOC.yaml' -version: 1.0.4 \ No newline at end of file + 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Deprecated%20Analytic%20Rules/CadetBlizzard_Jan2022_IOC.yaml' +version: 1.0.5 \ No newline at end of file diff --git a/Detections/MultipleDataSources/CaramelTsunami_IOC.yaml b/Detections/MultipleDataSources/CaramelTsunami_IOC.yaml index 23c128d1f2..2c780a007e 100644 --- a/Detections/MultipleDataSources/CaramelTsunami_IOC.yaml +++ b/Detections/MultipleDataSources/CaramelTsunami_IOC.yaml 
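Review bot: In the `@@ -59,7 +61,7 @@` hunk of COMRegistryKeyModifiedtoPointtoFileinColorDrivers.yaml, the Account entity's `NTDomain` identifier is still mapped to `InitiatingProcessAccountName`, the same column as its `Name` identifier, so the entity carries the user name in both fields and no domain. The same defect is corrected for Dev-0228FilePathHashesNovember2021.yaml in this commit, and this file is already being re-versioned here, so it is a cheap fix. Assuming the query projects the matching `InitiatingProcessAccountDomain` column, change that line to `columnName: InitiatingProcessAccountDomain`.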
@@ -1,5 +1,5 @@ id: 2b68903a-cb95-4e31-a2db-4a0a15803761 name: Caramel Tsunami Actor IOC - July 2021 description: | - 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/CaramelTsunami_IOC.yaml' -version: 1.2.2 + 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Deprecated%20Analytic%20Rules/CaramelTsunami_IOC.yaml' +version: 1.2.3 diff --git a/Detections/MultipleDataSources/ChiaCryptoMining.yaml b/Detections/MultipleDataSources/ChiaCryptoMining.yaml index 80c292c17d..2db80ee654 100644 --- a/Detections/MultipleDataSources/ChiaCryptoMining.yaml +++ b/Detections/MultipleDataSources/ChiaCryptoMining.yaml @@ -1,5 +1,5 @@ id: 886024e0-e38e-4fae-aa3b-e30a0b8ee2c0 name: Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021 description: | - 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/ChiaCryptoMining.yaml' -version: 1.2.1 + 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Deprecated%20Analytic%20Rules/ChiaCryptoMining.yaml' +version: 1.2.2 diff --git a/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml b/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml index 77fe6b60df..4149287b51 100644 --- a/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml +++ b/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml 
@@ -1,5 +1,5 @@ id: 6688d4c9-16e2-46a9-b2b6-564d9367a8b1 name: DEV-0322 Serv-U related IOCs - July 2021 description: | - 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/DEV-0322_SolarWinds_Serv-U_IOC.yaml' -version: 1.1.1 + 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Deprecated%20Analytic%20Rules/DEV-0322_SolarWinds_Serv-U_IOC.yaml' +version: 1.1.2 diff --git a/Detections/MultipleDataSources/DenimTsunamiAVDetection.yaml b/Detections/MultipleDataSources/DenimTsunamiAVDetection.yaml index d6c93bc5ff..91f13b7d5c 100644 --- a/Detections/MultipleDataSources/DenimTsunamiAVDetection.yaml +++ b/Detections/MultipleDataSources/DenimTsunamiAVDetection.yaml @@ -1,5 +1,5 @@ id: 69fe6e85-8867-4872-a707-f589d3554375 name: Denim Tsunami AV Detection description: | - 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/DenimTsunamiAVDetection.yaml' -version: 1.0.2 \ No newline at end of file + 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Deprecated%20Analytic%20Rules/DenimTsunamiAVDetection.yaml' +version: 1.0.3 \ No newline at end of file diff --git a/Detections/MultipleDataSources/DenimTsunamiC2DomainsJuly2022.yaml b/Detections/MultipleDataSources/DenimTsunamiC2DomainsJuly2022.yaml index 4e5f822a92..5e7fc07b66 100644 --- a/Detections/MultipleDataSources/DenimTsunamiC2DomainsJuly2022.yaml +++ b/Detections/MultipleDataSources/DenimTsunamiC2DomainsJuly2022.yaml 
@@ -1,5 +1,5 @@ id: 357ce603-e6ac-4afe-a2d8-b3dd8ab1d6e8 name: Denim Tsunami C2 Domains July 2022 description: | - 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/DenimTsunamiC2DomainsJuly2022.yaml' -version: 1.0.2 \ No newline at end of file + 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Deprecated%20Analytic%20Rules/DenimTsunamiC2DomainsJuly2022.yaml' +version: 1.0.3 \ No newline at end of file diff --git a/Detections/MultipleDataSources/DenimTsunamiFileHashesJuly2022.yaml b/Detections/MultipleDataSources/DenimTsunamiFileHashesJuly2022.yaml index bac861f7ac..03507209a5 100644 --- a/Detections/MultipleDataSources/DenimTsunamiFileHashesJuly2022.yaml +++ b/Detections/MultipleDataSources/DenimTsunamiFileHashesJuly2022.yaml @@ -1,5 +1,5 @@ id: 24e91fb1-01e5-47d0-845d-75d74e9b8a61 name: Denim Tsunami File Hashes July 2022 description: | - 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/DenimTsunamiFileHashesJuly2022.yaml' -version: 1.0.2 + 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Deprecated%20Analytic%20Rules/DenimTsunamiFileHashesJuly2022.yaml' +version: 1.0.3 diff --git a/Detections/MultipleDataSources/Dev-0228FilePathHashesNovember2021.yaml b/Detections/MultipleDataSources/Dev-0228FilePathHashesNovember2021.yaml index 56b9703bf2..1bc08531a6 100644 --- a/Detections/MultipleDataSources/Dev-0228FilePathHashesNovember2021.yaml 
+++ b/Detections/MultipleDataSources/Dev-0228FilePathHashesNovember2021.yaml @@ -39,33 +39,38 @@ query: | | extend AlertRiskScore = iif(ThreatName has_any ("Backdoor:MSIL/ShellClient.A", "Backdoor:MSIL/ShellClient.A!dll", "Trojan:MSIL/Mimikatz.BA!MTB"), 1.0, 0.5) | project DvcId, AlertRiskScore) on DvcId | extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore) + | extend InitiatingProcessAccount = strcat(InitiatingProcessAccountDomain, "\\", InitiatingProcessAccountName) | extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.')) | extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName) | extend timestamp = TimeGenerated entityMappings: - entityType: Host fieldMappings: + - identifier: FullName + columnName: DeviceName - identifier: HostName columnName: HostName - identifier: NTDomain columnName: HostNameDomain - entityType: Account fieldMappings: + - identifier: FullName + columnName: InitiatingProcessAccount - identifier: Name columnName: InitiatingProcessAccountName - identifier: NTDomain - columnName: InitiatingProcessAccountName + columnName: InitiatingProcessAccountDomain - entityType: File fieldMappings: - identifier: Name columnName: FileName -version: 1.1.0 +version: 1.1.2 kind: Scheduled metadata: source: kind: Community author: - name: Ajeet Prakash + name: Microsoft Security Research support: tier: Community categories: diff --git a/Detections/MultipleDataSources/Dev-0530_FileExtRename.yaml b/Detections/MultipleDataSources/Dev-0530_FileExtRename.yaml index d079d63844..1628ad0836 100644 --- a/Detections/MultipleDataSources/Dev-0530_FileExtRename.yaml +++ b/Detections/MultipleDataSources/Dev-0530_FileExtRename.yaml 
@@ -59,19 +59,24 @@ query: | AlgorithmCustomEntity = "SHA256" | extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountDomain = tostring(split(ActorUsername, @'\')[0]) | extend HostName = DvcHostname, HostNameDomain = DvcDomain + | extend DeviceName = strcat(DvcHostname, ".", DvcDomain ) ) entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: ActorUserName - identifier: Name columnName: AccountName - identifier: NTDomain columnName: AccountDomain - entityType: Host fieldMappings: + - identifier: FullName + columnName: DeviceName - identifier: HostName columnName: HostName - - identifier: NTDomain + - identifier: DnsDomain columnName: HostNameDomain - entityType: FileHash fieldMappings: @@ -79,13 +84,13 @@ entityMappings: columnName: AlgorithmCustomEntity - identifier: Value columnName: FileHashCustomEntity -version: 1.1.0 +version: 1.1.1 kind: Scheduled metadata: source: kind: Community author: - name: Ashwin Patil + name: Microsoft Security Research support: tier: Community categories: diff --git a/Detections/MultipleDataSources/Dev-0530_July2022.yaml b/Detections/MultipleDataSources/Dev-0530_July2022.yaml index 1ff46ef0c7..e3357194c7 100644 --- a/Detections/MultipleDataSources/Dev-0530_July2022.yaml +++ b/Detections/MultipleDataSources/Dev-0530_July2022.yaml @@ -1,5 +1,5 @@ id: 1028a99a-a549-4843-abfb-f83c9d4fff79 name: Dev-0530 IOC - July 2022 description: | - 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/Dev-0530_July2022.yaml' -version: 1.1.1 + 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Deprecated%20Analytic%20Rules/Dev-0530_July2022.yaml' +version: 1.1.2 
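Review bot: In the `@@ -59,19 +59,24 @@` hunk of Dev-0530_FileExtRename.yaml, the new Account `FullName` mapping uses `columnName: ActorUserName`, but the query column is `ActorUsername` (lower-case n, as in the `split(ActorUsername, @'\')` calls two lines above). Kusto column names are case-sensitive, so this mapping points at a column the query does not produce and the FullName identifier would be empty on every alert. Change the line to `columnName: ActorUsername`. The new `DeviceName = strcat(DvcHostname, ".", DvcDomain)` also yields a trailing dot when `DvcDomain` is empty; `iff(isempty(DvcDomain), DvcHostname, strcat(DvcHostname, ".", DvcDomain))` avoids that.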
diff --git a/Detections/MultipleDataSources/DiamondSleetJan272021IOCs.yaml b/Detections/MultipleDataSources/DiamondSleetJan272021IOCs.yaml index ac92e85884..76b4f09201 100644 --- a/Detections/MultipleDataSources/DiamondSleetJan272021IOCs.yaml +++ b/Detections/MultipleDataSources/DiamondSleetJan272021IOCs.yaml @@ -1,5 +1,5 @@ id: 17184571-f7cd-42fb-a6a5-3478f09f5fa0 name: Known Diamond Sleet Comebacker and Klackring malware hashes description: | - 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/DiamondSleetJan272021IOCs.yaml' -version: 1.7.2 + 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Deprecated%20Analytic%20Rules/DiamondSleetJan272021IOCs.yaml' +version: 1.7.3 diff --git a/Detections/MultipleDataSources/DiamondSleetOct292020IOCs.yaml b/Detections/MultipleDataSources/DiamondSleetOct292020IOCs.yaml index 1f348afae9..b963b3216e 100644 --- a/Detections/MultipleDataSources/DiamondSleetOct292020IOCs.yaml +++ b/Detections/MultipleDataSources/DiamondSleetOct292020IOCs.yaml 
@@ -1,5 +1,5 @@ id: ba2433b7-da6b-4faa-bdf1-1eae065ef7e9 name: Known Diamond Sleet related maldoc hash description: | - 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/DiamondSleetOct292020IOCs.yaml' -version: 1.0.3 \ No newline at end of file + 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Deprecated%20Analytic%20Rules/DiamondSleetOct292020IOCs.yaml' +version: 1.0.4 \ No newline at end of file diff --git a/Detections/MultipleDataSources/EUROPIUM _September2022.yaml b/Detections/MultipleDataSources/EUROPIUM _September2022.yaml index 4b84fca117..1185f1752f 100644 --- a/Detections/MultipleDataSources/EUROPIUM _September2022.yaml +++ b/Detections/MultipleDataSources/EUROPIUM _September2022.yaml 
@@ -95,17 +95,20 @@ query: | | extend IPMatch = case( SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP", "None") | extend timestamp = TimeGenerated, File = tostring(split(Image, '\\', -1)[-1]), IPEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "None"), HostEntity = Computer, AccountName = tostring(split(UserName, @'\')[1]), AccountDomain = tostring(split(UserName, @'\')[0]) + | extend InitiatingProcessAccount = UserName ), (OfficeActivity | where ClientIP in (IPList) | project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, Type | extend timestamp = TimeGenerated, IPEntity = ClientIP, AccountName = tostring(split(UserId, "@")[0]), AccountDomain = tostring(split(UserId, "@")[1]) + | extend InitiatingProcessAccount = UserId ), (DeviceNetworkEvents | where RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) | project TimeGenerated, ActionType, DeviceId, Computer = DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type | extend timestamp = TimeGenerated, IPEntity = RemoteIP, HostEntity = Computer, AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain + | extend InitiatingProcessAccount = strcat(AccountDomain, "\\", AccountName) ), (WindowsFirewall | where SourceIP in (IPList) or DestinationIP in (IPList) 
@@ -119,6 +122,7 @@ query: | | project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash | extend timestamp = TimeGenerated, IPEntity = IPAddress, HostEntity = Computer, Algorithm = "SHA256", FileHash = tostring(FileHash) | extend AccountName = tostring(split(Account, @'\')[1]), AccountDomain = tostring(split(Account, @'\')[0]) + | extend InitiatingProcessAccount = Account ), (DeviceFileEvents | where SHA256 has_any (sha256Hashes) @@ -126,6 +130,7 @@ query: | InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type | extend timestamp = TimeGenerated, HostEntity = DeviceName, AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain, Algorithm = "SHA256", FileHash = tostring(InitiatingProcessSHA256), CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath + | extend InitiatingProcessAccount = strcat(AccountDomain, "\\", AccountName) ), (DeviceImageLoadEvents | where SHA256 has_any (sha256Hashes) @@ -133,6 +138,7 @@ query: | InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type | extend timestamp = TimeGenerated, HostEntity = DeviceName, AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain, Algorithm = "SHA256", FileHash = tostring(InitiatingProcessSHA256), CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath + | extend InitiatingProcessAccount = strcat(AccountDomain, "\\", AccountName) ), (Event | where Source =~ "Microsoft-Windows-Sysmon" 
@@ -147,6 +153,7 @@ query: | | project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image | extend Type = strcat(Type, ": ", Source) | extend timestamp = TimeGenerated, HostEntity = Computer, AccountName = tostring(split(UserName, @'\')[1]), AccountUPNSuffix = tostring(split(UserName, @'\')[0]), FileHash = tostring(Hashes[1]) + | extend InitiatingProcessAccount = UserName ) ) | extend HostName = tostring(split(HostEntity, ".")[0]), DomainIndex = toint(indexof(HostEntity, '.')) @@ -154,12 +161,16 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: InitiatingProcessAccount - identifier: Name columnName: AccountName - identifier: NTDomain columnName: AccountDomain - entityType: Host fieldMappings: + - identifier: FullName + columnName: HostEntity - identifier: HostName columnName: HostName - identifier: NTDomain @@ -174,7 +185,7 @@ entityMappings: columnName: Algorithm - identifier: Value columnName: FileHash -version: 1.1.0 +version: 1.1.1 kind: Scheduled metadata: source: diff --git a/Detections/MultipleDataSources/EmailAccessviaActiveSync.yaml b/Detections/MultipleDataSources/EmailAccessviaActiveSync.yaml index 7adc0c773d..7cdc627be0 100644 --- a/Detections/MultipleDataSources/EmailAccessviaActiveSync.yaml +++ b/Detections/MultipleDataSources/EmailAccessviaActiveSync.yaml @@ -89,17 +89,21 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: AccountEntity - identifier: Name columnName: AccountName - identifier: NTDomain columnName: AccountDomain - entityType: Host fieldMappings: + - identifier: FullName + columnName: HostEntity - identifier: HostName columnName: HostName - identifier: NTDomain columnName: HostNameDomain -version: 1.2.0 +version: 1.2.1 kind: Scheduled metadata: source: 
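Review bot: In the `@@ -147,6 +153,7 @@` hunk of EUROPIUM _September2022.yaml, the Sysmon branch the commit touches still sets `AccountUPNSuffix` rather than `AccountDomain` from `split(UserName, @'\')[0]`, while the Account entity in the `@@ -154,12 +161,16 @@` hunk maps `NTDomain` to `AccountDomain`, so rows from this branch get a FullName but an empty NTDomain. Since a line is already being added to this branch, it could set the domain too: `| extend InitiatingProcessAccount = UserName, AccountDomain = tostring(split(UserName, @'\')[0])`. This gap predates the commit, so treat it as an optional follow-up rather than a blocker.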
diff --git a/Detections/MultipleDataSources/EmeraldSleetIOCs.yaml b/Detections/MultipleDataSources/EmeraldSleetIOCs.yaml index a53f56d0ef..dcc334ac6c 100644 --- a/Detections/MultipleDataSources/EmeraldSleetIOCs.yaml +++ b/Detections/MultipleDataSources/EmeraldSleetIOCs.yaml @@ -1,5 +1,5 @@ id: 993b32e3-f097-4fcb-b555-3078a4af63be name: Emerald Sleet domains included in DCU takedown description: | - 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/EmeraldSleetIOCs.yaml' -version: 1.5.2 \ No newline at end of file + 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Deprecated%20Analytic%20Rules/EmeraldSleetIOCs.yaml' +version: 1.5.3 \ No newline at end of file diff --git a/Detections/MultipleDataSources/EuropiumUnusualIdentity.yaml b/Detections/MultipleDataSources/EuropiumUnusualIdentity.yaml index 2764a66ac2..a90ff88941 100644 --- a/Detections/MultipleDataSources/EuropiumUnusualIdentity.yaml +++ b/Detections/MultipleDataSources/EuropiumUnusualIdentity.yaml 
@@ -27,10 +27,12 @@ query: | | where EventID==4688 | where CommandLine has_any ("New-Mailbox","Update-RoleGroupMember") and CommandLine has "HealthMailbox55x2yq" | project TimeGenerated, DeviceName = Computer, AccountName = SubjectUserName, AccountDomain = SubjectDomainName, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type + | extend InitiatingProcessAccount = strcat(AccountDomain, "\\", AccountName) ), (DeviceProcessEvents | where ProcessCommandLine has_any ("New-Mailbox","Update-RoleGroupMember") and ProcessCommandLine has "HealthMailbox55x2yq" | extend timestamp = TimeGenerated, AccountDomain = InitiatingProcessAccountDomain, AccountName = InitiatingProcessAccountName + | extend InitiatingProcessAccount = strcat(AccountDomain, "\\", AccountName) ) ) | extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.')) @@ -38,17 +40,21 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: InitiatingProcessAccount - identifier: Name columnName: AccountName - identifier: NTDomain columnName: AccountDomain - entityType: Host fieldMappings: + - identifier: FullName + columnName: DeviceName - identifier: HostName columnName: HostName - identifier: NTDomain columnName: HostNameDomain -version: 1.1.0 +version: 1.1.1 kind: Scheduled metadata: source: diff --git a/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml b/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml index dea77aff7e..afa1c3d981 100644 --- a/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml +++ b/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml 
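Review bot: The identical `| extend InitiatingProcessAccount = strcat(AccountDomain, "\\", AccountName)` is added separately to both union branches even though both already define AccountDomain and AccountName and the query continues after the union with `| extend HostName = …`; a single extend placed after the closing `)` would express the same thing once and keep the two branches from drifting if a third source is added later. The union's first branch starts before this hunk.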
@@ -1,5 +1,5 @@
id: 698afbd8-2fc5-48b1-b701-00294e26b510
name: Exchange Server Vulnerabilities Disclosed March 2021 IoC Match
description: |
- 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml'
-version: 1.7.4
\ No newline at end of file
+ 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Deprecated%20Analytic%20Rules/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml'
+version: 1.7.5
\ No newline at end of file
diff --git a/Detections/MultipleDataSources/ExchangeWorkerProcessMakingRemoteCall.yaml b/Detections/MultipleDataSources/ExchangeWorkerProcessMakingRemoteCall.yaml
index c095ac05bd..7d87078cd3 100644
--- a/Detections/MultipleDataSources/ExchangeWorkerProcessMakingRemoteCall.yaml
+++ b/Detections/MultipleDataSources/ExchangeWorkerProcessMakingRemoteCall.yaml
@@ -39,28 +39,33 @@ query: | // Where CMD or PowerShell command line included parameters associated with CVE-2022-41040/CVE-2022-41082 exploitation | where ProcessCommandLine has_any(suspiciousCmdLineKeywords) | project TimeGenerated, DeviceId, DeviceName, InitiatingProcessFileName, ProcessCommandLine, AccountDomain = InitiatingProcessAccountDomain, AccountName = InitiatingProcessAccountName + | extend Account = strcat(AccountDomain, "\\", AccountName) | extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.')) | extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName) entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: Account - identifier: Name columnName: AccountName - identifier: NTDomain columnName: AccountDomain - entityType: Host fieldMappings: + - identifier: FullName + columnName: DeviceName - identifier: HostName columnName: HostName - identifier: NTDomain columnName: HostNameDomain -version: 1.1.0 +version: 1.1.1 kind: Scheduled metadata: source: kind: Community author: - name: petebryan + name: Microsoft Security Community support: tier: Community categories: diff --git a/Detections/MultipleDataSources/ForestBlizzardJuly2019IOCs.yaml b/Detections/MultipleDataSources/ForestBlizzardJuly2019IOCs.yaml index b673311431..781a9ccd70 100644 --- a/Detections/MultipleDataSources/ForestBlizzardJuly2019IOCs.yaml +++ b/Detections/MultipleDataSources/ForestBlizzardJuly2019IOCs.yaml @@ -112,12 +112,16 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: User - identifier: Name columnName: AccountName - identifier: NTDomain columnName: AccountDomain - entityType: Host fieldMappings: + - identifier: FullName + columnName: DeviceName - identifier: HostName columnName: HostName - identifier: NTDomain 
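Review bot: The author rename in this hunk uses `name: Microsoft Security Community`, whereas the same rename in MalformedUserAgents, MultiplePasswordresetsbyUser, PhishinglinkExecutionObserved and SuspiciousModificationofGlobalAdminProperties uses `name: Microsoft Security Research`; if the difference is unintentional, one value should be used across the commit. The `Account = strcat(AccountDomain, "\\", AccountName)` line follows the project that defines both columns, so the FullName mapping to `Account` is consistent within the hunk.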
@@ -126,7 +130,7 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPAddress
-version: 1.6.0
+version: 1.6.1
kind: Scheduled
metadata:
source:
diff --git a/Detections/MultipleDataSources/ForestBlizzardOct292020IOCs.yaml b/Detections/MultipleDataSources/ForestBlizzardOct292020IOCs.yaml
index f665977bf1..5fbd999e3c 100644
--- a/Detections/MultipleDataSources/ForestBlizzardOct292020IOCs.yaml
+++ b/Detections/MultipleDataSources/ForestBlizzardOct292020IOCs.yaml
@@ -1,5 +1,5 @@
id: 9fc7eaad-3cff-4ed0-837a-868ceb3e0886
name: Possible Forest Blizzard attempted credential harvesting - Oct 2020
description: |
- 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/ForestBlizzardOct292020IOCs.yaml'
-version: 1.0.2
\ No newline at end of file
+ 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Deprecated%20Analytic%20Rules/ForestBlizzardOct292020IOCs.yaml'
+version: 1.0.3
\ No newline at end of file
diff --git a/Detections/MultipleDataSources/GraniteTyphoonIOCs.yaml b/Detections/MultipleDataSources/GraniteTyphoonIOCs.yaml
index 477e0913e4..fe35ca81e6 100644
--- a/Detections/MultipleDataSources/GraniteTyphoonIOCs.yaml
+++ b/Detections/MultipleDataSources/GraniteTyphoonIOCs.yaml
@@ -1,5 +1,5 @@
id: 00f44734-35a9-4103-b6b9-fd7752e70385
name: Known Granite Typhoon domains and hashes
description: |
- 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/GraniteTyphoonIOCs.yaml'
-version: 1.6.2
+ 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Deprecated%20Analytic%20Rules/GraniteTyphoonIOCs.yaml'
+version: 1.6.3
diff --git a/Detections/MultipleDataSources/HiveRansomwareJuly2022.yaml b/Detections/MultipleDataSources/HiveRansomwareJuly2022.yaml
index a0e1d0b0a0..60984c3e9f 100644
--- a/Detections/MultipleDataSources/HiveRansomwareJuly2022.yaml
+++ b/Detections/MultipleDataSources/HiveRansomwareJuly2022.yaml
@@ -1,5 +1,5 @@
id: 5e343198-38c7-4057-ac53-2f306c6cb1c3
name: Hive Ransomware IOC - July 2022
description: |
- 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/HiveRansomwareJuly2022.yaml'
-version: 1.0.2
\ No newline at end of file
+ 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Deprecated%20Analytic%20Rules/HiveRansomwareJuly2022.yaml'
+version: 1.0.3
\ No newline at end of file
diff --git a/Detections/MultipleDataSources/KnownMintSandstormDomainsIP-October2020.yaml b/Detections/MultipleDataSources/KnownMintSandstormDomainsIP-October2020.yaml
index d3d2bffb9d..feb650568e 100644
--- a/Detections/MultipleDataSources/KnownMintSandstormDomainsIP-October2020.yaml
+++ b/Detections/MultipleDataSources/KnownMintSandstormDomainsIP-October2020.yaml
@@ -1,5 +1,5 @@
id: 1bcfc5db-042d-4009-9989-45c3abd61352
name: Known Mint Sandstorm group domains/IP - October 2020
description: |
- 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/KnownMintSandstormDomainsIP-October2020.yaml'
-version: 1.1.2
+ 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Deprecated%20Analytic%20Rules/KnownMintSandstormDomainsIP-October2020.yaml'
+version: 1.1.3
diff --git a/Detections/MultipleDataSources/MSHTMLVuln.yaml b/Detections/MultipleDataSources/MSHTMLVuln.yaml
index 10f68d1041..205404ad0a 100644
--- a/Detections/MultipleDataSources/MSHTMLVuln.yaml
+++ b/Detections/MultipleDataSources/MSHTMLVuln.yaml
@@ -1,5 +1,5 @@
id: 15223e74-d05a-4d76-8932-f5598d09118b
name: MSHTML vulnerability CVE-2021-40444 attack
description: |
- 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/MSHTMLVuln.yaml'
-version: 1.0.2
\ No newline at end of file
+ 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Deprecated%20Analytic%20Rules/MSHTMLVuln.yaml'
+version: 1.0.3
\ No newline at end of file
diff --git a/Detections/MultipleDataSources/MalformedUserAgents.yaml b/Detections/MultipleDataSources/MalformedUserAgents.yaml
index 39fe122204..408e9186f8 100644
--- a/Detections/MultipleDataSources/MalformedUserAgents.yaml
+++ b/Detections/MultipleDataSources/MalformedUserAgents.yaml
@@ -88,6 +88,8 @@ query: |
entityMappings:
- entityType: Account
fieldMappings:
+ - identifier: FullName
+ columnName: Account
- identifier: Name
columnName: Name
- identifier: UPNSuffix
@@ -96,13 +98,13 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
-version: 1.0.3
+version: 1.0.4
kind: Scheduled
metadata:
source:
kind: Community
author:
- name: timbMSFT
+ name: Microsoft Security Research
support:
tier: Community
categories:
diff --git a/Detections/MultipleDataSources/Manganese_VPN-IOCs.yaml b/Detections/MultipleDataSources/Manganese_VPN-IOCs.yaml
index 858aa22bb4..f49da03bb9 100644
--- a/Detections/MultipleDataSources/Manganese_VPN-IOCs.yaml
+++ b/Detections/MultipleDataSources/Manganese_VPN-IOCs.yaml
@@ -1,5 +1,5 @@
id: 416239cd-d0d1-4a91-90f9-b1f0b95e0663
name: Known Manganese IP and UserAgent activity
description: |
- 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/Manganese_VPN-IOCs.yaml'
-version: 1.1.1
\ No newline at end of file
+ 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Deprecated%20Analytic%20Rules/Manganese_VPN-IOCs.yaml'
+version: 1.1.2
\ No newline at end of file
diff --git a/Detections/MultipleDataSources/MidnightBlizzard_DomainIOCsMarch2021.yaml b/Detections/MultipleDataSources/MidnightBlizzard_DomainIOCsMarch2021.yaml
index 1557a40200..d33ace0a8a 100644
--- a/Detections/MultipleDataSources/MidnightBlizzard_DomainIOCsMarch2021.yaml
+++ b/Detections/MultipleDataSources/MidnightBlizzard_DomainIOCsMarch2021.yaml
@@ -1,5 +1,5 @@
id: 943923cb-1b6d-4a44-aeee-b0cf393748b3
name: Midnight Blizzard - Domain and IP IOCs - March 2021
description: |
- 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/MidnightBlizzard_DomainIOCsMarch2021.yaml'
-version: 1.4.3
+ 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Deprecated%20Analytic%20Rules/MidnightBlizzard_DomainIOCsMarch2021.yaml'
+version: 1.4.4
diff --git a/Detections/MultipleDataSources/MidnightBlizzard_FoggyWeb.yaml b/Detections/MultipleDataSources/MidnightBlizzard_FoggyWeb.yaml
index 35bcd0af6e..315c800fb5 100644
--- a/Detections/MultipleDataSources/MidnightBlizzard_FoggyWeb.yaml
+++ b/Detections/MultipleDataSources/MidnightBlizzard_FoggyWeb.yaml
@@ -1,5 +1,5 @@
id: 18119187-a22f-4042-8941-ffcaf62b730f
name: Midnight Blizzard IOCs related to FoggyWeb backdoor
description: |
- 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/MidnightBlizzard_FoggyWeb.yaml'
-version: 2.1.4
+ 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Deprecated%20Analytic%20Rules/MidnightBlizzard_FoggyWeb.yaml'
+version: 2.1.5
diff --git a/Detections/MultipleDataSources/MidnightBlizzard_IOCsMay2021.yaml b/Detections/MultipleDataSources/MidnightBlizzard_IOCsMay2021.yaml
index d66aa480f4..02f4bd6560 100644
--- a/Detections/MultipleDataSources/MidnightBlizzard_IOCsMay2021.yaml
+++ b/Detections/MultipleDataSources/MidnightBlizzard_IOCsMay2021.yaml
@@ -1,5 +1,5 @@
id: 173be96f-c41a-4f83-a8c0-0bd2609cda14
name: Midnight Blizzard - Domain, Hash and IP IOCs - May 2021
description: |
- 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/MidnightBlizzard_IOCsMay2021.yaml'
-version: 1.6.3
+ 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Deprecated%20Analytic%20Rules/MidnightBlizzard_IOCsMay2021.yaml'
+version: 1.6.4
diff --git a/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml b/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml
index c775cded96..b63c2a0d02 100644
--- a/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml
+++ b/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml
@@ -102,29 +102,35 @@ query: |
entityMappings:
- entityType: Account
fieldMappings:
+ - identifier: FullName
+ columnName: Account
- identifier: Name
columnName: Name
- identifier: UPNSuffix
columnName: UPNSuffix
- entityType: Host
fieldMappings:
+ - identifier: FullName
+ columnName: Computer
- identifier: HostName
columnName: HostName
- identifier: DnsDomain
columnName: DnsDomain
- entityType: Account
fieldMappings:
+ - identifier: FullName
+ columnName: TargetUserName
- identifier: Name
columnName: TargetName
- identifier: UPNSuffix
columnName: TargetUPNSuffix
-version: 2.1.4
+version: 2.1.5
kind: Scheduled
metadata:
source:
kind: Community
author:
- name: Shain
+ name: Microsoft Security Research
support:
tier: Community
categories:
diff --git a/Detections/MultipleDataSources/NylonTyphoonIOCsNov2021.yaml b/Detections/MultipleDataSources/NylonTyphoonIOCsNov2021.yaml
index 2d7d2d3d0e..d2ccf36261 100644
--- a/Detections/MultipleDataSources/NylonTyphoonIOCsNov2021.yaml
+++ b/Detections/MultipleDataSources/NylonTyphoonIOCsNov2021.yaml
@@ -1,5 +1,5 @@
id: 286559b0-d88d-4c9f-bbc4-3b4a57485e5d
name: Known Nylon Typhoon domains and hashes
description: |
- 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/NylonTyphoonIOCsNov2021.yaml'
-version: 1.3.3
+ 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Deprecated%20Analytic%20Rules/NylonTyphoonIOCsNov2021.yaml'
+version: 1.3.4
diff --git a/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml b/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml
index e230156def..9f6ffbfc19 100644
--- a/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml
+++ b/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml
@@ -1,5 +1,5 @@
id: 4f9ac632-7153-4545-9c3d-3e6354c62149
name: Known Phosphorus group domains/IP
description: |
- 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/PHOSPHORUSMarch2019IOCs.yaml'
-version: 1.5.1
+ 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Deprecated%20Analytic%20Rules/PHOSPHORUSMarch2019IOCs.yaml'
+version: 1.5.2
diff --git a/Detections/MultipleDataSources/PhishinglinkExecutionObserved.yaml b/Detections/MultipleDataSources/PhishinglinkExecutionObserved.yaml
index bca5dfbda2..9212180518 100644
--- a/Detections/MultipleDataSources/PhishinglinkExecutionObserved.yaml
+++ b/Detections/MultipleDataSources/PhishinglinkExecutionObserved.yaml
@@ -85,6 +85,8 @@ query: |
entityMappings:
- entityType: Account
fieldMappings:
+ - identifier: FullName
+ columnName: SourceUserName
- identifier: Name
columnName: Name
- identifier: UPNSuffix
@@ -98,12 +100,12 @@ entityMappings:
- identifier: DomainName
columnName: DestinationHostName
kind: Scheduled
-version: 1.0.3
+version: 1.0.4
metadata:
source:
kind: Community
author:
- name: Arjun Trivedi
+ name: Microsoft Security Research
support:
tier: Community
categories:
diff --git a/Detections/MultipleDataSources/PlaidRainIPIoC.yaml b/Detections/MultipleDataSources/PlaidRainIPIoC.yaml
index 510e434547..04c55d4683 100644
--- a/Detections/MultipleDataSources/PlaidRainIPIoC.yaml
+++ b/Detections/MultipleDataSources/PlaidRainIPIoC.yaml
@@ -1,5 +1,5 @@
id: a514564b-b010-4c0b-bd71-20e0ce814c66
name: Known Plaid Rain IP
description: |
- 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/PlaidRainIPIoC.yaml'
-version: 1.1.2
+ 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Deprecated%20Analytic%20Rules/PlaidRainIPIoC.yaml'
+version: 1.1.3
diff --git a/Detections/MultipleDataSources/RiskyUserIn3Pnetworkactivity.yaml b/Detections/MultipleDataSources/RiskyUserIn3Pnetworkactivity.yaml
index 5093530ccb..c213e2bef1 100644
--- a/Detections/MultipleDataSources/RiskyUserIn3Pnetworkactivity.yaml
+++ b/Detections/MultipleDataSources/RiskyUserIn3Pnetworkactivity.yaml
@@ -73,6 +73,8 @@ query: |
entityMappings:
- entityType: Account
fieldMappings:
+ - identifier: FullName
+ columnName: UserPrincipalName
- identifier: Name
columnName: Name
- identifier: UPNSuffix
@@ -85,12 +87,8 @@ entityMappings:
fieldMappings:
- identifier: DomainName
columnName: DestinationHostName
- - entityType: Host
- fieldMappings:
- - identifier: FullName
- columnName: SourceSystem
kind: Scheduled
-version: 1.0.3
+version: 1.0.5
metadata:
source:
kind: Community
diff --git a/Detections/MultipleDataSources/RubySleetOct292020IOCs.yaml b/Detections/MultipleDataSources/RubySleetOct292020IOCs.yaml
index e4643f3edd..83fe01ec76 100644
--- a/Detections/MultipleDataSources/RubySleetOct292020IOCs.yaml
+++ b/Detections/MultipleDataSources/RubySleetOct292020IOCs.yaml
@@ -1,5 +1,5 @@
id: 50bf97ef-43f9-470a-a3cd-de15a9204050
name: Known Ruby Sleet domains and hashes
description: |
- 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/RubySleetOct292020IOCs.yaml'
-version: 1.3.2
+ 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Deprecated%20Analytic%20Rules/RubySleetOct292020IOCs.yaml'
+version: 1.3.3
diff --git a/Detections/MultipleDataSources/SUNSPOTLogFile.yaml b/Detections/MultipleDataSources/SUNSPOTLogFile.yaml
index 954ba465f9..ea30036104 100644
--- a/Detections/MultipleDataSources/SUNSPOTLogFile.yaml
+++ b/Detections/MultipleDataSources/SUNSPOTLogFile.yaml
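Review bot: `version: 1.0.5` skips a patch level from 1.0.3 while every other rule in this commit bumps by exactly one; WSLMalwareCorrelation (1.2.1 to 1.2.3) and AADHealthMonAgentRegKeyAccess (1.1.4 to 1.1.6) do the same. This is a consistency point rather than a defect, but it reads as if an earlier bump was folded in, which is worth confirming against each rule's prior history so the published version sequence stays contiguous.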
@@ -1,5 +1,5 @@
id: a36b1ebf-41c9-43a3-9913-edcc0675bab5
name: SUNSPOT log file creation
description: |
- 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/SUNSPOTLogFile.yaml'
-version: 1.2.2
\ No newline at end of file
+ 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Deprecated%20Analytic%20Rules/SUNSPOTLogFile.yaml'
+version: 1.2.3
\ No newline at end of file
diff --git a/Detections/MultipleDataSources/SeashellBlizzardIOCs.yaml b/Detections/MultipleDataSources/SeashellBlizzardIOCs.yaml
index 08277653ed..4cbb0b3c9e 100644
--- a/Detections/MultipleDataSources/SeashellBlizzardIOCs.yaml
+++ b/Detections/MultipleDataSources/SeashellBlizzardIOCs.yaml
@@ -1,5 +1,5 @@
id: d9fabf56-2688-454e-a2f3-d0a28c6ff0b8
name: Known Seashell Blizzard IP
description: |
- 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/SeashellBlizzardIOCs.yaml'
-version: 1.5.2
+ 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Deprecated%20Analytic%20Rules/SeashellBlizzardIOCs.yaml'
+version: 1.5.3
diff --git a/Detections/MultipleDataSources/SilkTyphoonUmServiceSuspiciousFile.yaml b/Detections/MultipleDataSources/SilkTyphoonUmServiceSuspiciousFile.yaml
index aafe417aa0..d9aa5b54de 100644
--- a/Detections/MultipleDataSources/SilkTyphoonUmServiceSuspiciousFile.yaml
+++ b/Detections/MultipleDataSources/SilkTyphoonUmServiceSuspiciousFile.yaml
@@ -1,5 +1,5 @@
id: dd7201f2-8e9b-4f9d-ba2a-1e97a785caa7
name: Silk Typhoon UM Service writing suspicious file
description: |
- 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/SilkTyphoonUmServiceSuspiciousFile.yaml'
-version: 1.2.4
\ No newline at end of file
+ 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Deprecated%20Analytic%20Rules/SilkTyphoonUmServiceSuspiciousFile.yaml'
+version: 1.2.5
\ No newline at end of file
diff --git a/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml b/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml
index 3b650fde8d..40a32c3bd1 100644
--- a/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml
+++ b/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml
@@ -1,5 +1,5 @@
id: 618edc72-5dd3-4147-94af-78689c30ca03
name: Solorigate Network Beacon
description: |
- 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/Solorigate-Network-Beacon.yaml'
-version: 1.5.1
+ 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Deprecated%20Analytic%20Rules/Solorigate-Network-Beacon.yaml'
+version: 1.5.2
diff --git a/Detections/MultipleDataSources/Solorigate-VM-Network.yaml b/Detections/MultipleDataSources/Solorigate-VM-Network.yaml
index b62d9821b0..9146e64557 100644
--- a/Detections/MultipleDataSources/Solorigate-VM-Network.yaml
+++ b/Detections/MultipleDataSources/Solorigate-VM-Network.yaml
@@ -1,5 +1,5 @@
id: 2fe07162-8988-41b2-9aaa-462e5eef61d3
name: Solorigate Domains Found in VM Insights
description: |
- 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/Solorigate-VM-Network.yaml'
-version: 1.0.1
\ No newline at end of file
+ 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Deprecated%20Analytic%20Rules/Solorigate-VM-Network.yaml'
+version: 1.0.2
\ No newline at end of file
diff --git a/Detections/MultipleDataSources/SucessfullSiginFromPhingLink.yaml b/Detections/MultipleDataSources/SucessfullSiginFromPhingLink.yaml
index 9f9be828d4..5e412c6b72 100644
--- a/Detections/MultipleDataSources/SucessfullSiginFromPhingLink.yaml
+++ b/Detections/MultipleDataSources/SucessfullSiginFromPhingLink.yaml
@@ -103,6 +103,8 @@ query: |
entityMappings:
- entityType: Account
fieldMappings:
+ - identifier: FullName
+ columnName: UserPrincipalName
- identifier: Name
columnName: Name
- identifier: UPNSuffix
@@ -124,7 +126,7 @@ entityMappings:
- identifier: Url
columnName: RequestURL
kind: Scheduled
-version: 1.0.4
+version: 1.0.5
metadata:
source:
kind: Community
diff --git a/Detections/MultipleDataSources/SuspiciousLoginfromDeletedExternalIdentities.yaml b/Detections/MultipleDataSources/SuspiciousLoginfromDeletedExternalIdentities.yaml
index 97fe057b00..7fd85944c6 100644
--- a/Detections/MultipleDataSources/SuspiciousLoginfromDeletedExternalIdentities.yaml
+++ b/Detections/MultipleDataSources/SuspiciousLoginfromDeletedExternalIdentities.yaml
@@ -51,6 +51,8 @@ query: |
entityMappings:
- entityType: Account
fieldMappings:
+ - identifier: FullName
+ columnName: UserPrincipalName
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
@@ -59,7 +61,7 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPAddress
-version: 1.0.3
+version: 1.0.4
kind: Scheduled
metadata:
source:
diff --git a/Detections/MultipleDataSources/SuspiciousModificationofGlobalAdminProperties.yaml b/Detections/MultipleDataSources/SuspiciousModificationofGlobalAdminProperties.yaml
index 6728cc9958..055c6adbf8 100644
--- a/Detections/MultipleDataSources/SuspiciousModificationofGlobalAdminProperties.yaml
+++ b/Detections/MultipleDataSources/SuspiciousModificationofGlobalAdminProperties.yaml
@@ -57,12 +57,16 @@ query: |
entityMappings:
- entityType: Account
fieldMappings:
+ - identifier: FullName
+ columnName: Initiator
- identifier: Name
columnName: InitiatorName
- identifier: UPNSuffix
columnName: InitiatorUPNSuffix
- entityType: Account
fieldMappings:
+ - identifier: FullName
+ columnName: AccountUPN
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
@@ -71,13 +75,13 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPAddress
-version: 1.0.2
+version: 1.0.3
kind: Scheduled
metadata:
source:
kind: Community
author:
- name: Ashwin Patil
+ name: Microsoft Security Research
support:
tier: Community
categories:
diff --git a/Detections/MultipleDataSources/SuspiciousVMInstanceCreationActivity.yaml b/Detections/MultipleDataSources/SuspiciousVMInstanceCreationActivity.yaml
index 7b35bef98f..8ce6fa2be9 100644
--- a/Detections/MultipleDataSources/SuspiciousVMInstanceCreationActivity.yaml
+++ b/Detections/MultipleDataSources/SuspiciousVMInstanceCreationActivity.yaml
@@ -110,6 +110,8 @@ entityMappings:
columnName: GCPUserIp
- entityType: Account
fieldMappings:
+ - identifier: FullName
+ columnName: GCPUserUPN
- identifier: Name
columnName: Name
- identifier: UPNSuffix
@@ -138,4 +140,4 @@ alertDetailsOverride:
- alertProperty: ProductComponentName
value: "Microsoft Defender"
kind: Scheduled
-version: 1.0.2
+version: 1.0.3
diff --git a/Detections/MultipleDataSources/TarraskHashIoC.yaml b/Detections/MultipleDataSources/TarraskHashIoC.yaml
index 74b79a898a..fe6a7bf39d 100644
--- a/Detections/MultipleDataSources/TarraskHashIoC.yaml
+++ b/Detections/MultipleDataSources/TarraskHashIoC.yaml
@@ -1,5 +1,5 @@
id: 09446fbf-8873-4f97-b834-43b4f211a77b
name: Tarrask malware IOC - April 2022
description: |
- 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/TarraskHashIoC.yaml'
-version: 1.0.2
\ No newline at end of file
+ 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Deprecated%20Analytic%20Rules/TarraskHashIoC.yaml'
+version: 1.0.3
\ No newline at end of file
diff --git a/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml b/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml
index 4c17c7cb89..f6a0172b94 100644
--- a/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml
+++ b/Detections/MultipleDataSources/WSLMalwareCorrelation.yaml
@@ -1,5 +1,5 @@
id: 98e912e2-9e9c-4b95-8989-c5aedd1fd09d
name: Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021
description: |
- 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/WSLMalwareCorrelation.yaml'
-version: 1.2.1
+ 'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Deprecated%20Analytic%20Rules/WSLMalwareCorrelation.yaml'
+version: 1.2.3
diff --git a/Detections/SecurityAlert/DetectPIMAlertDisablingActivity.yaml b/Detections/SecurityAlert/DetectPIMAlertDisablingActivity.yaml
index c28233d148..3fb8fab8cc 100644
--- a/Detections/SecurityAlert/DetectPIMAlertDisablingActivity.yaml
+++ b/Detections/SecurityAlert/DetectPIMAlertDisablingActivity.yaml
@@ -34,6 +34,8 @@ query: |
entityMappings:
- entityType: Account
fieldMappings:
+ - identifier: FullName
+ columnName: InitiatedBy
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
@@ -46,7 +48,7 @@ entityMappings:
fieldMappings:
- identifier: ResourceId
columnName: ResourceId
-version: 1.0.3
+version: 1.0.4
kind: Scheduled
metadata:
source:
diff --git a/Detections/SecurityAlert/Dev-0530AVHits.yaml b/Detections/SecurityAlert/Dev-0530AVHits.yaml
index 799643ba14..22e551342e 100644
--- a/Detections/SecurityAlert/Dev-0530AVHits.yaml
+++ b/Detections/SecurityAlert/Dev-0530AVHits.yaml
@@ -36,6 +36,8 @@ query: |
entityMappings:
- entityType: Host
fieldMappings:
+ - identifier: FullName
+ columnName: CompromisedEntity
- identifier: HostName
columnName: HostName
- identifier: DnsDomain
@@ -44,7 +46,7 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: PublicIP
-version: 1.0.3
+version: 1.0.4
kind: Scheduled
metadata:
source:
diff --git a/Detections/SecurityAlert/EuropiumAVHits.yaml b/Detections/SecurityAlert/EuropiumAVHits.yaml
index 01bce107ff..153b390d3a 100644
--- a/Detections/SecurityAlert/EuropiumAVHits.yaml
+++ b/Detections/SecurityAlert/EuropiumAVHits.yaml
@@ -37,6 +37,8 @@ query: |
entityMappings:
- entityType: Host
fieldMappings:
+ - identifier: FullName
+ columnName: CompromisedEntity
- identifier: HostName
columnName: HostName
- identifier: NTDomain
@@ -45,7 +47,7 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: PublicIP
-version: 1.1.0
+version: 1.1.1
kind: Scheduled
metadata:
source:
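Review bot: Mapping the Account FullName to `InitiatedBy` in the DetectPIMAlertDisablingActivity section is only sound if the query (which starts before this hunk) has already reduced InitiatedBy to a principal-name string; if this rule reads AuditLogs, as its name suggests, the raw InitiatedBy column is a dynamic object and the entity would carry a JSON document rather than a UPN, which defeats entity correlation across incidents. If that is the case, project a string first, e.g. `| extend InitiatedBy = tostring(InitiatedBy.user.userPrincipalName)`, and map FullName to that. The Dev-0530AVHits and EuropiumAVHits sections on this line map `CompromisedEntity`, which is presumably already a plain string in the SecurityAlert table, so the same concern does not apply there.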
diff --git a/Detections/SecurityAlert/HiveRansomwareAVHits.yaml b/Detections/SecurityAlert/HiveRansomwareAVHits.yaml
index 6be9d3ff9f..1df9d2dea1 100644
--- a/Detections/SecurityAlert/HiveRansomwareAVHits.yaml
+++ b/Detections/SecurityAlert/HiveRansomwareAVHits.yaml
@@ -36,6 +36,8 @@ query: |
entityMappings:
- entityType: Host
fieldMappings:
+ - identifier: FullName
+ columnName: CompromisedEntity
- identifier: HostName
columnName: HostName
- identifier: DnsDomain
@@ -44,7 +46,7 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: PublicIP
-version: 1.0.3
+version: 1.0.4
kind: Scheduled
metadata:
source:
diff --git a/Detections/SecurityAlert/MDE_hitsforADFandAzureSynapsePipelines.yaml b/Detections/SecurityAlert/MDE_hitsforADFandAzureSynapsePipelines.yaml
index 2f3e364034..7b66b0cc2d 100644
--- a/Detections/SecurityAlert/MDE_hitsforADFandAzureSynapsePipelines.yaml
+++ b/Detections/SecurityAlert/MDE_hitsforADFandAzureSynapsePipelines.yaml
@@ -39,6 +39,8 @@ query: |
entityMappings:
- entityType: Host
fieldMappings:
+ - identifier: FullName
+ columnName: CompromisedEntity
- identifier: HostName
columnName: HostName
- identifier: DnsDomain
@@ -47,7 +49,7 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: PublicIP
-version: 1.0.4
+version: 1.0.5
kind: Scheduled
metadata:
source:
diff --git a/Detections/SecurityAlert/Massdownload_USBFileCopy.yaml b/Detections/SecurityAlert/Massdownload_USBFileCopy.yaml
index 67695bd844..f2282e2d9a 100644
--- a/Detections/SecurityAlert/Massdownload_USBFileCopy.yaml
+++ b/Detections/SecurityAlert/Massdownload_USBFileCopy.yaml
@@ -90,10 +90,14 @@ query: |
entityMappings:
- entityType: Account
fieldMappings:
+ - identifier: FullName
+ columnName: UserId
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
+ - entityType: Account
+ fieldMappings:
- identifier: AadUserId
columnName: AADUserId
- entityType: IP
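Review bot: The new `- entityType: Account` / `fieldMappings:` pair in the Massdownload_USBFileCopy section moves the existing `AadUserId` identifier into a second Account entity, so the same user is now emitted as two Account entities, one keyed by FullName/Name/UPNSuffix and one by AadUserId only. This is presumably done to stay within the per-mapping identifier limit after adding FullName, but nothing in the file records that, and a later maintainer could "fix" it by merging the two back together; a one-line YAML comment above the second mapping such as `# AadUserId kept in its own Account entity to stay within the identifier limit per mapping` would make the intent explicit. Whether the platform merges the two into one incident entity is not visible here and is worth confirming, since split entities weaken the user-level correlation this rule depends on.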
@@ -102,6 +106,8 @@ entityMappings: columnName: IPAddress - entityType: Host fieldMappings: + - identifier: FullName + columnName: DeviceName - identifier: HostName columnName: HostName - identifier: DnsDomain
@@ -112,7 +118,7 @@ entityMappings: columnName: InitiatingProcessFileName - identifier: Directory columnName: InitiatingProcessFolderPath
-version: 1.0.3
+version: 1.0.4
 kind: Scheduled metadata: source:
diff --git a/Detections/SecurityAlert/Solorigate-Defender-Detections.yaml b/Detections/SecurityAlert/Solorigate-Defender-Detections.yaml
index 254f2b8f79..4099c5ca99 100644
--- a/Detections/SecurityAlert/Solorigate-Defender-Detections.yaml
+++ b/Detections/SecurityAlert/Solorigate-Defender-Detections.yaml
@@ -37,6 +37,8 @@ query: | entityMappings: - entityType: Host fieldMappings: + - identifier: FullName + columnName: CompromisedEntity - identifier: HostName columnName: HostName - identifier: DnsDomain
@@ -45,7 +47,7 @@ entityMappings: fieldMappings: - identifier: Address columnName: PublicIP
-version: 1.0.4
+version: 1.0.5
 kind: Scheduled metadata: source:
diff --git a/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml b/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml
index 17139601fd..cd3307a99a 100644
--- a/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml
+++ b/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml
@@ -63,6 +63,8 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: UserAccount - identifier: Name columnName: AccountName - identifier: UPNSuffix
@@ -75,7 +77,7 @@ entityMappings: fieldMappings: - identifier: ResourceId columnName: _ResourceId
-version: 1.0.7
+version: 1.0.8
 kind: Scheduled metadata: source:
diff --git a/Detections/SecurityEvent/AADHealthMonAgentRegKeyAccess.yaml b/Detections/SecurityEvent/AADHealthMonAgentRegKeyAccess.yaml
index 19774a33b0..7470ad6cc0 100644 
--- a/Detections/SecurityEvent/AADHealthMonAgentRegKeyAccess.yaml
+++ b/Detections/SecurityEvent/AADHealthMonAgentRegKeyAccess.yaml
@@ -108,20 +108,25 @@ query: | | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.')) | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer) | extend Name = tostring(split(Account, "\\")[1]), NTDomain = tostring(split(Account, "\\")[0]) + | project-away DomainIndex entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: Account - identifier: Name columnName: Name - identifier: NTDomain columnName: NTDomain - entityType: Host fieldMappings: + - identifier: FullName + columnName: Computer - identifier: HostName columnName: HostName - identifier: DnsDomain columnName: HostNameDomain
-version: 1.1.4
+version: 1.1.6
 kind: Scheduled metadata: source:
diff --git a/Detections/SecurityEvent/AADHealthSvcAgentRegKeyAccess.yaml b/Detections/SecurityEvent/AADHealthSvcAgentRegKeyAccess.yaml
index 371309bfc3..4ae2d12722 100644
--- a/Detections/SecurityEvent/AADHealthSvcAgentRegKeyAccess.yaml
+++ b/Detections/SecurityEvent/AADHealthSvcAgentRegKeyAccess.yaml
@@ -110,17 +110,21 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: Account - identifier: Name columnName: Name - identifier: NTDomain columnName: NTDomain - entityType: Host fieldMappings: + - identifier: FullName + columnName: Computer - identifier: HostName columnName: HostName - identifier: DnsDomain columnName: HostNameDomain
-version: 1.1.4
+version: 1.1.5
 kind: Scheduled metadata: source:
diff --git a/Detections/SecurityEvent/ADFSAbnormalEnhancedKeyUsageAttribute-OID.yaml b/Detections/SecurityEvent/ADFSAbnormalEnhancedKeyUsageAttribute-OID.yaml
index 8be5159bd7..86cb67bed8 100644
--- a/Detections/SecurityEvent/ADFSAbnormalEnhancedKeyUsageAttribute-OID.yaml 
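Review bot: The version line in AADHealthMonAgentRegKeyAccess jumps from 1.1.4 to 1.1.6 while every sibling rule in this commit bumps a single patch level (AADHealthSvcAgentRegKeyAccess in the very next hunk goes 1.1.4 to 1.1.5); unless 1.1.5 was deliberately skipped, `+version: 1.1.5` keeps the numbering consistent, and if the skip is intentional it deserves a line in the commit description. The added `| project-away DomainIndex` is a sensible cleanup of the helper column and matches what PotentialKerberoast already does further down.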
+++ b/Detections/SecurityEvent/ADFSAbnormalEnhancedKeyUsageAttribute-OID.yaml
@@ -53,11 +53,13 @@ query: | entityMappings: - entityType: Host fieldMappings: + - identifier: FullName + columnName: Computer - identifier: HostName columnName: HostName - identifier: DnsDomain columnName: HostNameDomain
-version: 1.0.3
+version: 1.0.4
 kind: Scheduled metadata: source:
diff --git a/Detections/SecurityEvent/AccessibilityFeaturesModification.yaml b/Detections/SecurityEvent/AccessibilityFeaturesModification.yaml
index b48d54e121..e57300fec5 100644
--- a/Detections/SecurityEvent/AccessibilityFeaturesModification.yaml
+++ b/Detections/SecurityEvent/AccessibilityFeaturesModification.yaml
@@ -41,12 +41,16 @@ entityMappings: columnName: ProcessId - entityType: Host fieldMappings: + - identifier: FullName + columnName: Computer - identifier: HostName columnName: HostName - identifier: DnsDomain columnName: HostNameDomain - entityType: Account fieldMappings: + - identifier: FullName + columnName: User - identifier: Name columnName: AccountName - identifier: NTDomain
@@ -57,7 +61,7 @@ entityMappings: columnName: ImageFileName - identifier: Directory columnName: ImageDirectory
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled metadata: source:
diff --git a/Detections/SecurityEvent/AdminSDHolder_Modifications.yaml b/Detections/SecurityEvent/AdminSDHolder_Modifications.yaml
index 91124f842f..1024470312 100644
--- a/Detections/SecurityEvent/AdminSDHolder_Modifications.yaml
+++ b/Detections/SecurityEvent/AdminSDHolder_Modifications.yaml
@@ -29,17 +29,21 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: SubjectAccount - identifier: Name columnName: Name - identifier: NTDomain columnName: NTDomain - entityType: Host fieldMappings: + - identifier: FullName + columnName: Computer - identifier: HostName columnName: HostName - identifier: DnsDomain columnName: HostNameDomain
-version: 1.0.3
+version: 1.0.4
 kind: Scheduled metadata: source: 
diff --git a/Detections/SecurityEvent/COMEventSystemLoadingNewDLL.yaml b/Detections/SecurityEvent/COMEventSystemLoadingNewDLL.yaml
index 63903a417f..9140f4a3c5 100644
--- a/Detections/SecurityEvent/COMEventSystemLoadingNewDLL.yaml
+++ b/Detections/SecurityEvent/COMEventSystemLoadingNewDLL.yaml
@@ -84,12 +84,16 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: UserName - identifier: Name columnName: Name - identifier: NTDomain columnName: NTDomain - entityType: Host fieldMappings: + - identifier: FullName + columnName: Computer - identifier: HostName columnName: HostName - identifier: DnsDomain
@@ -100,7 +104,7 @@ entityMappings: columnName: SHA1 - identifier: Algorithm columnName: HashAlgo
-version: 1.0.3
+version: 1.0.4
 kind: Scheduled metadata: source:
diff --git a/Detections/SecurityEvent/DSRMAccountAbuse.yaml b/Detections/SecurityEvent/DSRMAccountAbuse.yaml
index 99885c89c1..81a1295438 100644
--- a/Detections/SecurityEvent/DSRMAccountAbuse.yaml
+++ b/Detections/SecurityEvent/DSRMAccountAbuse.yaml
@@ -31,12 +31,16 @@ query: | entityMappings: - entityType: Host fieldMappings: + - identifier: FullName + columnName: Computer - identifier: HostName columnName: HostName - identifier: DnsDomain columnName: HostNameDomain - entityType: Account fieldMappings: + - identifier: FullName + columnName: User - identifier: Name columnName: AccountName - identifier: NTDomain
@@ -55,7 +59,7 @@ entityMappings: fieldMappings: - identifier: Key columnName: TargetObject
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled metadata: source:
diff --git a/Detections/SecurityEvent/FakeComputerAccountCreated.yaml b/Detections/SecurityEvent/FakeComputerAccountCreated.yaml
index 40aee5a8ee..9640965d21 100644
--- a/Detections/SecurityEvent/FakeComputerAccountCreated.yaml
+++ b/Detections/SecurityEvent/FakeComputerAccountCreated.yaml 
@@ -28,27 +28,37 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: SubjectAccount - identifier: Name columnName: SubjectUserName - identifier: NTDomain columnName: SubjectDomainName + - entityType: Account + fieldMappings: - identifier: Sid columnName: SubjectUserSid - entityType: Account fieldMappings: + - identifier: FullName + columnName: TargetAccount - identifier: Name columnName: TargetUserName - identifier: NTDomain columnName: TargetDomainName + - entityType: Account + fieldMappings: - identifier: Sid columnName: TargetSid - entityType: Host fieldMappings: + - identifier: FullName + columnName: Computer - identifier: HostName columnName: HostName - identifier: DnsDomain columnName: HostNameDomain
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled metadata: source:
diff --git a/Detections/SecurityEvent/GroupCreatedAddedToPrivlegeGroup_1h.yaml b/Detections/SecurityEvent/GroupCreatedAddedToPrivlegeGroup_1h.yaml
index f6a954118e..c9aeb29bfb 100644
--- a/Detections/SecurityEvent/GroupCreatedAddedToPrivlegeGroup_1h.yaml
+++ b/Detections/SecurityEvent/GroupCreatedAddedToPrivlegeGroup_1h.yaml 
@@ -108,33 +108,37 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: GroupCreateSubjectAccount - identifier: Name columnName: GroupCreateSubjectUserName - identifier: NTDomain columnName: GroupCreateSubjectDomainName - - identifier: Sid - columnName: GroupCreateSubjectUserSid - entityType: Account fieldMappings: + - identifier: FullName + columnName: GroupCreateTargetAccount - identifier: Name columnName: GroupAddSubjectUserName - identifier: NTDomain columnName: GroupAddSubjectDomainName - - identifier: Sid - columnName: GroupAddSubjectUserSid - entityType: Host fieldMappings: + - identifier: FullName + columnName: GroupCreateComputer - identifier: HostName columnName: GroupCreateHostName - identifier: DnsDomain columnName: GroupCreateHostNameDomain - entityType: Host fieldMappings: + - identifier: FullName + columnName: GroupAddComputer - identifier: HostName columnName: GroupAddHostName - identifier: DnsDomain columnName: GroupAddHostNameDomain
-version: 1.1.4
+version: 1.1.5
 kind: Scheduled metadata: source:
diff --git a/Detections/SecurityEvent/MidnightBlizzard_SuspiciousRundll32Exec.yaml b/Detections/SecurityEvent/MidnightBlizzard_SuspiciousRundll32Exec.yaml
index 9205197f93..b039031efc 100644
--- a/Detections/SecurityEvent/MidnightBlizzard_SuspiciousRundll32Exec.yaml
+++ b/Detections/SecurityEvent/MidnightBlizzard_SuspiciousRundll32Exec.yaml
@@ -53,19 +53,25 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: SubjectAccount - identifier: Name columnName: SubjectUserName - identifier: NTDomain columnName: SubjectDomainName + - entityType: Account + fieldMappings: - identifier: Sid columnName: SubjectUserSid - entityType: Host fieldMappings: + - identifier: FullName + columnName: Computer - identifier: HostName columnName: HostName - identifier: DnsDomain columnName: HostNameDomain
-version: 1.1.4
+version: 1.1.5
 kind: Scheduled metadata: source: 
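Review bot: In the second Account entity of GroupCreatedAddedToPrivlegeGroup_1h the new FullName maps to `GroupCreateTargetAccount` while its Name and NTDomain map to `GroupAddSubjectUserName` and `GroupAddSubjectDomainName`, so the three identifiers of one entity appear to describe two different principals (the group that was created versus the account that performed the add); if that is unintended, the FullName column should be the add-subject's full account name (a `GroupAddSubjectAccount`-style column, if the query, which is outside the hunk, derives one). This hunk also removes the Sid identifiers outright, whereas FakeComputerAccountCreated and MidnightBlizzard_SuspiciousRundll32Exec move Sid into a separate Account entity; UserAccountCreatedDeleted_10m, UserAccountEnabledDisabled_10m and UserCreatedAddedToBuiltinAdmins_1d later in the diff drop them the same way as here. Dropping the SID means an account renamed after the event no longer correlates by its stable identifier, so whichever choice is made should be applied uniformly and stated in the commit description.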
diff --git a/Detections/SecurityEvent/MidnightBlizzard_SuspiciousScriptRegistryWrite.yaml b/Detections/SecurityEvent/MidnightBlizzard_SuspiciousScriptRegistryWrite.yaml
index bc813a5742..523b5071f2 100644
--- a/Detections/SecurityEvent/MidnightBlizzard_SuspiciousScriptRegistryWrite.yaml
+++ b/Detections/SecurityEvent/MidnightBlizzard_SuspiciousScriptRegistryWrite.yaml
@@ -64,17 +64,21 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: Account - identifier: Name columnName: Name - identifier: NTDomain columnName: NTDomain - entityType: Host fieldMappings: + - identifier: FullName + columnName: Computer - identifier: HostName columnName: HostName - identifier: DnsDomain columnName: DnsDomain
-version: 1.1.4
+version: 1.1.5
 kind: Scheduled metadata: source:
diff --git a/Detections/SecurityEvent/PotenialResourceBasedConstrainedDelegationAbuse.yaml b/Detections/SecurityEvent/PotenialResourceBasedConstrainedDelegationAbuse.yaml
index 5b72fef241..5bb0563325 100644
--- a/Detections/SecurityEvent/PotenialResourceBasedConstrainedDelegationAbuse.yaml
+++ b/Detections/SecurityEvent/PotenialResourceBasedConstrainedDelegationAbuse.yaml
@@ -31,19 +31,25 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: SubjectAccount - identifier: Name columnName: SubjectUserName - identifier: NTDomain columnName: SubjectDomainName + - entityType: Account + fieldMappings: - identifier: Sid columnName: SubjectUserSid - entityType: Host fieldMappings: + - identifier: FullName + columnName: Computer - identifier: HostName columnName: HostName - identifier: DnsDomain columnName: HostNameDomain
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled metadata: source:
diff --git a/Detections/SecurityEvent/PotentialBuildProcessCompromise.yaml b/Detections/SecurityEvent/PotentialBuildProcessCompromise.yaml
index e051470ef9..08fe4352a6 100644 
--- a/Detections/SecurityEvent/PotentialBuildProcessCompromise.yaml
+++ b/Detections/SecurityEvent/PotentialBuildProcessCompromise.yaml
@@ -102,11 +102,13 @@ query: | entityMappings: - entityType: Host fieldMappings: + - identifier: FullName + columnName: Computer - identifier: HostName columnName: HostName - identifier: DnsDomain columnName: HostNameDomain
-version: 1.1.3
+version: 1.1.4
 kind: Scheduled metadata: source:
diff --git a/Detections/SecurityEvent/PotentialKerberoast.yaml b/Detections/SecurityEvent/PotentialKerberoast.yaml
index 128a511bc3..65b5e0ee84 100644
--- a/Detections/SecurityEvent/PotentialKerberoast.yaml
+++ b/Detections/SecurityEvent/PotentialKerberoast.yaml
@@ -84,16 +84,21 @@ query: | TicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h, TargetDomainName | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.')) | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer) + | extend TargetAccount = strcat(TargetDomainName, "\\", TargetUserName) | project-away DomainIndex entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: TargetAccount - identifier: Name columnName: TargetUserName - identifier: NTDomain columnName: TargetDomainName - entityType: Host fieldMappings: + - identifier: FullName + columnName: Computer - identifier: HostName columnName: HostName - identifier: DnsDomain
@@ -102,7 +107,7 @@ entityMappings: fieldMappings: - identifier: Address columnName: ClientIPAddress
-version: 1.1.5
+version: 1.1.6
 kind: Scheduled metadata: source:
diff --git a/Detections/SecurityEvent/RDP_MultipleConnectionsFromSingleSystem.yaml b/Detections/SecurityEvent/RDP_MultipleConnectionsFromSingleSystem.yaml
index 766d6facf7..dc23616680 100644
--- a/Detections/SecurityEvent/RDP_MultipleConnectionsFromSingleSystem.yaml
+++ b/Detections/SecurityEvent/RDP_MultipleConnectionsFromSingleSystem.yaml 
@@ -73,6 +73,8 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: Account - identifier: Name columnName: AccountName - identifier: NTDomain
@@ -81,7 +83,7 @@ entityMappings: fieldMappings: - identifier: Address columnName: IpAddress
-version: 1.2.4
+version: 1.2.5
 kind: Scheduled metadata: source:
diff --git a/Detections/SecurityEvent/RDP_Nesting.yaml b/Detections/SecurityEvent/RDP_Nesting.yaml
index 2e3072de1e..3fa6436044 100644
--- a/Detections/SecurityEvent/RDP_Nesting.yaml
+++ b/Detections/SecurityEvent/RDP_Nesting.yaml
@@ -107,18 +107,24 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: Account - identifier: Name columnName: AccountName - identifier: NTDomain columnName: AccountNTDomain - entityType: Host fieldMappings: + - identifier: FullName + columnName: FirstComputer - identifier: HostName columnName: HostName1 - identifier: NTDomain columnName: HostNameDomain1 - entityType: Host fieldMappings: + - identifier: FullName + columnName: SecondComputer - identifier: HostName columnName: HostName2 - identifier: NTDomain
@@ -127,7 +133,7 @@ entityMappings: fieldMappings: - identifier: Address columnName: FirstIPAddress
-version: 1.2.4
+version: 1.2.5
 kind: Scheduled metadata: source:
diff --git a/Detections/SecurityEvent/RDP_RareConnection.yaml b/Detections/SecurityEvent/RDP_RareConnection.yaml
index 578e7bd7d1..5e08576557 100644
--- a/Detections/SecurityEvent/RDP_RareConnection.yaml
+++ b/Detections/SecurityEvent/RDP_RareConnection.yaml
@@ -72,12 +72,16 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: Account - identifier: Name columnName: AccountName - identifier: NTDomain columnName: AccountNTDomain - entityType: Host fieldMappings: + - identifier: FullName + columnName: Computer - identifier: HostName columnName: HostName - identifier: NTDomain 
@@ -86,7 +90,7 @@ entityMappings: fieldMappings: - identifier: Address columnName: IpAddress
-version: 1.2.4
+version: 1.2.5
 kind: Scheduled metadata: source:
diff --git a/Detections/SecurityEvent/SilkTyphoonNewUMServiceChildProcess.yaml b/Detections/SecurityEvent/SilkTyphoonNewUMServiceChildProcess.yaml
index 0e7110f394..ebf685b29c 100644
--- a/Detections/SecurityEvent/SilkTyphoonNewUMServiceChildProcess.yaml
+++ b/Detections/SecurityEvent/SilkTyphoonNewUMServiceChildProcess.yaml
@@ -64,12 +64,16 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: SubjectAccount - identifier: Name columnName: SubjectUserName - identifier: NTDomain columnName: SubjectDomainName - entityType: Host fieldMappings: + - identifier: FullName + columnName: Computer - identifier: HostName columnName: HostName - identifier: NTDomain
@@ -78,7 +82,7 @@ entityMappings: fieldMappings: - identifier: Address columnName: IpAddress
-version: 1.1.4
+version: 1.1.5
 kind: Scheduled metadata: source:
diff --git a/Detections/SecurityEvent/SilkTyphoonSuspiciousUMServiceError.yaml b/Detections/SecurityEvent/SilkTyphoonSuspiciousUMServiceError.yaml
index 7c33f817e5..10657cf392 100644
--- a/Detections/SecurityEvent/SilkTyphoonSuspiciousUMServiceError.yaml
+++ b/Detections/SecurityEvent/SilkTyphoonSuspiciousUMServiceError.yaml
@@ -26,11 +26,13 @@ query: | entityMappings: - entityType: Host fieldMappings: + - identifier: FullName + columnName: Computer - identifier: HostName columnName: HostName - identifier: NTDomain columnName: HostNameDomain
-version: 1.0.3
+version: 1.0.4
 kind: Scheduled metadata: source:
diff --git a/Detections/SecurityEvent/SolorigateNamedPipe.yaml b/Detections/SecurityEvent/SolorigateNamedPipe.yaml
index 9060bceb47..2d53973375 100644
--- a/Detections/SecurityEvent/SolorigateNamedPipe.yaml
+++ b/Detections/SecurityEvent/SolorigateNamedPipe.yaml 
@@ -68,17 +68,21 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: Account - identifier: Name columnName: AccountName - identifier: NTDomain columnName: AccountNTDomain - entityType: Host fieldMappings: + - identifier: FullName + columnName: Computer - identifier: HostName columnName: HostName - identifier: NTDomain columnName: HostNameDomain
-version: 1.2.4
+version: 1.2.5
 kind: Scheduled metadata: source:
diff --git a/Detections/SecurityEvent/UserAccountAdd-Removed.yaml b/Detections/SecurityEvent/UserAccountAdd-Removed.yaml
index 7d3ca8d259..83943c6226 100644
--- a/Detections/SecurityEvent/UserAccountAdd-Removed.yaml
+++ b/Detections/SecurityEvent/UserAccountAdd-Removed.yaml
@@ -94,23 +94,29 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: AccountRemoved - identifier: Name columnName: RemovedAccountName - identifier: NTDomain columnName: RemovedAccountNTDomain - entityType: Account fieldMappings: + - identifier: FullName + columnName: RemovingAccount - identifier: Name columnName: RemovingAccountName - identifier: NTDomain columnName: RemovingAccountNTDomain - entityType: Host fieldMappings: + - identifier: FullName + columnName: Computer - identifier: HostName columnName: HostName - identifier: NTDomain columnName: HostNameDomain
-version: 1.1.4
+version: 1.1.5
 kind: Scheduled metadata: source:
diff --git a/Detections/SecurityEvent/UserAccountAddedToPrivlegeGroup_1h.yaml b/Detections/SecurityEvent/UserAccountAddedToPrivlegeGroup_1h.yaml
index 7402ab122a..7ccac11956 100644
--- a/Detections/SecurityEvent/UserAccountAddedToPrivlegeGroup_1h.yaml
+++ b/Detections/SecurityEvent/UserAccountAddedToPrivlegeGroup_1h.yaml 
@@ -76,10 +76,14 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: SubjectAccount - identifier: Name columnName: SubjectUserName - identifier: NTDomain columnName: SubjectDomainName + - entityType: Account + fieldMappings: - identifier: Sid columnName: SubjectUserSid - entityType: Account
@@ -90,11 +94,13 @@ entityMappings: columnName: AddedMemberSid - entityType: Host fieldMappings: + - identifier: FullName + columnName: Computer - identifier: HostName columnName: HostName - identifier: NTDomain columnName: HostNameDomain
-version: 1.3.6
+version: 1.3.7
 kind: Scheduled metadata: source:
diff --git a/Detections/SecurityEvent/UserAccountCreatedDeleted_10m.yaml b/Detections/SecurityEvent/UserAccountCreatedDeleted_10m.yaml
index d27cd88c44..2473d3098b 100644
--- a/Detections/SecurityEvent/UserAccountCreatedDeleted_10m.yaml
+++ b/Detections/SecurityEvent/UserAccountCreatedDeleted_10m.yaml 
@@ -102,35 +102,41 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: AccountUsedToCreate - identifier: Name columnName: CreatedBySubjectUserName - identifier: NTDomain columnName: CreatedBySubjectDomainName - - identifier: Sid - columnName: SIDofAccountUsedToCreate - entityType: Account fieldMappings: + - identifier: FullName + columnName: AccountUsedToDelete - identifier: Name columnName: DeletedBySubjectUserName - identifier: NTDomain columnName: DeletedBySubjectDomainName - - identifier: Sid - columnName: SIDofAccountUsedToDelete - entityType: Account fieldMappings: + - identifier: FullName + columnName: TargetAccount - identifier: Name columnName: TargetUserName - identifier: NTDomain columnName: TargetDomainName + - entityType: Account + fieldMappings: - identifier: Sid columnName: TargetSid - entityType: Host fieldMappings: + - identifier: FullName + columnName: Computer - identifier: HostName columnName: HostName - identifier: NTDomain columnName: HostNameDomain
-version: 1.2.0
+version: 1.2.1
 kind: Scheduled metadata: source:
diff --git a/Detections/SecurityEvent/UserAccountEnabledDisabled_10m.yaml b/Detections/SecurityEvent/UserAccountEnabledDisabled_10m.yaml
index 668ff9be1e..295aacb4f1 100644
--- a/Detections/SecurityEvent/UserAccountEnabledDisabled_10m.yaml
+++ b/Detections/SecurityEvent/UserAccountEnabledDisabled_10m.yaml 
@@ -103,35 +103,41 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: AccountUsedToEnable - identifier: Name columnName: EnabledBySubjectUserName - identifier: NTDomain columnName: EnabledBySubjectDomainName - - identifier: Sid - columnName: SIDofAccountUsedToEnable - entityType: Account fieldMappings: + - identifier: FullName + columnName: AccountUsedToDisable - identifier: Name columnName: DisabledBySubjectUserName - identifier: NTDomain columnName: DisabledBySubjectDomainName - - identifier: Sid - columnName: SIDofAccountUsedToDisable - entityType: Account fieldMappings: + - identifier: FullName + columnName: TargetAccount - identifier: Name columnName: TargetUserName - identifier: NTDomain columnName: TargetDomainName + - entityType: Account + fieldMappings: - identifier: Sid columnName: TargetSid - entityType: Host fieldMappings: + - identifier: FullName + columnName: Computer - identifier: HostName columnName: HostName - identifier: NTDomain columnName: HostNameDomain
-version: 1.2.0
+version: 1.2.1
 kind: Scheduled metadata: source:
diff --git a/Detections/SecurityEvent/UserCreatedAddedToBuiltinAdmins_1d.yaml b/Detections/SecurityEvent/UserCreatedAddedToBuiltinAdmins_1d.yaml
index abc5e23e6f..2f1156ff30 100644
--- a/Detections/SecurityEvent/UserCreatedAddedToBuiltinAdmins_1d.yaml
+++ b/Detections/SecurityEvent/UserCreatedAddedToBuiltinAdmins_1d.yaml 
@@ -94,35 +94,41 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: AccountUsedToCreateUser - identifier: Name columnName: CreatedByAccountName - identifier: NTDomain columnName: CreatedByDomainName - - identifier: Sid - columnName: SidofAccountUsedToCreateUser - entityType: Account fieldMappings: + - identifier: FullName + columnName: AccountThatAddedUser - identifier: Name columnName: AddedByAccountName - identifier: NTDomain columnName: AddedByDomainName - - identifier: Sid - columnName: SIDofAccountThatAddedUser - entityType: Account fieldMappings: + - identifier: FullName + columnName: CreatedUser - identifier: Name columnName: CreatedUserAccountName - identifier: NTDomain columnName: CreatedUserDomainName + - entityType: Account + fieldMappings: - identifier: Sid columnName: CreatedUserSid - entityType: Host fieldMappings: + - identifier: FullName + columnName: Computer - identifier: HostName columnName: HostName - identifier: NTDomain columnName: HostNameDomain
-version: 1.2.0
+version: 1.2.1
 kind: Scheduled metadata: source:
diff --git a/Detections/SecurityEvent/UserPrincipalNameAssignedToUserAccount.yaml b/Detections/SecurityEvent/UserPrincipalNameAssignedToUserAccount.yaml
index 9a7b05e6be..49e3e5e4c7 100644
--- a/Detections/SecurityEvent/UserPrincipalNameAssignedToUserAccount.yaml
+++ b/Detections/SecurityEvent/UserPrincipalNameAssignedToUserAccount.yaml 
@@ -32,19 +32,25 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: SubjectAccount - identifier: Name columnName: SubjectUserName - identifier: NTDomain columnName: SubjectDomainName + - entityType: Account + fieldMappings: - identifier: Sid columnName: SubjectUserSid - entityType: Host fieldMappings: + - identifier: FullName + columnName: Computer - identifier: HostName columnName: HostName - identifier: NTDomain columnName: HostNameDomain
-version: 1.0.3
+version: 1.0.4
 kind: Scheduled metadata: source:
diff --git a/Detections/SecurityEvent/gte_6_FailedLogons_10m.yaml b/Detections/SecurityEvent/gte_6_FailedLogons_10m.yaml
index 1a9ee94449..655c4d753e 100644
--- a/Detections/SecurityEvent/gte_6_FailedLogons_10m.yaml
+++ b/Detections/SecurityEvent/gte_6_FailedLogons_10m.yaml
@@ -103,18 +103,22 @@ query: | LogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress | where FailedLogonCount >= threshold ))) - | summarize arg_max(TimeGenerated, *) by Computer, TargetUserName, TargetDomainName + | summarize arg_max(TimeGenerated, *) by Computer, TargetAccount, TargetUserName, TargetDomainName | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.')) | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer) entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: TargetAccount - identifier: Name columnName: TargetUserName - identifier: NTDomain columnName: TargetDomainName - entityType: Host fieldMappings: + - identifier: FullName + columnName: Computer - identifier: HostName columnName: HostName - identifier: NTDomain
@@ -123,7 +127,7 @@ entityMappings: fieldMappings: - identifier: Address columnName: IpAddress
-version: 1.2.4
+version: 1.2.5
 kind: Scheduled metadata: source: 
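Review bot: The rewritten `| summarize arg_max(TimeGenerated, *) by Computer, TargetAccount, TargetUserName, TargetDomainName` in gte_6_FailedLogons_10m relies on TargetAccount surviving the projection whose tail (`LogonType, LogonTypeName, ... WorkstationName, IpAddress`) is visible just above it; the head of that column list is outside the hunk, so confirm TargetAccount is in it, otherwise the summarize fails to resolve the column at rule validation. If it is not carried through, deriving it the way PotentialKerberoast does in this same commit, `| extend TargetAccount = strcat(TargetDomainName, "\\", TargetUserName)`, placed before the summarize, is the smaller change. Assuming TargetAccount is domain\user it is functionally dependent on the other two keys, so adding it to the `by` clause does not change grouping and the patch-level bump is appropriate.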
diff --git a/Detections/SecurityEvent/password_never_expires.yaml b/Detections/SecurityEvent/password_never_expires.yaml
index 3d0afbdef1..0deea790f6 100644
--- a/Detections/SecurityEvent/password_never_expires.yaml
+++ b/Detections/SecurityEvent/password_never_expires.yaml
@@ -64,27 +64,37 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: TargetAccount - identifier: Name columnName: TargetUserName - identifier: NTDomain columnName: TargetDomainName + - entityType: Account + fieldMappings: - identifier: Sid columnName: TargetSid - entityType: Account fieldMappings: + - identifier: FullName + columnName: SubjectAccount - identifier: Name columnName: SubjectUserName - identifier: NTDomain columnName: SubjectDomainName + - entityType: Account + fieldMappings: - identifier: Sid columnName: SubjectUserSid - entityType: Host fieldMappings: + - identifier: FullName + columnName: Computer - identifier: HostName columnName: HostName - identifier: DnsDomain columnName: HostNameDomain
-version: 1.2.0
+version: 1.2.1
 kind: Scheduled metadata: source:
diff --git a/Detections/SigninLogs/AnomolousSingleFactorSignin.yaml b/Detections/SigninLogs/AnomolousSingleFactorSignin.yaml
index 5c73aae557..b5d19bd47f 100644
--- a/Detections/SigninLogs/AnomolousSingleFactorSignin.yaml
+++ b/Detections/SigninLogs/AnomolousSingleFactorSignin.yaml
@@ -39,13 +39,13 @@ query: | entityMappings: - entityType: Account fieldMappings: - - identifier: Name + - identifier: FullName columnName: UserPrincipalName - entityType: IP fieldMappings: - identifier: Address columnName: IPAddress
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled metadata: source:
diff --git a/Detections/SigninLogs/AuthenticationAttemptfromNewCountry.yaml b/Detections/SigninLogs/AuthenticationAttemptfromNewCountry.yaml
index a10cb846f6..1bb354633e 100644
--- a/Detections/SigninLogs/AuthenticationAttemptfromNewCountry.yaml 
+++ b/Detections/SigninLogs/AuthenticationAttemptfromNewCountry.yaml
@@ -84,6 +84,8 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: UserPrincipalName - identifier: Name columnName: Name - identifier: UPNSuffix
@@ -92,7 +94,7 @@ entityMappings: fieldMappings: - identifier: Address columnName: IP
-version: 1.1.1
+version: 1.1.2
 kind: Scheduled metadata: source:
diff --git a/Detections/SigninLogs/NewCountryValidCreds.yaml b/Detections/SigninLogs/NewCountryValidCreds.yaml
index b50d819c90..3a15bd4166 100644
--- a/Detections/SigninLogs/NewCountryValidCreds.yaml
+++ b/Detections/SigninLogs/NewCountryValidCreds.yaml
@@ -52,6 +52,8 @@ query: | entityMappings: - entityType: Account fieldMappings: + - identifier: FullName + columnName: UserPrincipalName - identifier: Name columnName: Name - identifier: NTDomain
@@ -65,7 +67,7 @@ customDetails: failureReason: failureReason eventGroupingSettings: aggregationKind: SingleAlert
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled metadata: source:
diff --git a/Detections/SigninLogs/PrivilegedUserLogonfromnewASN.yaml b/Detections/SigninLogs/PrivilegedUserLogonfromnewASN.yaml
index 9152834ffc..2f79c5b00e 100644
--- a/Detections/SigninLogs/PrivilegedUserLogonfromnewASN.yaml
+++ b/Detections/SigninLogs/PrivilegedUserLogonfromnewASN.yaml
@@ -26,7 +26,7 @@ tags: - AADSecOpsGuide query: | let admins=(IdentityInfo - | where AssignedRoles contains "admin" + | where AssignedRoles contains "admin" or GroupMembership has "Admin" | summarize by tolower(AccountUPN)); let known_asns = ( SigninLogs
@@ -49,7 +49,7 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity
-version: 1.0.5
+version: 1.1.0
 kind: Scheduled metadata: source:
@@ -59,4 +59,4 @@ metadata: support: tier: Community categories: - domains: [ "Identity", "Security - Others" ]
\ No newline at end of file
+ domains: [ "Identity", "Security - Others" ] 
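Review bot: The widened admin set in PrivilegedUserLogonfromnewASN, `| where AssignedRoles contains "admin" or GroupMembership has "Admin"`, mixes two matching semantics: `contains` is a substring match while `has` matches whole terms, so a group named `SQLAdmins` (constructed example) is not picked up by the new clause, whereas a group such as `Admin Assistants` (constructed) is, which is the opposite of what "privileged" usually means here. Pick one operator deliberately for both clauses and record the intent next to the line, e.g. `// has: whole-term match on group names; substring matching over-includes`, so later tuning does not silently flip the coverage. The same clause is added to PrivilegedAccountPasswordChanges and PrivilegedAccountsLockedOut on L114. Because this enlarges the population the rule treats as privileged, the minor version bump is right, but the commit description should mention the expected change in alert volume and that IdentityInfo's GroupMembership is the new dependency.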
diff --git a/Hunting Queries/MultipleDataSources/PrivilegedAccountPasswordChanges.yaml b/Hunting Queries/MultipleDataSources/PrivilegedAccountPasswordChanges.yaml
index 2f55153838..fce557fb67 100644
--- a/Hunting Queries/MultipleDataSources/PrivilegedAccountPasswordChanges.yaml
+++ b/Hunting Queries/MultipleDataSources/PrivilegedAccountPasswordChanges.yaml
@@ -17,7 +17,7 @@ relevantTechniques: query: | let priority_threshold = 5; let admins = (IdentityInfo - | where AssignedRoles contains "Admin" + | where AssignedRoles contains "Admin" or GroupMembership has "Admin" | summarize by tolower(AccountUPN)); AuditLogs | where Category =~ "UserManagement"
@@ -31,4 +31,4 @@ entityMappings: fieldMappings: - identifier: FullName columnName: AccountCustomEntity
-version: 1.0.1
\ No newline at end of file
+version: 1.1.0
diff --git a/Hunting Queries/MultipleDataSources/PrivilegedAccountsLockedOut.yaml b/Hunting Queries/MultipleDataSources/PrivilegedAccountsLockedOut.yaml
index 0f9aab07d4..c2d5a6462f 100644
--- a/Hunting Queries/MultipleDataSources/PrivilegedAccountsLockedOut.yaml
+++ b/Hunting Queries/MultipleDataSources/PrivilegedAccountsLockedOut.yaml
@@ -16,7 +16,7 @@ relevantTechniques: - T1078.004 query: | let admins = (IdentityInfo - | where AssignedRoles contains "Admin" + | where AssignedRoles contains "Admin" or GroupMembership has "Admin" | summarize by tolower(AccountUPN)); SigninLogs | where ResultType == 50053
@@ -33,4 +33,4 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity
-version: 1.0.1
\ No newline at end of file
+version: 1.1.0
diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEvent/ASimFileEvent.json b/Parsers/ASimFileEvent/ARM/ASimFileEvent/ASimFileEvent.json
index 04650151c6..8ca840aeca 100644
--- a/Parsers/ASimFileEvent/ARM/ASimFileEvent/ASimFileEvent.json
+++ b/Parsers/ASimFileEvent/ARM/ASimFileEvent/ASimFileEvent.json 
@@ -35,7 +35,7 @@ "displayName": "File event ASIM parser", "category": "ASIM", "FunctionAlias": "ASimFileEvent", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimFile') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludeASimFileEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));\nlet parser=(pack:bool=false){\nunion isfuzzy=true\n vimFileEventEmpty,\n ASimFileEventLinuxSysmonFileCreated(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventLinuxSysmonFileCreated' in (DisabledParsers) ))),\n ASimFileEventLinuxSysmonFileDeleted(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventLinuxSysmonFileDeleted' in (DisabledParsers) ))),\n ASimFileEventAzureBlobStorage(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAzureBlobStorage' in (DisabledParsers) ))),\n ASimFileEventMicrosoft365D(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoft365D' in (DisabledParsers) ))),\n ASimFileEventAzureFileStorage(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAzureFileStorage' in (DisabledParsers) ))),\n ASimFileEventAzureQueueStorage(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAzureQueueStorage' in (DisabledParsers) ))),\n ASimFileEventMicrosoftSharePoint(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftSharePoint' in (DisabledParsers) ))),\n ASimFileEventMicrosoftSysmon(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftSysmon' in (DisabledParsers) ))),\n ASimFileEventAzureTableStorage(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAzureTableStorage' in (DisabledParsers) ))),\n ASimFileEventMicrosoftWindowsEvents(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftWindowsEvents' in (DisabledParsers) ))),\n ASimFileEventNative(disabled=(ASimBuiltInDisabled or 
('ExcludeASimFileEventNative' in (DisabledParsers) ))),\n ASimFileEventSentinelOne(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventSentinelOne' in (DisabledParsers) )))\n };\n parser (pack=pack)\n", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimFile') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludeASimFileEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));\nlet parser=(pack:bool=false){\nunion isfuzzy=true\n vimFileEventEmpty,\n ASimFileEventLinuxSysmonFileCreated(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventLinuxSysmonFileCreated' in (DisabledParsers) ))),\n ASimFileEventLinuxSysmonFileDeleted(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventLinuxSysmonFileDeleted' in (DisabledParsers) ))),\n ASimFileEventAzureBlobStorage(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAzureBlobStorage' in (DisabledParsers) ))),\n ASimFileEventMicrosoft365D(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoft365D' in (DisabledParsers) ))),\n ASimFileEventAzureFileStorage(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAzureFileStorage' in (DisabledParsers) ))),\n ASimFileEventAzureQueueStorage(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAzureQueueStorage' in (DisabledParsers) ))),\n ASimFileEventMicrosoftSharePoint(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftSharePoint' in (DisabledParsers) ))),\n ASimFileEventMicrosoftSysmon(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftSysmon' in (DisabledParsers) ))),\n ASimFileEventAzureTableStorage(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAzureTableStorage' in (DisabledParsers) ))),\n ASimFileEventMicrosoftWindowsEvents(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftWindowsEvents' in 
(DisabledParsers) ))),\n ASimFileEventNative(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventNative' in (DisabledParsers) ))),\n ASimFileEventSentinelOne(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventSentinelOne' in (DisabledParsers) ))),\n ASimFileEventVMwareCarbonBlackCloud(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventVMwareCarbonBlackCloud' in (DisabledParsers) )))\n };\n parser (pack=pack)\n", "version": 1, "functionParameters": "pack:bool=False" } diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventVMwareCarbonBlackCloud/ASimFileEventVMwareCarbonBlackCloud.json b/Parsers/ASimFileEvent/ARM/ASimFileEventVMwareCarbonBlackCloud/ASimFileEventVMwareCarbonBlackCloud.json new file mode 100644 index 0000000000..d2da0aaf94 --- /dev/null +++ b/Parsers/ASimFileEvent/ARM/ASimFileEventVMwareCarbonBlackCloud/ASimFileEventVMwareCarbonBlackCloud.json 
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "ASimFileEventVMwareCarbonBlackCloud", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "File Event Parser for VMware Carbon Black Cloud", + "category": "ASIM", + "FunctionAlias": "ASimFileEventVMwareCarbonBlackCloud", + "query": "let EventFieldsLookup = datatable(\n sensor_action_s: string,\n DvcAction: string,\n EventResult: string\n)[\n \"ACTION_ALLOW\", \"Allow\", \"Success\",\n \"ACTION_BLOCK\", \"Block\", \"Failure\",\n \"ACTION_TERMINATE\", \"Terminate\", \"Failure\",\n \"ACTION_BREAK\", \"Break\", \"Failure\",\n \"ACTION_SUSPEND\", \"Suspend\", \"Failure\",\n \"\", \"\", \"Success\"\n];\nlet EventTypeLookup = datatable(action_s: string, EventType: string)[\n \"ACTION_FILE_CREATE\", \"FileCreated\",\n \"ACTION_FILE_DELETE\", \"FileDeleted\",\n \"ACTION_FILE_LAST_WRITE\", \"FileModified\",\n \"ACTION_FILE_LINK\", \"FileModified\",\n \"ACTION_FILE_READ\", \"FileAccessed\",\n \"ACTION_FILE_RENAME\", \"FileRenamed\",\n \"ACTION_FILE_WRITE\", \"FileModified\",\n \"ACTION_FILE_OPEN_DELETE\", 
\"FileDeleted\",\n \"ACTION_FILE_OPEN_EXECUTE\", \"FileAccessed\",\n \"ACTION_FILE_OPEN_SET_ATTRIBUTES\", \"FileAttributesUpdated\",\n \"ACTION_FILE_OPEN_SET_SECURITY\", \"FileAttributesUpdated\",\n \"ACTION_FILE_SET_SECURITY\", \"FileAttributesUpdated\",\n \"ACTION_FILE_TRUNCATE\", \"FileModified\",\n \"ACTION_FILE_OPEN_WRITE\", \"FileModified\",\n \"ACTION_FILE_MOD_OPEN\", \"FileAccessed\",\n \"ACTION_FILE_OPEN_READ\", \"FileAccessed\"\n];\nlet parser = (disabled: bool=false) {\n CarbonBlackEvents_CL\n | where not(disabled)\n | where eventType_s == \"endpoint.event.filemod\" and isnotempty(filemod_name_s)\n | where action_s !in (\"ACTION_INVALID\", \"ACTION_FILE_UNDELETE\")\n | parse filemod_hash_s with * '[\"' TargetFileMD5: string '\",\"' TargetFileSHA256: string '\"]'\n | lookup EventFieldsLookup on sensor_action_s\n | extend temp_action = iff(action_s has \"|\", action_s, \"\")\n | lookup EventTypeLookup on action_s\n | extend EventType = case(\n isnotempty(EventType), EventType,\n temp_action has \"delete\", \"FileDeleted\",\n temp_action has \"link\", \"FileModified\",\n temp_action has \"rename\", \"FileRenamed\",\n temp_action has \"execute\", \"FileAccessed\",\n temp_action has_any (\"attributes\", \"security\"), \"FileAttributesUpdated\",\n temp_action has \"truncate\", \"FileModified\",\n temp_action has \"write\", \"FileModified\",\n temp_action has_any (\"read\", \"open\"), \"FileAccessed\",\n temp_action has \"create\", \"FileCreated\",\n \"\"\n )\n | extend\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n TargetFilePathType = case(\n device_os_s == \"WINDOWS\" and filemod_name_s startswith \"\\\\\", \"Windows Share\",\n device_os_s == \"WINDOWS\", \"Windows Local\",\n device_os_s in (\"MAC\", \"LINUX\"), \"Unix\",\n \"\"\n ),\n ActingProcessId = tostring(toint(process_pid_d)),\n TargetFileName = tostring(split(filemod_name_s, '\\\\')[-1]),\n AdditionalFields = bag_pack(\n \"org_key\", org_key_s,\n \"process_publisher\", 
process_publisher_s,\n \"process_reputation\", process_reputation_s,\n \"process_guid\", process_guid_s\n )\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | project-rename\n ActorUsername = process_username_s,\n DvcIpAddr = device_external_ip_s,\n EventUid = _ItemId,\n DvcScope = device_group_s,\n ActingProcessCommandLine = process_cmdline_s,\n ActingProcessName = process_path_s,\n DvcId = device_id_s,\n DvcOriginalAction = sensor_action_s,\n DvcOs = device_os_s,\n EventMessage = event_description_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n TargetFilePath = filemod_name_s\n | extend \n EventProduct = \"Carbon Black Cloud\",\n EventSchema = \"FileEvent\",\n EventSchemaVersion = \"0.2.1\",\n EventVendor = \"VMware\",\n EventCount = int(1),\n SrcIpAddr = DvcIpAddr\n | extend\n EventEndTime = EventStartTime,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n FileName = TargetFileName,\n FilePath = TargetFilePath,\n Process = ActingProcessName,\n User = ActorUsername,\n Hash = coalesce(TargetFileSHA256, TargetFileMD5)\n | extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n HashType = case(\n isnotempty(TargetFileSHA256),\n \"TargetFileSHA256\",\n isnotempty(TargetFileMD5),\n \"TargetFileMD5\",\n \"\"\n )\n | project-away\n *_s,\n *_d,\n *_g,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n temp_action\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventVMwareCarbonBlackCloud/README.md b/Parsers/ASimFileEvent/ARM/ASimFileEventVMwareCarbonBlackCloud/README.md new file mode 100644 index 0000000000..ec888f6831 --- /dev/null 
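Review bot: `EventStartTime = todatetime(split(createTime_s, '+')[0])` in the new ASimFileEventVMwareCarbonBlackCloud query discards everything after the first `+`, so a timestamp carrying a non-zero UTC offset is read as if it were already UTC, and a timestamp written with a negative offset is not split at all; the shifted value then propagates to `EventEndTime`. Since `todatetime()` accepts ISO 8601 strings with an offset, `EventStartTime = todatetime(createTime_s)` is the safer form unless the source is known to emit only `+00:00`, which is worth confirming against a sample record. A smaller point: `HashType` is assigned the column names `TargetFileSHA256` / `TargetFileMD5` rather than an algorithm name; please check that against the FileEvent schema's HashType enumeration and the sibling FileEvent parsers so the `Hash` alias is interpreted uniformly across sources.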
+++ b/Parsers/ASimFileEvent/ARM/ASimFileEventVMwareCarbonBlackCloud/README.md @@ -0,0 +1,18 @@ +# VMware Carbon Black Cloud ASIM FileEvent Normalization Parser + +ARM template for ASIM FileEvent schema parser for VMware Carbon Black Cloud. + +This ASIM parser supports normalizing VMware Carbon Black Cloud logs to the ASIM File Event normalized schema. VMware Carbon Black Cloud events are captured through VMware Carbon Black Cloud data connector which ingests Carbon Black Audit, Notification and Event data into Microsoft Sentinel through the REST API. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM FileEvent normalization schema reference](https://aka.ms/ASimFileEventDoc) + +
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.git.ttaallkk.top%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimFileEvent%2FARM%2FASimFileEventVMwareCarbonBlackCloud%2FASimFileEventVMwareCarbonBlackCloud.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.git.ttaallkk.top%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimFileEvent%2FARM%2FASimFileEventVMwareCarbonBlackCloud%2FASimFileEventVMwareCarbonBlackCloud.json) diff --git a/Parsers/ASimFileEvent/ARM/FullDeploymentFileEvent.json b/Parsers/ASimFileEvent/ARM/FullDeploymentFileEvent.json index 2a32fcafeb..8a8d505c6d 100644 --- a/Parsers/ASimFileEvent/ARM/FullDeploymentFileEvent.json +++ b/Parsers/ASimFileEvent/ARM/FullDeploymentFileEvent.json @@ -278,6 +278,26 @@ } } }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimFileEventVMwareCarbonBlackCloud", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimFileEvent/ARM/ASimFileEventVMwareCarbonBlackCloud/ASimFileEventVMwareCarbonBlackCloud.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", 
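Review bot: The two Deploy buttons in ASimFileEventVMwareCarbonBlackCloud/README.md load the template from `raw.githubusercontent.com`, while the `templateLink.uri` added to FullDeploymentFileEvent.json on this same line fetches the identical file from `raw.githubusercontent.com`. A portal deployment runs whatever the linked host serves, so unless the alternate host is intentional the README links should use the same canonical host as the rest of the repository, e.g. `https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2F...`. The vimFileEventVMwareCarbonBlackCloud/README.md further down carries the same two links.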
@@ -557,6 +577,26 @@ } } } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimFileEventVMwareCarbonBlackCloud", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimFileEvent/ARM/vimFileEventVMwareCarbonBlackCloud/vimFileEventVMwareCarbonBlackCloud.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } } ], "outputs": {} diff --git a/Parsers/ASimFileEvent/ARM/imFileEvent/imFileEvent.json b/Parsers/ASimFileEvent/ARM/imFileEvent/imFileEvent.json index b76464fbb0..022fc312d7 100644 --- a/Parsers/ASimFileEvent/ARM/imFileEvent/imFileEvent.json +++ b/Parsers/ASimFileEvent/ARM/imFileEvent/imFileEvent.json 
@@ -35,7 +35,7 @@ "displayName": "ASIM Source Agnostic File Events Parser", "category": "ASIM", "FunctionAlias": "imFileEvent", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers')\n| where SearchKey in ('Any', 'ExcludevimFile')\n| extend SourceSpecificParser=column_ifexists('SourceSpecificParser', '')\n| distinct SourceSpecificParser\n| where isnotempty(SourceSpecificParser));\nlet vimBuiltInDisabled=toscalar('ExcludevimFileEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));\nlet parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n pack: bool=false\n ) {\n union isfuzzy=true\n vimFileEventEmpty,\n vimFileEventLinuxSysmonFileCreated(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventLinuxSysmonFileCreated' in (DisabledParsers)))),\n vimFileEventLinuxSysmonFileDeleted(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventLinuxSysmonFileDeleted' in (DisabledParsers)))),\n vimFileEventAzureBlobStorage(starttime=starttime, endtime=endtime, 
eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventAzureBlobStorage' in (DisabledParsers)))),\n vimFileEventMicrosoft365D(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoft365D' in (DisabledParsers)))),\n vimFileEventAzureFileStorage(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventAzureFileStorage' in (DisabledParsers)))),\n vimFileEventAzureQueueStorage(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventAzureQueueStorage' in (DisabledParsers)))),\n vimFileEventMicrosoftSharePoint(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, 
srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftSharePoint' in (DisabledParsers)))),\n vimFileEventMicrosoftSysmon(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftSysmon' in (DisabledParsers)))),\n vimFileEventAzureTableStorage(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventAzureTableStorage' in (DisabledParsers)))),\n vimFileEventMicrosoftWindowsEvents(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftWindowsEvents' in (DisabledParsers)))),\n vimFileEventNative(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventNative' in (DisabledParsers)))),\n 
vimFileEventSentinelOne(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('vimFileEventSentinelOne' in (DisabledParsers))))\n};\nparser(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, pack=pack)\n", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers')\n| where SearchKey in ('Any', 'ExcludevimFile')\n| extend SourceSpecificParser=column_ifexists('SourceSpecificParser', '')\n| distinct SourceSpecificParser\n| where isnotempty(SourceSpecificParser));\nlet vimBuiltInDisabled=toscalar('ExcludevimFileEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));\nlet parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n pack: bool=false\n ) {\n union isfuzzy=true\n vimFileEventEmpty,\n vimFileEventLinuxSysmonFileCreated(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, 
disabled=(vimBuiltInDisabled or ('ExcludevimFileEventLinuxSysmonFileCreated' in (DisabledParsers)))),\n vimFileEventLinuxSysmonFileDeleted(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventLinuxSysmonFileDeleted' in (DisabledParsers)))),\n vimFileEventAzureBlobStorage(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventAzureBlobStorage' in (DisabledParsers)))),\n vimFileEventMicrosoft365D(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoft365D' in (DisabledParsers)))),\n vimFileEventAzureFileStorage(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventAzureFileStorage' in (DisabledParsers)))),\n vimFileEventAzureQueueStorage(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, 
srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventAzureQueueStorage' in (DisabledParsers)))),\n vimFileEventMicrosoftSharePoint(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftSharePoint' in (DisabledParsers)))),\n vimFileEventMicrosoftSysmon(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftSysmon' in (DisabledParsers)))),\n vimFileEventAzureTableStorage(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventAzureTableStorage' in (DisabledParsers)))),\n vimFileEventMicrosoftWindowsEvents(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, 
hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftWindowsEvents' in (DisabledParsers)))),\n vimFileEventNative(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventNative' in (DisabledParsers)))),\n vimFileEventSentinelOne(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('vimFileEventSentinelOne' in (DisabledParsers)))),\n vimFileEventVMwareCarbonBlackCloud(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('vimFileEventVMwareCarbonBlackCloud' in (DisabledParsers))))\n};\nparser(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, pack=pack)\n", "version": 1, "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False,pack:bool=False" } diff --git a/Parsers/ASimFileEvent/ARM/vimFileEventVMwareCarbonBlackCloud/README.md b/Parsers/ASimFileEvent/ARM/vimFileEventVMwareCarbonBlackCloud/README.md new file mode 100644 index 0000000000..d48aefd971 --- /dev/null +++ b/Parsers/ASimFileEvent/ARM/vimFileEventVMwareCarbonBlackCloud/README.md @@ -0,0 +1,18 @@ +# VMware Carbon Black Cloud ASIM FileEvent Normalization Parser + +ARM template for ASIM FileEvent schema parser for VMware Carbon Black Cloud. + +This ASIM parser supports normalizing VMware Carbon Black Cloud logs to the ASIM File Event normalized schema. VMware Carbon Black Cloud events are captured through VMware Carbon Black Cloud data connector which ingests Carbon Black Audit, Notification and Event data into Microsoft Sentinel through the REST API. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM FileEvent normalization schema reference](https://aka.ms/ASimFileEventDoc) + +
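Review bot: The new `vimFileEventVMwareCarbonBlackCloud(...)` entry in the imFileEvent union tests `'vimFileEventVMwareCarbonBlackCloud' in (DisabledParsers)`, whereas every other source-specific parser in this function, and the ASimFileEvent counterpart added for Carbon Black in this same commit, is keyed on an `Exclude`-prefixed name such as `'ExcludevimFileEventMicrosoftSysmon'`. An operator who adds `ExcludevimFileEventVMwareCarbonBlackCloud` to the ASimDisabledParsers watchlist, following that convention, will therefore not disable this parser. The call should end with `disabled=(vimBuiltInDisabled or ('ExcludevimFileEventVMwareCarbonBlackCloud' in (DisabledParsers))))`. The pre-existing SentinelOne entry has the same inconsistency but is not touched by this commit.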
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.git.ttaallkk.top%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimFileEvent%2FARM%2FvimFileEventVMwareCarbonBlackCloud%2FvimFileEventVMwareCarbonBlackCloud.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.git.ttaallkk.top%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimFileEvent%2FARM%2FvimFileEventVMwareCarbonBlackCloud%2FvimFileEventVMwareCarbonBlackCloud.json) diff --git a/Parsers/ASimFileEvent/ARM/vimFileEventVMwareCarbonBlackCloud/vimFileEventVMwareCarbonBlackCloud.json b/Parsers/ASimFileEvent/ARM/vimFileEventVMwareCarbonBlackCloud/vimFileEventVMwareCarbonBlackCloud.json new file mode 100644 index 0000000000..17adb843be --- /dev/null +++ b/Parsers/ASimFileEvent/ARM/vimFileEventVMwareCarbonBlackCloud/vimFileEventVMwareCarbonBlackCloud.json 
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimFileEventVMwareCarbonBlackCloud", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "File Event Parser for VMware Carbon Black Cloud", + "category": "ASIM", + "FunctionAlias": "vimFileEventVMwareCarbonBlackCloud", + "query": "let EventFieldsLookup = datatable(\n sensor_action_s: string,\n DvcAction: string,\n EventResult: string\n)[\n \"ACTION_ALLOW\", \"Allow\", \"Success\",\n \"ACTION_BLOCK\", \"Block\", \"Failure\",\n \"ACTION_TERMINATE\", \"Terminate\", \"Failure\",\n \"ACTION_BREAK\", \"Break\", \"Failure\",\n \"ACTION_SUSPEND\", \"Suspend\", \"Failure\",\n \"\", \"\", \"Success\"\n];\nlet EventTypeLookup = datatable(action_s: string, EventType: string)[\n \"ACTION_FILE_CREATE\", \"FileCreated\",\n \"ACTION_FILE_DELETE\", \"FileDeleted\",\n \"ACTION_FILE_LAST_WRITE\", \"FileModified\",\n \"ACTION_FILE_LINK\", \"FileModified\",\n \"ACTION_FILE_READ\", \"FileAccessed\",\n \"ACTION_FILE_RENAME\", \"FileRenamed\",\n \"ACTION_FILE_WRITE\", \"FileModified\",\n \"ACTION_FILE_OPEN_DELETE\", 
\"FileDeleted\",\n \"ACTION_FILE_OPEN_EXECUTE\", \"FileAccessed\",\n \"ACTION_FILE_OPEN_SET_ATTRIBUTES\", \"FileAttributesUpdated\",\n \"ACTION_FILE_OPEN_SET_SECURITY\", \"FileAttributesUpdated\",\n \"ACTION_FILE_SET_SECURITY\", \"FileAttributesUpdated\",\n \"ACTION_FILE_TRUNCATE\", \"FileModified\",\n \"ACTION_FILE_OPEN_WRITE\", \"FileModified\",\n \"ACTION_FILE_MOD_OPEN\", \"FileAccessed\",\n \"ACTION_FILE_OPEN_READ\", \"FileAccessed\"\n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n eventtype_in: dynamic=dynamic([]), \n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n actorusername_has_any: dynamic=dynamic([]), \n targetfilepath_has_any: dynamic=dynamic([]), \n srcfilepath_has_any: dynamic=dynamic([]), \n hashes_has_any: dynamic=dynamic([]), \n dvchostname_has_any: dynamic=dynamic([]), \n disabled: bool=false\n ) {\n CarbonBlackEvents_CL\n | where not(disabled)\n | where ((isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)) \n | where eventType_s == \"endpoint.event.filemod\" and isnotempty(filemod_name_s)\n and action_s !in (\"ACTION_INVALID\", \"ACTION_FILE_UNDELETE\")\n | where array_length(srcfilepath_has_any) == 0\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(device_external_ip_s, srcipaddr_has_any_prefix))\n and (array_length(actorusername_has_any) == 0 or process_username_s has_any (actorusername_has_any))\n and (array_length(targetfilepath_has_any) == 0 or filemod_name_s has_any (targetfilepath_has_any))\n and (array_length(hashes_has_any) == 0 or filemod_hash_s has_any (hashes_has_any))\n and (array_length(dvchostname_has_any) == 0 or device_name_s has_any (dvchostname_has_any))\n | parse filemod_hash_s with * '[\"' TargetFileMD5: string '\",\"' TargetFileSHA256: string '\"]'\n | lookup EventFieldsLookup on sensor_action_s\n | extend temp_action = iff(action_s has \"|\", action_s, \"\")\n | lookup EventTypeLookup on action_s\n | 
extend EventType = case(\n isnotempty(EventType), EventType,\n temp_action has \"delete\", \"FileDeleted\",\n temp_action has \"link\", \"FileModified\",\n temp_action has \"rename\", \"FileRenamed\",\n temp_action has \"execute\", \"FileAccessed\",\n temp_action has_any (\"attributes\", \"security\"), \"FileAttributesUpdated\",\n temp_action has \"truncate\", \"FileModified\",\n temp_action has \"write\", \"FileModified\",\n temp_action has_any (\"read\", \"open\"), \"FileAccessed\",\n temp_action has \"create\", \"FileCreated\",\n \"\"\n )\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n | extend\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n TargetFilePathType = case(\n device_os_s == \"WINDOWS\" and filemod_name_s startswith \"\\\\\", \"Windows Share\",\n device_os_s == \"WINDOWS\", \"Windows Local\",\n device_os_s in (\"MAC\", \"LINUX\"), \"Unix\",\n \"\"\n ),\n ActingProcessId = tostring(toint(process_pid_d)),\n TargetFileName = tostring(split(filemod_name_s, '\\\\')[-1]),\n AdditionalFields = bag_pack(\n \"org_key\", org_key_s,\n \"process_publisher\", process_publisher_s,\n \"process_reputation\", process_reputation_s,\n \"process_guid\", process_guid_s\n )\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | project-rename\n ActorUsername = process_username_s,\n DvcIpAddr = device_external_ip_s,\n EventUid = _ItemId,\n DvcScope = device_group_s,\n ActingProcessCommandLine = process_cmdline_s,\n ActingProcessName = process_path_s,\n DvcId = device_id_s,\n DvcOriginalAction = sensor_action_s,\n DvcOs = device_os_s,\n EventMessage = event_description_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n TargetFilePath = filemod_name_s\n | extend \n EventProduct = \"Carbon Black Cloud\",\n EventSchema = \"FileEvent\",\n EventSchemaVersion = \"0.2.1\",\n EventVendor = \"VMware\",\n EventCount = int(1),\n SrcIpAddr = DvcIpAddr\n | extend\n EventEndTime = 
EventStartTime,\n IpAddr = SrcIpAddr,\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n Src = SrcIpAddr,\n FileName = TargetFileName,\n FilePath = TargetFilePath,\n Process = ActingProcessName,\n User = ActorUsername,\n Hash = coalesce(TargetFileSHA256, TargetFileMD5)\n | extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n HashType = case(\n isnotempty(TargetFileSHA256),\n \"TargetFileSHA256\",\n isnotempty(TargetFileMD5),\n \"TargetFileMD5\",\n \"\"\n )\n | project-away\n *_s,\n *_d,\n *_g,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n temp_action\n};\nparser(\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in, \n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n actorusername_has_any=actorusername_has_any, \n targetfilepath_has_any=targetfilepath_has_any, \n srcfilepath_has_any=srcfilepath_has_any, \n hashes_has_any=hashes_has_any, \n dvchostname_has_any=dvchostname_has_any, \n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimFileEvent/Parsers/ASimFileEventVMwareCarbonBlackCloud.yaml b/Parsers/ASimFileEvent/Parsers/ASimFileEventVMwareCarbonBlackCloud.yaml index 874b9a7f2c..14a8c6dc0d 100644 --- a/Parsers/ASimFileEvent/Parsers/ASimFileEventVMwareCarbonBlackCloud.yaml +++ b/Parsers/ASimFileEvent/Parsers/ASimFileEventVMwareCarbonBlackCloud.yaml 
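Review bot: The hash extraction `| parse filemod_hash_s with * '["' TargetFileMD5: string '","' TargetFileSHA256: string '"]'` is a positional text match that silently yields empty TargetFileMD5/TargetFileSHA256 (and therefore an empty `Hash`/`HashType`) whenever the array holds a single hash, has a space after the comma, or lists the hashes in another order. Since the field appears to be a JSON array, `| extend hashes_ = parse_json(filemod_hash_s) | extend TargetFileMD5 = tostring(hashes_[0]), TargetFileSHA256 = tostring(hashes_[1])` tolerates the whitespace variants, and selecting by `strlen()` (32 vs 64) rather than by position would remove the ordering assumption entirely; whichever is kept, a one-line comment stating the assumed `["<md5>","<sha256>"]` layout would help the next maintainer. Separately, `EventStartTime = todatetime(split(createTime_s, '+')[0])` discards the UTC offset, which is only correct if Carbon Black always emits `+00:00` here — if other offsets can occur the value should be parsed with the offset intact rather than truncated. The `EventFieldsLookup` row that maps an empty `sensor_action_s` to `"Success"` is likewise an assumption that deserves a short comment.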
@@ -1,6 +1,6 @@ Parser: Title: File Event Parser for VMware Carbon Black Cloud - Version: '0.1.0' + Version: '0.1.1' LastUpdated: Oct 10, 2023 Product: Name: VMware Carbon Black Cloud diff --git a/Parsers/ASimFileEvent/Parsers/vimFileEventVMwareCarbonBlackCloud.yaml b/Parsers/ASimFileEvent/Parsers/vimFileEventVMwareCarbonBlackCloud.yaml index 11031faea2..5caf22fa07 100644 --- a/Parsers/ASimFileEvent/Parsers/vimFileEventVMwareCarbonBlackCloud.yaml +++ b/Parsers/ASimFileEvent/Parsers/vimFileEventVMwareCarbonBlackCloud.yaml @@ -1,6 +1,6 @@ Parser: Title: File Event Parser for VMware Carbon Black Cloud - Version: '0.1.0' + Version: '0.1.1' LastUpdated: Oct 10, 2023 Product: Name: VMware Carbon Black Cloud diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json index 37dcd60e84..84c697a670 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json 
@@ -35,7 +35,7 @@ "displayName": "Network Session ASIM parser", "category": "ASIM", "FunctionAlias": "ASimNetworkSession", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimBuiltInDisabled=toscalar('ExcludeASimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkSessionsGeneric=(pack:bool=false){\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , ASimNetworkSessionLinuxSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionLinuxSysmon' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoft365Defender (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoft365Defender' in (DisabledParsers) ))\n , ASimNetworkSessionMD4IoTSensor (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMD4IoTSSensor' in (DisabledParsers) ))\n , ASimNetworkSessionMD4IoTAgent (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMD4IoTAgent' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoftWindowsEventFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionPaloAltoCEF (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionPaloAltoCEF' in (DisabledParsers) ))\n , ASimNetworkSessionVMConnection (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVMConnection' in (DisabledParsers) ))\n , ASimNetworkSessionAWSVPC (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAWSVPC' in (DisabledParsers) ))\n , ASimNetworkSessionAzureFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionAzureNSG (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureNSG' in (DisabledParsers) ))\n , ASimNetworkSessionVectraAI (pack=pack, disabled=(ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVectraAI' in (DisabledParsers) )))\n , 
ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , ASimNetworkSessionAppGateSDP (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAppGateSDP' in (DisabledParsers) ))\n , ASimNetworkSessionFortinetFortiGate (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionFortinetFortiGate' in (DisabledParsers) ))\n , ASimNetworkSessionCorelightZeek (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCorelightZeek' in (DisabledParsers) ))\n , ASimNetworkSessionCheckPointFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCheckPointFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoASA (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoASA' in (DisabledParsers) ))\n , ASimNetworkSessionWatchGuardFirewareOS (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionWatchGuardFirewareOS' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoftSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftSysmon' in (DisabledParsers) ))\n , ASimNetworkSessionForcePointFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionForcePointFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionNative (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionNative' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoISE (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoISE' in (DisabledParsers) ))\n , ASimNetworkSessionBarracudaWAF (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionBarracudaWAF' in (DisabledParsers) ))\n};\nNetworkSessionsGeneric (pack=pack)\n", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimBuiltInDisabled=toscalar('ExcludeASimNetworkSession' in 
(DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkSessionsGeneric=(pack:bool=false){\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , ASimNetworkSessionLinuxSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionLinuxSysmon' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoft365Defender (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoft365Defender' in (DisabledParsers) ))\n , ASimNetworkSessionMD4IoTSensor (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMD4IoTSSensor' in (DisabledParsers) ))\n , ASimNetworkSessionMD4IoTAgent (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMD4IoTAgent' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoftWindowsEventFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionPaloAltoCEF (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionPaloAltoCEF' in (DisabledParsers) ))\n , ASimNetworkSessionVMConnection (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVMConnection' in (DisabledParsers) ))\n , ASimNetworkSessionAWSVPC (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAWSVPC' in (DisabledParsers) ))\n , ASimNetworkSessionAzureFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionAzureNSG (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureNSG' in (DisabledParsers) ))\n , ASimNetworkSessionVectraAI (pack=pack, disabled=(ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVectraAI' in (DisabledParsers) )))\n , ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , ASimNetworkSessionAppGateSDP (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAppGateSDP' in (DisabledParsers) ))\n , ASimNetworkSessionFortinetFortiGate (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionFortinetFortiGate' in (DisabledParsers) ))\n , ASimNetworkSessionCorelightZeek (ASimBuiltInDisabled or 
('ExcludeASimNetworkSessionCorelightZeek' in (DisabledParsers) ))\n , ASimNetworkSessionCheckPointFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCheckPointFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoASA (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoASA' in (DisabledParsers) ))\n , ASimNetworkSessionWatchGuardFirewareOS (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionWatchGuardFirewareOS' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoftSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftSysmon' in (DisabledParsers) ))\n , ASimNetworkSessionForcePointFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionForcePointFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionNative (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionNative' in (DisabledParsers) ))\n , ASimNetworkSessionSentinelOne (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionSentinelOne' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoISE (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoISE' in (DisabledParsers) ))\n , ASimNetworkSessionBarracudaWAF (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionBarracudaWAF' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoFirepower (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoFirepower' in (DisabledParsers) ))\n , ASimNetworkSessionCrowdStrikeFalconHost (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCrowdStrikeFalconHost' in (DisabledParsers) ))\n , ASimNetworkSessionVMwareCarbonBlackCloud (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVMwareCarbonBlackCloud' in (DisabledParsers) ))\n};\nNetworkSessionsGeneric (pack=pack)\n", "version": 1, "functionParameters": "pack:bool=False" } 
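Review bot: `ASimNetworkSessionCiscoMeraki` is listed twice in the rewritten union (once after `ASimNetworkSessionVectraAI` and again after `ASimNetworkSessionSentinelOne`), so when that source parser is deployed every Meraki session is returned twice by `ASimNetworkSession`; one of the two `, ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))` entries should be dropped, and since the commit rewrites the whole query string this was the moment to do it. The same line also keeps the watchlist key `ExcludeASimNetworkSessionMD4IoTSSensor` (double S) for `ASimNetworkSessionMD4IoTSensor`, which breaks the `Exclude<FunctionAlias>` pattern every other entry follows, so a watchlist row named by that pattern would not disable the parser; `'ExcludeASimNetworkSessionMD4IoTSensor'` looks like the intended key unless the misspelling is documented somewhere as the supported value.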
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoFirepower/ASimNetworkSessionCiscoFirepower.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoFirepower/ASimNetworkSessionCiscoFirepower.json
new file mode 100644
index 0000000000..fd48752c1d
--- /dev/null
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoFirepower/ASimNetworkSessionCiscoFirepower.json
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "ASimNetworkSessionCiscoFirepower", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Cisco Firepower", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionCiscoFirepower", + "query": "let ActionLookup = datatable(\n DeviceAction: string,\n DvcAction: string,\n EventResult: string\n)\n [\n \"Blocked\", \"Deny\", \"Failure\",\n \"Alerted\", \"Allow\", \"Success\",\n \"Rewritten\", \"Allow\", \"Success\",\n \"Would be Rewritten\", \"Allow\", \"Partial\",\n \"Would be Blocked\", \"Deny\", \"Partial\",\n \"Would Be Blocked\", \"Deny\", \"Partial\",\n \"Dropped\", \"Drop\", \"Failure\",\n \"Would be Dropped\", \"Drop\", \"Partial\",\n \"Partially Dropped\", \"Drop\", \"Partial\",\n \"Would be Block\", \"Deny\", \"Partial\",\n \"Partial Blocked\", \"Deny\", \"Partial\",\n \"Rejected\", \"Deny\", \"Failure\",\n \"Would be Rejected\", \"Deny\", \"Partial\",\n \"Would Rejected\", \"Deny\", \"Partial\",\n \"Block\", \"Deny\", \"Failure\",\n \"Partial Block\", 
\"Deny\", \"Partial\",\n \"Drop\", \"Drop\", \"Failure\",\n \"Would Drop\", \"Drop\", \"Partial\",\n \"Reject\", \"Deny\", \"Failure\",\n \"Rewrite\", \"Allow\", \"Success\",\n \"Allow\", \"Allow\", \"Success\",\n \"Monitor\", \"Allow\", \"Success\"\n];\nlet EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n [\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Medium\",\n \"5\", \"Medium\",\n \"6\", \"Medium\",\n \"7\", \"High\",\n \"8\", \"High\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet EventResultDetailsLookup = datatable(Reason: string, EventResultDetails: string)\n [\n \"N/A\", \"NA\",\n \"IP Block\", \"Terminated\",\n \"IP Monitor\", \"Unknown\",\n \"User Bypass\", \"Unknown\",\n \"File Monitor\", \"Unknown\",\n \"File Block\", \"Terminated\",\n \"Intrusion Monitor\", \"Unknown\",\n \"Intrusion Block\", \"Terminated\",\n \"File Resume Block\", \"Terminated\",\n \"File Resume Allow\", \"Unknown\",\n \"File Custom Detection\", \"Unknown\"\n];\nlet parser = (disabled: bool=false) {\n let AllLogs = CommonSecurityLog\n | where not(disabled) \n | where DeviceVendor == \"Cisco\" and DeviceProduct == \"Firepower\"\n and DeviceEventClassID has_any(\"INTRUSION:400\", \"PV:112\", \"RNA:1003:1\")\n | invoke _ASIM_ResolveNetworkProtocol('Protocol')\n | extend NetworkProtocol = iff(NetworkProtocol == \"Unassigned\" and Protocol !in (63, 68, 99, 114, 253, 254), Protocol, NetworkProtocol);\n let Connection_Statistics_Events = AllLogs\n | where DeviceEventClassID has \"RNA:1003:1\"\n | parse-kv AdditionalExtensions as (\n start: long,\n end: long,\n bytesIn: long,\n bytesOut: long,\n )\n with (pair_delimiter=';', kv_delimiter='=')\n | lookup EventResultDetailsLookup on Reason\n | extend\n SrcBytes = bytesIn,\n DstBytes = bytesOut,\n EventOriginalResultDetails = Reason,\n AdditionalFields = bag_pack(\"policy\", DeviceCustomString1,\n \"instanceID\", ProcessID,\n \"clientApplicationID\", 
RequestClientApplication,\n \"clientUrl\", RequestURL);\n let Intrusion_Events = AllLogs\n | where DeviceEventClassID has \"INTRUSION:400\"\n | parse-kv AdditionalExtensions as (\n start: long\n )\n with (pair_delimiter=';', kv_delimiter='=')\n | extend \n EventMessage = Activity,\n ThreatCategory = DeviceEventCategory,\n AdditionalFields = bag_pack(\"policy\", DeviceCustomString1,\n \"ipspolicy\", DeviceCustomString5,\n \"clientApplicationID\", RequestClientApplication,\n \"clientUrl\", RequestURL);\n let Policy_Violation_Events = AllLogs\n | where DeviceEventClassID has \"PV:112\"\n | extend\n EventMessage = Message,\n AdditionalFields = bag_pack(\"policy\", DeviceCustomString1)\n | project-rename DstUsername = DestinationUserName\n | extend\n DstUsernameType = _ASIM_GetUsernameType(DstUsername),\n DstUserType = _ASIM_GetUserType(DstUsername, \"\");\n union Connection_Statistics_Events, Intrusion_Events, Policy_Violation_Events\n | extend\n SrcPortNumber = iff(NetworkProtocol == \"ICMP\", int(null), SourcePort),\n DstPortNumber = iff(NetworkProtocol == \"ICMP\", int(null), DestinationPort),\n NetworkIcmpCode = iff(NetworkProtocol == \"ICMP\", DestinationPort, int(null)),\n NetworkIcmpType = iff(NetworkProtocol == \"ICMP\", tostring(SourcePort), \"\"),\n SrcZone = DeviceCustomString3,\n DstZone = DeviceCustomString4\n | lookup ActionLookup on DeviceAction\n | lookup EventSeverityLookup on LogSeverity\n | extend \n EventStartTime = coalesce(unixtime_milliseconds_todatetime(start), unixtime_milliseconds_todatetime(tolong(ReceiptTime))),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n EventOriginalType = iff(DeviceEventClassID has \"INTRUSION:400\", \"INTRUSION EVENT\", Activity),\n SrcVlanId = tostring(DeviceCustomNumber1)\n | extend\n EventEndTime = coalesce(unixtime_milliseconds_todatetime(end), EventStartTime),\n NetworkProtocolVersion = case(\n DstIpAddr contains \".\",\n \"IPv4\",\n 
DstIpAddr contains \":\",\n \"IPv6\",\n \"\"\n )\n | extend Ip_device = iff(DeviceName matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", DeviceName, \"\")\n | extend\n DvcIpAddr = Ip_device,\n DeviceName = iff(isempty(Ip_device), DeviceName, \"\")\n | extend host = coalesce(DeviceName, Computer)\n | invoke _ASIM_ResolveDvcFQDN('host')\n | invoke _ASIM_ResolveDstFQDN('DestinationDnsDomain')\n | extend\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"NetworkSession\",\n EventCount = int(1)\n | project-rename \n EventProduct = DeviceProduct,\n EventVendor = DeviceVendor,\n SrcUsername = SourceUserName,\n DvcInboundInterface = DeviceInboundInterface,\n DvcOutboundInterface = DeviceOutboundInterface,\n EventOriginalSeverity = LogSeverity,\n DvcId = DeviceExternalID,\n NetworkApplicationProtocol = ApplicationProtocol,\n EventProductVersion = DeviceVersion,\n EventOriginalUid = ExtID,\n NetworkRuleName = DeviceCustomString2,\n EventUid = _ItemId,\n DvcOriginalAction = DeviceAction\n | extend\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n DvcIdType = \"Other\"\n | extend \n IpAddr = SrcIpAddr,\n InnerVlanId = SrcVlanId,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = coalesce(DvcIpAddr, DvcHostname),\n Rule = NetworkRuleName,\n User = SrcUsername,\n Hostname = DstHostname\n | project-away\n bytesIn,\n bytesOut,\n start,\n end,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n ProcessID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n ThreatConfidence,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n 
TenantId,\n Ip_*,\n host,\n NetworkProtocolNumber\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoFirepower/README.md b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoFirepower/README.md new file mode 100644 index 0000000000..e44b57ee47 --- /dev/null +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoFirepower/README.md @@ -0,0 +1,18 @@ +# Cisco Firepower ASIM NetworkSession Normalization Parser + +ARM template for ASIM NetworkSession schema parser for Cisco Firepower. + +This ASIM parser supports normalizing commonly used Cisco Firepower messages collected using the CEF Data Connector to the ASIM Network Session normalized schema. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM NetworkSession normalization schema reference](https://aka.ms/ASimNetworkSessionDoc) + +
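Review bot: The device-address detection `DeviceName matches regex "(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.(([0-9]{1,3})))"` is unanchored and does not bound the octets, so any DeviceName that merely contains a dotted run of numbers is copied into `DvcIpAddr` and then blanked out of `DeviceName` by the following `iff(isempty(Ip_device), DeviceName, "")`, which loses the hostname that `_ASIM_ResolveDvcFQDN('host')` would otherwise resolve. Anchoring the pattern, e.g. `DeviceName matches regex @"^(\d{1,3}\.){3}\d{1,3}$"`, limits the rewrite to names that are exactly an IPv4 address; hostnames of that shape are admittedly rare, but the anchor costs nothing. A short comment above the `extend Ip_device = ...` line explaining why DeviceName may carry an IP (presumably some Firepower/CEF configurations send the management address in the device-name field — worth confirming against sample logs) would also help the next maintainer.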
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.git.ttaallkk.top%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FASimNetworkSessionCiscoFirepower%2FASimNetworkSessionCiscoFirepower.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.git.ttaallkk.top%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FASimNetworkSessionCiscoFirepower%2FASimNetworkSessionCiscoFirepower.json)
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCrowdStrikeFalconHost/ASimNetworkSessionCrowdStrikeFalconHost.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCrowdStrikeFalconHost/ASimNetworkSessionCrowdStrikeFalconHost.json
new file mode 100644
index 0000000000..62cca46cbd
--- /dev/null
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCrowdStrikeFalconHost/ASimNetworkSessionCrowdStrikeFalconHost.json
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "ASimNetworkSessionCrowdStrikeFalconHost", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "NetworkSession ASIM Parser for CrowdStrike Falcon Endpoint Protection", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionCrowdStrikeFalconHost", + "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Informational\",\n \"1\", \"Informational\",\n \"2\", \"Low\",\n \"3\", \"Medium\",\n \"4\", \"High\",\n \"5\", \"High\"\n];\nlet EventFieldsLookup = datatable (\n ruleAction: int,\n DvcOriginalAction: string,\n DvcAction: string,\n EventResult: string\n)\n [\n 0, \"invalid\", \"Deny\", \"Failure\",\n 1, \"allowed\", \"Allow\", \"Success\",\n 2, \"blocked\", \"Deny\", \"Failure\"\n];\n//ActionLokkup is prepapred by considering facts as below:\n//Response bit: KILL PROCESS, modifier bit: '', DvcAction: Deny\n//Response bit: KILL PROCESS, modifier bit: POLICY_DISABLED, DvcAction: Allow as here process would have been killed or blocked if policy 
was enabled so current event is not killed.\nlet ActionLookup = datatable (\n EventOutcome: string,\n DvcOriginalAction: string,\n DvcAction: string,\n EventResult: string\n)\n [\n \"0\", \"Detection\", \"Allow\", \"Success\",\n \"2\", \"Detection\", \"Allow\", \"Success\",\n \"16\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"128\", \"Quarantine\", \"Allow\", \"Success\",\n \"144\", \"Prevention-killed,quarantine\", \"Deny\", \"Failure\",\n \"272\", \"Detection\", \"Allow\", \"Success\",\n \"400\", \"Detection-quarantine\", \"Allow\", \"Success\",\n \"512\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"640\", \"Prevention-killed,quarantine\", \"Deny\", \"Failure\",\n \"768\", \"Detection\", \"Allow\", \"Success\", \n \"1024\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"1040\", \"Prevention-killed,blocked\", \"Deny\", \"Failure\",\n \"1152\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"1168\", \"Prevention-killed,blocked,quarnatine\", \"Deny\", \"Failure\",\n \"1280\", \"Detection\", \"Allow\", \"Success\",\n \"1296\", \"Detection\", \"Allow\", \"Success\",\n \"2048\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"2176\", \"Prevention-quarantine,blocked \", \"Deny\", \"Failure\",\n \"2304\", \"Detection\", \"Allow\", \"Success\",\n \"2432\", \"Detection-quarantine\", \"Allow\", \"Success\",\n \"4096\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"4112\", \"Prevention-blocked,killed\", \"Deny\", \"Failure\",\n \"4224\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"4240\", \"Prevention-killed,blocked,quarantine\", \"Deny\", \"Failure\",\n \"4352\", \"Detection\", \"Allow\", \"Success\",\n \"4368\", \"Detection\", \"Allow\", \"Success\",\n \"4638\", \"Detection\", \"Allow\", \"Success\",\n \"5120\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"8192\", \"Disabled\", \"Allow\", \"Success\",\n \"8208\", \"Detection\", \"Allow\", \"Success\",\n \"8320\", \"Detection-quarnatine\", \"Allow\", 
\"Success\",\n \"8704\", \"Detection\", \"Allow\", \"Success\",\n \"9216\", \"Detection\", \"Allow\", \"Success\",\n \"10240\", \"Detection\", \"Allow\", \"Success\",\n \"12304\", \"Detection\", \"Allow\", \"Success\",\n \"16400\", \"Killed\", \"Deny\", \"Failure\",\n \"32768\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"32896\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"33024\", \"Detection\", \"Allow\", \"Success\",\n \"65536\", \"Downgraded\", \"Allow\", \"Success\",\n \"65552\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"65792\", \"Detection-downgraded\", \"Allow\", \"Success\",\n \"65808\", \"Detection-downgraded\", \"Allow\", \"Success\",\n \"73728\", \"Detection-downgraded\", \"Allow\", \"Success\",\n \"73744\", \"Detection-downgraded\", \"Allow\", \"Success\",\n \"131088\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"131216\", \"Prevention-killed,quarantine\", \"Deny\", \"Failure\",\n \"131584\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"131712\", \"Prevention-killed,quarantine\", \"Deny\", \"Failure\",\n \"2099200\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"2099328\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"4196352\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"4196480\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"1048576\", \"Prevention-suspend\", \"Deny\", \"Failure\",\n \"524288\", \"Prevention-suspend\", \"Deny\", \"Failure\",\n \"262144\", \"Blocking Disabled\", \"Allow\", \"Success\",\n \"16384\", \"Safeguard Enabled\", \"Allow\", \"Success\",\n \"131072\", \"Kill Failed\", \"Deny\", \"Failure\",\n \"256\", \"Policy Disabled\", \"Allow\", \"Success\",\n \"2097152\", \"Response Action Already Applied\", \"Deny\", \"Failure\",\n \"4194304\", \"Response Failed\", \"Deny\", \"Failure\"\n];\nlet parser = (disabled: bool=false) {\n let alldata = CommonSecurityLog\n | where not(disabled)\n and DeviceVendor == \"CrowdStrike\"\n and DeviceProduct == 
\"FalconHost\"\n | where DeviceEventClassID in (\"Network Access In A Detection Summary Event\", \"FirewallMatchEvent\");\n let firewalldata = alldata\n | where DeviceEventClassID == \"FirewallMatchEvent\"\n | parse-kv AdditionalExtensions as (deviceId: string, cmdLine: string, connectionDirection: int, eventType: string, hostName: string, icmpCode: int, icmpType: string, localAddress: string, localPort: int, matchCount: int, networkProfile: string, protocol: int, remoteAddress: string, remotePort: int, ruleAction: int, ruleDescription: string, ruleGroupName: string, ruleName: string, status: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | extend\n EventCount = matchCount,\n EventStartTime = unixtime_milliseconds_todatetime(tolong(ReceiptTime)),\n NetworkDirection = case(\n connectionDirection == 1, \"Inbound\",\n connectionDirection == 2, \"Outbound\",\n \"\"\n ),\n SrcIpAddr = case(\n connectionDirection == 1, remoteAddress,\n connectionDirection == 2, localAddress,\n \"\"\n ),\n SrcPortNumber = case(\n connectionDirection == 1, remotePort,\n connectionDirection == 2, localPort,\n int(null)\n ),\n DstIpAddr = case(\n connectionDirection == 1, remoteAddress,\n connectionDirection == 2, localAddress,\n \"\"\n ),\n DstPortNumber = case(\n connectionDirection == 1, localPort,\n connectionDirection == 2, remotePort,\n int(null)\n ),\n deviceIp = iff(hostName matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", hostName, \"\")\n | extend \n hostName = iff(isempty(deviceIp), hostName, \"\"),\n AdditionalFields = bag_pack(\n \"networkProfile\", networkProfile,\n \"ruleDescription\", ruleDescription,\n \"ruleGroupName\", ruleGroupName,\n \"cmdLine\", cmdLine\n ),\n NetworkIcmpCode = icmpCode\n | invoke _ASIM_ResolveDvcFQDN('hostName')\n | invoke _ASIM_ResolveNetworkProtocol('protocol')\n | extend NetworkIcmpType = _ASIM_LookupICMPType('icmpType')\n | lookup EventFieldsLookup on ruleAction\n | project-rename\n DvcId = 
deviceId,\n DvcIpAddr = deviceIp,\n EventOriginalSubType = eventType,\n NetworkRuleName = ruleName\n | extend\n Rule = NetworkRuleName,\n Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr);\n let networkaccessdata = alldata\n | where DeviceEventClassID has \"Network Access In A Detection Summary Event\"\n | parse-kv AdditionalExtensions as (CSMTRPatternDisposition: string, tactic: string, technique: string, objective: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | lookup ActionLookup on EventOutcome\n | invoke _ASIM_ResolveSrcFQDN('DestinationHostName')\n | extend\n EventStartTime = todatetime(DeviceCustomDate1),\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n EventCount = int(1),\n SrcDomain = coalesce(DestinationNTDomain, SrcDomain),\n EventOriginalResultDetails = CSMTRPatternDisposition,\n SrcProcessId = tostring(FieldDeviceCustomNumber2),\n SrcDomainType = iff(isnotempty(DestinationNTDomain), \"Windows\", SrcDomainType),\n AdditionalFields = bag_pack(\n \"CSMTRPatternDisposition\", CSMTRPatternDisposition, \n \"Tactic\", coalesce(tactic, Activity),\n \"Technique\", coalesce(technique, DeviceAction),\n \"Objective\", coalesce(objective, Reason),\n DeviceCustomString6Label, DeviceCustomString6\n )\n | project-rename\n DvcId = ExtID,\n DstPortNumber = DestinationPort,\n SrcPortNumber = SourcePort,\n SrcMacAddr = SourceMACAddress,\n SrcUsername = DestinationUserName,\n SrcProcessName = FileName\n | extend\n Dvc = DvcId,\n Hostname = SrcHostname,\n User = SrcUsername,\n SrcAppId = SrcProcessId,\n SrcAppName = SrcProcessName,\n SrcAppType = \"Process\",\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername);\n union firewalldata, networkaccessdata\n | lookup EventSeverityLookup on LogSeverity\n | extend NetworkProtocolVersion = case(\n DstIpAddr contains \".\", \"IPv4\",\n DstIpAddr contains \":\", \"IPv6\",\n \"\"\n )\n | 
extend\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventVendor = \"CrowdStrike\",\n EventProduct = \"FalconHost\",\n EventType = \"EndpointNetworkSession\"\n | project-rename\n EventOriginalType = DeviceEventClassID,\n EventProductVersion = DeviceVersion,\n EventUid = _ItemId,\n EventOriginalSeverity= LogSeverity\n | extend\n EventEndTime = EventStartTime,\n Dst = DstIpAddr,\n Src = coalesce(SrcFQDN, SrcHostname, SrcIpAddr),\n IpAddr = SrcIpAddr,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\")\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n Computer,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n Activity,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n _ResourceId,\n ExtID,\n Message,\n EventOutcome,\n IndicatorThreatType,\n cmdLine,\n connectionDirection,\n hostName,\n matchCount,\n networkProfile,\n protocol,\n ruleAction,\n ruleDescription,\n ruleGroupName,\n icmpCode,\n icmpType,\n status,\n CSMTRPatternDisposition,\n NetworkProtocolNumber,\n localAddress,\n localPort,\n remoteAddress,\n remotePort\n};\nparser(disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCrowdStrikeFalconHost/README.md b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCrowdStrikeFalconHost/README.md new file mode 100644 index 0000000000..c5157c4214 --- /dev/null +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCrowdStrikeFalconHost/README.md 
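Review bot: In the firewalldata branch, `DstIpAddr` is computed with the same `case()` as `SrcIpAddr` (connectionDirection 1 → remoteAddress, 2 → localAddress), so source and destination IP come out identical while the port mapping just below is correctly mirrored; the destination should be `DstIpAddr = case(connectionDirection == 1, localAddress, connectionDirection == 2, remoteAddress, "")`. Because `NetworkProtocolVersion` and `Dst` are later derived from `DstIpAddr`, the error propagates into those fields as well. Separately, the `ActionLookup` rows `Prevention-killed,blocked,quarnatine`, `Detection-quarnatine` and `Prevention-quarantine,blocked ` (trailing space) are emitted verbatim as `DvcOriginalAction`, so any content filtering on the correctly spelled value will miss them; normalizing them to the spelling used by the other rows avoids that. The query comment `ActionLokkup is prepapred` carries the same typos and would read better as `ActionLookup is prepared`.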
@@ -0,0 +1,18 @@
+# CrowdStrike Falcon Endpoint Protection ASIM NetworkSession Normalization Parser
+
+ARM template for ASIM NetworkSession schema parser for CrowdStrike Falcon Endpoint Protection.
+
+This ASIM parser supports normalizing CrowdStrike Falcon Endpoint Protection logs to the ASIM Network Session normalized schema. These events are captured through CrowdStrike Falcon Endpoint Protection data connector which allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM NetworkSession normalization schema reference](https://aka.ms/ASimNetworkSessionDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.git.ttaallkk.top%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FASimNetworkSessionCrowdStrikeFalconHost%2FASimNetworkSessionCrowdStrikeFalconHost.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.git.ttaallkk.top%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FASimNetworkSessionCrowdStrikeFalconHost%2FASimNetworkSessionCrowdStrikeFalconHost.json)
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionSentinelOne/ASimNetworkSessionSentinelOne.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionSentinelOne/ASimNetworkSessionSentinelOne.json
new file mode 100644
index 0000000000..23bd6190fe
--- /dev/null
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionSentinelOne/ASimNetworkSessionSentinelOne.json
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "ASimNetworkSessionSentinelOne", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for SentinelOne", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionSentinelOne", + "query": "let NetworkDirectionLookup = datatable (\n alertInfo_netEventDirection_s: string, \n NetworkDirection: string\n)[\n \"OUTGOING\", \"Outbound\",\n \"INCOMING\", \"Inbound\",\n];\nlet DeviceTypeLookup = datatable (\n agentDetectionInfo_machineType_s: string,\n SrcDeviceType: string\n)\n [\n \"desktop\", \"Computer\",\n \"server\", \"Computer\",\n \"laptop\", \"Computer\",\n \"kubernetes node\", \"Other\",\n \"unknown\", \"Other\"\n];\nlet ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n [\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: 
int\n)\n [\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n [\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser = (disabled: bool=false) {\n let alldata = SentinelOne_CL\n | where not(disabled) \n and event_name_s == \"Alerts.\" \n and alertInfo_eventType_s == \"TCPV4\"\n | lookup NetworkDirectionLookup on alertInfo_netEventDirection_s\n | lookup DeviceTypeLookup on agentDetectionInfo_machineType_s;\n let undefineddata = alldata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maliciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n union undefineddata, suspiciousdata, maliciousdata\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | extend \n DstPortNumber = toint(alertInfo_dstPort_s),\n SrcPortNumber = toint(alertInfo_srcPort_s),\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n EventStartTime = sourceProcessInfo_pidStarttime_t,\n DstIpAddr = alertInfo_dstIp_s,\n EventUid = _ItemId,\n SrcIpAddr = alertInfo_srcIp_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventOriginalUid = alertInfo_dvEventId_s,\n SrcProcessName = sourceProcessInfo_name_s,\n SrcProcessId = sourceProcessInfo_pid_s,\n SrcUsername = sourceProcessInfo_user_s,\n ThreatOriginalConfidence = 
ruleInfo_treatAsThreat_s\n | extend\n EventEndTime = EventStartTime,\n Dst = DstIpAddr,\n DvcIpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n SrcHostname = DvcHostname,\n SrcDvcId = DvcId,\n IpAddr = SrcIpAddr,\n EventSeverity = iff(EventOriginalSeverity == \"Critical\", \"High\", EventOriginalSeverity),\n SrcDvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\")\n | extend\n Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr),\n Hostname = SrcHostname\n | extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventResult = \"Success\",\n DvcAction = \"Allow\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventResultDetails = \"NA\",\n EventType = \"EndpointNetworkSession\",\n EventVendor = \"SentinelOne\",\n NetworkProtocol = \"TCP\",\n NetworkProtocolVersion = \"IPv4\"\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem,\n ThreatConfidence_*\n};\nparser(disabled = disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionSentinelOne/README.md b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionSentinelOne/README.md new file mode 100644 index 0000000000..8f1e18c710 --- /dev/null +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionSentinelOne/README.md 
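Review bot: The three `where ruleInfo_treatAsThreat_s == ...` filters compare against `"UNDEFINED"` in upper case but `"Suspicious"` and `"Malicious"` in mixed case; `==` is case-sensitive in KQL, so if the connector emits one consistent casing (the sibling `alertInfo_analystVerdict_s` values in the lookups are all upper case), two of the three branches silently drop every row. If the source casing is not certain, `=~` on those three lines removes the dependency, e.g. `| where ruleInfo_treatAsThreat_s =~ "Suspicious"`. The same applies to the lookup key `"Undefined"` in the three ThreatConfidence tables, which is the only mixed-case verdict next to `FALSE_POSITIVE`/`SUSPICIOUS`/`TRUE_POSITIVE` and would never match an upper-case `UNDEFINED` since `lookup` is case-sensitive too; worth verifying against real events. Also note that `DvcAction = "Allow"` and `EventResult = "Success"` are constants for every row, including those whose `ruleInfo_treatAsThreat_s` is Malicious — if that is intended because the feed is alert-only and carries no enforcement outcome, a short comment in the query saying so would stop the next reader from treating it as a bug.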
@@ -0,0 +1,18 @@
+# SentinelOne ASIM NetworkSession Normalization Parser
+
+ARM template for ASIM NetworkSession schema parser for SentinelOne.
+
+This ASIM parser supports normalizing SentinelOne logs to the ASIM Network Session normalized schema. SentinelOne events are captured through SentinelOne data connector which ingests SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM NetworkSession normalization schema reference](https://aka.ms/ASimNetworkSessionDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.git.ttaallkk.top%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FASimNetworkSessionSentinelOne%2FASimNetworkSessionSentinelOne.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.git.ttaallkk.top%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FASimNetworkSessionSentinelOne%2FASimNetworkSessionSentinelOne.json)
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMwareCarbonBlackCloud/ASimNetworkSessionVMwareCarbonBlackCloud.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMwareCarbonBlackCloud/ASimNetworkSessionVMwareCarbonBlackCloud.json
new file mode 100644
index 0000000000..70e4648088
--- /dev/null
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMwareCarbonBlackCloud/ASimNetworkSessionVMwareCarbonBlackCloud.json
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "ASimNetworkSessionVMwareCarbonBlackCloud", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "NetworkSession ASIM Parser for VMware Carbon Black Cloud", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionVMwareCarbonBlackCloud", + "query": "let NetworkProtocolLookup = datatable (netconn_protocol_s: string, NetworkProtocol: string)\n [\n \"PROTO_TCP\", \"TCP\",\n \"PROTO_UDP\", \"UDP\"\n ];\n let DvcActionLookup = datatable (sensor_action_s: string, DvcAction: string)\n [\n \"ACTION_ALLOW\", \"Allow\",\n \"ACTION_SUSPEND\", \"Drop\",\n \"ACTION_TERMINATE\", \"Drop\",\n \"ACTION_BREAK\", \"Drop\",\n \"ACTION_BLOCK\", \"Deny\"\n ];\n let EventSeverityLookup = datatable (DvcAction: string, EventSeverity: string)\n [\n \"Allow\", \"Informational\",\n \"Drop\", \"Low\",\n \"Deny\", \"Low\"\n ];\n let ThreatConfidenceLookup = datatable (ThreatOriginalConfidence: string, ThreatConfidence: int)\n [\n \"1\", 10,\n \"2\", 20,\n \"3\", 30,\n \"4\", 40,\n \"5\", 50,\n \"6\", 60,\n \"7\", 70,\n 
\"8\", 80,\n \"9\", 90,\n \"10\", 100\n ];\n let parser=(disabled: bool=false) {\n let CarbonBlackEventsSchema = datatable ( \n eventType_s: string,\n netconn_protocol_s: string,\n sensor_action_s: string,\n alert_id_g: string,\n device_name_s: string,\n action_s: string,\n createTime_s: string,\n netconn_domain_s: string,\n remote_ip_s: string,\n netconn_inbound_b: bool,\n process_guid_s: string,\n remote_port_d: real,\n local_port_d: real,\n process_pid_d: real,\n device_external_ip_s: string,\n local_ip_s: string,\n device_id_s: string,\n device_os_s: string,\n event_description_s: string,\n event_id_g: string,\n event_origin_s: string,\n process_path_s: string,\n process_username_s: string,\n org_key_s: string,\n )[];\n let CarbonBlackNotificationsSchema = datatable (\n type_s: string,\n threatInfo_incidentId_g: string,\n threatInfo_score_d: real,\n threatInfo_summary_s: string,\n threatInfo_time_d: real,\n threatInfo_threatCause_threatCategory_s: string,\n threatInfo_threatCause_causeEventId_g: string,\n ruleName_s: string,\n deviceInfo_deviceVersion_s: string,\n threatInfo_threatCause_originSourceType_s: string,\n threatInfo_threatCause_reputation_s: string,\n threatInfo_threatCause_reason_s: string,\n id_g: string,\n primary_event_id_g: string,\n threat_id_g: string\n )[];\n let alldata = union (CarbonBlackEventsSchema), (CarbonBlackEvents_CL)\n | where not(disabled)\n | where eventType_s == \"endpoint.event.netconn\"\n | lookup NetworkProtocolLookup on netconn_protocol_s\n | lookup DvcActionLookup on sensor_action_s\n | lookup EventSeverityLookup on DvcAction;\n let alldatawiththreat = alldata \n | where isnotempty(alert_id_g)\n | join kind=leftouter(union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\n | where type_s == \"THREAT\"\n | project\n threatInfo_incidentId_g,\n threatInfo_score_d,\n threatInfo_summary_s,\n threatInfo_time_d,\n threatInfo_threatCause_threatCategory_s,\n threatInfo_threatCause_causeEventId_g,\n ruleName_s,\n 
deviceInfo_deviceVersion_s,\n threatInfo_threatCause_originSourceType_s,\n threatInfo_threatCause_reputation_s,\n threatInfo_threatCause_reason_s)\n on $left.alert_id_g == $right.threatInfo_incidentId_g\n | join kind=leftouter(union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\n | where type_s == \"CB_ANALYTICS\"\n | project\n id_g,\n deviceInfo_deviceVersion_s,\n threat_id_g,\n threatInfo_score_d,\n threatInfo_summary_s,\n threatInfo_threatCause_reason_s)\n on $left.alert_id_g == $right.id_g\n | extend \n ThreatCategory = threatInfo_threatCause_threatCategory_s,\n ThreatFirstReportedTime = unixtime_milliseconds_todatetime(threatInfo_time_d),\n RuleName = ruleName_s,\n AdditionalFields_threat = bag_pack(\n \"threatInfo_threatCause_reason\",\n coalesce(threatInfo_threatCause_reason_s, threatInfo_threatCause_reason_s1),\n \"threatInfo_threatCause_reputation\",\n threatInfo_threatCause_reputation_s,\n \"threatInfo_threatCause_originSourceType\",\n threatInfo_threatCause_originSourceType_s,\n \"threatInfo_summary\",\n coalesce(threatInfo_summary_s, threatInfo_summary_s1)\n ),\n ThreatId = threat_id_g,\n ThreatOriginalConfidence = tostring(toint(coalesce(threatInfo_score_d, threatInfo_score_d1))),\n DvcOsVersion = coalesce(deviceInfo_deviceVersion_s, deviceInfo_deviceVersion_s1)\n | lookup ThreatConfidenceLookup on ThreatOriginalConfidence;\n let alldatawithoutthreat = alldata\n | where isempty(alert_id_g);\n union alldatawiththreat, alldatawithoutthreat\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | extend temp_action = tostring(split(action_s, \"|\")[0])\n | extend\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n SrcDomain = case(\n netconn_domain_s == remote_ip_s or netconn_domain_s has \":\" or netconn_domain_s !has \".\",\n \"\",\n netconn_inbound_b,\n netconn_domain_s,\n \"\"\n ),\n AdditionalFields_Common = bag_pack(\n \"Process Guid\",\n process_guid_s\n ),\n DstPortNumber = toint(remote_port_d),\n NetworkDirection = case(\n 
temp_action == \"ACTION_CONNECTION_LISTEN\",\n \"Listen\",\n netconn_inbound_b == true,\n \"Inbound\",\n \"Unknown\"\n ),\n SrcPortNumber = toint(local_port_d),\n SrcProcessId = tostring(toint(process_pid_d))\n | project-rename\n DstIpAddr = remote_ip_s,\n DvcIpAddr = device_external_ip_s,\n EventUid = _ItemId,\n SrcIpAddr = local_ip_s,\n DvcId = device_id_s,\n DvcOriginalAction = sensor_action_s,\n DvcOs = device_os_s,\n EventMessage = event_description_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n SrcProcessName = process_path_s,\n SrcUsername = process_username_s,\n DvcScopeId = org_key_s\n | extend\n EventCount = int(1),\n EventProduct = \"Carbon Black Cloud\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"EndpointNetworkSession\",\n EventVendor = \"VMware\",\n SrcHostname = SrcIpAddr,\n DstHostname = iff(NetworkDirection == \"Inbound\", coalesce(DvcHostname, DstIpAddr), DstIpAddr),\n EventResult = case(\n temp_action == \"ACTION_CONNECTION_CREATE_FAILED\",\n \"Failure\",\n DvcOriginalAction == \"ACTION_ALLOW\" or isempty(DvcOriginalAction),\n \"Success\",\n \"Failure\"\n ),\n NetworkProtocolVersion = case(\n DstIpAddr contains \".\",\n \"IPv4\", \n DstIpAddr contains \":\",\n \"IPv6\", \n \"\"\n )\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Dst = coalesce(DstHostname, DstIpAddr),\n Src = coalesce(SrcHostname, SrcIpAddr),\n IpAddr = SrcIpAddr,\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n SrcDomainType = iff(isnotempty(SrcDomain), \"FQDN\", \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n AdditionalFields = bag_merge(AdditionalFields_threat, AdditionalFields_Common),\n SrcAppName = SrcProcessName,\n SrcAppId = SrcProcessId,\n SrcAppType = \"Process\",\n Hostname = DstHostname\n | project-away\n *_d,\n *_s,\n *_g,\n *_b,\n 
temp_action,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n AdditionalFields_*\n };\n parser(disabled = disabled)",
+ "version": 1,
+ "functionParameters": "disabled:bool=False"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMwareCarbonBlackCloud/README.md b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMwareCarbonBlackCloud/README.md
new file mode 100644
index 0000000000..29af4a4f66
--- /dev/null
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMwareCarbonBlackCloud/README.md
@@ -0,0 +1,18 @@
+# VMware Carbon Black Cloud ASIM NetworkSession Normalization Parser
+
+ARM template for ASIM NetworkSession schema parser for VMware Carbon Black Cloud.
+
+This ASIM parser supports normalizing VMware Carbon Black Cloud logs to the ASIM NetworkSession normalized schema. VMware Carbon Black Cloud events are captured through VMware Carbon Black Cloud data connector which ingests Carbon Black Audit, Notification and Event data into Microsoft Sentinel through the REST API.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM NetworkSession normalization schema reference](https://aka.ms/ASimNetworkSessionDoc)
+
+
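Review bot: `NetworkDirection` can only come out as `Listen`, `Inbound` or `Unknown`: when `netconn_inbound_b` is false the `case()` falls through to `"Unknown"`, so every outbound connection is reported with an unknown direction even though the source carries an explicit boolean. Adding a branch such as `netconn_inbound_b == false, "Outbound",` before the default closes that gap, assuming false in the Carbon Black schema means outbound (worth confirming against sample events). That also keeps the `SrcDomain` expression, which keys on `netconn_inbound_b`, and the `DstHostname` expression, which keys on `NetworkDirection == "Inbound"`, consistent with each other. Separately, `SrcHostname = SrcIpAddr` places an IP address in a hostname field; if that is a deliberate fallback because the event carries no local hostname, a one-line comment in the query, e.g. `// no local hostname in netconn events; fall back to the local IP`, would save the next reader from reading it as a bug.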
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.git.ttaallkk.top%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FASimNetworkSessionVMwareCarbonBlackCloud%2FASimNetworkSessionVMwareCarbonBlackCloud.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.git.ttaallkk.top%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FASimNetworkSessionVMwareCarbonBlackCloud%2FASimNetworkSessionVMwareCarbonBlackCloud.json) diff --git a/Parsers/ASimNetworkSession/ARM/FullDeploymentNetworkSession.json b/Parsers/ASimNetworkSession/ARM/FullDeploymentNetworkSession.json index 6b1932a6d3..018ce3d14b 100644 --- a/Parsers/ASimNetworkSession/ARM/FullDeploymentNetworkSession.json +++ b/Parsers/ASimNetworkSession/ARM/FullDeploymentNetworkSession.json @@ -178,6 +178,26 @@ } } }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimNetworkSessionCiscoFirepower", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoFirepower/ASimNetworkSessionCiscoFirepower.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", 
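Review bot: Every new `templateLink.uri` here, and in the hunks at -238, -438, -458 and -678, points at the `master` branch of raw.githubusercontent.com, so what the full deployment installs is whatever that branch holds at deploy time rather than the content reviewed in this commit; the accompanying `"contentVersion": "1.0.0.0"` does not pin anything because every linked template carries the same value. If the existing entries in this file use the same mechanism this is a repository-wide convention rather than something to fix only in this hunk, but a short note in the template description or README stating that the full deployment tracks master (or a move to a tagged ref or commit SHA in the URI) would make the trust boundary explicit to anyone deploying it. The `vimNetworkSessionCiscoFirepower` template referenced by the -678 hunk is not visible in this chunk, so I cannot confirm it exists at that path.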
@@ -238,6 +258,26 @@
 }
 }
 },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedASimNetworkSessionCrowdStrikeFalconHost",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCrowdStrikeFalconHost/ASimNetworkSessionCrowdStrikeFalconHost.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
@@ -438,6 +478,26 @@
 }
 }
 },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedASimNetworkSessionSentinelOne",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionSentinelOne/ASimNetworkSessionSentinelOne.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
@@ -458,6 +518,26 @@
 }
 }
 },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedASimNetworkSessionVMwareCarbonBlackCloud",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMwareCarbonBlackCloud/ASimNetworkSessionVMwareCarbonBlackCloud.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
@@ -678,6 +758,26 @@
 }
 }
 },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedvimNetworkSessionCiscoFirepower",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoFirepower/vimNetworkSessionCiscoFirepower.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
@@ -738,6 +838,26 @@
 }
 }
 },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedvimNetworkSessionCrowdStrikeFalconHost",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCrowdStrikeFalconHost/vimNetworkSessionCrowdStrikeFalconHost.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
@@ -938,6 +1058,26 @@
 }
 }
 },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedvimNetworkSessionSentinelOne",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionSentinelOne/vimNetworkSessionSentinelOne.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
@@ -958,6 +1098,26 @@
 }
 }
 },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedvimNetworkSessionVMwareCarbonBlackCloud",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMwareCarbonBlackCloud/vimNetworkSessionVMwareCarbonBlackCloud.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
diff --git a/Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json b/Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json
index 43136a94c5..3a2bb70398 100644
--- a/Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json
+++ b/Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json
@@ -35,7 +35,7 @@ "displayName": "Network Session ASIM filtering parser", "category": "ASIM", "FunctionAlias": "imNetworkSession", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludevimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkSessionsGeneric=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]),\n dstipaddr_has_any_prefix:dynamic=dynamic([]),\n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null),\n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]),\n eventresult:string='*',\n pack:bool=false)\n{\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , vimNetworkSessionLinuxSysmon (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionLinuxSysmon' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoft365Defender (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoft365Defender' in (DisabledParsers) ))\n , vimNetworkSessionMD4IoTAgent (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMD4IoTAgent' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoftWindowsEventFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, 
eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) ))\n , vimNetworkSessionPaloAltoCEF (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionPaloAltoCEF' in (DisabledParsers) ))\n , vimNetworkSessionVMConnection (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionVMConnection' in (DisabledParsers) ))\n , vimNetworkSessionAWSVPC (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAWSVPC' in (DisabledParsers) ))\n , vimNetworkSessionAzureFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAzureFirewall' in (DisabledParsers) ))\n , vimNetworkSessionAzureNSG (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAzureNSG' in (DisabledParsers) ))\n , vimNetworkSessionVectraAI (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, pack=pack, disabled=(ASimBuiltInDisabled or ('ExcludevimNetworkSessionVectraAI' in (DisabledParsers) )))\n , vimNetworkSessionCiscoMeraki (starttime, endtime, srcipaddr_has_any_prefix, 
dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , vimNetworkSessionAppGateSDP (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAppGateSDP' in (DisabledParsers) ))\n , vimNetworkSessionFortinetFortiGate (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionFortinetFortiGate' in (DisabledParsers) ))\n , vimNetworkSessionCorelightZeek (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCorelightZeek' in (DisabledParsers) ))\n , vimNetworkSessionCheckPointFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCheckPointFirewall' in (DisabledParsers) ))\n , vimNetworkSessionWatchGuardFirewareOS (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionWatchGuardFirewareOS' in (DisabledParsers) ))\n , vimNetworkSessionCiscoASA (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoASA' in (DisabledParsers) ))\n , vimNetworkSessionForcePointFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, 
dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionForcePointFirewall' in (DisabledParsers) ))\n , vimNetworkSessionNative (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionNative' in (DisabledParsers) ))\n , vimNetworkSessionCiscoMeraki (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , vimNetworkSessionCiscoISE (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoISE' in (DisabledParsers) ))\n , vimNetworkSessionBarracudaWAF (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionBarracudaWAF' in (DisabledParsers) ))\n};\nNetworkSessionsGeneric(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, pack=pack)\n", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludevimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkSessionsGeneric=(\n 
starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]),\n dstipaddr_has_any_prefix:dynamic=dynamic([]),\n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null),\n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]),\n eventresult:string='*',\n pack:bool=false)\n{\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , vimNetworkSessionLinuxSysmon (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionLinuxSysmon' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoft365Defender (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoft365Defender' in (DisabledParsers) ))\n , vimNetworkSessionMD4IoTAgent (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMD4IoTAgent' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoftWindowsEventFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) ))\n , vimNetworkSessionPaloAltoCEF (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionPaloAltoCEF' in (DisabledParsers) ))\n , vimNetworkSessionVMConnection (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, 
eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionVMConnection' in (DisabledParsers) ))\n , vimNetworkSessionAWSVPC (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAWSVPC' in (DisabledParsers) ))\n , vimNetworkSessionAzureFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAzureFirewall' in (DisabledParsers) ))\n , vimNetworkSessionAzureNSG (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAzureNSG' in (DisabledParsers) ))\n , vimNetworkSessionVectraAI (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, pack=pack, disabled=(ASimBuiltInDisabled or ('ExcludevimNetworkSessionVectraAI' in (DisabledParsers) )))\n , vimNetworkSessionCiscoMeraki (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , vimNetworkSessionAppGateSDP (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAppGateSDP' in (DisabledParsers) ))\n , vimNetworkSessionFortinetFortiGate (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, 
ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionFortinetFortiGate' in (DisabledParsers) ))\n , vimNetworkSessionCorelightZeek (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCorelightZeek' in (DisabledParsers) ))\n , vimNetworkSessionCheckPointFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCheckPointFirewall' in (DisabledParsers) ))\n , vimNetworkSessionWatchGuardFirewareOS (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionWatchGuardFirewareOS' in (DisabledParsers) ))\n , vimNetworkSessionCiscoASA (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoASA' in (DisabledParsers) ))\n , vimNetworkSessionForcePointFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionForcePointFirewall' in (DisabledParsers) ))\n , vimNetworkSessionNative (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionNative' in (DisabledParsers) ))\n , vimNetworkSessionSentinelOne (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, 
dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionSentinelOne' in (DisabledParsers) ))\n , vimNetworkSessionCiscoMeraki (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , vimNetworkSessionCiscoISE (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoISE' in (DisabledParsers) ))\n , vimNetworkSessionBarracudaWAF (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionBarracudaWAF' in (DisabledParsers) ))\n , vimNetworkSessionCiscoFirepower (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoFirepower' in (DisabledParsers) ))\n , vimNetworkSessionCrowdStrikeFalconHost (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCrowdStrikeFalconHost' in (DisabledParsers) ))\n , vimNetworkSessionVMwareCarbonBlackCloud (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionVMwareCarbonBlackCloud' in (DisabledParsers) ))\n};\nNetworkSessionsGeneric(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, 
dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, pack=pack)\n",
 "version": 1,
 "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',pack:bool=False"
 }
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoFirepower/README.md b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoFirepower/README.md
new file mode 100644
index 0000000000..d44ba9da9f
--- /dev/null
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoFirepower/README.md
@@ -0,0 +1,18 @@
+# Cisco Firepower ASIM NetworkSession Normalization Parser
+
+ARM template for ASIM NetworkSession schema parser for Cisco Firepower.
+
+This ASIM parser supports normalizing commonly used Cisco Firepower messages collected using the CEF Data Connector to the ASIM Network Session normalized schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM NetworkSession normalization schema reference](https://aka.ms/ASimNetworkSessionDoc)
+
+
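Review bot: On the new side of the `query` line, `vimNetworkSessionCiscoMeraki` is still listed twice in the `union isfuzzy=true` (once after the vimNetworkSessionVectraAI entry and again after vimNetworkSessionNative), so whenever that parser is not disabled the rows it returns appear twice in imNetworkSession output; the duplication predates this commit, but rewriting the whole line was the place to drop the second `, vimNetworkSessionCiscoMeraki (...)` entry. The four members this commit adds (SentinelOne, CiscoFirepower, CrowdStrikeFalconHost, VMwareCarbonBlackCloud) follow the positional-argument form of the existing entries and are not affected by this.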
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.git.ttaallkk.top%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FvimNetworkSessionCiscoFirepower%2FvimNetworkSessionCiscoFirepower.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.git.ttaallkk.top%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FvimNetworkSessionCiscoFirepower%2FvimNetworkSessionCiscoFirepower.json)
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoFirepower/vimNetworkSessionCiscoFirepower.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoFirepower/vimNetworkSessionCiscoFirepower.json
new file mode 100644
index 0000000000..d8c98d66d5
--- /dev/null
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoFirepower/vimNetworkSessionCiscoFirepower.json
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimNetworkSessionCiscoFirepower", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Cisco Firepower", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionCiscoFirepower", + "query": "let ActionLookup = datatable(\n DeviceAction: string,\n DvcAction: string,\n EventResult: string\n)\n[\n \"Blocked\", \"Deny\", \"Failure\",\n \"Alerted\", \"Allow\", \"Success\",\n \"Rewritten\", \"Allow\", \"Success\",\n \"Would be Rewritten\", \"Allow\", \"Partial\",\n \"Would be Blocked\", \"Deny\", \"Partial\",\n \"Would Be Blocked\", \"Deny\", \"Partial\",\n \"Dropped\", \"Drop\", \"Failure\",\n \"Would be Dropped\", \"Drop\", \"Partial\",\n \"Partially Dropped\", \"Drop\", \"Partial\",\n \"Would be Block\", \"Deny\", \"Partial\",\n \"Partial Blocked\", \"Deny\", \"Partial\",\n \"Rejected\", \"Deny\", \"Failure\",\n \"Would be Rejected\", \"Deny\", \"Partial\",\n \"Would Rejected\", \"Deny\", \"Partial\",\n \"Block\", \"Deny\", \"Failure\",\n \"Partial Block\", 
\"Deny\", \"Partial\",\n \"Drop\", \"Drop\", \"Failure\",\n \"Would Drop\", \"Drop\", \"Partial\",\n \"Reject\", \"Deny\", \"Failure\",\n \"Rewrite\", \"Allow\", \"Success\",\n \"Allow\", \"Allow\", \"Success\",\n \"Monitor\", \"Allow\", \"Success\"\n];\nlet EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Medium\",\n \"5\", \"Medium\",\n \"6\", \"Medium\",\n \"7\", \"High\",\n \"8\", \"High\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet EventResultDetailsLookup = datatable(Reason: string, EventResultDetails: string)\n[\n \"N/A\", \"NA\",\n \"IP Block\", \"Terminated\",\n \"IP Monitor\", \"Unknown\",\n \"User Bypass\", \"Unknown\",\n \"File Monitor\", \"Unknown\",\n \"File Block\", \"Terminated\",\n \"Intrusion Monitor\", \"Unknown\",\n \"Intrusion Block\", \"Terminated\",\n \"File Resume Block\", \"Terminated\",\n \"File Resume Allow\", \"Unknown\",\n \"File Custom Detection\", \"Unknown\"\n];\nlet parser = (starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n dstipaddr_has_any_prefix: dynamic=dynamic([]), \n ipaddr_has_any_prefix: dynamic=dynamic([]),\n dstportnumber: int=int(null), \n hostname_has_any: dynamic=dynamic([]), \n dvcaction: dynamic=dynamic([]), \n eventresult: string='*', \n disabled: bool=false) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let AllLogs = CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n and DeviceVendor == \"Cisco\" and DeviceProduct == \"Firepower\"\n and DeviceEventClassID has_any(\"INTRUSION:400\", \"PV:112\", \"RNA:1003:1\")\n and (array_length(hostname_has_any) == 0 or DestinationDnsDomain has_any (hostname_has_any)) \n and 
(isnull(dstportnumber) or (DestinationPort == dstportnumber))\n | extend\n temp_isSrcMatch = has_any_ipv4_prefix(SourceIP, src_or_any), \n temp_isDstMatch = has_any_ipv4_prefix(DestinationIP, dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", \n (temp_isSrcMatch and temp_isDstMatch), \"Both\", \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\" \n ) \n | where ASimMatchingIpAddr != \"No match\"\n | invoke _ASIM_ResolveDstFQDN('DestinationDnsDomain')\n | extend temp_is_MatchDstHostname = DstHostname has_any (hostname_has_any)\n | extend ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0,\n \"-\",\n temp_is_MatchDstHostname,\n \"DstHostname\",\n \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | invoke _ASIM_ResolveNetworkProtocol('Protocol')\n | extend NetworkProtocol = iff(NetworkProtocol == \"Unassigned\" and Protocol !in (63, 68, 99, 114, 253, 254), Protocol, NetworkProtocol);\n let Connection_Statistics_Events = AllLogs\n | where DeviceEventClassID has \"RNA:1003:1\"\n | parse-kv AdditionalExtensions as (\n start: long,\n end: long,\n bytesIn: long,\n bytesOut: long,\n )\n with (pair_delimiter=';', kv_delimiter='=') \n | lookup EventResultDetailsLookup on Reason\n | extend\n SrcBytes = bytesIn,\n DstBytes = bytesOut,\n EventOriginalResultDetails = Reason,\n AdditionalFields = bag_pack(\"policy\", DeviceCustomString1,\n \"instanceID\", ProcessID,\n \"clientApplicationID\", RequestClientApplication,\n \"clientUrl\", RequestURL);\n let Intrusion_Events = AllLogs\n | where DeviceEventClassID has \"INTRUSION:400\"\n | parse-kv AdditionalExtensions as (\n start: long\n )\n with (pair_delimiter=';', kv_delimiter='=')\n | extend \n EventMessage = Activity,\n ThreatCategory = DeviceEventCategory,\n AdditionalFields = bag_pack(\"policy\", DeviceCustomString1,\n \"ipspolicy\", DeviceCustomString5,\n \"clientApplicationID\", 
RequestClientApplication,\n \"clientUrl\", RequestURL);\n let Policy_Violation_Events = AllLogs\n | where DeviceEventClassID has \"PV:112\"\n | extend\n EventMessage = Message,\n AdditionalFields = bag_pack(\"policy\", DeviceCustomString1)\n | project-rename DstUsername = DestinationUserName\n | extend\n DstUsernameType = _ASIM_GetUsernameType(DstUsername),\n DstUserType = _ASIM_GetUserType(DstUsername, \"\");\n union Connection_Statistics_Events, Intrusion_Events, Policy_Violation_Events\n | extend\n SrcPortNumber = iff(NetworkProtocol == \"ICMP\", int(null), SourcePort),\n DstPortNumber = iff(NetworkProtocol == \"ICMP\", int(null), DestinationPort),\n NetworkIcmpCode = iff(NetworkProtocol == \"ICMP\", DestinationPort, int(null)),\n NetworkIcmpType = iff(NetworkProtocol == \"ICMP\", tostring(SourcePort), \"\"),\n SrcZone = DeviceCustomString3,\n DstZone = DeviceCustomString4\n | lookup ActionLookup on DeviceAction\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | lookup EventSeverityLookup on LogSeverity\n | extend \n EventStartTime = coalesce(unixtime_milliseconds_todatetime(start), unixtime_milliseconds_todatetime(tolong(ReceiptTime))),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n EventOriginalType = iff(DeviceEventClassID has \"INTRUSION:400\", \"INTRUSION EVENT\", Activity),\n SrcVlanId = tostring(DeviceCustomNumber1)\n | extend\n EventEndTime = coalesce(unixtime_milliseconds_todatetime(end), EventStartTime),\n NetworkProtocolVersion = case(\n DstIpAddr contains \".\",\n \"IPv4\",\n DstIpAddr contains \":\",\n \"IPv6\",\n \"\"\n )\n | extend Ip_device = iff(DeviceName matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", DeviceName, \"\")\n | extend\n DvcIpAddr = Ip_device,\n 
DeviceName = iff(isempty(Ip_device), DeviceName, \"\")\n | extend host = coalesce(DeviceName, Computer)\n | invoke _ASIM_ResolveDvcFQDN('host')\n | extend\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"NetworkSession\",\n EventCount = int(1)\n | project-rename \n EventProduct = DeviceProduct,\n EventVendor = DeviceVendor,\n SrcUsername = SourceUserName,\n DvcInboundInterface = DeviceInboundInterface,\n DvcOutboundInterface = DeviceOutboundInterface,\n EventOriginalSeverity = LogSeverity,\n DvcId = DeviceExternalID,\n NetworkApplicationProtocol = ApplicationProtocol,\n EventProductVersion = DeviceVersion,\n EventOriginalUid = ExtID,\n NetworkRuleName = DeviceCustomString2,\n EventUid = _ItemId,\n DvcOriginalAction = DeviceAction\n | extend\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n DvcIdType = \"Other\"\n | extend \n IpAddr = SrcIpAddr,\n InnerVlanId = SrcVlanId,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = coalesce(DvcIpAddr, DvcHostname),\n Rule = NetworkRuleName,\n User = SrcUsername,\n Hostname = DstHostname\n | project-away\n bytesIn,\n bytesOut,\n start,\n end,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n ProcessID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n ThreatConfidence,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n TenantId,\n Ip_*,\n host,\n NetworkProtocolNumber,\n temp*\n};\nparser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n 
dstportnumber=dstportnumber, \n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction, \n eventresult=eventresult, \n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCrowdStrikeFalconHost/README.md b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCrowdStrikeFalconHost/README.md new file mode 100644 index 0000000000..ee68185119 --- /dev/null +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCrowdStrikeFalconHost/README.md @@ -0,0 +1,18 @@ +# CrowdStrike Falcon Endpoint Protection ASIM NetworkSession Normalization Parser + +ARM template for ASIM NetworkSession schema parser for CrowdStrike Falcon Endpoint Protection. + +This ASIM parser supports normalizing CrowdStrike Falcon Endpoint Protection logs to the ASIM Network Session normalized schema. These events are captured through CrowdStrike Falcon Endpoint Protection data connector which allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM NetworkSession normalization schema reference](https://aka.ms/ASimNetworkSessionDoc) + +
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.git.ttaallkk.top%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FvimNetworkSessionCrowdStrikeFalconHost%2FvimNetworkSessionCrowdStrikeFalconHost.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.git.ttaallkk.top%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FvimNetworkSessionCrowdStrikeFalconHost%2FvimNetworkSessionCrowdStrikeFalconHost.json)
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCrowdStrikeFalconHost/vimNetworkSessionCrowdStrikeFalconHost.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCrowdStrikeFalconHost/vimNetworkSessionCrowdStrikeFalconHost.json
new file mode 100644
index 0000000000..8a4ad88fbe
--- /dev/null
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCrowdStrikeFalconHost/vimNetworkSessionCrowdStrikeFalconHost.json
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimNetworkSessionCrowdStrikeFalconHost", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "NetworkSession ASIM Parser for CrowdStrike Falcon Endpoint Protection", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionCrowdStrikeFalconHost", + "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Informational\",\n \"1\", \"Informational\",\n \"2\", \"Low\",\n \"3\", \"Medium\",\n \"4\", \"High\",\n \"5\", \"High\"\n];\nlet EventFieldsLookup = datatable (\n ruleAction: int,\n DvcOriginalAction: string,\n DvcAction: string,\n EventResult: string\n)\n[\n 0, \"invalid\", \"Deny\", \"Failure\",\n 1, \"allowed\", \"Allow\", \"Success\",\n 2, \"blocked\", \"Deny\", \"Failure\"\n];\n//ActionLokkup is prepapred by considering facts as below:\n//Response bit: KILL PROCESS, modifier bit: '', DvcAction: Deny\n//Response bit: KILL PROCESS, modifier bit: POLICY_DISABLED, DvcAction: Allow as here process would have been killed or blocked if policy was 
enabled so current event is not killed.\nlet ActionLookup = datatable (\n EventOutcome: string,\n DvcOriginalAction: string,\n DvcAction: string,\n EventResult: string\n)\n[\n \"0\", \"Detection\", \"Allow\", \"Success\",\n \"2\", \"Detection\", \"Allow\", \"Success\",\n \"16\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"128\", \"Quarantine\", \"Allow\", \"Success\",\n \"144\", \"Prevention-killed,quarantine\", \"Deny\", \"Failure\",\n \"272\", \"Detection\", \"Allow\", \"Success\",\n \"400\", \"Detection-quarantine\", \"Allow\", \"Success\",\n \"512\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"640\", \"Prevention-killed,quarantine\", \"Deny\", \"Failure\",\n \"768\", \"Detection\", \"Allow\", \"Success\", \n \"1024\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"1040\", \"Prevention-killed,blocked\", \"Deny\", \"Failure\",\n \"1152\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"1168\", \"Prevention-killed,blocked,quarnatine\", \"Deny\", \"Failure\",\n \"1280\", \"Detection\", \"Allow\", \"Success\",\n \"1296\", \"Detection\", \"Allow\", \"Success\",\n \"2048\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"2176\", \"Prevention-quarantine,blocked \", \"Deny\", \"Failure\",\n \"2304\", \"Detection\", \"Allow\", \"Success\",\n \"2432\", \"Detection-quarantine\", \"Allow\", \"Success\",\n \"4096\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"4112\", \"Prevention-blocked,killed\", \"Deny\", \"Failure\",\n \"4224\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"4240\", \"Prevention-killed,blocked,quarantine\", \"Deny\", \"Failure\",\n \"4352\", \"Detection\", \"Allow\", \"Success\",\n \"4368\", \"Detection\", \"Allow\", \"Success\",\n \"4638\", \"Detection\", \"Allow\", \"Success\",\n \"5120\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"8192\", \"Disabled\", \"Allow\", \"Success\",\n \"8208\", \"Detection\", \"Allow\", \"Success\",\n \"8320\", \"Detection-quarnatine\", \"Allow\", \"Success\",\n 
\"8704\", \"Detection\", \"Allow\", \"Success\",\n \"9216\", \"Detection\", \"Allow\", \"Success\",\n \"10240\", \"Detection\", \"Allow\", \"Success\",\n \"12304\", \"Detection\", \"Allow\", \"Success\",\n \"16400\", \"Killed\", \"Deny\", \"Failure\",\n \"32768\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"32896\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"33024\", \"Detection\", \"Allow\", \"Success\",\n \"65536\", \"Downgraded\", \"Allow\", \"Success\",\n \"65552\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"65792\", \"Detection-downgraded\", \"Allow\", \"Success\",\n \"65808\", \"Detection-downgraded\", \"Allow\", \"Success\",\n \"73728\", \"Detection-downgraded\", \"Allow\", \"Success\",\n \"73744\", \"Detection-downgraded\", \"Allow\", \"Success\",\n \"131088\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"131216\", \"Prevention-killed,quarantine\", \"Deny\", \"Failure\",\n \"131584\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"131712\", \"Prevention-killed,quarantine\", \"Deny\", \"Failure\",\n \"2099200\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"2099328\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"4196352\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"4196480\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"1048576\", \"Prevention-suspend\", \"Deny\", \"Failure\",\n \"524288\", \"Prevention-suspend\", \"Deny\", \"Failure\",\n \"262144\", \"Blocking Disabled\", \"Allow\", \"Success\",\n \"16384\", \"Safeguard Enabled\", \"Allow\", \"Success\",\n \"131072\", \"Kill Failed\", \"Deny\", \"Failure\",\n \"256\", \"Policy Disabled\", \"Allow\", \"Success\",\n \"2097152\", \"Response Action Already Applied\", \"Deny\", \"Failure\",\n \"4194304\", \"Response Failed\", \"Deny\", \"Failure\"\n];\nlet parser = (starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n dstipaddr_has_any_prefix: 
dynamic=dynamic([]), \n ipaddr_has_any_prefix: dynamic=dynamic([]),\n dstportnumber: int=int(null), \n hostname_has_any: dynamic=dynamic([]), \n dvcaction: dynamic=dynamic([]), \n eventresult: string='*', \n disabled: bool=false) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let alldata = CommonSecurityLog\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\"\n | where DeviceEventClassID in (\"Network Access In A Detection Summary Event\", \"FirewallMatchEvent\")\n | where (array_length(hostname_has_any) == 0 or DestinationHostName has_any (hostname_has_any))\n and (isnull(dstportnumber) or (DestinationPort == dstportnumber) or (AdditionalExtensions has tostring(dstportnumber)))\n ;\n let firewalldata = alldata\n | where DeviceEventClassID == \"FirewallMatchEvent\"\n | parse-kv AdditionalExtensions as (deviceId: string, cmdLine: string, connectionDirection: int, eventType: string, hostName: string, icmpCode: int, icmpType: string, localAddress: string, localPort: int, matchCount: int, networkProfile: string, protocol: int, remoteAddress: string, remotePort: int, ruleAction: int, ruleDescription: string, ruleGroupName: string, ruleName: string, status: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | lookup EventFieldsLookup on ruleAction\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | extend\n EventCount = matchCount,\n EventStartTime = unixtime_milliseconds_todatetime(tolong(ReceiptTime)),\n NetworkDirection = case(\n connectionDirection == 1, \"Inbound\",\n connectionDirection == 2, \"Outbound\",\n \"\"\n ),\n SrcIpAddr = case(\n connectionDirection == 1, remoteAddress,\n 
connectionDirection == 2, localAddress,\n \"\"\n ),\n SrcPortNumber = case(\n connectionDirection == 1, remotePort,\n connectionDirection == 2, localPort,\n int(null)\n ),\n DstIpAddr = case(\n connectionDirection == 1, remoteAddress,\n connectionDirection == 2, localAddress,\n \"\"\n ),\n DstPortNumber = case(\n connectionDirection == 1, localPort,\n connectionDirection == 2, remotePort,\n int(null)\n )\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend\n temp_isSrcMatch = has_any_ipv4_prefix(SrcIpAddr, src_or_any), \n temp_isDstMatch = has_any_ipv4_prefix(DstIpAddr, dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\", \n (temp_isSrcMatch and temp_isDstMatch),\n \"Both\", \n temp_isSrcMatch,\n \"SrcIpAddr\",\n temp_isDstMatch,\n \"DstIpAddr\",\n \"No match\" \n ) \n | where ASimMatchingIpAddr != \"No match\"\n | extend deviceIp = iff(hostName matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", hostName, \"\")\n | extend \n hostName = iff(isempty(deviceIp), hostName, \"\"),\n AdditionalFields = bag_pack(\n \"networkProfile\", networkProfile,\n \"ruleDescription\", ruleDescription,\n \"ruleGroupName\", ruleGroupName,\n \"cmdLine\", cmdLine\n ),\n NetworkIcmpCode = icmpCode\n | invoke _ASIM_ResolveDvcFQDN('hostName')\n | invoke _ASIM_ResolveNetworkProtocol('protocol')\n | extend NetworkIcmpType = _ASIM_LookupICMPType('icmpType')\n | project-rename\n DvcId = deviceId,\n DvcIpAddr = deviceIp,\n EventOriginalSubType = eventType,\n NetworkRuleName = ruleName\n | extend\n Rule = NetworkRuleName,\n Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr);\n let networkaccessdata = alldata\n | where DeviceEventClassID has \"Network Access In A Detection Summary Event\"\n | lookup ActionLookup on EventOutcome\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n 
| extend\n temp_isSrcMatch = has_any_ipv4_prefix(SourceIP, src_or_any), \n temp_isDstMatch = has_any_ipv4_prefix(DestinationIP, dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\", \n (temp_isSrcMatch and temp_isDstMatch),\n \"Both\", \n temp_isSrcMatch,\n \"SrcIpAddr\",\n temp_isDstMatch,\n \"DstIpAddr\",\n \"No match\" \n ) \n | where ASimMatchingIpAddr != \"No match\"\n | parse-kv AdditionalExtensions as (CSMTRPatternDisposition: string, tactic: string, technique: string, objective: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | invoke _ASIM_ResolveSrcFQDN('DestinationHostName')\n | extend ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0,\n \"-\",\n SrcHostname has_any (hostname_has_any),\n \"SrcHostname\",\n \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | extend\n EventStartTime = todatetime(DeviceCustomDate1),\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n EventCount = int(1),\n SrcDomain = coalesce(SrcDomain, DestinationNTDomain),\n EventOriginalResultDetails = CSMTRPatternDisposition,\n SrcProcessId = tostring(FieldDeviceCustomNumber2),\n SrcDomainType = iff(isnotempty(DestinationNTDomain), \"Windows\", SrcDomainType),\n AdditionalFields = bag_pack(\n \"CSMTRPatternDisposition\", CSMTRPatternDisposition, \n \"Tactic\", coalesce(tactic, Activity),\n \"Technique\", coalesce(technique, DeviceAction),\n \"Objective\", coalesce(objective, Reason),\n DeviceCustomString6Label, DeviceCustomString6\n )\n | project-rename\n DvcId = ExtID,\n DstPortNumber = DestinationPort,\n SrcPortNumber = SourcePort,\n SrcMacAddr = SourceMACAddress,\n SrcUsername = DestinationUserName,\n SrcProcessName = FileName\n | extend\n Dvc = DvcId,\n Hostname = SrcHostname,\n User = SrcUsername,\n SrcAppId = SrcProcessId,\n SrcAppName = SrcProcessName,\n SrcAppType = \"Process\",\n 
SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername);\n union firewalldata, networkaccessdata\n | lookup EventSeverityLookup on LogSeverity\n | extend NetworkProtocolVersion = case(\n DstIpAddr contains \".\", \"IPv4\",\n DstIpAddr contains \":\", \"IPv6\",\n \"\"\n )\n | extend\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventVendor = \"CrowdStrike\",\n EventProduct = \"FalconHost\",\n EventType = \"EndpointNetworkSession\"\n | project-rename\n EventOriginalType = DeviceEventClassID,\n EventProductVersion = DeviceVersion,\n EventUid = _ItemId,\n EventOriginalSeverity= LogSeverity\n | extend\n EventEndTime = EventStartTime,\n Dst = DstIpAddr,\n Src = coalesce(SrcFQDN, SrcHostname, SrcIpAddr),\n IpAddr = SrcIpAddr,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\")\n | project-away \n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n Computer,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n Activity,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n _ResourceId,\n ExtID,\n Message,\n EventOutcome,\n IndicatorThreatType,\n cmdLine,\n connectionDirection,\n hostName,\n matchCount,\n networkProfile,\n protocol,\n ruleAction,\n ruleDescription,\n ruleGroupName,\n icmpCode,\n icmpType,\n status,\n CSMTRPatternDisposition,\n temp_*,\n NetworkProtocolNumber,\n localAddress,\n localPort,\n remoteAddress,\n remotePort\n};\nparser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n dstportnumber=dstportnumber, \n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction, \n 
eventresult=eventresult, \n disabled=disabled\n)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),dvcaction:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionSentinelOne/README.md b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionSentinelOne/README.md new file mode 100644 index 0000000000..c2348a71a9 --- /dev/null +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionSentinelOne/README.md @@ -0,0 +1,18 @@ +# SentinelOne ASIM NetworkSession Normalization Parser + +ARM template for ASIM NetworkSession schema parser for SentinelOne. + +This ASIM parser supports normalizing SentinelOne logs to the ASIM Network Session normalized schema. SentinelOne events are captured through SentinelOne data connector which ingests SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM NetworkSession normalization schema reference](https://aka.ms/ASimNetworkSessionDoc) + +
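Review bot: In the `firewalldata` branch of the `query` string, `DstIpAddr` is computed with the same `case` as `SrcIpAddr` (`connectionDirection == 1, remoteAddress` / `connectionDirection == 2, localAddress`), so both fields always carry the same address, while `DstPortNumber` is correctly mirrored against `SrcPortNumber`; the destination mapping should read `connectionDirection == 1, localAddress,` and `connectionDirection == 2, remoteAddress,`. Because `temp_isDstMatch`, the `dstipaddr_has_any_prefix` filtering and `Dst` are all derived from this field, any analytic rule or hunting query filtering on the destination endpoint will match the wrong side of the connection. Separately, the `ActionLookup` values carry spelling and whitespace inconsistencies (`quarnatine` for codes 1168 and 8320, a trailing space in `"Prevention-quarantine,blocked "` for 2176) that will surface as distinct `DvcOriginalAction` values downstream, and the comment above it reads `ActionLokkup is prepapred`. The hunk is complete within this view.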
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.git.ttaallkk.top%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FvimNetworkSessionSentinelOne%2FvimNetworkSessionSentinelOne.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.git.ttaallkk.top%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FvimNetworkSessionSentinelOne%2FvimNetworkSessionSentinelOne.json)
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionSentinelOne/vimNetworkSessionSentinelOne.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionSentinelOne/vimNetworkSessionSentinelOne.json
new file mode 100644
index 0000000000..65d81498eb
--- /dev/null
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionSentinelOne/vimNetworkSessionSentinelOne.json
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimNetworkSessionSentinelOne", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for SentinelOne", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionSentinelOne", + "query": "let NetworkDirectionLookup = datatable (\n alertInfo_netEventDirection_s: string, \n NetworkDirection: string\n)[\n \"OUTGOING\", \"Outbound\",\n \"INCOMING\", \"Inbound\",\n];\nlet DeviceTypeLookup = datatable (\n agentDetectionInfo_machineType_s: string,\n SrcDeviceType: string\n)\n [\n \"desktop\", \"Computer\",\n \"server\", \"Computer\",\n \"laptop\", \"Computer\",\n \"kubernetes node\", \"Other\",\n \"unknown\", \"Other\"\n];\nlet ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n [\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: 
int\n)\n [\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n [\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser=(\n disabled: bool=false, \n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n eventresult: string='*', \n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n dstipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]), \n hostname_has_any: dynamic=dynamic([]),\n dstportnumber: int=int(null),\n dvcaction: dynamic=dynamic([])\n ) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let alldata = SentinelOne_CL\n | where not(disabled) \n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and event_name_s == \"Alerts.\"\n and alertInfo_eventType_s == \"TCPV4\"\n and (eventresult == \"*\" or eventresult == \"Success\")\n and (isnull(dstportnumber) or toint(alertInfo_dstPort_s) == dstportnumber)\n and (array_length(hostname_has_any) == 0 or agentDetectionInfo_name_s has_any (hostname_has_any))\n and (array_length(dvcaction) == 0 or dvcaction has_any (\"Allow\"))\n | extend\n temp_SrcMatch = has_any_ipv4_prefix(alertInfo_srcIp_s, src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(alertInfo_dstIp_s, dst_or_any)\n | extend \n ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n ),\n ASimMatchingHostname = \"SrcHostname\"\n | where ASimMatchingIpAddr != \"No match\";\n let undefineddata = alldata\n | where ruleInfo_treatAsThreat_s == 
\"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maliciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n union undefineddata, suspiciousdata, maliciousdata\n | lookup NetworkDirectionLookup on alertInfo_netEventDirection_s\n | lookup DeviceTypeLookup on agentDetectionInfo_machineType_s\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | extend \n DstPortNumber = toint(alertInfo_dstPort_s),\n SrcPortNumber = toint(alertInfo_srcPort_s),\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n EventStartTime = sourceProcessInfo_pidStarttime_t,\n DstIpAddr = alertInfo_dstIp_s,\n EventUid = _ItemId,\n SrcIpAddr = alertInfo_srcIp_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventOriginalUid = alertInfo_dvEventId_s,\n SrcProcessName = sourceProcessInfo_name_s,\n SrcProcessId = sourceProcessInfo_pid_s,\n SrcUsername = sourceProcessInfo_user_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | extend\n EventEndTime = EventStartTime,\n Dst = DstIpAddr,\n DvcIpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n SrcHostname = DvcHostname,\n SrcDvcId = DvcId,\n IpAddr = SrcIpAddr,\n EventSeverity = iff(EventOriginalSeverity == \"Critical\", \"High\", EventOriginalSeverity),\n SrcDvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\")\n | extend\n Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr),\n Hostname = 
SrcHostname\n | extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventResult = \"Success\",\n DvcAction = \"Allow\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventResultDetails = \"NA\",\n EventType = \"EndpointNetworkSession\",\n EventVendor = \"SentinelOne\",\n NetworkProtocol = \"TCP\",\n NetworkProtocolVersion = \"IPv4\"\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n temp*,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem,\n ThreatConfidence_*\n};\nparser(\n disabled=disabled,\n starttime=starttime, \n endtime=endtime,\n eventresult=eventresult,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix,\n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n hostname_has_any=hostname_has_any,\n dstportnumber=dstportnumber,\n dvcaction=dvcaction\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),dvcaction:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMwareCarbonBlackCloud/README.md b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMwareCarbonBlackCloud/README.md new file mode 100644 index 0000000000..ff18467b97 --- /dev/null +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMwareCarbonBlackCloud/README.md 
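Review bot: The three `ruleInfo_treatAsThreat_s` comparisons that split `alldata` use inconsistent casing (`"UNDEFINED"` next to `"Suspicious"` and `"Malicious"`) with the case-sensitive `==`, and a row matching none of the three branches is dropped entirely by the `union`, so whichever casing the connector actually delivers, part of the event stream is likely lost silently. Using `| where ruleInfo_treatAsThreat_s =~ "UNDEFINED"`, `=~ "Suspicious"` and `=~ "Malicious"` makes the split casing-tolerant; a single confidence lookup keyed on both `ruleInfo_treatAsThreat_s` and `alertInfo_analystVerdict_s` would remove the three-way split altogether. The same mixed casing appears in the `alertInfo_analystVerdict_s` lookup keys (`"Undefined"` beside `"FALSE_POSITIVE"`), which is worth confirming against real data. Also, `DvcIpAddr = SrcIpAddr` and `SrcHostname = DvcHostname` presumably only hold for `OUTGOING` events; for `INCOMING` the agent host appears to be the destination, so the device fields would then point at the remote peer.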
@@ -0,0 +1,18 @@ +# VMware Carbon Black Cloud ASIM NetworkSession Normalization Parser + +ARM template for ASIM NetworkSession schema parser for VMware Carbon Black Cloud. + +This ASIM parser supports normalizing VMware Carbon Black Cloud logs to the ASIM NetworkSession normalized schema. VMware Carbon Black Cloud events are captured through VMware Carbon Black Cloud data connector which ingests Carbon Black Audit, Notification and Event data into Microsoft Sentinel through the REST API. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM NetworkSession normalization schema reference](https://aka.ms/ASimNetworkSessionDoc) + +
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.git.ttaallkk.top%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FvimNetworkSessionVMwareCarbonBlackCloud%2FvimNetworkSessionVMwareCarbonBlackCloud.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.git.ttaallkk.top%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FvimNetworkSessionVMwareCarbonBlackCloud%2FvimNetworkSessionVMwareCarbonBlackCloud.json)
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMwareCarbonBlackCloud/vimNetworkSessionVMwareCarbonBlackCloud.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMwareCarbonBlackCloud/vimNetworkSessionVMwareCarbonBlackCloud.json
new file mode 100644
index 0000000000..4b20e5efc8
--- /dev/null
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMwareCarbonBlackCloud/vimNetworkSessionVMwareCarbonBlackCloud.json
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimNetworkSessionVMwareCarbonBlackCloud", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "NetworkSession ASIM Parser for VMware Carbon Black Cloud", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionVMwareCarbonBlackCloud", + "query": "let NetworkProtocolLookup = datatable (netconn_protocol_s: string, NetworkProtocol: string)\n [\n \"PROTO_TCP\", \"TCP\",\n \"PROTO_UDP\", \"UDP\"\n];\nlet DvcActionLookup = datatable (sensor_action_s: string, DvcAction: string)\n [\n \"ACTION_ALLOW\", \"Allow\",\n \"ACTION_SUSPEND\", \"Drop\",\n \"ACTION_TERMINATE\", \"Drop\",\n \"ACTION_BREAK\", \"Drop\",\n \"ACTION_BLOCK\", \"Deny\"\n];\nlet EventSeverityLookup = datatable (DvcAction: string, EventSeverity: string)\n [\n \"Allow\", \"Informational\",\n \"Drop\", \"Low\",\n \"Deny\", \"Low\"\n];\nlet ThreatConfidenceLookup = datatable (ThreatOriginalConfidence: string, ThreatConfidence: int)\n [\n \"1\", 10,\n \"2\", 20,\n \"3\", 30,\n \"4\", 40,\n \"5\", 50,\n \"6\", 60,\n \"7\", 70,\n \"8\", 80,\n 
\"9\", 90,\n \"10\", 100\n];\nlet parser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n dstipaddr_has_any_prefix: dynamic=dynamic([]), \n ipaddr_has_any_prefix: dynamic=dynamic([]),\n dstportnumber: int=int(null), \n hostname_has_any: dynamic=dynamic([]), \n dvcaction: dynamic=dynamic([]), \n eventresult: string='*', \n disabled: bool=false\n ) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let CarbonBlackEventsSchema = datatable ( \n eventType_s: string,\n netconn_protocol_s: string,\n sensor_action_s: string,\n alert_id_g: string,\n device_name_s: string,\n action_s: string,\n createTime_s: string,\n netconn_domain_s: string,\n remote_ip_s: string,\n netconn_inbound_b: bool,\n process_guid_s: string,\n remote_port_d: real,\n local_port_d: real,\n process_pid_d: real,\n device_external_ip_s: string,\n local_ip_s: string,\n device_id_s: string,\n device_os_s: string,\n event_description_s: string,\n event_id_g: string,\n event_origin_s: string,\n process_path_s: string,\n process_username_s: string,\n org_key_s: string\n)[];\n let CarbonBlackNotificationsSchema = datatable (\n type_s: string,\n threatInfo_incidentId_g: string,\n threatInfo_score_d: real,\n threatInfo_summary_s: string,\n threatInfo_time_d: real,\n threatInfo_threatCause_threatCategory_s: string,\n threatInfo_threatCause_causeEventId_g: string,\n ruleName_s: string,\n deviceInfo_deviceVersion_s: string,\n threatInfo_threatCause_originSourceType_s: string,\n threatInfo_threatCause_reputation_s: string,\n threatInfo_threatCause_reason_s: string,\n id_g: string,\n primary_event_id_g: string,\n threat_id_g: string\n)[];\n let alldata = union (CarbonBlackEventsSchema), (CarbonBlackEvents_CL)\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or 
TimeGenerated <= endtime)\n and array_length(hostname_has_any) == 0\n and eventType_s == \"endpoint.event.netconn\"\n and (isnull(dstportnumber) or toint(remote_port_d) == dstportnumber)\n | lookup NetworkProtocolLookup on netconn_protocol_s\n | lookup DvcActionLookup on sensor_action_s\n | lookup EventSeverityLookup on DvcAction\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | extend temp_action = tostring(split(action_s, \"|\")[0])\n | extend \n EventResult = case(\n temp_action == \"ACTION_CONNECTION_CREATE_FAILED\",\n \"Failure\",\n sensor_action_s == \"ACTION_ALLOW\" or isempty(sensor_action_s),\n \"Success\",\n \"Failure\"\n ),\n temp_SrcMatch = has_any_ipv4_prefix(local_ip_s, src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(remote_ip_s, dst_or_any)\n | extend \n ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n ),\n ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0,\n \"-\",\n DvcHostname has_any (hostname_has_any),\n \"SrcHostname\",\n \"No match\"\n )\n | where (eventresult == \"*\" or eventresult =~ EventResult)\n and (array_length(dvcaction) == 0 or DvcAction has_any (dvcaction))\n and ASimMatchingIpAddr != \"No match\"\n and ASimMatchingHostname != \"No match\";\n let alldatawiththreat = alldata \n | where isnotempty(alert_id_g)\n | join kind=leftouter(union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\n | where type_s == \"THREAT\"\n | project\n threatInfo_incidentId_g,\n threatInfo_score_d,\n threatInfo_summary_s,\n threatInfo_time_d,\n threatInfo_threatCause_threatCategory_s,\n threatInfo_threatCause_causeEventId_g,\n ruleName_s,\n deviceInfo_deviceVersion_s,\n threatInfo_threatCause_originSourceType_s,\n threatInfo_threatCause_reputation_s,\n threatInfo_threatCause_reason_s)\n on $left.alert_id_g == 
$right.threatInfo_incidentId_g\n | join kind=leftouter(union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\n | where type_s == \"CB_ANALYTICS\"\n | project\n id_g,\n deviceInfo_deviceVersion_s,\n threat_id_g,\n threatInfo_score_d,\n threatInfo_summary_s,\n threatInfo_threatCause_reason_s)\n on $left.alert_id_g == $right.id_g\n | extend \n ThreatCategory = threatInfo_threatCause_threatCategory_s,\n ThreatFirstReportedTime = unixtime_milliseconds_todatetime(threatInfo_time_d),\n RuleName = ruleName_s,\n AdditionalFields_threat = bag_pack(\n \"threatInfo_threatCause_reason\",\n coalesce(threatInfo_threatCause_reason_s, threatInfo_threatCause_reason_s1),\n \"threatInfo_threatCause_reputation\",\n threatInfo_threatCause_reputation_s,\n \"threatInfo_threatCause_originSourceType\",\n threatInfo_threatCause_originSourceType_s,\n \"threatInfo_summary\",\n coalesce(threatInfo_summary_s, threatInfo_summary_s1)\n ),\n ThreatId = threat_id_g,\n ThreatOriginalConfidence = tostring(toint(coalesce(threatInfo_score_d, threatInfo_score_d1))),\n DvcOsVersion = coalesce(deviceInfo_deviceVersion_s, deviceInfo_deviceVersion_s1)\n | lookup ThreatConfidenceLookup on ThreatOriginalConfidence;\n let alldatawithoutthreat = alldata\n | where isempty(alert_id_g);\n union alldatawiththreat, alldatawithoutthreat\n | extend\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n SrcDomain = case(\n netconn_domain_s == remote_ip_s or netconn_domain_s has \":\" or netconn_domain_s !has \".\",\n \"\",\n netconn_inbound_b,\n netconn_domain_s,\n \"\"\n ),\n AdditionalFields_Common = bag_pack(\n \"Process Guid\",\n process_guid_s\n ),\n DstPortNumber = toint(remote_port_d),\n NetworkDirection = case(\n temp_action == \"ACTION_CONNECTION_LISTEN\",\n \"Listen\",\n netconn_inbound_b == true,\n \"Inbound\",\n \"Unknown\"\n ),\n SrcPortNumber = toint(local_port_d),\n SrcProcessId = tostring(toint(process_pid_d))\n | project-rename\n DstIpAddr = remote_ip_s,\n DvcIpAddr = 
device_external_ip_s,\n EventUid = _ItemId,\n SrcIpAddr = local_ip_s,\n DvcId = device_id_s,\n DvcOriginalAction = sensor_action_s,\n DvcOs = device_os_s,\n EventMessage = event_description_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n SrcUsername = process_username_s,\n SrcProcessName = process_path_s,\n DvcScopeId = org_key_s\n | extend\n EventCount = int(1),\n EventProduct = \"Carbon Black Cloud\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"EndpointNetworkSession\",\n EventVendor = \"VMware\",\n SrcHostname = SrcIpAddr,\n DstHostname = iff(NetworkDirection == \"Inbound\", coalesce(DvcHostname, DstIpAddr), DstIpAddr),\n NetworkProtocolVersion = case(\n DstIpAddr contains \".\",\n \"IPv4\", \n DstIpAddr contains \":\",\n \"IPv6\", \n \"\"\n )\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Dst = coalesce(DstHostname, DstIpAddr),\n Src = coalesce(SrcHostname, SrcIpAddr),\n IpAddr = SrcIpAddr,\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n SrcDomainType = iff(isnotempty(SrcDomain), \"FQDN\", \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n AdditionalFields = bag_merge(AdditionalFields_threat, AdditionalFields_Common),\n SrcAppName = SrcProcessName,\n SrcAppId = SrcProcessId,\n SrcAppType = \"Process\",\n Hostname = DstHostname\n | project-away\n *_d,\n *_s,\n *_g,\n *_b,\n temp*,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n AdditionalFields_*\n};\nparser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n dstportnumber=dstportnumber, \n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction, \n eventresult=eventresult, \n 
disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),dvcaction:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionVMwareCarbonBlackCloud.yaml b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionVMwareCarbonBlackCloud.yaml index 809f1708fe..8bd7d89260 100644 --- a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionVMwareCarbonBlackCloud.yaml +++ b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionVMwareCarbonBlackCloud.yaml @@ -1,7 +1,7 @@ Parser: Title: NetworkSession ASIM Parser for VMware Carbon Black Cloud - Version: '0.1.0' - LastUpdated: Oct 25, 2023 + Version: '0.1.1' + LastUpdated: Dec 11, 2023 Product: Name: VMware Carbon Black Cloud Normalization: @@ -26,8 +26,8 @@ ParserParams: ParserQuery: | let NetworkProtocolLookup = datatable (netconn_protocol_s: string, NetworkProtocol: string) [ - "PROTO_TCP", "TCP", - "PROTO_UDP", "UDP" + "PROTO_TCP", "TCP", + "PROTO_UDP", "UDP" ]; let DvcActionLookup = datatable (sensor_action_s: string, DvcAction: string) [ 
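Review bot: The `functionParameters` string declares the parameters as `...dstportnumber:int=int(null),dvcaction:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),...`, while the embedded `parser(` signature in the same `query` declares `dstportnumber, hostname_has_any, dvcaction` in the opposite order. The trailing `parser(... hostname_has_any=hostname_has_any, dvcaction=dvcaction ...)` call binds by name, so named callers still work, but any positional invocation of `vimNetworkSessionVMwareCarbonBlackCloud` would silently swap the hostname list and the action list — both are `dynamic`, so Kusto raises no error and the filter simply returns wrong rows. If this template is generated from the yaml parser (the query text matches it verbatim), fix the order in that yaml's `ParserParams` and regenerate; otherwise change the string to `...dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),...`. Separately, `where ... array_length(hostname_has_any) == 0` drops every row whenever a hostname filter is supplied, so the `DvcHostname has_any (hostname_has_any)` branch of `ASimMatchingHostname` is unreachable; if returning nothing for hostname filters is intended (the parser sets `SrcHostname = SrcIpAddr`), a one-line comment saying so would stop the next reader from "fixing" it.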
@@ -57,7 +57,50 @@ ParserQuery: | "10", 100 ]; let parser=(disabled: bool=false) { - let alldata = CarbonBlackEvents_CL + let CarbonBlackEventsSchema = datatable ( + eventType_s: string, + netconn_protocol_s: string, + sensor_action_s: string, + alert_id_g: string, + device_name_s: string, + action_s: string, + createTime_s: string, + netconn_domain_s: string, + remote_ip_s: string, + netconn_inbound_b: bool, + process_guid_s: string, + remote_port_d: real, + local_port_d: real, + process_pid_d: real, + device_external_ip_s: string, + local_ip_s: string, + device_id_s: string, + device_os_s: string, + event_description_s: string, + event_id_g: string, + event_origin_s: string, + process_path_s: string, + process_username_s: string, + org_key_s: string, + )[]; + let CarbonBlackNotificationsSchema = datatable ( + type_s: string, + threatInfo_incidentId_g: string, + threatInfo_score_d: real, + threatInfo_summary_s: string, + threatInfo_time_d: real, + threatInfo_threatCause_threatCategory_s: string, + threatInfo_threatCause_causeEventId_g: string, + ruleName_s: string, + deviceInfo_deviceVersion_s: string, + threatInfo_threatCause_originSourceType_s: string, + threatInfo_threatCause_reputation_s: string, + threatInfo_threatCause_reason_s: string, + id_g: string, + primary_event_id_g: string, + threat_id_g: string + )[]; + let alldata = union (CarbonBlackEventsSchema), (CarbonBlackEvents_CL) | where not(disabled) | where eventType_s == "endpoint.event.netconn" | lookup NetworkProtocolLookup on netconn_protocol_s @@ -65,7 +108,7 @@ ParserQuery: | | lookup EventSeverityLookup on DvcAction; let alldatawiththreat = alldata | where isnotempty(alert_id_g) - | join kind=leftouter(CarbonBlackNotifications_CL + | join kind=leftouter(union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema) | where type_s == "THREAT" | project threatInfo_incidentId_g, 
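Review bot: The new `CarbonBlackEventsSchema` datatable ends its column list with a trailing comma (`org_key_s: string,` directly before `)[];`), whereas the identical schema added to the vim parser and embedded in the ARM templates ends with `org_key_s: string` and no comma. I am not certain Kusto's `datatable` column-list grammar tolerates a trailing comma; if it does not, the entire `ASimNetworkSessionVMwareCarbonBlackCloud` function fails to parse rather than degrading gracefully, and the ASim/vim pair would diverge in behaviour. Drop the comma so the three copies of the schema are byte-identical: `org_key_s: string`. The enclosing `parser` function body continues past the end of this hunk.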
@@ -80,11 +123,10 @@ ParserQuery: | threatInfo_threatCause_reputation_s, threatInfo_threatCause_reason_s) on $left.alert_id_g == $right.threatInfo_incidentId_g - | join kind=leftouter(CarbonBlackNotifications_CL + | join kind=leftouter(union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema) | where type_s == "CB_ANALYTICS" | project id_g, - primary_event_id_g, deviceInfo_deviceVersion_s, threat_id_g, threatInfo_score_d, @@ -94,6 +136,7 @@ ParserQuery: | | extend ThreatCategory = threatInfo_threatCause_threatCategory_s, ThreatFirstReportedTime = unixtime_milliseconds_todatetime(threatInfo_time_d), + RuleName = ruleName_s, AdditionalFields_threat = bag_pack( "threatInfo_threatCause_reason", coalesce(threatInfo_threatCause_reason_s, threatInfo_threatCause_reason_s1), @@ -123,7 +166,8 @@ ParserQuery: | "" ), AdditionalFields_Common = bag_pack( - "Process Guid", process_guid_s + "Process Guid", + process_guid_s ), DstPortNumber = toint(remote_port_d), NetworkDirection = case( @@ -201,8 +245,6 @@ ParserQuery: | RawData, SourceSystem, TenantId, - AdditionalFields_*, - *_d1, - *_s1 + AdditionalFields_* }; - parser(disabled = disabled) \ No newline at end of file + parser(disabled = disabled) \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionVMwareCarbonBlackCloud.yaml b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionVMwareCarbonBlackCloud.yaml index 6b5abcc15e..13e46a3377 100644 --- a/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionVMwareCarbonBlackCloud.yaml +++ b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionVMwareCarbonBlackCloud.yaml @@ -1,7 +1,7 @@ Parser: Title: NetworkSession ASIM Parser for VMware Carbon Black Cloud - Version: '0.1.0' - LastUpdated: Oct 25, 2023 + Version: '0.1.1' + LastUpdated: Dec 11, 2023 Product: Name: VMware Carbon Black Cloud Normalization: 
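Review bot: Removing `*_d1` and `*_s1` from the final `project-away` lets the second join's suffixed duplicates — `deviceInfo_deviceVersion_s1`, `threatInfo_score_d1`, `threatInfo_summary_s1` and `threatInfo_threatCause_reason_s1`, all still consumed by the `coalesce` calls earlier in the parser — leak into the normalized output, because the remaining `*_s` and `*_d` patterns only match names that end in exactly those suffixes. Unless Kusto wildcard matching behaves differently than I read it, the parser now emits four non-ASIM columns on every row that carried an `alert_id_g`; if the removal was meant to satisfy the schema tester on the threat-less branch, note that a wildcard `project-away` matching no column is not an error, so keeping `AdditionalFields_*, *_d1, *_s1` is safe there too. If the removal is deliberate, a short comment above the `project-away` explaining why would help. The `parser` function that this `project-away` closes starts before the hunk.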
@@ -53,8 +53,8 @@ ParserParams: ParserQuery: | let NetworkProtocolLookup = datatable (netconn_protocol_s: string, NetworkProtocol: string) [ - "PROTO_TCP", "TCP", - "PROTO_UDP", "UDP" + "PROTO_TCP", "TCP", + "PROTO_UDP", "UDP" ]; let DvcActionLookup = datatable (sensor_action_s: string, DvcAction: string) [ 
@@ -96,8 +96,51 @@ ParserQuery: | disabled: bool=false ) { let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); - let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); - let alldata = CarbonBlackEvents_CL + let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); + let CarbonBlackEventsSchema = datatable ( + eventType_s: string, + netconn_protocol_s: string, + sensor_action_s: string, + alert_id_g: string, + device_name_s: string, + action_s: string, + createTime_s: string, + netconn_domain_s: string, + remote_ip_s: string, + netconn_inbound_b: bool, + process_guid_s: string, + remote_port_d: real, + local_port_d: real, + process_pid_d: real, + device_external_ip_s: string, + local_ip_s: string, + device_id_s: string, + device_os_s: string, + event_description_s: string, + event_id_g: string, + event_origin_s: string, + process_path_s: string, + process_username_s: string, + org_key_s: string + )[]; + let CarbonBlackNotificationsSchema = datatable ( + type_s: string, + threatInfo_incidentId_g: string, + threatInfo_score_d: real, + threatInfo_summary_s: string, + threatInfo_time_d: real, + threatInfo_threatCause_threatCategory_s: string, + threatInfo_threatCause_causeEventId_g: string, + ruleName_s: string, + deviceInfo_deviceVersion_s: string, + threatInfo_threatCause_originSourceType_s: string, + threatInfo_threatCause_reputation_s: string, + threatInfo_threatCause_reason_s: string, + id_g: string, + primary_event_id_g: string, + threat_id_g: string + )[]; + let alldata = union (CarbonBlackEventsSchema), (CarbonBlackEvents_CL) | where not(disabled) | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime) 
@@ -144,7 +187,7 @@ ParserQuery: | and ASimMatchingHostname != "No match"; let alldatawiththreat = alldata | where isnotempty(alert_id_g) - | join kind=leftouter(CarbonBlackNotifications_CL + | join kind=leftouter(union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema) | where type_s == "THREAT" | project threatInfo_incidentId_g, @@ -159,11 +202,10 @@ ParserQuery: | threatInfo_threatCause_reputation_s, threatInfo_threatCause_reason_s) on $left.alert_id_g == $right.threatInfo_incidentId_g - | join kind=leftouter(CarbonBlackNotifications_CL + | join kind=leftouter(union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema) | where type_s == "CB_ANALYTICS" | project id_g, - primary_event_id_g, deviceInfo_deviceVersion_s, threat_id_g, threatInfo_score_d, @@ -173,6 +215,7 @@ ParserQuery: | | extend ThreatCategory = threatInfo_threatCause_threatCategory_s, ThreatFirstReportedTime = unixtime_milliseconds_todatetime(threatInfo_time_d), + RuleName = ruleName_s, AdditionalFields_threat = bag_pack( "threatInfo_threatCause_reason", coalesce(threatInfo_threatCause_reason_s, threatInfo_threatCause_reason_s1), @@ -200,7 +243,8 @@ ParserQuery: | "" ), AdditionalFields_Common = bag_pack( - "Process Guid", process_guid_s + "Process Guid", + process_guid_s ), DstPortNumber = toint(remote_port_d), NetworkDirection = case( @@ -271,9 +315,7 @@ ParserQuery: | RawData, SourceSystem, TenantId, - AdditionalFields_*, - *_d1, - *_s1 + AdditionalFields_* }; parser( starttime=starttime, diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessCreateVMwareCarbonBlackCloud/ASimProcessCreateVMwareCarbonBlackCloud.json b/Parsers/ASimProcessEvent/ARM/ASimProcessCreateVMwareCarbonBlackCloud/ASimProcessCreateVMwareCarbonBlackCloud.json new file mode 100644 index 0000000000..dd54573f70 --- /dev/null +++ b/Parsers/ASimProcessEvent/ARM/ASimProcessCreateVMwareCarbonBlackCloud/ASimProcessCreateVMwareCarbonBlackCloud.json 
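Review bot: Dropping `*_d1` and `*_s1` from the closing `project-away` leaves the second join's suffixed duplicates (`deviceInfo_deviceVersion_s1`, `threatInfo_score_d1`, `threatInfo_summary_s1`, `threatInfo_threatCause_reason_s1`, all read by `coalesce` earlier in the parser) in the vim output, since `*_s` and `*_d` only match names ending in those exact suffixes. As far as I can tell from Kusto wildcard semantics this adds four non-schema columns to every row that had an `alert_id_g`; a wildcard pattern that matches nothing is not an error, so restoring `AdditionalFields_*, *_d1, *_s1` is safe for the threat-less branch as well. The `parser` function this belongs to starts before the hunk and the trailing `parser(` call continues past it.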
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "ASimProcessCreateVMwareCarbonBlackCloud", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Process Create ASIM parser for VMware Carbon Black Cloud", + "category": "ASIM", + "FunctionAlias": "ASimProcessCreateVMwareCarbonBlackCloud", + "query": "let EventFieldsLookup = datatable(\n sensor_action_s: string,\n DvcAction: string,\n EventResult: string\n)[\n \"ACTION_ALLOW\", \"Allow\", \"Success\",\n \"ACTION_BLOCK\", \"Block\", \"Failure\",\n \"ACTION_TERMINATE\", \"Terminate\", \"Failure\",\n \"ACTION_BREAK\", \"Break\", \"Failure\",\n \"ACTION_SUSPEND\", \"Suspend\", \"Failure\",\n \"\", \"\", \"Success\"\n];\nlet ThreatConfidenceLookup = datatable (ThreatOriginalConfidence: string, ThreatConfidence: int)\n [\n \"1\", 10,\n \"2\", 20,\n \"3\", 30,\n \"4\", 40,\n \"5\", 50,\n \"6\", 60,\n \"7\", 70,\n \"8\", 80,\n \"9\", 90,\n \"10\", 100\n];\nlet parser = (disabled: bool=false) {\n let CarbonBlackEventsSchema = datatable (\n eventType_s: string,\n childproc_pid_d: real,\n process_hash_s: 
string,\n parent_hash_s: string,\n childproc_hash_s: string,\n sensor_action_s: string,\n alert_id_g: string,\n event_id_g: string,\n createTime_s: string,\n process_pid_d: real,\n parent_pid_d: real,\n org_key_s: string,\n parent_cmdline_s: string,\n process_reputation_s: string,\n childproc_reputation_s: string,\n parent_reputation_s: string,\n process_guid_s: string,\n childproc_guid_s: string,\n parent_guid_s: string,\n process_username_s: string,\n target_cmdline_s: string,\n childproc_name_s: string,\n childproc_username_s: string,\n device_external_ip_s: string,\n device_group_s: string,\n process_cmdline_s: string,\n process_path_s: string,\n device_id_s: string,\n device_os_s: string,\n event_description_s: string,\n action_s: string,\n event_origin_s: string,\n parent_path_s: string,\n device_name_s: string\n)[];\n let CarbonBlackNotificationsSchema = datatable (\n type_s: string,\n threatInfo_incidentId_g: string,\n threatInfo_score_d: real,\n threatInfo_summary_s: string,\n threatInfo_time_d: real,\n threatInfo_threatCause_threatCategory_s: string,\n threatInfo_threatCause_causeEventId_g: string,\n ruleName_s: string,\n deviceInfo_deviceVersion_s: string,\n threatInfo_threatCause_originSourceType_s: string,\n threatInfo_threatCause_reputation_s: string,\n threatInfo_threatCause_reason_s: string,\n id_g: string,\n primary_event_id_g: string,\n threat_id_g: string\n)[];\n let processdata = union (CarbonBlackEvents_CL), (CarbonBlackEventsSchema)\n | where not(disabled)\n | where eventType_s == \"endpoint.event.procstart\" and isnotempty(childproc_pid_d)\n | parse process_hash_s with * '[\"' ActingProcessMD5: string '\",\"' ActingProcessSHA256: string '\"]'\n | parse parent_hash_s with * '[\"' ParentProcessMD5: string '\",\"' ParentProcessSHA256: string '\"]'\n | parse childproc_hash_s with * '[\"' TargetProcessMD5: string '\",\"' TargetProcessSHA256: string '\"]'\n | lookup EventFieldsLookup on sensor_action_s;\n let processdatawiththreat = processdata\n | 
where isnotempty(alert_id_g) and isnotempty(event_id_g)\n | join kind=leftouter(union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\n | where type_s == \"THREAT\"\n | project\n threatInfo_incidentId_g,\n threatInfo_score_d,\n threatInfo_summary_s,\n threatInfo_time_d,\n threatInfo_threatCause_threatCategory_s,\n threatInfo_threatCause_causeEventId_g,\n ruleName_s,\n deviceInfo_deviceVersion_s,\n threatInfo_threatCause_originSourceType_s,\n threatInfo_threatCause_reputation_s,\n threatInfo_threatCause_reason_s)\n on\n $left.alert_id_g == $right.threatInfo_incidentId_g,\n $left.event_id_g == $right.threatInfo_threatCause_causeEventId_g\n | join kind=leftouter (union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\n | where type_s == \"CB_ANALYTICS\"\n | project\n id_g,\n primary_event_id_g,\n deviceInfo_deviceVersion_s,\n threat_id_g,\n threatInfo_score_d,\n threatInfo_summary_s,\n threatInfo_threatCause_reason_s)\n on $left.alert_id_g == $right.id_g, $left.event_id_g == $right.primary_event_id_g\n | extend \n ThreatDescription = coalesce(threatInfo_summary_s, threatInfo_summary_s1),\n ThreatCategory = threatInfo_threatCause_threatCategory_s,\n ThreatFirstReportedTime = unixtime_milliseconds_todatetime(threatInfo_time_d),\n RuleName = ruleName_s,\n AdditionalFields_threat = bag_pack(\n \"threatInfo_threatCause_reason\",\n coalesce(threatInfo_threatCause_reason_s, threatInfo_threatCause_reason_s1),\n \"threatInfo_threatCause_reputation\",\n threatInfo_threatCause_reputation_s,\n \"threatInfo_threatCause_originSourceType\",\n threatInfo_threatCause_originSourceType_s\n ),\n ThreatId = threat_id_g,\n ThreatOriginalConfidence = tostring(toint(coalesce(threatInfo_score_d, threatInfo_score_d1))),\n DvcOsVersion = coalesce(deviceInfo_deviceVersion_s, deviceInfo_deviceVersion_s1)\n | lookup ThreatConfidenceLookup on ThreatOriginalConfidence\n | extend Rule = RuleName;\n let processdatawithoutthreat = processdata\n | where isempty(alert_id_g) 
or isempty(event_id_g);\n union processdatawithoutthreat, processdatawiththreat\n | extend\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n TargetProcessId = tostring(toint(childproc_pid_d)),\n ActingProcessId = tostring(toint(process_pid_d)),\n ParentProcessId = tostring(toint(parent_pid_d)),\n AdditionalFields_Common = bag_pack(\n \"org_key\",\n org_key_s,\n \"alert_id\",\n alert_id_g,\n \"parent_cmdline\",\n parent_cmdline_s,\n \"process_reputation\",\n process_reputation_s,\n \"childproc_reputation\",\n childproc_reputation_s,\n \"parent_reputation\",\n parent_reputation_s,\n \"process_guid\",\n process_guid_s,\n \"childproc_guid\",\n childproc_guid_s,\n \"parent_guid\",\n parent_guid_s\n )\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | project-rename \n ActorUsername = process_username_s,\n TargetProcessCommandLine = target_cmdline_s,\n TargetProcessName = childproc_name_s,\n TargetUsername = childproc_username_s,\n DvcIpAddr = device_external_ip_s,\n DvcScope = device_group_s,\n ActingProcessCommandLine = process_cmdline_s,\n ActingProcessName = process_path_s,\n DvcId = device_id_s,\n DvcOriginalAction = sensor_action_s,\n DvcOs = device_os_s,\n EventMessage = event_description_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n ParentProcessName = parent_path_s,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventProduct = \"Carbon Black Cloud\",\n EventSchemaVersion = \"0.1.4\",\n EventType = \"ProcessCreated\",\n EventVendor = \"VMware\",\n EventSchema = \"ProcessEvent\",\n AdditionalFields = bag_merge(AdditionalFields_threat, AdditionalFields_Common)\n | extend \n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Hash = coalesce(TargetProcessSHA256, TargetProcessMD5),\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n User = TargetUsername,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType 
= _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n HashType = case(\n isnotempty(TargetProcessSHA256),\n \"TargetProcessSHA256\",\n isnotempty(TargetProcessMD5),\n \"TargetProcessMD5\",\n \"\"\n ),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\")\n | project-away\n *_s,\n *_d,\n *_g,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n AdditionalFields_*\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessCreateVMwareCarbonBlackCloud/README.md b/Parsers/ASimProcessEvent/ARM/ASimProcessCreateVMwareCarbonBlackCloud/README.md new file mode 100644 index 0000000000..4c7c2177c8 --- /dev/null +++ b/Parsers/ASimProcessEvent/ARM/ASimProcessCreateVMwareCarbonBlackCloud/README.md @@ -0,0 +1,18 @@ +# VMware Carbon Black Cloud ASIM ProcessEvent Normalization Parser + +ARM template for ASIM ProcessEvent schema parser for VMware Carbon Black Cloud. + +This ASIM parser supports normalizing VMware Carbon Black Cloud logs to the ASIM Process Create normalized schema. VMware Carbon Black Cloud events are captured through VMware Carbon Black Cloud data connector which ingests Carbon Black Audit, Notification and Event data into Microsoft Sentinel through the REST API. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM ProcessEvent normalization schema reference](https://aka.ms/ASimProcessEventDoc) + +
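Review bot: The three `parse *_hash_s with * '[\"' ...MD5: string '\",\"' ...SHA256: string '\"]'` statements assume every hash field is a two-element JSON array in exactly `[md5, sha256]` order; when the sensor reports a single hash, the reverse order, or extra elements, `parse` silently leaves both fields empty or drops a SHA256 into the MD5 column, and the derived `Hash` / `HashType` are then wrong with no error to notice. Selecting by hash length after `parse_json()` is order-independent and tolerates one-element arrays, e.g. `| extend _ph = parse_json(process_hash_s)` followed by `ActingProcessMD5 = tostring(iff(strlen(tostring(_ph[0])) == 32, _ph[0], _ph[1]))` and `ActingProcessSHA256 = tostring(iff(strlen(tostring(_ph[0])) == 64, _ph[0], _ph[1]))`, repeated for `parent_hash_s` and `childproc_hash_s`. Whether Carbon Black actually emits one-element or reordered arrays is an assumption to confirm against sample data; since this template looks generated from a yaml parser not in this chunk, the change belongs in that yaml.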
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.git.ttaallkk.top%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimProcessEvent%2FARM%2FASimProcessCreateVMwareCarbonBlackCloud%2FASimProcessCreateVMwareCarbonBlackCloud.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.git.ttaallkk.top%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimProcessEvent%2FARM%2FASimProcessCreateVMwareCarbonBlackCloud%2FASimProcessCreateVMwareCarbonBlackCloud.json) diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessEvent/ASimProcessEvent.json b/Parsers/ASimProcessEvent/ARM/ASimProcessEvent/ASimProcessEvent.json index 38b122b7ff..3da7e08ebc 100644 --- a/Parsers/ASimProcessEvent/ARM/ASimProcessEvent/ASimProcessEvent.json +++ b/Parsers/ASimProcessEvent/ARM/ASimProcessEvent/ASimProcessEvent.json 
@@ -35,7 +35,7 @@ "displayName": "Process Event ASIM parser", "category": "ASIM", "FunctionAlias": "ASimProcessEvent", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimProcess') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imProcessEventBuiltInDisabled=toscalar('ExcludeASimProcessEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimProcessEmpty,\n ASimProcessEventMicrosoft365D(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMicrosoft365D' in (DisabledParsers) )),\n ASimProcessCreateMicrosoftSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftSysmon' in (DisabledParsers) )),\n ASimProcessTerminateMicrosoftSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftSysmon' in (DisabledParsers) )),\n ASimProcessCreateMicrosoftSecurityEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftSecurityEvents' in (DisabledParsers) )),\n ASimProcessTerminateMicrosoftSecurityEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftSecurityEvents' in (DisabledParsers) )),\n ASimProcessCreateLinuxSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateLinuxSysmon' in (DisabledParsers) )),\n ASimProcessTerminateLinuxSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateLinuxSysmon' in (DisabledParsers) )),\n ASimProcessTerminateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) )),\n ASimProcessCreateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) )),\n ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoTh' in (DisabledParsers) )),\n ASimProcessCreateSentinelOne(imProcessEventBuiltInDisabled or 
('ExcludeASimProcessCreateSentinelOne' in (DisabledParsers) ))\n", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimProcess') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imProcessEventBuiltInDisabled=toscalar('ExcludeASimProcessEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimProcessEmpty,\n ASimProcessEventMicrosoft365D(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMicrosoft365D' in (DisabledParsers) )),\n ASimProcessCreateMicrosoftSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftSysmon' in (DisabledParsers) )),\n ASimProcessTerminateMicrosoftSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftSysmon' in (DisabledParsers) )),\n ASimProcessCreateMicrosoftSecurityEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftSecurityEvents' in (DisabledParsers) )),\n ASimProcessTerminateMicrosoftSecurityEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftSecurityEvents' in (DisabledParsers) )),\n ASimProcessCreateLinuxSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateLinuxSysmon' in (DisabledParsers) )),\n ASimProcessTerminateLinuxSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateLinuxSysmon' in (DisabledParsers) )),\n ASimProcessTerminateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) )),\n ASimProcessCreateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) )),\n ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoTh' in (DisabledParsers) )),\n ASimProcessCreateSentinelOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateSentinelOne' in 
(DisabledParsers) )),\n ASimProcessCreateVMwareCarbonBlackCloud(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateVMwareCarbonBlackCloud' in (DisabledParsers) )),\n ASimProcessTerminateVMwareCarbonBlackCloud(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateVMwareCarbonBlackCloud' in (DisabledParsers) ))\n", "version": 1 } } diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessEventCreate/ASimProcessEventCreate.json b/Parsers/ASimProcessEvent/ARM/ASimProcessEventCreate/ASimProcessEventCreate.json index 75c0a21379..dc84a0c61f 100644 --- a/Parsers/ASimProcessEvent/ARM/ASimProcessEventCreate/ASimProcessEventCreate.json +++ b/Parsers/ASimProcessEvent/ARM/ASimProcessEventCreate/ASimProcessEventCreate.json 
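Review bot: The rewritten `query` line still carries the pre-existing `ExcludeASimProcessEventMD4IoTh` watchlist key (trailing `h`), whereas the `ASimProcessEventCreate` union below uses `ExcludeASimProcessEventMD4IoT`, so an analyst who adds the documented key to `ASimDisabledParsers` disables MD4IoT in one union parser but not this one; since the whole line is being replaced anyway, correcting it to `'ExcludeASimProcessEventMD4IoT' in (DisabledParsers)` is cheap. The new entry `ASimProcessTerminateVMwareCarbonBlackCloud` references a parser that does not appear in this chunk (only the Create parser is added here); with `union isfuzzy=true` a missing or mis-spelled function is swallowed silently, so confirm its ARM template and `FunctionAlias` exist with exactly this spelling — the `ASimProcessEventTerminate.json` header that follows suggests it is wired elsewhere in the commit.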
@@ -35,7 +35,7 @@ "displayName": "Process Create ASIM parser", "category": "ASIM", "FunctionAlias": "ASimProcessEventCreate", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimProcessEventCreate') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imProcessEventBuiltInDisabled=toscalar('ExcludeASimProcessEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimProcessEmpty,\n ASimProcessEventMicrosoft365D(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMicrosoft365D' in (DisabledParsers) )),\n ASimProcessCreateMicrosoftSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftSysmon' in (DisabledParsers) )),\n ASimProcessCreateMicrosoftSecurityEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftSecurityEvents' in (DisabledParsers) )),\n ASimProcessCreateLinuxSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateLinuxSysmon' in (DisabledParsers) )),\n ASimProcessCreateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) )),\n ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoT' in (DisabledParsers) )),\n ASimProcessCreateSentinelOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateSentinelOne' in (DisabledParsers) ))\n", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimProcessEventCreate') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imProcessEventBuiltInDisabled=toscalar('ExcludeASimProcessEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimProcessEmpty,\n ASimProcessEventMicrosoft365D(imProcessEventBuiltInDisabled or 
('ExcludeASimProcessEventMicrosoft365D' in (DisabledParsers) )),\n ASimProcessCreateMicrosoftSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftSysmon' in (DisabledParsers) )),\n ASimProcessCreateMicrosoftSecurityEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftSecurityEvents' in (DisabledParsers) )),\n ASimProcessCreateLinuxSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateLinuxSysmon' in (DisabledParsers) )),\n ASimProcessCreateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) )),\n ASimProcessCreateSentinelOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateSentinelOne' in (DisabledParsers) )),\n ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoT' in (DisabledParsers) )),\n ASimProcessCreateVMwareCarbonBlackCloud(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateVMwareCarbonBlackCloud' in (DisabledParsers) ))\n", "version": 1 } } diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessEventTerminate/ASimProcessEventTerminate.json b/Parsers/ASimProcessEvent/ARM/ASimProcessEventTerminate/ASimProcessEventTerminate.json index c7328c9820..bcf504c57c 100644 --- a/Parsers/ASimProcessEvent/ARM/ASimProcessEventTerminate/ASimProcessEventTerminate.json +++ b/Parsers/ASimProcessEvent/ARM/ASimProcessEventTerminate/ASimProcessEventTerminate.json 
@@ -35,7 +35,7 @@ "displayName": "Process Terminate ASIM parser", "category": "ASIM", "FunctionAlias": "ASimProcessEventTerminate", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimProcess') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imProcessEventBuiltInDisabled=toscalar('ExcludeASimProcessEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\nvimProcessEmpty,\nASimProcessEventMicrosoft365D(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMicrosoft365D' in (DisabledParsers) )),\nASimProcessTerminateMicrosoftSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftSysmon' in (DisabledParsers) )),\nASimProcessTerminateMicrosoftSecurityEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftSecurityEvents' in (DisabledParsers) )),\nASimProcessTerminateLinuxSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateLinuxSysmon' in (DisabledParsers) )),\nASimProcessTerminateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) )),\nASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoT' in (DisabledParsers) ))\n", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimProcess') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imProcessEventBuiltInDisabled=toscalar('ExcludeASimProcessEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\nvimProcessEmpty,\nASimProcessEventMicrosoft365D(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMicrosoft365D' in (DisabledParsers) )),\nASimProcessTerminateMicrosoftSysmon(imProcessEventBuiltInDisabled or 
('ExcludeASimProcessTerminateMicrosoftSysmon' in (DisabledParsers) )),\nASimProcessTerminateMicrosoftSecurityEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftSecurityEvents' in (DisabledParsers) )),\nASimProcessTerminateLinuxSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateLinuxSysmon' in (DisabledParsers) )),\nASimProcessTerminateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) )),\nASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoT' in (DisabledParsers) )),\nASimProcessTerminateVMwareCarbonBlackCloud(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateVMwareCarbonBlackCloud' in (DisabledParsers) ))\n", "version": 1 } } diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateVMwareCarbonBlackCloud/ASimProcessTerminateVMwareCarbonBlackCloud.json b/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateVMwareCarbonBlackCloud/ASimProcessTerminateVMwareCarbonBlackCloud.json new file mode 100644 index 0000000000..203e573a64 --- /dev/null +++ b/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateVMwareCarbonBlackCloud/ASimProcessTerminateVMwareCarbonBlackCloud.json 
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "ASimProcessTerminateVMwareCarbonBlackCloud", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Process Terminate ASIM parser for VMware Carbon Black Cloud", + "category": "ASIM", + "FunctionAlias": "ASimProcessTerminateVMwareCarbonBlackCloud", + "query": "let EventFieldsLookup = datatable(\n sensor_action_s: string,\n DvcAction: string,\n EventResult: string\n)[\n \"ACTION_ALLOW\", \"Allow\", \"Success\",\n \"ACTION_BLOCK\", \"Block\", \"Failure\",\n \"ACTION_TERMINATE\", \"Terminate\", \"Failure\",\n \"ACTION_BREAK\", \"Break\", \"Failure\",\n \"ACTION_SUSPEND\", \"Suspend\", \"Failure\",\n \"\", \"\", \"Success\"\n];\nlet parser = (disabled: bool=false) {\n CarbonBlackEvents_CL\n | where not(disabled)\n | where eventType_s == \"endpoint.event.procend\" and isnotempty(process_pid_d)\n | parse process_hash_s with * '[\"' TargetProcessMD5: string '\",\"' TargetProcessSHA256: string '\"]'\n | parse parent_hash_s with * '[\"' ActingProcessMD5: string '\",\"' ActingProcessSHA256: string '\"]'\n | 
lookup EventFieldsLookup on sensor_action_s\n | extend\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n TargetProcessId = tostring(toint(process_pid_d)),\n ActingProcessId = tostring(toint(parent_pid_d)),\n ActorUsername = process_username_s,\n TargetProcessCommandLine = coalesce(target_cmdline_s, process_cmdline_s),\n AdditionalFields = bag_pack(\n \"org_key\", org_key_s,\n \"alert_id\", alert_id_g,\n \"process_reputation\", process_reputation_s,\n \"parent_reputation\", parent_reputation_s,\n \"parent_guid\", parent_guid_s,\n \"process_guid\", process_guid_s\n )\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | project-rename \n TargetProcessName = process_path_s,\n DvcIpAddr = device_external_ip_s,\n DvcScope = device_group_s,\n ActingProcessCommandLine = parent_cmdline_s,\n DvcId = device_id_s,\n DvcOriginalAction = sensor_action_s,\n DvcOs = device_os_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n ActingProcessName = parent_path_s,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventProduct = \"Carbon Black Cloud\",\n EventSchemaVersion = \"0.1.4\",\n EventType = \"ProcessTerminated\",\n EventVendor = \"VMware\",\n EventSchema = \"ProcessEvent\"\n | extend \n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Hash = coalesce(TargetProcessSHA256, TargetProcessMD5),\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n User = ActorUsername,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n HashType = case(\n isnotempty(TargetProcessSHA256),\n \"TargetProcessSHA256\",\n isnotempty(TargetProcessMD5),\n \"TargetProcessMD5\",\n \"\"\n )\n | project-away\n *_s,\n *_d,\n *_g,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId\n};\nparser(disabled=disabled)", 
+ "version": 1, + "functionParameters": "disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateVMwareCarbonBlackCloud/README.md b/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateVMwareCarbonBlackCloud/README.md new file mode 100644 index 0000000000..bc7a17e348 --- /dev/null +++ b/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateVMwareCarbonBlackCloud/README.md @@ -0,0 +1,18 @@ +# VMware Carbon Black Cloud ASIM ProcessEvent Normalization Parser + +ARM template for ASIM ProcessEvent schema parser for VMware Carbon Black Cloud. + +This ASIM parser supports normalizing VMware Carbon Black Cloud logs to the ASIM Process Terminate normalized schema. VMware Carbon Black Cloud events are captured through VMware Carbon Black Cloud data connector which ingests Carbon Black Audit, Notification and Event data into Microsoft Sentinel through the REST API. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM ProcessEvent normalization schema reference](https://aka.ms/ASimProcessEventDoc) + +
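Review bot: `lookup EventFieldsLookup on sensor_action_s` is a left-outer lookup, so any sensor_action_s value absent from the datatable leaves DvcAction and EventResult empty; only the empty action is given an explicit "Success", and EventResult is a mandatory ASIM field that analytic content filters on. A trailing `EventResult = iff(isempty(EventResult), "Success", EventResult)` in the second extend, or an explicit default row, would keep it populated — which result an unknown action should map to is for the parser owners to decide. The `parse process_hash_s with * '["' TargetProcessMD5: string '","' TargetProcessSHA256: string '"]'` step also presumes the array always carries exactly MD5 then SHA256; an event with a single hash or the opposite order yields empty or swapped values, so this is worth checking against sample records. HashType is assigned the field name (`"TargetProcessSHA256"` / `"TargetProcessMD5"`) rather than an algorithm name; confirm that against the enumerated values the ASIM schema defines for HashType.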
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.git.ttaallkk.top%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimProcessEvent%2FARM%2FASimProcessTerminateVMwareCarbonBlackCloud%2FASimProcessTerminateVMwareCarbonBlackCloud.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.git.ttaallkk.top%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimProcessEvent%2FARM%2FASimProcessTerminateVMwareCarbonBlackCloud%2FASimProcessTerminateVMwareCarbonBlackCloud.json) diff --git a/Parsers/ASimProcessEvent/ARM/FullDeploymentProcessEvent.json b/Parsers/ASimProcessEvent/ARM/FullDeploymentProcessEvent.json index d9ed2eb0af..facfcd0e9e 100644 --- a/Parsers/ASimProcessEvent/ARM/FullDeploymentProcessEvent.json +++ b/Parsers/ASimProcessEvent/ARM/FullDeploymentProcessEvent.json @@ -118,6 +118,26 @@ } } }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimProcessCreateVMwareCarbonBlackCloud", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimProcessEvent/ARM/ASimProcessCreateVMwareCarbonBlackCloud/ASimProcessCreateVMwareCarbonBlackCloud.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", 
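Review bot: The templateLink URI added here resolves the Carbon Black parser from `https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/...`, but the Deploy-to-Azure buttons in the README hunk immediately above encode `raw.githubusercontent.com` as the host for the same template path; a deployment button that fetches an ARM template from anything other than the repository's own raw endpoint should be deliberate, so unless that mirror is intended the README links should use the same raw.githubusercontent.com path. The same `master`-branch reference appears in the other three hunks of this file (-318, -498, -677); it means a linked deployment picks up whatever the branch holds at deploy time rather than the contentVersion 1.0.0.0 it declares, which matches every existing entry in this file and so is a repository convention rather than something this change introduces.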
@@ -318,6 +338,26 @@ } } }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimProcessTerminateVMwareCarbonBlackCloud", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateVMwareCarbonBlackCloud/ASimProcessTerminateVMwareCarbonBlackCloud.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", @@ -498,6 +538,26 @@ } } }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimProcessCreateVMwareCarbonBlackCloud", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimProcessEvent/ARM/vimProcessCreateVMwareCarbonBlackCloud/vimProcessCreateVMwareCarbonBlackCloud.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", 
@@ -677,6 +737,26 @@
 }
 }
 }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedvimProcessTerminateVMwareCarbonBlackCloud",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimProcessEvent/ARM/vimProcessTerminateVMwareCarbonBlackCloud/vimProcessTerminateVMwareCarbonBlackCloud.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
 }
 ],
 "outputs": {}
diff --git a/Parsers/ASimProcessEvent/ARM/imProcessCreate/imProcessCreate.json b/Parsers/ASimProcessEvent/ARM/imProcessCreate/imProcessCreate.json
index fa759dd4f4..d1fa2431ca 100644
--- a/Parsers/ASimProcessEvent/ARM/imProcessCreate/imProcessCreate.json
+++ b/Parsers/ASimProcessEvent/ARM/imProcessCreate/imProcessCreate.json
@@ -35,7 +35,7 @@ "displayName": "Process Create ASIM parser", "category": "ASIM", "FunctionAlias": "imProcessCreate", - "query": "let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), commandline_has_any:dynamic=dynamic([]), commandline_has_all:dynamic=dynamic([]), commandline_has_any_ip_prefix:dynamic=dynamic([]), actingprocess_has_any:dynamic=dynamic([]), targetprocess_has_any:dynamic=dynamic([]), parentprocess_has_any:dynamic=dynamic([]), targetusername:string='*', dvcipaddr_has_any_prefix:dynamic=dynamic([]), dvcname_has_any:dynamic=dynamic([]), hashes_has_any:dynamic=dynamic([]), eventtype:string='*'){\nlet DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimProcessCreate') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imBuiltInDisabled=toscalar('ExcludevimProcessCreateBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimProcessEmpty,\n vimProcessEventMicrosoft365D (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessEventMicrosoft365D' in (DisabledParsers) ))),\n vimProcessCreateMicrosoftSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftSysmon' in (DisabledParsers) ))),\n 
vimProcessCreateMicrosoftSecurityEvents(starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftSecurityEvents' in (DisabledParsers) ))),\n vimProcessCreateLinuxSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateLinuxSysmon' in (DisabledParsers) ))),\n vimProcessCreateMicrosoftWindowsEvents (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) ))),\n vimProcessCreateMD4IoT (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessEventMD4IoT' in (DisabledParsers) ))),\n vimProcessCreateSentinelOne (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, 
parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessCreateSentinelOne' in (DisabledParsers) )))\n};\nGeneric(starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvcipaddr_has_any_prefix, hashes_has_any=hashes_has_any, eventtype=eventtype)\n", + "query": "let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), commandline_has_any:dynamic=dynamic([]), commandline_has_all:dynamic=dynamic([]), commandline_has_any_ip_prefix:dynamic=dynamic([]), actingprocess_has_any:dynamic=dynamic([]), targetprocess_has_any:dynamic=dynamic([]), parentprocess_has_any:dynamic=dynamic([]), targetusername:string='*', dvcipaddr_has_any_prefix:dynamic=dynamic([]), dvcname_has_any:dynamic=dynamic([]), hashes_has_any:dynamic=dynamic([]), eventtype:string='*'){\nlet DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimProcessCreate') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imBuiltInDisabled=toscalar('ExcludevimProcessCreateBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimProcessEmpty,\n vimProcessEventMicrosoft365D (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, 
targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessEventMicrosoft365D' in (DisabledParsers) ))),\n vimProcessCreateMicrosoftSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftSysmon' in (DisabledParsers) ))),\n vimProcessCreateMicrosoftSecurityEvents(starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftSecurityEvents' in (DisabledParsers) ))),\n vimProcessCreateLinuxSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateLinuxSysmon' in (DisabledParsers) ))),\n vimProcessCreateMicrosoftWindowsEvents (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled 
or('ExcludevimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) ))),\n vimProcessCreateMD4IoT (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessEventMD4IoT' in (DisabledParsers) ))),\n vimProcessCreateSentinelOne (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessCreateSentinelOne' in (DisabledParsers) ))),\n vimProcessCreateVMwareCarbonBlackCloud (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, disabled=(imBuiltInDisabled or('ExcludevimProcessCreateVMwareCarbonBlackCloud' in (DisabledParsers) )))\n};\nGeneric(starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, 
targetusername=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvcipaddr_has_any_prefix, hashes_has_any=hashes_has_any, eventtype=eventtype)\n", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvcname_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),eventtype:string='*'" } diff --git a/Parsers/ASimProcessEvent/ARM/imProcessEvent/imProcessEvent.json b/Parsers/ASimProcessEvent/ARM/imProcessEvent/imProcessEvent.json index c132d2261b..7f8f93559c 100644 --- a/Parsers/ASimProcessEvent/ARM/imProcessEvent/imProcessEvent.json +++ b/Parsers/ASimProcessEvent/ARM/imProcessEvent/imProcessEvent.json 
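Review bot: The closing `Generic(...)` call on the new side still passes `dvcname_has_any=dvcipaddr_has_any_prefix`, so a caller's hostname filter is discarded and its IP-prefix list is applied as the hostname filter instead; the line is unchanged from the old side, but the commit re-emits the whole query and is the natural place to correct it to `dvcname_has_any=dvcname_has_any`. Because imProcessCreate is the filtering entry point analytic rules call for host-scoped process-creation queries, the mis-wiring silently changes which events a rule sees depending on which filter it supplies, a gap that is invisible from the rule side. The added vimProcessCreateVMwareCarbonBlackCloud entry passes the disable flag as `disabled=`, where every other entry in the union passes it positionally; harmless, but naming it on all entries or none keeps the union uniform.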
@@ -35,7 +35,7 @@ "displayName": "Process Event filtering parser", "category": "ASIM", "FunctionAlias": "imProcessEvent", - "query": "let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), commandline_has_any:dynamic=dynamic([]), commandline_has_all:dynamic=dynamic([]), commandline_has_any_ip_prefix:dynamic=dynamic([]), actingprocess_has_any:dynamic=dynamic([]), targetprocess_has_any:dynamic=dynamic([]), parentprocess_has_any:dynamic=dynamic([]), actorusername:string='*', targetusername:string='*', dvcipaddr_has_any_prefix:dynamic=dynamic([]), dvcname_has_any:dynamic=dynamic([]), hashes_has_any:dynamic=dynamic([]), eventtype:string='*'){\nlet DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimProcess') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imBuiltInDisabled=toscalar('ExcludevimProcessEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimProcessEmpty,\n vimProcessEventMicrosoft365D (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessEventMicrosoft365D' in (DisabledParsers) ))),\n vimProcessCreateMicrosoftSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftSysmon' in 
(DisabledParsers) ))),\n vimProcessTerminateMicrosoftSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftSysmon' in (DisabledParsers) ))),\n vimProcessCreateMicrosoftSecurityEvents (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftSecurityEvents' in (DisabledParsers) ))),\n vimProcessTerminateMicrosoftSecurityEvents (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftSecurityEvents' in (DisabledParsers) ))),\n vimProcessCreateLinuxSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateLinuxSysmon' in (DisabledParsers) ))),\n vimProcessTerminateLinuxSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateLinuxSysmon' in (DisabledParsers) ))),\n vimProcessTerminateMicrosoftWindowsEvents (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, 
targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) ))),\n vimProcessCreateMicrosoftWindowsEvents (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) ))),\n vimProcessCreateMD4IoT (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateMD4IoT' in (DisabledParsers) ))),\n vimProcessTerminateMD4IoT (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMD4IoT' in (DisabledParsers) )))\n };\nGeneric(starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any,actorusername=actorusername, targetusername=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvcname_has_any, 
hashes_has_any=hashes_has_any, eventtype=eventtype)\n", + "query": "let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), commandline_has_any:dynamic=dynamic([]), commandline_has_all:dynamic=dynamic([]), commandline_has_any_ip_prefix:dynamic=dynamic([]), actingprocess_has_any:dynamic=dynamic([]), targetprocess_has_any:dynamic=dynamic([]), parentprocess_has_any:dynamic=dynamic([]), actorusername:string='*', targetusername:string='*', dvcipaddr_has_any_prefix:dynamic=dynamic([]), dvcname_has_any:dynamic=dynamic([]), hashes_has_any:dynamic=dynamic([]), eventtype:string='*'){\nlet DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimProcess') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imBuiltInDisabled=toscalar('ExcludevimProcessEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimProcessEmpty,\n vimProcessEventMicrosoft365D (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessEventMicrosoft365D' in (DisabledParsers) ))),\n vimProcessCreateMicrosoftSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftSysmon' in (DisabledParsers) ))),\n vimProcessTerminateMicrosoftSysmon 
(starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftSysmon' in (DisabledParsers) ))),\n vimProcessCreateMicrosoftSecurityEvents (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftSecurityEvents' in (DisabledParsers) ))),\n vimProcessTerminateMicrosoftSecurityEvents (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftSecurityEvents' in (DisabledParsers) ))),\n vimProcessCreateLinuxSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateLinuxSysmon' in (DisabledParsers) ))),\n vimProcessTerminateLinuxSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateLinuxSysmon' in (DisabledParsers) ))),\n vimProcessTerminateMicrosoftWindowsEvents (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, 
dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) ))),\n vimProcessCreateMicrosoftWindowsEvents (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) ))),\n vimProcessCreateSentinelOne (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateSentinelOne' in (DisabledParsers) ))),\n vimProcessCreateMD4IoT (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateMD4IoT' in (DisabledParsers) ))),\n vimProcessTerminateMD4IoT (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMD4IoT' in (DisabledParsers) ))),\n vimProcessCreateVMwareCarbonBlackCloud (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, 
parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateVMwareCarbonBlackCloud' in (DisabledParsers) ))),\n vimProcessTerminateVMwareCarbonBlackCloud (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateVMwareCarbonBlackCloud' in (DisabledParsers) )))\n };\nGeneric(starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any,actorusername=actorusername, targetusername=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvcname_has_any, hashes_has_any=hashes_has_any, eventtype=eventtype)\n",
 "version": 1,
 "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),actorusername:string='*',targetusername:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvcname_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),eventtype:string='*'"
 }
diff --git a/Parsers/ASimProcessEvent/ARM/imProcessTerminate/imProcessTerminate.json b/Parsers/ASimProcessEvent/ARM/imProcessTerminate/imProcessTerminate.json
index 8fb392ed09..f871392a40 100644
--- a/Parsers/ASimProcessEvent/ARM/imProcessTerminate/imProcessTerminate.json
+++ b/Parsers/ASimProcessEvent/ARM/imProcessTerminate/imProcessTerminate.json
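Review bot: The new `vimProcessCreateVMwareCarbonBlackCloud (...)` entry in the union passes 13 positional arguments, but the parser added by this PR declares 14 parameters ending `..., dvchostname_has_any, eventtype, hashes_has_any, disabled`, so the `(imBuiltInDisabled or ...)` expression binds to `hashes_has_any` and `disabled` keeps its default of false; the watchlist-based exclusion therefore never switches this parser off and `hashes_has_any` is never forwarded. Use named arguments as the imProcessCreate hunk already does for this parser: `vimProcessCreateVMwareCarbonBlackCloud (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, disabled=(imBuiltInDisabled or('ExcludevimProcessCreateVMwareCarbonBlackCloud' in (DisabledParsers) )))`. The `vimProcessCreateSentinelOne` entry in this hunk is also positional while imProcessCreate calls it with `hashes_has_any=` and `targetusername_has=`, so it likely has the same parameter-order problem, and the `vimProcessTerminateVMwareCarbonBlackCloud` entry here and in the imProcessTerminate hunk should be checked against that parser's signature, which is not on this page. Separately, the imProcessCreate hunk above ends its Generic call with `dvcname_has_any=dvcipaddr_has_any_prefix`, which should read `dvcname_has_any=dvcname_has_any`.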
@@ -35,7 +35,7 @@ "displayName": "Process Terminate ASIM parser", "category": "ASIM", "FunctionAlias": "imProcessTerminate", - "query": "let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), commandline_has_any:dynamic=dynamic([]), commandline_has_all:dynamic=dynamic([]), commandline_has_any_ip_prefix:dynamic=dynamic([]), actingprocess_has_any:dynamic=dynamic([]), targetprocess_has_any:dynamic=dynamic([]), parentprocess_has_any:dynamic=dynamic([]), actorusername:string='*', dvcipaddr_has_any_prefix:dynamic=dynamic([]), dvcname_has_any:dynamic=dynamic([]), eventtype:string='*'){\nlet DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimProcessTerminate') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imBuiltInDisabled=toscalar('ExcludevimProcessTerminateBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \n\nunion isfuzzy=true\n vimProcessEmpty,\n vimProcessTerminateMicrosoftSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftSysmon' in (DisabledParsers) ))),\n vimProcessTerminateMicrosoftSecurityEvents (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftSecurityEvents' in (DisabledParsers) ))),\n vimProcessTerminateMicrosoftWindowsEvents (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, 
dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) ))),\n vimProcessTerminateLinuxSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateLinuxSysmon' in (DisabledParsers) ))),\n vimProcessTerminateMD4IoT (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessEventMD4IoT' in (DisabledParsers) )))\n};\nGeneric(starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype)\n", + "query": "let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), commandline_has_any:dynamic=dynamic([]), commandline_has_all:dynamic=dynamic([]), commandline_has_any_ip_prefix:dynamic=dynamic([]), actingprocess_has_any:dynamic=dynamic([]), targetprocess_has_any:dynamic=dynamic([]), parentprocess_has_any:dynamic=dynamic([]), actorusername:string='*', dvcipaddr_has_any_prefix:dynamic=dynamic([]), dvcname_has_any:dynamic=dynamic([]), eventtype:string='*'){\nlet DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimProcessTerminate') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imBuiltInDisabled=toscalar('ExcludevimProcessTerminateBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \n\nunion isfuzzy=true\n vimProcessEmpty,\n vimProcessTerminateMicrosoftSysmon (starttime, 
endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftSysmon' in (DisabledParsers) ))),\n vimProcessTerminateMicrosoftSecurityEvents (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftSecurityEvents' in (DisabledParsers) ))),\n vimProcessTerminateMicrosoftWindowsEvents (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) ))),\n vimProcessTerminateLinuxSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateLinuxSysmon' in (DisabledParsers) ))),\n vimProcessTerminateMD4IoT (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessEventMD4IoT' in (DisabledParsers) ))),\n vimProcessTerminateVMwareCarbonBlackCloud (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, 
dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateVMwareCarbonBlackCloud' in (DisabledParsers) )))\n};\nGeneric(starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype)\n",
 "version": 1,
 "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),actorusername:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvcname_has_any:dynamic=dynamic([]),eventtype:string='*'"
 }
diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessCreateVMwareCarbonBlackCloud/README.md b/Parsers/ASimProcessEvent/ARM/vimProcessCreateVMwareCarbonBlackCloud/README.md
new file mode 100644
index 0000000000..011ed965c7
--- /dev/null
+++ b/Parsers/ASimProcessEvent/ARM/vimProcessCreateVMwareCarbonBlackCloud/README.md
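Review bot: The `vimProcessTerminateMD4IoT` entry kept in this hunk is gated on `'ExcludevimProcessEventMD4IoT'`, while the imProcessEvent hunk gates the same parser on `'ExcludevimProcessTerminateMD4IoT'`, so a watchlist row meant to disable MD4IoT terminate events switches it off in one unifying parser but not the other. Align this call with the rest of the union: `(imBuiltInDisabled or('ExcludevimProcessTerminateMD4IoT' in (DisabledParsers) ))`. The new `vimProcessTerminateVMwareCarbonBlackCloud` entry is called positionally and that parser's parameter list is not on this page; confirm its order really is `(starttime, endtime, ..., actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, disabled)`, because the create-side parser added in this PR puts `hashes_has_any` between `eventtype` and `disabled`, which a positional call would silently misbind.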
@@ -0,0 +1,18 @@
+# VMware Carbon Black Cloud ASIM ProcessEvent Normalization Parser
+
+ARM template for ASIM ProcessEvent schema parser for VMware Carbon Black Cloud.
+
+This ASIM parser supports normalizing VMware Carbon Black Cloud logs to the ASIM Process Create normalized schema. VMware Carbon Black Cloud events are captured through VMware Carbon Black Cloud data connector which ingests Carbon Black Audit, Notification and Event data into Microsoft Sentinel through the REST API.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM ProcessEvent normalization schema reference](https://aka.ms/ASimProcessEventDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.git.ttaallkk.top%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimProcessEvent%2FARM%2FvimProcessCreateVMwareCarbonBlackCloud%2FvimProcessCreateVMwareCarbonBlackCloud.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.git.ttaallkk.top%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimProcessEvent%2FARM%2FvimProcessCreateVMwareCarbonBlackCloud%2FvimProcessCreateVMwareCarbonBlackCloud.json)
diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessCreateVMwareCarbonBlackCloud/vimProcessCreateVMwareCarbonBlackCloud.json b/Parsers/ASimProcessEvent/ARM/vimProcessCreateVMwareCarbonBlackCloud/vimProcessCreateVMwareCarbonBlackCloud.json
new file mode 100644
index 0000000000..50abd33f25
--- /dev/null
+++ b/Parsers/ASimProcessEvent/ARM/vimProcessCreateVMwareCarbonBlackCloud/vimProcessCreateVMwareCarbonBlackCloud.json
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimProcessCreateVMwareCarbonBlackCloud", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Process Create ASIM parser for VMware Carbon Black Cloud", + "category": "ASIM", + "FunctionAlias": "vimProcessCreateVMwareCarbonBlackCloud", + "query": "let EventFieldsLookup = datatable(\n sensor_action_s: string,\n DvcAction: string,\n EventResult: string\n)[\n \"ACTION_ALLOW\", \"Allow\", \"Success\",\n \"ACTION_BLOCK\", \"Block\", \"Failure\",\n \"ACTION_TERMINATE\", \"Terminate\", \"Failure\",\n \"ACTION_BREAK\", \"Break\", \"Failure\",\n \"ACTION_SUSPEND\", \"Suspend\", \"Failure\",\n \"\", \"\", \"Success\"\n];\nlet ThreatConfidenceLookup = datatable (ThreatOriginalConfidence: string, ThreatConfidence: int)\n [\n \"1\", 10,\n \"2\", 20,\n \"3\", 30,\n \"4\", 40,\n \"5\", 50,\n \"6\", 60,\n \"7\", 70,\n \"8\", 80,\n \"9\", 90,\n \"10\", 100\n];\nlet parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n commandline_has_any: dynamic=dynamic([]),\n 
commandline_has_all: dynamic=dynamic([]),\n commandline_has_any_ip_prefix: dynamic=dynamic([]),\n actingprocess_has_any: dynamic=dynamic([]),\n targetprocess_has_any: dynamic=dynamic([]),\n parentprocess_has_any: dynamic=dynamic([]),\n targetusername_has: string='*',\n dvcipaddr_has_any_prefix: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n eventtype: string='*',\n hashes_has_any: dynamic=dynamic([]),\n disabled: bool=false) {\n let CarbonBlackEventsSchema = datatable (\n eventType_s: string,\n childproc_pid_d: real,\n process_hash_s: string,\n parent_hash_s: string,\n childproc_hash_s: string,\n sensor_action_s: string,\n alert_id_g: string,\n event_id_g: string,\n createTime_s: string,\n process_pid_d: real,\n parent_pid_d: real,\n org_key_s: string,\n parent_cmdline_s: string,\n process_reputation_s: string,\n childproc_reputation_s: string,\n parent_reputation_s: string,\n process_guid_s: string,\n childproc_guid_s: string,\n parent_guid_s: string,\n process_username_s: string,\n target_cmdline_s: string,\n childproc_name_s: string,\n childproc_username_s: string,\n device_external_ip_s: string,\n device_group_s: string,\n process_cmdline_s: string,\n process_path_s: string,\n device_id_s: string,\n device_os_s: string,\n event_description_s: string,\n action_s: string,\n event_origin_s: string,\n parent_path_s: string,\n device_name_s: string\n)[];\n let CarbonBlackNotificationsSchema = datatable (\n type_s: string,\n threatInfo_incidentId_g: string,\n threatInfo_score_d: real,\n threatInfo_summary_s: string,\n threatInfo_time_d: real,\n threatInfo_threatCause_threatCategory_s: string,\n threatInfo_threatCause_causeEventId_g: string,\n ruleName_s: string,\n deviceInfo_deviceVersion_s: string,\n threatInfo_threatCause_originSourceType_s: string,\n threatInfo_threatCause_reputation_s: string,\n threatInfo_threatCause_reason_s: string,\n id_g: string,\n primary_event_id_g: string,\n threat_id_g: string\n)[];\n let processdata = union 
(CarbonBlackEvents_CL), (CarbonBlackEventsSchema)\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and eventType_s == \"endpoint.event.procstart\" and isnotempty(childproc_pid_d)\n and (eventtype == '*' or eventtype == 'ProcessCreated')\n and (array_length(dvcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(device_external_ip_s, dvcipaddr_has_any_prefix))\n and (targetusername_has == '*' or childproc_username_s has targetusername_has) \n and (array_length(commandline_has_all) == 0 or target_cmdline_s has_all (commandline_has_all)) \n and (array_length(commandline_has_any) == 0 or target_cmdline_s has_any (commandline_has_any)) \n and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(target_cmdline_s, commandline_has_any_ip_prefix)) \n and (array_length(actingprocess_has_any) == 0 or process_path_s has_any (actingprocess_has_any)) \n and (array_length(targetprocess_has_any) == 0 or childproc_name_s has_any (targetprocess_has_any)) \n and (array_length(parentprocess_has_any) == 0 or parent_path_s has_any (parentprocess_has_any))\n and (array_length(dvchostname_has_any) == 0 or device_name_s has_any (dvchostname_has_any))\n and array_length(hashes_has_any) == 0 or childproc_hash_s has_any (hashes_has_any)\n | parse process_hash_s with * '[\"' ActingProcessMD5: string '\",\"' ActingProcessSHA256: string '\"]'\n | parse parent_hash_s with * '[\"' ParentProcessMD5: string '\",\"' ParentProcessSHA256: string '\"]'\n | parse childproc_hash_s with * '[\"' TargetProcessMD5: string '\",\"' TargetProcessSHA256: string '\"]'\n | lookup EventFieldsLookup on sensor_action_s; \n let processdatawiththreat = processdata\n | where isnotempty(alert_id_g) and isnotempty(event_id_g)\n | join kind=leftouter(union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\n | where type_s == \"THREAT\"\n | project\n threatInfo_incidentId_g,\n threatInfo_score_d,\n 
threatInfo_summary_s,\n threatInfo_time_d,\n threatInfo_threatCause_threatCategory_s,\n threatInfo_threatCause_causeEventId_g,\n ruleName_s,\n deviceInfo_deviceVersion_s,\n threatInfo_threatCause_originSourceType_s,\n threatInfo_threatCause_reputation_s,\n threatInfo_threatCause_reason_s)\n on\n $left.alert_id_g == $right.threatInfo_incidentId_g,\n $left.event_id_g == $right.threatInfo_threatCause_causeEventId_g\n | join kind=leftouter (union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\n | where type_s == \"CB_ANALYTICS\"\n | project\n id_g,\n primary_event_id_g,\n deviceInfo_deviceVersion_s,\n threat_id_g,\n threatInfo_score_d,\n threatInfo_summary_s,\n threatInfo_threatCause_reason_s)\n on $left.alert_id_g == $right.id_g, $left.event_id_g == $right.primary_event_id_g\n | extend \n ThreatDescription = coalesce(threatInfo_summary_s, threatInfo_summary_s1),\n ThreatCategory = threatInfo_threatCause_threatCategory_s,\n ThreatFirstReportedTime = unixtime_milliseconds_todatetime(threatInfo_time_d),\n RuleName = ruleName_s,\n AdditionalFields_threat = bag_pack(\n \"threatInfo_threatCause_reason\",\n coalesce(threatInfo_threatCause_reason_s, threatInfo_threatCause_reason_s1),\n \"threatInfo_threatCause_reputation\",\n threatInfo_threatCause_reputation_s,\n \"threatInfo_threatCause_originSourceType\",\n threatInfo_threatCause_originSourceType_s\n ),\n ThreatId = threat_id_g,\n ThreatOriginalConfidence = tostring(toint(coalesce(threatInfo_score_d, threatInfo_score_d1))),\n DvcOsVersion = coalesce(deviceInfo_deviceVersion_s, deviceInfo_deviceVersion_s1)\n | lookup ThreatConfidenceLookup on ThreatOriginalConfidence\n | extend Rule = RuleName;\n let processdatawithoutthreat = processdata\n | where isempty(alert_id_g) or isempty(event_id_g);\n union processdatawithoutthreat, processdatawiththreat\n | extend\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n TargetProcessId = tostring(toint(childproc_pid_d)),\n ActingProcessId = 
tostring(toint(process_pid_d)),\n ParentProcessId = tostring(toint(parent_pid_d)),\n AdditionalFields_Common = bag_pack(\n \"org_key\",\n org_key_s,\n \"alert_id\",\n alert_id_g,\n \"parent_cmdline\",\n parent_cmdline_s,\n \"process_reputation\",\n process_reputation_s,\n \"childproc_reputation\",\n childproc_reputation_s,\n \"parent_reputation\",\n parent_reputation_s,\n \"process_guid\",\n process_guid_s,\n \"childproc_guid\",\n childproc_guid_s,\n \"parent_guid\",\n parent_guid_s\n )\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | project-rename \n ActorUsername = process_username_s,\n TargetProcessCommandLine = target_cmdline_s,\n TargetProcessName = childproc_name_s,\n TargetUsername = childproc_username_s,\n DvcIpAddr = device_external_ip_s,\n DvcScope = device_group_s,\n ActingProcessCommandLine = process_cmdline_s,\n ActingProcessName = process_path_s,\n DvcId = device_id_s,\n DvcOriginalAction = sensor_action_s,\n DvcOs = device_os_s,\n EventMessage = event_description_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n ParentProcessName = parent_path_s,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventProduct = \"Carbon Black Cloud\",\n EventSchemaVersion = \"0.1.4\",\n EventType = \"ProcessCreated\",\n EventVendor = \"VMware\",\n EventSchema = \"ProcessEvent\",\n AdditionalFields = bag_merge(AdditionalFields_threat, AdditionalFields_Common)\n | extend \n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Hash = coalesce(TargetProcessSHA256, TargetProcessMD5),\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n User = TargetUsername,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n HashType = case(\n isnotempty(TargetProcessSHA256),\n \"TargetProcessSHA256\",\n isnotempty(TargetProcessMD5),\n 
\"TargetProcessMD5\",\n \"\"\n ),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\")\n | project-away\n *_s,\n *_d,\n *_g,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n AdditionalFields_*\n};\nparser(\n starttime=starttime, \n endtime=endtime, \n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n targetusername_has=targetusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n hashes_has_any=hashes_has_any,\n disabled=disabled\n)",
+ "version": 1,
+ "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessTerminateVMwareCarbonBlackCloud/README.md b/Parsers/ASimProcessEvent/ARM/vimProcessTerminateVMwareCarbonBlackCloud/README.md
new file mode 100644
index 0000000000..1d4aa4ead6
--- /dev/null
+++ b/Parsers/ASimProcessEvent/ARM/vimProcessTerminateVMwareCarbonBlackCloud/README.md
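Review bot: In the parser's first `where`, the last predicate `and array_length(hashes_has_any) == 0 or childproc_hash_s has_any (hashes_has_any)` is missing its parentheses; because `and` binds tighter than `or`, any row whose child hash matches is returned even when it fails the time-range, `eventType_s == "endpoint.event.procstart"`, `eventtype`, username, command-line and device filters above it. Change it to `and (array_length(hashes_has_any) == 0 or childproc_hash_s has_any (hashes_has_any))`, matching the form of the other filter lines. With the default empty `hashes_has_any` the `has_any` side is always false, so the defect only shows when a caller passes a hash filter, which is exactly the hunting-by-IoC case this parameter exists for.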
@@ -0,0 +1,18 @@ +# VMware Carbon Black Cloud ASIM ProcessEvent Normalization Parser + +ARM template for ASIM ProcessEvent schema parser for VMware Carbon Black Cloud. + +This ASIM parser supports normalizing VMware Carbon Black Cloud logs to the ASIM Process Terminate normalized schema. VMware Carbon Black Cloud events are captured through VMware Carbon Black Cloud data connector which ingests Carbon Black Audit, Notification and Event data into Microsoft Sentinel through the REST API. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM ProcessEvent normalization schema reference](https://aka.ms/ASimProcessEventDoc) + +
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.git.ttaallkk.top%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimProcessEvent%2FARM%2FvimProcessTerminateVMwareCarbonBlackCloud%2FvimProcessTerminateVMwareCarbonBlackCloud.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.git.ttaallkk.top%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimProcessEvent%2FARM%2FvimProcessTerminateVMwareCarbonBlackCloud%2FvimProcessTerminateVMwareCarbonBlackCloud.json) diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessTerminateVMwareCarbonBlackCloud/vimProcessTerminateVMwareCarbonBlackCloud.json b/Parsers/ASimProcessEvent/ARM/vimProcessTerminateVMwareCarbonBlackCloud/vimProcessTerminateVMwareCarbonBlackCloud.json new file mode 100644 index 0000000000..3e6f481abb --- /dev/null +++ b/Parsers/ASimProcessEvent/ARM/vimProcessTerminateVMwareCarbonBlackCloud/vimProcessTerminateVMwareCarbonBlackCloud.json 
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimProcessTerminateVMwareCarbonBlackCloud", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Process Terminate ASIM parser for VMware Carbon Black Cloud", + "category": "ASIM", + "FunctionAlias": "vimProcessTerminateVMwareCarbonBlackCloud", + "query": "let EventFieldsLookup = datatable(\n sensor_action_s: string,\n DvcAction: string,\n EventResult: string\n)[\n \"ACTION_ALLOW\", \"Allow\", \"Success\",\n \"ACTION_BLOCK\", \"Block\", \"Failure\",\n \"ACTION_TERMINATE\", \"Terminate\", \"Failure\",\n \"ACTION_BREAK\", \"Break\", \"Failure\",\n \"ACTION_SUSPEND\", \"Suspend\", \"Failure\",\n \"\", \"\", \"Success\"\n];\nlet parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n commandline_has_any: dynamic=dynamic([]),\n commandline_has_all: dynamic=dynamic([]),\n commandline_has_any_ip_prefix: dynamic=dynamic([]),\n actingprocess_has_any: dynamic=dynamic([]),\n targetprocess_has_any: dynamic=dynamic([]),\n parentprocess_has_any: dynamic=dynamic([]),\n 
actorusername_has: string='*',\n dvcipaddr_has_any_prefix: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n eventtype: string='*',\n disabled: bool=false) {\n CarbonBlackEvents_CL\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (eventType_s == \"endpoint.event.procend\" and isnotempty(process_pid_d))\n and (eventtype == '*' or eventtype == 'ProcessTerminated')\n and array_length(parentprocess_has_any) == 0\n and (array_length(dvcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(device_external_ip_s, dvcipaddr_has_any_prefix)) \n and (actorusername_has == '*' or process_username_s has actorusername_has) \n and (array_length(commandline_has_all) == 0 or target_cmdline_s has_all (commandline_has_all) or process_cmdline_s has_all (commandline_has_all))\n and (array_length(commandline_has_any) == 0 or target_cmdline_s has_any (commandline_has_any) or process_cmdline_s has_any (commandline_has_any)) \n and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(target_cmdline_s, commandline_has_any_ip_prefix) or has_any_ipv4_prefix(process_cmdline_s, commandline_has_any_ip_prefix)) \n and (array_length(actingprocess_has_any) == 0 or parent_path_s has_any (actingprocess_has_any)) \n and (array_length(targetprocess_has_any) == 0 or process_path_s has_any (targetprocess_has_any)) \n and (array_length(dvchostname_has_any) == 0 or device_name_s has_any (dvchostname_has_any))\n | parse process_hash_s with * '[\"' TargetProcessMD5: string '\",\"' TargetProcessSHA256: string '\"]'\n | parse parent_hash_s with * '[\"' ActingProcessMD5: string '\",\"' ActingProcessSHA256: string '\"]'\n | lookup EventFieldsLookup on sensor_action_s\n | extend\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n TargetProcessId = tostring(toint(process_pid_d)),\n ActingProcessId = tostring(toint(parent_pid_d)),\n ActorUsername = process_username_s,\n 
TargetProcessCommandLine = coalesce(target_cmdline_s, process_cmdline_s),\n AdditionalFields = bag_pack(\n \"org_key\", org_key_s,\n \"alert_id\", alert_id_g,\n \"process_reputation\", process_reputation_s,\n \"parent_reputation\", parent_reputation_s,\n \"parent_guid\", parent_guid_s,\n \"process_guid\", process_guid_s\n )\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | project-rename \n TargetProcessName = process_path_s,\n DvcIpAddr = device_external_ip_s,\n DvcScope = device_group_s,\n ActingProcessCommandLine = parent_cmdline_s,\n DvcId = device_id_s,\n DvcOriginalAction = sensor_action_s,\n DvcOs = device_os_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n ActingProcessName = parent_path_s,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventProduct = \"Carbon Black Cloud\",\n EventSchemaVersion = \"0.1.4\",\n EventType = \"ProcessTerminated\",\n EventVendor = \"VMware\",\n EventSchema = \"ProcessEvent\"\n | extend \n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Hash = coalesce(TargetProcessSHA256, TargetProcessMD5),\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n User = ActorUsername,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n HashType = case(\n isnotempty(TargetProcessSHA256),\n \"TargetProcessSHA256\",\n isnotempty(TargetProcessMD5),\n \"TargetProcessMD5\",\n \"\"\n )\n | project-away\n *_s,\n *_d,\n *_g,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId\n};\nparser(\n starttime=starttime, \n endtime=endtime, \n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n 
targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n actorusername_has=actorusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),actorusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimProcessEvent/Parsers/ASimProcessCreateVMwareCarbonBlackCloud.yaml b/Parsers/ASimProcessEvent/Parsers/ASimProcessCreateVMwareCarbonBlackCloud.yaml index 17a554899d..ca294836fa 100644 --- a/Parsers/ASimProcessEvent/Parsers/ASimProcessCreateVMwareCarbonBlackCloud.yaml +++ b/Parsers/ASimProcessEvent/Parsers/ASimProcessCreateVMwareCarbonBlackCloud.yaml @@ -1,7 +1,7 @@ Parser: Title: Process Create ASIM parser for VMware Carbon Black Cloud - Version: '0.1.0' - LastUpdated: Oct 25, 2023 + Version: '0.1.1' + LastUpdated: Dec 11, 2023 Product: Name: VMware Carbon Black Cloud Normalization: @@ -26,9 +26,9 @@ ParserParams: Default: false ParserQuery: | let EventFieldsLookup = datatable( - sensor_action_s: string, - DvcAction: string, - EventResult: string + sensor_action_s: string, + DvcAction: string, + EventResult: string )[ "ACTION_ALLOW", "Allow", "Success", "ACTION_BLOCK", "Block", "Failure", 
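Review bot: The three command-line filters in the where clause accept a row when only `process_cmdline_s` matches, yet the output exposes `TargetProcessCommandLine = coalesce(target_cmdline_s, process_cmdline_s)` and drops `process_cmdline_s` through `project-away *_s`, so a caller can receive rows whose TargetProcessCommandLine does not satisfy the filter it passed. Filtering on the same coalesced value keeps filter and output consistent, e.g. `and (array_length(commandline_has_any) == 0 or coalesce(target_cmdline_s, process_cmdline_s) has_any (commandline_has_any))`, and likewise for `commandline_has_all` and `commandline_has_any_ip_prefix`. Separately, `EventStartTime = todatetime(split(createTime_s, '+')[0])` discards whatever UTC offset `createTime_s` carries, so if the source ever emits a non-zero offset the timestamp is shifted; a comment stating the assumption that `createTime_s` is always UTC (or parsing the full value with `todatetime(createTime_s)`) would make that contract explicit.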
@@ -51,7 +51,60 @@ ParserQuery: | "10", 100 ]; let parser = (disabled: bool=false) { - let processdata = CarbonBlackEvents_CL + let CarbonBlackEventsSchema = datatable ( + eventType_s: string, + childproc_pid_d: real, + process_hash_s: string, + parent_hash_s: string, + childproc_hash_s: string, + sensor_action_s: string, + alert_id_g: string, + event_id_g: string, + createTime_s: string, + process_pid_d: real, + parent_pid_d: real, + org_key_s: string, + parent_cmdline_s: string, + process_reputation_s: string, + childproc_reputation_s: string, + parent_reputation_s: string, + process_guid_s: string, + childproc_guid_s: string, + parent_guid_s: string, + process_username_s: string, + target_cmdline_s: string, + childproc_name_s: string, + childproc_username_s: string, + device_external_ip_s: string, + device_group_s: string, + process_cmdline_s: string, + process_path_s: string, + device_id_s: string, + device_os_s: string, + event_description_s: string, + action_s: string, + event_origin_s: string, + parent_path_s: string, + device_name_s: string + )[]; + let CarbonBlackNotificationsSchema = datatable ( + type_s: string, + threatInfo_incidentId_g: string, + threatInfo_score_d: real, + threatInfo_summary_s: string, + threatInfo_time_d: real, + threatInfo_threatCause_threatCategory_s: string, + threatInfo_threatCause_causeEventId_g: string, + ruleName_s: string, + deviceInfo_deviceVersion_s: string, + threatInfo_threatCause_originSourceType_s: string, + threatInfo_threatCause_reputation_s: string, + threatInfo_threatCause_reason_s: string, + id_g: string, + primary_event_id_g: string, + threat_id_g: string + )[]; + let processdata = union (CarbonBlackEvents_CL), (CarbonBlackEventsSchema) | where not(disabled) | where eventType_s == "endpoint.event.procstart" and isnotempty(childproc_pid_d) | parse process_hash_s with * '["' ActingProcessMD5: string '","' ActingProcessSHA256: string '"]' 
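Review bot: The two empty datatables (`CarbonBlackEventsSchema`, `CarbonBlackNotificationsSchema`) carry no comment explaining why they exist, and their declared column types silently couple to the ingested custom tables: presumably they guarantee every referenced column exists before the table has seen that field, but if a real column is ingested with a different type (say `real` versus `long`) `union` does not merge the two and the downstream operators end up reading the empty schema column rather than the data. A short comment above the first datatable such as `// Empty schema tables make every referenced column exist before data arrives; column types must mirror the ingested CarbonBlackEvents_CL/CarbonBlackNotifications_CL types, otherwise union yields separate typed columns.` would document that contract. The same block is duplicated verbatim in the vimProcessCreateVMwareCarbonBlackCloud.yaml hunk at `@@ -104,7 +104,60 @@`, so the comment belongs there too. The enclosing `parser` function continues outside this hunk.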
@@ -60,7 +113,7 @@ ParserQuery: | | lookup EventFieldsLookup on sensor_action_s; let processdatawiththreat = processdata | where isnotempty(alert_id_g) and isnotempty(event_id_g) - | join kind=leftouter(CarbonBlackNotifications_CL + | join kind=leftouter(union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema) | where type_s == "THREAT" | project threatInfo_incidentId_g, @@ -77,7 +130,7 @@ ParserQuery: | on $left.alert_id_g == $right.threatInfo_incidentId_g, $left.event_id_g == $right.threatInfo_threatCause_causeEventId_g - | join kind=leftouter (CarbonBlackNotifications_CL + | join kind=leftouter (union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema) | where type_s == "CB_ANALYTICS" | project id_g, @@ -115,16 +168,25 @@ ParserQuery: | ActingProcessId = tostring(toint(process_pid_d)), ParentProcessId = tostring(toint(parent_pid_d)), AdditionalFields_Common = bag_pack( - "org_key", org_key_s, - "alert_id", alert_id_g, - "parent_cmdline", parent_cmdline_s, - "process_reputation", process_reputation_s, - "childproc_reputation", childproc_reputation_s, - "parent_reputation", parent_reputation_s, - "process_guid", process_guid_s, - "childproc_guid", childproc_guid_s, - "parent_guid", parent_guid_s - ) + "org_key", + org_key_s, + "alert_id", + alert_id_g, + "parent_cmdline", + parent_cmdline_s, + "process_reputation", + process_reputation_s, + "childproc_reputation", + childproc_reputation_s, + "parent_reputation", + parent_reputation_s, + "process_guid", + process_guid_s, + "childproc_guid", + childproc_guid_s, + "parent_guid", + parent_guid_s + ) | invoke _ASIM_ResolveDvcFQDN('device_name_s') | project-rename ActorUsername = process_username_s, @@ -183,8 +245,6 @@ ParserQuery: | RawData, SourceSystem, TenantId, - AdditionalFields_*, - *_d1, - *_s1 + AdditionalFields_* }; parser(disabled=disabled) \ No newline at end of file 
diff --git a/Parsers/ASimProcessEvent/Parsers/vimProcessCreateVMwareCarbonBlackCloud.yaml b/Parsers/ASimProcessEvent/Parsers/vimProcessCreateVMwareCarbonBlackCloud.yaml index ccad51e8dc..bbc96d207c 100644 --- a/Parsers/ASimProcessEvent/Parsers/vimProcessCreateVMwareCarbonBlackCloud.yaml +++ b/Parsers/ASimProcessEvent/Parsers/vimProcessCreateVMwareCarbonBlackCloud.yaml @@ -1,7 +1,7 @@ Parser: Title: Process Create ASIM parser for VMware Carbon Black Cloud - Version: '0.1.0' - LastUpdated: Oct 25, 2023 + Version: '0.1.1' + LastUpdated: Dec 11, 2023 Product: Name: VMware Carbon Black Cloud Normalization: @@ -65,9 +65,9 @@ ParserParams: Default: false ParserQuery: | let EventFieldsLookup = datatable( - sensor_action_s: string, - DvcAction: string, - EventResult: string + sensor_action_s: string, + DvcAction: string, + EventResult: string )[ "ACTION_ALLOW", "Allow", "Success", "ACTION_BLOCK", "Block", "Failure", 
@@ -104,7 +104,60 @@ ParserQuery: | eventtype: string='*', hashes_has_any: dynamic=dynamic([]), disabled: bool=false) { - let processdata = CarbonBlackEvents_CL + let CarbonBlackEventsSchema = datatable ( + eventType_s: string, + childproc_pid_d: real, + process_hash_s: string, + parent_hash_s: string, + childproc_hash_s: string, + sensor_action_s: string, + alert_id_g: string, + event_id_g: string, + createTime_s: string, + process_pid_d: real, + parent_pid_d: real, + org_key_s: string, + parent_cmdline_s: string, + process_reputation_s: string, + childproc_reputation_s: string, + parent_reputation_s: string, + process_guid_s: string, + childproc_guid_s: string, + parent_guid_s: string, + process_username_s: string, + target_cmdline_s: string, + childproc_name_s: string, + childproc_username_s: string, + device_external_ip_s: string, + device_group_s: string, + process_cmdline_s: string, + process_path_s: string, + device_id_s: string, + device_os_s: string, + event_description_s: string, + action_s: string, + event_origin_s: string, + parent_path_s: string, + device_name_s: string + )[]; + let CarbonBlackNotificationsSchema = datatable ( + type_s: string, + threatInfo_incidentId_g: string, + threatInfo_score_d: real, + threatInfo_summary_s: string, + threatInfo_time_d: real, + threatInfo_threatCause_threatCategory_s: string, + threatInfo_threatCause_causeEventId_g: string, + ruleName_s: string, + deviceInfo_deviceVersion_s: string, + threatInfo_threatCause_originSourceType_s: string, + threatInfo_threatCause_reputation_s: string, + threatInfo_threatCause_reason_s: string, + id_g: string, + primary_event_id_g: string, + threat_id_g: string + )[]; + let processdata = union (CarbonBlackEvents_CL), (CarbonBlackEventsSchema) | where not(disabled) | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime) 
@@ -126,7 +179,7 @@ ParserQuery: | | lookup EventFieldsLookup on sensor_action_s; let processdatawiththreat = processdata | where isnotempty(alert_id_g) and isnotempty(event_id_g) - | join kind=leftouter(CarbonBlackNotifications_CL + | join kind=leftouter(union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema) | where type_s == "THREAT" | project threatInfo_incidentId_g, @@ -143,7 +196,7 @@ ParserQuery: | on $left.alert_id_g == $right.threatInfo_incidentId_g, $left.event_id_g == $right.threatInfo_threatCause_causeEventId_g - | join kind=leftouter (CarbonBlackNotifications_CL + | join kind=leftouter (union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema) | where type_s == "CB_ANALYTICS" | project id_g, @@ -181,16 +234,25 @@ ParserQuery: | ActingProcessId = tostring(toint(process_pid_d)), ParentProcessId = tostring(toint(parent_pid_d)), AdditionalFields_Common = bag_pack( - "org_key", org_key_s, - "alert_id", alert_id_g, - "parent_cmdline", parent_cmdline_s, - "process_reputation", process_reputation_s, - "childproc_reputation", childproc_reputation_s, - "parent_reputation", parent_reputation_s, - "process_guid", process_guid_s, - "childproc_guid", childproc_guid_s, - "parent_guid", parent_guid_s - ) + "org_key", + org_key_s, + "alert_id", + alert_id_g, + "parent_cmdline", + parent_cmdline_s, + "process_reputation", + process_reputation_s, + "childproc_reputation", + childproc_reputation_s, + "parent_reputation", + parent_reputation_s, + "process_guid", + process_guid_s, + "childproc_guid", + childproc_guid_s, + "parent_guid", + parent_guid_s + ) | invoke _ASIM_ResolveDvcFQDN('device_name_s') | project-rename ActorUsername = process_username_s, @@ -249,9 +311,7 @@ ParserQuery: | RawData, SourceSystem, TenantId, - AdditionalFields_*, - *_d1, - *_s1 + AdditionalFields_* }; parser( starttime=starttime, 
diff --git a/Parsers/ASimRegistryEvent/ARM/ASimRegistry/ASimRegistry.json b/Parsers/ASimRegistryEvent/ARM/ASimRegistry/ASimRegistry.json
index 8de2cfe04a..a86f6c6395 100644
--- a/Parsers/ASimRegistryEvent/ARM/ASimRegistry/ASimRegistry.json
+++ b/Parsers/ASimRegistryEvent/ARM/ASimRegistry/ASimRegistry.json
@@ -35,7 +35,7 @@ "displayName": "Registry Event ASIM Parser", "category": "ASIM", "FunctionAlias": "ASimRegistry", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimRegistry') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludeASimRegistryEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));\nlet parser=(pack:bool=false){\nunion isfuzzy=true\n vimRegistryEventEmpty,\n ASimRegistryEventMicrosoft365D(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventMicrosoft365D' in (DisabledParsers) ))),\n ASimRegistryEventMicrosoftSysmon(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventMicrosoftSysmon' in (DisabledParsers) ))),\n ASimRegistryEventMicrosoftWindowsEvent(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventMicrosoftWindowsEvent' in (DisabledParsers) ))),\n ASimRegistryEventSentinelOne(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventSentinelOne' in (DisabledParsers) )))\n };\n parser (pack=pack)\n", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimRegistry') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludeASimRegistryEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));\nlet parser=(pack:bool=false){\nunion isfuzzy=true\n vimRegistryEventEmpty,\n ASimRegistryEventMicrosoft365D(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventMicrosoft365D' in (DisabledParsers) ))),\n ASimRegistryEventMicrosoftSysmon(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventMicrosoftSysmon' in (DisabledParsers) ))),\n ASimRegistryEventMicrosoftWindowsEvent(disabled=(ASimBuiltInDisabled or 
('ExcludeASimRegistryEventMicrosoftWindowsEvent' in (DisabledParsers) ))),\n ASimRegistryEventSentinelOne(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventSentinelOne' in (DisabledParsers) ))),\n ASimRegistryEventVMwareCarbonBlackCloud(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventVMwareCarbonBlackCloud' in (DisabledParsers) ))),\n ASimRegistryEventTrendMicroVisionOne(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventTrendMicroVisionOne' in (DisabledParsers) )))\n };\n parser (pack=pack)\n", "version": 1, "functionParameters": "pack:bool=False" } diff --git a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventTrendMicroVisionOne/ASimRegistryEventTrendMicroVisionOne.json b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventTrendMicroVisionOne/ASimRegistryEventTrendMicroVisionOne.json new file mode 100644 index 0000000000..1860d86c85 --- /dev/null +++ b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventTrendMicroVisionOne/ASimRegistryEventTrendMicroVisionOne.json 
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "ASimRegistryEventTrendMicroVisionOne", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM Parser for Trend Micro Vision One", + "category": "ASIM", + "FunctionAlias": "ASimRegistryEventTrendMicroVisionOne", + "query": "let EventTypeLookup = datatable(detail_eventSubId_s: string, EventType: string)[\n \"TELEMETRY_REGISTRY_CREATE\", \"RegistryKeyCreated\",\n \"TELEMETRY_REGISTRY_SET\", \"RegistryValueSet\",\n \"TELEMETRY_REGISTRY_DELETE\", \"RegistryKeyDeleted\",\n \"TELEMETRY_REGISTRY_RENAME\", \"RegistryKeyRenamed\"\n];\nlet RegistryKeyPrefixLookup = datatable(\n RegistryKeyPrefix: string,\n RegistryKeyNormalizedPrefix: string\n)[\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\n \"HKU\", \"HKEY_USERS\",\n \"HKCU\", \"HKEY_CURRENT_USER\",\n \"HKCR\", \"HKEY_CLASSES_ROOT\",\n \"HKCC\", \"HKEY_CURRENT_CONFIG\"\n];\nlet RegistryValueTypeLookup = datatable (detail_objectRegType_d: real, RegistryValueType: string)[\n 0, \"Reg_None\",\n 1, \"Reg_Sz\",\n 2, \"Reg_Expand_Sz\",\n 3, 
\"Reg_Binary\",\n 4, \"Reg_DWord\",\n 5, \"Reg_DWord\",\n 7, \"Reg_Multi_Sz\",\n 11, \"Reg_QWord\"\n];\nlet EventSeverityLookup = datatable(detail_filterRiskLevel_s: string, EventSeverity: string)[\n \"low\", \"Low\",\n \"medium\", \"Medium\",\n \"high\", \"High\",\n \"info\", \"Informational\",\n \"critical\", \"High\"\n];\nlet parser = (disabled: bool=false) {\n TrendMicro_XDR_OAT_CL\n | where not(disabled)\n | where detail_eventId_s == \"TELEMETRY_REGISTRY\"\n | parse filters_s with * \"[\" filters: string \"]\"\n | parse-kv filters as (description: string, name: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventTypeLookup on detail_eventSubId_s\n | lookup RegistryValueTypeLookup on detail_objectRegType_d\n | lookup EventSeverityLookup on detail_filterRiskLevel_s\n | invoke _ASIM_ResolveDvcFQDN('detail_endpointHostName_s')\n | extend RegistryKeyPrefix = tostring(split(detail_objectRegistryKeyHandle_s, @'\\')[0])\n | lookup RegistryKeyPrefixLookup on RegistryKeyPrefix\n | extend \n RegistryKey = replace_string(detail_objectRegistryKeyHandle_s, RegistryKeyPrefix, RegistryKeyNormalizedPrefix),\n ActingProcessId = tostring(toint(detail_processPid_d)),\n ParentProcessId = tostring(toint(detail_parentPid_d)),\n ActorSessionId = tostring(toint(detail_authId_d)),\n AdditionalFields = bag_pack(\n \"name\", name,\n \"tags\", detail_tags_s,\n \"objectRegType\", detail_objectRegType_d\n )\n | extend\n EventCount = int(1),\n EventProduct = \"Vision One\",\n EventVendor = \"Trend Micro\",\n EventSchema = \"RegistryEvent\",\n EventSchemaVersion = \"0.1.2\",\n EventResult = \"Success\",\n DvcAction = \"Allowed\"\n | project-rename\n ActorUsername = detail_processUser_s,\n EventStartTime = detail_eventTimeDT_t,\n RegistryValue = detail_objectRegistryValue_s,\n RegistryValueData = detail_objectRegistryData_s,\n ActingProcessName = detail_processName_s,\n DvcId = detail_endpointGuid_g,\n DvcOs = detail_osName_s,\n DvcOsVersion = detail_osVer_s,\n 
EventUid = _ItemId,\n EventOriginalSubType = detail_eventSubId_s,\n EventOriginalType = detail_eventId_s,\n EventOriginalUid = detail_uuid_g,\n EventOriginalSeverity = detail_filterRiskLevel_s,\n EventProductVersion = detail_pver_s,\n EventMessage = description\n | extend\n User = ActorUsername,\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = _ASIM_GetUserType(ActorUsername,\"\"),\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n Process = ActingProcessName,\n EventEndTime = EventStartTime,\n RegistryPreviousKey = RegistryKey,\n RegistryPreviousValue = RegistryValue,\n RegistryPreviousValueData = RegistryValueData,\n RegistryPreviousValueType = RegistryValueType\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n name,\n filters,\n *Prefix\n};\nparser(disabled = disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventTrendMicroVisionOne/README.md b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventTrendMicroVisionOne/README.md new file mode 100644 index 0000000000..72c90fb0bc --- /dev/null +++ b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventTrendMicroVisionOne/README.md 
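Review bot: `RegistryKey = replace_string(detail_objectRegistryKeyHandle_s, RegistryKeyPrefix, RegistryKeyNormalizedPrefix)` strips the hive from the key whenever the leading segment is not one of the five abbreviations in `RegistryKeyPrefixLookup`, because the leftouter `lookup` leaves `RegistryKeyNormalizedPrefix` empty and `replace_string` then substitutes an empty string, so a key that already begins with `HKEY_LOCAL_MACHINE\` would come out as `\SOFTWARE\...`. It also rewrites every occurrence of the prefix text in the path, not only the leading one. Replacing just the leading segment and keeping the original value on a lookup miss avoids both, e.g. `RegistryKey = iff(isnotempty(RegistryKeyNormalizedPrefix), strcat(RegistryKeyNormalizedPrefix, substring(detail_objectRegistryKeyHandle_s, strlen(RegistryKeyPrefix))), detail_objectRegistryKeyHandle_s),`. The same pattern is applied to `regmod_name_s` in the ASimRegistryEventVMwareCarbonBlackCloud hunk below. Separately, `ActorUsernameType = iff(isnotempty(ActorUsername), "Simple", "")` hard-codes the type while the Carbon Black registry parser in this same change derives it with `_ASIM_GetUsernameType(ActorUsername)`; if `detail_processUser_s` can carry a `DOMAIN\user` form the hard-coded value is wrong, so using the helper here too would be consistent.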
@@ -0,0 +1,18 @@ +# Trend Micro Vision One ASIM RegistryEvent Normalization Parser + +ARM template for ASIM RegistryEvent schema parser for Trend Micro Vision One. + +This ASIM parser supports normalizing Trend Micro Vision One logs to the ASIM Registry Event normalized schema. Trend Micro Vision One events are captured through Trend Vision One data connector which ingests XDR logs into Microsoft Sentinel through the Trend Vision One API. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM RegistryEvent normalization schema reference](https://aka.ms/ASimRegistryEventDoc) + +
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.git.ttaallkk.top%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimRegistryEvent%2FARM%2FASimRegistryEventTrendMicroVisionOne%2FASimRegistryEventTrendMicroVisionOne.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.git.ttaallkk.top%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimRegistryEvent%2FARM%2FASimRegistryEventTrendMicroVisionOne%2FASimRegistryEventTrendMicroVisionOne.json) diff --git a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventVMwareCarbonBlackCloud/ASimRegistryEventVMwareCarbonBlackCloud.json b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventVMwareCarbonBlackCloud/ASimRegistryEventVMwareCarbonBlackCloud.json new file mode 100644 index 0000000000..a1d836c801 --- /dev/null +++ b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventVMwareCarbonBlackCloud/ASimRegistryEventVMwareCarbonBlackCloud.json 
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "ASimRegistryEventVMwareCarbonBlackCloud", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM Parser for VMware Carbon Black Cloud", + "category": "ASIM", + "FunctionAlias": "ASimRegistryEventVMwareCarbonBlackCloud", + "query": "let EventTypeLookup = datatable (temp_action: string, EventType: string)\n[\n \"ACTION_WRITE_VALUE\", \"RegistryValueSet\",\n \"ACTION_CREATE_KEY\", \"RegistryKeyCreated\",\n \"ACTION_DELETE_KEY\", \"RegistryKeyDeleted\",\n \"ACTION_DELETE_VALUE\", \"RegistryValueDeleted\",\n \"ACTION_RENAME_KEY\", \"RegistryKeyRenamed\"\n];\nlet RegistryKeyPrefixLookup = datatable(\n RegistryKeyPrefix: string,\n RegistryKeyNormalizedPrefix: string\n)[\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\n \"HKU\", \"HKEY_USERS\",\n \"HKCU\", \"HKEY_CURRENT_USER\",\n \"HKCR\", \"HKEY_CLASSES_ROOT\",\n \"HKCC\", \"HKEY_CURRENT_CONFIG\"\n];\nlet actionvalues = dynamic([\"ACTION_WRITE_VALUE\", \"ACTION_CREATE_KEY\", \"ACTION_DELETE_KEY\", \"ACTION_DELETE_VALUE\", 
\"ACTION_RENAME_KEY\"]);\nlet parser=(disabled: bool=false) {\n CarbonBlackEvents_CL\n | where not(disabled)\n | where eventType_s == \"endpoint.event.regmod\"\n and isnotempty(regmod_name_s)\n | extend\n temp_action = case(\n action_s has \"|\" and action_s has \"delete\",\n \"ACTION_DELETE_KEY\",\n action_s has \"|\" and action_s !has \"delete\",\n \"ACTION_CREATE_KEY\",\n action_s\n ),\n RegistryKeyPrefix = tostring(split(regmod_name_s, @'\\')[0])\n | where temp_action in (actionvalues)\n | lookup EventTypeLookup on temp_action\n | lookup RegistryKeyPrefixLookup on RegistryKeyPrefix\n | extend\n RegistryKey = replace_string(regmod_name_s, RegistryKeyPrefix, RegistryKeyNormalizedPrefix),\n ActingProcessId = tostring(toint(process_pid_d)),\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n ParentProcessId = tostring(toint(parent_pid_d)),\n AdditionalFields = bag_pack(\n \"process_guid\", process_guid_s,\n \"parent_guid\", parent_guid_s \n )\n | project-rename\n ActorUsername = process_username_s,\n DvcIpAddr = device_external_ip_s,\n DvcScope = device_group_s,\n EventUid = _ItemId,\n ActingProcessName = process_path_s,\n DvcId = device_id_s,\n DvcOs = device_os_s,\n EventMessage = event_description_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n ParentProcessName = processDetails_parentName_s,\n ActorScopeId = org_key_s\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | extend\n EventCount = toint(1),\n EventProduct = \"Carbon Black Cloud\",\n EventVendor = \"VMware\",\n EventResult = \"Success\",\n DvcAction = \"Allowed\",\n EventSchema = \"RegistryEvent\",\n EventSchemaVersion = \"0.1.2\"\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n EventEndTime = EventStartTime,\n Process = ActingProcessName,\n User = ActorUsername,\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = 
_ASIM_GetUserType(ActorUsername, \"\")\n | project-away\n *_d,\n *_s,\n *_g,\n *_b,\n temp_action,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n RegistryKeyPrefix,\n RegistryKeyNormalizedPrefix\n};\nparser(disabled = disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventVMwareCarbonBlackCloud/README.md b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventVMwareCarbonBlackCloud/README.md new file mode 100644 index 0000000000..b0c9020b7f --- /dev/null +++ b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventVMwareCarbonBlackCloud/README.md @@ -0,0 +1,18 @@ +# VMware Carbon Black Cloud ASIM RegistryEvent Normalization Parser + +ARM template for ASIM RegistryEvent schema parser for VMware Carbon Black Cloud. + +This ASIM parser supports normalizing VMware Carbon Black Cloud logs to the ASIM Registry Event normalized schema. VMware Carbon Black Cloud events are captured through VMware Carbon Black Cloud data connector which ingests Carbon Black Audit, Notification and Event data into Microsoft Sentinel through the REST API. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM RegistryEvent normalization schema reference](https://aka.ms/ASimRegistryEventDoc) + +
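Review bot: `RegistryKey = replace_string(regmod_name_s, RegistryKeyPrefix, RegistryKeyNormalizedPrefix)` strips the hive from the key whenever the first path component is not one of the five abbreviations in RegistryKeyPrefixLookup: the preceding `lookup` is a left-outer join, so an unmatched prefix (a key that already arrives as `HKEY_LOCAL_MACHINE\...`, or an unlisted hive) would leave RegistryKeyNormalizedPrefix empty and replace_string then deletes every occurrence of that root. It also rewrites every occurrence of the prefix anywhere in the path, not only the leading component. Replacing the line with `RegistryKey = iff(isempty(RegistryKeyNormalizedPrefix), regmod_name_s, strcat(RegistryKeyNormalizedPrefix, substring(regmod_name_s, strlen(RegistryKeyPrefix))))` keeps unknown roots intact and touches only the leading component. The same construct appears in the vimRegistryEventVMwareCarbonBlackCloud.json and vimRegistryEventTrendMicroVisionOne.json hunks below.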
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.git.ttaallkk.top%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimRegistryEvent%2FARM%2FASimRegistryEventVMwareCarbonBlackCloud%2FASimRegistryEventVMwareCarbonBlackCloud.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.git.ttaallkk.top%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimRegistryEvent%2FARM%2FASimRegistryEventVMwareCarbonBlackCloud%2FASimRegistryEventVMwareCarbonBlackCloud.json) diff --git a/Parsers/ASimRegistryEvent/ARM/FullDeploymentRegistryEvent.json b/Parsers/ASimRegistryEvent/ARM/FullDeploymentRegistryEvent.json index 6bbda6520b..6b115fb8b1 100644 --- a/Parsers/ASimRegistryEvent/ARM/FullDeploymentRegistryEvent.json +++ b/Parsers/ASimRegistryEvent/ARM/FullDeploymentRegistryEvent.json 
@@ -138,6 +138,46 @@ } } }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimRegistryEventTrendMicroVisionOne", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventTrendMicroVisionOne/ASimRegistryEventTrendMicroVisionOne.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimRegistryEventVMwareCarbonBlackCloud", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventVMwareCarbonBlackCloud/ASimRegistryEventVMwareCarbonBlackCloud.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", 
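Review bot: The two new linked deployments fetch `templateLink.uri` from the mutable `master` branch of the repository at deployment time, so the parser installed into a workspace is whatever that path holds when the user deploys, not the content reviewed in this commit; `"contentVersion": "1.0.0.0"` does not pin it. This follows the existing entries in the file, so it is a repository-wide convention rather than something to fix only here, but pinning the URI to a tag or commit ref would make the full deployment reproducible and auditable. The same applies to the two vim entries added in the `@@ -297,6 +337,46 @@` hunk below.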
@@ -297,6 +337,46 @@ } } } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimRegistryEventTrendMicroVisionOne", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimRegistryEvent/ARM/vimRegistryEventTrendMicroVisionOne/vimRegistryEventTrendMicroVisionOne.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimRegistryEventVMwareCarbonBlackCloud", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimRegistryEvent/ARM/vimRegistryEventVMwareCarbonBlackCloud/vimRegistryEventVMwareCarbonBlackCloud.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } } ], "outputs": {} diff --git a/Parsers/ASimRegistryEvent/ARM/imRegistry/imRegistry.json b/Parsers/ASimRegistryEvent/ARM/imRegistry/imRegistry.json index e501f3d4ca..78baa4fade 100644 --- a/Parsers/ASimRegistryEvent/ARM/imRegistry/imRegistry.json +++ b/Parsers/ASimRegistryEvent/ARM/imRegistry/imRegistry.json 
@@ -35,7 +35,7 @@ "displayName": "Registry Event ASIM Parser", "category": "ASIM", "FunctionAlias": "imRegistry", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimRegistry') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet vimBuiltInDisabled=toscalar('ExcludevimRegistryEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n registrykey_has_any: dynamic =dynamic([]),\n registryvalue_has_any: dynamic =dynamic([]),\n registrydata_has_any: dynamic =dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n pack:bool=false\n )\n {\nunion isfuzzy=true\n vimRegistryEventEmpty,\n vimRegistryEventMicrosoft365D (starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventMicrosoft365D' in (DisabledParsers) ))),\n vimRegistryEventMicrosoftSysmon(starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventMicrosoftSysmon' in (DisabledParsers) ))),\n vimRegistryEventMicrosoftWindowsEvent (starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, 
registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventMicrosoftWindowsEvent' in (DisabledParsers) ))),\n vimRegistryEventSentinelOne (starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventSentinelOne' in (DisabledParsers) )))\n };\n parser(starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, pack=pack)", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimRegistry') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet vimBuiltInDisabled=toscalar('ExcludevimRegistryEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n registrykey_has_any: dynamic =dynamic([]),\n registryvalue_has_any: dynamic =dynamic([]),\n registrydata_has_any: dynamic =dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n pack:bool=false\n )\n {\nunion isfuzzy=true\n vimRegistryEventEmpty,\n vimRegistryEventMicrosoft365D (starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = 
registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventMicrosoft365D' in (DisabledParsers) ))),\n vimRegistryEventMicrosoftSysmon(starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventMicrosoftSysmon' in (DisabledParsers) ))),\n vimRegistryEventMicrosoftWindowsEvent (starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventMicrosoftWindowsEvent' in (DisabledParsers) ))),\n vimRegistryEventSentinelOne (starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventSentinelOne' in (DisabledParsers) ))),\n vimRegistryEventVMwareCarbonBlackCloud(starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registryvaluedata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventVMwareCarbonBlackCloud' in (DisabledParsers) ))),\n 
vimRegistryEventTrendMicroVisionOne (starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, actorusername_has_any=actorusername_has_any, registrykey_has_any=registrykey_has_any, registryvalue_has_any=registryvalue_has_any, registryvaluedata_has_any=registrydata_has_any, dvchostname_has_any=dvchostname_has_any, disabled= (vimBuiltInDisabled or('ExcludevimRegistryEventTrendMicroVisionOne' in (DisabledParsers) )))\n };\n parser(starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, pack=pack)", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registrydata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False,pack:bool=False" } diff --git a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventTrendMicroVisionOne/README.md b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventTrendMicroVisionOne/README.md new file mode 100644 index 0000000000..c8ae625382 --- /dev/null +++ b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventTrendMicroVisionOne/README.md 
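Review bot: The new `vimRegistryEventTrendMicroVisionOne (starttime=starttime, endtime=endtime, ...)` branch is formatted differently from every other branch of the union (no spaces around `=`, a space before the opening parenthesis, `disabled= (`), which makes the generated query harder to diff against the other source parsers; aligning it with the `vimRegistryEventVMwareCarbonBlackCloud(starttime = starttime, ...)` line directly above keeps the file uniform. Both new branches also map the union's parameter onto a differently named source parameter, `registryvaluedata_has_any = registrydata_has_any`, while the four existing branches pass `registrydata_has_any = registrydata_has_any`; the mapping looks intentional given the new parsers' signatures in this change, but a short note in the source YAML that generates imRegistry explaining the two names would save the next maintainer from "correcting" it.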
@@ -0,0 +1,18 @@ +# Trend Micro Vision One ASIM RegistryEvent Normalization Parser + +ARM template for ASIM RegistryEvent schema parser for Trend Micro Vision One. + +This ASIM parser supports normalizing Trend Micro Vision One logs to the ASIM Registry Event normalized schema. Trend Micro Vision One events are captured through Trend Vision One data connector which ingests XDR logs into Microsoft Sentinel through the Trend Vision One API. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM RegistryEvent normalization schema reference](https://aka.ms/ASimRegistryEventDoc) + +
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.git.ttaallkk.top%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimRegistryEvent%2FARM%2FvimRegistryEventTrendMicroVisionOne%2FvimRegistryEventTrendMicroVisionOne.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.git.ttaallkk.top%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimRegistryEvent%2FARM%2FvimRegistryEventTrendMicroVisionOne%2FvimRegistryEventTrendMicroVisionOne.json) diff --git a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventTrendMicroVisionOne/vimRegistryEventTrendMicroVisionOne.json b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventTrendMicroVisionOne/vimRegistryEventTrendMicroVisionOne.json new file mode 100644 index 0000000000..4bb74e13e6 --- /dev/null +++ b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventTrendMicroVisionOne/vimRegistryEventTrendMicroVisionOne.json 
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimRegistryEventTrendMicroVisionOne", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM Parser for Trend Micro Vision One", + "category": "ASIM", + "FunctionAlias": "vimRegistryEventTrendMicroVisionOne", + "query": "let EventTypeLookup = datatable(detail_eventSubId_s: string, EventType: string)[\n \"TELEMETRY_REGISTRY_CREATE\", \"RegistryKeyCreated\",\n \"TELEMETRY_REGISTRY_SET\", \"RegistryValueSet\",\n \"TELEMETRY_REGISTRY_DELETE\", \"RegistryKeyDeleted\",\n \"TELEMETRY_REGISTRY_RENAME\", \"RegistryKeyRenamed\"\n];\nlet RegistryKeyPrefixLookup = datatable(\n RegistryKeyPrefix: string,\n RegistryKeyNormalizedPrefix: string\n)[\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\n \"HKU\", \"HKEY_USERS\",\n \"HKCU\", \"HKEY_CURRENT_USER\",\n \"HKCR\", \"HKEY_CLASSES_ROOT\",\n \"HKCC\", \"HKEY_CURRENT_CONFIG\"\n];\nlet RegistryValueTypeLookup = datatable (detail_objectRegType_d: real, RegistryValueType: string)[\n 0, \"Reg_None\",\n 1, \"Reg_Sz\",\n 2, \"Reg_Expand_Sz\",\n 3, 
\"Reg_Binary\",\n 4, \"Reg_DWord\",\n 5, \"Reg_DWord\",\n 7, \"Reg_Multi_Sz\",\n 11, \"Reg_QWord\"\n];\nlet EventSeverityLookup = datatable(detail_filterRiskLevel_s: string, EventSeverity: string)[\n \"low\", \"Low\",\n \"medium\", \"Medium\",\n \"high\", \"High\",\n \"info\", \"Informational\",\n \"critical\", \"High\"\n];\nlet parser = (starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventtype_in: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), registrykey_has_any: dynamic=dynamic([]), registryvalue_has_any: dynamic=dynamic([]), registryvaluedata_has_any: dynamic=dynamic([]), dvchostname_has_any: dynamic=dynamic([]), disabled: bool=false) {\n TrendMicro_XDR_OAT_CL\n | where not(disabled)\n | where ((isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime))\n | where detail_eventId_s == \"TELEMETRY_REGISTRY\"\n | where (array_length(actorusername_has_any) == 0 or detail_processUser_s has_any (actorusername_has_any))\n and (array_length(registryvalue_has_any) == 0 or detail_objectRegistryValue_s has_any (registryvalue_has_any))\n and (array_length(registryvaluedata_has_any) == 0 or detail_objectRegistryData_s has_any (registryvaluedata_has_any))\n and (array_length(dvchostname_has_any) == 0 or detail_endpointHostName_s has_any (dvchostname_has_any))\n | parse filters_s with * \"[\" filters: string \"]\"\n | parse-kv filters as (description: string, name: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventTypeLookup on detail_eventSubId_s\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n | invoke _ASIM_ResolveDvcFQDN('detail_endpointHostName_s')\n | extend RegistryKeyPrefix = tostring(split(detail_objectRegistryKeyHandle_s, @'\\')[0])\n | lookup RegistryKeyPrefixLookup on RegistryKeyPrefix\n | extend \n RegistryKey = replace_string(detail_objectRegistryKeyHandle_s, RegistryKeyPrefix, RegistryKeyNormalizedPrefix)\n | where 
(array_length(registrykey_has_any) == 0 or RegistryKey has_any (registrykey_has_any))\n | lookup EventSeverityLookup on detail_filterRiskLevel_s\n | lookup RegistryValueTypeLookup on detail_objectRegType_d\n | extend \n ActingProcessId = tostring(toint(detail_processPid_d)),\n ParentProcessId = tostring(toint(detail_parentPid_d)),\n ActorSessionId = tostring(toint(detail_authId_d)),\n AdditionalFields = bag_pack(\n \"name\", name,\n \"tags\", detail_tags_s,\n \"objectRegType\", detail_objectRegType_d\n )\n | extend\n EventCount = int(1),\n EventProduct = \"Vision One\",\n EventVendor = \"Trend Micro\",\n EventSchema = \"RegistryEvent\",\n EventSchemaVersion = \"0.1.2\",\n EventResult = \"Success\",\n DvcAction = \"Allowed\"\n | project-rename\n ActorUsername = detail_processUser_s,\n EventStartTime = detail_eventTimeDT_t,\n RegistryValue = detail_objectRegistryValue_s,\n RegistryValueData = detail_objectRegistryData_s,\n ActingProcessName = detail_processName_s,\n DvcId = detail_endpointGuid_g,\n DvcOs = detail_osName_s,\n DvcOsVersion = detail_osVer_s,\n EventUid = _ItemId,\n EventOriginalSubType = detail_eventSubId_s,\n EventOriginalType = detail_eventId_s,\n EventOriginalUid = detail_uuid_g,\n EventOriginalSeverity = detail_filterRiskLevel_s,\n EventProductVersion = detail_pver_s,\n EventMessage = description\n | extend\n User = ActorUsername,\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n Process = ActingProcessName,\n EventEndTime = EventStartTime,\n RegistryPreviousKey = RegistryKey,\n RegistryPreviousValue = RegistryValue,\n RegistryPreviousValueData = RegistryValueData,\n RegistryPreviousValueType = RegistryValueType\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n name,\n 
filters,\n *Prefix\n};\nparser(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, actorusername_has_any=actorusername_has_any, registrykey_has_any=registrykey_has_any, registryvalue_has_any=registryvalue_has_any, registryvaluedata_has_any=registryvaluedata_has_any, dvchostname_has_any=dvchostname_has_any, disabled = disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registryvaluedata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventVMwareCarbonBlackCloud/README.md b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventVMwareCarbonBlackCloud/README.md new file mode 100644 index 0000000000..84df2f90c6 --- /dev/null +++ b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventVMwareCarbonBlackCloud/README.md 
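Review bot: The final `extend` sets `RegistryPreviousKey = RegistryKey`, `RegistryPreviousValue = RegistryValue`, `RegistryPreviousValueData = RegistryValueData` and `RegistryPreviousValueType = RegistryValueType` unconditionally, so for `TELEMETRY_REGISTRY_SET` and `TELEMETRY_REGISTRY_RENAME` events the Previous* fields carry the post-change values rather than the pre-change ones. Analytics that compare previous and current key or data to characterise a modification will see no difference on exactly the events that are modifications. Nothing in the hunk suggests the Vision One record carries a pre-change name or data; if it does not, leaving these fields empty for the SET and RENAME event types, e.g. `RegistryPreviousKey = iff(EventType == "RegistryKeyRenamed", "", RegistryKey)` and `RegistryPreviousValueData = iff(EventType == "RegistryValueSet", "", RegistryValueData)`, is more faithful than copying the new value.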
@@ -0,0 +1,18 @@ +# VMware Carbon Black Cloud ASIM RegistryEvent Normalization Parser + +ARM template for ASIM RegistryEvent schema parser for VMware Carbon Black Cloud. + +This ASIM parser supports normalizing VMware Carbon Black Cloud logs to the ASIM Registry Event normalized schema. VMware Carbon Black Cloud events are captured through VMware Carbon Black Cloud data connector which ingests Carbon Black Audit, Notification and Event data into Microsoft Sentinel through the REST API. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM RegistryEvent normalization schema reference](https://aka.ms/ASimRegistryEventDoc) + +
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.git.ttaallkk.top%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimRegistryEvent%2FARM%2FvimRegistryEventVMwareCarbonBlackCloud%2FvimRegistryEventVMwareCarbonBlackCloud.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.git.ttaallkk.top%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimRegistryEvent%2FARM%2FvimRegistryEventVMwareCarbonBlackCloud%2FvimRegistryEventVMwareCarbonBlackCloud.json) diff --git a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventVMwareCarbonBlackCloud/vimRegistryEventVMwareCarbonBlackCloud.json b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventVMwareCarbonBlackCloud/vimRegistryEventVMwareCarbonBlackCloud.json new file mode 100644 index 0000000000..9a7b23cbdb --- /dev/null +++ b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventVMwareCarbonBlackCloud/vimRegistryEventVMwareCarbonBlackCloud.json 
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimRegistryEventVMwareCarbonBlackCloud", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM Parser for VMware Carbon Black Cloud", + "category": "ASIM", + "FunctionAlias": "vimRegistryEventVMwareCarbonBlackCloud", + "query": "let EventTypeLookup = datatable (temp_action: string, EventType: string)\n [\n \"ACTION_WRITE_VALUE\", \"RegistryValueSet\",\n \"ACTION_CREATE_KEY\", \"RegistryKeyCreated\",\n \"ACTION_DELETE_KEY\", \"RegistryKeyDeleted\",\n \"ACTION_DELETE_VALUE\", \"RegistryValueDeleted\",\n \"ACTION_RENAME_KEY\", \"RegistryKeyRenamed\"\n];\nlet RegistryKeyPrefixLookup = datatable(\n RegistryKeyPrefix: string,\n RegistryKeyNormalizedPrefix: string\n)[\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\n \"HKU\", \"HKEY_USERS\",\n \"HKCU\", \"HKEY_CURRENT_USER\",\n \"HKCR\", \"HKEY_CLASSES_ROOT\",\n \"HKCC\", \"HKEY_CURRENT_CONFIG\"\n];\nlet actionvalues = dynamic([\"ACTION_WRITE_VALUE\", \"ACTION_CREATE_KEY\", \"ACTION_DELETE_KEY\", \"ACTION_DELETE_VALUE\", 
\"ACTION_RENAME_KEY\"]);\nlet parser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n eventtype_in: dynamic=dynamic([]), \n actorusername_has_any: dynamic=dynamic([]), \n registrykey_has_any: dynamic=dynamic([]), \n registryvalue_has_any: dynamic=dynamic([]), \n registryvaluedata_has_any: dynamic=dynamic([]), \n dvchostname_has_any: dynamic=dynamic([]), \n disabled: bool=false\n ) {\n CarbonBlackEvents_CL\n | where not(disabled)\n | where ((isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime))\n and eventType_s == \"endpoint.event.regmod\"\n and isnotempty(regmod_name_s)\n | where array_length(registryvalue_has_any) == 0\n and array_length(registryvaluedata_has_any) == 0\n and (array_length(actorusername_has_any) == 0 or process_username_s has_any (actorusername_has_any))\n and (array_length(dvchostname_has_any) == 0 or device_name_s has_any (dvchostname_has_any))\n | extend\n temp_action = case(\n action_s has \"|\" and action_s has \"delete\",\n \"ACTION_DELETE_KEY\",\n action_s has \"|\" and action_s !has \"delete\",\n \"ACTION_CREATE_KEY\",\n action_s\n ),\n RegistryKeyPrefix = tostring(split(regmod_name_s, @'\\')[0])\n | where temp_action in (actionvalues)\n | lookup EventTypeLookup on temp_action\n | lookup RegistryKeyPrefixLookup on RegistryKeyPrefix\n | extend RegistryKey = replace_string(regmod_name_s, RegistryKeyPrefix, RegistryKeyNormalizedPrefix)\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n and (array_length(registrykey_has_any) == 0 or RegistryKey has_any (registrykey_has_any))\n | extend\n ActingProcessId = tostring(toint(process_pid_d)),\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n ParentProcessId = tostring(toint(parent_pid_d)),\n AdditionalFields = bag_pack(\n \"process_guid\", process_guid_s,\n \"parent_guid\", parent_guid_s \n )\n | project-rename\n ActorUsername = process_username_s,\n DvcIpAddr = 
device_external_ip_s,\n DvcScope = device_group_s,\n EventUid = _ItemId,\n ActingProcessName = process_path_s,\n DvcId = device_id_s,\n DvcOs = device_os_s,\n EventMessage = event_description_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n ParentProcessName = processDetails_parentName_s,\n ActorScopeId = org_key_s\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | extend\n EventCount = toint(1),\n EventProduct = \"Carbon Black Cloud\",\n EventVendor = \"VMware\",\n EventResult = \"Success\",\n DvcAction = \"Allowed\",\n EventSchema = \"RegistryEvent\",\n EventSchemaVersion = \"0.1.2\"\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n EventEndTime = EventStartTime,\n Process = ActingProcessName,\n User = ActorUsername,\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\")\n | project-away\n *_d,\n *_s,\n *_g,\n *_b,\n temp_action,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n RegistryKeyPrefix,\n RegistryKeyNormalizedPrefix\n};\nparser(\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in, \n actorusername_has_any=actorusername_has_any, \n registrykey_has_any=registrykey_has_any, \n registryvalue_has_any=registryvalue_has_any, \n registryvaluedata_has_any=registryvaluedata_has_any, \n dvchostname_has_any=dvchostname_has_any, \n disabled = disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registryvaluedata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file 
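Review bot: `| where array_length(registryvalue_has_any) == 0 and array_length(registryvaluedata_has_any) == 0` silently returns an empty result whenever a caller filters on RegistryValue or RegistryValueData, because the `endpoint.event.regmod` record used here carries neither field (no column in this query is ever renamed to RegistryValue or RegistryValueData). That is the expected contract for a filtering parser whose source lacks the field, but nothing in the query says so and the line reads like a bug to anyone who has not internalised that convention. A `//` comment in the source YAML this template is generated from, such as `// regmod events carry no value name or data; a filter on them cannot match, so return no rows`, would record the intent.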
diff --git a/Parsers/ASimRegistryEvent/Parsers/ASimRegistryEventVMwareCarbonBlackCloud.yaml b/Parsers/ASimRegistryEvent/Parsers/ASimRegistryEventVMwareCarbonBlackCloud.yaml index 9d8459693e..be14a203ed 100644 --- a/Parsers/ASimRegistryEvent/Parsers/ASimRegistryEventVMwareCarbonBlackCloud.yaml +++ b/Parsers/ASimRegistryEvent/Parsers/ASimRegistryEventVMwareCarbonBlackCloud.yaml @@ -1,6 +1,6 @@ Parser: Title: Registry Event ASIM Parser for VMware Carbon Black Cloud - Version: '0.1.0' + Version: '0.1.1' LastUpdated: Oct 10, 2023 Product: Name: VMware Carbon Black Cloud diff --git a/Parsers/ASimRegistryEvent/Parsers/vimRegistryEventVMwareCarbonBlackCloud.yaml b/Parsers/ASimRegistryEvent/Parsers/vimRegistryEventVMwareCarbonBlackCloud.yaml index 9e316d8d2d..9e26186059 100644 --- a/Parsers/ASimRegistryEvent/Parsers/vimRegistryEventVMwareCarbonBlackCloud.yaml +++ b/Parsers/ASimRegistryEvent/Parsers/vimRegistryEventVMwareCarbonBlackCloud.yaml @@ -1,6 +1,6 @@ Parser: Title: Registry Event ASIM Parser for VMware Carbon Black Cloud - Version: '0.1.0' + Version: '0.1.1' LastUpdated: Oct 10, 2023 Product: Name: VMware Carbon Black Cloud diff --git a/Playbooks/Ingest-CanaryTokens/azuredeploy.json b/Playbooks/Ingest-CanaryTokens/azuredeploy.json index e185c1db0a..0c83481880 100644 --- a/Playbooks/Ingest-CanaryTokens/azuredeploy.json +++ b/Playbooks/Ingest-CanaryTokens/azuredeploy.json 
@@ -1,329 +1,416 @@ { - "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata":{ - "comments": "This Logic App connector will act as a Webhook listener, CanaryTokens can then send data upon an incident when the canary token has been opened. This will send the data to Azure Sentinel - CanaryTokens_CL", - "author": "Nathan Swift" - }, - "parameters": { - "PlaybookName": { - "defaultValue": "Ingest-CanaryTokens", - "type": "String" - }, - "WorkspaceID": { - "defaultValue": "your-workspaceID", - "type": "string" - }, - "WorkspaceKey": { - "defaultValue": "your-workspaceKey", - "type": "securestring" - } - }, - "variables": { - "azureloganalyticsdatacollectorConnectionName": "[concat('azureloganalyticsdatacollector-', parameters('PlaybookName'))]" - }, - "resources": [ - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[variables('azureloganalyticsdatacollectorConnectionName')]", - "location": "[resourceGroup().location]", - "properties": { - "displayName": "IngestCanaryTokenAlerts", - "customParameterValues": {}, - "api": { - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]" - }, - "parameterValues": { - "username": "[parameters('workspaceId')]", - "password": "[parameters('workspaceKey')]" - } - } - }, - { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2017-07-01", - "name": "[parameters('PlaybookName')]", - "location": "[resourceGroup().location]", - "tags": { - "LogicAppsCategory": "security" - }, - "dependsOn": [ - "[resourceId('Microsoft.Web/connections', variables('azureloganalyticsdatacollectorConnectionName'))]" - ], - "properties": { - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - 
"contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "defaultValue": {}, - "type": "Object" - } - }, - "triggers": { - "manual": { - "type": "Request", - "kind": "Http", - "inputs": {} - } - }, - "actions": { - "Compose_data_for_Sentinel": { - "runAfter": { - "Parse_JSON_GeoIp": [ - "Succeeded" - ] - }, - "type": "Compose", - "inputs": { - "as": "@{body('Parse_JSON_GeoIp')?['as']}", - "canarytriggertime": "@body('Parse_JSON_Token_Response')?['time']", - "channel": "@{body('Parse_JSON_Token_Response')?['channel']}", - "city": "@{body('Parse_JSON_GeoIp')?['city']}", - "country": "@{body('Parse_JSON_GeoIp')?['country']}", - "countrycode": "@{body('Parse_JSON_GeoIp')?['countryCode']}", - "fileloc": "@{body('Parse_JSON_Token_Response')?['additional_data']?['location']}", - "incidentlist_csv": "@{variables('incidentscsv_url')}", - "incidentlist_json": "@{variables('incidentsjson_url')}", - "lat": "@{body('Parse_JSON_GeoIp')?['lat']}", - "lon": "@{body('Parse_JSON_GeoIp')?['lon']}", - "manage_url": " @{body('Parse_JSON_Token_Response')?['manage_url']}", - "memo": "@{body('Parse_JSON_Token_Response')?['memo']}", - "org": "@{body('Parse_JSON_GeoIp')?['org']}", - "postal": "@{body('Parse_JSON_GeoIp')?['zip']}", - "region": "@{body('Parse_JSON_GeoIp')?['region']}", - "regionname": "@{body('Parse_JSON_GeoIp')?['regionName']}", - "src_ip": "@{body('Parse_JSON_Token_Response')?['additional_data']?['src_ip']}", - "timezone": "@{body('Parse_JSON_GeoIp')?['timezone']}", - "tokenhistory_url": "@{variables('history_url')}", - "useragent": "@{body('Parse_JSON_Token_Response')?['additional_data']?['useragent']}" - } - }, - "HTTP_CanaryTokenDetails": { - "runAfter": { - "Initialize_variable_incidentsjson_url": [ - "Succeeded" - ] - }, - "type": "Http", - "inputs": { - "method": "GET", - "uri": "@variables('incidentsjson_url')" - } - }, - "HTTP_GeoIP": { - "runAfter": { - "HTTP_CanaryTokenDetails": [ - "Succeeded" - ] - }, - "type": "Http", - "inputs": { - "method": 
"GET", - "uri": "http://ip-api.com/json/@{body('Parse_JSON_Token_Response')?['additional_data']?['src_ip']}" - } - }, - "Initialize_variable_TokenAuth": { - "runAfter": { - "Parse_JSON_Token_Response": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "TokenAuth", - "type": "string", - "value": "@{substring(body('Parse_JSON_Token_Response')?['manage_url'], 38)}" - } - ] - } - }, - "Initialize_variable_history_url": { - "runAfter": { - "Initialize_variable_TokenAuth": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "history_url", - "type": "string", - "value": "https://canarytokens.org/history?token=@{variables('TokenAuth')}" - } - ] - } - }, - "Initialize_variable_incidentscsv_url": { - "runAfter": { - "Initialize_variable_history_url": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "incidentscsv_url", - "type": "string", - "value": "https://canarytokens.org/download?fmt=incidentlist_csv&token=@{variables('TokenAuth')}" - } - ] - } - }, - "Initialize_variable_incidentsjson_url": { - "runAfter": { - "Initialize_variable_incidentscsv_url": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "incidentsjson_url", - "type": "string", - "value": "https://canarytokens.org/download?fmt=incidentlist_json&token=@{variables('TokenAuth')}" - } - ] - } - }, - "Parse_JSON_GeoIp": { - "runAfter": { - "HTTP_GeoIP": [ - "Succeeded" - ] - }, - "type": "ParseJson", - "inputs": { - "content": "@body('HTTP_GeoIP')", - "schema": { - "properties": { - "as": { - "type": "string" - }, - "city": { - "type": "string" - }, - "country": { - "type": "string" - }, - "countryCode": { - "type": "string" - }, - "isp": { - "type": "string" - }, - "lat": { - "type": "number" - }, - "lon": { - "type": "number" - }, - "org": { - "type": "string" - }, - "query": { - "type": "string" - }, - 
"region": { - "type": "string" - }, - "regionName": { - "type": "string" - }, - "status": { - "type": "string" - }, - "timezone": { - "type": "string" - }, - "zip": { - "type": "string" - } - }, - "type": "object" - } - } - }, - "Parse_JSON_Token_Response": { - "runAfter": {}, - "type": "ParseJson", - "inputs": { - "content": "@triggerBody()", - "schema": { - "properties": { - "additional_data": { - "properties": { - "location": {}, - "referer": {}, - "src_ip": { - "type": "string" - }, - "useragent": { - "type": "string" - } - }, - "type": "object" - }, - "channel": { - "type": "string" - }, - "manage_url": { - "type": "string" - }, - "memo": { - "type": "string" - }, - "time": { - "type": "string" - } - }, - "type": "object" - } - } - }, - "Send_Data_to_Sentinel": { - "runAfter": { - "Compose_data_for_Sentinel": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": "@{outputs('Compose_data_for_Sentinel')}", - "headers": { - "Log-Type": "CanaryTokens" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" - } - }, - "method": "post", - "path": "/api/logs" - } - } - }, - "outputs": {} - }, - "parameters": { - "$connections": { - "value": { - "AzureLogAnalyticsDataCollector": { - "connectionId": "[resourceId('Microsoft.Web/connections', variables('azureloganalyticsdatacollectorConnectionName'))]", - "connectionName": "[variables('azureloganalyticsdatacollectorConnectionName')]", - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]" - } - } - } - } - } - } - ] -} \ No newline at end of file + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "Put CanaryTokens webhook alerts to Custom Logs table", + "description": "This Logic App connector will act as a 
Webhook listener, CanaryTokens can then send data upon an incident when the canary token has been opened. This will send the data to Azure Sentinel - CanaryTokens_CL", + "mainSteps": [ + "" + ], + "prerequisites": [ + "" + ], + "postDeployment": [ + "1. Create CanaryTokens with LogicApp webhook\n2. Create matching analytic rule." + ], + "prerequisitesDeployTemplateFile": "", + "lastUpdateTime": "2023-08-28T10:00:00.000Z", + "entities": [ + "Ip" + ], + "tags": [ + "Alert", + "Honeytokens", + "Honeyfiles" + ], + "support": { + "tier": "community" + }, + "author": { + "name": "Nathan Swift" + }, + "source": { + "kind": "Community" + }, + "version": "1.1.0", + "releaseNotes": [ + { + "version": "1.0.0", + "title": "Put CanaryTokens webhook alerts to Custom Logs table", + "notes": [ + "Initial version" + ] + }, + { + "version": "1.1.0", + "title": "v1.1.0", + "notes": [ + "Match current CanaryToken API, Remove duplicate GeoIP, resourceTags and location as parameters" + ] + } + ] + }, + "parameters": { + "resourceTags": { + "type": "object", + "defaultValue": { + "LogicAppsCategory": "security" + }, + "metadata": { + "description": "The Azure tags to set on the resource." + } + }, + "PlaybookName": { + "defaultValue": "Ingest-CanaryTokens", + "type": "String", + "metadata": { + "description": "The Playbook aka LogicApp name." + } + }, + "WorkspaceID": { + "defaultValue": "your-workspaceID", + "type": "string", + "metadata": { + "description": "The target WorkspaceId for custom logs table." + } + }, + "WorkspaceKey": { + "defaultValue": "your-workspaceKey", + "type": "securestring", + "metadata": { + "description": "The target WorkspaceKey for custom logs table." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." 
+ } + } + }, + "variables": { + "azureloganalyticsdatacollectorConnectionName": "[concat('azureloganalyticsdatacollector-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('azureloganalyticsdatacollectorConnectionName')]", + "location": "[parameters('location')]", + "tags": { + "tags": "[parameters('resourceTags')]" + }, + "properties": { + "displayName": "IngestCanaryTokenAlerts", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]" + }, + "parameterValues": { + "username": "[parameters('workspaceId')]", + "password": "[parameters('workspaceKey')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[parameters('PlaybookName')]", + "location": "[resourceGroup().location]", + "tags": { + "tags": "[parameters('resourceTags')]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('azureloganalyticsdatacollectorConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + } + }, + "triggers": { + "manual": { + "type": "Request", + "kind": "Http", + "inputs": {} + } + }, + "actions": { + "Compose_data_for_Sentinel": { + "runAfter": { + "HTTP_CanaryTokenDetails": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": { + "as": "@{body('Parse_JSON_Token_Response')?['additional_data']?['geo_info']?['asn']?['asn']}", + "canarytriggertime": "@body('Parse_JSON_Token_Response')?['time']", + "channel": "@{body('Parse_JSON_Token_Response')?['channel']}", + "city": 
"@{body('Parse_JSON_Token_Response')?['additional_data']?['geo_info']?['city']}", + "country": "@{body('Parse_JSON_Token_Response')?['additional_data']?['geo_info']?['country']}", + "countrycode": "@{body('Parse_JSON_Token_Response')?['additional_data']?['geo_info']?['country']}", + "fileloc": "@{body('Parse_JSON_Token_Response')?['additional_data']?['geo_info']?['loc']}", + "incidentlist_csv": "@{variables('incidentscsv_url')}", + "incidentlist_json": "@{variables('incidentsjson_url')}", + "lat": "", + "lon": "", + "manage_url": " @{body('Parse_JSON_Token_Response')?['manage_url']}", + "memo": "@{body('Parse_JSON_Token_Response')?['memo']}", + "org": "@{body('Parse_JSON_Token_Response')?['additional_data']?['geo_info']?['org']}", + "postal": "@{body('Parse_JSON_Token_Response')?['additional_data']?['geo_info']?['postal']}", + "region": "@{body('Parse_JSON_Token_Response')?['additional_data']?['geo_info']?['region']}", + "regionname": "@{body('Parse_JSON_Token_Response')?['additional_data']?['geo_info']?['region']}", + "src_ip": "@{body('Parse_JSON_Token_Response')?['src_ip']}", + "timezone": "@{body('Parse_JSON_Token_Response')?['additional_data']?['geo_info']?['timezone']}", + "token_type": "@{body('Parse_JSON_Token_Response')?['token_type']}", + "tokenhistory_url": "@{variables('history_url')}", + "useragent": "@{body('Parse_JSON_Token_Response')?['additional_data']?['useragent']}" + } + }, + "HTTP_CanaryTokenDetails": { + "runAfter": { + "Initialize_variable_incidentsjson_url": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "method": "GET", + "uri": "@variables('incidentsjson_url')" + } + }, + "Initialize_variable_TokenAuth": { + "runAfter": { + "Condition_newly_saved_webhook": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "TokenAuth", + "type": "string", + "value": "@{substring(body('Parse_JSON_Token_Response')?['manage_url'], 38)}" + } + ] + } + }, + "Initialize_variable_history_url": { + 
"runAfter": { + "Initialize_variable_TokenAuth": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "history_url", + "type": "string", + "value": "https://canarytokens.org/history?token=@{variables('TokenAuth')}" + } + ] + } + }, + "Initialize_variable_incidentscsv_url": { + "runAfter": { + "Initialize_variable_history_url": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "incidentscsv_url", + "type": "string", + "value": "https://canarytokens.org/download?fmt=incidentlist_csv&token=@{variables('TokenAuth')}" + } + ] + } + }, + "Initialize_variable_incidentsjson_url": { + "runAfter": { + "Initialize_variable_incidentscsv_url": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "incidentsjson_url", + "type": "string", + "value": "https://canarytokens.org/download?fmt=incidentlist_json&token=@{variables('TokenAuth')}" + } + ] + } + }, + "Condition_newly_saved_webhook": { + "actions": { + "Terminate_newly_saved_webhook": { + "inputs": { + "runStatus": "Cancelled" + }, + "runAfter": {}, + "type": "Terminate" + } + }, + "expression": { + "and": [ + { + "equals": [ + "@body('Parse_JSON_Token_Response')?['memo']", + "Congrats! 
The newly saved webhook works" + ] + } + ] + }, + "runAfter": { + "Parse_JSON_Token_Response": [ + "Succeeded" + ] + }, + "type": "If" + }, + "Parse_JSON_Token_Response": { + "runAfter": {}, + "type": "ParseJson", + "inputs": { + "content": "@triggerBody()", + "schema": { + "properties": { + "channel": { + "type": "string" + }, + "token_type": { + "type": "string" + }, + "src_ip": { + "type": "string" + }, + "token": { + "type": "string" + }, + "time": { + "type": "string" + }, + "memo": { + "type": "string" + }, + "manage_url": { + "type": "string" + }, + "additional_data": { + "type": "object", + "properties": { + "geo_info": { + "type": "object", + "properties": { + "loc": { + "type": "string" + }, + "org": { + "type": "string" + }, + "city": { + "type": "string" + }, + "country": { + "type": "string" + }, + "region": { + "type": "string" + }, + "hostname": { + "type": "string" + }, + "ip": { + "type": "string" + }, + "timezone": { + "type": "string" + }, + "postal": { + "type": "string" + }, + "asn": { + "type": "object", + "properties": { + "route": { + "type": "string" + }, + "type": { + "type": "string" + }, + "asn": { + "type": "string" + }, + "domain": { + "type": "string" + }, + "name": { + "type": "string" + } + } + } + } + }, + "useragent": { + "type": "string" + } + } + } + }, + "type": "object" + } + } + }, + "Send_Data_to_Sentinel": { + "runAfter": { + "Compose_data_for_Sentinel": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@{outputs('Compose_data_for_Sentinel')}", + "headers": { + "Log-Type": "CanaryTokens" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs" + } + } + }, + "outputs": {} + }, + "parameters": { + "$connections": { + "value": { + "AzureLogAnalyticsDataCollector": { + "connectionId": "[resourceId('Microsoft.Web/connections', 
variables('azureloganalyticsdatacollectorConnectionName'))]", + "connectionName": "[variables('azureloganalyticsdatacollectorConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]" + } + } + } + } + } + } + ] +} diff --git a/Playbooks/Ingest-CanaryTokens/readme.md b/Playbooks/Ingest-CanaryTokens/readme.md index 3d94f956d3..fe71be2f31 100644 --- a/Playbooks/Ingest-CanaryTokens/readme.md +++ b/Playbooks/Ingest-CanaryTokens/readme.md 
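Review bot: Both resources wrap the tag object one level too deep, `"tags": { "tags": "[parameters('resourceTags')]" }`, which either fails template validation (tag values must be strings) or yields a single tag literally named `tags` instead of the `LogicAppsCategory: security` tag the old template set; it should be `"tags": "[parameters('resourceTags')]"` on both the connection and the workflow. The workflow resource also keeps `"location": "[resourceGroup().location]"` while the connection switched to `"[parameters('location')]"`, so the new `location` parameter is only half applied. Separately, `manage_url` and the three URLs derived from it (`history_url`, `incidentscsv_url`, `incidentsjson_url`) embed the token's management secret and are written into `CanaryTokens_CL` by `Compose_data_for_Sentinel`; consider dropping them from the composed record, or at least documenting that read access to that table must be restricted. The `manage_url` value additionally carries a leading space (`" @{body(...)?['manage_url']}"`) that is ingested verbatim.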
@@ -1,16 +1,16 @@ # Ingest-CanaryTokens author: Nathan Swift -This Logic App connector will act as a Webhook listener, CanaryTokens can then send data upon an incident when the Canarytoken has been opened. This will send the data to Azure Sentinel - CanaryTokens_CL +This Logic App connector will act as a Webhook listener, CanaryTokens can then send data upon an incident when the Canarytoken has been opened. This will send the data to Azure Sentinel - CanaryTokens_CL [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.git.ttaallkk.top%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FIngest-CanaryTokens%2Fazuredeploy.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.git.ttaallkk.top%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FIngest-CanaryTokens%2Fazuredeploy.json) **HowTo Use** -Canary Tokens are digital artifacts that are a tripwire othat exposes a potential attacker. You can leave them in your network and file shares and in other places in your enviroment. Generate and sprinkle them throughout, be sure to use enticing names like Finance Report or Customer Accounts. The goal is to make it look worthwhile to exploit and data exfiltrate. Upon execution of the Canarytoken like a MS Word Document a HTTP GET call is made to CanaryTokens.org which in turn can send an email and send data to a Webhook. In this case we want the data also enriched and sent to Azure Sentinel notifying us that a potential attacker had opened the Canarytoken to kick of an investiagetion and case using Azure Sentinel to help dive deeper into the logs. +Canary Tokens are digital artifacts that are a tripwire othat exposes a potential attacker. You can leave them in your network and file shares and in other places in your environment. 
Generate and sprinkle them throughout, be sure to use enticing names like Finance Report or Customer Accounts. The goal is to make it look worthwhile to exploit and data exfiltrate. Upon execution of the Canarytoken like a MS Word Document a HTTP GET call is made to CanaryTokens.org which in turn can send an email and send data to a Webhook. In this case we want the data also enriched and sent to Azure Sentinel notifying us that a potential attacker had opened the Canarytoken to kick of an investiagetion and case using Azure Sentinel to help dive deeper into the logs. -When setting up [CanaryTokens Here](https://www.canarytokens.org/generate "CanaryTokens Here") here you will see the field "provide an email address and/or webhook URL", be sure to place your email address seperated by a SPACE with a copy of the complete HTTP Listener URL into the this field. +When setting up [CanaryTokens Here](https://www.canarytokens.org/generate "CanaryTokens Here") here you will see the field "provide an email address and/or webhook URL", be sure to place your email address separated by a SPACE with a copy of the complete HTTP Listener URL into the this field. Or you can just put a webhook and no email`. Example someone@someorg.com https://prod-79.eastus.logic.azure.com:443/workflows/579fb7927ab64ce7b4d34a4c85c65003/triggers/manual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=PsKBVi7LZgQ4y1ih59L5RWNpKzRd7hpkp9YiyH_WV4K 
@@ -26,7 +26,7 @@ For further reading on HoneyPots and HoneyTokens I recommend Chris Sander's book ```id: 27dda424-1dbe-4236-9dd5-c484b23111a5 name: Canarytoken Triggered description: | - 'A Canarytoken has been triggered in your enviroment, this may be an early sign of attacker intent and activity, + 'A Canarytoken has been triggered in your environment, this may be an early sign of attacker intent and activity, please follow up with Azure Sentinel logs and incidents accordingly along with the Server this Canarytoken was hosted on. Reference: https://blog.thinkst.com/p/canarytokensorg-quick-free-detection.html' severity: High 
@@ -54,7 +54,85 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity - +``` + +ARM Template +``` +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "metadata": { + "description": "Log Analytics Workspace Name" + }, + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers/', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/06031632-ac64-44b4-839b-5d429f3dd21b')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/06031632-ac64-44b4-839b-5d429f3dd21b')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "properties": { + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": true, + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": [], + "groupByCustomDetails": [] + } + }, + "customDetails": { + "memo": "memo_s", + "canarytokens_url": "manage_url_s", + "token_type": "token_type_s", + "asn": "as_s", + "countrycode": "countrycode_s", + "useragent": "useragent_s" + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "queryFrequency": "PT5M", + "queryPeriod": "PT5M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "severity": "High", + "query": "CanaryTokens_CL\n| extend Canarydata = parse_csv(memo_s)\n| extend\n CanaryHost = tostring(Canarydata[0]),\n CanaryPublicIP = tostring(Canarydata[1]),\n CanaryPrivateIP = tostring(Canarydata[2]),\n CanaryShare = tostring(Canarydata[3]),\n CanaryDescription = tostring(Canarydata[4])\n| extend 
CanaryExcutedonHost = iif(CanaryPublicIP == src_ip_s, true, false)\n| extend timestamp = TimeGenerated, IPCustomEntity = src_ip_s //,AccountCustomEntity = user_s, HostCustomEntity = computer_s\n\n", + "suppressionDuration": "PT5H", + "suppressionEnabled": false, + "tactics": [ + "Collection", + "Discovery", + "Exfiltration" + ], + "displayName": "Canarytoken Triggered", + "enabled": true, + "description": "A Canarytoken has been triggered in your environment, this may be an early sign of attacker intent and activity, please follow up with Azure Sentinel logs and incidents accordingly along with the Server this Canarytoken was hosted on.\nSee Sentinel custom details and canarytoken history page for context.\nReference: https://blog.thinkst.com/p/canarytokensorg-quick-free-detection.html", + "alertRuleTemplateName": null + }, + "apiVersion": "2021-09-01-preview" + } + ] +} +``` The following Canarytokens have been tested: 
@@ -76,4 +154,20 @@ The following Canarytokens have been tested: *Slow Redirect* -more to be tested... \ No newline at end of file +more to be tested... + +## Deployment through Sentinel Repository (CI/CD) + +Analytic rule depends on CustomLog table that at this point is not supported by pipeline. +[Documentation](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/create-custom-table?tabs=azure-cli-1%2Cazure-portal-2%2Cazure-portal-3) references few way to do it through Azure Portal, API, Az cli, and Powershell. +Example command with az cli: +``` +az login +az account set --subscription MySubscription +az monitor log-analytics workspace table create --resource-group MyResourceGroup --workspace-name MyWorkspace -n CanaryTokens_CL --columns as_s=string canarytriggertime_s=string channel_s=string city_s=string Computer=string countrycode_s=string fileloc_s=string incidentlist_csv_s=string incidentlist_json_s=string lat_s=string lon_s=string manage_url_s=string memo_s=string org_s=string postal_s=string RawData=string regionname_s=string region_s=string src_ip_s=string TimeGenerated=datetime timezone_s=string tokenhistory_url_s=string token_type_s=string Type=string useragent_s=string _BilledSize=real _IsBillable=string _ResourceId=string _SubscriptionId=string +``` +Note that default pipeline permissions don't allow to do this. It requires 'Microsoft.OperationalInsights/workspaces/tables/write' on matching workspace. + +Else you should deploy playbook first, create a token, and trigger once, before deploying analytic rule. +Token creation will trigger a webhook call but with a different payload and logicapp run is known to fail. +Token trigger triggers webhook and may result in an error 403, InvalidAuthorization. 
diff --git a/Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurityConn.zip b/Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurityConn.zip
index 12974be66d..8d3e9e2188 100644
Binary files a/Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurityConn.zip and b/Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurityConn.zip differ
diff --git a/Solutions/AbnormalSecurity/Data Connectors/SentinelTimerTrigger/__init__.py b/Solutions/AbnormalSecurity/Data Connectors/SentinelTimerTrigger/__init__.py
index ed0a77eefd..73dbbf08ec 100644
--- a/Solutions/AbnormalSecurity/Data Connectors/SentinelTimerTrigger/__init__.py
+++ b/Solutions/AbnormalSecurity/Data Connectors/SentinelTimerTrigger/__init__.py
@@ -15,9 +15,8 @@ async def main(mytimer: func.TimerRequest, starter: str):
 client = df.DurableOrchestrationClient(starter)
 instance_id = "singleton_instance"
 existing_instance = await client.get_status(instance_id)
- if existing_instance is None or str(existing_instance.runtime_status) in [None, "OrchestrationRuntimeStatus.Completed", "OrchestrationRuntimeStatus.Failed", "OrchestrationRuntimeStatus.Terminated"]:
+ if existing_instance is None or str(existing_instance.runtime_status) in ["None", "OrchestrationRuntimeStatus.Completed", "OrchestrationRuntimeStatus.Failed", "OrchestrationRuntimeStatus.Terminated"]:
 instance_id = await client.start_new("SentinelFunctionsOrchestrator", instance_id)
 logging.info(f"Starting new orchestration - the runtime status is: {str(existing_instance.runtime_status)}")
 else:
 logging.info(f"Skipped orchestration - runtime status is : {str(existing_instance.runtime_status)}")
-
diff --git a/Solutions/Authomize/Analytic Rules/AWS_role_with_admin_privileges.yaml b/Solutions/Authomize/Analytic Rules/AWS_role_with_admin_privileges.yaml
index e7a59fe186..43e5d33970 100644
--- a/Solutions/Authomize/Analytic Rules/AWS_role_with_admin_privileges.yaml
+++ b/Solutions/Authomize/Analytic Rules/AWS_role_with_admin_privileges.yaml
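Review bot: The log line right after the changed condition still dereferences `existing_instance.runtime_status` unconditionally, so the `existing_instance is None` case the condition explicitly allows raises AttributeError as soon as `start_new` returns, and the first run after deployment fails. Read the status once into a local, e.g. `status = None if existing_instance is None else str(existing_instance.runtime_status)`, then use `status` in both the membership test (`status in [None, "OrchestrationRuntimeStatus.Completed", ...]`) and the two `logging.info` messages. Matching the stringified enum against `"None"` and `"OrchestrationRuntimeStatus.Completed"` works but is fragile; comparing `existing_instance.runtime_status` to the `OrchestrationRuntimeStatus` enum members from the durable functions package would not depend on the enum's `__str__`. `main` starts before this hunk.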
@@ -9,15 +9,20 @@ queryPeriod: 30m triggerOperator: gt triggerThreshold: 0 tactics: -- InitialAccess + - InitialAccess relevantTechniques: -- T1078 + - T1078 query: |- Authomize_v2_CL | where ingestion_time() >= ago(30m) | extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s | where Policy has "AWS role with admin privileges" | project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics +entityMappings: + - entityType: URL + fieldMappings: + - identifier: Url + columnName: URL requiredDataConnectors: - connectorId: Authomize dataTypes: [ "Authomize_v2_CL" ] @@ -49,4 +54,4 @@ customDetails: ReferencedURL: URL suppressionDuration: 5h suppressionEnabled: false -version: 1.0.1 \ No newline at end of file +version: 1.0.2 \ No newline at end of file diff --git a/Solutions/Authomize/Analytic Rules/AWS_role_with_shadow_admin_privileges.yaml b/Solutions/Authomize/Analytic Rules/AWS_role_with_shadow_admin_privileges.yaml index 2ed07f2c37..8fa3acc868 100644 --- a/Solutions/Authomize/Analytic Rules/AWS_role_with_shadow_admin_privileges.yaml +++ b/Solutions/Authomize/Analytic Rules/AWS_role_with_shadow_admin_privileges.yaml @@ -9,15 +9,20 @@ queryPeriod: 30m triggerOperator: gt triggerThreshold: 0 tactics: -- InitialAccess + - InitialAccess relevantTechniques: -- T1078 + - T1078 query: |- Authomize_v2_CL | where ingestion_time() >= ago(30m) | extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s | where Policy has "AWS role with shadow admin privileges" | project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics +entityMappings: + - entityType: URL + fieldMappings: + - identifier: Url + columnName: URL requiredDataConnectors: - connectorId: Authomize dataTypes: [ "Authomize_v2_CL" ] 
@@ -50,4 +55,4 @@ customDetails: ReferencedURL: URL suppressionDuration: 5h suppressionEnabled: false -version: 1.0.1 \ No newline at end of file +version: 1.0.2 \ No newline at end of file diff --git a/Solutions/Authomize/Analytic Rules/Access_to_AWS_without_MFA.yaml b/Solutions/Authomize/Analytic Rules/Access_to_AWS_without_MFA.yaml index 2c6299acac..e01eb2561b 100644 --- a/Solutions/Authomize/Analytic Rules/Access_to_AWS_without_MFA.yaml +++ b/Solutions/Authomize/Analytic Rules/Access_to_AWS_without_MFA.yaml @@ -9,15 +9,20 @@ queryPeriod: 30m triggerOperator: gt triggerThreshold: 0 tactics: -- InitialAccess + - InitialAccess relevantTechniques: -- T1078 + - T1078 query: |- Authomize_v2_CL | where ingestion_time() >= ago(30m) | extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s | where Policy has "Access to AWS without MFA" | project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics +entityMappings: + - entityType: URL + fieldMappings: + - identifier: Url + columnName: URL requiredDataConnectors: - connectorId: Authomize dataTypes: [ "Authomize_v2_CL" ] @@ -50,4 +55,4 @@ customDetails: ReferencedURL: URL suppressionDuration: 5h suppressionEnabled: false -version: 1.0.1 \ No newline at end of file +version: 1.0.2 \ No newline at end of file diff --git a/Solutions/Authomize/Analytic Rules/Admin_SaaS_account_detected.yaml b/Solutions/Authomize/Analytic Rules/Admin_SaaS_account_detected.yaml index 62cd305774..6da1f33a8e 100644 --- a/Solutions/Authomize/Analytic Rules/Admin_SaaS_account_detected.yaml +++ b/Solutions/Authomize/Analytic Rules/Admin_SaaS_account_detected.yaml 
@@ -9,17 +9,22 @@ queryPeriod: 30m triggerOperator: gt triggerThreshold: 0 tactics: -- InitialAccess -- PrivilegeEscalation + - InitialAccess + - PrivilegeEscalation relevantTechniques: -- T1078 -- T1078 + - T1078 + - T1078 query: |- Authomize_v2_CL | where ingestion_time() >= ago(30m) | extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s | where Policy has "Admin SaaS account detected" | project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics +entityMappings: + - entityType: URL + fieldMappings: + - identifier: Url + columnName: URL requiredDataConnectors: - connectorId: Authomize dataTypes: [ "Authomize_v2_CL" ] @@ -51,4 +56,4 @@ customDetails: ReferencedURL: URL suppressionDuration: 5h suppressionEnabled: false -version: 1.0.1 \ No newline at end of file +version: 1.0.2 \ No newline at end of file diff --git a/Solutions/Authomize/Analytic Rules/Admin_password_wasnt_updated.yaml b/Solutions/Authomize/Analytic Rules/Admin_password_wasnt_updated.yaml index 0d8911f534..29db3c01a5 100644 --- a/Solutions/Authomize/Analytic Rules/Admin_password_wasnt_updated.yaml +++ b/Solutions/Authomize/Analytic Rules/Admin_password_wasnt_updated.yaml 
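Review bot: `relevantTechniques` still lists `T1078` twice after the re-indentation; the second entry is redundant and a duplicate list item is the kind of thing a schema validator may reject, so reduce it to `relevantTechniques:` / `  - T1078`. Listing both `InitialAccess` and `PrivilegeEscalation` under `tactics` is fine, since ATT&CK maps T1078 (Valid Accounts) to both, but the technique only needs to appear once. The other Authomize rules in this commit do not share the duplicate.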
@@ -9,15 +9,20 @@ queryPeriod: 30m
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-- InitialAccess
+ - InitialAccess
 relevantTechniques:
-- T1078
+ - T1078
 query: |-
 Authomize_v2_CL
 | where ingestion_time() >= ago(30m)
 | extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
 | where Policy has "Admin password wasn't updated during the last 30 days"
 | project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
+entityMappings:
+ - entityType: URL
+ fieldMappings:
+ - identifier: Url
+ columnName: URL
 requiredDataConnectors:
 - connectorId: Authomize
 dataTypes: [ "Authomize_v2_CL" ]
@@ -50,4 +55,4 @@ customDetails:
 ReferencedURL: URL
 suppressionDuration: 5h
 suppressionEnabled: false
-version: 1.0.1
\ No newline at end of file
+version: 1.0.2
\ No newline at end of file
diff --git a/Solutions/Authomize/Analytic Rules/Chain_of_3_or_more_roles.yaml b/Solutions/Authomize/Analytic Rules/Chain_of_3_or_more_roles.yaml
index a437540b3e..c756d18950 100644
--- a/Solutions/Authomize/Analytic Rules/Chain_of_3_or_more_roles.yaml
+++ b/Solutions/Authomize/Analytic Rules/Chain_of_3_or_more_roles.yaml
@@ -9,13 +9,18 @@ queryPeriod: 30m
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-- PrivilegeEscalation
+ - PrivilegeEscalation
 query: |-
 Authomize_v2_CL
 | where ingestion_time() >= ago(30m)
 | extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
 | where Policy has "Chain of 3 or more roles"
 | project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
+entityMappings:
+ - entityType: URL
+ fieldMappings:
+ - identifier: Url
+ columnName: URL
 requiredDataConnectors:
 - connectorId: Authomize
 dataTypes: [ "Authomize_v2_CL" ]
@@ -47,4 +52,4 @@ customDetails:
 ReferencedURL: URL
 suppressionDuration: 5h
 suppressionEnabled: false
-version: 1.0.1
\ No newline at end of file
+version: 1.0.2
\ No newline at end of file
diff --git a/Solutions/Authomize/Analytic Rules/Detect_AWS_IAM_Users.yaml b/Solutions/Authomize/Analytic Rules/Detect_AWS_IAM_Users.yaml
index b9be0a03ff..fff10ec45a 100644
--- a/Solutions/Authomize/Analytic Rules/Detect_AWS_IAM_Users.yaml
+++ b/Solutions/Authomize/Analytic Rules/Detect_AWS_IAM_Users.yaml
@@ -9,15 +9,20 @@ queryPeriod: 30m
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-- PrivilegeEscalation
+ - PrivilegeEscalation
 relevantTechniques:
-- T1078
+ - T1078
 query: |-
 Authomize_v2_CL
 | where ingestion_time() >= ago(30m)
 | extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
 | where Policy has "Detect AWS IAM Users"
 | project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
+entityMappings:
+ - entityType: URL
+ fieldMappings:
+ - identifier: Url
+ columnName: URL
 requiredDataConnectors:
 - connectorId: Authomize
 dataTypes: [ "Authomize_v2_CL" ]
@@ -49,4 +54,4 @@ customDetails:
 ReferencedURL: URL
 suppressionDuration: 5h
 suppressionEnabled: false
-version: 1.0.1
\ No newline at end of file
+version: 1.0.2
\ No newline at end of file
diff --git a/Solutions/Authomize/Analytic Rules/Empty_group_with_entitlements.yaml b/Solutions/Authomize/Analytic Rules/Empty_group_with_entitlements.yaml
index 19f398e748..fe63886214 100644
--- a/Solutions/Authomize/Analytic Rules/Empty_group_with_entitlements.yaml
+++ b/Solutions/Authomize/Analytic Rules/Empty_group_with_entitlements.yaml
@@ -9,13 +9,18 @@ queryPeriod: 30m
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-- PrivilegeEscalation
+ - PrivilegeEscalation
 query: |-
 Authomize_v2_CL
 | where ingestion_time() >= ago(30m)
 | extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
 | where Policy has "Empty group with entitlements"
 | project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
+entityMappings:
+ - entityType: URL
+ fieldMappings:
+ - identifier: Url
+ columnName: URL
 requiredDataConnectors:
 - connectorId: Authomize
 dataTypes: [ "Authomize_v2_CL" ]
@@ -47,4 +52,4 @@ customDetails:
 ReferencedURL: URL
 suppressionDuration: 5h
 suppressionEnabled: false
-version: 1.0.1
\ No newline at end of file
+version: 1.0.2
\ No newline at end of file
diff --git a/Solutions/Authomize/Analytic Rules/IaaS_admin_detected.yaml b/Solutions/Authomize/Analytic Rules/IaaS_admin_detected.yaml
index 48927af92d..0fa69b048f 100644
--- a/Solutions/Authomize/Analytic Rules/IaaS_admin_detected.yaml
+++ b/Solutions/Authomize/Analytic Rules/IaaS_admin_detected.yaml
@@ -9,15 +9,20 @@ queryPeriod: 30m
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-- InitialAccess
+ - InitialAccess
 relevantTechniques:
-- T1078
+ - T1078
 query: |-
 Authomize_v2_CL
 | where ingestion_time() >= ago(30m)
 | extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
 | where Policy has "IaaS admin detected"
 | project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
+entityMappings:
+ - entityType: URL
+ fieldMappings:
+ - identifier: Url
+ columnName: URL
 requiredDataConnectors:
 - connectorId: Authomize
 dataTypes: [ "Authomize_v2_CL" ]
@@ -50,4 +55,4 @@ customDetails:
 ReferencedURL: URL
 suppressionDuration: 5h
 suppressionEnabled: false
-version: 1.0.1
\ No newline at end of file
+version: 1.0.2
\ No newline at end of file
diff --git a/Solutions/Authomize/Analytic Rules/IaaS_policy_not_attached_to_any_identity.yaml b/Solutions/Authomize/Analytic Rules/IaaS_policy_not_attached_to_any_identity.yaml
index 1761a8a66e..f5747b8f10 100644
--- a/Solutions/Authomize/Analytic Rules/IaaS_policy_not_attached_to_any_identity.yaml
+++ b/Solutions/Authomize/Analytic Rules/IaaS_policy_not_attached_to_any_identity.yaml
@@ -9,13 +9,18 @@ queryPeriod: 30m
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-- PrivilegeEscalation
+ - PrivilegeEscalation
 query: |-
 Authomize_v2_CL
 | where ingestion_time() >= ago(30m)
 | extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
 | where Policy has "IaaS policy not attached to any identity"
 | project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
+entityMappings:
+ - entityType: URL
+ fieldMappings:
+ - identifier: Url
+ columnName: URL
 requiredDataConnectors:
 - connectorId: Authomize
 dataTypes: [ "Authomize_v2_CL" ]
@@ -47,4 +52,4 @@ customDetails:
 ReferencedURL: URL
 suppressionDuration: 5h
 suppressionEnabled: false
-version: 1.0.1
\ No newline at end of file
+version: 1.0.2
\ No newline at end of file
diff --git a/Solutions/Authomize/Analytic Rules/IaaS_shadow_admin_detected.yaml b/Solutions/Authomize/Analytic Rules/IaaS_shadow_admin_detected.yaml
index d5bca1ec6b..351ad0a81c 100644
--- a/Solutions/Authomize/Analytic Rules/IaaS_shadow_admin_detected.yaml
+++ b/Solutions/Authomize/Analytic Rules/IaaS_shadow_admin_detected.yaml
@@ -9,15 +9,20 @@ queryPeriod: 30m
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-- InitialAccess
+ - InitialAccess
 relevantTechniques:
-- T1078
+ - T1078
 query: |-
 Authomize_v2_CL
 | where ingestion_time() >= ago(30m)
 | extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
 | where Policy has "IaaS shadow admin detected"
 | project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
+entityMappings:
+ - entityType: URL
+ fieldMappings:
+ - identifier: Url
+ columnName: URL
 requiredDataConnectors:
 - connectorId: Authomize
 dataTypes: [ "Authomize_v2_CL" ]
@@ -50,4 +55,4 @@ customDetails:
 ReferencedURL: URL
 suppressionDuration: 5h
 suppressionEnabled: false
-version: 1.0.1
\ No newline at end of file
+version: 1.0.2
\ No newline at end of file
diff --git a/Solutions/Authomize/Analytic Rules/New_direct_access_policy_was_granted.yaml b/Solutions/Authomize/Analytic Rules/New_direct_access_policy_was_granted.yaml
index 4764813811..ce75222b42 100644
--- a/Solutions/Authomize/Analytic Rules/New_direct_access_policy_was_granted.yaml
+++ b/Solutions/Authomize/Analytic Rules/New_direct_access_policy_was_granted.yaml
@@ -9,17 +9,22 @@ queryPeriod: 30m
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-- InitialAccess
-- PrivilegeEscalation
+ - InitialAccess
+ - PrivilegeEscalation
 relevantTechniques:
-- T1078
-- T1078
+ - T1078
+ - T1078
 query: |-
 Authomize_v2_CL
 | where ingestion_time() >= ago(30m)
 | extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
 | where Policy has "New direct access policy was granted against organizational policy"
 | project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
+entityMappings:
+ - entityType: URL
+ fieldMappings:
+ - identifier: Url
+ columnName: URL
 requiredDataConnectors:
 - connectorId: Authomize
 dataTypes: [ "Authomize_v2_CL" ]
@@ -52,4 +57,4 @@ customDetails:
 ReferencedURL: URL
 suppressionDuration: 5h
 suppressionEnabled: false
-version: 1.0.1
\ No newline at end of file
+version: 1.0.2
\ No newline at end of file
diff --git a/Solutions/Authomize/Analytic Rules/New_service_account_gained_access_to_IaaS_resource.yaml b/Solutions/Authomize/Analytic Rules/New_service_account_gained_access_to_IaaS_resource.yaml
index d575d05585..8b4742090a 100644
--- a/Solutions/Authomize/Analytic Rules/New_service_account_gained_access_to_IaaS_resource.yaml
+++ b/Solutions/Authomize/Analytic Rules/New_service_account_gained_access_to_IaaS_resource.yaml
@@ -9,13 +9,18 @@ queryPeriod: 30m
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-- InitialAccess
+ - InitialAccess
 query: |-
 Authomize_v2_CL
 | where ingestion_time() >= ago(30m)
 | extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
 | where Policy has "New service account gained access to IaaS resource"
 | project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
+entityMappings:
+ - entityType: URL
+ fieldMappings:
+ - identifier: Url
+ columnName: URL
 requiredDataConnectors:
 - connectorId: Authomize
 dataTypes: [ "Authomize_v2_CL" ]
@@ -47,4 +52,4 @@ customDetails:
 ReferencedURL: URL
 suppressionDuration: 5h
 suppressionEnabled: false
-version: 1.0.1
\ No newline at end of file
+version: 1.0.2
\ No newline at end of file
diff --git a/Solutions/Authomize/Analytic Rules/Password_Exfiltration_over_SCIM.yaml b/Solutions/Authomize/Analytic Rules/Password_Exfiltration_over_SCIM.yaml
index 7e58a0d0e9..f7bf700aa1 100644
--- a/Solutions/Authomize/Analytic Rules/Password_Exfiltration_over_SCIM.yaml
+++ b/Solutions/Authomize/Analytic Rules/Password_Exfiltration_over_SCIM.yaml
@@ -9,18 +9,23 @@ queryPeriod: 30m
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-- CredentialAccess
-- InitialAccess
+ - CredentialAccess
+ - InitialAccess
 relevantTechniques:
-- T1555
-- T1040
-- T1552
+ - T1555
+ - T1040
+ - T1552
 query: |-
 Authomize_v2_CL
 | where ingestion_time() >= ago(30m)
 | extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
 | where Policy has "Password Exfiltration over SCIM application"
 | project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
+entityMappings:
+ - entityType: URL
+ fieldMappings:
+ - identifier: Url
+ columnName: URL
 requiredDataConnectors:
 - connectorId: Authomize
 dataTypes: [ "Authomize_v2_CL" ]
@@ -52,4 +57,4 @@ customDetails:
 ReferencedURL: URL
 suppressionDuration: 5h
 suppressionEnabled: false
-version: 1.0.1
\ No newline at end of file
+version: 1.0.2
\ No newline at end of file
diff --git a/Solutions/Authomize/Analytic Rules/Privileged_Machines_Exposed_to_the_Internet.yaml b/Solutions/Authomize/Analytic Rules/Privileged_Machines_Exposed_to_the_Internet.yaml
index f28f475652..a05c67ab2e 100644
--- a/Solutions/Authomize/Analytic Rules/Privileged_Machines_Exposed_to_the_Internet.yaml
+++ b/Solutions/Authomize/Analytic Rules/Privileged_Machines_Exposed_to_the_Internet.yaml
@@ -9,16 +9,21 @@ queryPeriod: 30m
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-- Discovery
-- Impact
+ - Discovery
+ - Impact
 relevantTechniques:
-- T1580
+ - T1580
 query: |-
 Authomize_v2_CL
 | where ingestion_time() >= ago(30m)
 | extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
 | where Policy has "Privileged Machines Exposed to the Internet"
 | project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
+entityMappings:
+ - entityType: URL
+ fieldMappings:
+ - identifier: Url
+ columnName: URL
 requiredDataConnectors:
 - connectorId: Authomize
 dataTypes: [ "Authomize_v2_CL" ]
@@ -50,4 +55,4 @@ customDetails:
 ReferencedURL: URL
 suppressionDuration: 5h
 suppressionEnabled: false
-version: 1.0.1
\ No newline at end of file
+version: 1.0.2
\ No newline at end of file
diff --git a/Solutions/Authomize/Analytic Rules/Refactor_AWS_policy_based_on_activities.yaml b/Solutions/Authomize/Analytic Rules/Refactor_AWS_policy_based_on_activities.yaml
index 997f65efde..cd463dd420 100644
--- a/Solutions/Authomize/Analytic Rules/Refactor_AWS_policy_based_on_activities.yaml
+++ b/Solutions/Authomize/Analytic Rules/Refactor_AWS_policy_based_on_activities.yaml
@@ -9,15 +9,20 @@ queryPeriod: 30m
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-- PrivilegeEscalation
+ - PrivilegeEscalation
 relevantTechniques:
-- T1078
+ - T1078
 query: |-
 Authomize_v2_CL
 | where ingestion_time() >= ago(30m)
 | extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
 | where Policy has "Refactor AWS policy based on activities in the last 60 days."
 | project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
+entityMappings:
+ - entityType: URL
+ fieldMappings:
+ - identifier: Url
+ columnName: URL
 requiredDataConnectors:
 - connectorId: Authomize
 dataTypes: [ "Authomize_v2_CL" ]
@@ -49,4 +54,4 @@ customDetails:
 ReferencedURL: URL
 suppressionDuration: 5h
 suppressionEnabled: false
-version: 1.0.1
\ No newline at end of file
+version: 1.0.2
\ No newline at end of file
diff --git a/Solutions/Authomize/Analytic Rules/Stale_AWS_policy_attachment_to_identity.yaml b/Solutions/Authomize/Analytic Rules/Stale_AWS_policy_attachment_to_identity.yaml
index 037c91b6a4..0b06135be0 100644
--- a/Solutions/Authomize/Analytic Rules/Stale_AWS_policy_attachment_to_identity.yaml
+++ b/Solutions/Authomize/Analytic Rules/Stale_AWS_policy_attachment_to_identity.yaml
@@ -10,15 +10,20 @@ queryPeriod: 30m
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-- InitialAccess
+ - InitialAccess
 relevantTechniques:
-- T1078
+ - T1078
 query: |-
 Authomize_v2_CL
 | where ingestion_time() >= ago(30m)
 | extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
 | where Policy has "Stale AWS policy attachment to identity"
 | project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
+entityMappings:
+ - entityType: URL
+ fieldMappings:
+ - identifier: Url
+ columnName: URL
 requiredDataConnectors:
 - connectorId: Authomize
 dataTypes: [ "Authomize_v2_CL" ]
@@ -50,4 +55,4 @@ customDetails:
 ReferencedURL: URL
 suppressionDuration: 5h
 suppressionEnabled: false
-version: 1.0.1
\ No newline at end of file
+version: 1.0.2
\ No newline at end of file
diff --git a/Solutions/Authomize/Analytic Rules/Stale_IAAS_policy_attachment_to_role.yaml b/Solutions/Authomize/Analytic Rules/Stale_IAAS_policy_attachment_to_role.yaml
index 56ab7b246a..4d84421358 100644
--- a/Solutions/Authomize/Analytic Rules/Stale_IAAS_policy_attachment_to_role.yaml
+++ b/Solutions/Authomize/Analytic Rules/Stale_IAAS_policy_attachment_to_role.yaml
@@ -9,13 +9,18 @@ queryPeriod: 30m
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-- PrivilegeEscalation
+ - PrivilegeEscalation
 query: |-
 Authomize_v2_CL
 | where ingestion_time() >= ago(30m)
 | extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
 | where Policy has "Stale IAAS policy attachment to role"
 | project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
+entityMappings:
+ - entityType: URL
+ fieldMappings:
+ - identifier: Url
+ columnName: URL
 requiredDataConnectors:
 - connectorId: Authomize
 dataTypes: [ "Authomize_v2_CL" ]
@@ -47,4 +52,4 @@ customDetails:
 ReferencedURL: URL
 suppressionDuration: 5h
 suppressionEnabled: false
-version: 1.0.1
\ No newline at end of file
+version: 1.0.2
\ No newline at end of file
diff --git a/Solutions/Authomize/Analytic Rules/Unused_IaaS_Policy.yaml b/Solutions/Authomize/Analytic Rules/Unused_IaaS_Policy.yaml
index 69f511fc20..0b5ee77459 100644
--- a/Solutions/Authomize/Analytic Rules/Unused_IaaS_Policy.yaml
+++ b/Solutions/Authomize/Analytic Rules/Unused_IaaS_Policy.yaml
@@ -9,18 +9,23 @@ queryPeriod: 30m
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-- InitialAccess
-- PrivilegeEscalation
+ - InitialAccess
+ - PrivilegeEscalation
 relevantTechniques:
-- T1078
-- T1068
-- T1078
+ - T1078
+ - T1068
+ - T1078
 query: |-
 Authomize_v2_CL
 | where ingestion_time() >= ago(30m)
 | extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
 | where Policy has "Unused IaaS Policy"
 | project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
+entityMappings:
+ - entityType: URL
+ fieldMappings:
+ - identifier: Url
+ columnName: URL
 requiredDataConnectors:
 - connectorId: Authomize
 dataTypes: [ "Authomize_v2_CL" ]
@@ -53,4 +58,4 @@ customDetails:
 ReferencedURL: URL
 suppressionDuration: 5h
 suppressionEnabled: false
-version: 1.0.1
\ No newline at end of file
+version: 1.0.2
\ No newline at end of file
diff --git a/Solutions/Authomize/Analytic Rules/User_assigned_to_a_default_admin_role.yaml b/Solutions/Authomize/Analytic Rules/User_assigned_to_a_default_admin_role.yaml
index 119889bdfd..d845ad8759 100644
--- a/Solutions/Authomize/Analytic Rules/User_assigned_to_a_default_admin_role.yaml
+++ b/Solutions/Authomize/Analytic Rules/User_assigned_to_a_default_admin_role.yaml
@@ -9,15 +9,20 @@ queryPeriod: 30m
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-- InitialAccess
+ - InitialAccess
 relevantTechniques:
-- T1078
+ - T1078
 query: |-
 Authomize_v2_CL
 | where ingestion_time() >= ago(30m)
 | extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
 | where Policy has "User assigned to a default admin role"
 | project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
+entityMappings:
+ - entityType: URL
+ fieldMappings:
+ - identifier: Url
+ columnName: URL
 requiredDataConnectors:
 - connectorId: Authomize
 dataTypes: [ "Authomize_v2_CL" ]
@@ -50,4 +55,4 @@ customDetails:
 ReferencedURL: URL
 suppressionDuration: 5h
 suppressionEnabled: false
-version: 1.0.1
\ No newline at end of file
+version: 1.0.2
\ No newline at end of file
diff --git a/Solutions/Authomize/Analytic Rules/User_without_MFA.yaml b/Solutions/Authomize/Analytic Rules/User_without_MFA.yaml
index 2c9a5120b6..277397f0d8 100644
--- a/Solutions/Authomize/Analytic Rules/User_without_MFA.yaml
+++ b/Solutions/Authomize/Analytic Rules/User_without_MFA.yaml
@@ -9,15 +9,20 @@ queryPeriod: 30m
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-- InitialAccess
+ - InitialAccess
 relevantTechniques:
-- T1078
+ - T1078
 query: |-
 Authomize_v2_CL
 | where ingestion_time() >= ago(30m)
 | extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
 | where Policy has "User without MFA"
 | project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
+entityMappings:
+ - entityType: URL
+ fieldMappings:
+ - identifier: Url
+ columnName: URL
 requiredDataConnectors:
 - connectorId: Authomize
 dataTypes: [ "Authomize_v2_CL" ]
@@ -50,4 +55,4 @@ customDetails:
 ReferencedURL: URL
 suppressionDuration: 5h
 suppressionEnabled: false
-version: 1.0.1
\ No newline at end of file
+version: 1.0.2
\ No newline at end of file
diff --git a/Solutions/Authomize/Package/3.0.0.zip b/Solutions/Authomize/Package/3.0.0.zip
index 00d6fbe884..3438c50a04 100644
Binary files a/Solutions/Authomize/Package/3.0.0.zip and b/Solutions/Authomize/Package/3.0.0.zip differ
diff --git a/Solutions/Authomize/Package/mainTemplate.json b/Solutions/Authomize/Package/mainTemplate.json
index 09bb7a9a0a..a192567044 100644
--- a/Solutions/Authomize/Package/mainTemplate.json
+++ b/Solutions/Authomize/Package/mainTemplate.json
@@ -44,9 +44,6 @@ "_solutionVersion": "3.0.0", "solutionId": "authomize.azure-sentinel-solution-authomize", "_solutionId": "[variables('solutionId')]", - "AuthomizeEventID": "EventID", - "_AuthomizeEventID": "[variables('AuthomizeEventID')]", - "TemplateEmptyArray": "[json('[]')]", "workbookVersion1": "1.0.0", "workbookContentId1": "AuthomizeWorkbook", "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
@@ -54,168 +51,183 @@ "_workbookContentId1": "[variables('workbookContentId1')]", "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", - "analyticRuleVersion1": "1.0.1", - "analyticRulecontentId1": "48a9478b-440a-4330-b42c-94bd84dc904c", - "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]", - "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]", - "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]", - "analyticRuleVersion2": "1.0.1", - "analyticRulecontentId2": "63d87fcb-d197-48d2-a642-de4813f0219a", - "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]", - "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]", - "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', variables('analyticRuleVersion2'))))]", - "analyticRuleVersion3": "1.0.1", - "analyticRulecontentId3": "87419138-d75f-450d-aca4-1dc802e32540", - 
"_analyticRulecontentId3": "[variables('analyticRulecontentId3')]", - "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]", - "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3'))))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId3'),'-', variables('analyticRuleVersion3'))))]", - "analyticRuleVersion4": "1.0.1", - "analyticRulecontentId4": "734c00a0-a95b-44dd-9b69-d926ed44256d", - "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]", - "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]", - "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4'))))]", - "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId4'),'-', variables('analyticRuleVersion4'))))]", - "analyticRuleVersion5": "1.0.1", - "analyticRulecontentId5": "2526079b-3355-4756-a2d1-21e9cd957261", - "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]", - "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]", - "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5'))))]", - "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId5'),'-', variables('analyticRuleVersion5'))))]", - "analyticRuleVersion6": "1.0.1", - "analyticRulecontentId6": "25bef734-4399-4c55-9579-4ebabd9cccf6", - "_analyticRulecontentId6": "[variables('analyticRulecontentId6')]", - "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]", - "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6'))))]", - "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId6'),'-', variables('analyticRuleVersion6'))))]", - "analyticRuleVersion7": "1.0.1", - "analyticRulecontentId7": "077eb06a-c011-47f7-8d92-dfc2b1e1d71b", - "_analyticRulecontentId7": "[variables('analyticRulecontentId7')]", - "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId7'))]", - "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7'))))]", - "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId7'),'-', variables('analyticRuleVersion7'))))]", - "analyticRuleVersion8": "1.0.1", - "analyticRulecontentId8": "c4d442a8-8227-4735-ac13-d84704e1b371", - "_analyticRulecontentId8": "[variables('analyticRulecontentId8')]", - "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId8'))]", - "analyticRuleTemplateSpecName8": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8'))))]", - "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId8'),'-', variables('analyticRuleVersion8'))))]", - "analyticRuleVersion9": "1.0.1", - "analyticRulecontentId9": "dc728ba1-5204-4fde-ab48-eda19c8fad3a", - "_analyticRulecontentId9": "[variables('analyticRulecontentId9')]", - "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId9'))]", - "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9'))))]", - "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId9'),'-', variables('analyticRuleVersion9'))))]", - "analyticRuleVersion10": "1.0.1", - "analyticRulecontentId10": "57bae0c4-50b7-4552-9de9-19dfecddbace", - "_analyticRulecontentId10": "[variables('analyticRulecontentId10')]", - "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId10'))]", - "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId10'))))]", - "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId10'),'-', variables('analyticRuleVersion10'))))]", - "analyticRuleVersion11": "1.0.1", - "analyticRulecontentId11": "31f43e9d-1839-4baf-a668-54c28b98af3e", - 
"_analyticRulecontentId11": "[variables('analyticRulecontentId11')]", - "analyticRuleId11": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId11'))]", - "analyticRuleTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId11'))))]", - "_analyticRulecontentProductId11": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId11'),'-', variables('analyticRuleVersion11'))))]", - "analyticRuleVersion12": "1.0.1", - "analyticRulecontentId12": "d7ee7bb5-d712-4d44-b201-b13379924934", - "_analyticRulecontentId12": "[variables('analyticRulecontentId12')]", - "analyticRuleId12": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId12'))]", - "analyticRuleTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId12'))))]", - "_analyticRulecontentProductId12": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId12'),'-', variables('analyticRuleVersion12'))))]", - "analyticRuleVersion13": "1.0.1", - "analyticRulecontentId13": "6c17f270-cd56-48cc-9196-1728ffea6538", - "_analyticRulecontentId13": "[variables('analyticRulecontentId13')]", - "analyticRuleId13": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId13'))]", - "analyticRuleTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId13'))))]", - "_analyticRulecontentProductId13": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId13'),'-', variables('analyticRuleVersion13'))))]", - "analyticRuleVersion14": "1.0.1", - "analyticRulecontentId14": "2e3c4ad5-8cb3-4b46-88ff-a88367ee7eaa", - "_analyticRulecontentId14": "[variables('analyticRulecontentId14')]", - "analyticRuleId14": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId14'))]", - "analyticRuleTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId14'))))]", - "_analyticRulecontentProductId14": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId14'),'-', variables('analyticRuleVersion14'))))]", - "analyticRuleVersion15": "1.0.1", - "analyticRulecontentId15": "72891de4-da70-44e4-9984-35fcea98d000", - "_analyticRulecontentId15": "[variables('analyticRulecontentId15')]", - "analyticRuleId15": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId15'))]", - "analyticRuleTemplateSpecName15": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId15'))))]", - "_analyticRulecontentProductId15": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId15'),'-', variables('analyticRuleVersion15'))))]", - "analyticRuleVersion16": "1.0.1", - "analyticRulecontentId16": "642de064-c67b-4eb7-98bd-3f8cd51f282c", - "_analyticRulecontentId16": "[variables('analyticRulecontentId16')]", - "analyticRuleId16": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId16'))]", - "analyticRuleTemplateSpecName16": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId16'))))]", - "_analyticRulecontentProductId16": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId16'),'-', variables('analyticRuleVersion16'))))]", - "analyticRuleVersion17": "1.0.1", - "analyticRulecontentId17": "766a3b1b-0d5b-4a8d-b0d6-7dd379e73567", - "_analyticRulecontentId17": "[variables('analyticRulecontentId17')]", - "analyticRuleId17": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId17'))]", - "analyticRuleTemplateSpecName17": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId17'))))]", - "_analyticRulecontentProductId17": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId17'),'-', variables('analyticRuleVersion17'))))]", - "analyticRuleVersion18": "1.0.1", - "analyticRulecontentId18": "ccdf3f87-7890-4549-9d0f-8f43c1d2751d", - "_analyticRulecontentId18": "[variables('analyticRulecontentId18')]", - "analyticRuleId18": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId18'))]", - "analyticRuleTemplateSpecName18": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId18'))))]", - "_analyticRulecontentProductId18": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId18'),'-', variables('analyticRuleVersion18'))))]", - "analyticRuleVersion19": "1.0.1", - "analyticRulecontentId19": "e0ae5f9e-865b-41f5-98bb-c04113888e85", 
- "_analyticRulecontentId19": "[variables('analyticRulecontentId19')]", - "analyticRuleId19": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId19'))]", - "analyticRuleTemplateSpecName19": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId19'))))]", - "_analyticRulecontentProductId19": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId19'),'-', variables('analyticRuleVersion19'))))]", - "analyticRuleVersion20": "1.0.1", - "analyticRulecontentId20": "c04ed74c-3b23-48cd-9c11-fd10cffddc64", - "_analyticRulecontentId20": "[variables('analyticRulecontentId20')]", - "analyticRuleId20": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId20'))]", - "analyticRuleTemplateSpecName20": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId20'))))]", - "_analyticRulecontentProductId20": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId20'),'-', variables('analyticRuleVersion20'))))]", - "analyticRuleVersion21": "1.0.1", - "analyticRulecontentId21": "71a7b0de-f13d-44b9-9caa-668f1bad0ce6", - "_analyticRulecontentId21": "[variables('analyticRulecontentId21')]", - "analyticRuleId21": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId21'))]", - "analyticRuleTemplateSpecName21": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId21'))))]", - "_analyticRulecontentProductId21": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId21'),'-', variables('analyticRuleVersion21'))))]", - "huntingQueryVersion1": "1.0.0", - "huntingQuerycontentId1": "b3430fb5-78aa-4729-8595-f66c06138478", - "_huntingQuerycontentId1": "[variables('huntingQuerycontentId1')]", - "huntingQueryId1": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId1'))]", - "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1'))))]", - "_huntingQuerycontentProductId1": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId1'),'-', variables('huntingQueryVersion1'))))]", - "huntingQueryVersion2": "1.0.0", - "huntingQuerycontentId2": "bf03796a-3ed7-440f-bfc3-0c702cf762a9", - "_huntingQuerycontentId2": "[variables('huntingQuerycontentId2')]", - "huntingQueryId2": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId2'))]", - "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId2'))))]", - "_huntingQuerycontentProductId2": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId2'),'-', variables('huntingQueryVersion2'))))]", - "huntingQueryVersion3": "1.0.0", - "huntingQuerycontentId3": "ab80b41c-23e5-4264-ac23-806aad2a57af", - "_huntingQuerycontentId3": "[variables('huntingQuerycontentId3')]", - "huntingQueryId3": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId3'))]", - "huntingQueryTemplateSpecName3": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId3'))))]", - "_huntingQuerycontentProductId3": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId3'),'-', variables('huntingQueryVersion3'))))]", - "huntingQueryVersion4": "1.0.0", - "huntingQuerycontentId4": "fad675f5-b743-40c6-873d-019de93f18db", - "_huntingQuerycontentId4": "[variables('huntingQuerycontentId4')]", - "huntingQueryId4": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId4'))]", - "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId4'))))]", - "_huntingQuerycontentProductId4": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId4'),'-', variables('huntingQueryVersion4'))))]", - "huntingQueryVersion5": "1.0.0", - "huntingQuerycontentId5": "485e7cab-131e-40ce-9482-791e681b7967", - "_huntingQuerycontentId5": "[variables('huntingQuerycontentId5')]", - "huntingQueryId5": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId5'))]", - "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId5'))))]", - "_huntingQuerycontentProductId5": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId5'),'-', variables('huntingQueryVersion5'))))]", - "huntingQueryVersion6": "1.0.0", - "huntingQuerycontentId6": "7457a420-8c28-4ce2-a55e-d050e5a6bc4f", - "_huntingQuerycontentId6": 
"[variables('huntingQuerycontentId6')]", - "huntingQueryId6": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId6'))]", - "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId6'))))]", - "_huntingQuerycontentProductId6": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId6'),'-', variables('huntingQueryVersion6'))))]", + "analyticRuleObject1": { + "analyticRuleVersion1": "1.0.2", + "_analyticRulecontentId1": "48a9478b-440a-4330-b42c-94bd84dc904c", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '48a9478b-440a-4330-b42c-94bd84dc904c')]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('48a9478b-440a-4330-b42c-94bd84dc904c')))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','48a9478b-440a-4330-b42c-94bd84dc904c','-', '1.0.2')))]" + }, + "analyticRuleObject2": { + "analyticRuleVersion2": "1.0.2", + "_analyticRulecontentId2": "63d87fcb-d197-48d2-a642-de4813f0219a", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '63d87fcb-d197-48d2-a642-de4813f0219a')]", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('63d87fcb-d197-48d2-a642-de4813f0219a')))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','63d87fcb-d197-48d2-a642-de4813f0219a','-', '1.0.2')))]" + }, + "analyticRuleObject3": { + 
"analyticRuleVersion3": "1.0.2", + "_analyticRulecontentId3": "87419138-d75f-450d-aca4-1dc802e32540", + "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '87419138-d75f-450d-aca4-1dc802e32540')]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('87419138-d75f-450d-aca4-1dc802e32540')))]", + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','87419138-d75f-450d-aca4-1dc802e32540','-', '1.0.2')))]" + }, + "analyticRuleObject4": { + "analyticRuleVersion4": "1.0.2", + "_analyticRulecontentId4": "734c00a0-a95b-44dd-9b69-d926ed44256d", + "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '734c00a0-a95b-44dd-9b69-d926ed44256d')]", + "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('734c00a0-a95b-44dd-9b69-d926ed44256d')))]", + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','734c00a0-a95b-44dd-9b69-d926ed44256d','-', '1.0.2')))]" + }, + "analyticRuleObject5": { + "analyticRuleVersion5": "1.0.2", + "_analyticRulecontentId5": "2526079b-3355-4756-a2d1-21e9cd957261", + "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2526079b-3355-4756-a2d1-21e9cd957261')]", + "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2526079b-3355-4756-a2d1-21e9cd957261')))]", + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2526079b-3355-4756-a2d1-21e9cd957261','-', '1.0.2')))]" + }, 
+ "analyticRuleObject6": { + "analyticRuleVersion6": "1.0.2", + "_analyticRulecontentId6": "25bef734-4399-4c55-9579-4ebabd9cccf6", + "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '25bef734-4399-4c55-9579-4ebabd9cccf6')]", + "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('25bef734-4399-4c55-9579-4ebabd9cccf6')))]", + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','25bef734-4399-4c55-9579-4ebabd9cccf6','-', '1.0.2')))]" + }, + "analyticRuleObject7": { + "analyticRuleVersion7": "1.0.2", + "_analyticRulecontentId7": "077eb06a-c011-47f7-8d92-dfc2b1e1d71b", + "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '077eb06a-c011-47f7-8d92-dfc2b1e1d71b')]", + "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('077eb06a-c011-47f7-8d92-dfc2b1e1d71b')))]", + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','077eb06a-c011-47f7-8d92-dfc2b1e1d71b','-', '1.0.2')))]" + }, + "analyticRuleObject8": { + "analyticRuleVersion8": "1.0.2", + "_analyticRulecontentId8": "c4d442a8-8227-4735-ac13-d84704e1b371", + "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'c4d442a8-8227-4735-ac13-d84704e1b371')]", + "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c4d442a8-8227-4735-ac13-d84704e1b371')))]", + "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c4d442a8-8227-4735-ac13-d84704e1b371','-', '1.0.2')))]" + }, + "analyticRuleObject9": { + "analyticRuleVersion9": "1.0.2", + "_analyticRulecontentId9": "dc728ba1-5204-4fde-ab48-eda19c8fad3a", + "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'dc728ba1-5204-4fde-ab48-eda19c8fad3a')]", + "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('dc728ba1-5204-4fde-ab48-eda19c8fad3a')))]", + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dc728ba1-5204-4fde-ab48-eda19c8fad3a','-', '1.0.2')))]" + }, + "analyticRuleObject10": { + "analyticRuleVersion10": "1.0.2", + "_analyticRulecontentId10": "57bae0c4-50b7-4552-9de9-19dfecddbace", + "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '57bae0c4-50b7-4552-9de9-19dfecddbace')]", + "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('57bae0c4-50b7-4552-9de9-19dfecddbace')))]", + "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','57bae0c4-50b7-4552-9de9-19dfecddbace','-', '1.0.2')))]" + }, + "analyticRuleObject11": { + "analyticRuleVersion11": "1.0.2", + "_analyticRulecontentId11": "31f43e9d-1839-4baf-a668-54c28b98af3e", + "analyticRuleId11": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '31f43e9d-1839-4baf-a668-54c28b98af3e')]", + "analyticRuleTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('31f43e9d-1839-4baf-a668-54c28b98af3e')))]", + "_analyticRulecontentProductId11": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','31f43e9d-1839-4baf-a668-54c28b98af3e','-', '1.0.2')))]" + }, + "analyticRuleObject12": { + "analyticRuleVersion12": "1.0.2", + "_analyticRulecontentId12": "d7ee7bb5-d712-4d44-b201-b13379924934", + "analyticRuleId12": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd7ee7bb5-d712-4d44-b201-b13379924934')]", + "analyticRuleTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d7ee7bb5-d712-4d44-b201-b13379924934')))]", + "_analyticRulecontentProductId12": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d7ee7bb5-d712-4d44-b201-b13379924934','-', '1.0.2')))]" + }, + "analyticRuleObject13": { + "analyticRuleVersion13": "1.0.2", + "_analyticRulecontentId13": "6c17f270-cd56-48cc-9196-1728ffea6538", + "analyticRuleId13": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6c17f270-cd56-48cc-9196-1728ffea6538')]", + "analyticRuleTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6c17f270-cd56-48cc-9196-1728ffea6538')))]", + "_analyticRulecontentProductId13": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6c17f270-cd56-48cc-9196-1728ffea6538','-', '1.0.2')))]" + }, + "analyticRuleObject14": { + "analyticRuleVersion14": "1.0.2", + "_analyticRulecontentId14": "2e3c4ad5-8cb3-4b46-88ff-a88367ee7eaa", + "analyticRuleId14": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2e3c4ad5-8cb3-4b46-88ff-a88367ee7eaa')]", + "analyticRuleTemplateSpecName14": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2e3c4ad5-8cb3-4b46-88ff-a88367ee7eaa')))]", + "_analyticRulecontentProductId14": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2e3c4ad5-8cb3-4b46-88ff-a88367ee7eaa','-', '1.0.2')))]" + }, + "analyticRuleObject15": { + "analyticRuleVersion15": "1.0.2", + "_analyticRulecontentId15": "72891de4-da70-44e4-9984-35fcea98d000", + "analyticRuleId15": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '72891de4-da70-44e4-9984-35fcea98d000')]", + "analyticRuleTemplateSpecName15": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('72891de4-da70-44e4-9984-35fcea98d000')))]", + "_analyticRulecontentProductId15": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','72891de4-da70-44e4-9984-35fcea98d000','-', '1.0.2')))]" + }, + "analyticRuleObject16": { + "analyticRuleVersion16": "1.0.2", + "_analyticRulecontentId16": "642de064-c67b-4eb7-98bd-3f8cd51f282c", + "analyticRuleId16": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '642de064-c67b-4eb7-98bd-3f8cd51f282c')]", + "analyticRuleTemplateSpecName16": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('642de064-c67b-4eb7-98bd-3f8cd51f282c')))]", + "_analyticRulecontentProductId16": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','642de064-c67b-4eb7-98bd-3f8cd51f282c','-', '1.0.2')))]" + }, + "analyticRuleObject17": { + "analyticRuleVersion17": "1.0.2", + "_analyticRulecontentId17": "766a3b1b-0d5b-4a8d-b0d6-7dd379e73567", + "analyticRuleId17": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 
'766a3b1b-0d5b-4a8d-b0d6-7dd379e73567')]", + "analyticRuleTemplateSpecName17": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('766a3b1b-0d5b-4a8d-b0d6-7dd379e73567')))]", + "_analyticRulecontentProductId17": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','766a3b1b-0d5b-4a8d-b0d6-7dd379e73567','-', '1.0.2')))]" + }, + "analyticRuleObject18": { + "analyticRuleVersion18": "1.0.2", + "_analyticRulecontentId18": "ccdf3f87-7890-4549-9d0f-8f43c1d2751d", + "analyticRuleId18": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'ccdf3f87-7890-4549-9d0f-8f43c1d2751d')]", + "analyticRuleTemplateSpecName18": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('ccdf3f87-7890-4549-9d0f-8f43c1d2751d')))]", + "_analyticRulecontentProductId18": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','ccdf3f87-7890-4549-9d0f-8f43c1d2751d','-', '1.0.2')))]" + }, + "analyticRuleObject19": { + "analyticRuleVersion19": "1.0.2", + "_analyticRulecontentId19": "e0ae5f9e-865b-41f5-98bb-c04113888e85", + "analyticRuleId19": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e0ae5f9e-865b-41f5-98bb-c04113888e85')]", + "analyticRuleTemplateSpecName19": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e0ae5f9e-865b-41f5-98bb-c04113888e85')))]", + "_analyticRulecontentProductId19": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e0ae5f9e-865b-41f5-98bb-c04113888e85','-', '1.0.2')))]" + }, + "analyticRuleObject20": { + "analyticRuleVersion20": "1.0.2", + "_analyticRulecontentId20": "c04ed74c-3b23-48cd-9c11-fd10cffddc64", + "analyticRuleId20": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'c04ed74c-3b23-48cd-9c11-fd10cffddc64')]", + "analyticRuleTemplateSpecName20": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c04ed74c-3b23-48cd-9c11-fd10cffddc64')))]", + "_analyticRulecontentProductId20": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c04ed74c-3b23-48cd-9c11-fd10cffddc64','-', '1.0.2')))]" + }, + "analyticRuleObject21": { + "analyticRuleVersion21": "1.0.2", + "_analyticRulecontentId21": "71a7b0de-f13d-44b9-9caa-668f1bad0ce6", + "analyticRuleId21": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '71a7b0de-f13d-44b9-9caa-668f1bad0ce6')]", + "analyticRuleTemplateSpecName21": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('71a7b0de-f13d-44b9-9caa-668f1bad0ce6')))]", + "_analyticRulecontentProductId21": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','71a7b0de-f13d-44b9-9caa-668f1bad0ce6','-', '1.0.2')))]" + }, + "huntingQueryObject1": { + "huntingQueryVersion1": "1.0.0", + "_huntingQuerycontentId1": "b3430fb5-78aa-4729-8595-f66c06138478", + "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('b3430fb5-78aa-4729-8595-f66c06138478')))]" + }, + "huntingQueryObject2": { + "huntingQueryVersion2": "1.0.0", + "_huntingQuerycontentId2": "bf03796a-3ed7-440f-bfc3-0c702cf762a9", + "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('bf03796a-3ed7-440f-bfc3-0c702cf762a9')))]" + }, + "huntingQueryObject3": { + "huntingQueryVersion3": "1.0.0", + "_huntingQuerycontentId3": "ab80b41c-23e5-4264-ac23-806aad2a57af", 
+ "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('ab80b41c-23e5-4264-ac23-806aad2a57af')))]" + }, + "huntingQueryObject4": { + "huntingQueryVersion4": "1.0.0", + "_huntingQuerycontentId4": "fad675f5-b743-40c6-873d-019de93f18db", + "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('fad675f5-b743-40c6-873d-019de93f18db')))]" + }, + "huntingQueryObject5": { + "huntingQueryVersion5": "1.0.0", + "_huntingQuerycontentId5": "485e7cab-131e-40ce-9482-791e681b7967", + "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('485e7cab-131e-40ce-9482-791e681b7967')))]" + }, + "huntingQueryObject6": { + "huntingQueryVersion6": "1.0.0", + "_huntingQuerycontentId6": "7457a420-8c28-4ce2-a55e-d050e5a6bc4f", + "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('7457a420-8c28-4ce2-a55e-d050e5a6bc4f')))]" + }, "uiConfigId1": "Authomize", "_uiConfigId1": "[variables('uiConfigId1')]", "dataConnectorContentId1": "Authomize", @@ -237,7 +249,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AuthomizeWorkbook Workbook with template version 3.0.0", + "description": "Authomize Workbook with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", 
@@ -319,7 +331,7 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName1')]", + "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" @@ -328,13 +340,13 @@ "description": "Access_to_AWS_without_MFA_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion1')]", + "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId1')]", + "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -353,10 +365,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Authomize", "dataTypes": [ "Authomize_v2_CL" - ], - "connectorId": "Authomize" + ] } ], "tactics": [ 
@@ -365,52 +377,60 @@ "techniques": [ "T1078" ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URL" + } + ], + "entityType": "URL" + } + ], "eventGroupingSettings": { "aggregationKind": "SingleAlert" }, "customDetails": { - "EventRecommendation": "Recommendation", - "AuthomizeEventID": "[variables('_AuthomizeEventID')]", - "EventDescription": "Description", + "AuthomizeEventID": "EventID", "EventName": "Policy", - "ReferencedURL": "URL" + "ReferencedURL": "URL", + "EventRecommendation": "Recommendation", + "EventDescription": "Description" }, "alertDetailsOverride": { - "alertDescriptionFormat": "Refactor AWS policy based on activities in the last 60 days. This is a recommended update to IAM policy on AWS. Review the policy and apply it according to change control process. Authomize will have a recommended policy to be downloaded. See the URL for further details within the event details in your Authomize Tenant. \n", + "alertTactics": "Tactics", + "alertSeverity": "Severity", "alertDynamicProperties": [ { "value": "URL", "alertProperty": "AlertLink" } ], - "alertSeverity": "Severity", "alertnameFormat": "Alert from Authomize - Access to AWS without MFA", - "alertTactics": "Tactics" + "alertDescriptionFormat": "Refactor AWS policy based on activities in the last 60 days. This is a recommended update to IAM policy on AWS. Review the policy and apply it according to change control process. Authomize will have a recommended policy to be downloaded. See the URL for further details within the event details in your Authomize Tenant. 
\n" }, "incidentConfiguration": { - "createIncident": true, "groupingConfiguration": { - "lookbackDuration": "5h", - "enabled": true, "matchingMethod": "AnyAlert", - "groupByCustomDetails": "[variables('TemplateEmptyArray')]", "reopenClosedIncident": false, - "groupByAlertDetails": "[variables('TemplateEmptyArray')]", - "groupByEntities": "[variables('TemplateEmptyArray')]" - } + "enabled": true, + "lookbackDuration": "5h" + }, + "createIncident": true } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", "properties": { "description": "Authomize Analytics Rule 1", - "parentId": "[variables('analyticRuleId1')]", - "contentId": "[variables('_analyticRulecontentId1')]", + "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion1')]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", "source": { "kind": "Solution", "name": "Authomize", 
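Review bot: The customDetails and the new entityMappings in this hunk now bind to literal column names (`"AuthomizeEventID": "EventID"`, `"columnName": "URL"`) where the old template read the event id through `variables('_AuthomizeEventID')`; the rule's `query` property sits above the hunk, so confirm that the KQL projects `EventID`, `Policy`, `URL`, `Recommendation`, `Description`, `Severity` and `Tactics` under exactly those names, because ARM accepts any string here and a mismatch only shows up as an empty custom detail or entity at alert time. Only a URL entity is mapped; if the query also exposes the affected account or principal, mapping it as an Account entity would give analysts an identity to pivot on for an MFA-gap alert. Dropping the `groupByCustomDetails`/`groupByAlertDetails`/`groupByEntities` arrays is consistent with `"matchingMethod": "AnyAlert"`, which groups every alert this rule raises inside the 5h lookback into one incident, so the grouping behaviour is unchanged but worth stating in the PR description. The same edits recur in the hunk at `@@ -492,52 +512,60 @@` for rule 2. The enclosing `Microsoft.SecurityInsights/AlertRuleTemplates` resource starts outside the hunk.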
@@ -435,18 +455,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId1')]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", "contentKind": "AnalyticsRule", "displayName": "Access to AWS without MFA", - "contentProductId": "[variables('_analyticRulecontentProductId1')]", - "id": "[variables('_analyticRulecontentProductId1')]", - "version": "[variables('analyticRuleVersion1')]" + "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName2')]", + "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" @@ -455,13 +475,13 @@ "description": "Admin_password_wasnt_updated_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion2')]", + "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId2')]", + "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", 
@@ -480,10 +500,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Authomize", "dataTypes": [ "Authomize_v2_CL" - ], - "connectorId": "Authomize" + ] } ], "tactics": [ 
@@ -492,52 +512,60 @@ "techniques": [ "T1078" ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URL" + } + ], + "entityType": "URL" + } + ], "eventGroupingSettings": { "aggregationKind": "SingleAlert" }, "customDetails": { - "EventRecommendation": "Recommendation", - "AuthomizeEventID": "[variables('_AuthomizeEventID')]", - "EventDescription": "Description", + "AuthomizeEventID": "EventID", "EventName": "Policy", - "ReferencedURL": "URL" + "ReferencedURL": "URL", + "EventRecommendation": "Recommendation", + "EventDescription": "Description" }, "alertDetailsOverride": { - "alertDescriptionFormat": "Admin password wasn't updated during the last 30 days. The policy detects admin account where password wasn't updated during the last 30 days.\n", + "alertTactics": "Tactics", + "alertSeverity": "Severity", "alertDynamicProperties": [ { "value": "URL", "alertProperty": "AlertLink" } ], - "alertSeverity": "Severity", "alertnameFormat": "Alert from Authomize - Admin password wasn't updated during the last 30 days", - "alertTactics": "Tactics" + "alertDescriptionFormat": "Admin password wasn't updated during the last 30 days. 
The policy detects admin account where password wasn't updated during the last 30 days.\n" }, "incidentConfiguration": { - "createIncident": true, "groupingConfiguration": { - "lookbackDuration": "5h", - "enabled": true, "matchingMethod": "AnyAlert", - "groupByCustomDetails": "[variables('TemplateEmptyArray')]", "reopenClosedIncident": false, - "groupByAlertDetails": "[variables('TemplateEmptyArray')]", - "groupByEntities": "[variables('TemplateEmptyArray')]" - } + "enabled": true, + "lookbackDuration": "5h" + }, + "createIncident": true } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", "properties": { "description": "Authomize Analytics Rule 2", - "parentId": "[variables('analyticRuleId2')]", - "contentId": "[variables('_analyticRulecontentId2')]", + "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion2')]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", "source": { "kind": "Solution", "name": "Authomize", 
@@ -562,18 +590,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId2')]", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", "contentKind": "AnalyticsRule", "displayName": "Admin password not updated in 30 days", - "contentProductId": "[variables('_analyticRulecontentProductId2')]", - "id": "[variables('_analyticRulecontentProductId2')]", - "version": "[variables('analyticRuleVersion2')]" + "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName3')]", + "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -582,13 +610,13 @@ "description": "Admin_SaaS_account_detected_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion3')]", + "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId3')]", + "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -607,10 +635,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Authomize", "dataTypes": [ "Authomize_v2_CL" - ], - "connectorId": "Authomize" + ] } ], "tactics": [ 
@@ -621,52 +649,60 @@ "T1078", "T1078" ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URL" + } + ], + "entityType": "URL" + } + ], "eventGroupingSettings": { "aggregationKind": "SingleAlert" }, "customDetails": { - "EventRecommendation": "Recommendation", - "AuthomizeEventID": "[variables('_AuthomizeEventID')]", - "EventDescription": "Description", + "AuthomizeEventID": "EventID", "EventName": "Policy", - "ReferencedURL": "URL" + "ReferencedURL": "URL", + "EventRecommendation": "Recommendation", + "EventDescription": "Description" }, "alertDetailsOverride": { - "alertDescriptionFormat": "Admin SaaS account detected. The policy detects internal admins accounts, it's recommended to review any new administrative permission.", + "alertTactics": "Tactics", + "alertSeverity": "Severity", "alertDynamicProperties": [ { "value": "URL", "alertProperty": "AlertLink" } ], - "alertSeverity": "Severity", "alertnameFormat": "Alert from Authomize - Admin SaaS account detected", - "alertTactics": "Tactics" + "alertDescriptionFormat": "Admin SaaS account detected. The policy detects internal admins accounts, it's recommended to review any new administrative permission." 
}, "incidentConfiguration": { - "createIncident": true, "groupingConfiguration": { - "lookbackDuration": "5h", - "enabled": true, "matchingMethod": "AnyAlert", - "groupByCustomDetails": "[variables('TemplateEmptyArray')]", "reopenClosedIncident": false, - "groupByAlertDetails": "[variables('TemplateEmptyArray')]", - "groupByEntities": "[variables('TemplateEmptyArray')]" - } + "enabled": true, + "lookbackDuration": "5h" + }, + "createIncident": true } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]", "properties": { "description": "Authomize Analytics Rule 3", - "parentId": "[variables('analyticRuleId3')]", - "contentId": "[variables('_analyticRulecontentId3')]", + "parentId": "[variables('analyticRuleObject3').analyticRuleId3]", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion3')]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]", "source": { "kind": "Solution", "name": "Authomize", 
@@ -691,18 +727,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId3')]", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", "contentKind": "AnalyticsRule", "displayName": "Admin SaaS account detected", - "contentProductId": "[variables('_analyticRulecontentProductId3')]", - "id": "[variables('_analyticRulecontentProductId3')]", - "version": "[variables('analyticRuleVersion3')]" + "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName4')]", + "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" @@ -711,13 +747,13 @@ "description": "AWS_role_with_admin_privileges_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion4')]", + "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId4')]", + "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", 
@@ -736,10 +772,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Authomize", "dataTypes": [ "Authomize_v2_CL" - ], - "connectorId": "Authomize" + ] } ], "tactics": [ 
@@ -748,52 +784,60 @@ "techniques": [ "T1078" ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URL" + } + ], + "entityType": "URL" + } + ], "eventGroupingSettings": { "aggregationKind": "SingleAlert" }, "customDetails": { - "EventRecommendation": "Recommendation", - "AuthomizeEventID": "[variables('_AuthomizeEventID')]", - "EventDescription": "Description", + "AuthomizeEventID": "EventID", "EventName": "Policy", - "ReferencedURL": "URL" + "ReferencedURL": "URL", + "EventRecommendation": "Recommendation", + "EventDescription": "Description" }, "alertDetailsOverride": { - "alertDescriptionFormat": "AWS role with admin privileges. The policy detects the creation of new AWS roles with administrative privileges. The policy configuration allows limiting the policy to specific accounts.", + "alertTactics": "Tactics", + "alertSeverity": "Severity", "alertDynamicProperties": [ { "value": "URL", "alertProperty": "AlertLink" } ], - "alertSeverity": "Severity", "alertnameFormat": "Alert from Authomize - AWS role with admin privileges", - "alertTactics": "Tactics" + "alertDescriptionFormat": "AWS role with admin privileges. The policy detects the creation of new AWS roles with administrative privileges. The policy configuration allows limiting the policy to specific accounts." 
}, "incidentConfiguration": { - "createIncident": true, "groupingConfiguration": { - "lookbackDuration": "5h", - "enabled": true, "matchingMethod": "AnyAlert", - "groupByCustomDetails": "[variables('TemplateEmptyArray')]", "reopenClosedIncident": false, - "groupByAlertDetails": "[variables('TemplateEmptyArray')]", - "groupByEntities": "[variables('TemplateEmptyArray')]" - } + "enabled": true, + "lookbackDuration": "5h" + }, + "createIncident": true } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]", "properties": { "description": "Authomize Analytics Rule 4", - "parentId": "[variables('analyticRuleId4')]", - "contentId": "[variables('_analyticRulecontentId4')]", + "parentId": "[variables('analyticRuleObject4').analyticRuleId4]", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion4')]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]", "source": { "kind": "Solution", "name": "Authomize", 
@@ -818,18 +862,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId4')]", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", "contentKind": "AnalyticsRule", "displayName": "AWS role with admin privileges", - "contentProductId": "[variables('_analyticRulecontentProductId4')]", - "id": "[variables('_analyticRulecontentProductId4')]", - "version": "[variables('analyticRuleVersion4')]" + "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName5')]", + "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -838,13 +882,13 @@ "description": "AWS_role_with_shadow_admin_privileges_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion5')]", + "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId5')]", + "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -863,10 +907,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Authomize", "dataTypes": [ "Authomize_v2_CL" - ], - "connectorId": "Authomize" + ] } ], "tactics": [ 
@@ -875,52 +919,60 @@ "techniques": [ "T1078" ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URL" + } + ], + "entityType": "URL" + } + ], "eventGroupingSettings": { "aggregationKind": "SingleAlert" }, "customDetails": { - "EventRecommendation": "Recommendation", - "AuthomizeEventID": "[variables('_AuthomizeEventID')]", - "EventDescription": "Description", + "AuthomizeEventID": "EventID", "EventName": "Policy", - "ReferencedURL": "URL" + "ReferencedURL": "URL", + "EventRecommendation": "Recommendation", + "EventDescription": "Description" }, "alertDetailsOverride": { - "alertDescriptionFormat": "IaaS shadow admin detected. The policy detect the creation of new AWS roles with shadow admin privileges. The policy configuration allows limiting the policy to specific accounts.\n", + "alertTactics": "Tactics", + "alertSeverity": "Severity", "alertDynamicProperties": [ { "value": "URL", "alertProperty": "AlertLink" } ], - "alertSeverity": "Severity", "alertnameFormat": "Alert from Authomize - AWS role with shadow admin privileges", - "alertTactics": "Tactics" + "alertDescriptionFormat": "IaaS shadow admin detected. The policy detect the creation of new AWS roles with shadow admin privileges. 
The policy configuration allows limiting the policy to specific accounts.\n" }, "incidentConfiguration": { - "createIncident": true, "groupingConfiguration": { - "lookbackDuration": "5h", - "enabled": true, "matchingMethod": "AnyAlert", - "groupByCustomDetails": "[variables('TemplateEmptyArray')]", "reopenClosedIncident": false, - "groupByAlertDetails": "[variables('TemplateEmptyArray')]", - "groupByEntities": "[variables('TemplateEmptyArray')]" - } + "enabled": true, + "lookbackDuration": "5h" + }, + "createIncident": true } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]", "properties": { "description": "Authomize Analytics Rule 5", - "parentId": "[variables('analyticRuleId5')]", - "contentId": "[variables('_analyticRulecontentId5')]", + "parentId": "[variables('analyticRuleObject5').analyticRuleId5]", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion5')]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]", "source": { "kind": "Solution", "name": "Authomize", 
@@ -945,18 +997,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId5')]", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", "contentKind": "AnalyticsRule", "displayName": "AWS role with shadow admin privileges", - "contentProductId": "[variables('_analyticRulecontentProductId5')]", - "id": "[variables('_analyticRulecontentProductId5')]", - "version": "[variables('analyticRuleVersion5')]" + "contentProductId": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", + "id": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName6')]", + "name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" @@ -965,13 +1017,13 @@ "description": "Chain_of_3_or_more_roles_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion6')]", + "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId6')]", + "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", 
@@ -990,61 +1042,69 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Authomize", "dataTypes": [ "Authomize_v2_CL" - ], - "connectorId": "Authomize" + ] } ], "tactics": [ "PrivilegeEscalation" ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URL" + } + ], + "entityType": "URL" + } + ], "eventGroupingSettings": { "aggregationKind": "SingleAlert" }, "customDetails": { - "EventRecommendation": "Recommendation", - "AuthomizeEventID": "[variables('_AuthomizeEventID')]", - "EventDescription": "Description", + "AuthomizeEventID": "EventID", "EventName": "Policy", - "ReferencedURL": "URL" + "ReferencedURL": "URL", + "EventRecommendation": "Recommendation", + "EventDescription": "Description" }, "alertDetailsOverride": { - "alertDescriptionFormat": "Account can elevate privileges by assuming a role. The policy detects chains of more than 3 roles in the account, this is a misconfiguration that can enable lateral movement.", + "alertTactics": "Tactics", + "alertSeverity": "Severity", "alertDynamicProperties": [ { "value": "URL", "alertProperty": "AlertLink" } ], - "alertSeverity": "Severity", "alertnameFormat": "Alert from Authomize - Account can elevate privileges by assuming a role", - "alertTactics": "Tactics" + "alertDescriptionFormat": "Account can elevate privileges by assuming a role. The policy detects chains of more than 3 roles in the account, this is a misconfiguration that can enable lateral movement." 
}, "incidentConfiguration": { - "createIncident": true, "groupingConfiguration": { - "lookbackDuration": "5h", - "enabled": true, "matchingMethod": "AnyAlert", - "groupByCustomDetails": "[variables('TemplateEmptyArray')]", "reopenClosedIncident": false, - "groupByAlertDetails": "[variables('TemplateEmptyArray')]", - "groupByEntities": "[variables('TemplateEmptyArray')]" - } + "enabled": true, + "lookbackDuration": "5h" + }, + "createIncident": true } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]", "properties": { "description": "Authomize Analytics Rule 6", - "parentId": "[variables('analyticRuleId6')]", - "contentId": "[variables('_analyticRulecontentId6')]", + "parentId": "[variables('analyticRuleObject6').analyticRuleId6]", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion6')]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]", "source": { "kind": "Solution", "name": "Authomize", 
@@ -1069,18 +1129,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId6')]", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", "contentKind": "AnalyticsRule", "displayName": "Lateral Movement Risk - Role Chain Length", - "contentProductId": "[variables('_analyticRulecontentProductId6')]", - "id": "[variables('_analyticRulecontentProductId6')]", - "version": "[variables('analyticRuleVersion6')]" + "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", + "id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName7')]", + "name": "[variables('analyticRuleObject7').analyticRuleTemplateSpecName7]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -1089,13 +1149,13 @@ "description": "Detect_AWS_IAM_Users_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion7')]", + "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId7')]", + "name": "[variables('analyticRuleObject7')._analyticRulecontentId7]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -1114,10 +1174,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Authomize", "dataTypes": [ "Authomize_v2_CL" - ], - "connectorId": "Authomize" + ] } ], "tactics": [ 
@@ -1126,52 +1186,60 @@ "techniques": [ "T1078" ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URL" + } + ], + "entityType": "URL" + } + ], "eventGroupingSettings": { "aggregationKind": "SingleAlert" }, "customDetails": { - "EventRecommendation": "Recommendation", - "AuthomizeEventID": "[variables('_AuthomizeEventID')]", - "EventDescription": "Description", + "AuthomizeEventID": "EventID", "EventName": "Policy", - "ReferencedURL": "URL" + "ReferencedURL": "URL", + "EventRecommendation": "Recommendation", + "EventDescription": "Description" }, "alertDetailsOverride": { - "alertDescriptionFormat": "Detect AWS IAM Users. The policy detects IAM users across your AWS accounts, a practice that should be kept only for a small number of accounts. This is a default definition by Authomize and can be updated using the edit modal.", + "alertTactics": "Tactics", + "alertSeverity": "Severity", "alertDynamicProperties": [ { "value": "URL", "alertProperty": "AlertLink" } ], - "alertSeverity": "Severity", "alertnameFormat": "Alert from Authomize - Detect AWS IAM Users", - "alertTactics": "Tactics" + "alertDescriptionFormat": "Detect AWS IAM Users. The policy detects IAM users across your AWS accounts, a practice that should be kept only for a small number of accounts. This is a default definition by Authomize and can be updated using the edit modal." 
}, "incidentConfiguration": { - "createIncident": true, "groupingConfiguration": { - "lookbackDuration": "5h", - "enabled": true, "matchingMethod": "AnyAlert", - "groupByCustomDetails": "[variables('TemplateEmptyArray')]", "reopenClosedIncident": false, - "groupByAlertDetails": "[variables('TemplateEmptyArray')]", - "groupByEntities": "[variables('TemplateEmptyArray')]" - } + "enabled": true, + "lookbackDuration": "5h" + }, + "createIncident": true } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject7').analyticRuleId7,'/'))))]", "properties": { "description": "Authomize Analytics Rule 7", - "parentId": "[variables('analyticRuleId7')]", - "contentId": "[variables('_analyticRulecontentId7')]", + "parentId": "[variables('analyticRuleObject7').analyticRuleId7]", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion7')]", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]", "source": { "kind": "Solution", "name": "Authomize", 
@@ -1196,18 +1264,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId7')]", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", "contentKind": "AnalyticsRule", "displayName": "Detect AWS IAM Users", - "contentProductId": "[variables('_analyticRulecontentProductId7')]", - "id": "[variables('_analyticRulecontentProductId7')]", - "version": "[variables('analyticRuleVersion7')]" + "contentProductId": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", + "id": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName8')]", + "name": "[variables('analyticRuleObject8').analyticRuleTemplateSpecName8]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" @@ -1216,13 +1284,13 @@ "description": "Empty_group_with_entitlements_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion8')]", + "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId8')]", + "name": "[variables('analyticRuleObject8')._analyticRulecontentId8]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", 
@@ -1241,61 +1309,69 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Authomize", "dataTypes": [ "Authomize_v2_CL" - ], - "connectorId": "Authomize" + ] } ], "tactics": [ "PrivilegeEscalation" ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URL" + } + ], + "entityType": "URL" + } + ], "eventGroupingSettings": { "aggregationKind": "SingleAlert" }, "customDetails": { - "EventRecommendation": "Recommendation", - "AuthomizeEventID": "[variables('_AuthomizeEventID')]", - "EventDescription": "Description", + "AuthomizeEventID": "EventID", "EventName": "Policy", - "ReferencedURL": "URL" + "ReferencedURL": "URL", + "EventRecommendation": "Recommendation", + "EventDescription": "Description" }, "alertDetailsOverride": { - "alertDescriptionFormat": "Empty group with entitlements. The policy detects empty groups with entitlements", + "alertTactics": "Tactics", + "alertSeverity": "Severity", "alertDynamicProperties": [ { "value": "URL", "alertProperty": "AlertLink" } ], - "alertSeverity": "Severity", "alertnameFormat": "Alert from Authomize - Empty group with entitlements", - "alertTactics": "Tactics" + "alertDescriptionFormat": "Empty group with entitlements. 
The policy detects empty groups with entitlements" }, "incidentConfiguration": { - "createIncident": true, "groupingConfiguration": { - "lookbackDuration": "5h", - "enabled": true, "matchingMethod": "AnyAlert", - "groupByCustomDetails": "[variables('TemplateEmptyArray')]", "reopenClosedIncident": false, - "groupByAlertDetails": "[variables('TemplateEmptyArray')]", - "groupByEntities": "[variables('TemplateEmptyArray')]" - } + "enabled": true, + "lookbackDuration": "5h" + }, + "createIncident": true } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject8').analyticRuleId8,'/'))))]", "properties": { "description": "Authomize Analytics Rule 8", - "parentId": "[variables('analyticRuleId8')]", - "contentId": "[variables('_analyticRulecontentId8')]", + "parentId": "[variables('analyticRuleObject8').analyticRuleId8]", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion8')]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]", "source": { "kind": "Solution", "name": "Authomize", 
@@ -1320,18 +1396,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId8')]", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", "contentKind": "AnalyticsRule", "displayName": "Empty group with entitlements", - "contentProductId": "[variables('_analyticRulecontentProductId8')]", - "id": "[variables('_analyticRulecontentProductId8')]", - "version": "[variables('analyticRuleVersion8')]" + "contentProductId": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", + "id": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName9')]", + "name": "[variables('analyticRuleObject9').analyticRuleTemplateSpecName9]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" @@ -1340,13 +1416,13 @@ "description": "IaaS_admin_detected_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion9')]", + "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId9')]", + "name": "[variables('analyticRuleObject9')._analyticRulecontentId9]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", 
@@ -1365,10 +1441,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Authomize", "dataTypes": [ "Authomize_v2_CL" - ], - "connectorId": "Authomize" + ] } ], "tactics": [ 
@@ -1377,52 +1453,60 @@ "techniques": [ "T1078" ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URL" + } + ], + "entityType": "URL" + } + ], "eventGroupingSettings": { "aggregationKind": "SingleAlert" }, "customDetails": { - "EventRecommendation": "Recommendation", - "AuthomizeEventID": "[variables('_AuthomizeEventID')]", - "EventDescription": "Description", + "AuthomizeEventID": "EventID", "EventName": "Policy", - "ReferencedURL": "URL" + "ReferencedURL": "URL", + "EventRecommendation": "Recommendation", + "EventDescription": "Description" }, "alertDetailsOverride": { - "alertDescriptionFormat": "IaaS admin detected. The policy detects admin users in AWS or Azure\n", + "alertTactics": "Tactics", + "alertSeverity": "Severity", "alertDynamicProperties": [ { "value": "URL", "alertProperty": "AlertLink" } ], - "alertSeverity": "Severity", "alertnameFormat": "Alert from Authomize - IaaS admin detected", - "alertTactics": "Tactics" + "alertDescriptionFormat": "IaaS admin detected. 
The policy detects admin users in AWS or Azure\n" }, "incidentConfiguration": { - "createIncident": true, "groupingConfiguration": { - "lookbackDuration": "5h", - "enabled": true, "matchingMethod": "AnyAlert", - "groupByCustomDetails": "[variables('TemplateEmptyArray')]", "reopenClosedIncident": false, - "groupByAlertDetails": "[variables('TemplateEmptyArray')]", - "groupByEntities": "[variables('TemplateEmptyArray')]" - } + "enabled": true, + "lookbackDuration": "5h" + }, + "createIncident": true } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject9').analyticRuleId9,'/'))))]", "properties": { "description": "Authomize Analytics Rule 9", - "parentId": "[variables('analyticRuleId9')]", - "contentId": "[variables('_analyticRulecontentId9')]", + "parentId": "[variables('analyticRuleObject9').analyticRuleId9]", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion9')]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]", "source": { "kind": "Solution", "name": "Authomize", 
@@ -1447,18 +1531,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId9')]", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", "contentKind": "AnalyticsRule", "displayName": "IaaS admin detected", - "contentProductId": "[variables('_analyticRulecontentProductId9')]", - "id": "[variables('_analyticRulecontentProductId9')]", - "version": "[variables('analyticRuleVersion9')]" + "contentProductId": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", + "id": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName10')]", + "name": "[variables('analyticRuleObject10').analyticRuleTemplateSpecName10]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -1467,13 +1551,13 @@ "description": "IaaS_policy_not_attached_to_any_identity_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion10')]", + "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId10')]", + "name": "[variables('analyticRuleObject10')._analyticRulecontentId10]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", 
@@ -1492,61 +1576,69 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Authomize", "dataTypes": [ "Authomize_v2_CL" - ], - "connectorId": "Authomize" + ] } ], "tactics": [ "PrivilegeEscalation" ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URL" + } + ], + "entityType": "URL" + } + ], "eventGroupingSettings": { "aggregationKind": "SingleAlert" }, "customDetails": { - "EventRecommendation": "Recommendation", - "AuthomizeEventID": "[variables('_AuthomizeEventID')]", - "EventDescription": "Description", + "AuthomizeEventID": "EventID", "EventName": "Policy", - "ReferencedURL": "URL" + "ReferencedURL": "URL", + "EventRecommendation": "Recommendation", + "EventDescription": "Description" }, "alertDetailsOverride": { - "alertDescriptionFormat": "IaaS policy not attached to any identity. The rule detects 'IaaS policies' attached to a role that has not used them during the past X days. It is recommended to remove unused policies from identities to reduce risk.", + "alertTactics": "Tactics", + "alertSeverity": "Severity", "alertDynamicProperties": [ { "value": "URL", "alertProperty": "AlertLink" } ], - "alertSeverity": "Severity", "alertnameFormat": "Alert from Authomize - IaaS policy not attached to any identity", - "alertTactics": "Tactics" + "alertDescriptionFormat": "IaaS policy not attached to any identity. The rule detects 'IaaS policies' attached to a role that has not used them during the past X days. It is recommended to remove unused policies from identities to reduce risk." 
}, "incidentConfiguration": { - "createIncident": true, "groupingConfiguration": { - "lookbackDuration": "5h", - "enabled": true, "matchingMethod": "AnyAlert", - "groupByCustomDetails": "[variables('TemplateEmptyArray')]", "reopenClosedIncident": false, - "groupByAlertDetails": "[variables('TemplateEmptyArray')]", - "groupByEntities": "[variables('TemplateEmptyArray')]" - } + "enabled": true, + "lookbackDuration": "5h" + }, + "createIncident": true } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId10'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject10').analyticRuleId10,'/'))))]", "properties": { "description": "Authomize Analytics Rule 10", - "parentId": "[variables('analyticRuleId10')]", - "contentId": "[variables('_analyticRulecontentId10')]", + "parentId": "[variables('analyticRuleObject10').analyticRuleId10]", + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion10')]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]", "source": { "kind": "Solution", "name": "Authomize", 
@@ -1571,18 +1663,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId10')]", + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", "contentKind": "AnalyticsRule", "displayName": "IaaS policy not attached to any identity", - "contentProductId": "[variables('_analyticRulecontentProductId10')]", - "id": "[variables('_analyticRulecontentProductId10')]", - "version": "[variables('analyticRuleVersion10')]" + "contentProductId": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", + "id": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName11')]", + "name": "[variables('analyticRuleObject11').analyticRuleTemplateSpecName11]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -1591,13 +1683,13 @@ "description": "IaaS_shadow_admin_detected_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion11')]", + "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId11')]", + "name": "[variables('analyticRuleObject11')._analyticRulecontentId11]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -1616,10 +1708,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Authomize", "dataTypes": [ "Authomize_v2_CL" - ], - "connectorId": "Authomize" + ] } ], "tactics": [ 
@@ -1628,52 +1720,60 @@ "techniques": [ "T1078" ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URL" + } + ], + "entityType": "URL" + } + ], "eventGroupingSettings": { "aggregationKind": "SingleAlert" }, "customDetails": { - "EventRecommendation": "Recommendation", - "AuthomizeEventID": "[variables('_AuthomizeEventID')]", - "EventDescription": "Description", + "AuthomizeEventID": "EventID", "EventName": "Policy", - "ReferencedURL": "URL" + "ReferencedURL": "URL", + "EventRecommendation": "Recommendation", + "EventDescription": "Description" }, "alertDetailsOverride": { - "alertDescriptionFormat": "IaaS shadow admin detected. The policy detects shadow admin users in AWS or Azure.\n", + "alertTactics": "Tactics", + "alertSeverity": "Severity", "alertDynamicProperties": [ { "value": "URL", "alertProperty": "AlertLink" } ], - "alertSeverity": "Severity", "alertnameFormat": "Alert from Authomize - IaaS shadow admin detected", - "alertTactics": "Tactics" + "alertDescriptionFormat": "IaaS shadow admin detected. 
The policy detects shadow admin users in AWS or Azure.\n" }, "incidentConfiguration": { - "createIncident": true, "groupingConfiguration": { - "lookbackDuration": "5h", - "enabled": true, "matchingMethod": "AnyAlert", - "groupByCustomDetails": "[variables('TemplateEmptyArray')]", "reopenClosedIncident": false, - "groupByAlertDetails": "[variables('TemplateEmptyArray')]", - "groupByEntities": "[variables('TemplateEmptyArray')]" - } + "enabled": true, + "lookbackDuration": "5h" + }, + "createIncident": true } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId11'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject11').analyticRuleId11,'/'))))]", "properties": { "description": "Authomize Analytics Rule 11", - "parentId": "[variables('analyticRuleId11')]", - "contentId": "[variables('_analyticRulecontentId11')]", + "parentId": "[variables('analyticRuleObject11').analyticRuleId11]", + "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion11')]", + "version": "[variables('analyticRuleObject11').analyticRuleVersion11]", "source": { "kind": "Solution", "name": "Authomize", 
@@ -1698,18 +1798,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId11')]", + "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]", "contentKind": "AnalyticsRule", "displayName": "IaaS shadow admin detected", - "contentProductId": "[variables('_analyticRulecontentProductId11')]", - "id": "[variables('_analyticRulecontentProductId11')]", - "version": "[variables('analyticRuleVersion11')]" + "contentProductId": "[variables('analyticRuleObject11')._analyticRulecontentProductId11]", + "id": "[variables('analyticRuleObject11')._analyticRulecontentProductId11]", + "version": "[variables('analyticRuleObject11').analyticRuleVersion11]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName12')]", + "name": "[variables('analyticRuleObject12').analyticRuleTemplateSpecName12]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -1718,13 +1818,13 @@ "description": "New_direct_access_policy_was_granted_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion12')]", + "contentVersion": "[variables('analyticRuleObject12').analyticRuleVersion12]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId12')]", + "name": "[variables('analyticRuleObject12')._analyticRulecontentId12]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -1743,10 +1843,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Authomize", "dataTypes": [ "Authomize_v2_CL" - ], - "connectorId": "Authomize" + ] } ], "tactics": [ 
@@ -1757,52 +1857,60 @@ "T1078", "T1078" ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URL" + } + ], + "entityType": "URL" + } + ], "eventGroupingSettings": { "aggregationKind": "SingleAlert" }, "customDetails": { - "EventRecommendation": "Recommendation", - "AuthomizeEventID": "[variables('_AuthomizeEventID')]", - "EventDescription": "Description", + "AuthomizeEventID": "EventID", "EventName": "Policy", - "ReferencedURL": "URL" + "ReferencedURL": "URL", + "EventRecommendation": "Recommendation", + "EventDescription": "Description" }, "alertDetailsOverride": { - "alertDescriptionFormat": "New direct access policy was granted against organizational policy. This policy detects when access was granted directly (not via groups). This policy is defined by default by Authomize to track AWS only. It is possible to edit the existing policy or create more versions to track other apps.\n", + "alertTactics": "Tactics", + "alertSeverity": "Severity", "alertDynamicProperties": [ { "value": "URL", "alertProperty": "AlertLink" } ], - "alertSeverity": "Severity", "alertnameFormat": "Alert from Authomize - New direct access policy was granted against organizational policy", - "alertTactics": "Tactics" + "alertDescriptionFormat": "New direct access policy was granted against organizational policy. This policy detects when access was granted directly (not via groups). This policy is defined by default by Authomize to track AWS only. 
It is possible to edit the existing policy or create more versions to track other apps.\n" }, "incidentConfiguration": { - "createIncident": true, "groupingConfiguration": { - "lookbackDuration": "5h", - "enabled": true, "matchingMethod": "AnyAlert", - "groupByCustomDetails": "[variables('TemplateEmptyArray')]", "reopenClosedIncident": false, - "groupByAlertDetails": "[variables('TemplateEmptyArray')]", - "groupByEntities": "[variables('TemplateEmptyArray')]" - } + "enabled": true, + "lookbackDuration": "5h" + }, + "createIncident": true } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId12'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject12').analyticRuleId12,'/'))))]", "properties": { "description": "Authomize Analytics Rule 12", - "parentId": "[variables('analyticRuleId12')]", - "contentId": "[variables('_analyticRulecontentId12')]", + "parentId": "[variables('analyticRuleObject12').analyticRuleId12]", + "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion12')]", + "version": "[variables('analyticRuleObject12').analyticRuleVersion12]", "source": { "kind": "Solution", "name": "Authomize", 
@@ -1827,18 +1935,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId12')]", + "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]", "contentKind": "AnalyticsRule", "displayName": "New direct access policy was granted against organizational policy", - "contentProductId": "[variables('_analyticRulecontentProductId12')]", - "id": "[variables('_analyticRulecontentProductId12')]", - "version": "[variables('analyticRuleVersion12')]" + "contentProductId": "[variables('analyticRuleObject12')._analyticRulecontentProductId12]", + "id": "[variables('analyticRuleObject12')._analyticRulecontentProductId12]", + "version": "[variables('analyticRuleObject12').analyticRuleVersion12]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName13')]", + "name": "[variables('analyticRuleObject13').analyticRuleTemplateSpecName13]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -1847,13 +1955,13 @@ "description": "New_service_account_gained_access_to_IaaS_resource_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion13')]", + "contentVersion": "[variables('analyticRuleObject13').analyticRuleVersion13]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId13')]", + "name": "[variables('analyticRuleObject13')._analyticRulecontentId13]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", 
@@ -1872,61 +1980,69 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Authomize", "dataTypes": [ "Authomize_v2_CL" - ], - "connectorId": "Authomize" + ] } ], "tactics": [ "InitialAccess" ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URL" + } + ], + "entityType": "URL" + } + ], "eventGroupingSettings": { "aggregationKind": "SingleAlert" }, "customDetails": { - "EventRecommendation": "Recommendation", - "AuthomizeEventID": "[variables('_AuthomizeEventID')]", - "EventDescription": "Description", + "AuthomizeEventID": "EventID", "EventName": "Policy", - "ReferencedURL": "URL" + "ReferencedURL": "URL", + "EventRecommendation": "Recommendation", + "EventDescription": "Description" }, "alertDetailsOverride": { - "alertDescriptionFormat": "New service account gained access to IaaS resource. This policy detects when an application or service account gained new access to your assets. This policy is defined by Authomize and can be edited to change the configuration.", + "alertTactics": "Tactics", + "alertSeverity": "Severity", "alertDynamicProperties": [ { "value": "URL", "alertProperty": "AlertLink" } ], - "alertSeverity": "Severity", "alertnameFormat": "Alert from Authomize - New service account gained access to IaaS resource", - "alertTactics": "Tactics" + "alertDescriptionFormat": "New service account gained access to IaaS resource. This policy detects when an application or service account gained new access to your assets. This policy is defined by Authomize and can be edited to change the configuration." 
}, "incidentConfiguration": { - "createIncident": true, "groupingConfiguration": { - "lookbackDuration": "5h", - "enabled": true, "matchingMethod": "AnyAlert", - "groupByCustomDetails": "[variables('TemplateEmptyArray')]", "reopenClosedIncident": false, - "groupByAlertDetails": "[variables('TemplateEmptyArray')]", - "groupByEntities": "[variables('TemplateEmptyArray')]" - } + "enabled": true, + "lookbackDuration": "5h" + }, + "createIncident": true } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId13'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject13').analyticRuleId13,'/'))))]", "properties": { "description": "Authomize Analytics Rule 13", - "parentId": "[variables('analyticRuleId13')]", - "contentId": "[variables('_analyticRulecontentId13')]", + "parentId": "[variables('analyticRuleObject13').analyticRuleId13]", + "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion13')]", + "version": "[variables('analyticRuleObject13').analyticRuleVersion13]", "source": { "kind": "Solution", "name": "Authomize", 
@@ -1951,18 +2067,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId13')]", + "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]", "contentKind": "AnalyticsRule", "displayName": "New service account gained access to IaaS resource", - "contentProductId": "[variables('_analyticRulecontentProductId13')]", - "id": "[variables('_analyticRulecontentProductId13')]", - "version": "[variables('analyticRuleVersion13')]" + "contentProductId": "[variables('analyticRuleObject13')._analyticRulecontentProductId13]", + "id": "[variables('analyticRuleObject13')._analyticRulecontentProductId13]", + "version": "[variables('analyticRuleObject13').analyticRuleVersion13]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName14')]", + "name": "[variables('analyticRuleObject14').analyticRuleTemplateSpecName14]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -1971,13 +2087,13 @@ "description": "Password_Exfiltration_over_SCIM_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion14')]", + "contentVersion": "[variables('analyticRuleObject14').analyticRuleVersion14]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId14')]", + "name": "[variables('analyticRuleObject14')._analyticRulecontentId14]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -1996,10 +2112,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Authomize", "dataTypes": [ "Authomize_v2_CL" - ], - "connectorId": "Authomize" + ] } ], "tactics": [ 
@@ -2011,52 +2127,60 @@ "T1040", "T1552" ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URL" + } + ], + "entityType": "URL" + } + ], "eventGroupingSettings": { "aggregationKind": "SingleAlert" }, "customDetails": { - "EventRecommendation": "Recommendation", - "AuthomizeEventID": "[variables('_AuthomizeEventID')]", - "EventDescription": "Description", + "AuthomizeEventID": "EventID", "EventName": "Policy", - "ReferencedURL": "URL" + "ReferencedURL": "URL", + "EventRecommendation": "Recommendation", + "EventDescription": "Description" }, "alertDetailsOverride": { - "alertDescriptionFormat": "Password Exfiltration over SCIM application. This policy detects suspicious sync events that occurred to applications using SCIM for user provisioning.", + "alertTactics": "Tactics", + "alertSeverity": "Severity", "alertDynamicProperties": [ { "value": "URL", "alertProperty": "AlertLink" } ], - "alertSeverity": "Severity", "alertnameFormat": "Alert from Authomize - Password Exfiltration over SCIM application", - "alertTactics": "Tactics" + "alertDescriptionFormat": "Password Exfiltration over SCIM application. This policy detects suspicious sync events that occurred to applications using SCIM for user provisioning." 
}, "incidentConfiguration": { - "createIncident": true, "groupingConfiguration": { - "lookbackDuration": "5h", - "enabled": true, "matchingMethod": "AnyAlert", - "groupByCustomDetails": "[variables('TemplateEmptyArray')]", "reopenClosedIncident": false, - "groupByAlertDetails": "[variables('TemplateEmptyArray')]", - "groupByEntities": "[variables('TemplateEmptyArray')]" - } + "enabled": true, + "lookbackDuration": "5h" + }, + "createIncident": true } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId14'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject14').analyticRuleId14,'/'))))]", "properties": { "description": "Authomize Analytics Rule 14", - "parentId": "[variables('analyticRuleId14')]", - "contentId": "[variables('_analyticRulecontentId14')]", + "parentId": "[variables('analyticRuleObject14').analyticRuleId14]", + "contentId": "[variables('analyticRuleObject14')._analyticRulecontentId14]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion14')]", + "version": "[variables('analyticRuleObject14').analyticRuleVersion14]", "source": { "kind": "Solution", "name": "Authomize", 
@@ -2081,18 +2205,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId14')]", + "contentId": "[variables('analyticRuleObject14')._analyticRulecontentId14]", "contentKind": "AnalyticsRule", "displayName": "Password Exfiltration over SCIM application", - "contentProductId": "[variables('_analyticRulecontentProductId14')]", - "id": "[variables('_analyticRulecontentProductId14')]", - "version": "[variables('analyticRuleVersion14')]" + "contentProductId": "[variables('analyticRuleObject14')._analyticRulecontentProductId14]", + "id": "[variables('analyticRuleObject14')._analyticRulecontentProductId14]", + "version": "[variables('analyticRuleObject14').analyticRuleVersion14]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName15')]", + "name": "[variables('analyticRuleObject15').analyticRuleTemplateSpecName15]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -2101,13 +2225,13 @@ "description": "Privileged_Machines_Exposed_to_the_Internet_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion15')]", + "contentVersion": "[variables('analyticRuleObject15').analyticRuleVersion15]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId15')]", + "name": "[variables('analyticRuleObject15')._analyticRulecontentId15]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2126,10 +2250,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Authomize", "dataTypes": [ "Authomize_v2_CL" - ], - "connectorId": "Authomize" + ] } ], "tactics": [ 
@@ -2139,52 +2263,60 @@ "techniques": [ "T1580" ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URL" + } + ], + "entityType": "URL" + } + ], "eventGroupingSettings": { "aggregationKind": "SingleAlert" }, "customDetails": { - "EventRecommendation": "Recommendation", - "AuthomizeEventID": "[variables('_AuthomizeEventID')]", - "EventDescription": "Description", + "AuthomizeEventID": "EventID", "EventName": "Policy", - "ReferencedURL": "URL" + "ReferencedURL": "URL", + "EventRecommendation": "Recommendation", + "EventDescription": "Description" }, "alertDetailsOverride": { - "alertDescriptionFormat": "Privileged Machines Exposed to the Internet. These are AWS Ec2 machines that are exposed to the internet. You can further filter by tags so that you can, for example, find exposed machines that are also \"privileged\".", + "alertTactics": "Tactics", + "alertSeverity": "Severity", "alertDynamicProperties": [ { "value": "URL", "alertProperty": "AlertLink" } ], - "alertSeverity": "Severity", "alertnameFormat": "Alert from Authomize - Privileged Machines Exposed to the Internet", - "alertTactics": "Tactics" + "alertDescriptionFormat": "Privileged Machines Exposed to the Internet. These are AWS Ec2 machines that are exposed to the internet. You can further filter by tags so that you can, for example, find exposed machines that are also \"privileged\"." 
}, "incidentConfiguration": { - "createIncident": true, "groupingConfiguration": { - "lookbackDuration": "5h", - "enabled": true, "matchingMethod": "AnyAlert", - "groupByCustomDetails": "[variables('TemplateEmptyArray')]", "reopenClosedIncident": false, - "groupByAlertDetails": "[variables('TemplateEmptyArray')]", - "groupByEntities": "[variables('TemplateEmptyArray')]" - } + "enabled": true, + "lookbackDuration": "5h" + }, + "createIncident": true } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId15'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject15').analyticRuleId15,'/'))))]", "properties": { "description": "Authomize Analytics Rule 15", - "parentId": "[variables('analyticRuleId15')]", - "contentId": "[variables('_analyticRulecontentId15')]", + "parentId": "[variables('analyticRuleObject15').analyticRuleId15]", + "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion15')]", + "version": "[variables('analyticRuleObject15').analyticRuleVersion15]", "source": { "kind": "Solution", "name": "Authomize", 
@@ -2209,18 +2341,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId15')]", + "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]", "contentKind": "AnalyticsRule", "displayName": "Privileged Machines Exposed to the Internet", - "contentProductId": "[variables('_analyticRulecontentProductId15')]", - "id": "[variables('_analyticRulecontentProductId15')]", - "version": "[variables('analyticRuleVersion15')]" + "contentProductId": "[variables('analyticRuleObject15')._analyticRulecontentProductId15]", + "id": "[variables('analyticRuleObject15')._analyticRulecontentProductId15]", + "version": "[variables('analyticRuleObject15').analyticRuleVersion15]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName16')]", + "name": "[variables('analyticRuleObject16').analyticRuleTemplateSpecName16]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -2229,13 +2361,13 @@ "description": "Refactor_AWS_policy_based_on_activities_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion16')]", + "contentVersion": "[variables('analyticRuleObject16').analyticRuleVersion16]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId16')]", + "name": "[variables('analyticRuleObject16')._analyticRulecontentId16]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2254,10 +2386,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Authomize", "dataTypes": [ "Authomize_v2_CL" - ], - "connectorId": "Authomize" + ] } ], "tactics": [ 
@@ -2266,52 +2398,60 @@ "techniques": [ "T1078" ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URL" + } + ], + "entityType": "URL" + } + ], "eventGroupingSettings": { "aggregationKind": "SingleAlert" }, "customDetails": { - "EventRecommendation": "Recommendation", - "AuthomizeEventID": "[variables('_AuthomizeEventID')]", - "EventDescription": "Description", + "AuthomizeEventID": "EventID", "EventName": "Policy", - "ReferencedURL": "URL" + "ReferencedURL": "URL", + "EventRecommendation": "Recommendation", + "EventDescription": "Description" }, "alertDetailsOverride": { - "alertDescriptionFormat": "Refactor AWS policy based on activities in the last 60 days. This is a recommended update to IAM policy on AWS. Review the policy and apply it according to change control process. Authomize will have a recommended policy to be downloaded.", + "alertTactics": "Tactics", + "alertSeverity": "Severity", "alertDynamicProperties": [ { "value": "URL", "alertProperty": "AlertLink" } ], - "alertSeverity": "Severity", "alertnameFormat": "Alert from Authomize - Refactor AWS policy based on activities in the last 60 days", - "alertTactics": "Tactics" + "alertDescriptionFormat": "Refactor AWS policy based on activities in the last 60 days. This is a recommended update to IAM policy on AWS. Review the policy and apply it according to change control process. Authomize will have a recommended policy to be downloaded." 
}, "incidentConfiguration": { - "createIncident": true, "groupingConfiguration": { - "lookbackDuration": "5h", - "enabled": true, "matchingMethod": "AnyAlert", - "groupByCustomDetails": "[variables('TemplateEmptyArray')]", "reopenClosedIncident": false, - "groupByAlertDetails": "[variables('TemplateEmptyArray')]", - "groupByEntities": "[variables('TemplateEmptyArray')]" - } + "enabled": true, + "lookbackDuration": "5h" + }, + "createIncident": true } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId16'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject16').analyticRuleId16,'/'))))]", "properties": { "description": "Authomize Analytics Rule 16", - "parentId": "[variables('analyticRuleId16')]", - "contentId": "[variables('_analyticRulecontentId16')]", + "parentId": "[variables('analyticRuleObject16').analyticRuleId16]", + "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion16')]", + "version": "[variables('analyticRuleObject16').analyticRuleVersion16]", "source": { "kind": "Solution", "name": "Authomize", 
@@ -2336,18 +2476,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId16')]", + "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]", "contentKind": "AnalyticsRule", "displayName": "Refactor AWS policy based on activities in the last 60 days", - "contentProductId": "[variables('_analyticRulecontentProductId16')]", - "id": "[variables('_analyticRulecontentProductId16')]", - "version": "[variables('analyticRuleVersion16')]" + "contentProductId": "[variables('analyticRuleObject16')._analyticRulecontentProductId16]", + "id": "[variables('analyticRuleObject16')._analyticRulecontentProductId16]", + "version": "[variables('analyticRuleObject16').analyticRuleVersion16]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName17')]", + "name": "[variables('analyticRuleObject17').analyticRuleTemplateSpecName17]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -2356,13 +2496,13 @@ "description": "Stale_AWS_policy_attachment_to_identity_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion17')]", + "contentVersion": "[variables('analyticRuleObject17').analyticRuleVersion17]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId17')]", + "name": "[variables('analyticRuleObject17')._analyticRulecontentId17]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2381,10 +2521,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Authomize", "dataTypes": [ "Authomize_v2_CL" - ], - "connectorId": "Authomize" + ] } ], "tactics": [ 
@@ -2393,52 +2533,60 @@ "techniques": [ "T1078" ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URL" + } + ], + "entityType": "URL" + } + ], "eventGroupingSettings": { "aggregationKind": "SingleAlert" }, "customDetails": { - "EventRecommendation": "Recommendation", - "AuthomizeEventID": "[variables('_AuthomizeEventID')]", - "EventDescription": "Description", + "AuthomizeEventID": "EventID", "EventName": "Policy", - "ReferencedURL": "URL" + "ReferencedURL": "URL", + "EventRecommendation": "Recommendation", + "EventDescription": "Description" }, "alertDetailsOverride": { - "alertDescriptionFormat": "Stale AWS policy attachment to identity. The policy detects 'AWS policies' attached to IAM users or roles that have not used it during the last X days. It is recommended to remove unused policies from identities to reduce risk.", + "alertTactics": "Tactics", + "alertSeverity": "Severity", "alertDynamicProperties": [ { "value": "URL", "alertProperty": "AlertLink" } ], - "alertSeverity": "Severity", "alertnameFormat": "Alert from Authomize - Stale AWS policy attachment to identity", - "alertTactics": "Tactics" + "alertDescriptionFormat": "Stale AWS policy attachment to identity. The policy detects 'AWS policies' attached to IAM users or roles that have not used it during the last X days. It is recommended to remove unused policies from identities to reduce risk." 
}, "incidentConfiguration": { - "createIncident": true, "groupingConfiguration": { - "lookbackDuration": "5h", - "enabled": true, "matchingMethod": "AnyAlert", - "groupByCustomDetails": "[variables('TemplateEmptyArray')]", "reopenClosedIncident": false, - "groupByAlertDetails": "[variables('TemplateEmptyArray')]", - "groupByEntities": "[variables('TemplateEmptyArray')]" - } + "enabled": true, + "lookbackDuration": "5h" + }, + "createIncident": true } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId17'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject17').analyticRuleId17,'/'))))]", "properties": { "description": "Authomize Analytics Rule 17", - "parentId": "[variables('analyticRuleId17')]", - "contentId": "[variables('_analyticRulecontentId17')]", + "parentId": "[variables('analyticRuleObject17').analyticRuleId17]", + "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion17')]", + "version": "[variables('analyticRuleObject17').analyticRuleVersion17]", "source": { "kind": "Solution", "name": "Authomize", 
@@ -2463,18 +2611,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId17')]", + "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]", "contentKind": "AnalyticsRule", "displayName": "Stale AWS policy attachment to identity", - "contentProductId": "[variables('_analyticRulecontentProductId17')]", - "id": "[variables('_analyticRulecontentProductId17')]", - "version": "[variables('analyticRuleVersion17')]" + "contentProductId": "[variables('analyticRuleObject17')._analyticRulecontentProductId17]", + "id": "[variables('analyticRuleObject17')._analyticRulecontentProductId17]", + "version": "[variables('analyticRuleObject17').analyticRuleVersion17]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName18')]", + "name": "[variables('analyticRuleObject18').analyticRuleTemplateSpecName18]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -2483,13 +2631,13 @@ "description": "Stale_IAAS_policy_attachment_to_role_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion18')]", + "contentVersion": "[variables('analyticRuleObject18').analyticRuleVersion18]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId18')]", + "name": "[variables('analyticRuleObject18')._analyticRulecontentId18]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", 
@@ -2508,61 +2656,69 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Authomize", "dataTypes": [ "Authomize_v2_CL" - ], - "connectorId": "Authomize" + ] } ], "tactics": [ "PrivilegeEscalation" ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URL" + } + ], + "entityType": "URL" + } + ], "eventGroupingSettings": { "aggregationKind": "SingleAlert" }, "customDetails": { - "EventRecommendation": "Recommendation", - "AuthomizeEventID": "[variables('_AuthomizeEventID')]", - "EventDescription": "Description", + "AuthomizeEventID": "EventID", "EventName": "Policy", - "ReferencedURL": "URL" + "ReferencedURL": "URL", + "EventRecommendation": "Recommendation", + "EventDescription": "Description" }, "alertDetailsOverride": { - "alertDescriptionFormat": "Stale IAAS policy attachment to role. The rule detects 'IaaS policies' attached to a role that has not used them during the past X days.It is recommended to remove unused policies from identities to reduce risk.", + "alertTactics": "Tactics", + "alertSeverity": "Severity", "alertDynamicProperties": [ { "value": "URL", "alertProperty": "AlertLink" } ], - "alertSeverity": "Severity", "alertnameFormat": "Alert from Authomize - Stale IAAS policy attachment to role", - "alertTactics": "Tactics" + "alertDescriptionFormat": "Stale IAAS policy attachment to role. The rule detects 'IaaS policies' attached to a role that has not used them during the past X days.It is recommended to remove unused policies from identities to reduce risk." 
}, "incidentConfiguration": { - "createIncident": true, "groupingConfiguration": { - "lookbackDuration": "5h", - "enabled": true, "matchingMethod": "AnyAlert", - "groupByCustomDetails": "[variables('TemplateEmptyArray')]", "reopenClosedIncident": false, - "groupByAlertDetails": "[variables('TemplateEmptyArray')]", - "groupByEntities": "[variables('TemplateEmptyArray')]" - } + "enabled": true, + "lookbackDuration": "5h" + }, + "createIncident": true } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId18'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject18').analyticRuleId18,'/'))))]", "properties": { "description": "Authomize Analytics Rule 18", - "parentId": "[variables('analyticRuleId18')]", - "contentId": "[variables('_analyticRulecontentId18')]", + "parentId": "[variables('analyticRuleObject18').analyticRuleId18]", + "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion18')]", + "version": "[variables('analyticRuleObject18').analyticRuleVersion18]", "source": { "kind": "Solution", "name": "Authomize", 
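Review bot: The new-side `alertDescriptionFormat` for rule 18 in this hunk still carries the missing space in `past X days.It is recommended`, and the rule-21 hunk later in this diff has `mutli-factor authentication` in the same field. This template looks generated from the solution's analytic-rule definitions, so the wording should be corrected in those source rules and the JSON regenerated rather than hand-patched here. Suggested text: `past X days. It is recommended` and `multi-factor authentication`. The enclosing AlertRuleTemplates resource begins before this hunk.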
@@ -2587,18 +2743,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId18')]", + "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]", "contentKind": "AnalyticsRule", "displayName": "Stale IAAS policy attachment to role", - "contentProductId": "[variables('_analyticRulecontentProductId18')]", - "id": "[variables('_analyticRulecontentProductId18')]", - "version": "[variables('analyticRuleVersion18')]" + "contentProductId": "[variables('analyticRuleObject18')._analyticRulecontentProductId18]", + "id": "[variables('analyticRuleObject18')._analyticRulecontentProductId18]", + "version": "[variables('analyticRuleObject18').analyticRuleVersion18]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName19')]", + "name": "[variables('analyticRuleObject19').analyticRuleTemplateSpecName19]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -2607,13 +2763,13 @@ "description": "Unused_IaaS_Policy_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion19')]", + "contentVersion": "[variables('analyticRuleObject19').analyticRuleVersion19]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId19')]", + "name": "[variables('analyticRuleObject19')._analyticRulecontentId19]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2632,10 +2788,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Authomize", "dataTypes": [ "Authomize_v2_CL" - ], - "connectorId": "Authomize" + ] } ], "tactics": [ 
@@ -2647,52 +2803,60 @@ "T1068", "T1078" ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URL" + } + ], + "entityType": "URL" + } + ], "eventGroupingSettings": { "aggregationKind": "SingleAlert" }, "customDetails": { - "EventRecommendation": "Recommendation", - "AuthomizeEventID": "[variables('_AuthomizeEventID')]", - "EventDescription": "Description", + "AuthomizeEventID": "EventID", "EventName": "Policy", - "ReferencedURL": "URL" + "ReferencedURL": "URL", + "EventRecommendation": "Recommendation", + "EventDescription": "Description" }, "alertDetailsOverride": { - "alertDescriptionFormat": "Unused IaaS Policy. The policy detects 'IaaS policies' that no one in the account has been using during the last X days.\n", + "alertTactics": "Tactics", + "alertSeverity": "Severity", "alertDynamicProperties": [ { "value": "URL", "alertProperty": "AlertLink" } ], - "alertSeverity": "Severity", "alertnameFormat": "Alert from Authomize - Unused IaaS Policy", - "alertTactics": "Tactics" + "alertDescriptionFormat": "Unused IaaS Policy. 
The policy detects 'IaaS policies' that no one in the account has been using during the last X days.\n" }, "incidentConfiguration": { - "createIncident": true, "groupingConfiguration": { - "lookbackDuration": "5h", - "enabled": true, "matchingMethod": "AnyAlert", - "groupByCustomDetails": "[variables('TemplateEmptyArray')]", "reopenClosedIncident": false, - "groupByAlertDetails": "[variables('TemplateEmptyArray')]", - "groupByEntities": "[variables('TemplateEmptyArray')]" - } + "enabled": true, + "lookbackDuration": "5h" + }, + "createIncident": true } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId19'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject19').analyticRuleId19,'/'))))]", "properties": { "description": "Authomize Analytics Rule 19", - "parentId": "[variables('analyticRuleId19')]", - "contentId": "[variables('_analyticRulecontentId19')]", + "parentId": "[variables('analyticRuleObject19').analyticRuleId19]", + "contentId": "[variables('analyticRuleObject19')._analyticRulecontentId19]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion19')]", + "version": "[variables('analyticRuleObject19').analyticRuleVersion19]", "source": { "kind": "Solution", "name": "Authomize", 
@@ -2717,18 +2881,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId19')]", + "contentId": "[variables('analyticRuleObject19')._analyticRulecontentId19]", "contentKind": "AnalyticsRule", "displayName": "Unused IaaS Policy", - "contentProductId": "[variables('_analyticRulecontentProductId19')]", - "id": "[variables('_analyticRulecontentProductId19')]", - "version": "[variables('analyticRuleVersion19')]" + "contentProductId": "[variables('analyticRuleObject19')._analyticRulecontentProductId19]", + "id": "[variables('analyticRuleObject19')._analyticRulecontentProductId19]", + "version": "[variables('analyticRuleObject19').analyticRuleVersion19]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName20')]", + "name": "[variables('analyticRuleObject20').analyticRuleTemplateSpecName20]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -2737,13 +2901,13 @@ "description": "User_assigned_to_a_default_admin_role_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion20')]", + "contentVersion": "[variables('analyticRuleObject20').analyticRuleVersion20]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId20')]", + "name": "[variables('analyticRuleObject20')._analyticRulecontentId20]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2762,10 +2926,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Authomize", "dataTypes": [ "Authomize_v2_CL" - ], - "connectorId": "Authomize" + ] } ], "tactics": [ 
@@ -2774,52 +2938,60 @@ "techniques": [ "T1078" ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URL" + } + ], + "entityType": "URL" + } + ], "eventGroupingSettings": { "aggregationKind": "SingleAlert" }, "customDetails": { - "EventRecommendation": "Recommendation", - "AuthomizeEventID": "[variables('_AuthomizeEventID')]", - "EventDescription": "Description", + "AuthomizeEventID": "EventID", "EventName": "Policy", - "ReferencedURL": "URL" + "ReferencedURL": "URL", + "EventRecommendation": "Recommendation", + "EventDescription": "Description" }, "alertDetailsOverride": { - "alertDescriptionFormat": "User assigned to a default admin role. The rule detects users that were assigned to one of the systems default admin roles.\n", + "alertTactics": "Tactics", + "alertSeverity": "Severity", "alertDynamicProperties": [ { "value": "URL", "alertProperty": "AlertLink" } ], - "alertSeverity": "Severity", "alertnameFormat": "Alert from Authomize - User assigned to a default admin role", - "alertTactics": "Tactics" + "alertDescriptionFormat": "User assigned to a default admin role. 
The rule detects users that were assigned to one of the systems default admin roles.\n" }, "incidentConfiguration": { - "createIncident": true, "groupingConfiguration": { - "lookbackDuration": "5h", - "enabled": true, "matchingMethod": "AnyAlert", - "groupByCustomDetails": "[variables('TemplateEmptyArray')]", "reopenClosedIncident": false, - "groupByAlertDetails": "[variables('TemplateEmptyArray')]", - "groupByEntities": "[variables('TemplateEmptyArray')]" - } + "enabled": true, + "lookbackDuration": "5h" + }, + "createIncident": true } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId20'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject20').analyticRuleId20,'/'))))]", "properties": { "description": "Authomize Analytics Rule 20", - "parentId": "[variables('analyticRuleId20')]", - "contentId": "[variables('_analyticRulecontentId20')]", + "parentId": "[variables('analyticRuleObject20').analyticRuleId20]", + "contentId": "[variables('analyticRuleObject20')._analyticRulecontentId20]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion20')]", + "version": "[variables('analyticRuleObject20').analyticRuleVersion20]", "source": { "kind": "Solution", "name": "Authomize", 
@@ -2844,18 +3016,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId20')]", + "contentId": "[variables('analyticRuleObject20')._analyticRulecontentId20]", "contentKind": "AnalyticsRule", "displayName": "User assigned to a default admin role", - "contentProductId": "[variables('_analyticRulecontentProductId20')]", - "id": "[variables('_analyticRulecontentProductId20')]", - "version": "[variables('analyticRuleVersion20')]" + "contentProductId": "[variables('analyticRuleObject20')._analyticRulecontentProductId20]", + "id": "[variables('analyticRuleObject20')._analyticRulecontentProductId20]", + "version": "[variables('analyticRuleObject20').analyticRuleVersion20]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName21')]", + "name": "[variables('analyticRuleObject21').analyticRuleTemplateSpecName21]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -2864,13 +3036,13 @@ "description": "User_without_MFA_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion21')]", + "contentVersion": "[variables('analyticRuleObject21').analyticRuleVersion21]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId21')]", + "name": "[variables('analyticRuleObject21')._analyticRulecontentId21]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2889,10 +3061,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Authomize", "dataTypes": [ "Authomize_v2_CL" - ], - "connectorId": "Authomize" + ] } ], "tactics": [ 
@@ -2901,52 +3073,60 @@ "techniques": [ "T1078" ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URL" + } + ], + "entityType": "URL" + } + ], "eventGroupingSettings": { "aggregationKind": "SingleAlert" }, "customDetails": { - "EventRecommendation": "Recommendation", - "AuthomizeEventID": "[variables('_AuthomizeEventID')]", - "EventDescription": "Description", + "AuthomizeEventID": "EventID", "EventName": "Policy", - "ReferencedURL": "URL" + "ReferencedURL": "URL", + "EventRecommendation": "Recommendation", + "EventDescription": "Description" }, "alertDetailsOverride": { - "alertDescriptionFormat": "User without MFA. The policy detects user accounts without mutli-factor authentication\n", + "alertTactics": "Tactics", + "alertSeverity": "Severity", "alertDynamicProperties": [ { "value": "URL", "alertProperty": "AlertLink" } ], - "alertSeverity": "Severity", "alertnameFormat": "Alert from Authomize - User without MFA", - "alertTactics": "Tactics" + "alertDescriptionFormat": "User without MFA. 
The policy detects user accounts without mutli-factor authentication\n" }, "incidentConfiguration": { - "createIncident": true, "groupingConfiguration": { - "lookbackDuration": "5h", - "enabled": true, "matchingMethod": "AnyAlert", - "groupByCustomDetails": "[variables('TemplateEmptyArray')]", "reopenClosedIncident": false, - "groupByAlertDetails": "[variables('TemplateEmptyArray')]", - "groupByEntities": "[variables('TemplateEmptyArray')]" - } + "enabled": true, + "lookbackDuration": "5h" + }, + "createIncident": true } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId21'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject21').analyticRuleId21,'/'))))]", "properties": { "description": "Authomize Analytics Rule 21", - "parentId": "[variables('analyticRuleId21')]", - "contentId": "[variables('_analyticRulecontentId21')]", + "parentId": "[variables('analyticRuleObject21').analyticRuleId21]", + "contentId": "[variables('analyticRuleObject21')._analyticRulecontentId21]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion21')]", + "version": "[variables('analyticRuleObject21').analyticRuleVersion21]", "source": { "kind": "Solution", "name": "Authomize", 
@@ -2971,18 +3151,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId21')]", + "contentId": "[variables('analyticRuleObject21')._analyticRulecontentId21]", "contentKind": "AnalyticsRule", "displayName": "User without MFA", - "contentProductId": "[variables('_analyticRulecontentProductId21')]", - "id": "[variables('_analyticRulecontentProductId21')]", - "version": "[variables('analyticRuleVersion21')]" + "contentProductId": "[variables('analyticRuleObject21')._analyticRulecontentProductId21]", + "id": "[variables('analyticRuleObject21')._analyticRulecontentProductId21]", + "version": "[variables('analyticRuleObject21').analyticRuleVersion21]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName1')]", + "name": "[variables('huntingQueryObject1').huntingQueryTemplateSpecName1]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" @@ -2991,7 +3171,7 @@ "description": "Admin_SaaS_account_detected_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion1')]", + "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", "parameters": {}, "variables": {}, "resources": [ 
@@ -3025,13 +3205,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1),'/'))))]", "properties": { "description": "Authomize Hunting Query 1", - "parentId": "[variables('huntingQueryId1')]", - "contentId": "[variables('_huntingQuerycontentId1')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1)]", + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion1')]", + "version": "[variables('huntingQueryObject1').huntingQueryVersion1]", "source": { "kind": "Solution", "name": "Authomize", 
@@ -3056,18 +3236,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId1')]", + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", "contentKind": "HuntingQuery", "displayName": "Admin SaaS account detected", - "contentProductId": "[variables('_huntingQuerycontentProductId1')]", - "id": "[variables('_huntingQuerycontentProductId1')]", - "version": "[variables('huntingQueryVersion1')]" + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]", + "version": "1.0.0" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName2')]", + "name": "[variables('huntingQueryObject2').huntingQueryTemplateSpecName2]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" @@ -3076,7 +3256,7 @@ "description": "Chain_of_3_or_more_roles_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion2')]", + "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", "parameters": {}, "variables": {}, "resources": [ 
@@ -3110,13 +3290,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId2'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2),'/'))))]", "properties": { "description": "Authomize Hunting Query 2", - "parentId": "[variables('huntingQueryId2')]", - "contentId": "[variables('_huntingQuerycontentId2')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2)]", + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion2')]", + "version": "[variables('huntingQueryObject2').huntingQueryVersion2]", "source": { "kind": "Solution", "name": "Authomize", 
@@ -3141,18 +3321,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId2')]", + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", "contentKind": "HuntingQuery", "displayName": "ateral Movement Risk - Role Chain Length", - "contentProductId": "[variables('_huntingQuerycontentProductId2')]", - "id": "[variables('_huntingQuerycontentProductId2')]", - "version": "[variables('huntingQueryVersion2')]" + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.0')))]", + "version": "1.0.0" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName3')]", + "name": "[variables('huntingQueryObject3').huntingQueryTemplateSpecName3]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" @@ -3161,7 +3341,7 @@ "description": "IaaS_admin_detected_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion3')]", + "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", "parameters": {}, "variables": {}, "resources": [ 
@@ -3195,13 +3375,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId3'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3),'/'))))]", "properties": { "description": "Authomize Hunting Query 3", - "parentId": "[variables('huntingQueryId3')]", - "contentId": "[variables('_huntingQuerycontentId3')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3)]", + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion3')]", + "version": "[variables('huntingQueryObject3').huntingQueryVersion3]", "source": { "kind": "Solution", "name": "Authomize", 
@@ -3226,18 +3406,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId3')]", + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", "contentKind": "HuntingQuery", "displayName": "IaaS admin detected", - "contentProductId": "[variables('_huntingQuerycontentProductId3')]", - "id": "[variables('_huntingQuerycontentProductId3')]", - "version": "[variables('huntingQueryVersion3')]" + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.0')))]", + "version": "1.0.0" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName4')]", + "name": "[variables('huntingQueryObject4').huntingQueryTemplateSpecName4]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" @@ -3246,7 +3426,7 @@ "description": "IaaS_shadow_admin_detected_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion4')]", + "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", "parameters": {}, "variables": {}, "resources": [ 
@@ -3280,13 +3460,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId4'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4),'/'))))]", "properties": { "description": "Authomize Hunting Query 4", - "parentId": "[variables('huntingQueryId4')]", - "contentId": "[variables('_huntingQuerycontentId4')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4)]", + "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion4')]", + "version": "[variables('huntingQueryObject4').huntingQueryVersion4]", "source": { "kind": "Solution", "name": "Authomize", 
@@ -3311,18 +3491,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId4')]", + "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", "contentKind": "HuntingQuery", "displayName": "IaaS shadow admin detected", - "contentProductId": "[variables('_huntingQuerycontentProductId4')]", - "id": "[variables('_huntingQuerycontentProductId4')]", - "version": "[variables('huntingQueryVersion4')]" + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.0')))]", + "version": "1.0.0" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName5')]", + "name": "[variables('huntingQueryObject5').huntingQueryTemplateSpecName5]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" @@ -3331,7 +3511,7 @@ "description": "Password_Exfiltration_over_SCIM_application_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion5')]", + "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", "parameters": {}, "variables": {}, "resources": [ 
@@ -3365,13 +3545,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId5'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5),'/'))))]", "properties": { "description": "Authomize Hunting Query 5", - "parentId": "[variables('huntingQueryId5')]", - "contentId": "[variables('_huntingQuerycontentId5')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5)]", + "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion5')]", + "version": "[variables('huntingQueryObject5').huntingQueryVersion5]", "source": { "kind": "Solution", "name": "Authomize", 
@@ -3396,18 +3576,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId5')]", + "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", "contentKind": "HuntingQuery", "displayName": "Password Exfiltration over SCIM application", - "contentProductId": "[variables('_huntingQuerycontentProductId5')]", - "id": "[variables('_huntingQuerycontentProductId5')]", - "version": "[variables('huntingQueryVersion5')]" + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.0')))]", + "version": "1.0.0" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName6')]", + "name": "[variables('huntingQueryObject6').huntingQueryTemplateSpecName6]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" @@ -3416,7 +3596,7 @@ "description": "Privileged_Machines_Exposed_to_the_Internet_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion6')]", + "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", "parameters": {}, "variables": {}, "resources": [ 
@@ -3450,13 +3630,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId6'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject6')._huntingQuerycontentId6),'/'))))]", "properties": { "description": "Authomize Hunting Query 6", - "parentId": "[variables('huntingQueryId6')]", - "contentId": "[variables('_huntingQuerycontentId6')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject6')._huntingQuerycontentId6)]", + "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion6')]", + "version": "[variables('huntingQueryObject6').huntingQueryVersion6]", "source": { "kind": "Solution", "name": "Authomize", 
@@ -3481,12 +3661,12 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId6')]", + "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", "contentKind": "HuntingQuery", "displayName": "Privileged Machines Exposed to the Internet", - "contentProductId": "[variables('_huntingQuerycontentProductId6')]", - "id": "[variables('_huntingQuerycontentProductId6')]", - "version": "[variables('huntingQueryVersion6')]" + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject6')._huntingQuerycontentId6,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject6')._huntingQuerycontentId6,'-', '1.0.0')))]", + "version": "1.0.0" } }, { 
@@ -3812,138 +3992,138 @@ }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId1')]", - "version": "[variables('analyticRuleVersion1')]" + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId2')]", - "version": "[variables('analyticRuleVersion2')]" + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId3')]", - "version": "[variables('analyticRuleVersion3')]" + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId4')]", - "version": "[variables('analyticRuleVersion4')]" + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId5')]", - "version": "[variables('analyticRuleVersion5')]" + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId6')]", - "version": "[variables('analyticRuleVersion6')]" + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId7')]", - "version": "[variables('analyticRuleVersion7')]" + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "version": 
"[variables('analyticRuleObject7').analyticRuleVersion7]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId8')]", - "version": "[variables('analyticRuleVersion8')]" + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId9')]", - "version": "[variables('analyticRuleVersion9')]" + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId10')]", - "version": "[variables('analyticRuleVersion10')]" + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId11')]", - "version": "[variables('analyticRuleVersion11')]" + "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]", + "version": "[variables('analyticRuleObject11').analyticRuleVersion11]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId12')]", - "version": "[variables('analyticRuleVersion12')]" + "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]", + "version": "[variables('analyticRuleObject12').analyticRuleVersion12]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId13')]", - "version": "[variables('analyticRuleVersion13')]" + "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]", + "version": "[variables('analyticRuleObject13').analyticRuleVersion13]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId14')]", - "version": "[variables('analyticRuleVersion14')]" + "contentId": 
"[variables('analyticRuleObject14')._analyticRulecontentId14]", + "version": "[variables('analyticRuleObject14').analyticRuleVersion14]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId15')]", - "version": "[variables('analyticRuleVersion15')]" + "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]", + "version": "[variables('analyticRuleObject15').analyticRuleVersion15]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId16')]", - "version": "[variables('analyticRuleVersion16')]" + "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]", + "version": "[variables('analyticRuleObject16').analyticRuleVersion16]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId17')]", - "version": "[variables('analyticRuleVersion17')]" + "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]", + "version": "[variables('analyticRuleObject17').analyticRuleVersion17]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId18')]", - "version": "[variables('analyticRuleVersion18')]" + "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]", + "version": "[variables('analyticRuleObject18').analyticRuleVersion18]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId19')]", - "version": "[variables('analyticRuleVersion19')]" + "contentId": "[variables('analyticRuleObject19')._analyticRulecontentId19]", + "version": "[variables('analyticRuleObject19').analyticRuleVersion19]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId20')]", - "version": "[variables('analyticRuleVersion20')]" + "contentId": "[variables('analyticRuleObject20')._analyticRulecontentId20]", + "version": "[variables('analyticRuleObject20').analyticRuleVersion20]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId21')]", - "version": 
"[variables('analyticRuleVersion21')]" + "contentId": "[variables('analyticRuleObject21')._analyticRulecontentId21]", + "version": "[variables('analyticRuleObject21').analyticRuleVersion21]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId1')]", - "version": "[variables('huntingQueryVersion1')]" + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", + "version": "[variables('huntingQueryObject1').huntingQueryVersion1]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId2')]", - "version": "[variables('huntingQueryVersion2')]" + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", + "version": "[variables('huntingQueryObject2').huntingQueryVersion2]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId3')]", - "version": "[variables('huntingQueryVersion3')]" + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", + "version": "[variables('huntingQueryObject3').huntingQueryVersion3]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId4')]", - "version": "[variables('huntingQueryVersion4')]" + "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", + "version": "[variables('huntingQueryObject4').huntingQueryVersion4]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId5')]", - "version": "[variables('huntingQueryVersion5')]" + "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", + "version": "[variables('huntingQueryObject5').huntingQueryVersion5]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId6')]", - "version": "[variables('huntingQueryVersion6')]" + "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", + "version": "[variables('huntingQueryObject6').huntingQueryVersion6]" }, { "kind": "DataConnector", 
diff --git a/Solutions/Authomize/Package/testParameters.json b/Solutions/Authomize/Package/testParameters.json new file mode 100644 index 0000000000..dce8ccf5a7 --- /dev/null +++ b/Solutions/Authomize/Package/testParameters.json @@ -0,0 +1,32 @@ +{ + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + }, + "workbook1-name": { + "type": "string", + "defaultValue": "Authomize ITDR Event Monitoring for Identities", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + } +} diff --git a/Solutions/Authomize/ReleaseNotes.md b/Solutions/Authomize/ReleaseNotes.md index e1feaf90b4..4487a36caa 100644 --- a/Solutions/Authomize/ReleaseNotes.md +++ b/Solutions/Authomize/ReleaseNotes.md @@ -1,3 +1,3 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| -| 3.0.0 | 27-07-2023 | Initial Solution Release. | \ No newline at end of file +| 3.0.0 | 12-12-2023 | Added Entity Mapping to **Analytic rules** | diff --git a/Solutions/Cloudflare/Data Connectors/AzureFunctionCloudflare/function.json b/Solutions/Cloudflare/Data Connectors/AzureFunctionCloudflare/function.json index 0ab369f0c9..feddd04c9d 100644 --- a/Solutions/Cloudflare/Data Connectors/AzureFunctionCloudflare/function.json 
+++ b/Solutions/Cloudflare/Data Connectors/AzureFunctionCloudflare/function.json @@ -5,7 +5,7 @@ "name": "mytimer", "type": "timerTrigger", "direction": "in", - "schedule": "0 */5 * * * *", + "schedule": "0 */3 * * * *", "runOnStartup": false } ] diff --git a/Solutions/Cloudflare/Data Connectors/AzureFunctionCloudflare/main.py b/Solutions/Cloudflare/Data Connectors/AzureFunctionCloudflare/main.py index 0af2ad1bf7..d179872233 100644 --- a/Solutions/Cloudflare/Data Connectors/AzureFunctionCloudflare/main.py +++ b/Solutions/Cloudflare/Data Connectors/AzureFunctionCloudflare/main.py @@ -16,8 +16,8 @@ 'azure.core.pipeline.policies.http_logging_policy').setLevel(logging.ERROR) logging.getLogger('charset_normalizer').setLevel(logging.ERROR) - -MAX_SCRIPT_EXEC_TIME_MINUTES = 5 +# Defines how long the function can run, max in consumption mode is 10 minutes +MAX_SCRIPT_EXEC_TIME_MINUTES = int(os.environ.get('MAX_SCRIPT_EXEC_TIME_MINUTES', 10)) AZURE_STORAGE_CONNECTION_STRING = os.environ['AZURE_STORAGE_CONNECTION_STRING'] @@ -30,7 +30,7 @@ # Defines how many files can be processed simultaneously MAX_CONCURRENT_PROCESSING_FILES = int( - os.environ.get('MAX_CONCURRENT_PROCESSING_FILES', 20)) + os.environ.get('MAX_CONCURRENT_PROCESSING_FILES', 1)) # Defines page size while listing files from blob storage. New page is not processed while old page is processing. MAX_PAGE_SIZE = int(MAX_CONCURRENT_PROCESSING_FILES * 1.5) @@ -39,7 +39,7 @@ MAX_BUCKET_SIZE = int(os.environ.get('MAX_BUCKET_SIZE', 2000)) # Defines max chunk download size for blob storage in MB -MAX_CHUNK_SIZE_MB = int(os.environ.get('MAX_CHUNK_SIZE_MB', 2)) +MAX_CHUNK_SIZE_MB = int(os.environ.get('MAX_CHUNK_SIZE_MB', 500)) LOG_ANALYTICS_URI = os.environ.get('logAnalyticsUri') 
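Review bot: The new 10-minute default for `MAX_SCRIPT_EXEC_TIME_MINUTES` in the `@@ -16,8 +16,8 @@` hunk only takes effect if the host permits a run that long: on the Consumption plan the host-side `functionTimeout` in host.json defaults to 5 minutes (10 is the ceiling), and a host kill lands before `check_if_script_runs_too_long()` (0.75 × 600 s = 450 s) ever trips. host.json is not in this diff, so either raise it in step or state the prerequisite in the comment, e.g. `# Upper bound for one run in minutes; must not exceed host.json functionTimeout (10 min ceiling on the Consumption plan)`. The function.json hunk on this line also shortens the timer to every 3 minutes, well under this budget; the timer trigger is a singleton within a function app so runs should not overlap, but that reasoning belongs in the same comment rather than in the reviewer's head.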
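Review bot: The default for `MAX_CHUNK_SIZE_MB` jumps from 2 to 500 in the `@@ -39,7 +39,7 @@` hunk with no explanation, while the `@@ -30,7 +30,7 @@` hunk on this line drops the concurrent-file default from 20 to 1, so this reads as a deliberate switch to one large download at a time. If the chunk is buffered in memory (how the constant is consumed is not visible from here), 500 MB is a third of the Consumption plan's 1.5 GB limit and leaves little headroom for the event queue sized by `MAX_BUCKET_SIZE`. Record the trade-off in the existing comment, e.g. `# Defines max chunk download size for blob storage in MB; 500 assumes one file at a time (MAX_CONCURRENT_PROCESSING_FILES=1) and must stay well under the plan's memory limit`.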
@@ -53,6 +53,7 @@ async def main(mytimer: func.TimerRequest): + logging.basicConfig(level=logging.INFO) logging.info('Starting script') logging.info('Concurrency parameters: MAX_CONCURRENT_PROCESSING_FILES {}, MAX_PAGE_SIZE {}, MAX_BUCKET_SIZE {}.'.format( MAX_CONCURRENT_PROCESSING_FILES, MAX_PAGE_SIZE, MAX_BUCKET_SIZE)) @@ -97,14 +98,15 @@ def _create_container_client(self): async def get_blobs(self): container_client = self._create_container_client() async with container_client: - async for blob in container_client.list_blobs(): + async for blob in container_client.list_blobs(include=['tags']): if 'ownership-challenge' not in blob['name']: - yield blob + if blob['tags'] is None or 'StartedProcessing' not in blob['tags']: + yield blob def check_if_script_runs_too_long(self): now = int(time.time()) duration = now - self.script_start_time - max_duration = int(MAX_SCRIPT_EXEC_TIME_MINUTES * 60 * 0.85) + max_duration = int(MAX_SCRIPT_EXEC_TIME_MINUTES * 60 * 0.75) return duration > max_duration async def delete_blob(self, blob, container_client): @@ -141,6 +143,11 @@ def merge_lines(self, data): async def process_blob(self, blob, container_client, session: aiohttp.ClientSession): async with self.semaphore: logging.info("Start processing {}".format(blob['name'])) + blob_client = container_client.get_blob_client(blob['name']) + tags = await blob_client.get_blob_tags() + updated_tags = {'StartedProcessing': 'true'} + tags.update(updated_tags) + await blob_client.set_blob_tags(tags) sentinel = AzureSentinelConnectorAsync( session, LOG_ANALYTICS_URI, WORKSPACE_ID, SHARED_KEY, LOG_TYPE, queue_size=MAX_BUCKET_SIZE) blob_cor = await container_client.download_blob(blob['name']) diff --git a/Solutions/Cloudflare/Data Connectors/CloudflareConn.zip b/Solutions/Cloudflare/Data Connectors/CloudflareConn.zip index a6601037b0..6f3b14612c 100644 Binary files a/Solutions/Cloudflare/Data Connectors/CloudflareConn.zip and b/Solutions/Cloudflare/Data Connectors/CloudflareConn.zip differ 
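Review bot: The `StartedProcessing` tag written at the top of `process_blob` in the `@@ -141,6 +143,11 @@` hunk is never removed, and `get_blobs` in the `@@ -97,14 +98,15 @@` hunk skips every blob that carries it, so a blob whose download or ingestion raises, or whose run is cut short by `check_if_script_runs_too_long()` or a host timeout, is silently excluded from every later run and never reaches the workspace. Wrap the work that follows `set_blob_tags` in a try/except that releases the claim before re-raising, and store a timestamp instead of `'true'` so a stale claim from a killed run can later be recognised and reclaimed; the rest of `process_blob` is outside the hunk. The list-then-tag sequence is also not atomic, so two runs that list the same blob before either tags it will both process it — a blob lease would close that gap if overlapping runs are possible. A log line for the skip in `get_blobs`, e.g. `logging.info("Skipping %s: already claimed", blob['name'])`, would make stuck blobs visible in the function logs.
```python
            blob_client = container_client.get_blob_client(blob['name'])
            tags = await blob_client.get_blob_tags()
            # Claim with a timestamp so a stale claim from a killed run can be told apart from an active one
            tags.update({'StartedProcessing': str(int(time.time()))})
            await blob_client.set_blob_tags(tags)
            try:
                # … unchanged: AzureSentinelConnectorAsync setup, download_blob, ingestion (continues outside the hunk) …
            except Exception:
                # Release the claim so the next run retries this blob instead of skipping it forever
                tags.pop('StartedProcessing', None)
                await blob_client.set_blob_tags(tags)
                raise
```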
diff --git a/Solutions/Cloudflare/Data Connectors/azuredeploy_Cloudflare_API_FunctionApp.json b/Solutions/Cloudflare/Data Connectors/azuredeploy_Cloudflare_API_FunctionApp.json index 73b2beca84..689ad30f8a 100644 --- a/Solutions/Cloudflare/Data Connectors/azuredeploy_Cloudflare_API_FunctionApp.json +++ b/Solutions/Cloudflare/Data Connectors/azuredeploy_Cloudflare_API_FunctionApp.json @@ -168,7 +168,9 @@ "AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('FunctionName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]", "WORKSPACE_ID": "[parameters('AzureSentinelWorkspaceId')]", "SHARED_KEY": "[parameters('AzureSentinelSharedKey')]", + "MAX_SCRIPT_EXEC_TIME_MINUTES": "[parameters('MaxRunTime')]", "MAX_CONCURRENT_PROCESSING_FILES": "[parameters('SimultaneouslyProcessingFiles')]", + "MAX_CHUNK_SIZE_MB": "[parameters('MaximumStorageBlobSize')]", "MAX_BUCKET_SIZE": "[parameters('EventsBucketSize')]", "logAnalyticsUri": "[variables('LogAnaltyicsUri')]", "WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-CloudflareDataConnector-functionapp", diff --git a/Solutions/Cloudflare/Data/Solution_Cloudflare.json b/Solutions/Cloudflare/Data/Solution_Cloudflare.json index da515fd069..5ee7ca7f6a 100644 --- a/Solutions/Cloudflare/Data/Solution_Cloudflare.json +++ b/Solutions/Cloudflare/Data/Solution_Cloudflare.json @@ -7,7 +7,7 @@ "Cloudflare/Data Connectors/Cloudflare_API_FunctionApp.json" ], "Parsers": [ - "Cloudflare/Parsers/Cloudflare.txt" + "Cloudflare/Parsers/Cloudflare.yaml" ], "Workbooks":[ "Cloudflare/Workbooks/Cloudflare.json" diff --git a/Solutions/Cloudflare/Package/3.0.2.zip b/Solutions/Cloudflare/Package/3.0.2.zip new file mode 100644 index 0000000000..6e7ea05e56 Binary files /dev/null and b/Solutions/Cloudflare/Package/3.0.2.zip differ 
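Review bot: The two app settings added in the `@@ -168,7 +168,9 @@` hunk reference `parameters('MaxRunTime')` and `parameters('MaximumStorageBlobSize')`, which must be declared in the template's `parameters` section for the deployment to validate; that section is outside this hunk, so this assumes they are added elsewhere in the commit. Because main.py reads both through `int(os.environ.get(...))` at import time, declare them as `"type": "int"` with bounds (for example `"minValue": 1, "maxValue": 10` on MaxRunTime, matching the Consumption-plan ceiling) so a blank or non-numeric value is rejected at deploy time instead of crashing the function at startup. Each parameter's `metadata.description` should name the environment variable it feeds so operators can trace the setting back to the code.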
diff --git a/Solutions/Cloudflare/Package/createUiDefinition.json b/Solutions/Cloudflare/Package/createUiDefinition.json index 949df94ae5..908fcecf14 100644 --- a/Solutions/Cloudflare/Package/createUiDefinition.json +++ b/Solutions/Cloudflare/Package/createUiDefinition.json @@ -60,14 +60,14 @@ "name": "dataconnectors1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This solution installs the data connector for ingesting Cloudflare logs into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + "text": "This Solution installs the data connector for Cloudflare. You can get Cloudflare custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } }, { "name": "dataconnectors-parser-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "The solution installs a parser that transforms ingested data. The transformed logs can be accessed using the Cloudflare Kusto Function alias." + "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel." } }, { 
@@ -111,19 +111,13 @@ { "name": "workbook1", "type": "Microsoft.Common.Section", - "label": [ - "Cloudflare", - "Cloudflare" - ], + "label": "Cloudflare", "elements": [ { "name": "workbook1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": [ - "Sets the time name for analysis", - "Gain insights into Cloudflare events. You will get visibility on your Cloudflare web traffic, security, reliability." - ] + "text": "Gain insights into Cloudflare events. You will get visibility on your Cloudflare web traffic, security, reliability." } } ] diff --git a/Solutions/Cloudflare/Package/mainTemplate.json b/Solutions/Cloudflare/Package/mainTemplate.json index 5bff839a5f..cc16aab737 100644 --- a/Solutions/Cloudflare/Package/mainTemplate.json +++ b/Solutions/Cloudflare/Package/mainTemplate.json @@ -38,12 +38,12 @@ } }, "variables": { - "solutionId": "cloudflare.cloudflare_sentinel", - "_solutionId": "[variables('solutionId')]", "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Cloudflare", - "_solutionVersion": "3.0.1", + "_solutionVersion": "3.0.2", + "solutionId": "cloudflare.cloudflare_sentinel", + "_solutionId": "[variables('solutionId')]", "uiConfigId1": "CloudflareDataConnector", "_uiConfigId1": "[variables('uiConfigId1')]", "dataConnectorContentId1": "CloudflareDataConnector", 
@@ -53,142 +53,140 @@ "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", "dataConnectorVersion1": "1.0.0", "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", - "parserName1": "Cloudflare", - "_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]", - "parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", - "_parserId1": "[variables('parserId1')]", - "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1'))))]", - "parserVersion1": "1.0.0", - "parserContentId1": "Cloudflare-Parser", - "_parserContentId1": "[variables('parserContentId1')]", - "_parsercontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId1'),'-', variables('parserVersion1'))))]", - "workbookVersion1": "1.0.0", + "parserObject1": { + "_parserName1": "[concat(parameters('workspace'),'/','Cloudflare')]", + "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Cloudflare')]", + "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('Cloudflare-Parser')))]", + "parserVersion1": "1.0.0", + "parserContentId1": "Cloudflare-Parser" + }, + "workbookVersion1": "1.0", "workbookContentId1": "CloudflareWorkbook", "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", 
"workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", "_workbookContentId1": "[variables('workbookContentId1')]", "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", - "analyticRuleVersion1": "1.0.0", - "analyticRulecontentId1": "a7ce6135-9d55-4f14-b058-adc2e920a4fa", - "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]", - "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]", - "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]", - "analyticRuleVersion2": "1.0.0", - "analyticRulecontentId2": "729c6d21-fad9-4a6a-9c7f-482393c95957", - "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]", - "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]", - "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', variables('analyticRuleVersion2'))))]", - "analyticRuleVersion3": "1.0.0", - "analyticRulecontentId3": "ef877d68-755f-4cf1-ac1d-f336e395667c", - "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]", - "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]", - "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3'))))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId3'),'-', variables('analyticRuleVersion3'))))]", - "analyticRuleVersion4": "1.0.0", - "analyticRulecontentId4": "fc50076a-0275-43d5-b9dd-38346c061f67", - "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]", - "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]", - "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4'))))]", - "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId4'),'-', variables('analyticRuleVersion4'))))]", - "analyticRuleVersion5": "1.0.0", - "analyticRulecontentId5": "40554544-6e4a-4413-8d14-bf2de939c5d9", - "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]", - "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]", - "analyticRuleTemplateSpecName5": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5'))))]", - "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId5'),'-', variables('analyticRuleVersion5'))))]", - "analyticRuleVersion6": "1.0.0", - "analyticRulecontentId6": "7313352a-09f6-4a84-88bd-6f17f1cbeb8f", - "_analyticRulecontentId6": "[variables('analyticRulecontentId6')]", - "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]", - "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6'))))]", - "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId6'),'-', variables('analyticRuleVersion6'))))]", - "analyticRuleVersion7": "1.0.1", - "analyticRulecontentId7": "f32142b1-4bcb-45c0-92e4-2ddc18768522", - "_analyticRulecontentId7": "[variables('analyticRulecontentId7')]", - "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId7'))]", - "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7'))))]", - "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId7'),'-', variables('analyticRuleVersion7'))))]", - "analyticRuleVersion8": "1.0.0", - "analyticRulecontentId8": "dcb797cd-a4cd-4306-897b-7991f71d7e27", - "_analyticRulecontentId8": 
"[variables('analyticRulecontentId8')]", - "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId8'))]", - "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8'))))]", - "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId8'),'-', variables('analyticRuleVersion8'))))]", - "analyticRuleVersion9": "1.0.0", - "analyticRulecontentId9": "f53fe2a9-96b5-454c-827e-cf1764a67fb0", - "_analyticRulecontentId9": "[variables('analyticRulecontentId9')]", - "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId9'))]", - "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9'))))]", - "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId9'),'-', variables('analyticRuleVersion9'))))]", - "analyticRuleVersion10": "1.0.0", - "analyticRulecontentId10": "4d9d00b9-31a6-49e4-88c1-9e68277053ac", - "_analyticRulecontentId10": "[variables('analyticRulecontentId10')]", - "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId10'))]", - "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId10'))))]", - "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId10'),'-', variables('analyticRuleVersion10'))))]", - "huntingQueryVersion1": "1.0.0", - "huntingQuerycontentId1": "5d72f483-929a-498a-b840-dff7deed2116", - "_huntingQuerycontentId1": "[variables('huntingQuerycontentId1')]", - "huntingQueryId1": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId1'))]", - "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1'))))]", - "_huntingQuerycontentProductId1": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId1'),'-', variables('huntingQueryVersion1'))))]", - "huntingQueryVersion2": "1.0.0", - "huntingQuerycontentId2": "20ef3865-fd1f-44a4-ac8f-8d026cf954e0", - "_huntingQuerycontentId2": "[variables('huntingQuerycontentId2')]", - "huntingQueryId2": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId2'))]", - "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId2'))))]", - "_huntingQuerycontentProductId2": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId2'),'-', variables('huntingQueryVersion2'))))]", - "huntingQueryVersion3": "1.0.0", - "huntingQuerycontentId3": "d72d0055-ae52-43b5-859e-db72e5ef183a", - "_huntingQuerycontentId3": "[variables('huntingQuerycontentId3')]", - "huntingQueryId3": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId3'))]", - "huntingQueryTemplateSpecName3": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId3'))))]", - "_huntingQuerycontentProductId3": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId3'),'-', variables('huntingQueryVersion3'))))]", - "huntingQueryVersion4": "1.0.0", - "huntingQuerycontentId4": "a6f1938f-2f87-446c-83ac-624c277cfd32", - "_huntingQuerycontentId4": "[variables('huntingQuerycontentId4')]", - "huntingQueryId4": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId4'))]", - "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId4'))))]", - "_huntingQuerycontentProductId4": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId4'),'-', variables('huntingQueryVersion4'))))]", - "huntingQueryVersion5": "1.0.0", - "huntingQuerycontentId5": "7c8f0bed-b25c-4d48-9afa-c505e141bf4b", - "_huntingQuerycontentId5": "[variables('huntingQuerycontentId5')]", - "huntingQueryId5": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId5'))]", - "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId5'))))]", - "_huntingQuerycontentProductId5": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId5'),'-', variables('huntingQueryVersion5'))))]", - "huntingQueryVersion6": "1.0.0", - "huntingQuerycontentId6": "e1a9febc-6b37-47e6-b5a7-0eec7638ba82", - "_huntingQuerycontentId6": 
"[variables('huntingQuerycontentId6')]", - "huntingQueryId6": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId6'))]", - "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId6'))))]", - "_huntingQuerycontentProductId6": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId6'),'-', variables('huntingQueryVersion6'))))]", - "huntingQueryVersion7": "1.0.0", - "huntingQuerycontentId7": "eb7b88ab-47b1-483f-95b3-2b315d98d465", - "_huntingQuerycontentId7": "[variables('huntingQuerycontentId7')]", - "huntingQueryId7": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId7'))]", - "huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId7'))))]", - "_huntingQuerycontentProductId7": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId7'),'-', variables('huntingQueryVersion7'))))]", - "huntingQueryVersion8": "1.0.0", - "huntingQuerycontentId8": "8a72cdb0-97d9-4547-9eca-1bdea2ccd796", - "_huntingQuerycontentId8": "[variables('huntingQuerycontentId8')]", - "huntingQueryId8": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId8'))]", - "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId8'))))]", - "_huntingQuerycontentProductId8": "[concat(take(variables('_solutionId'),50),'-','hq','-', 
uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId8'),'-', variables('huntingQueryVersion8'))))]", - "huntingQueryVersion9": "1.0.0", - "huntingQuerycontentId9": "9fc7d945-0e82-4664-aca0-dc121a5cd7be", - "_huntingQuerycontentId9": "[variables('huntingQuerycontentId9')]", - "huntingQueryId9": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId9'))]", - "huntingQueryTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId9'))))]", - "_huntingQuerycontentProductId9": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId9'),'-', variables('huntingQueryVersion9'))))]", - "huntingQueryVersion10": "1.0.0", - "huntingQuerycontentId10": "0be3ddc1-99db-4153-ba3c-2c1e5c82560d", - "_huntingQuerycontentId10": "[variables('huntingQuerycontentId10')]", - "huntingQueryId10": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId10'))]", - "huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId10'))))]", - "_huntingQuerycontentProductId10": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId10'),'-', variables('huntingQueryVersion10'))))]", + "huntingQueryObject1": { + "huntingQueryVersion1": "1.0.0", + "_huntingQuerycontentId1": "5d72f483-929a-498a-b840-dff7deed2116", + "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('5d72f483-929a-498a-b840-dff7deed2116')))]" + }, + "huntingQueryObject2": { + 
"huntingQueryVersion2": "1.0.0", + "_huntingQuerycontentId2": "20ef3865-fd1f-44a4-ac8f-8d026cf954e0", + "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('20ef3865-fd1f-44a4-ac8f-8d026cf954e0')))]" + }, + "huntingQueryObject3": { + "huntingQueryVersion3": "1.0.0", + "_huntingQuerycontentId3": "d72d0055-ae52-43b5-859e-db72e5ef183a", + "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('d72d0055-ae52-43b5-859e-db72e5ef183a')))]" + }, + "huntingQueryObject4": { + "huntingQueryVersion4": "1.0.0", + "_huntingQuerycontentId4": "a6f1938f-2f87-446c-83ac-624c277cfd32", + "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('a6f1938f-2f87-446c-83ac-624c277cfd32')))]" + }, + "huntingQueryObject5": { + "huntingQueryVersion5": "1.0.0", + "_huntingQuerycontentId5": "7c8f0bed-b25c-4d48-9afa-c505e141bf4b", + "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('7c8f0bed-b25c-4d48-9afa-c505e141bf4b')))]" + }, + "huntingQueryObject6": { + "huntingQueryVersion6": "1.0.0", + "_huntingQuerycontentId6": "e1a9febc-6b37-47e6-b5a7-0eec7638ba82", + "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('e1a9febc-6b37-47e6-b5a7-0eec7638ba82')))]" + }, + "huntingQueryObject7": { + "huntingQueryVersion7": "1.0.0", + "_huntingQuerycontentId7": "eb7b88ab-47b1-483f-95b3-2b315d98d465", + "huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('eb7b88ab-47b1-483f-95b3-2b315d98d465')))]" + }, + "huntingQueryObject8": { + 
"huntingQueryVersion8": "1.0.0", + "_huntingQuerycontentId8": "8a72cdb0-97d9-4547-9eca-1bdea2ccd796", + "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('8a72cdb0-97d9-4547-9eca-1bdea2ccd796')))]" + }, + "huntingQueryObject9": { + "huntingQueryVersion9": "1.0.0", + "_huntingQuerycontentId9": "9fc7d945-0e82-4664-aca0-dc121a5cd7be", + "huntingQueryTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('9fc7d945-0e82-4664-aca0-dc121a5cd7be')))]" + }, + "huntingQueryObject10": { + "huntingQueryVersion10": "1.0.0", + "_huntingQuerycontentId10": "0be3ddc1-99db-4153-ba3c-2c1e5c82560d", + "huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('0be3ddc1-99db-4153-ba3c-2c1e5c82560d')))]" + }, + "analyticRuleObject1": { + "analyticRuleVersion1": "1.0.0", + "_analyticRulecontentId1": "a7ce6135-9d55-4f14-b058-adc2e920a4fa", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a7ce6135-9d55-4f14-b058-adc2e920a4fa')]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a7ce6135-9d55-4f14-b058-adc2e920a4fa')))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a7ce6135-9d55-4f14-b058-adc2e920a4fa','-', '1.0.0')))]" + }, + "analyticRuleObject2": { + "analyticRuleVersion2": "1.0.0", + "_analyticRulecontentId2": "729c6d21-fad9-4a6a-9c7f-482393c95957", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '729c6d21-fad9-4a6a-9c7f-482393c95957')]", + "analyticRuleTemplateSpecName2": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('729c6d21-fad9-4a6a-9c7f-482393c95957')))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','729c6d21-fad9-4a6a-9c7f-482393c95957','-', '1.0.0')))]" + }, + "analyticRuleObject3": { + "analyticRuleVersion3": "1.0.0", + "_analyticRulecontentId3": "ef877d68-755f-4cf1-ac1d-f336e395667c", + "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'ef877d68-755f-4cf1-ac1d-f336e395667c')]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('ef877d68-755f-4cf1-ac1d-f336e395667c')))]", + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','ef877d68-755f-4cf1-ac1d-f336e395667c','-', '1.0.0')))]" + }, + "analyticRuleObject4": { + "analyticRuleVersion4": "1.0.0", + "_analyticRulecontentId4": "fc50076a-0275-43d5-b9dd-38346c061f67", + "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'fc50076a-0275-43d5-b9dd-38346c061f67')]", + "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('fc50076a-0275-43d5-b9dd-38346c061f67')))]", + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fc50076a-0275-43d5-b9dd-38346c061f67','-', '1.0.0')))]" + }, + "analyticRuleObject5": { + "analyticRuleVersion5": "1.0.0", + "_analyticRulecontentId5": "40554544-6e4a-4413-8d14-bf2de939c5d9", + "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '40554544-6e4a-4413-8d14-bf2de939c5d9')]", + 
"analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('40554544-6e4a-4413-8d14-bf2de939c5d9')))]", + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','40554544-6e4a-4413-8d14-bf2de939c5d9','-', '1.0.0')))]" + }, + "analyticRuleObject6": { + "analyticRuleVersion6": "1.0.0", + "_analyticRulecontentId6": "7313352a-09f6-4a84-88bd-6f17f1cbeb8f", + "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '7313352a-09f6-4a84-88bd-6f17f1cbeb8f')]", + "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('7313352a-09f6-4a84-88bd-6f17f1cbeb8f')))]", + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7313352a-09f6-4a84-88bd-6f17f1cbeb8f','-', '1.0.0')))]" + }, + "analyticRuleObject7": { + "analyticRuleVersion7": "1.0.1", + "_analyticRulecontentId7": "f32142b1-4bcb-45c0-92e4-2ddc18768522", + "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f32142b1-4bcb-45c0-92e4-2ddc18768522')]", + "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f32142b1-4bcb-45c0-92e4-2ddc18768522')))]", + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f32142b1-4bcb-45c0-92e4-2ddc18768522','-', '1.0.1')))]" + }, + "analyticRuleObject8": { + "analyticRuleVersion8": "1.0.0", + "_analyticRulecontentId8": "dcb797cd-a4cd-4306-897b-7991f71d7e27", + "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 
'dcb797cd-a4cd-4306-897b-7991f71d7e27')]", + "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('dcb797cd-a4cd-4306-897b-7991f71d7e27')))]", + "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dcb797cd-a4cd-4306-897b-7991f71d7e27','-', '1.0.0')))]" + }, + "analyticRuleObject9": { + "analyticRuleVersion9": "1.0.0", + "_analyticRulecontentId9": "f53fe2a9-96b5-454c-827e-cf1764a67fb0", + "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f53fe2a9-96b5-454c-827e-cf1764a67fb0')]", + "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f53fe2a9-96b5-454c-827e-cf1764a67fb0')))]", + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f53fe2a9-96b5-454c-827e-cf1764a67fb0','-', '1.0.0')))]" + }, + "analyticRuleObject10": { + "analyticRuleVersion10": "1.0.0", + "_analyticRulecontentId10": "4d9d00b9-31a6-49e4-88c1-9e68277053ac", + "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4d9d00b9-31a6-49e4-88c1-9e68277053ac')]", + "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4d9d00b9-31a6-49e4-88c1-9e68277053ac')))]", + "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4d9d00b9-31a6-49e4-88c1-9e68277053ac','-', '1.0.0')))]" + }, "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', 
variables('_solutionVersion'))))]" }, "resources": [ @@ -201,7 +199,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Cloudflare data connector with template version 3.0.1", + "description": "Cloudflare data connector with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", 
@@ -546,36 +544,36 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('parserTemplateSpecName1')]", + "name": "[variables('parserObject1').parserTemplateSpecName1]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Cloudflare Data Parser with template version 3.0.1", + "description": "Cloudflare Data Parser with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserVersion1')]", + "contentVersion": "[variables('parserObject1').parserVersion1]", "parameters": {}, "variables": {}, "resources": [ { - "name": "[variables('_parserName1')]", + "name": "[variables('parserObject1')._parserName1]", "apiVersion": "2022-10-01", "type": "Microsoft.OperationalInsights/workspaces/savedSearches", "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", "displayName": "Cloudflare", - "category": "Samples", + "category": "Microsoft Sentinel Parser", "functionAlias": "Cloudflare", - "query": "\nCloudflare_CL\n| extend\n BotScore_d=column_ifexists('BotScore_d', ''),\n BotScoreSrc_s=column_ifexists('BotScoreSrc_s', ''),\n CacheCacheStatus_s=column_ifexists('CacheCacheStatus_s', ''),\n CacheResponseBytes_d=column_ifexists('CacheResponseBytes_d', ''),\n CacheResponseStatus_d=column_ifexists('CacheResponseStatus_d', ''),\n CacheTieredFill_b=column_ifexists('CacheTieredFill_b', ''),\n ClientASN_d=column_ifexists('ClientASN_d', ''),\n ClientCountry_s=column_ifexists('ClientCountry_s', ''),\n ClientDeviceType_s=column_ifexists('ClientDeviceType_s', ''),\n ClientIP_s=column_ifexists('ClientIP_s', ''),\n 
ClientIPClass_s=column_ifexists('ClientIPClass_s', ''),\n ClientRequestHost_s=column_ifexists('ClientRequestHost_s', ''),\n ClientRequestMethod_s=column_ifexists('ClientRequestMethod_s', ''),\n ClientRequestPath_s=column_ifexists('ClientRequestPath_s', ''),\n ClientRequestProtocol_s=column_ifexists('ClientRequestProtocol_s', ''),\n ClientRequestReferer_s=column_ifexists('ClientRequestReferer_s', ''),\n ClientRequestURI_s=column_ifexists('ClientRequestURI_s', ''),\n ClientRequestUserAgent_s=column_ifexists('ClientRequestUserAgent_s', ''),\n ClientSSLCipher_s=column_ifexists('ClientSSLCipher_s', ''),\n ClientSSLProtocol_s=column_ifexists('ClientSSLProtocol_s', ''),\n ClientXRequestedWith_s=column_ifexists('ClientXRequestedWith_s', ''),\n EdgeColoCode_s=column_ifexists('EdgeColoCode_s', ''),\n EdgeColoID_d=column_ifexists('EdgeColoID_d', ''),\n EdgeEndTimestamp_t=column_ifexists('EdgeEndTimestamp_t', ''),\n EdgePathingOp_s=column_ifexists('EdgePathingOp_s', ''),\n EdgePathingSrc_s=column_ifexists('EdgePathingSrc_s', ''),\n EdgePathingStatus_s=column_ifexists('EdgePathingStatus_s', ''),\n EdgeRateLimitAction_s=column_ifexists('EdgeRateLimitAction_s', ''),\n EdgeRateLimitID_d=column_ifexists('EdgeRateLimitID_d', ''),\n EdgeRequestHost_s=column_ifexists('EdgeRequestHost_s', ''),\n EdgeResponseBytes_d=column_ifexists('EdgeResponseBytes_d', ''),\n EdgeResponseCompressionRatio_d=column_ifexists('EdgeResponseCompressionRatio_d', ''),\n EdgeResponseContentType_s=column_ifexists('EdgeResponseContentType_s', ''),\n EdgeResponseStatus_d=column_ifexists('EdgeResponseStatus_d', ''),\n EdgeServerIP_s=column_ifexists('EdgeServerIP_s', ''),\n EdgeStartTimestamp_t=column_ifexists('EdgeStartTimestamp_t', ''),\n FirewallMatchesActions_s=column_ifexists('FirewallMatchesActions_s', ''),\n FirewallMatchesRuleIDs_s=column_ifexists('FirewallMatchesRuleIDs_s', ''),\n FirewallMatchesSources_s=column_ifexists('FirewallMatchesSources_s', ''),\n OriginIP_s=column_ifexists('OriginIP_s', ''),\n 
OriginResponseBytes_d=column_ifexists('OriginResponseBytes_d', ''),\n OriginResponseHTTPExpires_s=column_ifexists('OriginResponseHTTPExpires_s', ''),\n OriginResponseHTTPLastModified_s=column_ifexists('OriginResponseHTTPLastModified_s', ''),\n OriginResponseStatus_d=column_ifexists('OriginResponseStatus_d', ''),\n OriginResponseTime_d=column_ifexists('OriginResponseTime_d', ''),\n OriginSSLProtocol_s=column_ifexists('OriginSSLProtocol_s', ''),\n ParentRayID_s=column_ifexists('ParentRayID_s', ''),\n RayID_s=column_ifexists('RayID_s', ''),\n SecurityLevel_s=column_ifexists('SecurityLevel_s', ''),\n WAFAction_s=column_ifexists('WAFAction_s', ''),\n WAFFlags_s=column_ifexists('WAFFlags_s', ''),\n WAFMatchedVar_s=column_ifexists('WAFMatchedVar_s', ''),\n WAFProfile_s=column_ifexists('WAFProfile_s', ''),\n WAFRuleID_s=column_ifexists('WAFRuleID_s', ''),\n WAFRuleMessage_s=column_ifexists('WAFRuleMessage_s', ''),\n WorkerCPUTime_d=column_ifexists('WorkerCPUTime_d', ''),\n WorkerStatus_s=column_ifexists('WorkerStatus_s', ''),\n WorkerSubrequest_b=column_ifexists('WorkerSubrequest_b', ''),\n WorkerSubrequestCount_d=column_ifexists('WorkerSubrequestCount_d', ''),\n ZoneID_d=column_ifexists('ZoneID_d', ''),\n Application_s=column_ifexists('Application_s', ''),\n ClientMatchedIpFirewall_s=column_ifexists('ClientMatchedIpFirewall_s', ''),\n ClientProto_s=column_ifexists('ClientProto_s', ''),\n ClientTcpRtt_d=column_ifexists('ClientTcpRtt_d', ''),\n ClientTlsCipher_s=column_ifexists('ClientTlsCipher_s', ''),\n ClientTlsClientHelloServerName_s=column_ifexists('ClientTlsClientHelloServerName_s', ''),\n ClientTlsProtocol_s=column_ifexists('ClientTlsProtocol_s', ''),\n ClientTlsStatus_s=column_ifexists('ClientTlsStatus_s', ''),\n ColoCode_s=column_ifexists('ColoCode_s', ''),\n ConnectTimestamp_t=column_ifexists('ConnectTimestamp_t', ''),\n DisconnectTimestamp_t=column_ifexists('DisconnectTimestamp_t', ''),\n Event_s=column_ifexists('Event_s', ''),\n 
IpFirewall_b=column_ifexists('IpFirewall_b', ''),\n OriginBytes_d=column_ifexists('OriginBytes_d', ''),\n OriginPort_d=column_ifexists('OriginPort_d', ''),\n OriginProto_s=column_ifexists('OriginProto_s', ''),\n OriginTcpRtt_d=column_ifexists('OriginTcpRtt_d', ''),\n OriginTlsCipher_s=column_ifexists('OriginTlsCipher_s', ''),\n OriginTlsFingerprint_s=column_ifexists('OriginTlsFingerprint_s', ''),\n OriginTlsMode_s=column_ifexists('OriginTlsMode_s', ''),\n OriginTlsProtocol_s=column_ifexists('OriginTlsProtocol_s', ''),\n OriginTlsStatus_s=column_ifexists('OriginTlsStatus_s', ''),\n ProxyProtocol_s=column_ifexists('ProxyProtocol_s', ''),\n Status_d=column_ifexists('Status_d', ''),\n Timestamp_t=column_ifexists('Timestamp_t', ''),\n Action_s=column_ifexists('Action_s', ''),\n ClientASNDescription_s=column_ifexists('ClientASNDescription_s', ''),\n ClientRefererHost_s=column_ifexists('ClientRefererHost_s', ''),\n ClientRefererPath_s=column_ifexists('ClientRefererPath_s', ''),\n ClientRefererQuery_s=column_ifexists('ClientRefererQuery_s', ''),\n ClientRefererScheme_s=column_ifexists('ClientRefererScheme_s', ''),\n ClientRequestQuery_s=column_ifexists('ClientRequestQuery_s', ''),\n ClientRequestScheme_s=column_ifexists('ClientRequestScheme_s', ''),\n Datetime_t=column_ifexists('Datetime_t', ''),\n Kind_s=column_ifexists('Kind_s', ''),\n MatchIndex_d=column_ifexists('MatchIndex_d', ''),\n OriginatorRayID_s=column_ifexists('OriginatorRayID_s', ''),\n RuleID_s=column_ifexists('RuleID_s', ''),\n Source_s=column_ifexists('Source_s', '')\n| extend\n SrcDvcType=iff(isempty(ClientDeviceType_s), iff(isempty(Source_s), '', Source_s), ClientDeviceType_s),\n TlsCipher=iff(isempty(ClientSSLCipher_s), iff(isempty(ClientTlsCipher_s), '', ClientTlsCipher_s), ClientSSLCipher_s),\n TlsVersion=iff(isempty(ClientSSLProtocol_s), iff(isempty(ClientTlsProtocol_s), '', ClientTlsProtocol_s), ClientSSLProtocol_s),\n DvcAction=iff(isempty(FirewallMatchesActions_s), iff(isempty(Event_s), 
iff(isempty(Action_s), '', Action_s), Event_s), FirewallMatchesActions_s),\n NetworkRuleName=iff(isempty(FirewallMatchesRuleIDs_s), iff(isempty(RuleID_s), '', RuleID_s), FirewallMatchesRuleIDs_s),\n ClientRequestBytes_d=column_ifexists('ClientRequestBytes_d', column_ifexists('ClientBytes_d', '')),\n ClientSrcPort_d=column_ifexists('ClientSrcPort_d', column_ifexists('ClientPort_d', '')),\n EdgeResponseBytes_d=column_ifexists('EdgeResponseBytes_d', column_ifexists('OriginBytes_d', ''))\n| project-rename\n SrcBytes=ClientRequestBytes_d,\n SrcPortNumber=ClientSrcPort_d,\n DstBytes=EdgeResponseBytes_d,\n BotScore=BotScore_d,\n BotScoreSrc=BotScoreSrc_s,\n CacheCacheStatus=CacheCacheStatus_s,\n CacheResponseBytes=CacheResponseBytes_d,\n CacheResponseStatus=CacheResponseStatus_d,\n CacheTieredFill=CacheTieredFill_b,\n ClientASN=ClientASN_d,\n SrcGeoCountry=ClientCountry_s,\n SrcIpAddr=ClientIP_s,\n ClientIPClass=ClientIPClass_s,\n HttpRequestHeaderHost=ClientRequestHost_s,\n HttpRequestMethod=ClientRequestMethod_s,\n ClientRequestPath=ClientRequestPath_s,\n ClientRequestProtocol=ClientRequestProtocol_s,\n HttpReferrerOriginal=ClientRequestReferer_s,\n ClientRequestURI=ClientRequestURI_s,\n HttpUserAgentOriginal=ClientRequestUserAgent_s,\n ClientXRequestedWith=ClientXRequestedWith_s,\n EdgeColoCode=EdgeColoCode_s,\n EdgeColoID=EdgeColoID_d,\n EdgeEndTimestamp=EdgeEndTimestamp_t,\n EdgePathingOp=EdgePathingOp_s,\n EdgePathingSrc=EdgePathingSrc_s,\n EdgePathingStatus=EdgePathingStatus_s,\n EdgeRateLimitAction=EdgeRateLimitAction_s,\n EdgeRateLimitID=EdgeRateLimitID_d,\n EdgeRequestHost=EdgeRequestHost_s,\n EdgeResponseCompressionRatio=EdgeResponseCompressionRatio_d,\n HttpContentType=EdgeResponseContentType_s,\n EdgeResponseStatus=EdgeResponseStatus_d,\n EdgeServerIP=EdgeServerIP_s,\n EdgeStartTimestamp=EdgeStartTimestamp_t,\n FirewallMatchesSources=FirewallMatchesSources_s,\n DstIpAddr=OriginIP_s,\n OriginResponseBytes=OriginResponseBytes_d,\n 
OriginResponseHTTPExpires=OriginResponseHTTPExpires_s,\n OriginResponseHTTPLastModified=OriginResponseHTTPLastModified_s,\n HttpStatusCode=OriginResponseStatus_d,\n OriginResponseTime=OriginResponseTime_d,\n OriginSSLProtocol=OriginSSLProtocol_s,\n ParentRayID=ParentRayID_s,\n RayID=RayID_s,\n SecurityLevel=SecurityLevel_s,\n WAFAction=WAFAction_s,\n WAFFlags=WAFFlags_s,\n WAFMatchedVar=WAFMatchedVar_s,\n WAFProfile=WAFProfile_s,\n WAFRuleID=WAFRuleID_s,\n WAFRuleMessage=WAFRuleMessage_s,\n WorkerCPUTime=WorkerCPUTime_d,\n WorkerStatus=WorkerStatus_s,\n WorkerSubrequest=WorkerSubrequest_b,\n WorkerSubrequestCount=WorkerSubrequestCount_d,\n ZoneID=ZoneID_d,\n Application=Application_s,\n ClientMatchedIpFirewall=ClientMatchedIpFirewall_s,\n NetworkProtocol=ClientProto_s,\n ClientTcpRtt=ClientTcpRtt_d,\n ClientTlsClientHelloServerName=ClientTlsClientHelloServerName_s,\n ClientTlsStatus=ClientTlsStatus_s,\n ColoCode=ColoCode_s,\n ConnectTimestamp=ConnectTimestamp_t,\n DisconnectTimestamp=DisconnectTimestamp_t,\n IpFirewall=IpFirewall_b,\n DstPortNumber=OriginPort_d,\n OriginProto=OriginProto_s,\n OriginTcpRtt=OriginTcpRtt_d,\n OriginTlsCipher=OriginTlsCipher_s,\n OriginTlsFingerprint=OriginTlsFingerprint_s,\n OriginTlsMode=OriginTlsMode_s,\n OriginTlsProtocol=OriginTlsProtocol_s,\n OriginTlsStatus=OriginTlsStatus_s,\n ProxyProtocol=ProxyProtocol_s,\n EventResult=Status_d,\n Timestamp=Timestamp_t,\n ClientASNDescription=ClientASNDescription_s,\n ClientRefererHost=ClientRefererHost_s,\n ClientRefererPath=ClientRefererPath_s,\n ClientRefererQuery=ClientRefererQuery_s,\n ClientRefererScheme=ClientRefererScheme_s,\n ClientRequestQuery=ClientRequestQuery_s,\n ClientRequestScheme=ClientRequestScheme_s,\n Datetime=Datetime_t,\n EventSubType=Kind_s,\n MatchIndex=MatchIndex_d,\n OriginatorRayID=OriginatorRayID_s\n| project-away \n ClientDeviceType_s,\n Source_s,\n ClientSSLCipher_s,\n ClientTlsCipher_s,\n ClientSSLProtocol_s,\n ClientTlsProtocol_s,\n FirewallMatchesActions_s,\n 
Event_s,\n Action_s,\n FirewallMatchesRuleIDs_s,\n RuleID_s", + "query": "Cloudflare_CL\n| extend\n BotScore_d=column_ifexists('BotScore_d', ''),\n BotScoreSrc_s=column_ifexists('BotScoreSrc_s', ''),\n CacheCacheStatus_s=column_ifexists('CacheCacheStatus_s', ''),\n CacheResponseBytes_d=column_ifexists('CacheResponseBytes_d', ''),\n CacheResponseStatus_d=column_ifexists('CacheResponseStatus_d', ''),\n CacheTieredFill_b=column_ifexists('CacheTieredFill_b', ''),\n ClientASN_d=column_ifexists('ClientASN_d', ''),\n ClientCountry_s=column_ifexists('ClientCountry_s', ''),\n ClientDeviceType_s=column_ifexists('ClientDeviceType_s', ''),\n ClientIP_s=column_ifexists('ClientIP_s', ''),\n ClientIPClass_s=column_ifexists('ClientIPClass_s', ''),\n ClientRequestHost_s=column_ifexists('ClientRequestHost_s', ''),\n ClientRequestMethod_s=column_ifexists('ClientRequestMethod_s', ''),\n ClientRequestPath_s=column_ifexists('ClientRequestPath_s', ''),\n ClientRequestProtocol_s=column_ifexists('ClientRequestProtocol_s', ''),\n ClientRequestReferer_s=column_ifexists('ClientRequestReferer_s', ''),\n ClientRequestURI_s=column_ifexists('ClientRequestURI_s', ''),\n ClientRequestUserAgent_s=column_ifexists('ClientRequestUserAgent_s', ''),\n ClientSSLCipher_s=column_ifexists('ClientSSLCipher_s', ''),\n ClientSSLProtocol_s=column_ifexists('ClientSSLProtocol_s', ''),\n ClientXRequestedWith_s=column_ifexists('ClientXRequestedWith_s', ''),\n EdgeColoCode_s=column_ifexists('EdgeColoCode_s', ''),\n EdgeColoID_d=column_ifexists('EdgeColoID_d', ''),\n EdgeEndTimestamp_t=column_ifexists('EdgeEndTimestamp_t', ''),\n EdgePathingOp_s=column_ifexists('EdgePathingOp_s', ''),\n EdgePathingSrc_s=column_ifexists('EdgePathingSrc_s', ''),\n EdgePathingStatus_s=column_ifexists('EdgePathingStatus_s', ''),\n EdgeRateLimitAction_s=column_ifexists('EdgeRateLimitAction_s', ''),\n EdgeRateLimitID_d=column_ifexists('EdgeRateLimitID_d', ''),\n EdgeRequestHost_s=column_ifexists('EdgeRequestHost_s', ''),\n 
EdgeResponseBytes_d=column_ifexists('EdgeResponseBytes_d', ''),\n EdgeResponseCompressionRatio_d=column_ifexists('EdgeResponseCompressionRatio_d', ''),\n EdgeResponseContentType_s=column_ifexists('EdgeResponseContentType_s', ''),\n EdgeResponseStatus_d=column_ifexists('EdgeResponseStatus_d', ''),\n EdgeServerIP_s=column_ifexists('EdgeServerIP_s', ''),\n EdgeStartTimestamp_t=column_ifexists('EdgeStartTimestamp_t', ''),\n FirewallMatchesActions_s=column_ifexists('FirewallMatchesActions_s', ''),\n FirewallMatchesRuleIDs_s=column_ifexists('FirewallMatchesRuleIDs_s', ''),\n FirewallMatchesSources_s=column_ifexists('FirewallMatchesSources_s', ''),\n OriginIP_s=column_ifexists('OriginIP_s', ''),\n OriginResponseBytes_d=column_ifexists('OriginResponseBytes_d', ''),\n OriginResponseHTTPExpires_s=column_ifexists('OriginResponseHTTPExpires_s', ''),\n OriginResponseHTTPLastModified_s=column_ifexists('OriginResponseHTTPLastModified_s', ''),\n OriginResponseStatus_d=column_ifexists('OriginResponseStatus_d', ''),\n OriginResponseTime_d=column_ifexists('OriginResponseTime_d', ''),\n OriginSSLProtocol_s=column_ifexists('OriginSSLProtocol_s', ''),\n ParentRayID_s=column_ifexists('ParentRayID_s', ''),\n RayID_s=column_ifexists('RayID_s', ''),\n SecurityLevel_s=column_ifexists('SecurityLevel_s', ''),\n WAFAction_s=column_ifexists('WAFAction_s', ''),\n WAFFlags_s=column_ifexists('WAFFlags_s', ''),\n WAFMatchedVar_s=column_ifexists('WAFMatchedVar_s', ''),\n WAFProfile_s=column_ifexists('WAFProfile_s', ''),\n WAFRuleID_s=column_ifexists('WAFRuleID_s', ''),\n WAFRuleMessage_s=column_ifexists('WAFRuleMessage_s', ''),\n WorkerCPUTime_d=column_ifexists('WorkerCPUTime_d', ''),\n WorkerStatus_s=column_ifexists('WorkerStatus_s', ''),\n WorkerSubrequest_b=column_ifexists('WorkerSubrequest_b', ''),\n WorkerSubrequestCount_d=column_ifexists('WorkerSubrequestCount_d', ''),\n ZoneID_d=column_ifexists('ZoneID_d', ''),\n Application_s=column_ifexists('Application_s', ''),\n 
ClientMatchedIpFirewall_s=column_ifexists('ClientMatchedIpFirewall_s', ''),\n ClientProto_s=column_ifexists('ClientProto_s', ''),\n ClientTcpRtt_d=column_ifexists('ClientTcpRtt_d', ''),\n ClientTlsCipher_s=column_ifexists('ClientTlsCipher_s', ''),\n ClientTlsClientHelloServerName_s=column_ifexists('ClientTlsClientHelloServerName_s', ''),\n ClientTlsProtocol_s=column_ifexists('ClientTlsProtocol_s', ''),\n ClientTlsStatus_s=column_ifexists('ClientTlsStatus_s', ''),\n ColoCode_s=column_ifexists('ColoCode_s', ''),\n ConnectTimestamp_t=column_ifexists('ConnectTimestamp_t', ''),\n DisconnectTimestamp_t=column_ifexists('DisconnectTimestamp_t', ''),\n Event_s=column_ifexists('Event_s', ''),\n IpFirewall_b=column_ifexists('IpFirewall_b', ''),\n OriginBytes_d=column_ifexists('OriginBytes_d', ''),\n OriginPort_d=column_ifexists('OriginPort_d', ''),\n OriginProto_s=column_ifexists('OriginProto_s', ''),\n OriginTcpRtt_d=column_ifexists('OriginTcpRtt_d', ''),\n OriginTlsCipher_s=column_ifexists('OriginTlsCipher_s', ''),\n OriginTlsFingerprint_s=column_ifexists('OriginTlsFingerprint_s', ''),\n OriginTlsMode_s=column_ifexists('OriginTlsMode_s', ''),\n OriginTlsProtocol_s=column_ifexists('OriginTlsProtocol_s', ''),\n OriginTlsStatus_s=column_ifexists('OriginTlsStatus_s', ''),\n ProxyProtocol_s=column_ifexists('ProxyProtocol_s', ''),\n Status_d=column_ifexists('Status_d', ''),\n Timestamp_t=column_ifexists('Timestamp_t', ''),\n Action_s=column_ifexists('Action_s', ''),\n ClientASNDescription_s=column_ifexists('ClientASNDescription_s', ''),\n ClientRefererHost_s=column_ifexists('ClientRefererHost_s', ''),\n ClientRefererPath_s=column_ifexists('ClientRefererPath_s', ''),\n ClientRefererQuery_s=column_ifexists('ClientRefererQuery_s', ''),\n ClientRefererScheme_s=column_ifexists('ClientRefererScheme_s', ''),\n ClientRequestQuery_s=column_ifexists('ClientRequestQuery_s', ''),\n ClientRequestScheme_s=column_ifexists('ClientRequestScheme_s', ''),\n Datetime_t=column_ifexists('Datetime_t', 
''),\n Kind_s=column_ifexists('Kind_s', ''),\n MatchIndex_d=column_ifexists('MatchIndex_d', ''),\n OriginatorRayID_s=column_ifexists('OriginatorRayID_s', ''),\n RuleID_s=column_ifexists('RuleID_s', ''),\n Source_s=column_ifexists('Source_s', '')\n| extend\n SrcDvcType=iff(isempty(ClientDeviceType_s), iff(isempty(Source_s), '', Source_s), ClientDeviceType_s),\n TlsCipher=iff(isempty(ClientSSLCipher_s), iff(isempty(ClientTlsCipher_s), '', ClientTlsCipher_s), ClientSSLCipher_s),\n TlsVersion=iff(isempty(ClientSSLProtocol_s), iff(isempty(ClientTlsProtocol_s), '', ClientTlsProtocol_s), ClientSSLProtocol_s),\n DvcAction=iff(isempty(FirewallMatchesActions_s), iff(isempty(Event_s), iff(isempty(Action_s), '', Action_s), Event_s), FirewallMatchesActions_s),\n NetworkRuleName=iff(isempty(FirewallMatchesRuleIDs_s), iff(isempty(RuleID_s), '', RuleID_s), FirewallMatchesRuleIDs_s),\n ClientRequestBytes_d=column_ifexists('ClientRequestBytes_d', column_ifexists('ClientBytes_d', '')),\n ClientSrcPort_d=column_ifexists('ClientSrcPort_d', column_ifexists('ClientPort_d', '')),\n EdgeResponseBytes_d=column_ifexists('EdgeResponseBytes_d', column_ifexists('OriginBytes_d', ''))\n| project-rename\n SrcBytes=ClientRequestBytes_d,\n SrcPortNumber=ClientSrcPort_d,\n DstBytes=EdgeResponseBytes_d,\n BotScore=BotScore_d,\n BotScoreSrc=BotScoreSrc_s,\n CacheCacheStatus=CacheCacheStatus_s,\n CacheResponseBytes=CacheResponseBytes_d,\n CacheResponseStatus=CacheResponseStatus_d,\n CacheTieredFill=CacheTieredFill_b,\n ClientASN=ClientASN_d,\n SrcGeoCountry=ClientCountry_s,\n SrcIpAddr=ClientIP_s,\n ClientIPClass=ClientIPClass_s,\n HttpRequestHeaderHost=ClientRequestHost_s,\n HttpRequestMethod=ClientRequestMethod_s,\n ClientRequestPath=ClientRequestPath_s,\n ClientRequestProtocol=ClientRequestProtocol_s,\n HttpReferrerOriginal=ClientRequestReferer_s,\n ClientRequestURI=ClientRequestURI_s,\n HttpUserAgentOriginal=ClientRequestUserAgent_s,\n ClientXRequestedWith=ClientXRequestedWith_s,\n 
EdgeColoCode=EdgeColoCode_s,\n EdgeColoID=EdgeColoID_d,\n EdgeEndTimestamp=EdgeEndTimestamp_t,\n EdgePathingOp=EdgePathingOp_s,\n EdgePathingSrc=EdgePathingSrc_s,\n EdgePathingStatus=EdgePathingStatus_s,\n EdgeRateLimitAction=EdgeRateLimitAction_s,\n EdgeRateLimitID=EdgeRateLimitID_d,\n EdgeRequestHost=EdgeRequestHost_s,\n EdgeResponseCompressionRatio=EdgeResponseCompressionRatio_d,\n HttpContentType=EdgeResponseContentType_s,\n EdgeResponseStatus=EdgeResponseStatus_d,\n EdgeServerIP=EdgeServerIP_s,\n EdgeStartTimestamp=EdgeStartTimestamp_t,\n FirewallMatchesSources=FirewallMatchesSources_s,\n DstIpAddr=OriginIP_s,\n OriginResponseBytes=OriginResponseBytes_d,\n OriginResponseHTTPExpires=OriginResponseHTTPExpires_s,\n OriginResponseHTTPLastModified=OriginResponseHTTPLastModified_s,\n HttpStatusCode=OriginResponseStatus_d,\n OriginResponseTime=OriginResponseTime_d,\n OriginSSLProtocol=OriginSSLProtocol_s,\n ParentRayID=ParentRayID_s,\n RayID=RayID_s,\n SecurityLevel=SecurityLevel_s,\n WAFAction=WAFAction_s,\n WAFFlags=WAFFlags_s,\n WAFMatchedVar=WAFMatchedVar_s,\n WAFProfile=WAFProfile_s,\n WAFRuleID=WAFRuleID_s,\n WAFRuleMessage=WAFRuleMessage_s,\n WorkerCPUTime=WorkerCPUTime_d,\n WorkerStatus=WorkerStatus_s,\n WorkerSubrequest=WorkerSubrequest_b,\n WorkerSubrequestCount=WorkerSubrequestCount_d,\n ZoneID=ZoneID_d,\n Application=Application_s,\n ClientMatchedIpFirewall=ClientMatchedIpFirewall_s,\n NetworkProtocol=ClientProto_s,\n ClientTcpRtt=ClientTcpRtt_d,\n ClientTlsClientHelloServerName=ClientTlsClientHelloServerName_s,\n ClientTlsStatus=ClientTlsStatus_s,\n ColoCode=ColoCode_s,\n ConnectTimestamp=ConnectTimestamp_t,\n DisconnectTimestamp=DisconnectTimestamp_t,\n IpFirewall=IpFirewall_b,\n DstPortNumber=OriginPort_d,\n OriginProto=OriginProto_s,\n OriginTcpRtt=OriginTcpRtt_d,\n OriginTlsCipher=OriginTlsCipher_s,\n OriginTlsFingerprint=OriginTlsFingerprint_s,\n OriginTlsMode=OriginTlsMode_s,\n OriginTlsProtocol=OriginTlsProtocol_s,\n 
OriginTlsStatus=OriginTlsStatus_s,\n ProxyProtocol=ProxyProtocol_s,\n EventResult=Status_d,\n Timestamp=Timestamp_t,\n ClientASNDescription=ClientASNDescription_s,\n ClientRefererHost=ClientRefererHost_s,\n ClientRefererPath=ClientRefererPath_s,\n ClientRefererQuery=ClientRefererQuery_s,\n ClientRefererScheme=ClientRefererScheme_s,\n ClientRequestQuery=ClientRequestQuery_s,\n ClientRequestScheme=ClientRequestScheme_s,\n Datetime=Datetime_t,\n EventSubType=Kind_s,\n MatchIndex=MatchIndex_d,\n OriginatorRayID=OriginatorRayID_s\n| project-away \n ClientDeviceType_s,\n Source_s,\n ClientSSLCipher_s,\n ClientTlsCipher_s,\n ClientSSLProtocol_s,\n ClientTlsProtocol_s,\n FirewallMatchesActions_s,\n Event_s,\n Action_s,\n FirewallMatchesRuleIDs_s,\n RuleID_s\n", "functionParameters": "", - "version": 1, + "version": 2, "tags": [ { "name": "description", - "value": "Cloudflare" + "value": "" } ] } @@ -583,15 +581,15 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", "dependsOn": [ - "[variables('_parserName1')]" + "[variables('parserObject1')._parserId1]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", - "contentId": "[variables('_parserContentId1')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Cloudflare')]", + "contentId": "[variables('parserObject1').parserContentId1]", "kind": "Parser", - "version": "[variables('parserVersion1')]", + "version": "[variables('parserObject1').parserVersion1]", "source": { "name": "Cloudflare", "kind": "Solution", 
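Review bot: The `OriginBytes_d` fallback in the second `extend` of the new `query` value is dead: the first `extend` already materialises both `EdgeResponseBytes_d` and `OriginBytes_d` through `column_ifexists(..., '')`, so `column_ifexists('EdgeResponseBytes_d', column_ifexists('OriginBytes_d', ''))` always finds the column and `DstBytes` ends up `''` whenever the raw table lacks EdgeResponseBytes_d (the `ClientRequestBytes_d`/`ClientSrcPort_d` fallbacks are fine because those names are not pre-extended). Use the value-based pattern the query already applies to `SrcDvcType`, e.g. `DstBytes=iff(isempty(EdgeResponseBytes_d), OriginBytes_d, EdgeResponseBytes_d)` in the second extend, then drop `DstBytes=EdgeResponseBytes_d` from `project-rename` and add `EdgeResponseBytes_d` to `project-away`. The same query string is duplicated in the savedSearches resource of the following hunk (@@ -616), which needs the identical change. Separately, the `tags` description value goes from `"Cloudflare"` to `""`, which presumably means the parser YAML carries no Description; either populate it or omit the tag rather than publishing a blank description.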
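Review bot: `parentId` now hard-codes the function name `'Cloudflare'` while the saved search it refers to is still named from `variables('parserObject1')._parserName1`, so the two can drift silently and the metadata would then point at a saved search that does not exist, which is unlikely to be caught at deployment time. If `parserObject1` has no bare-name field, derive it the same way the `name` line in this hunk already does for the id, e.g. `last(split(variables('parserObject1')._parserName1,'/'))`, so the name has a single source of truth. The enclosing metadata resource continues past the end of this hunk.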
@@ -616,31 +614,31 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_parserContentId1')]", + "contentId": "[variables('parserObject1').parserContentId1]", "contentKind": "Parser", "displayName": "Cloudflare", - "contentProductId": "[variables('_parsercontentProductId1')]", - "id": "[variables('_parsercontentProductId1')]", - "version": "[variables('parserVersion1')]" + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", + "version": "[variables('parserObject1').parserVersion1]" } }, { "type": "Microsoft.OperationalInsights/workspaces/savedSearches", "apiVersion": "2022-10-01", - "name": "[variables('_parserName1')]", + "name": "[variables('parserObject1')._parserName1]", "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", "displayName": "Cloudflare", - "category": "Samples", + "category": "Microsoft Sentinel Parser", "functionAlias": "Cloudflare", - "query": "\nCloudflare_CL\n| extend\n BotScore_d=column_ifexists('BotScore_d', ''),\n BotScoreSrc_s=column_ifexists('BotScoreSrc_s', ''),\n CacheCacheStatus_s=column_ifexists('CacheCacheStatus_s', ''),\n CacheResponseBytes_d=column_ifexists('CacheResponseBytes_d', ''),\n CacheResponseStatus_d=column_ifexists('CacheResponseStatus_d', ''),\n CacheTieredFill_b=column_ifexists('CacheTieredFill_b', ''),\n ClientASN_d=column_ifexists('ClientASN_d', ''),\n ClientCountry_s=column_ifexists('ClientCountry_s', ''),\n ClientDeviceType_s=column_ifexists('ClientDeviceType_s', ''),\n ClientIP_s=column_ifexists('ClientIP_s', ''),\n 
ClientIPClass_s=column_ifexists('ClientIPClass_s', ''),\n ClientRequestHost_s=column_ifexists('ClientRequestHost_s', ''),\n ClientRequestMethod_s=column_ifexists('ClientRequestMethod_s', ''),\n ClientRequestPath_s=column_ifexists('ClientRequestPath_s', ''),\n ClientRequestProtocol_s=column_ifexists('ClientRequestProtocol_s', ''),\n ClientRequestReferer_s=column_ifexists('ClientRequestReferer_s', ''),\n ClientRequestURI_s=column_ifexists('ClientRequestURI_s', ''),\n ClientRequestUserAgent_s=column_ifexists('ClientRequestUserAgent_s', ''),\n ClientSSLCipher_s=column_ifexists('ClientSSLCipher_s', ''),\n ClientSSLProtocol_s=column_ifexists('ClientSSLProtocol_s', ''),\n ClientXRequestedWith_s=column_ifexists('ClientXRequestedWith_s', ''),\n EdgeColoCode_s=column_ifexists('EdgeColoCode_s', ''),\n EdgeColoID_d=column_ifexists('EdgeColoID_d', ''),\n EdgeEndTimestamp_t=column_ifexists('EdgeEndTimestamp_t', ''),\n EdgePathingOp_s=column_ifexists('EdgePathingOp_s', ''),\n EdgePathingSrc_s=column_ifexists('EdgePathingSrc_s', ''),\n EdgePathingStatus_s=column_ifexists('EdgePathingStatus_s', ''),\n EdgeRateLimitAction_s=column_ifexists('EdgeRateLimitAction_s', ''),\n EdgeRateLimitID_d=column_ifexists('EdgeRateLimitID_d', ''),\n EdgeRequestHost_s=column_ifexists('EdgeRequestHost_s', ''),\n EdgeResponseBytes_d=column_ifexists('EdgeResponseBytes_d', ''),\n EdgeResponseCompressionRatio_d=column_ifexists('EdgeResponseCompressionRatio_d', ''),\n EdgeResponseContentType_s=column_ifexists('EdgeResponseContentType_s', ''),\n EdgeResponseStatus_d=column_ifexists('EdgeResponseStatus_d', ''),\n EdgeServerIP_s=column_ifexists('EdgeServerIP_s', ''),\n EdgeStartTimestamp_t=column_ifexists('EdgeStartTimestamp_t', ''),\n FirewallMatchesActions_s=column_ifexists('FirewallMatchesActions_s', ''),\n FirewallMatchesRuleIDs_s=column_ifexists('FirewallMatchesRuleIDs_s', ''),\n FirewallMatchesSources_s=column_ifexists('FirewallMatchesSources_s', ''),\n OriginIP_s=column_ifexists('OriginIP_s', ''),\n 
OriginResponseBytes_d=column_ifexists('OriginResponseBytes_d', ''),\n OriginResponseHTTPExpires_s=column_ifexists('OriginResponseHTTPExpires_s', ''),\n OriginResponseHTTPLastModified_s=column_ifexists('OriginResponseHTTPLastModified_s', ''),\n OriginResponseStatus_d=column_ifexists('OriginResponseStatus_d', ''),\n OriginResponseTime_d=column_ifexists('OriginResponseTime_d', ''),\n OriginSSLProtocol_s=column_ifexists('OriginSSLProtocol_s', ''),\n ParentRayID_s=column_ifexists('ParentRayID_s', ''),\n RayID_s=column_ifexists('RayID_s', ''),\n SecurityLevel_s=column_ifexists('SecurityLevel_s', ''),\n WAFAction_s=column_ifexists('WAFAction_s', ''),\n WAFFlags_s=column_ifexists('WAFFlags_s', ''),\n WAFMatchedVar_s=column_ifexists('WAFMatchedVar_s', ''),\n WAFProfile_s=column_ifexists('WAFProfile_s', ''),\n WAFRuleID_s=column_ifexists('WAFRuleID_s', ''),\n WAFRuleMessage_s=column_ifexists('WAFRuleMessage_s', ''),\n WorkerCPUTime_d=column_ifexists('WorkerCPUTime_d', ''),\n WorkerStatus_s=column_ifexists('WorkerStatus_s', ''),\n WorkerSubrequest_b=column_ifexists('WorkerSubrequest_b', ''),\n WorkerSubrequestCount_d=column_ifexists('WorkerSubrequestCount_d', ''),\n ZoneID_d=column_ifexists('ZoneID_d', ''),\n Application_s=column_ifexists('Application_s', ''),\n ClientMatchedIpFirewall_s=column_ifexists('ClientMatchedIpFirewall_s', ''),\n ClientProto_s=column_ifexists('ClientProto_s', ''),\n ClientTcpRtt_d=column_ifexists('ClientTcpRtt_d', ''),\n ClientTlsCipher_s=column_ifexists('ClientTlsCipher_s', ''),\n ClientTlsClientHelloServerName_s=column_ifexists('ClientTlsClientHelloServerName_s', ''),\n ClientTlsProtocol_s=column_ifexists('ClientTlsProtocol_s', ''),\n ClientTlsStatus_s=column_ifexists('ClientTlsStatus_s', ''),\n ColoCode_s=column_ifexists('ColoCode_s', ''),\n ConnectTimestamp_t=column_ifexists('ConnectTimestamp_t', ''),\n DisconnectTimestamp_t=column_ifexists('DisconnectTimestamp_t', ''),\n Event_s=column_ifexists('Event_s', ''),\n 
IpFirewall_b=column_ifexists('IpFirewall_b', ''),\n OriginBytes_d=column_ifexists('OriginBytes_d', ''),\n OriginPort_d=column_ifexists('OriginPort_d', ''),\n OriginProto_s=column_ifexists('OriginProto_s', ''),\n OriginTcpRtt_d=column_ifexists('OriginTcpRtt_d', ''),\n OriginTlsCipher_s=column_ifexists('OriginTlsCipher_s', ''),\n OriginTlsFingerprint_s=column_ifexists('OriginTlsFingerprint_s', ''),\n OriginTlsMode_s=column_ifexists('OriginTlsMode_s', ''),\n OriginTlsProtocol_s=column_ifexists('OriginTlsProtocol_s', ''),\n OriginTlsStatus_s=column_ifexists('OriginTlsStatus_s', ''),\n ProxyProtocol_s=column_ifexists('ProxyProtocol_s', ''),\n Status_d=column_ifexists('Status_d', ''),\n Timestamp_t=column_ifexists('Timestamp_t', ''),\n Action_s=column_ifexists('Action_s', ''),\n ClientASNDescription_s=column_ifexists('ClientASNDescription_s', ''),\n ClientRefererHost_s=column_ifexists('ClientRefererHost_s', ''),\n ClientRefererPath_s=column_ifexists('ClientRefererPath_s', ''),\n ClientRefererQuery_s=column_ifexists('ClientRefererQuery_s', ''),\n ClientRefererScheme_s=column_ifexists('ClientRefererScheme_s', ''),\n ClientRequestQuery_s=column_ifexists('ClientRequestQuery_s', ''),\n ClientRequestScheme_s=column_ifexists('ClientRequestScheme_s', ''),\n Datetime_t=column_ifexists('Datetime_t', ''),\n Kind_s=column_ifexists('Kind_s', ''),\n MatchIndex_d=column_ifexists('MatchIndex_d', ''),\n OriginatorRayID_s=column_ifexists('OriginatorRayID_s', ''),\n RuleID_s=column_ifexists('RuleID_s', ''),\n Source_s=column_ifexists('Source_s', '')\n| extend\n SrcDvcType=iff(isempty(ClientDeviceType_s), iff(isempty(Source_s), '', Source_s), ClientDeviceType_s),\n TlsCipher=iff(isempty(ClientSSLCipher_s), iff(isempty(ClientTlsCipher_s), '', ClientTlsCipher_s), ClientSSLCipher_s),\n TlsVersion=iff(isempty(ClientSSLProtocol_s), iff(isempty(ClientTlsProtocol_s), '', ClientTlsProtocol_s), ClientSSLProtocol_s),\n DvcAction=iff(isempty(FirewallMatchesActions_s), iff(isempty(Event_s), 
iff(isempty(Action_s), '', Action_s), Event_s), FirewallMatchesActions_s),\n NetworkRuleName=iff(isempty(FirewallMatchesRuleIDs_s), iff(isempty(RuleID_s), '', RuleID_s), FirewallMatchesRuleIDs_s),\n ClientRequestBytes_d=column_ifexists('ClientRequestBytes_d', column_ifexists('ClientBytes_d', '')),\n ClientSrcPort_d=column_ifexists('ClientSrcPort_d', column_ifexists('ClientPort_d', '')),\n EdgeResponseBytes_d=column_ifexists('EdgeResponseBytes_d', column_ifexists('OriginBytes_d', ''))\n| project-rename\n SrcBytes=ClientRequestBytes_d,\n SrcPortNumber=ClientSrcPort_d,\n DstBytes=EdgeResponseBytes_d,\n BotScore=BotScore_d,\n BotScoreSrc=BotScoreSrc_s,\n CacheCacheStatus=CacheCacheStatus_s,\n CacheResponseBytes=CacheResponseBytes_d,\n CacheResponseStatus=CacheResponseStatus_d,\n CacheTieredFill=CacheTieredFill_b,\n ClientASN=ClientASN_d,\n SrcGeoCountry=ClientCountry_s,\n SrcIpAddr=ClientIP_s,\n ClientIPClass=ClientIPClass_s,\n HttpRequestHeaderHost=ClientRequestHost_s,\n HttpRequestMethod=ClientRequestMethod_s,\n ClientRequestPath=ClientRequestPath_s,\n ClientRequestProtocol=ClientRequestProtocol_s,\n HttpReferrerOriginal=ClientRequestReferer_s,\n ClientRequestURI=ClientRequestURI_s,\n HttpUserAgentOriginal=ClientRequestUserAgent_s,\n ClientXRequestedWith=ClientXRequestedWith_s,\n EdgeColoCode=EdgeColoCode_s,\n EdgeColoID=EdgeColoID_d,\n EdgeEndTimestamp=EdgeEndTimestamp_t,\n EdgePathingOp=EdgePathingOp_s,\n EdgePathingSrc=EdgePathingSrc_s,\n EdgePathingStatus=EdgePathingStatus_s,\n EdgeRateLimitAction=EdgeRateLimitAction_s,\n EdgeRateLimitID=EdgeRateLimitID_d,\n EdgeRequestHost=EdgeRequestHost_s,\n EdgeResponseCompressionRatio=EdgeResponseCompressionRatio_d,\n HttpContentType=EdgeResponseContentType_s,\n EdgeResponseStatus=EdgeResponseStatus_d,\n EdgeServerIP=EdgeServerIP_s,\n EdgeStartTimestamp=EdgeStartTimestamp_t,\n FirewallMatchesSources=FirewallMatchesSources_s,\n DstIpAddr=OriginIP_s,\n OriginResponseBytes=OriginResponseBytes_d,\n 
OriginResponseHTTPExpires=OriginResponseHTTPExpires_s,\n OriginResponseHTTPLastModified=OriginResponseHTTPLastModified_s,\n HttpStatusCode=OriginResponseStatus_d,\n OriginResponseTime=OriginResponseTime_d,\n OriginSSLProtocol=OriginSSLProtocol_s,\n ParentRayID=ParentRayID_s,\n RayID=RayID_s,\n SecurityLevel=SecurityLevel_s,\n WAFAction=WAFAction_s,\n WAFFlags=WAFFlags_s,\n WAFMatchedVar=WAFMatchedVar_s,\n WAFProfile=WAFProfile_s,\n WAFRuleID=WAFRuleID_s,\n WAFRuleMessage=WAFRuleMessage_s,\n WorkerCPUTime=WorkerCPUTime_d,\n WorkerStatus=WorkerStatus_s,\n WorkerSubrequest=WorkerSubrequest_b,\n WorkerSubrequestCount=WorkerSubrequestCount_d,\n ZoneID=ZoneID_d,\n Application=Application_s,\n ClientMatchedIpFirewall=ClientMatchedIpFirewall_s,\n NetworkProtocol=ClientProto_s,\n ClientTcpRtt=ClientTcpRtt_d,\n ClientTlsClientHelloServerName=ClientTlsClientHelloServerName_s,\n ClientTlsStatus=ClientTlsStatus_s,\n ColoCode=ColoCode_s,\n ConnectTimestamp=ConnectTimestamp_t,\n DisconnectTimestamp=DisconnectTimestamp_t,\n IpFirewall=IpFirewall_b,\n DstPortNumber=OriginPort_d,\n OriginProto=OriginProto_s,\n OriginTcpRtt=OriginTcpRtt_d,\n OriginTlsCipher=OriginTlsCipher_s,\n OriginTlsFingerprint=OriginTlsFingerprint_s,\n OriginTlsMode=OriginTlsMode_s,\n OriginTlsProtocol=OriginTlsProtocol_s,\n OriginTlsStatus=OriginTlsStatus_s,\n ProxyProtocol=ProxyProtocol_s,\n EventResult=Status_d,\n Timestamp=Timestamp_t,\n ClientASNDescription=ClientASNDescription_s,\n ClientRefererHost=ClientRefererHost_s,\n ClientRefererPath=ClientRefererPath_s,\n ClientRefererQuery=ClientRefererQuery_s,\n ClientRefererScheme=ClientRefererScheme_s,\n ClientRequestQuery=ClientRequestQuery_s,\n ClientRequestScheme=ClientRequestScheme_s,\n Datetime=Datetime_t,\n EventSubType=Kind_s,\n MatchIndex=MatchIndex_d,\n OriginatorRayID=OriginatorRayID_s\n| project-away \n ClientDeviceType_s,\n Source_s,\n ClientSSLCipher_s,\n ClientTlsCipher_s,\n ClientSSLProtocol_s,\n ClientTlsProtocol_s,\n FirewallMatchesActions_s,\n 
Event_s,\n Action_s,\n FirewallMatchesRuleIDs_s,\n RuleID_s", + "query": "Cloudflare_CL\n| extend\n BotScore_d=column_ifexists('BotScore_d', ''),\n BotScoreSrc_s=column_ifexists('BotScoreSrc_s', ''),\n CacheCacheStatus_s=column_ifexists('CacheCacheStatus_s', ''),\n CacheResponseBytes_d=column_ifexists('CacheResponseBytes_d', ''),\n CacheResponseStatus_d=column_ifexists('CacheResponseStatus_d', ''),\n CacheTieredFill_b=column_ifexists('CacheTieredFill_b', ''),\n ClientASN_d=column_ifexists('ClientASN_d', ''),\n ClientCountry_s=column_ifexists('ClientCountry_s', ''),\n ClientDeviceType_s=column_ifexists('ClientDeviceType_s', ''),\n ClientIP_s=column_ifexists('ClientIP_s', ''),\n ClientIPClass_s=column_ifexists('ClientIPClass_s', ''),\n ClientRequestHost_s=column_ifexists('ClientRequestHost_s', ''),\n ClientRequestMethod_s=column_ifexists('ClientRequestMethod_s', ''),\n ClientRequestPath_s=column_ifexists('ClientRequestPath_s', ''),\n ClientRequestProtocol_s=column_ifexists('ClientRequestProtocol_s', ''),\n ClientRequestReferer_s=column_ifexists('ClientRequestReferer_s', ''),\n ClientRequestURI_s=column_ifexists('ClientRequestURI_s', ''),\n ClientRequestUserAgent_s=column_ifexists('ClientRequestUserAgent_s', ''),\n ClientSSLCipher_s=column_ifexists('ClientSSLCipher_s', ''),\n ClientSSLProtocol_s=column_ifexists('ClientSSLProtocol_s', ''),\n ClientXRequestedWith_s=column_ifexists('ClientXRequestedWith_s', ''),\n EdgeColoCode_s=column_ifexists('EdgeColoCode_s', ''),\n EdgeColoID_d=column_ifexists('EdgeColoID_d', ''),\n EdgeEndTimestamp_t=column_ifexists('EdgeEndTimestamp_t', ''),\n EdgePathingOp_s=column_ifexists('EdgePathingOp_s', ''),\n EdgePathingSrc_s=column_ifexists('EdgePathingSrc_s', ''),\n EdgePathingStatus_s=column_ifexists('EdgePathingStatus_s', ''),\n EdgeRateLimitAction_s=column_ifexists('EdgeRateLimitAction_s', ''),\n EdgeRateLimitID_d=column_ifexists('EdgeRateLimitID_d', ''),\n EdgeRequestHost_s=column_ifexists('EdgeRequestHost_s', ''),\n 
EdgeResponseBytes_d=column_ifexists('EdgeResponseBytes_d', ''),\n EdgeResponseCompressionRatio_d=column_ifexists('EdgeResponseCompressionRatio_d', ''),\n EdgeResponseContentType_s=column_ifexists('EdgeResponseContentType_s', ''),\n EdgeResponseStatus_d=column_ifexists('EdgeResponseStatus_d', ''),\n EdgeServerIP_s=column_ifexists('EdgeServerIP_s', ''),\n EdgeStartTimestamp_t=column_ifexists('EdgeStartTimestamp_t', ''),\n FirewallMatchesActions_s=column_ifexists('FirewallMatchesActions_s', ''),\n FirewallMatchesRuleIDs_s=column_ifexists('FirewallMatchesRuleIDs_s', ''),\n FirewallMatchesSources_s=column_ifexists('FirewallMatchesSources_s', ''),\n OriginIP_s=column_ifexists('OriginIP_s', ''),\n OriginResponseBytes_d=column_ifexists('OriginResponseBytes_d', ''),\n OriginResponseHTTPExpires_s=column_ifexists('OriginResponseHTTPExpires_s', ''),\n OriginResponseHTTPLastModified_s=column_ifexists('OriginResponseHTTPLastModified_s', ''),\n OriginResponseStatus_d=column_ifexists('OriginResponseStatus_d', ''),\n OriginResponseTime_d=column_ifexists('OriginResponseTime_d', ''),\n OriginSSLProtocol_s=column_ifexists('OriginSSLProtocol_s', ''),\n ParentRayID_s=column_ifexists('ParentRayID_s', ''),\n RayID_s=column_ifexists('RayID_s', ''),\n SecurityLevel_s=column_ifexists('SecurityLevel_s', ''),\n WAFAction_s=column_ifexists('WAFAction_s', ''),\n WAFFlags_s=column_ifexists('WAFFlags_s', ''),\n WAFMatchedVar_s=column_ifexists('WAFMatchedVar_s', ''),\n WAFProfile_s=column_ifexists('WAFProfile_s', ''),\n WAFRuleID_s=column_ifexists('WAFRuleID_s', ''),\n WAFRuleMessage_s=column_ifexists('WAFRuleMessage_s', ''),\n WorkerCPUTime_d=column_ifexists('WorkerCPUTime_d', ''),\n WorkerStatus_s=column_ifexists('WorkerStatus_s', ''),\n WorkerSubrequest_b=column_ifexists('WorkerSubrequest_b', ''),\n WorkerSubrequestCount_d=column_ifexists('WorkerSubrequestCount_d', ''),\n ZoneID_d=column_ifexists('ZoneID_d', ''),\n Application_s=column_ifexists('Application_s', ''),\n 
ClientMatchedIpFirewall_s=column_ifexists('ClientMatchedIpFirewall_s', ''),\n ClientProto_s=column_ifexists('ClientProto_s', ''),\n ClientTcpRtt_d=column_ifexists('ClientTcpRtt_d', ''),\n ClientTlsCipher_s=column_ifexists('ClientTlsCipher_s', ''),\n ClientTlsClientHelloServerName_s=column_ifexists('ClientTlsClientHelloServerName_s', ''),\n ClientTlsProtocol_s=column_ifexists('ClientTlsProtocol_s', ''),\n ClientTlsStatus_s=column_ifexists('ClientTlsStatus_s', ''),\n ColoCode_s=column_ifexists('ColoCode_s', ''),\n ConnectTimestamp_t=column_ifexists('ConnectTimestamp_t', ''),\n DisconnectTimestamp_t=column_ifexists('DisconnectTimestamp_t', ''),\n Event_s=column_ifexists('Event_s', ''),\n IpFirewall_b=column_ifexists('IpFirewall_b', ''),\n OriginBytes_d=column_ifexists('OriginBytes_d', ''),\n OriginPort_d=column_ifexists('OriginPort_d', ''),\n OriginProto_s=column_ifexists('OriginProto_s', ''),\n OriginTcpRtt_d=column_ifexists('OriginTcpRtt_d', ''),\n OriginTlsCipher_s=column_ifexists('OriginTlsCipher_s', ''),\n OriginTlsFingerprint_s=column_ifexists('OriginTlsFingerprint_s', ''),\n OriginTlsMode_s=column_ifexists('OriginTlsMode_s', ''),\n OriginTlsProtocol_s=column_ifexists('OriginTlsProtocol_s', ''),\n OriginTlsStatus_s=column_ifexists('OriginTlsStatus_s', ''),\n ProxyProtocol_s=column_ifexists('ProxyProtocol_s', ''),\n Status_d=column_ifexists('Status_d', ''),\n Timestamp_t=column_ifexists('Timestamp_t', ''),\n Action_s=column_ifexists('Action_s', ''),\n ClientASNDescription_s=column_ifexists('ClientASNDescription_s', ''),\n ClientRefererHost_s=column_ifexists('ClientRefererHost_s', ''),\n ClientRefererPath_s=column_ifexists('ClientRefererPath_s', ''),\n ClientRefererQuery_s=column_ifexists('ClientRefererQuery_s', ''),\n ClientRefererScheme_s=column_ifexists('ClientRefererScheme_s', ''),\n ClientRequestQuery_s=column_ifexists('ClientRequestQuery_s', ''),\n ClientRequestScheme_s=column_ifexists('ClientRequestScheme_s', ''),\n Datetime_t=column_ifexists('Datetime_t', 
''),\n Kind_s=column_ifexists('Kind_s', ''),\n MatchIndex_d=column_ifexists('MatchIndex_d', ''),\n OriginatorRayID_s=column_ifexists('OriginatorRayID_s', ''),\n RuleID_s=column_ifexists('RuleID_s', ''),\n Source_s=column_ifexists('Source_s', '')\n| extend\n SrcDvcType=iff(isempty(ClientDeviceType_s), iff(isempty(Source_s), '', Source_s), ClientDeviceType_s),\n TlsCipher=iff(isempty(ClientSSLCipher_s), iff(isempty(ClientTlsCipher_s), '', ClientTlsCipher_s), ClientSSLCipher_s),\n TlsVersion=iff(isempty(ClientSSLProtocol_s), iff(isempty(ClientTlsProtocol_s), '', ClientTlsProtocol_s), ClientSSLProtocol_s),\n DvcAction=iff(isempty(FirewallMatchesActions_s), iff(isempty(Event_s), iff(isempty(Action_s), '', Action_s), Event_s), FirewallMatchesActions_s),\n NetworkRuleName=iff(isempty(FirewallMatchesRuleIDs_s), iff(isempty(RuleID_s), '', RuleID_s), FirewallMatchesRuleIDs_s),\n ClientRequestBytes_d=column_ifexists('ClientRequestBytes_d', column_ifexists('ClientBytes_d', '')),\n ClientSrcPort_d=column_ifexists('ClientSrcPort_d', column_ifexists('ClientPort_d', '')),\n EdgeResponseBytes_d=column_ifexists('EdgeResponseBytes_d', column_ifexists('OriginBytes_d', ''))\n| project-rename\n SrcBytes=ClientRequestBytes_d,\n SrcPortNumber=ClientSrcPort_d,\n DstBytes=EdgeResponseBytes_d,\n BotScore=BotScore_d,\n BotScoreSrc=BotScoreSrc_s,\n CacheCacheStatus=CacheCacheStatus_s,\n CacheResponseBytes=CacheResponseBytes_d,\n CacheResponseStatus=CacheResponseStatus_d,\n CacheTieredFill=CacheTieredFill_b,\n ClientASN=ClientASN_d,\n SrcGeoCountry=ClientCountry_s,\n SrcIpAddr=ClientIP_s,\n ClientIPClass=ClientIPClass_s,\n HttpRequestHeaderHost=ClientRequestHost_s,\n HttpRequestMethod=ClientRequestMethod_s,\n ClientRequestPath=ClientRequestPath_s,\n ClientRequestProtocol=ClientRequestProtocol_s,\n HttpReferrerOriginal=ClientRequestReferer_s,\n ClientRequestURI=ClientRequestURI_s,\n HttpUserAgentOriginal=ClientRequestUserAgent_s,\n ClientXRequestedWith=ClientXRequestedWith_s,\n 
EdgeColoCode=EdgeColoCode_s,\n EdgeColoID=EdgeColoID_d,\n EdgeEndTimestamp=EdgeEndTimestamp_t,\n EdgePathingOp=EdgePathingOp_s,\n EdgePathingSrc=EdgePathingSrc_s,\n EdgePathingStatus=EdgePathingStatus_s,\n EdgeRateLimitAction=EdgeRateLimitAction_s,\n EdgeRateLimitID=EdgeRateLimitID_d,\n EdgeRequestHost=EdgeRequestHost_s,\n EdgeResponseCompressionRatio=EdgeResponseCompressionRatio_d,\n HttpContentType=EdgeResponseContentType_s,\n EdgeResponseStatus=EdgeResponseStatus_d,\n EdgeServerIP=EdgeServerIP_s,\n EdgeStartTimestamp=EdgeStartTimestamp_t,\n FirewallMatchesSources=FirewallMatchesSources_s,\n DstIpAddr=OriginIP_s,\n OriginResponseBytes=OriginResponseBytes_d,\n OriginResponseHTTPExpires=OriginResponseHTTPExpires_s,\n OriginResponseHTTPLastModified=OriginResponseHTTPLastModified_s,\n HttpStatusCode=OriginResponseStatus_d,\n OriginResponseTime=OriginResponseTime_d,\n OriginSSLProtocol=OriginSSLProtocol_s,\n ParentRayID=ParentRayID_s,\n RayID=RayID_s,\n SecurityLevel=SecurityLevel_s,\n WAFAction=WAFAction_s,\n WAFFlags=WAFFlags_s,\n WAFMatchedVar=WAFMatchedVar_s,\n WAFProfile=WAFProfile_s,\n WAFRuleID=WAFRuleID_s,\n WAFRuleMessage=WAFRuleMessage_s,\n WorkerCPUTime=WorkerCPUTime_d,\n WorkerStatus=WorkerStatus_s,\n WorkerSubrequest=WorkerSubrequest_b,\n WorkerSubrequestCount=WorkerSubrequestCount_d,\n ZoneID=ZoneID_d,\n Application=Application_s,\n ClientMatchedIpFirewall=ClientMatchedIpFirewall_s,\n NetworkProtocol=ClientProto_s,\n ClientTcpRtt=ClientTcpRtt_d,\n ClientTlsClientHelloServerName=ClientTlsClientHelloServerName_s,\n ClientTlsStatus=ClientTlsStatus_s,\n ColoCode=ColoCode_s,\n ConnectTimestamp=ConnectTimestamp_t,\n DisconnectTimestamp=DisconnectTimestamp_t,\n IpFirewall=IpFirewall_b,\n DstPortNumber=OriginPort_d,\n OriginProto=OriginProto_s,\n OriginTcpRtt=OriginTcpRtt_d,\n OriginTlsCipher=OriginTlsCipher_s,\n OriginTlsFingerprint=OriginTlsFingerprint_s,\n OriginTlsMode=OriginTlsMode_s,\n OriginTlsProtocol=OriginTlsProtocol_s,\n 
OriginTlsStatus=OriginTlsStatus_s,\n ProxyProtocol=ProxyProtocol_s,\n EventResult=Status_d,\n Timestamp=Timestamp_t,\n ClientASNDescription=ClientASNDescription_s,\n ClientRefererHost=ClientRefererHost_s,\n ClientRefererPath=ClientRefererPath_s,\n ClientRefererQuery=ClientRefererQuery_s,\n ClientRefererScheme=ClientRefererScheme_s,\n ClientRequestQuery=ClientRequestQuery_s,\n ClientRequestScheme=ClientRequestScheme_s,\n Datetime=Datetime_t,\n EventSubType=Kind_s,\n MatchIndex=MatchIndex_d,\n OriginatorRayID=OriginatorRayID_s\n| project-away \n ClientDeviceType_s,\n Source_s,\n ClientSSLCipher_s,\n ClientTlsCipher_s,\n ClientSSLProtocol_s,\n ClientTlsProtocol_s,\n FirewallMatchesActions_s,\n Event_s,\n Action_s,\n FirewallMatchesRuleIDs_s,\n RuleID_s\n",
 "functionParameters": "",
- "version": 1,
+ "version": 2,
 "tags": [
 {
 "name": "description",
- "value": "Cloudflare"
+ "value": ""
 }
 ]
 }
@@ -649,15 +647,15 @@
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
 "location": "[parameters('workspace-location')]",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]",
 "dependsOn": [
- "[variables('_parserId1')]"
+ "[variables('parserObject1')._parserId1]"
 ],
 "properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
- "contentId": "[variables('_parserContentId1')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Cloudflare')]",
+ "contentId": "[variables('parserObject1').parserContentId1]",
 "kind": "Parser",
- "version": "[variables('parserVersion1')]",
+ "version": "[variables('parserObject1').parserVersion1]",
 "source": {
 "kind": "Solution",
 "name": "Cloudflare",
@@ -684,7 +682,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CloudflareWorkbook Workbook with template version 3.0.1",
+ "description": "Cloudflare Workbook with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
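Review bot: The new `parentId` in the `@@ -649,15 +647,15 @@` hunk hardcodes the saved-search name `'Cloudflare'`, while `name`, `dependsOn`, `contentId` and `version` of the same metadata resource are now all read from `variables('parserObject1')`; the resource's parent and its declared dependency are therefore derived from two different sources and will silently diverge if the parser's saved-search name carried by `parserObject1` ever changes, leaving the metadata pointing at a saved search that is not the one it depends on. Prefer to take the name from the same object, e.g. `"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserObject1').<PARSER_NAME_PROPERTY>)]"` (placeholder: use whichever property of `parserObject1` holds the parser name, which the old template read as `variables('parserName1')`). The `parserObject1` definition lies outside this hunk, so whether it exposes such a property cannot be confirmed here, and the enclosing metadata resource begins before the hunk header.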
@@ -698,11 +696,11 @@ "kind": "shared", "apiVersion": "2021-08-01", "metadata": { - "description": "Sets the time name for analysis" + "description": "Gain insights into Cloudflare events. You will get visibility on your Cloudflare web traffic, security, reliability." }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**NOTE**: This workbook depends on a parser based on a Kusto Function to work as expected [**Cloudflare**](https://aka.ms/sentinel-CloudflareDataConnector-parse) which is deployed with the Microsoft Sentinel Solution.\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"2088f290-65ee-4357-badb-55ce732a5004\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Cloudflare Web Traffic Overview\",\"subTarget\":\"cloudflare_web_traffic_overview\",\"style\":\"link\"},{\"id\":\"25df6ee6-dcf7-4aa2-b90e-50f8a4b6548d\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Cloudflare Security Overview\",\"subTarget\":\"cloudflare_security_overview\",\"style\":\"link\"},{\"id\":\"a2108bc6-5769-4c86-a5c0-201f531ed929\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Cloudflare Reliability Summary\",\"subTarget\":\"cloudflare_reliability_summary\",\"style\":\"link\"}]},\"name\":\"links - 
1\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"c64d5d3d-90c6-484a-ab88-c70652b75b6e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":172800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL\\n| summarize count() by ClientDeviceType_s\",\"size\":0,\"title\":\"Traffic Type\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_web_traffic_overview\"},\"customWidth\":\"25\",\"name\":\"Traffic Type\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL\\n| summarize count() by ClientRequestProtocol_s\",\"size\":0,\"title\":\"HTTP Protocols\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_web_traffic_overview\"},\"customWidth\":\"25\",\"name\":\"HTTP 
Protocols\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL\\n| summarize count() by ClientRequestMethod_s\",\"size\":0,\"title\":\"Request Methods\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_web_traffic_overview\"},\"customWidth\":\"25\",\"name\":\"Request Methods\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL\\n| extend EdgeResponseContentType = iif(isempty(EdgeResponseContentType_s),\\\"empty\\\",EdgeResponseContentType_s )\\n| summarize count() by EdgeResponseContentType\",\"size\":0,\"title\":\"Content Types\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_web_traffic_overview\"},\"customWidth\":\"25\",\"name\":\"Content Types\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL\\n| summarize Count=count() by ClientRequestURI_s\\n| sort by Count | project-rename ClientRequestURI=ClientRequestURI_s | take 50\",\"size\":0,\"title\":\"Top Requested URIs\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\"},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_web_traffic_overview\"},\"customWidth\":\"25\",\"name\":\"Top Requested URIs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL\\n| summarize Count=count() by ClientIP_s\\n| sort by Count | take 50 | project-rename 
ClientIP=ClientIP_s\",\"size\":0,\"title\":\"Top Traffic IPs\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\"},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_web_traffic_overview\"},\"customWidth\":\"25\",\"name\":\"Top Traffic IPs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL\\n| extend ClientRequestReferer = iif(isempty(ClientRequestReferer_s),\\\"empty\\\",ClientRequestReferer_s )\\n| summarize Count=count() by ClientRequestReferer\\n| sort by Count | take 50\\n\",\"size\":0,\"title\":\"Top Referer\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\"},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_web_traffic_overview\"},\"customWidth\":\"25\",\"name\":\"Top Referer\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL\\n| summarize Count=count() by ClientIPClass_s | project-rename ClientIPClass=ClientIPClass_s\\n| sort by Count | take 50\\n\",\"size\":0,\"title\":\"Top Traffic Types\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_web_traffic_overview\"},\"customWidth\":\"25\",\"name\":\"Top Traffic Types\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL\\n| summarize Count=count() by ClientRequestUserAgent_s | project-rename ClientRequestUserAgent=ClientRequestUserAgent_s\\n| sort by Count | take 50\",\"size\":0,\"title\":\"Top User 
Agents\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ClientRequestUserAgent\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"75%\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_web_traffic_overview\"},\"name\":\"Top User Agents\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let total_number_of_requests =\\nCloudflare_CL\\n| summarize Count=count()\\n| extend title=\\\"Total Number Of Requests\\\";\\n\\nlet threats_stopped =\\nCloudflare_CL \\n| extend threat=case(EdgePathingSrc_s ==\\\"user\\\" and EdgePathingOp_s == \\\"ban\\\" and EdgePathingStatus_s has \\\"ip\\\" ,\\\"IP Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\",\\\"Country Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"zl\\\", \\\"Routed by Zone Lockdown\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ua\\\", \\\"Blocked User Agent\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"rateLimit\\\", \\\"Blocked by Rate Limiting\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Blocked by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"chl\\\", \\\"Challenged by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"bic\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Browser Integrity Check\\\", EdgePathingSrc_s==\\\"hot\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"hot\\\" and EdgePathingOp_s==\\\"ban\\\" and 
EdgePathingStatus_s==\\\"ip\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaErr\\\", \\\"CAPTCHA Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaFail\\\", \\\"CAPTCHA Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaNew\\\", \\\"New CAPTCHA\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlErr\\\", \\\"Java Script Challenge Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlFail\\\", \\\"Java Script Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlNew\\\", \\\"New Java Script Challenge\\\", EdgePathingSrc_s==\\\"protect\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"17ddos\\\", \\\"L7 DDos Mitigation\\\",\\\"\\\")\\n| where isnotempty(threat) | summarize Count=count()\\n| extend title=\\\"Stopped Threats\\\";\\n\\nlet result_table = union total_number_of_requests, threats_stopped; \\nresult_table \\n| sort by 
Count\\n\\n\",\"size\":0,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Count\",\"sortOrderField\":2,\"size\":\"auto\"}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_security_overview\"},\"customWidth\":\"33\",\"name\":\"Req_Threats_title\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL \\n| extend threat=case(EdgePathingSrc_s ==\\\"user\\\" and EdgePathingOp_s == \\\"ban\\\" and EdgePathingStatus_s has \\\"ip\\\" ,\\\"IP Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\",\\\"Country Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"zl\\\", \\\"Routed by Zone Lockdown\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ua\\\", \\\"Blocked User Agent\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"rateLimit\\\", \\\"Blocked by Rate Limiting\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Blocked by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"chl\\\", \\\"Challenged by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"bic\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Browser Integrity Check\\\", EdgePathingSrc_s==\\\"hot\\\" and 
EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"hot\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ip\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaErr\\\", \\\"CAPTCHA Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaFail\\\", \\\"CAPTCHA Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaNew\\\", \\\"New CAPTCHA\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlErr\\\", \\\"Java Script Challenge Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlFail\\\", \\\"Java Script Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlNew\\\", \\\"New Java Script Challenge\\\", EdgePathingSrc_s==\\\"protect\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"17ddos\\\", \\\"L7 DDos Mitigation\\\",\\\"\\\")\\n| where isnotempty(threat)\\n| summarize Count=count() by threat\",\"size\":0,\"title\":\"Top 
Threats\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Count\",\"sortOrderField\":2,\"size\":\"auto\"}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_security_overview\"},\"customWidth\":\"33\",\"name\":\"Top Threats\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let total_number_of_requests =\\nCloudflare_CL\\n| summarize Count=count()\\n| extend title=\\\"Total Number Of Requests\\\";\\n\\nlet threats_stopped =\\nCloudflare_CL \\n| extend threat=case(EdgePathingSrc_s ==\\\"user\\\" and EdgePathingOp_s == \\\"ban\\\" and EdgePathingStatus_s has \\\"ip\\\" ,\\\"IP Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\",\\\"Country Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"zl\\\", \\\"Routed by Zone Lockdown\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ua\\\", \\\"Blocked User Agent\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"rateLimit\\\", \\\"Blocked by Rate Limiting\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Blocked by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"chl\\\", \\\"Challenged by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"bic\\\" and 
EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Browser Integrity Check\\\", EdgePathingSrc_s==\\\"hot\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"hot\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ip\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaErr\\\", \\\"CAPTCHA Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaFail\\\", \\\"CAPTCHA Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaNew\\\", \\\"New CAPTCHA\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlErr\\\", \\\"Java Script Challenge Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlFail\\\", \\\"Java Script Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlNew\\\", \\\"New Java Script Challenge\\\", EdgePathingSrc_s==\\\"protect\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"17ddos\\\", \\\"L7 DDos Mitigation\\\",\\\"\\\")\\n| where isnotempty(threat) | summarize Count=count()\\n| extend title=\\\"Stopped Threats\\\";\\n\\nlet result_table = union total_number_of_requests, threats_stopped; \\nresult_table \\n| sort by Count\\n\\n\",\"size\":0,\"title\":\"Requests vs 
Threats\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Count\",\"sortOrderField\":2,\"size\":\"auto\"}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_security_overview\"},\"customWidth\":\"33\",\"name\":\"Requests vs Threats\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL \\n| extend threat=case(EdgePathingSrc_s ==\\\"user\\\" and EdgePathingOp_s == \\\"ban\\\" and EdgePathingStatus_s has \\\"ip\\\" ,\\\"IP Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\",\\\"Country Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"zl\\\", \\\"Routed by Zone Lockdown\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ua\\\", \\\"Blocked User Agent\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"rateLimit\\\", \\\"Blocked by Rate Limiting\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Blocked by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"chl\\\", \\\"Challenged by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"bic\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Browser Integrity Check\\\", EdgePathingSrc_s==\\\"hot\\\" and 
EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"hot\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ip\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaErr\\\", \\\"CAPTCHA Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaFail\\\", \\\"CAPTCHA Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaNew\\\", \\\"New CAPTCHA\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlErr\\\", \\\"Java Script Challenge Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlFail\\\", \\\"Java Script Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlNew\\\", \\\"New Java Script Challenge\\\", EdgePathingSrc_s==\\\"protect\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"17ddos\\\", \\\"L7 DDos Mitigation\\\",\\\"\\\")\\n| where isnotempty(threat)\\n| make-series Trend = count() on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};\",\"size\":0,\"title\":\"Threats Over 
Time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Count\",\"sortOrderField\":2,\"size\":\"auto\"}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_security_overview\"},\"customWidth\":\"33\",\"name\":\"Threats Over Time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL \\n| extend threat=case(EdgePathingSrc_s ==\\\"user\\\" and EdgePathingOp_s == \\\"ban\\\" and EdgePathingStatus_s has \\\"ip\\\" ,\\\"IP Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\",\\\"Country Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"zl\\\", \\\"Routed by Zone Lockdown\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ua\\\", \\\"Blocked User Agent\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"rateLimit\\\", \\\"Blocked by Rate Limiting\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Blocked by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"chl\\\", \\\"Challenged by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"bic\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Browser Integrity Check\\\", EdgePathingSrc_s==\\\"hot\\\" and EdgePathingOp_s==\\\"ban\\\" 
and EdgePathingStatus_s==\\\"ctry\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"hot\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ip\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaErr\\\", \\\"CAPTCHA Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaFail\\\", \\\"CAPTCHA Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaNew\\\", \\\"New CAPTCHA\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlErr\\\", \\\"Java Script Challenge Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlFail\\\", \\\"Java Script Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlNew\\\", \\\"New Java Script Challenge\\\", EdgePathingSrc_s==\\\"protect\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"17ddos\\\", \\\"L7 DDos Mitigation\\\",\\\"\\\")\\n| where isnotempty(threat)\\n| summarize count() by ClientCountry_s | project-rename Country=ClientCountry_s | take 20\",\"size\":0,\"title\":\"Top Threat 
Countries\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Count\",\"sortOrderField\":2,\"size\":\"auto\"}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_security_overview\"},\"customWidth\":\"33\",\"name\":\"Top Threat Countries\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL \\n| extend threat=case(EdgePathingSrc_s ==\\\"user\\\" and EdgePathingOp_s == \\\"ban\\\" and EdgePathingStatus_s has \\\"ip\\\" ,\\\"IP Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\",\\\"Country Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"zl\\\", \\\"Routed by Zone Lockdown\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ua\\\", \\\"Blocked User Agent\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"rateLimit\\\", \\\"Blocked by Rate Limiting\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Blocked by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"chl\\\", \\\"Challenged by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"bic\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Browser Integrity Check\\\", EdgePathingSrc_s==\\\"hot\\\" and 
EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"hot\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ip\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaErr\\\", \\\"CAPTCHA Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaFail\\\", \\\"CAPTCHA Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaNew\\\", \\\"New CAPTCHA\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlErr\\\", \\\"Java Script Challenge Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlFail\\\", \\\"Java Script Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlNew\\\", \\\"New Java Script Challenge\\\", EdgePathingSrc_s==\\\"protect\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"17ddos\\\", \\\"L7 DDos Mitigation\\\",\\\"\\\")\\n| where isnotempty(threat)\\n| summarize count() by ClientIP_s | project-rename ClientIP=ClientIP_s\",\"size\":0,\"title\":\"Top Threat Client 
IPs\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Count\",\"sortOrderField\":2,\"size\":\"auto\"}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_security_overview\"},\"customWidth\":\"33\",\"name\":\"Top Threat Client IPs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL \\n| extend threat=case(EdgePathingSrc_s ==\\\"user\\\" and EdgePathingOp_s == \\\"ban\\\" and EdgePathingStatus_s has \\\"ip\\\" ,\\\"IP Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\",\\\"Country Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"zl\\\", \\\"Routed by Zone Lockdown\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ua\\\", \\\"Blocked User Agent\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"rateLimit\\\", \\\"Blocked by Rate Limiting\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Blocked by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"chl\\\", \\\"Challenged by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"bic\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Browser Integrity Check\\\", EdgePathingSrc_s==\\\"hot\\\" and EdgePathingOp_s==\\\"ban\\\" 
and EdgePathingStatus_s==\\\"ctry\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"hot\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ip\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaErr\\\", \\\"CAPTCHA Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaFail\\\", \\\"CAPTCHA Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaNew\\\", \\\"New CAPTCHA\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlErr\\\", \\\"Java Script Challenge Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlFail\\\", \\\"Java Script Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlNew\\\", \\\"New Java Script Challenge\\\", EdgePathingSrc_s==\\\"protect\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"17ddos\\\", \\\"L7 DDos Mitigation\\\",\\\"\\\")\\n| where isnotempty(threat)\\n| summarize Count=count() by ClientRequestURI_s | project-rename ClientRequestURI=ClientRequestURI_s\",\"size\":0,\"title\":\"Top Threat 
URIs\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Count\",\"sortOrderField\":2,\"size\":\"auto\"}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_security_overview\"},\"customWidth\":\"33\",\"name\":\"Top Threat URIs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL \\n| extend threat=case(EdgePathingSrc_s ==\\\"user\\\" and EdgePathingOp_s == \\\"ban\\\" and EdgePathingStatus_s has \\\"ip\\\" ,\\\"IP Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\",\\\"Country Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"zl\\\", \\\"Routed by Zone Lockdown\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ua\\\", \\\"Blocked User Agent\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"rateLimit\\\", \\\"Blocked by Rate Limiting\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Blocked by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"chl\\\", \\\"Challenged by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"bic\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Browser Integrity Check\\\", EdgePathingSrc_s==\\\"hot\\\" and EdgePathingOp_s==\\\"ban\\\" and 
EdgePathingStatus_s==\\\"ctry\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"hot\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ip\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaErr\\\", \\\"CAPTCHA Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaFail\\\", \\\"CAPTCHA Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaNew\\\", \\\"New CAPTCHA\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlErr\\\", \\\"Java Script Challenge Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlFail\\\", \\\"Java Script Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlNew\\\", \\\"New Java Script Challenge\\\", EdgePathingSrc_s==\\\"protect\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"17ddos\\\", \\\"L7 DDos Mitigation\\\",\\\"\\\")\\n| where isnotempty(threat)\\n| summarize Count=count() by ClientRequestUserAgent_s | project-rename ClientRequestUserAgent=ClientRequestUserAgent_s\",\"size\":0,\"title\":\"Top Threat User 
Agents\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Count\",\"sortOrderField\":2,\"size\":\"auto\"}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_security_overview\"},\"customWidth\":\"33\",\"name\":\"Top Threat User Agents\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL \\n| extend threat=case(EdgePathingSrc_s ==\\\"user\\\" and EdgePathingOp_s == \\\"ban\\\" and EdgePathingStatus_s has \\\"ip\\\" ,\\\"IP Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\",\\\"Country Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"zl\\\", \\\"Routed by Zone Lockdown\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ua\\\", \\\"Blocked User Agent\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"rateLimit\\\", \\\"Blocked by Rate Limiting\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Blocked by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"chl\\\", \\\"Challenged by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"bic\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Browser Integrity Check\\\", EdgePathingSrc_s==\\\"hot\\\" and 
EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"hot\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ip\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaErr\\\", \\\"CAPTCHA Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaFail\\\", \\\"CAPTCHA Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaNew\\\", \\\"New CAPTCHA\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlErr\\\", \\\"Java Script Challenge Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlFail\\\", \\\"Java Script Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlNew\\\", \\\"New Java Script Challenge\\\", EdgePathingSrc_s==\\\"protect\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"17ddos\\\", \\\"L7 DDos Mitigation\\\",\\\"\\\")\\n| where isnotempty(threat)\\n| summarize Count=count() by EdgePathingStatus_s | project-rename EdgePathingStatus=EdgePathingStatus_s\",\"size\":0,\"title\":\"Top Threat User 
Agents\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Count\",\"sortOrderField\":2,\"size\":\"auto\"}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_security_overview\"},\"customWidth\":\"33\",\"name\":\"Top Threat User Agents - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let 5xx = Cloudflare_CL \\n| where tostring(EdgeResponseStatus_d) startswith \\\"5\\\"\\n| summarize Count=count()\\n| extend title=\\\"5xx Errors (Edge)\\\";\\n\\nlet 4xx = Cloudflare_CL \\n| where tostring(EdgeResponseStatus_d) startswith \\\"4\\\"\\n| summarize Count=count()\\n| extend title=\\\"4xx Errors (Edge)\\\";\\n\\nlet 3xx = Cloudflare_CL \\n| where tostring(EdgeResponseStatus_d) startswith \\\"3\\\"\\n| summarize Count=count()\\n| extend title=\\\"3xx Errors (Edge)\\\";\\n\\nlet result_table = union 5xx, 4xx, 3xx; \\nresult_table \\n| sort by Count\\n\\n\",\"size\":0,\"title\":\"ERRORS Counts 
(Edge)\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_reliability_summary\"},\"customWidth\":\"33\",\"name\":\"Errors (Edge)\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL \\n| extend response_error_type= case(tostring(EdgeResponseStatus_d) startswith \\\"2\\\" , \\\"2xx\\\", tostring(EdgeResponseStatus_d) startswith \\\"3\\\" , \\\"3xx\\\", tostring(EdgeResponseStatus_d) startswith \\\"4\\\" , \\\"4xx\\\", tostring(EdgeResponseStatus_d) startswith \\\"5\\\" , \\\"5xx\\\",\\\"\\\")\\n| where isnotempty(response_error_type)\\n| summarize Count=count() by response_error_type\",\"size\":0,\"title\":\"Edge Response Error Ratio\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_reliability_summary\"},\"customWidth\":\"33\",\"name\":\"Edge Response Error Ratio\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL \\n| extend 
response_error_type= case(tostring(OriginResponseStatus_d) startswith \\\"2\\\" , \\\"2xx\\\", tostring(OriginResponseStatus_d) startswith \\\"3\\\" , \\\"3xx\\\", tostring(OriginResponseStatus_d) startswith \\\"4\\\" , \\\"4xx\\\", tostring(OriginResponseStatus_d) startswith \\\"5\\\" , \\\"5xx\\\",\\\"\\\")\\n| where isnotempty(response_error_type)\\n| summarize Count=count() by response_error_type\",\"size\":0,\"title\":\"Origin Response Error Ratio\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_reliability_summary\"},\"customWidth\":\"33\",\"name\":\"Origin Response Error Ratio\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL \\n| extend response_error_type= case(tostring(EdgeResponseStatus_d) startswith \\\"2\\\" , \\\"2xx\\\", tostring(EdgeResponseStatus_d) startswith \\\"3\\\" , \\\"3xx\\\", tostring(EdgeResponseStatus_d) startswith \\\"4\\\" , \\\"4xx\\\", tostring(EdgeResponseStatus_d) startswith \\\"5\\\" , \\\"5xx\\\",\\\"\\\")\\n| where isnotempty(response_error_type)\\n| make-series Trend = count() on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by response_error_type;\",\"size\":0,\"title\":\"Edge Response Status Over 
Time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_reliability_summary\"},\"customWidth\":\"50\",\"name\":\"Edge Response Status Over Time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL \\n| extend response_error_type= case(tostring(OriginResponseStatus_d) startswith \\\"2\\\" , \\\"2xx\\\", tostring(OriginResponseStatus_d) startswith \\\"3\\\" , \\\"3xx\\\", tostring(OriginResponseStatus_d) startswith \\\"4\\\" , \\\"4xx\\\", tostring(OriginResponseStatus_d) startswith \\\"5\\\" , \\\"5xx\\\",\\\"\\\")\\n| where isnotempty(response_error_type)\\n| make-series Trend = count() on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by response_error_type;\",\"size\":0,\"title\":\"Origin Response Status Over 
Time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_reliability_summary\"},\"customWidth\":\"50\",\"name\":\"Origin Response Status Over Time\"}],\"fromTemplateId\":\"sentinel-CloudflareWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**NOTE**: This workbook depends on a parser based on a Kusto Function to work as expected [**Cloudflare**](https://aka.ms/sentinel-CloudflareDataConnector-parse) which is deployed with the Microsoft Sentinel Solution.\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"2088f290-65ee-4357-badb-55ce732a5004\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Cloudflare Web Traffic Overview\",\"subTarget\":\"cloudflare_web_traffic_overview\",\"style\":\"link\"},{\"id\":\"25df6ee6-dcf7-4aa2-b90e-50f8a4b6548d\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Cloudflare Security Overview\",\"subTarget\":\"cloudflare_security_overview\",\"style\":\"link\"},{\"id\":\"a2108bc6-5769-4c86-a5c0-201f531ed929\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Cloudflare Reliability Summary\",\"subTarget\":\"cloudflare_reliability_summary\",\"style\":\"link\"}]},\"name\":\"links - 
1\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"c64d5d3d-90c6-484a-ab88-c70652b75b6e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":172800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL\\n| summarize count() by ClientDeviceType_s\",\"size\":0,\"title\":\"Traffic Type\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_web_traffic_overview\"},\"customWidth\":\"25\",\"name\":\"Traffic Type\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL\\n| summarize count() by ClientRequestProtocol_s\",\"size\":0,\"title\":\"HTTP Protocols\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_web_traffic_overview\"},\"customWidth\":\"25\",\"name\":\"HTTP 
Protocols\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL\\n| summarize count() by ClientRequestMethod_s\",\"size\":0,\"title\":\"Request Methods\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_web_traffic_overview\"},\"customWidth\":\"25\",\"name\":\"Request Methods\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL\\n| extend EdgeResponseContentType = iif(isempty(EdgeResponseContentType_s),\\\"empty\\\",EdgeResponseContentType_s )\\n| summarize count() by EdgeResponseContentType\",\"size\":0,\"title\":\"Content Types\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_web_traffic_overview\"},\"customWidth\":\"25\",\"name\":\"Content Types\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL\\n| summarize Count=count() by ClientRequestURI_s\\n| sort by Count | project-rename ClientRequestURI=ClientRequestURI_s | take 50\",\"size\":0,\"title\":\"Top Requested URIs\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\"},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_web_traffic_overview\"},\"customWidth\":\"25\",\"name\":\"Top Requested URIs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL\\n| summarize Count=count() by ClientIP_s\\n| sort by Count | take 50 | project-rename 
ClientIP=ClientIP_s\",\"size\":0,\"title\":\"Top Traffic IPs\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\"},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_web_traffic_overview\"},\"customWidth\":\"25\",\"name\":\"Top Traffic IPs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL\\n| extend ClientRequestReferer = iif(isempty(ClientRequestReferer_s),\\\"empty\\\",ClientRequestReferer_s )\\n| summarize Count=count() by ClientRequestReferer\\n| sort by Count | take 50\\n\",\"size\":0,\"title\":\"Top Referer\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\"},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_web_traffic_overview\"},\"customWidth\":\"25\",\"name\":\"Top Referer\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL\\n| summarize Count=count() by ClientIPClass_s | project-rename ClientIPClass=ClientIPClass_s\\n| sort by Count | take 50\\n\",\"size\":0,\"title\":\"Top Traffic Types\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_web_traffic_overview\"},\"customWidth\":\"25\",\"name\":\"Top Traffic Types\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL\\n| summarize Count=count() by ClientRequestUserAgent_s | project-rename ClientRequestUserAgent=ClientRequestUserAgent_s\\n| sort by Count | take 50\",\"size\":0,\"title\":\"Top User 
Agents\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ClientRequestUserAgent\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"75%\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_web_traffic_overview\"},\"name\":\"Top User Agents\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let total_number_of_requests =\\nCloudflare_CL\\n| summarize Count=count()\\n| extend title=\\\"Total Number Of Requests\\\";\\n\\nlet threats_stopped =\\nCloudflare_CL \\n| extend threat=case(EdgePathingSrc_s ==\\\"user\\\" and EdgePathingOp_s == \\\"ban\\\" and EdgePathingStatus_s has \\\"ip\\\" ,\\\"IP Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\",\\\"Country Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"zl\\\", \\\"Routed by Zone Lockdown\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ua\\\", \\\"Blocked User Agent\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"rateLimit\\\", \\\"Blocked by Rate Limiting\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Blocked by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"chl\\\", \\\"Challenged by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"bic\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Browser Integrity Check\\\", EdgePathingSrc_s==\\\"hot\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"hot\\\" and EdgePathingOp_s==\\\"ban\\\" and 
EdgePathingStatus_s==\\\"ip\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaErr\\\", \\\"CAPTCHA Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaFail\\\", \\\"CAPTCHA Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaNew\\\", \\\"New CAPTCHA\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlErr\\\", \\\"Java Script Challenge Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlFail\\\", \\\"Java Script Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlNew\\\", \\\"New Java Script Challenge\\\", EdgePathingSrc_s==\\\"protect\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"17ddos\\\", \\\"L7 DDos Mitigation\\\",\\\"\\\")\\n| where isnotempty(threat) | summarize Count=count()\\n| extend title=\\\"Stopped Threats\\\";\\n\\nlet result_table = union total_number_of_requests, threats_stopped; \\nresult_table \\n| sort by 
Count\\n\\n\",\"size\":0,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Count\",\"sortOrderField\":2,\"size\":\"auto\"}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_security_overview\"},\"customWidth\":\"33\",\"name\":\"Req_Threats_title\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL \\n| extend threat=case(EdgePathingSrc_s ==\\\"user\\\" and EdgePathingOp_s == \\\"ban\\\" and EdgePathingStatus_s has \\\"ip\\\" ,\\\"IP Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\",\\\"Country Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"zl\\\", \\\"Routed by Zone Lockdown\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ua\\\", \\\"Blocked User Agent\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"rateLimit\\\", \\\"Blocked by Rate Limiting\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Blocked by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"chl\\\", \\\"Challenged by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"bic\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Browser Integrity Check\\\", EdgePathingSrc_s==\\\"hot\\\" and 
EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"hot\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ip\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaErr\\\", \\\"CAPTCHA Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaFail\\\", \\\"CAPTCHA Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaNew\\\", \\\"New CAPTCHA\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlErr\\\", \\\"Java Script Challenge Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlFail\\\", \\\"Java Script Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlNew\\\", \\\"New Java Script Challenge\\\", EdgePathingSrc_s==\\\"protect\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"17ddos\\\", \\\"L7 DDos Mitigation\\\",\\\"\\\")\\n| where isnotempty(threat)\\n| summarize Count=count() by threat\",\"size\":0,\"title\":\"Top 
Threats\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Count\",\"sortOrderField\":2,\"size\":\"auto\"}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_security_overview\"},\"customWidth\":\"33\",\"name\":\"Top Threats\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let total_number_of_requests =\\nCloudflare_CL\\n| summarize Count=count()\\n| extend title=\\\"Total Number Of Requests\\\";\\n\\nlet threats_stopped =\\nCloudflare_CL \\n| extend threat=case(EdgePathingSrc_s ==\\\"user\\\" and EdgePathingOp_s == \\\"ban\\\" and EdgePathingStatus_s has \\\"ip\\\" ,\\\"IP Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\",\\\"Country Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"zl\\\", \\\"Routed by Zone Lockdown\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ua\\\", \\\"Blocked User Agent\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"rateLimit\\\", \\\"Blocked by Rate Limiting\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Blocked by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"chl\\\", \\\"Challenged by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"bic\\\" and 
EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Browser Integrity Check\\\", EdgePathingSrc_s==\\\"hot\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"hot\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ip\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaErr\\\", \\\"CAPTCHA Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaFail\\\", \\\"CAPTCHA Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaNew\\\", \\\"New CAPTCHA\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlErr\\\", \\\"Java Script Challenge Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlFail\\\", \\\"Java Script Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlNew\\\", \\\"New Java Script Challenge\\\", EdgePathingSrc_s==\\\"protect\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"17ddos\\\", \\\"L7 DDos Mitigation\\\",\\\"\\\")\\n| where isnotempty(threat) | summarize Count=count()\\n| extend title=\\\"Stopped Threats\\\";\\n\\nlet result_table = union total_number_of_requests, threats_stopped; \\nresult_table \\n| sort by Count\\n\\n\",\"size\":0,\"title\":\"Requests vs 
Threats\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Count\",\"sortOrderField\":2,\"size\":\"auto\"}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_security_overview\"},\"customWidth\":\"33\",\"name\":\"Requests vs Threats\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL \\n| extend threat=case(EdgePathingSrc_s ==\\\"user\\\" and EdgePathingOp_s == \\\"ban\\\" and EdgePathingStatus_s has \\\"ip\\\" ,\\\"IP Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\",\\\"Country Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"zl\\\", \\\"Routed by Zone Lockdown\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ua\\\", \\\"Blocked User Agent\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"rateLimit\\\", \\\"Blocked by Rate Limiting\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Blocked by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"chl\\\", \\\"Challenged by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"bic\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Browser Integrity Check\\\", EdgePathingSrc_s==\\\"hot\\\" and 
EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"hot\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ip\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaErr\\\", \\\"CAPTCHA Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaFail\\\", \\\"CAPTCHA Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaNew\\\", \\\"New CAPTCHA\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlErr\\\", \\\"Java Script Challenge Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlFail\\\", \\\"Java Script Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlNew\\\", \\\"New Java Script Challenge\\\", EdgePathingSrc_s==\\\"protect\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"17ddos\\\", \\\"L7 DDos Mitigation\\\",\\\"\\\")\\n| where isnotempty(threat)\\n| make-series Trend = count() on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};\",\"size\":0,\"title\":\"Threats Over 
Time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Count\",\"sortOrderField\":2,\"size\":\"auto\"}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_security_overview\"},\"customWidth\":\"33\",\"name\":\"Threats Over Time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL \\n| extend threat=case(EdgePathingSrc_s ==\\\"user\\\" and EdgePathingOp_s == \\\"ban\\\" and EdgePathingStatus_s has \\\"ip\\\" ,\\\"IP Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\",\\\"Country Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"zl\\\", \\\"Routed by Zone Lockdown\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ua\\\", \\\"Blocked User Agent\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"rateLimit\\\", \\\"Blocked by Rate Limiting\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Blocked by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"chl\\\", \\\"Challenged by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"bic\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Browser Integrity Check\\\", EdgePathingSrc_s==\\\"hot\\\" and EdgePathingOp_s==\\\"ban\\\" 
and EdgePathingStatus_s==\\\"ctry\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"hot\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ip\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaErr\\\", \\\"CAPTCHA Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaFail\\\", \\\"CAPTCHA Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaNew\\\", \\\"New CAPTCHA\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlErr\\\", \\\"Java Script Challenge Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlFail\\\", \\\"Java Script Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlNew\\\", \\\"New Java Script Challenge\\\", EdgePathingSrc_s==\\\"protect\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"17ddos\\\", \\\"L7 DDos Mitigation\\\",\\\"\\\")\\n| where isnotempty(threat)\\n| summarize count() by ClientCountry_s | project-rename Country=ClientCountry_s | take 20\",\"size\":0,\"title\":\"Top Threat 
Countries\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Count\",\"sortOrderField\":2,\"size\":\"auto\"}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_security_overview\"},\"customWidth\":\"33\",\"name\":\"Top Threat Countries\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL \\n| extend threat=case(EdgePathingSrc_s ==\\\"user\\\" and EdgePathingOp_s == \\\"ban\\\" and EdgePathingStatus_s has \\\"ip\\\" ,\\\"IP Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\",\\\"Country Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"zl\\\", \\\"Routed by Zone Lockdown\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ua\\\", \\\"Blocked User Agent\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"rateLimit\\\", \\\"Blocked by Rate Limiting\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Blocked by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"chl\\\", \\\"Challenged by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"bic\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Browser Integrity Check\\\", EdgePathingSrc_s==\\\"hot\\\" and 
EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"hot\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ip\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaErr\\\", \\\"CAPTCHA Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaFail\\\", \\\"CAPTCHA Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaNew\\\", \\\"New CAPTCHA\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlErr\\\", \\\"Java Script Challenge Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlFail\\\", \\\"Java Script Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlNew\\\", \\\"New Java Script Challenge\\\", EdgePathingSrc_s==\\\"protect\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"17ddos\\\", \\\"L7 DDos Mitigation\\\",\\\"\\\")\\n| where isnotempty(threat)\\n| summarize count() by ClientIP_s | project-rename ClientIP=ClientIP_s\",\"size\":0,\"title\":\"Top Threat Client 
IPs\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Count\",\"sortOrderField\":2,\"size\":\"auto\"}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_security_overview\"},\"customWidth\":\"33\",\"name\":\"Top Threat Client IPs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL \\n| extend threat=case(EdgePathingSrc_s ==\\\"user\\\" and EdgePathingOp_s == \\\"ban\\\" and EdgePathingStatus_s has \\\"ip\\\" ,\\\"IP Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\",\\\"Country Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"zl\\\", \\\"Routed by Zone Lockdown\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ua\\\", \\\"Blocked User Agent\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"rateLimit\\\", \\\"Blocked by Rate Limiting\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Blocked by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"chl\\\", \\\"Challenged by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"bic\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Browser Integrity Check\\\", EdgePathingSrc_s==\\\"hot\\\" and EdgePathingOp_s==\\\"ban\\\" 
and EdgePathingStatus_s==\\\"ctry\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"hot\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ip\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaErr\\\", \\\"CAPTCHA Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaFail\\\", \\\"CAPTCHA Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaNew\\\", \\\"New CAPTCHA\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlErr\\\", \\\"Java Script Challenge Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlFail\\\", \\\"Java Script Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlNew\\\", \\\"New Java Script Challenge\\\", EdgePathingSrc_s==\\\"protect\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"17ddos\\\", \\\"L7 DDos Mitigation\\\",\\\"\\\")\\n| where isnotempty(threat)\\n| summarize Count=count() by ClientRequestURI_s | project-rename ClientRequestURI=ClientRequestURI_s\",\"size\":0,\"title\":\"Top Threat 
URIs\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Count\",\"sortOrderField\":2,\"size\":\"auto\"}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_security_overview\"},\"customWidth\":\"33\",\"name\":\"Top Threat URIs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL \\n| extend threat=case(EdgePathingSrc_s ==\\\"user\\\" and EdgePathingOp_s == \\\"ban\\\" and EdgePathingStatus_s has \\\"ip\\\" ,\\\"IP Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\",\\\"Country Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"zl\\\", \\\"Routed by Zone Lockdown\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ua\\\", \\\"Blocked User Agent\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"rateLimit\\\", \\\"Blocked by Rate Limiting\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Blocked by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"chl\\\", \\\"Challenged by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"bic\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Browser Integrity Check\\\", EdgePathingSrc_s==\\\"hot\\\" and EdgePathingOp_s==\\\"ban\\\" and 
EdgePathingStatus_s==\\\"ctry\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"hot\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ip\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaErr\\\", \\\"CAPTCHA Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaFail\\\", \\\"CAPTCHA Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaNew\\\", \\\"New CAPTCHA\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlErr\\\", \\\"Java Script Challenge Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlFail\\\", \\\"Java Script Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlNew\\\", \\\"New Java Script Challenge\\\", EdgePathingSrc_s==\\\"protect\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"17ddos\\\", \\\"L7 DDos Mitigation\\\",\\\"\\\")\\n| where isnotempty(threat)\\n| summarize Count=count() by ClientRequestUserAgent_s | project-rename ClientRequestUserAgent=ClientRequestUserAgent_s\",\"size\":0,\"title\":\"Top Threat User 
Agents\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Count\",\"sortOrderField\":2,\"size\":\"auto\"}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_security_overview\"},\"customWidth\":\"33\",\"name\":\"Top Threat User Agents\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL \\n| extend threat=case(EdgePathingSrc_s ==\\\"user\\\" and EdgePathingOp_s == \\\"ban\\\" and EdgePathingStatus_s has \\\"ip\\\" ,\\\"IP Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\",\\\"Country Block\\\",EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"zl\\\", \\\"Routed by Zone Lockdown\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ua\\\", \\\"Blocked User Agent\\\", EdgePathingSrc_s==\\\"user\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"rateLimit\\\", \\\"Blocked by Rate Limiting\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Blocked by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"filterBasedFirewall\\\" and EdgePathingOp_s==\\\"chl\\\", \\\"Challenged by Filter Based Firewall\\\", EdgePathingSrc_s==\\\"bic\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"unknown\\\", \\\"Browser Integrity Check\\\", EdgePathingSrc_s==\\\"hot\\\" and 
EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ctry\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"hot\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"ip\\\", \\\"Blocked Hotlink\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaErr\\\", \\\"CAPTCHA Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaFail\\\", \\\"CAPTCHA Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"captchaNew\\\", \\\"New CAPTCHA\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlErr\\\", \\\"Java Script Challenge Error\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlFail\\\", \\\"Java Script Challenge Failed\\\", EdgePathingSrc_s==\\\"macro\\\" and EdgePathingOp_s==\\\"chl\\\" and EdgePathingStatus_s==\\\"jschlNew\\\", \\\"New Java Script Challenge\\\", EdgePathingSrc_s==\\\"protect\\\" and EdgePathingOp_s==\\\"ban\\\" and EdgePathingStatus_s==\\\"17ddos\\\", \\\"L7 DDos Mitigation\\\",\\\"\\\")\\n| where isnotempty(threat)\\n| summarize Count=count() by EdgePathingStatus_s | project-rename EdgePathingStatus=EdgePathingStatus_s\",\"size\":0,\"title\":\"Top Threat User 
Agents\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Count\",\"sortOrderField\":2,\"size\":\"auto\"}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_security_overview\"},\"customWidth\":\"33\",\"name\":\"Top Threat User Agents - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let 5xx = Cloudflare_CL \\n| where tostring(EdgeResponseStatus_d) startswith \\\"5\\\"\\n| summarize Count=count()\\n| extend title=\\\"5xx Errors (Edge)\\\";\\n\\nlet 4xx = Cloudflare_CL \\n| where tostring(EdgeResponseStatus_d) startswith \\\"4\\\"\\n| summarize Count=count()\\n| extend title=\\\"4xx Errors (Edge)\\\";\\n\\nlet 3xx = Cloudflare_CL \\n| where tostring(EdgeResponseStatus_d) startswith \\\"3\\\"\\n| summarize Count=count()\\n| extend title=\\\"3xx Errors (Edge)\\\";\\n\\nlet result_table = union 5xx, 4xx, 3xx; \\nresult_table \\n| sort by Count\\n\\n\",\"size\":0,\"title\":\"ERRORS Counts 
(Edge)\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_reliability_summary\"},\"customWidth\":\"33\",\"name\":\"Errors (Edge)\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL \\n| extend response_error_type= case(tostring(EdgeResponseStatus_d) startswith \\\"2\\\" , \\\"2xx\\\", tostring(EdgeResponseStatus_d) startswith \\\"3\\\" , \\\"3xx\\\", tostring(EdgeResponseStatus_d) startswith \\\"4\\\" , \\\"4xx\\\", tostring(EdgeResponseStatus_d) startswith \\\"5\\\" , \\\"5xx\\\",\\\"\\\")\\n| where isnotempty(response_error_type)\\n| summarize Count=count() by response_error_type\",\"size\":0,\"title\":\"Edge Response Error Ratio\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_reliability_summary\"},\"customWidth\":\"33\",\"name\":\"Edge Response Error Ratio\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL \\n| extend 
response_error_type= case(tostring(OriginResponseStatus_d) startswith \\\"2\\\" , \\\"2xx\\\", tostring(OriginResponseStatus_d) startswith \\\"3\\\" , \\\"3xx\\\", tostring(OriginResponseStatus_d) startswith \\\"4\\\" , \\\"4xx\\\", tostring(OriginResponseStatus_d) startswith \\\"5\\\" , \\\"5xx\\\",\\\"\\\")\\n| where isnotempty(response_error_type)\\n| summarize Count=count() by response_error_type\",\"size\":0,\"title\":\"Origin Response Error Ratio\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_reliability_summary\"},\"customWidth\":\"33\",\"name\":\"Origin Response Error Ratio\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL \\n| extend response_error_type= case(tostring(EdgeResponseStatus_d) startswith \\\"2\\\" , \\\"2xx\\\", tostring(EdgeResponseStatus_d) startswith \\\"3\\\" , \\\"3xx\\\", tostring(EdgeResponseStatus_d) startswith \\\"4\\\" , \\\"4xx\\\", tostring(EdgeResponseStatus_d) startswith \\\"5\\\" , \\\"5xx\\\",\\\"\\\")\\n| where isnotempty(response_error_type)\\n| make-series Trend = count() on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by response_error_type;\",\"size\":0,\"title\":\"Edge Response Status Over 
Time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_reliability_summary\"},\"customWidth\":\"50\",\"name\":\"Edge Response Status Over Time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Cloudflare_CL \\n| extend response_error_type= case(tostring(OriginResponseStatus_d) startswith \\\"2\\\" , \\\"2xx\\\", tostring(OriginResponseStatus_d) startswith \\\"3\\\" , \\\"3xx\\\", tostring(OriginResponseStatus_d) startswith \\\"4\\\" , \\\"4xx\\\", tostring(OriginResponseStatus_d) startswith \\\"5\\\" , \\\"5xx\\\",\\\"\\\")\\n| where isnotempty(response_error_type)\\n| make-series Trend = count() on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by response_error_type;\",\"size\":0,\"title\":\"Origin Response Status Over 
Time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloudflare_reliability_summary\"},\"customWidth\":\"50\",\"name\":\"Origin Response Status Over Time\"}],\"fromTemplateId\":\"sentinel-CloudflareWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" 
@@ -713,7 +711,7 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", "properties": { - "description": "@{workbookKey=CloudflareWorkbook; logoFileName=cloudflare.svg; description=Sets the time name for analysis; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Cloudflare; templateRelativePath=Cloudflare.json; subtitle=; provider=Cloudflare}.description", + "description": "@{workbookKey=CloudflareWorkbook; logoFileName=cloudflare.svg; description=Gain insights into Cloudflare events. You will get visibility on your Cloudflare web traffic, security, reliability.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0; title=Cloudflare; templateRelativePath=Cloudflare.json; subtitle=; provider=Cloudflare}.description", "parentId": "[variables('workbookId1')]", "contentId": "[variables('_workbookContentId1')]", "kind": "Workbook", 
@@ -766,71 +764,42 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName1')]", + "name": "[variables('huntingQueryObject1').huntingQueryTemplateSpecName1]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CloudflareBadClientIp_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "CloudflareClientErrors_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion1')]", + "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId1')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Cloudflare_Hunting_Query_1", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects requests from IP with bad reputation index.", - "displayName": "Cloudflare - Bad client IP", - "enabled": false, - "query": "let ip_reputation = dynamic(['unknown', 'badHost', 'greylist', 'securityScanner', 'scan', 'tor']);\nCloudflare\n| where ClientIPClass in~ (ip_reputation)\n| extend IPCustomEntity = SrcIpAddr\n| extend UrlCustomEntity = ClientRequestURI\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - 
"status": "Available", - "requiredDataConnectors": [ + "eTag": "*", + "displayName": "Cloudflare - Client errors", + "category": "Hunting Queries", + "query": "Cloudflare\n| where TimeGenerated > ago(24h)\n| where HttpStatusCode between(400..499)\n| extend IPCustomEntity = SrcIpAddr\n| extend UrlCustomEntity = ClientRequestURI\n", + "version": 2, + "tags": [ { - "dataTypes": [ - "Cloudflare" - ], - "connectorId": "CloudflareDataConnector" - } - ], - "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1190", - "T1133" - ], - "entityMappings": [ + "name": "description", + "value": "Query searches for client related errors." + }, { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "IPCustomEntity", - "identifier": "Address" - } - ] + "name": "tactics", + "value": "InitialAccess,Impact" }, { - "entityType": "URL", - "fieldMappings": [ - { - "columnName": "UrlCustomEntity", - "identifier": "Url" - } - ] + "name": "techniques", + "value": "T1190,T1133,T1498" } ] } 
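Review bot: The tags on the new `Cloudflare_Hunting_Query_1` savedSearch label a plain `HttpStatusCode between(400..499)` listing with tactic `Impact` and technique `T1498`, yet the query has no volume or rate condition, so a single 4xx row would carry a Network Denial of Service mapping. Either drop `Impact`/`T1498` from the `tactics`/`techniques` tags, or give the query an aggregation that evidences that mapping, e.g. `| summarize err_cnt = count() by SrcIpAddr, bin(TimeGenerated, 5m) | where err_cnt > threshold` (threshold is a placeholder to tune). The same tag set appears on the Client TLS errors and Server errors queries later in this diff. If this mainTemplate is generated from the hunting-query YAML files, the correction belongs in those sources rather than here.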
@@ -838,13 +807,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1),'/'))))]", "properties": { - "description": "Cloudflare Analytics Rule 1", - "parentId": "[variables('analyticRuleId1')]", - "contentId": "[variables('_analyticRulecontentId1')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion1')]", + "description": "Cloudflare Hunting Query 1", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1)]", + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject1').huntingQueryVersion1]", "source": { "kind": "Solution", "name": "Cloudflare", 
@@ -869,73 +838,53 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId1')]", - "contentKind": "AnalyticsRule", - "displayName": "Cloudflare - Bad client IP", - "contentProductId": "[variables('_analyticRulecontentProductId1')]", - "id": "[variables('_analyticRulecontentProductId1')]", - "version": "[variables('analyticRuleVersion1')]" + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", + "contentKind": "HuntingQuery", + "displayName": "Cloudflare - Client errors", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]", + "version": "1.0.0" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName2')]", + "name": "[variables('huntingQueryObject2').huntingQueryTemplateSpecName2]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CloudflareEmptyUA_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "CloudflareClientTlsErrors_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion2')]", + "contentVersion": 
"[variables('huntingQueryObject2').huntingQueryVersion2]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId2')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Cloudflare_Hunting_Query_2", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects requests where user agent is empty.", - "displayName": "Cloudflare - Empty user agent", - "enabled": false, - "query": "Cloudflare\n| where isempty(HttpUserAgentOriginal)\n| extend IPCustomEntity = SrcIpAddr\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ + "eTag": "*", + "displayName": "Cloudflare - Client TLS errors", + "category": "Hunting Queries", + "query": "let err_tls = dynamic(['UNKNOWN', 'INTERNAL_ERROR', 'INVALID_CONFIG', 'INVALID_SNI', 'HANDSHAKE_FAILED']);\nCloudflare\n| where TimeGenerated > ago(24h)\n| where ClientTlsStatus in~ (err_tls)\n| extend IPCustomEntity = SrcIpAddr\n| extend UrlCustomEntity = ClientRequestURI\n", + "version": 2, + "tags": [ { - "dataTypes": [ - "Cloudflare" - ], - "connectorId": "CloudflareDataConnector" - } - ], - "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1190", - "T1133" - ], - "entityMappings": [ + "name": "description", + "value": "Query searches for client TLS errors." + }, { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "IPCustomEntity", - "identifier": "Address" - } - ] + "name": "tactics", + "value": "InitialAccess,Impact" + }, + { + "name": "techniques", + "value": "T1190,T1133,T1498" } ] } 
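Review bot: In the metadata block at the top of this hunk, `"version": "1.0.0"` and the `'1.0.0'` baked into `contentProductId` and `id` are literals, while the contentTemplate's `contentVersion` is read from `variables('huntingQueryObject1').huntingQueryVersion1`; if that variable is ever anything other than 1.0.0 the two version stamps on the same content item diverge and the product id stops changing with the template version. Sourcing both from the same variable, e.g. `"version": "[variables('huntingQueryObject1').huntingQueryVersion1]"`, keeps them in step. The same pattern recurs in the metadata blocks of the following hunks for hunting queries 2 through 5. The `huntingQueryObject1` declaration is outside this hunk, so whether it currently resolves to 1.0.0 cannot be confirmed from here.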
@@ -943,13 +892,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2),'/'))))]", "properties": { - "description": "Cloudflare Analytics Rule 2", - "parentId": "[variables('analyticRuleId2')]", - "contentId": "[variables('_analyticRulecontentId2')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion2')]", + "description": "Cloudflare Hunting Query 2", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2)]", + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject2').huntingQueryVersion2]", "source": { "kind": "Solution", "name": "Cloudflare", 
@@ -974,73 +923,53 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId2')]", - "contentKind": "AnalyticsRule", - "displayName": "Cloudflare - Empty user agent", - "contentProductId": "[variables('_analyticRulecontentProductId2')]", - "id": "[variables('_analyticRulecontentProductId2')]", - "version": "[variables('analyticRuleVersion2')]" + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", + "contentKind": "HuntingQuery", + "displayName": "Cloudflare - Client TLS errors", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.0')))]", + "version": "1.0.0" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName3')]", + "name": "[variables('huntingQueryObject3').huntingQueryTemplateSpecName3]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CloudflareMultipleErrorsSource_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "CloudflareFilesRequested_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion3')]", + 
"contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId3')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Cloudflare_Hunting_Query_3", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects multiple failure requests from single source in short timeframe.", - "displayName": "Cloudflare - Multiple error requests from single source", - "enabled": false, - "query": "let threshold = 100;\nCloudflare\n| where HttpRequestMethod =~ 'GET'\n| summarize err_cnt = count() by SrcIpAddr, bin(TimeGenerated, 5m)\n| where err_cnt > threshold\n| extend IPCustomEntity = SrcIpAddr\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Low", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ + "eTag": "*", + "displayName": "Cloudflare - Files requested", + "category": "Hunting Queries", + "query": "Cloudflare\n| where TimeGenerated > ago(24h)\n| extend File = extract(@'\\/(\\w+\\.\\w+)', 1, ClientRequestURI)\n| summarize count() by File, SrcIpAddr\n| extend IPCustomEntity = SrcIpAddr\n| extend FileCustomEntity = File\n", + "version": 2, + "tags": [ { - "dataTypes": [ - "Cloudflare" - ], - "connectorId": "CloudflareDataConnector" - } - ], - "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1190", - "T1133" - ], - "entityMappings": [ + "name": "description", + "value": "Query searches for files requested." 
+ }, { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "IPCustomEntity", - "identifier": "Address" - } - ] + "name": "tactics", + "value": "InitialAccess" + }, + { + "name": "techniques", + "value": "T1190,T1133" } ] } @@ -1048,13 +977,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3),'/'))))]", "properties": { - "description": "Cloudflare Analytics Rule 3", - "parentId": "[variables('analyticRuleId3')]", - "contentId": "[variables('_analyticRulecontentId3')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion3')]", + "description": "Cloudflare Hunting Query 3", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3)]", + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject3').huntingQueryVersion3]", "source": { "kind": "Solution", "name": "Cloudflare", 
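Review bot: The `Cloudflare_Hunting_Query_3` query summarises by `File` without excluding rows where `extract(@'\/(\w+\.\w+)', 1, ClientRequestURI)` found nothing, so every request without a dotted path segment is counted under an empty `File` bucket per source IP; add `| where isnotempty(File)` directly after the `extend`. The pattern also accepts any dotted segment (a versioned path such as `/v1.2/` would be reported as a file), so the display name "Files requested" overstates what is selected — a tighter pattern or a caveat in the description tag would help the analyst reading the results. If this template is generated from the hunting-query YAML, the fix belongs in that source file.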
@@ -1079,73 +1008,53 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId3')]", - "contentKind": "AnalyticsRule", - "displayName": "Cloudflare - Multiple error requests from single source", - "contentProductId": "[variables('_analyticRulecontentProductId3')]", - "id": "[variables('_analyticRulecontentProductId3')]", - "version": "[variables('analyticRuleVersion3')]" + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", + "contentKind": "HuntingQuery", + "displayName": "Cloudflare - Files requested", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.0')))]", + "version": "1.0.0" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName4')]", + "name": "[variables('huntingQueryObject4').huntingQueryTemplateSpecName4]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CloudflareMultipleUAs_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "CloudflareRareUAs_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion4')]", + 
"contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId4')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Cloudflare_Hunting_Query_4", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects requests with different user agents from one source in short timeframe.", - "displayName": "Cloudflare - Multiple user agents for single source", - "enabled": false, - "query": "let threshold = 10;\nCloudflare\n| where isnotempty(HttpUserAgentOriginal)\n| summarize d_ua = dcount(HttpUserAgentOriginal) by SrcIpAddr, bin(TimeGenerated, 3m)\n| where d_ua > threshold\n| extend IPCustomEntity = SrcIpAddr\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ + "eTag": "*", + "displayName": "Cloudflare - Rare user agents", + "category": "Hunting Queries", + "query": "Cloudflare\n| where TimeGenerated > ago(24h)\n| where isnotempty(HttpUserAgentOriginal)\n| summarize count() by HttpUserAgentOriginal, SrcIpAddr\n| extend IPCustomEntity = SrcIpAddr\n", + "version": 2, + "tags": [ { - "dataTypes": [ - "Cloudflare" - ], - "connectorId": "CloudflareDataConnector" - } - ], - "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1190", - "T1133" - ], - "entityMappings": [ + "name": "description", + "value": "Query searches rare user agent strings." 
+ }, { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "IPCustomEntity", - "identifier": "Address" - } - ] + "name": "tactics", + "value": "InitialAccess" + }, + { + "name": "techniques", + "value": "T1190,T1133" } ] } @@ -1153,13 +1062,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4),'/'))))]", "properties": { - "description": "Cloudflare Analytics Rule 4", - "parentId": "[variables('analyticRuleId4')]", - "contentId": "[variables('_analyticRulecontentId4')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion4')]", + "description": "Cloudflare Hunting Query 4", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4)]", + "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject4').huntingQueryVersion4]", "source": { "kind": "Solution", "name": "Cloudflare", 
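Review bot: `Cloudflare_Hunting_Query_4` is titled "Rare user agents", but its body ends at `summarize count() by HttpUserAgentOriginal, SrcIpAddr` with no rarity condition, so it returns a full inventory of user-agent/source pairs rather than rare ones. Prefix the query with `let threshold = 5;` and append `| where count_ < threshold` after the summarize (5 is a placeholder to tune), so the description tag "Query searches rare user agent strings." matches what actually runs. If this file is generated from the hunting-query YAML, make the change there so it survives the next packaging run.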
@@ -1184,82 +1093,53 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId4')]", - "contentKind": "AnalyticsRule", - "displayName": "Cloudflare - Multiple user agents for single source", - "contentProductId": "[variables('_analyticRulecontentProductId4')]", - "id": "[variables('_analyticRulecontentProductId4')]", - "version": "[variables('analyticRuleVersion4')]" + "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", + "contentKind": "HuntingQuery", + "displayName": "Cloudflare - Rare user agents", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.0')))]", + "version": "1.0.0" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName5')]", + "name": "[variables('huntingQueryObject5').huntingQueryTemplateSpecName5]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CloudflareUnexpectedCountry_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "CloudflareServerErrors_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion5')]", 
+ "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId5')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Cloudflare_Hunting_Query_5", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects requests from countries which are in blocklist.", - "displayName": "Cloudflare - Client request from country in blocklist", - "enabled": false, - "query": "let bl_countries = dynamic(['cn', 'hk']);\nCloudflare\n| where SrcGeoCountry in~ (bl_countries)\n| extend IPCustomEntity = SrcIpAddr\n| extend UrlCustomEntity = ClientRequestURI\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ + "eTag": "*", + "displayName": "Cloudflare - Server errors", + "category": "Hunting Queries", + "query": "Cloudflare\n| where TimeGenerated > ago(24h)\n| where HttpStatusCode between(500..599)\n| extend IPCustomEntity = SrcIpAddr\n| extend UrlCustomEntity = ClientRequestURI\n", + "version": 2, + "tags": [ { - "dataTypes": [ - "Cloudflare" - ], - "connectorId": "CloudflareDataConnector" - } - ], - "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1190", - "T1133" - ], - "entityMappings": [ + "name": "description", + "value": "Query searches for server related errors." 
+ }, { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "IPCustomEntity", - "identifier": "Address" - } - ] + "name": "tactics", + "value": "InitialAccess,Impact" }, { - "entityType": "URL", - "fieldMappings": [ - { - "columnName": "UrlCustomEntity", - "identifier": "Url" - } - ] + "name": "techniques", + "value": "T1190,T1133,T1498" } ] } @@ -1267,13 +1147,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5),'/'))))]", "properties": { - "description": "Cloudflare Analytics Rule 5", - "parentId": "[variables('analyticRuleId5')]", - "contentId": "[variables('_analyticRulecontentId5')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion5')]", + "description": "Cloudflare Hunting Query 5", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5)]", + "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject5').huntingQueryVersion5]", "source": { "kind": "Solution", "name": "Cloudflare", 
@@ -1298,74 +1178,53 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId5')]", - "contentKind": "AnalyticsRule", - "displayName": "Cloudflare - Client request from country in blocklist", - "contentProductId": "[variables('_analyticRulecontentProductId5')]", - "id": "[variables('_analyticRulecontentProductId5')]", - "version": "[variables('analyticRuleVersion5')]" + "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", + "contentKind": "HuntingQuery", + "displayName": "Cloudflare - Server errors", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.0')))]", + "version": "1.0.0" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName6')]", + "name": "[variables('huntingQueryObject6').huntingQueryTemplateSpecName6]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CloudflareUnexpectedPost_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "CloudflareServerTlsErrors_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion6')]", + 
"contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId6')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Cloudflare_Hunting_Query_6", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects post requests to unusual extensions.", - "displayName": "Cloudflare - Unexpected POST requests", - "enabled": false, - "query": "Cloudflare\n| where HttpRequestMethod in~ ('POST', 'PUT')\n| where tostring(HttpStatusCode) startswith '2'\n| where DstBytes != 0 or SrcBytes != 0\n| extend fe = extract(@'.*(\\.\\w+)$', 1, ClientRequestURI)\n| where fe in~ ('.jpg', '.jpeg', '.gif', '.png', '.icon', '.ico', '.xml', '.swf', '.svg', '.ppt', '.pttx', '.doc', '.docx', '.rtf', '.pdf', '.tif', '.zip', '.mov')\n| extend IPCustomEntity = SrcIpAddr\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ + "eTag": "*", + "displayName": "Cloudflare - Server TLS errors", + "category": "Hunting Queries", + "query": "let err_tls = dynamic(['UNKNOWN', 'INTERNAL_ERROR', 'INVALID_CONFIG', 'INVALID_SNI', 'HANDSHAKE_FAILED']);\nCloudflare\n| where TimeGenerated > ago(24h)\n| where OriginTlsStatus in~ (err_tls)\n| extend IPCustomEntity = SrcIpAddr\n| extend UrlCustomEntity = ClientRequestURI\n", + "version": 2, + "tags": [ { - "dataTypes": [ - "Cloudflare" - ], - "connectorId": "CloudflareDataConnector" - } - ], - "tactics": [ - "Persistence", - "CommandAndControl" - ], - "techniques": [ - "T1505", - "T1071" - ], - "entityMappings": [ + "name": "description", + "value": "Query 
searches for server TLS errors." + }, { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "IPCustomEntity", - "identifier": "Address" - } - ] + "name": "tactics", + "value": "InitialAccess,Impact" + }, + { + "name": "techniques", + "value": "T1190,T1133,T1498" } ] } @@ -1373,13 +1232,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject6')._huntingQuerycontentId6),'/'))))]", "properties": { - "description": "Cloudflare Analytics Rule 6", - "parentId": "[variables('analyticRuleId6')]", - "contentId": "[variables('_analyticRulecontentId6')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion6')]", + "description": "Cloudflare Hunting Query 6", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject6')._huntingQuerycontentId6)]", + "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject6').huntingQueryVersion6]", "source": { "kind": "Solution", "name": "Cloudflare", 
@@ -1404,73 +1263,53 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId6')]", - "contentKind": "AnalyticsRule", - "displayName": "Cloudflare - Unexpected POST requests", - "contentProductId": "[variables('_analyticRulecontentProductId6')]", - "id": "[variables('_analyticRulecontentProductId6')]", - "version": "[variables('analyticRuleVersion6')]" + "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", + "contentKind": "HuntingQuery", + "displayName": "Cloudflare - Server TLS errors", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject6')._huntingQuerycontentId6,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject6')._huntingQuerycontentId6,'-', '1.0.0')))]", + "version": "1.0.0" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName7')]", + "name": "[variables('huntingQueryObject7').huntingQueryTemplateSpecName7]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CloudflareUnexpectedRequest_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "CloudflareTopNetworkRules_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion7')]", + 
"contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId7')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Cloudflare_Hunting_Query_7", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects client requests to unusual client request.", - "displayName": "Cloudflare - Unexpected client request", - "enabled": false, - "query": "Cloudflare\n| where HttpRequestMethod =~ 'GET'\n| where DstBytes != 0 or SrcBytes != 0\n| where ClientRequestURI has_any ('/admin', '/admin.php', 'wp-admin', '.htaccess', '/etc/shadow', '/etc/passwd', '/etc/hosts', '/etc/ssh/') \n| extend IPCustomEntity = SrcIpAddr\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ + "eTag": "*", + "displayName": "Cloudflare - Top Network rules", + "category": "Hunting Queries", + "query": "Cloudflare\n| where TimeGenerated > ago(24h)\n| where isnotempty(NetworkRuleName)\n| summarize count() by NetworkRuleName, EdgeRequestHost\n| order by count_\n| extend CloudAppCustomEntity = EdgeRequestHost\n", + "version": 2, + "tags": [ { - "dataTypes": [ - "Cloudflare" - ], - "connectorId": "CloudflareDataConnector" - } - ], - "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1190", - "T1133" - ], - "entityMappings": [ + "name": "description", + "value": "Query searches top network rules triggered." 
+ }, { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "IPCustomEntity", - "identifier": "Address" - } - ] + "name": "tactics", + "value": "InitialAccess" + }, + { + "name": "techniques", + "value": "T1190,T1133" } ] } @@ -1478,13 +1317,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject7')._huntingQuerycontentId7),'/'))))]", "properties": { - "description": "Cloudflare Analytics Rule 7", - "parentId": "[variables('analyticRuleId7')]", - "contentId": "[variables('_analyticRulecontentId7')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion7')]", + "description": "Cloudflare Hunting Query 7", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject7')._huntingQuerycontentId7)]", + "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject7').huntingQueryVersion7]", "source": { "kind": "Solution", "name": "Cloudflare", 
@@ -1509,73 +1348,53 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId7')]", - "contentKind": "AnalyticsRule", - "displayName": "Cloudflare - Unexpected client request", - "contentProductId": "[variables('_analyticRulecontentProductId7')]", - "id": "[variables('_analyticRulecontentProductId7')]", - "version": "[variables('analyticRuleVersion7')]" + "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]", + "contentKind": "HuntingQuery", + "displayName": "Cloudflare - Top Network rules", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject7')._huntingQuerycontentId7,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject7')._huntingQuerycontentId7,'-', '1.0.0')))]", + "version": "1.0.0" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName8')]", + "name": "[variables('huntingQueryObject8').huntingQueryTemplateSpecName8]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CloudflareUnexpectedUrl_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "CloudflareTopWafRules_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion8')]", + 
"contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId8')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Cloudflare_Hunting_Query_8", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects client requests to unusual URI.", - "displayName": "Cloudflare - Unexpected URI", - "enabled": false, - "query": "Cloudflare\n| where HttpRequestMethod =~ 'GET'\n| where DstBytes != 0 or SrcBytes != 0\n| where ClientRequestURI matches regex @'(127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})|(10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})|(172\\.1[6-9]\\.\\d{1,3}\\.\\d{1,3})|(172\\.2[0-9]\\.\\d{1,3}\\.\\d{1,3})|(172\\.3[0-1]\\.\\d{1,3}\\.\\d{1,3})|(192\\.168\\.\\d{1,3}\\.\\d{1,3})'\n| extend IPCustomEntity = SrcIpAddr\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ + "eTag": "*", + "displayName": "Cloudflare - Top WAF rules", + "category": "Hunting Queries", + "query": "Cloudflare\n| where TimeGenerated > ago(24h)\n| where isnotempty(WAFRuleID)\n| summarize count() by WAFRuleID, WAFRuleMessage, EdgeRequestHost\n| order by count_\n| extend CloudAppCustomEntity = EdgeRequestHost\n", + "version": 2, + "tags": [ { - "dataTypes": [ - "Cloudflare" - ], - "connectorId": "CloudflareDataConnector" - } - ], - "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1190", - "T1133" - ], - "entityMappings": [ + "name": "description", + "value": "Query searches top WAF rules triggered." 
+ }, { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "IPCustomEntity", - "identifier": "Address" - } - ] + "name": "tactics", + "value": "InitialAccess" + }, + { + "name": "techniques", + "value": "T1190,T1133" } ] } @@ -1583,13 +1402,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject8')._huntingQuerycontentId8),'/'))))]", "properties": { - "description": "Cloudflare Analytics Rule 8", - "parentId": "[variables('analyticRuleId8')]", - "contentId": "[variables('_analyticRulecontentId8')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion8')]", + "description": "Cloudflare Hunting Query 8", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject8')._huntingQuerycontentId8)]", + "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject8').huntingQueryVersion8]", "source": { "kind": "Solution", "name": "Cloudflare", 
@@ -1614,82 +1433,53 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId8')]", - "contentKind": "AnalyticsRule", - "displayName": "Cloudflare - Unexpected URI", - "contentProductId": "[variables('_analyticRulecontentProductId8')]", - "id": "[variables('_analyticRulecontentProductId8')]", - "version": "[variables('analyticRuleVersion8')]" + "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]", + "contentKind": "HuntingQuery", + "displayName": "Cloudflare - Top WAF rules", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject8')._huntingQuerycontentId8,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject8')._huntingQuerycontentId8,'-', '1.0.0')))]", + "version": "1.0.0" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName9')]", + "name": "[variables('huntingQueryObject9').huntingQueryTemplateSpecName9]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CloudflareWafThreatAllowed_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "CloudflareUnexpectedCountries_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion9')]", + "contentVersion": 
"[variables('huntingQueryObject9').huntingQueryVersion9]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId9')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Cloudflare_Hunting_Query_9", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects WAF \"Allowed\" action on threat events.", - "displayName": "Cloudflare - WAF Allowed threat", - "enabled": false, - "query": "Cloudflare\n| where isnotempty(WAFRuleID) or isnotempty(WAFRuleMessage)\n| where WAFAction =~ 'Allow'\n| extend IPCustomEntity = SrcIpAddr\n| extend UrlCustomEntity = ClientRequestURI\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ + "eTag": "*", + "displayName": "Cloudflare - Unexpected countries", + "category": "Hunting Queries", + "query": "Cloudflare\n| where TimeGenerated > ago(24h)\n| summarize count() by SrcGeoCountry, SrcIpAddr\n| extend IPCustomEntity = SrcIpAddr\n", + "version": 2, + "tags": [ { - "dataTypes": [ - "Cloudflare" - ], - "connectorId": "CloudflareDataConnector" - } - ], - "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1190", - "T1133" - ], - "entityMappings": [ + "name": "description", + "value": "Query searches requests by country and helps to identify requests coming from unexpected countries." 
+ }, { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "IPCustomEntity", - "identifier": "Address" - } - ] + "name": "tactics", + "value": "InitialAccess" }, { - "entityType": "URL", - "fieldMappings": [ - { - "columnName": "UrlCustomEntity", - "identifier": "Url" - } - ] + "name": "techniques", + "value": "T1190,T1133" } ] } @@ -1697,13 +1487,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject9')._huntingQuerycontentId9),'/'))))]", "properties": { - "description": "Cloudflare Analytics Rule 9", - "parentId": "[variables('analyticRuleId9')]", - "contentId": "[variables('_analyticRulecontentId9')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion9')]", + "description": "Cloudflare Hunting Query 9", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject9')._huntingQuerycontentId9)]", + "contentId": "[variables('huntingQueryObject9')._huntingQuerycontentId9]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject9').huntingQueryVersion9]", "source": { "kind": "Solution", "name": "Cloudflare", 
@@ -1728,82 +1518,53 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId9')]", - "contentKind": "AnalyticsRule", - "displayName": "Cloudflare - WAF Allowed threat", - "contentProductId": "[variables('_analyticRulecontentProductId9')]", - "id": "[variables('_analyticRulecontentProductId9')]", - "version": "[variables('analyticRuleVersion9')]" + "contentId": "[variables('huntingQueryObject9')._huntingQuerycontentId9]", + "contentKind": "HuntingQuery", + "displayName": "Cloudflare - Unexpected countries", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject9')._huntingQuerycontentId9,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject9')._huntingQuerycontentId9,'-', '1.0.0')))]", + "version": "1.0.0" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName10')]", + "name": "[variables('huntingQueryObject10').huntingQueryTemplateSpecName10]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CloudflareXSSProbingPattern_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "CloudflareUnexpectedEdgeResponse_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion10')]", + 
"contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId10')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Cloudflare_Hunting_Query_10", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects XSS probing patterns.", - "displayName": "Cloudflare - XSS probing pattern in request", - "enabled": false, - "query": "let s_threshold = 3;\nCloudflare\n| where HttpRequestMethod in~ ('POST', 'PUT')\n| extend susp_ch = countof(ClientRequestURI, '%00')\n| where ClientRequestURI matches regex @'(alert\\()|(alert\\%28)|(String\\.fromCharCode\\()|(expression\\(alert)' or susp_ch > s_threshold\n| extend IPCustomEntity = SrcIpAddr\n| extend UrlCustomEntity = ClientRequestURI\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ + "eTag": "*", + "displayName": "Cloudflare - Unexpected edge response", + "category": "Hunting Queries", + "query": "Cloudflare\n| where TimeGenerated > ago(24h)\n| where HttpStatusCode != EdgeResponseStatus\n| extend IPCustomEntity = SrcIpAddr\n| extend UrlCustomEntity = ClientRequestURI\n", + "version": 2, + "tags": [ { - "dataTypes": [ - "Cloudflare" - ], - "connectorId": "CloudflareDataConnector" - } - ], - "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1190", - "T1133" - ], - "entityMappings": [ + "name": "description", + "value": "Query searches for unexpected EdgeResponseStatus values." 
+ }, { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "IPCustomEntity", - "identifier": "Address" - } - ] + "name": "tactics", + "value": "InitialAccess" }, { - "entityType": "URL", - "fieldMappings": [ - { - "columnName": "UrlCustomEntity", - "identifier": "Url" - } - ] + "name": "techniques", + "value": "T1190,T1133" } ] } @@ -1811,13 +1572,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId10'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject10')._huntingQuerycontentId10),'/'))))]", "properties": { - "description": "Cloudflare Analytics Rule 10", - "parentId": "[variables('analyticRuleId10')]", - "contentId": "[variables('_analyticRulecontentId10')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion10')]", + "description": "Cloudflare Hunting Query 10", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject10')._huntingQuerycontentId10)]", + "contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject10').huntingQueryVersion10]", "source": { "kind": "Solution", "name": "Cloudflare", 
@@ -1842,53 +1603,82 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId10')]", - "contentKind": "AnalyticsRule", - "displayName": "Cloudflare - XSS probing pattern in request", - "contentProductId": "[variables('_analyticRulecontentProductId10')]", - "id": "[variables('_analyticRulecontentProductId10')]", - "version": "[variables('analyticRuleVersion10')]" + "contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]", + "contentKind": "HuntingQuery", + "displayName": "Cloudflare - Unexpected edge response", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject10')._huntingQuerycontentId10,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject10')._huntingQuerycontentId10,'-', '1.0.0')))]", + "version": "1.0.0" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName1')]", + "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CloudflareClientErrors_HuntingQueries Hunting Query with template version 3.0.1", + "description": "CloudflareBadClientIp_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": 
"[variables('huntingQueryVersion1')]", + "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "Cloudflare_Hunting_Query_1", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "eTag": "*", - "displayName": "Cloudflare - Client errors", - "category": "Hunting Queries", - "query": "Cloudflare\n| where TimeGenerated > ago(24h)\n| where HttpStatusCode between(400..499)\n| extend IPCustomEntity = SrcIpAddr\n| extend UrlCustomEntity = ClientRequestURI\n", - "version": 2, - "tags": [ + "description": "Detects requests from IP with bad reputation index.", + "displayName": "Cloudflare - Bad client IP", + "enabled": false, + "query": "let ip_reputation = dynamic(['unknown', 'badHost', 'greylist', 'securityScanner', 'scan', 'tor']);\nCloudflare\n| where ClientIPClass in~ (ip_reputation)\n| extend IPCustomEntity = SrcIpAddr\n| extend UrlCustomEntity = ClientRequestURI\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ { - "name": "description", - "value": "Query searches for client related errors." 
- }, + "connectorId": "CloudflareDataConnector", + "dataTypes": [ + "Cloudflare" + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1190", + "T1133" + ], + "entityMappings": [ { - "name": "tactics", - "value": "InitialAccess,Impact" + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ], + "entityType": "IP" }, { - "name": "techniques", - "value": "T1190,T1133,T1498" + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "UrlCustomEntity" + } + ], + "entityType": "URL" } ] } @@ -1896,13 +1686,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", "properties": { - "description": "Cloudflare Hunting Query 1", - "parentId": "[variables('huntingQueryId1')]", - "contentId": "[variables('_huntingQuerycontentId1')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion1')]", + "description": "Cloudflare Analytics Rule 1", + "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", "source": { "kind": "Solution", "name": "Cloudflare", 
@@ -1927,53 +1717,73 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId1')]", - "contentKind": "HuntingQuery", - "displayName": "Cloudflare - Client errors", - "contentProductId": "[variables('_huntingQuerycontentProductId1')]", - "id": "[variables('_huntingQuerycontentProductId1')]", - "version": "[variables('huntingQueryVersion1')]" + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "contentKind": "AnalyticsRule", + "displayName": "Cloudflare - Bad client IP", + "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName2')]", + "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CloudflareClientTlsErrors_HuntingQueries Hunting Query with template version 3.0.1", + "description": "CloudflareEmptyUA_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion2')]", + "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": 
"Cloudflare_Hunting_Query_2", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "eTag": "*", - "displayName": "Cloudflare - Client TLS errors", - "category": "Hunting Queries", - "query": "let err_tls = dynamic(['UNKNOWN', 'INTERNAL_ERROR', 'INVALID_CONFIG', 'INVALID_SNI', 'HANDSHAKE_FAILED']);\nCloudflare\n| where TimeGenerated > ago(24h)\n| where ClientTlsStatus in~ (err_tls)\n| extend IPCustomEntity = SrcIpAddr\n| extend UrlCustomEntity = ClientRequestURI\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "Query searches for client TLS errors." - }, + "description": "Detects requests where user agent is empty.", + "displayName": "Cloudflare - Empty user agent", + "enabled": false, + "query": "Cloudflare\n| where isempty(HttpUserAgentOriginal)\n| extend IPCustomEntity = SrcIpAddr\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ { - "name": "tactics", - "value": "InitialAccess,Impact" - }, + "connectorId": "CloudflareDataConnector", + "dataTypes": [ + "Cloudflare" + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1190", + "T1133" + ], + "entityMappings": [ { - "name": "techniques", - "value": "T1190,T1133,T1498" + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ], + "entityType": "IP" } ] } 
@@ -1981,13 +1791,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId2'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", "properties": { - "description": "Cloudflare Hunting Query 2", - "parentId": "[variables('huntingQueryId2')]", - "contentId": "[variables('_huntingQuerycontentId2')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion2')]", + "description": "Cloudflare Analytics Rule 2", + "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", "source": { "kind": "Solution", "name": "Cloudflare", 
@@ -2012,53 +1822,73 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId2')]", - "contentKind": "HuntingQuery", - "displayName": "Cloudflare - Client TLS errors", - "contentProductId": "[variables('_huntingQuerycontentProductId2')]", - "id": "[variables('_huntingQuerycontentProductId2')]", - "version": "[variables('huntingQueryVersion2')]" + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "contentKind": "AnalyticsRule", + "displayName": "Cloudflare - Empty user agent", + "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName3')]", + "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CloudflareFilesRequested_HuntingQueries Hunting Query with template version 3.0.1", + "description": "CloudflareMultipleErrorsSource_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion3')]", + "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": 
"Cloudflare_Hunting_Query_3", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "eTag": "*", - "displayName": "Cloudflare - Files requested", - "category": "Hunting Queries", - "query": "Cloudflare\n| where TimeGenerated > ago(24h)\n| extend File = extract(@'\\/(\\w+\\.\\w+)', 1, ClientRequestURI)\n| summarize count() by File, SrcIpAddr\n| extend IPCustomEntity = SrcIpAddr\n| extend FileCustomEntity = File\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "Query searches for files requested." - }, + "description": "Detects multiple failure requests from single source in short timeframe.", + "displayName": "Cloudflare - Multiple error requests from single source", + "enabled": false, + "query": "let threshold = 100;\nCloudflare\n| where HttpRequestMethod =~ 'GET'\n| summarize err_cnt = count() by SrcIpAddr, bin(TimeGenerated, 5m)\n| where err_cnt > threshold\n| extend IPCustomEntity = SrcIpAddr\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Low", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ { - "name": "tactics", - "value": "InitialAccess" - }, + "connectorId": "CloudflareDataConnector", + "dataTypes": [ + "Cloudflare" + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1190", + "T1133" + ], + "entityMappings": [ { - "name": "techniques", - "value": "T1190,T1133" + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ], + "entityType": "IP" } ] } 
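Review bot: The query added for "Cloudflare - Multiple error requests from single source" never filters on a failure status: it counts every GET per SrcIpAddr in 5-minute bins (`err_cnt = count()`), so the description "Detects multiple failure requests from single source in short timeframe" does not match what the rule detects, and any busy legitimate client will exceed the threshold of 100. Adding a status filter before the summarize, e.g. `| where HttpStatusCode between (400 .. 599)`, would make the name, description and logic agree; the removed hunting queries in this diff already use `HttpStatusCode between(400..499)` and `between(500..599)`, so the column and syntax are established. If this mainTemplate is produced by the packaging tooling, the change belongs in the source rule the hunk's description names (CloudflareMultipleErrorsSource_AnalyticalRules) and the template should be regenerated rather than patched here.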
@@ -2066,13 +1896,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId3'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]", "properties": { - "description": "Cloudflare Hunting Query 3", - "parentId": "[variables('huntingQueryId3')]", - "contentId": "[variables('_huntingQuerycontentId3')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion3')]", + "description": "Cloudflare Analytics Rule 3", + "parentId": "[variables('analyticRuleObject3').analyticRuleId3]", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]", "source": { "kind": "Solution", "name": "Cloudflare", 
@@ -2097,53 +1927,73 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId3')]", - "contentKind": "HuntingQuery", - "displayName": "Cloudflare - Files requested", - "contentProductId": "[variables('_huntingQuerycontentProductId3')]", - "id": "[variables('_huntingQuerycontentProductId3')]", - "version": "[variables('huntingQueryVersion3')]" + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "contentKind": "AnalyticsRule", + "displayName": "Cloudflare - Multiple error requests from single source", + "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName4')]", + "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CloudflareRareUAs_HuntingQueries Hunting Query with template version 3.0.1", + "description": "CloudflareMultipleUAs_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion4')]", + "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - 
"name": "Cloudflare_Hunting_Query_4", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "eTag": "*", - "displayName": "Cloudflare - Rare user agents", - "category": "Hunting Queries", - "query": "Cloudflare\n| where TimeGenerated > ago(24h)\n| where isnotempty(HttpUserAgentOriginal)\n| summarize count() by HttpUserAgentOriginal, SrcIpAddr\n| extend IPCustomEntity = SrcIpAddr\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "Query searches rare user agent strings." - }, + "description": "Detects requests with different user agents from one source in short timeframe.", + "displayName": "Cloudflare - Multiple user agents for single source", + "enabled": false, + "query": "let threshold = 10;\nCloudflare\n| where isnotempty(HttpUserAgentOriginal)\n| summarize d_ua = dcount(HttpUserAgentOriginal) by SrcIpAddr, bin(TimeGenerated, 3m)\n| where d_ua > threshold\n| extend IPCustomEntity = SrcIpAddr\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ { - "name": "tactics", - "value": "InitialAccess" - }, + "connectorId": "CloudflareDataConnector", + "dataTypes": [ + "Cloudflare" + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1190", + "T1133" + ], + "entityMappings": [ { - "name": "techniques", - "value": "T1190,T1133" + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ], + "entityType": "IP" } ] } 
@@ -2151,13 +2001,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId4'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]", "properties": { - "description": "Cloudflare Hunting Query 4", - "parentId": "[variables('huntingQueryId4')]", - "contentId": "[variables('_huntingQuerycontentId4')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion4')]", + "description": "Cloudflare Analytics Rule 4", + "parentId": "[variables('analyticRuleObject4').analyticRuleId4]", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]", "source": { "kind": "Solution", "name": "Cloudflare", 
@@ -2182,53 +2032,82 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId4')]", - "contentKind": "HuntingQuery", - "displayName": "Cloudflare - Rare user agents", - "contentProductId": "[variables('_huntingQuerycontentProductId4')]", - "id": "[variables('_huntingQuerycontentProductId4')]", - "version": "[variables('huntingQueryVersion4')]" + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "contentKind": "AnalyticsRule", + "displayName": "Cloudflare - Multiple user agents for single source", + "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName5')]", + "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CloudflareServerErrors_HuntingQueries Hunting Query with template version 3.0.1", + "description": "CloudflareUnexpectedCountry_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion5')]", + "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": 
"2022-10-01", - "name": "Cloudflare_Hunting_Query_5", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "eTag": "*", - "displayName": "Cloudflare - Server errors", - "category": "Hunting Queries", - "query": "Cloudflare\n| where TimeGenerated > ago(24h)\n| where HttpStatusCode between(500..599)\n| extend IPCustomEntity = SrcIpAddr\n| extend UrlCustomEntity = ClientRequestURI\n", - "version": 2, - "tags": [ + "description": "Detects requests from countries which are in blocklist.", + "displayName": "Cloudflare - Client request from country in blocklist", + "enabled": false, + "query": "let bl_countries = dynamic(['cn', 'hk']);\nCloudflare\n| where SrcGeoCountry in~ (bl_countries)\n| extend IPCustomEntity = SrcIpAddr\n| extend UrlCustomEntity = ClientRequestURI\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ { - "name": "description", - "value": "Query searches for server related errors." - }, + "connectorId": "CloudflareDataConnector", + "dataTypes": [ + "Cloudflare" + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1190", + "T1133" + ], + "entityMappings": [ { - "name": "tactics", - "value": "InitialAccess,Impact" + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ], + "entityType": "IP" }, { - "name": "techniques", - "value": "T1190,T1133,T1498" + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "UrlCustomEntity" + } + ], + "entityType": "URL" } ] } 
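Review bot: The country blocklist in "Cloudflare - Client request from country in blocklist" is hard-coded as `let bl_countries = dynamic(['cn', 'hk']);`, so the shipped rule both encodes an opinion about which countries are suspicious and gives operators no way to tune it without editing the rule body. A comment in the source rule stating that the list is a placeholder to be replaced per deployment, or reading the list from a watchlist or a rule parameter, would make the intent clear; the description "Detects requests from countries which are in blocklist." could also say where that blocklist lives. `in~` is case-insensitive, so the lowercase codes are fine against SrcGeoCountry whatever its case. If the template is generated, the fix belongs in the source rule (CloudflareUnexpectedCountry_AnalyticalRules per the hunk's description).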
@@ -2236,13 +2115,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId5'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]", "properties": { - "description": "Cloudflare Hunting Query 5", - "parentId": "[variables('huntingQueryId5')]", - "contentId": "[variables('_huntingQuerycontentId5')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion5')]", + "description": "Cloudflare Analytics Rule 5", + "parentId": "[variables('analyticRuleObject5').analyticRuleId5]", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]", "source": { "kind": "Solution", "name": "Cloudflare", 
@@ -2267,53 +2146,74 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId5')]", - "contentKind": "HuntingQuery", - "displayName": "Cloudflare - Server errors", - "contentProductId": "[variables('_huntingQuerycontentProductId5')]", - "id": "[variables('_huntingQuerycontentProductId5')]", - "version": "[variables('huntingQueryVersion5')]" + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "contentKind": "AnalyticsRule", + "displayName": "Cloudflare - Client request from country in blocklist", + "contentProductId": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", + "id": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName6')]", + "name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CloudflareServerTlsErrors_HuntingQueries Hunting Query with template version 3.0.1", + "description": "CloudflareUnexpectedPost_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion6')]", + "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": 
"2022-10-01", - "name": "Cloudflare_Hunting_Query_6", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "eTag": "*", - "displayName": "Cloudflare - Server TLS errors", - "category": "Hunting Queries", - "query": "let err_tls = dynamic(['UNKNOWN', 'INTERNAL_ERROR', 'INVALID_CONFIG', 'INVALID_SNI', 'HANDSHAKE_FAILED']);\nCloudflare\n| where TimeGenerated > ago(24h)\n| where OriginTlsStatus in~ (err_tls)\n| extend IPCustomEntity = SrcIpAddr\n| extend UrlCustomEntity = ClientRequestURI\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "Query searches for server TLS errors." - }, + "description": "Detects post requests to unusual extensions.", + "displayName": "Cloudflare - Unexpected POST requests", + "enabled": false, + "query": "Cloudflare\n| where HttpRequestMethod in~ ('POST', 'PUT')\n| where tostring(HttpStatusCode) startswith '2'\n| where DstBytes != 0 or SrcBytes != 0\n| extend fe = extract(@'.*(\\.\\w+)$', 1, ClientRequestURI)\n| where fe in~ ('.jpg', '.jpeg', '.gif', '.png', '.icon', '.ico', '.xml', '.swf', '.svg', '.ppt', '.pttx', '.doc', '.docx', '.rtf', '.pdf', '.tif', '.zip', '.mov')\n| extend IPCustomEntity = SrcIpAddr\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ { - "name": "tactics", - "value": "InitialAccess,Impact" - }, + "connectorId": "CloudflareDataConnector", + "dataTypes": [ + "Cloudflare" + ] + } + ], + "tactics": [ + "Persistence", + "CommandAndControl" + ], + "techniques": [ + "T1505", + "T1071" + ], + "entityMappings": [ { - "name": "techniques", - "value": "T1190,T1133,T1498" + "fieldMappings": [ + { + 
"identifier": "Address", + "columnName": "IPCustomEntity" + } + ], + "entityType": "IP" } ] } @@ -2321,13 +2221,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId6'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]", "properties": { - "description": "Cloudflare Hunting Query 6", - "parentId": "[variables('huntingQueryId6')]", - "contentId": "[variables('_huntingQuerycontentId6')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion6')]", + "description": "Cloudflare Analytics Rule 6", + "parentId": "[variables('analyticRuleObject6').analyticRuleId6]", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]", "source": { "kind": "Solution", "name": "Cloudflare", 
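Review bot: The extension allow-list in the "Cloudflare - Unexpected POST requests" query contains `'.pttx'`, which looks like a typo for `'.pptx'`; as written, POSTs to .pptx URIs are never flagged while a non-existent extension is. `'.icon'` next to `'.ico'` may likewise be unintended, though it is harmless. The fix is a one-token change in the `fe in~ (...)` list; if this mainTemplate is generated, make it in the source rule (CloudflareUnexpectedPost_AnalyticalRules per the hunk's description) and regenerate.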
@@ -2352,53 +2252,73 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId6')]", - "contentKind": "HuntingQuery", - "displayName": "Cloudflare - Server TLS errors", - "contentProductId": "[variables('_huntingQuerycontentProductId6')]", - "id": "[variables('_huntingQuerycontentProductId6')]", - "version": "[variables('huntingQueryVersion6')]" + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "contentKind": "AnalyticsRule", + "displayName": "Cloudflare - Unexpected POST requests", + "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", + "id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName7')]", + "name": "[variables('analyticRuleObject7').analyticRuleTemplateSpecName7]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CloudflareTopNetworkRules_HuntingQueries Hunting Query with template version 3.0.1", + "description": "CloudflareUnexpectedRequest_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion7')]", + "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - 
"name": "Cloudflare_Hunting_Query_7", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "eTag": "*", - "displayName": "Cloudflare - Top Network rules", - "category": "Hunting Queries", - "query": "Cloudflare\n| where TimeGenerated > ago(24h)\n| where isnotempty(NetworkRuleName)\n| summarize count() by NetworkRuleName, EdgeRequestHost\n| order by count_\n| extend CloudAppCustomEntity = EdgeRequestHost\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "Query searches top network rules triggered." - }, + "description": "Detects client requests to unusual client request.", + "displayName": "Cloudflare - Unexpected client request", + "enabled": false, + "query": "Cloudflare\n| where HttpRequestMethod =~ 'GET'\n| where DstBytes != 0 or SrcBytes != 0\n| where ClientRequestURI has_any ('/admin', '/admin.php', 'wp-admin', '.htaccess', '/etc/shadow', '/etc/passwd', '/etc/hosts', '/etc/ssh/') \n| extend IPCustomEntity = SrcIpAddr\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ { - "name": "tactics", - "value": "InitialAccess" - }, + "connectorId": "CloudflareDataConnector", + "dataTypes": [ + "Cloudflare" + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1190", + "T1133" + ], + "entityMappings": [ { - "name": "techniques", - "value": "T1190,T1133" + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ], + "entityType": "IP" } ] } 
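Review bot: The description of "Cloudflare - Unexpected client request" reads "Detects client requests to unusual client request.", which is circular and tells an analyst nothing about what fires the rule. Something like `Detects GET requests for sensitive paths such as admin consoles, .htaccess and /etc/* files.` would describe the `has_any` list that the query actually checks. The query string also carries a trailing space before the final `\n` after the `has_any (...)` clause; cosmetic, but worth trimming at the source (CloudflareUnexpectedRequest_AnalyticalRules per the hunk's description) if the template is regenerated.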
@@ -2406,13 +2326,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId7'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject7').analyticRuleId7,'/'))))]", "properties": { - "description": "Cloudflare Hunting Query 7", - "parentId": "[variables('huntingQueryId7')]", - "contentId": "[variables('_huntingQuerycontentId7')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion7')]", + "description": "Cloudflare Analytics Rule 7", + "parentId": "[variables('analyticRuleObject7').analyticRuleId7]", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]", "source": { "kind": "Solution", "name": "Cloudflare", 
@@ -2437,53 +2357,73 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId7')]", - "contentKind": "HuntingQuery", - "displayName": "Cloudflare - Top Network rules", - "contentProductId": "[variables('_huntingQuerycontentProductId7')]", - "id": "[variables('_huntingQuerycontentProductId7')]", - "version": "[variables('huntingQueryVersion7')]" + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "contentKind": "AnalyticsRule", + "displayName": "Cloudflare - Unexpected client request", + "contentProductId": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", + "id": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName8')]", + "name": "[variables('analyticRuleObject8').analyticRuleTemplateSpecName8]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CloudflareTopWafRules_HuntingQueries Hunting Query with template version 3.0.1", + "description": "CloudflareUnexpectedUrl_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion8')]", + "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": 
"Cloudflare_Hunting_Query_8", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "eTag": "*", - "displayName": "Cloudflare - Top WAF rules", - "category": "Hunting Queries", - "query": "Cloudflare\n| where TimeGenerated > ago(24h)\n| where isnotempty(WAFRuleID)\n| summarize count() by WAFRuleID, WAFRuleMessage, EdgeRequestHost\n| order by count_\n| extend CloudAppCustomEntity = EdgeRequestHost\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "Query searches top WAF rules triggered." - }, + "description": "Detects client requests to unusual URI.", + "displayName": "Cloudflare - Unexpected URI", + "enabled": false, + "query": "Cloudflare\n| where HttpRequestMethod =~ 'GET'\n| where DstBytes != 0 or SrcBytes != 0\n| where ClientRequestURI matches regex @'(127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})|(10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})|(172\\.1[6-9]\\.\\d{1,3}\\.\\d{1,3})|(172\\.2[0-9]\\.\\d{1,3}\\.\\d{1,3})|(172\\.3[0-1]\\.\\d{1,3}\\.\\d{1,3})|(192\\.168\\.\\d{1,3}\\.\\d{1,3})'\n| extend IPCustomEntity = SrcIpAddr\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ { - "name": "tactics", - "value": "InitialAccess" - }, + "connectorId": "CloudflareDataConnector", + "dataTypes": [ + "Cloudflare" + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1190", + "T1133" + ], + "entityMappings": [ { - "name": "techniques", - "value": "T1190,T1133" + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ], + "entityType": "IP" } ] } 
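Review bot: The private-address regex in "Cloudflare - Unexpected URI" is unanchored, so alternatives such as `(10\.\d{1,3}\.\d{1,3}\.\d{1,3})` and `(127\.\d{1,3}\.\d{1,3}\.\d{1,3})` also match public addresses or version-like path segments that merely contain those digits (e.g. a URI containing `210.1.2.3` or `/v10.1.2.3`), producing false positives. Wrapping the whole pattern in word boundaries, e.g. `@'\b((127|10)\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2[0-9]|3[0-1])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})\b'`, keeps the same ranges while requiring the match to start and end at a non-digit. `\d{1,3}` still admits octets above 255, which is a minor precision loss by comparison. If the template is generated, apply this in the source rule (CloudflareUnexpectedUrl_AnalyticalRules per the hunk's description).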
@@ -2491,13 +2431,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId8'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject8').analyticRuleId8,'/'))))]", "properties": { - "description": "Cloudflare Hunting Query 8", - "parentId": "[variables('huntingQueryId8')]", - "contentId": "[variables('_huntingQuerycontentId8')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion8')]", + "description": "Cloudflare Analytics Rule 8", + "parentId": "[variables('analyticRuleObject8').analyticRuleId8]", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]", "source": { "kind": "Solution", "name": "Cloudflare", 
@@ -2522,53 +2462,82 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId8')]", - "contentKind": "HuntingQuery", - "displayName": "Cloudflare - Top WAF rules", - "contentProductId": "[variables('_huntingQuerycontentProductId8')]", - "id": "[variables('_huntingQuerycontentProductId8')]", - "version": "[variables('huntingQueryVersion8')]" + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "contentKind": "AnalyticsRule", + "displayName": "Cloudflare - Unexpected URI", + "contentProductId": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", + "id": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName9')]", + "name": "[variables('analyticRuleObject9').analyticRuleTemplateSpecName9]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CloudflareUnexpectedCountries_HuntingQueries Hunting Query with template version 3.0.1", + "description": "CloudflareWafThreatAllowed_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion9')]", + "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": 
"Cloudflare_Hunting_Query_9", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "eTag": "*", - "displayName": "Cloudflare - Unexpected countries", - "category": "Hunting Queries", - "query": "Cloudflare\n| where TimeGenerated > ago(24h)\n| summarize count() by SrcGeoCountry, SrcIpAddr\n| extend IPCustomEntity = SrcIpAddr\n", - "version": 2, - "tags": [ + "description": "Detects WAF \"Allowed\" action on threat events.", + "displayName": "Cloudflare - WAF Allowed threat", + "enabled": false, + "query": "Cloudflare\n| where isnotempty(WAFRuleID) or isnotempty(WAFRuleMessage)\n| where WAFAction =~ 'Allow'\n| extend IPCustomEntity = SrcIpAddr\n| extend UrlCustomEntity = ClientRequestURI\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ { - "name": "description", - "value": "Query searches requests by country and helps to identify requests coming from unexpected countries." - }, + "connectorId": "CloudflareDataConnector", + "dataTypes": [ + "Cloudflare" + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1190", + "T1133" + ], + "entityMappings": [ { - "name": "tactics", - "value": "InitialAccess" + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ], + "entityType": "IP" }, { - "name": "techniques", - "value": "T1190,T1133" + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "UrlCustomEntity" + } + ], + "entityType": "URL" } ] } 
@@ -2576,13 +2545,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId9'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject9').analyticRuleId9,'/'))))]", "properties": { - "description": "Cloudflare Hunting Query 9", - "parentId": "[variables('huntingQueryId9')]", - "contentId": "[variables('_huntingQuerycontentId9')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion9')]", + "description": "Cloudflare Analytics Rule 9", + "parentId": "[variables('analyticRuleObject9').analyticRuleId9]", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]", "source": { "kind": "Solution", "name": "Cloudflare", 
@@ -2607,53 +2576,82 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId9')]", - "contentKind": "HuntingQuery", - "displayName": "Cloudflare - Unexpected countries", - "contentProductId": "[variables('_huntingQuerycontentProductId9')]", - "id": "[variables('_huntingQuerycontentProductId9')]", - "version": "[variables('huntingQueryVersion9')]" + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "contentKind": "AnalyticsRule", + "displayName": "Cloudflare - WAF Allowed threat", + "contentProductId": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", + "id": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName10')]", + "name": "[variables('analyticRuleObject10').analyticRuleTemplateSpecName10]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CloudflareUnexpectedEdgeResponse_HuntingQueries Hunting Query with template version 3.0.1", + "description": "CloudflareXSSProbingPattern_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion10')]", + "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": 
"2022-10-01", - "name": "Cloudflare_Hunting_Query_10", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "eTag": "*", - "displayName": "Cloudflare - Unexpected edge response", - "category": "Hunting Queries", - "query": "Cloudflare\n| where TimeGenerated > ago(24h)\n| where HttpStatusCode != EdgeResponseStatus\n| extend IPCustomEntity = SrcIpAddr\n| extend UrlCustomEntity = ClientRequestURI\n", - "version": 2, - "tags": [ + "description": "Detects XSS probing patterns.", + "displayName": "Cloudflare - XSS probing pattern in request", + "enabled": false, + "query": "let s_threshold = 3;\nCloudflare\n| where HttpRequestMethod in~ ('POST', 'PUT')\n| extend susp_ch = countof(ClientRequestURI, '%00')\n| where ClientRequestURI matches regex @'(alert\\()|(alert\\%28)|(String\\.fromCharCode\\()|(expression\\(alert)' or susp_ch > s_threshold\n| extend IPCustomEntity = SrcIpAddr\n| extend UrlCustomEntity = ClientRequestURI\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ { - "name": "description", - "value": "Query searches for unexpected EdgeResponseStatus values." 
- }, + "connectorId": "CloudflareDataConnector", + "dataTypes": [ + "Cloudflare" + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1190", + "T1133" + ], + "entityMappings": [ { - "name": "tactics", - "value": "InitialAccess" + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ], + "entityType": "IP" }, { - "name": "techniques", - "value": "T1190,T1133" + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "UrlCustomEntity" + } + ], + "entityType": "URL" } ] } @@ -2661,13 +2659,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId10'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject10').analyticRuleId10,'/'))))]", "properties": { - "description": "Cloudflare Hunting Query 10", - "parentId": "[variables('huntingQueryId10')]", - "contentId": "[variables('_huntingQuerycontentId10')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion10')]", + "description": "Cloudflare Analytics Rule 10", + "parentId": "[variables('analyticRuleObject10').analyticRuleId10]", + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]", "source": { "kind": "Solution", "name": "Cloudflare", 
@@ -2692,12 +2690,12 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId10')]", - "contentKind": "HuntingQuery", - "displayName": "Cloudflare - Unexpected edge response", - "contentProductId": "[variables('_huntingQuerycontentProductId10')]", - "id": "[variables('_huntingQuerycontentProductId10')]", - "version": "[variables('huntingQueryVersion10')]" + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "contentKind": "AnalyticsRule", + "displayName": "Cloudflare - XSS probing pattern in request", + "contentProductId": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", + "id": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" } }, { @@ -2705,7 +2703,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.1", + "version": "3.0.2", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Cloudflare", @@ -2742,8 +2740,8 @@ }, { "kind": "Parser", - "contentId": "[variables('_parserContentId1')]", - "version": "[variables('parserVersion1')]" + "contentId": "[variables('parserObject1').parserContentId1]", + "version": "[variables('parserObject1').parserVersion1]" }, { "kind": "Workbook", 
@@ -2751,104 +2749,104 @@ "version": "[variables('workbookVersion1')]" }, { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId1')]", - "version": "[variables('analyticRuleVersion1')]" + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", + "version": "[variables('huntingQueryObject1').huntingQueryVersion1]" }, { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId2')]", - "version": "[variables('analyticRuleVersion2')]" + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", + "version": "[variables('huntingQueryObject2').huntingQueryVersion2]" }, { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId3')]", - "version": "[variables('analyticRuleVersion3')]" + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", + "version": "[variables('huntingQueryObject3').huntingQueryVersion3]" }, { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId4')]", - "version": "[variables('analyticRuleVersion4')]" + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", + "version": "[variables('huntingQueryObject4').huntingQueryVersion4]" }, { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId5')]", - "version": "[variables('analyticRuleVersion5')]" + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", + "version": "[variables('huntingQueryObject5').huntingQueryVersion5]" }, { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId6')]", - "version": "[variables('analyticRuleVersion6')]" + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", + "version": "[variables('huntingQueryObject6').huntingQueryVersion6]" }, { - "kind": "AnalyticsRule", - "contentId": 
"[variables('analyticRulecontentId7')]", - "version": "[variables('analyticRuleVersion7')]" + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]", + "version": "[variables('huntingQueryObject7').huntingQueryVersion7]" }, { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId8')]", - "version": "[variables('analyticRuleVersion8')]" + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]", + "version": "[variables('huntingQueryObject8').huntingQueryVersion8]" }, { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId9')]", - "version": "[variables('analyticRuleVersion9')]" + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject9')._huntingQuerycontentId9]", + "version": "[variables('huntingQueryObject9').huntingQueryVersion9]" }, { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId10')]", - "version": "[variables('analyticRuleVersion10')]" + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]", + "version": "[variables('huntingQueryObject10').huntingQueryVersion10]" }, { - "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId1')]", - "version": "[variables('huntingQueryVersion1')]" + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" }, { - "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId2')]", - "version": "[variables('huntingQueryVersion2')]" + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" }, { - "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId3')]", - "version": "[variables('huntingQueryVersion3')]" + "kind": 
"AnalyticsRule", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" }, { - "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId4')]", - "version": "[variables('huntingQueryVersion4')]" + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" }, { - "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId5')]", - "version": "[variables('huntingQueryVersion5')]" + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" }, { - "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId6')]", - "version": "[variables('huntingQueryVersion6')]" + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" }, { - "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId7')]", - "version": "[variables('huntingQueryVersion7')]" + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]" }, { - "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId8')]", - "version": "[variables('huntingQueryVersion8')]" + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" }, { - "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId9')]", - "version": "[variables('huntingQueryVersion9')]" + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "version": 
"[variables('analyticRuleObject9').analyticRuleVersion9]" }, { - "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId10')]", - "version": "[variables('huntingQueryVersion10')]" + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" } ] }, diff --git a/Solutions/Cloudflare/Package/testParameters.json b/Solutions/Cloudflare/Package/testParameters.json new file mode 100644 index 0000000000..a2d8348d6e --- /dev/null +++ b/Solutions/Cloudflare/Package/testParameters.json @@ -0,0 +1,32 @@ +{ + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + }, + "workbook1-name": { + "type": "string", + "defaultValue": "Cloudflare", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + } +} diff --git a/Solutions/Cloudflare/ReleaseNotes.md b/Solutions/Cloudflare/ReleaseNotes.md index 2c2a589d72..ba6b4b433d 100644 --- a/Solutions/Cloudflare/ReleaseNotes.md +++ b/Solutions/Cloudflare/ReleaseNotes.md 
@@ -1,4 +1,5 @@
-| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
-|-------------|--------------------------------|------------------------------------------------------------------------------------------------|
-| 3.0.1 | 01-08-2023 | Updated logic in **Data Connector** to handle broken events |
-| 3.0.0 | 24-07-2023 | Updated logic in **Hunting Query** (Cloudflare - Client errors,Cloudflare - Server errors) |
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|-------------------------------------------------------------------------------------------------|
+| 3.0.2 | 12-12-2023 | Modified **Function App** for better performance in Production Logs. |
+| 3.0.1 | 01-08-2023 | Updated logic in **Data Connector** to handle broken events. |
+| 3.0.0 | 24-07-2023 | Updated logic in **Hunting Query** (Cloudflare - Client errors,Cloudflare - Server errors). |
\ No newline at end of file
diff --git a/Solutions/Forcepoint CSG/Data/Solution_ForcepointCSG.json b/Solutions/Forcepoint CSG/Data/Solution_ForcepointCSG.json
index 524d70c216..250027cbc5 100644
--- a/Solutions/Forcepoint CSG/Data/Solution_ForcepointCSG.json
+++ b/Solutions/Forcepoint CSG/Data/Solution_ForcepointCSG.json
@@ -5,10 +5,10 @@ "Description": "[Forcepoint Cloud Security Gateway](https://www.forcepoint.com/product/cloud-security-gateway) (CSG) Solution for Microsoft Sentinel exports web and/or email logs so that custom dashboards can be created using Workbooks to visualize events and insights on activities of Forcepoint Cloud Security Gateway.\n\nFor more details about this solution refer to [integration documentation](https://forcepoint.github.io/docs/csg_and_sentinel/).\n\r\n1. **Forcepoint CSG via AMA** - This data connector helps in ingesting Forcepoint CSG logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **Forcepoint CSG via Legacy Agent** - This data connector helps in ingesting Forcepoint CSG logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of Forcepoint CSG via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).", "Data Connectors": [ "Solutions/Forcepoint CSG/Data Connectors/ForcepointCloudSecurityGateway.json", - "Solutions/Forcepoint CSG/Data Connectors/template_ForcepointCloudSecurityGatewayAMA.json" + "Solutions/Forcepoint CSG/Data Connectors/template_ForcepointCloudSecurityGatewayAMA.json" ], "Workbooks": [ - "Solutions/Forcepoint CSG/Workbooks/ForcepointCloudSecuirtyGatewayworkbook.json" + "Solutions/Forcepoint CSG/Workbooks/ForcepointCloudSecuirtyGateway.json" ], "BasePath": "C:\\Sentinel-Repos\\19.05.22\\Azure-Sentinel", "Version": "3.0.0", 
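Review bot: The `"Version": "3.0.0"` line at the end of this hunk is left untouched while the generated package in the following file is bumped to 3.0.1 (`"_solutionVersion": "3.0.1"` and the contentPackages `"version": "3.0.1"`), so the solution data file and the package it describes no longer agree. If the packaging tool reads the version from this field, the next regeneration would presumably produce 3.0.0 again and overwrite the bumped package; if the version is now supplied by the automation, that is not visible in this change. The straightforward fix is `"Version": "3.0.1",` here. A smaller point: the workbook rename keeps the `Secuirty` misspelling in the new file name, so the reference here will need a second update if that is ever corrected.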
diff --git a/Solutions/Forcepoint CSG/Package/3.0.1.zip b/Solutions/Forcepoint CSG/Package/3.0.1.zip new file mode 100644 index 0000000000..fd3b306fca Binary files /dev/null and b/Solutions/Forcepoint CSG/Package/3.0.1.zip differ diff --git a/Solutions/Forcepoint CSG/Package/mainTemplate.json b/Solutions/Forcepoint CSG/Package/mainTemplate.json index e96c39e9fc..fc32991f96 100644 --- a/Solutions/Forcepoint CSG/Package/mainTemplate.json +++ b/Solutions/Forcepoint CSG/Package/mainTemplate.json @@ -39,7 +39,7 @@ }, "variables": { "_solutionName": "Forcepoint CSG", - "_solutionVersion": "3.0.0", + "_solutionVersion": "3.0.1", "solutionId": "microsoftsentinelcommunity.azure-sentinel-solution-forcepoint-csg", "_solutionId": "[variables('solutionId')]", "uiConfigId1": "ForcepointCSG", @@ -79,7 +79,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Forcepoint CSG data connector with template version 3.0.0", + "description": "Forcepoint CSG data connector with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -434,7 +434,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Forcepoint CSG data connector with template version 3.0.0", + "description": "Forcepoint CSG data connector with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion2')]", 
@@ -539,7 +539,6 @@ { "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, { "title": "Step B. Implementation options", @@ -746,7 +745,6 @@ { "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, { "title": "Step B. Implementation options", 
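Review bot: The only line removed in the hunk at `@@ -539,7 +539,6 @@` is the `},` that closes the Step A instruction-step object, and nothing replaces it, so as rendered here the Step A `"description"` line is followed directly by the `{` that opens Step B, which is not valid JSON; the identical removal appears in the second hunk at `@@ -746,7 +745,6 @@`. If the produced file really reads this way, the package will fail to parse at deployment; if the extraction merely collapsed a bare `}` line out of view, this can be disregarded. Since this mainTemplate.json appears to be generated by the packaging tooling, the fix would belong in the source connector definition or the generator rather than in this file. Running `jq . mainTemplate.json` (or the arm-ttk validation step) on the produced file would settle it quickly.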
@@ -799,7 +797,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ForcepointCloudSecuirtyGatewayworkbookWorkbook Workbook with template version 3.0.0", + "description": "ForcepointCloudSecuirtyGateway Workbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -828,7 +826,7 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", "properties": { - "description": "@{workbookKey=ForcepointCloudSecurityGatewayWorkbook; logoFileName=Forcepoint_new_logo.svg; description=Use this report to understand query runs across your workspace.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Forcepoint Cloud Security Gateway Workbook; templateRelativePath=ForcepointCloudSecuirtyGatewayworkbook.json; subtitle=; provider=Forcepoint}.description", + "description": "@{workbookKey=ForcepointCloudSecurityGatewayWorkbook; logoFileName=Forcepoint_new_logo.svg; description=Use this report to understand query runs across your workspace.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Forcepoint Cloud Security Gateway Workbook; templateRelativePath=ForcepointCloudSecuirtyGateway.json; subtitle=; provider=Forcepoint}.description", "parentId": "[variables('workbookId1')]", "contentId": "[variables('_workbookContentId1')]", "kind": "Workbook", 
@@ -885,7 +883,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.0", + "version": "3.0.1", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Forcepoint CSG", diff --git a/Solutions/Forcepoint CSG/Package/testParameters.json b/Solutions/Forcepoint CSG/Package/testParameters.json new file mode 100644 index 0000000000..22b567cd0a --- /dev/null +++ b/Solutions/Forcepoint CSG/Package/testParameters.json @@ -0,0 +1,32 @@ +{ + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + }, + "workbook1-name": { + "type": "string", + "defaultValue": "Forcepoint Cloud Security Gateway Workbook", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + } +} diff --git a/Solutions/Forcepoint CSG/Workbooks/ForcepointCloudSecuirtyGatewayworkbook.json b/Solutions/Forcepoint CSG/Workbooks/ForcepointCloudSecuirtyGateway.json similarity index 100% rename from Solutions/Forcepoint CSG/Workbooks/ForcepointCloudSecuirtyGatewayworkbook.json rename to Solutions/Forcepoint CSG/Workbooks/ForcepointCloudSecuirtyGateway.json 
diff --git a/Solutions/Legacy IOC based Threat Protection/Data/Solution_Legacy IOC based Threat Protection.json b/Solutions/Legacy IOC based Threat Protection/Data/Solution_Legacy IOC based Threat Protection.json
index 05f809cf78..17ae3c5b9d 100644
--- a/Solutions/Legacy IOC based Threat Protection/Data/Solution_Legacy IOC based Threat Protection.json
+++ b/Solutions/Legacy IOC based Threat Protection/Data/Solution_Legacy IOC based Threat Protection.json
@@ -3,43 +3,7 @@ "Author": "Microsoft - support@microsoft.com", "Logo": "", "Description": "Microsoft Security Research, based on ongoing trends and exploits creates content that help identify existence of known IOCs based on known prevalent attacks and threat actor tactics/techniques, such as Nobelium, Gallium, Solorigate, etc. This solution contains packaged content written on some legacy IOCs that have been prevalent in the past but may still be relevant.\n\n**Pre-requisites:**\n\nThis is a [domain solution](https://learn.microsoft.com/azure/sentinel/sentinel-solutions-catalog#domain-solutions) and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution.\n\n1. [Squid Proxy](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-squidproxyazure-sentinel-solution-squidproxy)\n\n2. [Microsoft Windows DNS](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-dnsazure-sentinel-solution-dns)\n\n3. [Cisco ASA](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-ciscoasaazure-sentinel-solution-ciscoasa)\n\n4. [Palo Alto Networks](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-paloaltopanosazure-sentinel-solution-paloaltopanos)\n\n5. [Microsoft Defender XDR](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoft365defenderazure-sentinel-solution-microsoft365defender)\n\n6. [Azure Firewall](https://ms.portal.azure.com/#create/sentinel4azurefirewall.sentinel4azurefirewallsentinel4azurefirewall)\n\n7. [ZScaler Internet Access](https://ms.portal.azure.com/#create/zscaler1579058425289.zscaler_internet_access_msszia_msentinel_v1)\n\n8. [Infoblox NIOS](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-infobloxniosazure-sentinel-solution-infobloxnios)\n\n9. 
[Google Cloud Platform DNS](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-gcpdnsazure-sentinel-solution-gcpdns)\n\n10. [NXLog DNS](https://ms.portal.azure.com/#create/nxlogltd1589381969261.nxlog_dns_logsnxlog-dns-plan1)\n\n11. [Cisco Umbrella](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-ciscoumbrellaazure-sentinel-solution-ciscoumbrella)\n\n12. [Corelight ](https://ms.portal.azure.com/#create/corelightinc1584998267292.corelight-for-azure-sentinelcorelight-for-azure-sentinel-solution-template)\n\n13. [Amazon Web Services](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-amazonwebservicesazure-sentinel-solution-amazonwebservices)\n\n14. [Windows Forwarded Events](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-windowsforwardedeventsazure-sentinel-solution-windowsforwardedevents)\n\n15. [Sysmon for Linux](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-sysmonforlinuxazure-sentinel-solution-sysmonforlinux)\n\n16. [Microsoft 365](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-office365azure-sentinel-solution-office365)\n\n17. [Windows Security Events](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-securityeventsazure-sentinel-solution-securityevents)\n\n18. [Microsoft Entra ID](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-azureactivedirectoryazure-sentinel-solution-azureactivedirectory)\n\n19. [Azure Activity](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-azureactivityazure-sentinel-solution-azureactivity)\n\n20. [F5 Advanced WAF](https://ms.portal.azure.com/#create/f5-networks.f5_bigip_mssf5-big-ip)\n\n21. [Fortinet FortiGate](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-fortinetfortigateazure-sentinel-solution-fortinetfortigate)\n\n22. 
[Check Point](https://ms.portal.azure.com/#create/checkpoint.checkpoint-sentinel-solutionssentinel-1)\n\n23. [Common Event Format](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-commoneventformatazure-sentinel-solution-commoneventformat)\n\n24. [Windows Firewall](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-windowsfirewallazure-sentinel-solution-windowsfirewall)", - "Analytic Rules": [ - "Solutions/Legacy IOC based Threat Protection/Analytic Rules/AquaBlizzardFeb2022.yaml", - "Solutions/Legacy IOC based Threat Protection/Analytic Rules/BariumDomainIOC112020.yaml", - "Solutions/Legacy IOC based Threat Protection/Analytic Rules/BariumIPIOC112020.yaml", - "Solutions/Legacy IOC based Threat Protection/Analytic Rules/RubySleetOct292020IOCs.yaml", - "Solutions/Legacy IOC based Threat Protection/Analytic Rules/ChiaCryptoMining.yaml", - "Solutions/Legacy IOC based Threat Protection/Analytic Rules/DEV-0322_SolarWinds_Serv-U_IOC.yaml", - "Solutions/Legacy IOC based Threat Protection/Analytic Rules/Dev-0530_July2022.yaml", - "Solutions/Legacy IOC based Threat Protection/Analytic Rules/CadetBlizzard_Jan2022_IOC.yaml", - "Solutions/Legacy IOC based Threat Protection/Analytic Rules/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml", - "Solutions/Legacy IOC based Threat Protection/Analytic Rules/GraniteTyphoonIOCs.yaml", - "Solutions/Legacy IOC based Threat Protection/Analytic Rules/SilkTyphoonUmServiceSuspiciousFile.yaml", - "Solutions/Legacy IOC based Threat Protection/Analytic Rules/HiveRansomwareJuly2022.yaml", - "Solutions/Legacy IOC based Threat Protection/Analytic Rules/SeashellBlizzardIOCs.yaml", - "Solutions/Legacy IOC based Threat Protection/Analytic Rules/DenimTsunamiAVDetection.yaml", - "Solutions/Legacy IOC based Threat Protection/Analytic Rules/DenimTsunamiC2DomainsJuly2022.yaml", - "Solutions/Legacy IOC based Threat Protection/Analytic Rules/DenimTsunamiFileHashesJuly2022.yaml", - "Solutions/Legacy IOC based 
Threat Protection/Analytic Rules/KnownMintSandstormDomainsIP-October2020.yaml", - "Solutions/Legacy IOC based Threat Protection/Analytic Rules/Manganese_VPN-IOCs.yaml", - "Solutions/Legacy IOC based Threat Protection/Analytic Rules/MSHTMLVuln.yaml", - "Solutions/Legacy IOC based Threat Protection/Analytic Rules/NylonTyphoonIOCsNov2021.yaml", - "Solutions/Legacy IOC based Threat Protection/Analytic Rules/MidnightBlizzard_DomainIOCsMarch2021.yaml", - "Solutions/Legacy IOC based Threat Protection/Analytic Rules/MidnightBlizzard_FoggyWeb.yaml", - "Solutions/Legacy IOC based Threat Protection/Analytic Rules/MidnightBlizzard_IOCsMay2021.yaml", - "Solutions/Legacy IOC based Threat Protection/Analytic Rules/PHOSPHORUSMarch2019IOCs.yaml", - "Solutions/Legacy IOC based Threat Protection/Analytic Rules/PlaidRainIPIoC.yaml", - "Solutions/Legacy IOC based Threat Protection/Analytic Rules/Solorigate-Network-Beacon.yaml", - "Solutions/Legacy IOC based Threat Protection/Analytic Rules/Solorigate-VM-Network.yaml", - "Solutions/Legacy IOC based Threat Protection/Analytic Rules/CaramelTsunami_IOC.yaml", - "Solutions/Legacy IOC based Threat Protection/Analytic Rules/ForestBlizzardOct292020IOCs.yaml", - "Solutions/Legacy IOC based Threat Protection/Analytic Rules/SUNSPOTLogFile.yaml", - "Solutions/Legacy IOC based Threat Protection/Analytic Rules/TarraskHashIoC.yaml", - "Solutions/Legacy IOC based Threat Protection/Analytic Rules/EmeraldSleetIOCs.yaml", - "Solutions/Legacy IOC based Threat Protection/Analytic Rules/WSLMalwareCorrelation.yaml", - "Solutions/Legacy IOC based Threat Protection/Analytic Rules/DiamondSleetJan272021IOCs.yaml", - "Solutions/Legacy IOC based Threat Protection/Analytic Rules/DiamondSleetOct292020IOCs.yaml" - ], + "Hunting Queries": [ "Solutions/Legacy IOC based Threat Protection/Hunting Queries/Dev-0056CommandLineActivityNovember2021.yaml", "Solutions/Legacy IOC based Threat Protection/Hunting Queries/Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml", 
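Review bot: Deleting the whole `"Analytic Rules"` array silently drops 35 IOC detection templates from the packaged solution, while the `"Description"` in the same hunk is left unchanged and says nothing about the rules being retired or where they went. Tenants that already deployed these templates will presumably stop receiving updates with no in-product signal, which matters because several of them cover still-relevant campaigns (Solorigate, Exchange March 2021, MSHTML). I'd add a sentence to the description such as `The legacy IOC analytic rules formerly shipped with this solution have been deprecated; this version contains hunting queries only.` and, if this repo's deprecation convention calls for it, keep the rules packaged with a `[Deprecated]` name prefix for one release so existing deployments see the notice. The 3.0.0 → 3.0.2 bump in the second hunk should also be mirrored in ReleaseNotes.md, which this diff does not show.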
@@ -53,7 +17,7 @@ "Solutions/Legacy IOC based Threat Protection/Hunting Queries/ForestBlizzard_IOC_RetroHunt.yaml" ], "BasePath": "C:\\One\\Azure\\Azure-Sentinel", - "Version": "3.0.0", + "Version": "3.0.2", "TemplateSpec": true, "Is1PConnector": true, "Metadata": "SolutionMetadata.json" diff --git a/Solutions/Legacy IOC based Threat Protection/Analytic Rules/AquaBlizzardFeb2022.yaml b/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/AquaBlizzardFeb2022.yaml similarity index 100% rename from Solutions/Legacy IOC based Threat Protection/Analytic Rules/AquaBlizzardFeb2022.yaml rename to Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/AquaBlizzardFeb2022.yaml diff --git a/Solutions/Legacy IOC based Threat Protection/Analytic Rules/BariumDomainIOC112020.yaml b/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/BariumDomainIOC112020.yaml similarity index 100% rename from Solutions/Legacy IOC based Threat Protection/Analytic Rules/BariumDomainIOC112020.yaml rename to Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/BariumDomainIOC112020.yaml diff --git a/Solutions/Legacy IOC based Threat Protection/Analytic Rules/BariumIPIOC112020.yaml b/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/BariumIPIOC112020.yaml similarity index 100% rename from Solutions/Legacy IOC based Threat Protection/Analytic Rules/BariumIPIOC112020.yaml rename to Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/BariumIPIOC112020.yaml diff --git a/Solutions/Legacy IOC based Threat Protection/Analytic Rules/CadetBlizzard_Jan2022_IOC.yaml b/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/CadetBlizzard_Jan2022_IOC.yaml similarity index 100% rename from Solutions/Legacy IOC based Threat Protection/Analytic Rules/CadetBlizzard_Jan2022_IOC.yaml rename to Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/CadetBlizzard_Jan2022_IOC.yaml 
diff --git a/Solutions/Legacy IOC based Threat Protection/Analytic Rules/CaramelTsunami_IOC.yaml b/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/CaramelTsunami_IOC.yaml similarity index 100% rename from Solutions/Legacy IOC based Threat Protection/Analytic Rules/CaramelTsunami_IOC.yaml rename to Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/CaramelTsunami_IOC.yaml diff --git a/Solutions/Legacy IOC based Threat Protection/Analytic Rules/ChiaCryptoMining.yaml b/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/ChiaCryptoMining.yaml similarity index 100% rename from Solutions/Legacy IOC based Threat Protection/Analytic Rules/ChiaCryptoMining.yaml rename to Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/ChiaCryptoMining.yaml diff --git a/Solutions/Legacy IOC based Threat Protection/Analytic Rules/DEV-0322_SolarWinds_Serv-U_IOC.yaml b/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/DEV-0322_SolarWinds_Serv-U_IOC.yaml similarity index 100% rename from Solutions/Legacy IOC based Threat Protection/Analytic Rules/DEV-0322_SolarWinds_Serv-U_IOC.yaml rename to Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/DEV-0322_SolarWinds_Serv-U_IOC.yaml diff --git a/Solutions/Legacy IOC based Threat Protection/Analytic Rules/DenimTsunamiAVDetection.yaml b/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/DenimTsunamiAVDetection.yaml similarity index 100% rename from Solutions/Legacy IOC based Threat Protection/Analytic Rules/DenimTsunamiAVDetection.yaml rename to Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/DenimTsunamiAVDetection.yaml 
diff --git a/Solutions/Legacy IOC based Threat Protection/Analytic Rules/DenimTsunamiC2DomainsJuly2022.yaml b/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/DenimTsunamiC2DomainsJuly2022.yaml similarity index 100% rename from Solutions/Legacy IOC based Threat Protection/Analytic Rules/DenimTsunamiC2DomainsJuly2022.yaml rename to Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/DenimTsunamiC2DomainsJuly2022.yaml diff --git a/Solutions/Legacy IOC based Threat Protection/Analytic Rules/DenimTsunamiFileHashesJuly2022.yaml b/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/DenimTsunamiFileHashesJuly2022.yaml similarity index 100% rename from Solutions/Legacy IOC based Threat Protection/Analytic Rules/DenimTsunamiFileHashesJuly2022.yaml rename to Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/DenimTsunamiFileHashesJuly2022.yaml diff --git a/Solutions/Legacy IOC based Threat Protection/Analytic Rules/Dev-0530_July2022.yaml b/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/Dev-0530_July2022.yaml similarity index 100% rename from Solutions/Legacy IOC based Threat Protection/Analytic Rules/Dev-0530_July2022.yaml rename to Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/Dev-0530_July2022.yaml diff --git a/Solutions/Legacy IOC based Threat Protection/Analytic Rules/DiamondSleetJan272021IOCs.yaml b/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/DiamondSleetJan272021IOCs.yaml similarity index 100% rename from Solutions/Legacy IOC based Threat Protection/Analytic Rules/DiamondSleetJan272021IOCs.yaml rename to Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/DiamondSleetJan272021IOCs.yaml 
diff --git a/Solutions/Legacy IOC based Threat Protection/Analytic Rules/DiamondSleetOct292020IOCs.yaml b/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/DiamondSleetOct292020IOCs.yaml similarity index 100% rename from Solutions/Legacy IOC based Threat Protection/Analytic Rules/DiamondSleetOct292020IOCs.yaml rename to Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/DiamondSleetOct292020IOCs.yaml diff --git a/Solutions/Legacy IOC based Threat Protection/Analytic Rules/EmeraldSleetIOCs.yaml b/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/EmeraldSleetIOCs.yaml similarity index 100% rename from Solutions/Legacy IOC based Threat Protection/Analytic Rules/EmeraldSleetIOCs.yaml rename to Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/EmeraldSleetIOCs.yaml diff --git a/Solutions/Legacy IOC based Threat Protection/Analytic Rules/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml b/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml similarity index 100% rename from Solutions/Legacy IOC based Threat Protection/Analytic Rules/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml rename to Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml diff --git a/Solutions/Legacy IOC based Threat Protection/Analytic Rules/ForestBlizzardOct292020IOCs.yaml b/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/ForestBlizzardOct292020IOCs.yaml similarity index 100% rename from Solutions/Legacy IOC based Threat Protection/Analytic Rules/ForestBlizzardOct292020IOCs.yaml rename to Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/ForestBlizzardOct292020IOCs.yaml 
diff --git a/Solutions/Legacy IOC based Threat Protection/Analytic Rules/GraniteTyphoonIOCs.yaml b/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/GraniteTyphoonIOCs.yaml similarity index 100% rename from Solutions/Legacy IOC based Threat Protection/Analytic Rules/GraniteTyphoonIOCs.yaml rename to Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/GraniteTyphoonIOCs.yaml diff --git a/Solutions/Legacy IOC based Threat Protection/Analytic Rules/HiveRansomwareJuly2022.yaml b/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/HiveRansomwareJuly2022.yaml similarity index 100% rename from Solutions/Legacy IOC based Threat Protection/Analytic Rules/HiveRansomwareJuly2022.yaml rename to Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/HiveRansomwareJuly2022.yaml diff --git a/Solutions/Legacy IOC based Threat Protection/Analytic Rules/KnownMintSandstormDomainsIP-October2020.yaml b/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/KnownMintSandstormDomainsIP-October2020.yaml similarity index 100% rename from Solutions/Legacy IOC based Threat Protection/Analytic Rules/KnownMintSandstormDomainsIP-October2020.yaml rename to Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/KnownMintSandstormDomainsIP-October2020.yaml diff --git a/Solutions/Legacy IOC based Threat Protection/Analytic Rules/MSHTMLVuln.yaml b/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/MSHTMLVuln.yaml similarity index 100% rename from Solutions/Legacy IOC based Threat Protection/Analytic Rules/MSHTMLVuln.yaml rename to Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/MSHTMLVuln.yaml 
diff --git a/Solutions/Legacy IOC based Threat Protection/Analytic Rules/Manganese_VPN-IOCs.yaml b/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/Manganese_VPN-IOCs.yaml similarity index 100% rename from Solutions/Legacy IOC based Threat Protection/Analytic Rules/Manganese_VPN-IOCs.yaml rename to Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/Manganese_VPN-IOCs.yaml diff --git a/Solutions/Legacy IOC based Threat Protection/Analytic Rules/MidnightBlizzard_DomainIOCsMarch2021.yaml b/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/MidnightBlizzard_DomainIOCsMarch2021.yaml similarity index 100% rename from Solutions/Legacy IOC based Threat Protection/Analytic Rules/MidnightBlizzard_DomainIOCsMarch2021.yaml rename to Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/MidnightBlizzard_DomainIOCsMarch2021.yaml diff --git a/Solutions/Legacy IOC based Threat Protection/Analytic Rules/MidnightBlizzard_FoggyWeb.yaml b/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/MidnightBlizzard_FoggyWeb.yaml similarity index 100% rename from Solutions/Legacy IOC based Threat Protection/Analytic Rules/MidnightBlizzard_FoggyWeb.yaml rename to Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/MidnightBlizzard_FoggyWeb.yaml diff --git a/Solutions/Legacy IOC based Threat Protection/Analytic Rules/MidnightBlizzard_IOCsMay2021.yaml b/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/MidnightBlizzard_IOCsMay2021.yaml similarity index 100% rename from Solutions/Legacy IOC based Threat Protection/Analytic Rules/MidnightBlizzard_IOCsMay2021.yaml rename to Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/MidnightBlizzard_IOCsMay2021.yaml 
diff --git a/Solutions/Legacy IOC based Threat Protection/Analytic Rules/NylonTyphoonIOCsNov2021.yaml b/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/NylonTyphoonIOCsNov2021.yaml similarity index 100% rename from Solutions/Legacy IOC based Threat Protection/Analytic Rules/NylonTyphoonIOCsNov2021.yaml rename to Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/NylonTyphoonIOCsNov2021.yaml diff --git a/Solutions/Legacy IOC based Threat Protection/Analytic Rules/PHOSPHORUSMarch2019IOCs.yaml b/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/PHOSPHORUSMarch2019IOCs.yaml similarity index 100% rename from Solutions/Legacy IOC based Threat Protection/Analytic Rules/PHOSPHORUSMarch2019IOCs.yaml rename to Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/PHOSPHORUSMarch2019IOCs.yaml diff --git a/Solutions/Legacy IOC based Threat Protection/Analytic Rules/PlaidRainIPIoC.yaml b/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/PlaidRainIPIoC.yaml similarity index 100% rename from Solutions/Legacy IOC based Threat Protection/Analytic Rules/PlaidRainIPIoC.yaml rename to Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/PlaidRainIPIoC.yaml diff --git a/Solutions/Legacy IOC based Threat Protection/Analytic Rules/RubySleetOct292020IOCs.yaml b/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/RubySleetOct292020IOCs.yaml similarity index 100% rename from Solutions/Legacy IOC based Threat Protection/Analytic Rules/RubySleetOct292020IOCs.yaml rename to Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/RubySleetOct292020IOCs.yaml 
diff --git a/Solutions/Legacy IOC based Threat Protection/Analytic Rules/SUNSPOTLogFile.yaml b/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/SUNSPOTLogFile.yaml similarity index 100% rename from Solutions/Legacy IOC based Threat Protection/Analytic Rules/SUNSPOTLogFile.yaml rename to Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/SUNSPOTLogFile.yaml diff --git a/Solutions/Legacy IOC based Threat Protection/Analytic Rules/SeashellBlizzardIOCs.yaml b/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/SeashellBlizzardIOCs.yaml similarity index 100% rename from Solutions/Legacy IOC based Threat Protection/Analytic Rules/SeashellBlizzardIOCs.yaml rename to Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/SeashellBlizzardIOCs.yaml diff --git a/Solutions/Legacy IOC based Threat Protection/Analytic Rules/SilkTyphoonUmServiceSuspiciousFile.yaml b/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/SilkTyphoonUmServiceSuspiciousFile.yaml similarity index 100% rename from Solutions/Legacy IOC based Threat Protection/Analytic Rules/SilkTyphoonUmServiceSuspiciousFile.yaml rename to Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/SilkTyphoonUmServiceSuspiciousFile.yaml diff --git a/Solutions/Legacy IOC based Threat Protection/Analytic Rules/Solorigate-Network-Beacon.yaml b/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/Solorigate-Network-Beacon.yaml similarity index 100% rename from Solutions/Legacy IOC based Threat Protection/Analytic Rules/Solorigate-Network-Beacon.yaml rename to Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/Solorigate-Network-Beacon.yaml 
diff --git a/Solutions/Legacy IOC based Threat Protection/Analytic Rules/Solorigate-VM-Network.yaml b/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/Solorigate-VM-Network.yaml similarity index 100% rename from Solutions/Legacy IOC based Threat Protection/Analytic Rules/Solorigate-VM-Network.yaml rename to Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/Solorigate-VM-Network.yaml diff --git a/Solutions/Legacy IOC based Threat Protection/Analytic Rules/TarraskHashIoC.yaml b/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/TarraskHashIoC.yaml similarity index 100% rename from Solutions/Legacy IOC based Threat Protection/Analytic Rules/TarraskHashIoC.yaml rename to Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/TarraskHashIoC.yaml diff --git a/Solutions/Legacy IOC based Threat Protection/Analytic Rules/WSLMalwareCorrelation.yaml b/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/WSLMalwareCorrelation.yaml similarity index 100% rename from Solutions/Legacy IOC based Threat Protection/Analytic Rules/WSLMalwareCorrelation.yaml rename to Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/WSLMalwareCorrelation.yaml diff --git a/Solutions/Legacy IOC based Threat Protection/Hunting Queries/Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml b/Solutions/Legacy IOC based Threat Protection/Hunting Queries/Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml index 9799f6d2cf..182094c5b4 100644 --- a/Solutions/Legacy IOC based Threat Protection/Hunting Queries/Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml +++ b/Solutions/Legacy IOC based Threat Protection/Hunting Queries/Dev-0322CommandLineActivityNovember2021(ASIMVersion).yaml 
@@ -1,6 +1,8 @@ id: 6bfea14f-2122-46b3-8f8b-3947e0fb6d92 name: Dev-0322 Command Line Activity November 2021 (ASIM Version) description: | + 'This query hunts for command line activity linked to Dev-0322's compromise of ZOHO ManageEngine ADSelfService Plus software. It focuses on commands used in post-exploitation activity. Hosts with higher risk scores should be prioritized.' +description-detailed: | 'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first. diff --git a/Solutions/Legacy IOC based Threat Protection/Hunting Queries/Dev-0322CommandLineActivityNovember2021.yaml b/Solutions/Legacy IOC based Threat Protection/Hunting Queries/Dev-0322CommandLineActivityNovember2021.yaml index 7c055c7853..4cd3a4150d 100644 --- a/Solutions/Legacy IOC based Threat Protection/Hunting Queries/Dev-0322CommandLineActivityNovember2021.yaml +++ b/Solutions/Legacy IOC based Threat Protection/Hunting Queries/Dev-0322CommandLineActivityNovember2021.yaml 
@@ -1,6 +1,8 @@ id: 78fa22f9-0c13-4847-bbe6-6a7aa1b47547 name: Dev-0322 Command Line Activity November 2021 description: | + 'This query hunts for command line activity linked to Dev-0322's compromise of ZOHO ManageEngine ADSelfService Plus software. It focuses on commands used in post-exploitation activity. Hosts with higher risk scores should be prioritized.' +description-detailed: | 'This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' diff --git a/Solutions/Legacy IOC based Threat Protection/Hunting Queries/Dev-0322FileDropActivityNovember2021(ASIMVersion).yaml b/Solutions/Legacy IOC based Threat Protection/Hunting Queries/Dev-0322FileDropActivityNovember2021(ASIMVersion).yaml index 3b9763644c..b6ae1161fc 100644 --- a/Solutions/Legacy IOC based Threat Protection/Hunting Queries/Dev-0322FileDropActivityNovember2021(ASIMVersion).yaml +++ b/Solutions/Legacy IOC based Threat Protection/Hunting Queries/Dev-0322FileDropActivityNovember2021(ASIMVersion).yaml 
@@ -1,6 +1,8 @@ id: 9b72769e-6ab1-4736-988b-018d92dc5e62 name: Dev-0322 File Drop Activity November 2021 (ASIM Version) description: | + 'This query hunts for file creation events linked to Dev-0322's compromise of ZOHO ManageEngine ADSelfService Plus software. It focuses on files dropped during post-exploitation activity. Hosts with higher risk scores should be prioritized.' +description-detailed: | 'This hunting query looks for file creation events related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The files this query hunts for are dropped as part of the threat actors post exploitation activity. Some or all of the files may be dropped by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first. diff --git a/Solutions/Legacy IOC based Threat Protection/Hunting Queries/Dev-0322FileDropActivityNovember2021.yaml b/Solutions/Legacy IOC based Threat Protection/Hunting Queries/Dev-0322FileDropActivityNovember2021.yaml index 58a47c97b4..99a263766c 100644 --- a/Solutions/Legacy IOC based Threat Protection/Hunting Queries/Dev-0322FileDropActivityNovember2021.yaml +++ b/Solutions/Legacy IOC based Threat Protection/Hunting Queries/Dev-0322FileDropActivityNovember2021.yaml 
@@ -1,6 +1,8 @@ id: 5bf2d4d8-ea03-4673-aaf8-716a61446022 name: Dev-0322 File Drop Activity November 2021 description: | + 'This query hunts for file creation events linked to Dev-0322's compromise of ZOHO ManageEngine ADSelfService Plus software. It focuses on files dropped during post-exploitation activity. Hosts with higher risk scores should be prioritized.' +description-detailed: | 'This hunting query looks for file creation events related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software. The files this query hunts for are dropped as part of the threat actors post exploitation activity. Some or all of the files may be dropped by the threat actor. The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.' diff --git a/Solutions/Legacy IOC based Threat Protection/Hunting Queries/ForestBlizzard_IOC_RetroHunt.yaml b/Solutions/Legacy IOC based Threat Protection/Hunting Queries/ForestBlizzard_IOC_RetroHunt.yaml index abb901b853..bc83aaac7c 100644 --- a/Solutions/Legacy IOC based Threat Protection/Hunting Queries/ForestBlizzard_IOC_RetroHunt.yaml +++ b/Solutions/Legacy IOC based Threat Protection/Hunting Queries/ForestBlizzard_IOC_RetroHunt.yaml @@ -1,6 +1,9 @@ id: b8b7574f-1cd6-4308-822a-ab07256106f8 name: Retrospective hunt for Forest Blizzard IP IOCs description: | + 'Matches domain name IOCs related to Forest Blizzard group activity with CommonSecurityLog and SecurityAlert dataTypes. + The query is scoped in the time window that these IOCs were active.' +description-detailed: | 'Matches domain name IOCs related to Forest Blizzard group activity with CommonSecurityLog and SecurityAlert dataTypes. The query is scoped in the time window that these IOCs were active. References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy.' 
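Review bot: In the ForestBlizzard_IOC_RetroHunt hunk the new short `description` repeats "Matches domain name IOCs" while the `name` one line above reads "Retrospective hunt for Forest Blizzard IP IOCs", so the summary field inherits an existing name/description mismatch instead of fixing it. One of the two is wrong, and the query body that would settle it lies outside the hunk, so please check which indicator type the query actually matches and align both fields, e.g. `'Matches IP address IOCs related to Forest Blizzard group activity with CommonSecurityLog and SecurityAlert dataTypes.` if the name is correct. The same correction then belongs in `description-detailed`, which otherwise carries the same wording plus the References line.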
diff --git a/Solutions/Legacy IOC based Threat Protection/Hunting Queries/NetworkConnectiontoOMIPorts.yaml b/Solutions/Legacy IOC based Threat Protection/Hunting Queries/NetworkConnectiontoOMIPorts.yaml index 683681005f..25e28f11bd 100644 --- a/Solutions/Legacy IOC based Threat Protection/Hunting Queries/NetworkConnectiontoOMIPorts.yaml +++ b/Solutions/Legacy IOC based Threat Protection/Hunting Queries/NetworkConnectiontoOMIPorts.yaml @@ -1,6 +1,8 @@ id: 767b8f6d-8029-4c92-afe1-282167d9d49a name: Connection from external IP to OMI related Ports description: | + 'This query detects attempts to exploit OMI vulnerability (CVE-2021-38647) by identifying external IP connections to management ports (5985,5986,1270). It uses the imNetworkSession schema and other logs for this purpose.' +description-detailed: | 'This query identifies connection attempts from the external IP addresses to the management ports(5985,5986,1270) related to Open Management Infrastructure(OMI). OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find attacks targeting OMI vulnerability (CVE-2021-38647). The query primarily leverages the Network Session normalization schema(imNetworkSession) diff --git a/Solutions/Legacy IOC based Threat Protection/Hunting Queries/NylonTyphoonCommandLineActivity-Nov2021.yaml b/Solutions/Legacy IOC based Threat Protection/Hunting Queries/NylonTyphoonCommandLineActivity-Nov2021.yaml index ae2115dd01..8b2215bfda 100644 --- a/Solutions/Legacy IOC based Threat Protection/Hunting Queries/NylonTyphoonCommandLineActivity-Nov2021.yaml +++ b/Solutions/Legacy IOC based Threat Protection/Hunting Queries/NylonTyphoonCommandLineActivity-Nov2021.yaml 
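Review bot: The new summary in the NetworkConnectiontoOMIPorts hunk claims the query "detects attempts to exploit OMI vulnerability (CVE-2021-38647)", which overstates what the detailed text says it does: it lists inbound connections from external IPs to ports 5985/5986/1270, i.e. exposure of the OMI/WinRM management surface, not evidence that an exploit was attempted. An analyst triaging results will treat every hit as an exploit attempt, and the query body (outside the hunk) appears from the detailed description to be a port/IP filter only. I'd reword to `'This query identifies connections from external IP addresses to OMI management ports (5985, 5986, 1270), which may indicate attempts to reach hosts exposed to CVE-2021-38647. It primarily uses the imNetworkSession normalization schema.'`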
@@ -1,6 +1,8 @@ id: bb30abbc-9af6-4a37-9536-e9207e023989 name: Nylon Typhoon Command Line Activity November 2021 description: | + 'This query hunts for Nylon Typhoon-related activity, specifically data collection and staging. It looks for use of tools like xcopy and renamed archiving tools on hosts with observed signatures.' +description-detailed: | 'This hunting query looks for process command line activity related to data collection and staging observed by Nylon Typhoon. It hunts for use of tools such as xcopy and renamed archiving tools for data collection and staging purposes on the hosts with signatures observed related to Nylon Typhoon actor.' requiredDataConnectors: diff --git a/Solutions/Legacy IOC based Threat Protection/Hunting Queries/SolarWindsInventory.yaml b/Solutions/Legacy IOC based Threat Protection/Hunting Queries/SolarWindsInventory.yaml index 522c0eb28c..4b24133efc 100644 --- a/Solutions/Legacy IOC based Threat Protection/Hunting Queries/SolarWindsInventory.yaml +++ b/Solutions/Legacy IOC based Threat Protection/Hunting Queries/SolarWindsInventory.yaml 
@@ -1,7 +1,9 @@
 id: 278592b5-612b-48a4-bb38-4c01ff8ee2a5
 name: SolarWinds Inventory
 description: |
- 'Beyond your internal software management systems, it is possible you may not have visibility into your entire footprint of SolarWinds installations. This is intended to help use process exection information to discovery any systems that have SolarWinds processes'
+ 'Beyond your internal software management systems, it is possible you may not have visibility into your entire footprint of SolarWinds installations. This query helps discover any systems that have SolarWinds processes.'
+description-detailed: |
+ 'Beyond your internal software management systems, it is possible you may not have visibility into your entire footprint of SolarWinds installations. This is intended to help use process exection information to discovery any systems that have SolarWinds processes'
 requiredDataConnectors:
 - connectorId: SecurityEvents
 dataTypes:
diff --git a/Solutions/Legacy IOC based Threat Protection/Package/3.0.2.zip b/Solutions/Legacy IOC based Threat Protection/Package/3.0.2.zip
new file mode 100644
index 0000000000..b93a30271c
Binary files /dev/null and b/Solutions/Legacy IOC based Threat Protection/Package/3.0.2.zip differ
diff --git a/Solutions/Legacy IOC based Threat Protection/Package/createUiDefinition.json b/Solutions/Legacy IOC based Threat Protection/Package/createUiDefinition.json
index bb4939d987..4dcacebdb3 100644
--- a/Solutions/Legacy IOC based Threat Protection/Package/createUiDefinition.json
+++ b/Solutions/Legacy IOC based Threat Protection/Package/createUiDefinition.json
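Review bot: The added `description-detailed` line copies the old text verbatim, including the typos "exection" and "to discovery", so the long-form description that ships with the package still reads incorrectly while the short one was cleaned up. I would change the tail of that added line to `This is intended to help use process execution information to discover any systems that have SolarWinds processes.`. The short `description` also drops the mention that the query relies on process execution data; since that is what tells an analyst which telemetry the hunt needs (the `SecurityEvents` connector listed just below), keeping "process execution" in the summary would be clearer.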
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nMicrosoft Security Research, based on ongoing trends and exploits creates content that help identify existence of known IOCs based on known prevalent attacks and threat actor tactics/techniques, such as Nobelium, Gallium, Solorigate, etc. This solution contains packaged content written on some legacy IOCs that have been prevalent in the past but may still be relevant.\n\n**Pre-requisites:**\n\nThis is a [domain solution](https://learn.microsoft.com/azure/sentinel/sentinel-solutions-catalog#domain-solutions) and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution.\n\n1. [Squid Proxy](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-squidproxyazure-sentinel-solution-squidproxy)\n\n2. [Microsoft Windows DNS](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-dnsazure-sentinel-solution-dns)\n\n3. [Cisco ASA](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-ciscoasaazure-sentinel-solution-ciscoasa)\n\n4. [Palo Alto Networks](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-paloaltopanosazure-sentinel-solution-paloaltopanos)\n\n5. [Microsoft Defender XDR](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoft365defenderazure-sentinel-solution-microsoft365defender)\n\n6. 
[Azure Firewall](https://ms.portal.azure.com/#create/sentinel4azurefirewall.sentinel4azurefirewallsentinel4azurefirewall)\n\n7. [ZScaler Internet Access](https://ms.portal.azure.com/#create/zscaler1579058425289.zscaler_internet_access_msszia_msentinel_v1)\n\n8. [Infoblox NIOS](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-infobloxniosazure-sentinel-solution-infobloxnios)\n\n9. [Google Cloud Platform DNS](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-gcpdnsazure-sentinel-solution-gcpdns)\n\n10. [NXLog DNS](https://ms.portal.azure.com/#create/nxlogltd1589381969261.nxlog_dns_logsnxlog-dns-plan1)\n\n11. [Cisco Umbrella](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-ciscoumbrellaazure-sentinel-solution-ciscoumbrella)\n\n12. [Corelight ](https://ms.portal.azure.com/#create/corelightinc1584998267292.corelight-for-azure-sentinelcorelight-for-azure-sentinel-solution-template)\n\n13. [Amazon Web Services](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-amazonwebservicesazure-sentinel-solution-amazonwebservices)\n\n14. [Windows Forwarded Events](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-windowsforwardedeventsazure-sentinel-solution-windowsforwardedevents)\n\n15. [Sysmon for Linux](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-sysmonforlinuxazure-sentinel-solution-sysmonforlinux)\n\n16. [Microsoft 365](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-office365azure-sentinel-solution-office365)\n\n17. [Windows Security Events](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-securityeventsazure-sentinel-solution-securityevents)\n\n18. [Microsoft Entra ID](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-azureactivedirectoryazure-sentinel-solution-azureactivedirectory)\n\n19. 
[Azure Activity](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-azureactivityazure-sentinel-solution-azureactivity)\n\n20. [F5 Advanced WAF](https://ms.portal.azure.com/#create/f5-networks.f5_bigip_mssf5-big-ip)\n\n21. [Fortinet FortiGate](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-fortinetfortigateazure-sentinel-solution-fortinetfortigate)\n\n22. [Check Point](https://ms.portal.azure.com/#create/checkpoint.checkpoint-sentinel-solutionssentinel-1)\n\n23. [Common Event Format](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-commoneventformatazure-sentinel-solution-commoneventformat)\n\n24. [Windows Firewall](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-windowsfirewallazure-sentinel-solution-windowsfirewall)\n\n**Analytic Rules:** 35, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy%20IOC%20based%20Threat%20Protection/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nMicrosoft Security Research, based on ongoing trends and exploits creates content that help identify existence of known IOCs based on known prevalent attacks and threat actor tactics/techniques, such as Nobelium, Gallium, Solorigate, etc. This solution contains packaged content written on some legacy IOCs that have been prevalent in the past but may still be relevant.\n\n**Pre-requisites:**\n\nThis is a [domain solution](https://learn.microsoft.com/azure/sentinel/sentinel-solutions-catalog#domain-solutions) and does not include any data connectors. 
The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution.\n\n1. [Squid Proxy](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-squidproxyazure-sentinel-solution-squidproxy)\n\n2. [Windows Server DNS](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-dnsazure-sentinel-solution-dns)\n\n3. [Cisco ASA](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-ciscoasaazure-sentinel-solution-ciscoasa)\n\n4. [Palo Alto Networks](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-paloaltopanosazure-sentinel-solution-paloaltopanos)\n\n5. [Microsoft Defender XDR](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoft365defenderazure-sentinel-solution-microsoft365defender)\n\n6. [Azure Firewall](https://ms.portal.azure.com/#create/sentinel4azurefirewall.sentinel4azurefirewallsentinel4azurefirewall)\n\n7. [ZScaler Internet Access](https://ms.portal.azure.com/#create/zscaler1579058425289.zscaler_internet_access_msszia_msentinel_v1)\n\n8. [Infoblox NIOS](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-infobloxniosazure-sentinel-solution-infobloxnios)\n\n9. [Google Cloud Platform DNS](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-gcpdnsazure-sentinel-solution-gcpdns)\n\n10. [NXLog DNS](https://ms.portal.azure.com/#create/nxlogltd1589381969261.nxlog_dns_logsnxlog-dns-plan1)\n\n11. [Cisco Umbrella](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-ciscoumbrellaazure-sentinel-solution-ciscoumbrella)\n\n12. [Corelight ](https://ms.portal.azure.com/#create/corelightinc1584998267292.corelight-for-azure-sentinelcorelight-for-azure-sentinel-solution-template)\n\n13. 
[Amazon Web Services](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-amazonwebservicesazure-sentinel-solution-amazonwebservices)\n\n14. [Windows Forwarded Events](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-windowsforwardedeventsazure-sentinel-solution-windowsforwardedevents)\n\n15. [Sysmon for Linux](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-sysmonforlinuxazure-sentinel-solution-sysmonforlinux)\n\n16. [Microsoft 365](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-office365azure-sentinel-solution-office365)\n\n17. [Windows Security Events](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-securityeventsazure-sentinel-solution-securityevents)\n\n18. [Microsoft Entra ID](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-azureactivedirectoryazure-sentinel-solution-azureactivedirectory)\n\n19. [Azure Activity](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-azureactivityazure-sentinel-solution-azureactivity)\n\n20. [F5 Advanced WAF](https://ms.portal.azure.com/#create/f5-networks.f5_bigip_mssf5-big-ip)\n\n21. [Fortinet FortiGate](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-fortinetfortigateazure-sentinel-solution-fortinetfortigate)\n\n22. [Check Point](https://ms.portal.azure.com/#create/checkpoint.checkpoint-sentinel-solutionssentinel-1)\n\n23. [Common Event Format](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-commoneventformatazure-sentinel-solution-commoneventformat)\n\n24. 
[Windows Firewall](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-windowsfirewallazure-sentinel-solution-windowsfirewall)\n\n**Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -51,524 +51,6 @@ } ], "steps": [ - { - "name": "analytics", - "label": "Analytics", - "subLabel": { - "preValidation": "Configure the analytics", - "postValidation": "Done" - }, - "bladeTitle": "Analytics", - "elements": [ - { - "name": "analytics-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view." - } - }, - { - "name": "analytics-link", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more", - "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" - } - } - }, - { - "name": "analytic1", - "type": "Microsoft.Common.Section", - "label": "[Deprecated] - Aqua Blizzard Actor IOCs - Feb 2022", - "elements": [ - { - "name": "analytic1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy" - } - } - ] - }, - { - "name": "analytic2", - "type": "Microsoft.Common.Section", - "label": "[Deprecated] - Known Barium domains", - "elements": [ - { - "name": "analytic2-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. 
To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy" - } - } - ] - }, - { - "name": "analytic3", - "type": "Microsoft.Common.Section", - "label": "[Deprecated] -Known Barium IP", - "elements": [ - { - "name": "analytic3-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy" - } - } - ] - }, - { - "name": "analytic4", - "type": "Microsoft.Common.Section", - "label": "[Deprecated] - Known Ruby Sleet domains and hashes", - "elements": [ - { - "name": "analytic4-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy" - } - } - ] - }, - { - "name": "analytic5", - "type": "Microsoft.Common.Section", - "label": "[Deprecated] - Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021", - "elements": [ - { - "name": "analytic5-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy" - } - } - ] - }, - { - "name": "analytic6", - "type": "Microsoft.Common.Section", - "label": "[Deprecated] - DEV-0322 Serv-U related IOCs - July 2021", - "elements": [ - { - "name": "analytic6-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy" - } - } - ] - }, - { - "name": "analytic7", - "type": "Microsoft.Common.Section", - "label": "[Deprecated] - Dev-0530 IOC - July 2022", - "elements": [ - { - "name": "analytic7-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy" - } - } - ] - }, - { - "name": "analytic8", - "type": "Microsoft.Common.Section", - "label": "[Deprecated] - Cadet Blizzard Actor IOC - January 2022", - "elements": [ - { - "name": "analytic8-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy" - } - } - ] - }, - { - "name": "analytic9", - "type": "Microsoft.Common.Section", - "label": "[Deprecated] - Exchange Server Vulnerabilities Disclosed March 2021 IoC Match", - "elements": [ - { - "name": "analytic9-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy" - } - } - ] - }, - { - "name": "analytic10", - "type": "Microsoft.Common.Section", - "label": "[Deprecated] - Known Granite Typhoon domains and hashes", - "elements": [ - { - "name": "analytic10-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy" - } - } - ] - }, - { - "name": "analytic11", - "type": "Microsoft.Common.Section", - "label": "[Deprecated] - Silk Typhoon UM Service writing suspicious file", - "elements": [ - { - "name": "analytic11-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy" - } - } - ] - }, - { - "name": "analytic12", - "type": "Microsoft.Common.Section", - "label": "[Deprecated] - Hive Ransomware IOC - July 2022", - "elements": [ - { - "name": "analytic12-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy" - } - } - ] - }, - { - "name": "analytic13", - "type": "Microsoft.Common.Section", - "label": "[Deprecated] - Known Seashell Blizzard IP", - "elements": [ - { - "name": "analytic13-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy" - } - } - ] - }, - { - "name": "analytic14", - "type": "Microsoft.Common.Section", - "label": "[Deprecated] - Denim Tsunami AV Detection", - "elements": [ - { - "name": "analytic14-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy" - } - } - ] - }, - { - "name": "analytic15", - "type": "Microsoft.Common.Section", - "label": "[Deprecated] - Denim Tsunami C2 Domains July 2022", - "elements": [ - { - "name": "analytic15-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy" - } - } - ] - }, - { - "name": "analytic16", - "type": "Microsoft.Common.Section", - "label": "[Deprecated] - Denim Tsunami File Hashes July 2022", - "elements": [ - { - "name": "analytic16-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy" - } - } - ] - }, - { - "name": "analytic17", - "type": "Microsoft.Common.Section", - "label": "[Deprecated] - Known Mint Sandstorm group domains/IP - October 2020", - "elements": [ - { - "name": "analytic17-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy" - } - } - ] - }, - { - "name": "analytic18", - "type": "Microsoft.Common.Section", - "label": "[Deprecated] - Known Manganese IP and UserAgent activity", - "elements": [ - { - "name": "analytic18-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy" - } - } - ] - }, - { - "name": "analytic19", - "type": "Microsoft.Common.Section", - "label": "[Deprecated] - MSHTML vulnerability CVE-2021-40444 attack", - "elements": [ - { - "name": "analytic19-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy" - } - } - ] - }, - { - "name": "analytic20", - "type": "Microsoft.Common.Section", - "label": "[Deprecated] - Known Nylon Typhoon domains and hashes", - "elements": [ - { - "name": "analytic20-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy" - } - } - ] - }, - { - "name": "analytic21", - "type": "Microsoft.Common.Section", - "label": "[Deprecated] - Midnight Blizzard - Domain and IP IOCs - March 2021", - "elements": [ - { - "name": "analytic21-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy" - } - } - ] - }, - { - "name": "analytic22", - "type": "Microsoft.Common.Section", - "label": "[Deprecated] - Midnight Blizzard IOCs related to FoggyWeb backdoor", - "elements": [ - { - "name": "analytic22-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy" - } - } - ] - }, - { - "name": "analytic23", - "type": "Microsoft.Common.Section", - "label": "[Deprecated] - Midnight Blizzard - Domain, Hash and IP IOCs - May 2021", - "elements": [ - { - "name": "analytic23-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy" - } - } - ] - }, - { - "name": "analytic24", - "type": "Microsoft.Common.Section", - "label": "[Deprecated] - Known Phosphorus group domains/IP", - "elements": [ - { - "name": "analytic24-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy" - } - } - ] - }, - { - "name": "analytic25", - "type": "Microsoft.Common.Section", - "label": "[Deprecated] - Known Plaid Rain IP", - "elements": [ - { - "name": "analytic25-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy" - } - } - ] - }, - { - "name": "analytic26", - "type": "Microsoft.Common.Section", - "label": "[Deprecated] - Solorigate Network Beacon", - "elements": [ - { - "name": "analytic26-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy" - } - } - ] - }, - { - "name": "analytic27", - "type": "Microsoft.Common.Section", - "label": "[Deprecated] - Solorigate Domains Found in VM Insights", - "elements": [ - { - "name": "analytic27-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy" - } - } - ] - }, - { - "name": "analytic28", - "type": "Microsoft.Common.Section", - "label": "[Deprecated] - Caramel Tsunami Actor IOC - July 2021", - "elements": [ - { - "name": "analytic28-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy" - } - } - ] - }, - { - "name": "analytic29", - "type": "Microsoft.Common.Section", - "label": "[Deprecated] - Possible Forest Blizzard attempted credential harvesting - Oct 2020", - "elements": [ - { - "name": "analytic29-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy" - } - } - ] - }, - { - "name": "analytic30", - "type": "Microsoft.Common.Section", - "label": "[Deprecated] - SUNSPOT log file creation", - "elements": [ - { - "name": "analytic30-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy" - } - } - ] - }, - { - "name": "analytic31", - "type": "Microsoft.Common.Section", - "label": "[Deprecated] - Tarrask malware IOC - April 2022", - "elements": [ - { - "name": "analytic31-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy" - } - } - ] - }, - { - "name": "analytic32", - "type": "Microsoft.Common.Section", - "label": "[Deprecated] - Emerald Sleet domains included in DCU takedown", - "elements": [ - { - "name": "analytic32-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy" - } - } - ] - }, - { - "name": "analytic33", - "type": "Microsoft.Common.Section", - "label": "[Deprecated] - Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021", - "elements": [ - { - "name": "analytic33-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy" - } - } - ] - }, - { - "name": "analytic34", - "type": "Microsoft.Common.Section", - "label": "[Deprecated] - Known Diamond Sleet Comebacker and Klackring malware hashes", - "elements": [ - { - "name": "analytic34-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy" - } - } - ] - }, - { - "name": "analytic35", - "type": "Microsoft.Common.Section", - "label": "[Deprecated] - Known Diamond Sleet related maldoc hash", - "elements": [ - { - "name": "analytic35-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy" - } - } - ] - } - ] - }, { "name": "huntingqueries", "label": "Hunting Queries", 
@@ -614,7 +96,7 @@ "name": "huntingquery2-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software.\n The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor.\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\n This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization This hunting query depends on MicrosoftDefenderAdvancedThreatProtection data connector (SecurityAlert (MDATP) Parser or Table)" + "text": "This query hunts for command line activity linked to Dev-0322’s compromise of ZOHO ManageEngine ADSelfService Plus software. It focuses on commands used in post-exploitation activity. Hosts with higher risk scores should be prioritized. This hunting query depends on MicrosoftDefenderAdvancedThreatProtection data connector (SecurityAlert (MDATP) Parser or Table)" } } ] 
@@ -628,7 +110,7 @@ "name": "huntingquery3-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software.\n The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor.\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first. This hunting query depends on MicrosoftDefenderAdvancedThreatProtection MicrosoftThreatProtection data connector (SecurityAlert (MDATP) DeviceProcessEvents Parser or Table)" + "text": "This query hunts for command line activity linked to Dev-0322’s compromise of ZOHO ManageEngine ADSelfService Plus software. It focuses on commands used in post-exploitation activity. Hosts with higher risk scores should be prioritized. This hunting query depends on MicrosoftDefenderAdvancedThreatProtection MicrosoftThreatProtection data connector (SecurityAlert (MDATP) DeviceProcessEvents Parser or Table)" } } ] 
@@ -642,7 +124,7 @@ "name": "huntingquery4-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This hunting query looks for file creation events related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software.\n The files this query hunts for are dropped as part of the threat actors post exploitation activity. Some or all of the files may be dropped by the threat actor.\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\n This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization This hunting query depends on MicrosoftDefenderAdvancedThreatProtection data connector (SecurityAlert (MDATP) Parser or Table)" + "text": "This query hunts for file creation events linked to Dev-0322’s compromise of ZOHO ManageEngine ADSelfService Plus software. It focuses on files dropped during post-exploitation activity. Hosts with higher risk scores should be prioritized. This hunting query depends on MicrosoftDefenderAdvancedThreatProtection data connector (SecurityAlert (MDATP) Parser or Table)" } } ] 
@@ -656,7 +138,7 @@ "name": "huntingquery5-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This hunting query looks for file creation events related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software.\n The files this query hunts for are dropped as part of the threat actors post exploitation activity. Some or all of the files may be dropped by the threat actor.\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first. This hunting query depends on MicrosoftDefenderAdvancedThreatProtection MicrosoftThreatProtection data connector (SecurityAlert (MDATP) DeviceFileEvents DeviceProcessEvents Parser or Table)" + "text": "This query hunts for file creation events linked to Dev-0322’s compromise of ZOHO ManageEngine ADSelfService Plus software. It focuses on files dropped during post-exploitation activity. Hosts with higher risk scores should be prioritized. This hunting query depends on MicrosoftDefenderAdvancedThreatProtection MicrosoftThreatProtection data connector (SecurityAlert (MDATP) DeviceFileEvents DeviceProcessEvents Parser or Table)" } } ] 
@@ -670,7 +152,7 @@ "name": "huntingquery6-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This query identifies connection attempts from the external IP addresses to the management ports(5985,5986,1270) related to Open Management Infrastructure(OMI). \n OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. \n The query aims to find attacks targeting OMI vulnerability (CVE-2021-38647). The query primarily leverages the Network Session normalization schema(imNetworkSession) \n as well as a few other logs to look for this activity. The Network normalizing parsers can be deployed in a click using an ARM Template shared in the link below:\n Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093\n Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\n Reference: https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/ASimNetworkSession This hunting query depends on AzureNetworkWatcher AzureMonitor(VMInsights) AzureFirewall data connector (AzureNetworkAnalytics_CL VMConnection AzureDiagnostics Parser or Table)" + "text": "This query detects attempts to exploit OMI vulnerability (CVE-2021-38647) by identifying external IP connections to management ports (5985,5986,1270). It uses the imNetworkSession schema and other logs for this purpose. This hunting query depends on AzureNetworkWatcher AzureMonitor(VMInsights) AzureFirewall data connector (AzureNetworkAnalytics_CL VMConnection AzureDiagnostics Parser or Table)" } } ] 
@@ -684,7 +166,7 @@ "name": "huntingquery7-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This hunting query looks for process command line activity related to data collection and staging observed by Nylon Typhoon.\nIt hunts for use of tools such as xcopy and renamed archiving tools for data collection and staging purposes on the hosts with signatures observed related to Nylon Typhoon actor. This hunting query depends on MicrosoftDefenderAdvancedThreatProtection MicrosoftThreatProtection WindowsSecurityEvents WindowsForwardedEvents data connector (SecurityAlert (MDATP) DeviceProcessEvents SecurityEvent WindowsEvent Parser or Table)" + "text": "This query hunts for Nylon Typhoon-related activity, specifically data collection and staging. It looks for use of tools like xcopy and renamed archiving tools on hosts with observed signatures. This hunting query depends on MicrosoftDefenderAdvancedThreatProtection MicrosoftThreatProtection WindowsSecurityEvents WindowsForwardedEvents data connector (SecurityAlert (MDATP) DeviceProcessEvents SecurityEvent WindowsEvent Parser or Table)" } } ] 
@@ -712,7 +194,7 @@ "name": "huntingquery9-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Beyond your internal software management systems, it is possible you may not have visibility into your entire footprint of SolarWinds installations. This is intended to help use process exection information to discovery any systems that have SolarWinds processes This hunting query depends on SecurityEvents MicrosoftThreatProtection WindowsSecurityEvents WindowsForwardedEvents data connector (SecurityEvent DeviceProcessEvents SecurityEvents WindowsEvent Parser or Table)" + "text": "Beyond your internal software management systems, it is possible you may not have visibility into your entire footprint of SolarWinds installations. This query helps discover any systems that have SolarWinds processes. This hunting query depends on SecurityEvents MicrosoftThreatProtection WindowsSecurityEvents WindowsForwardedEvents data connector (SecurityEvent DeviceProcessEvents SecurityEvents WindowsEvent Parser or Table)" } } ] @@ -726,7 +208,7 @@ "name": "huntingquery10-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Matches domain name IOCs related to Forest Blizzard group activity with CommonSecurityLog and SecurityAlert dataTypes.\nThe query is scoped in the time window that these IOCs were active.\nReferences: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy. This hunting query depends on CiscoASA PaloAltoNetworks AzureSecurityCenter data connector (CommonSecurityLog CommonSecurityLog SecurityAlert Parser or Table)" + "text": "Matches domain name IOCs related to Forest Blizzard group activity with CommonSecurityLog and SecurityAlert dataTypes.\nThe query is scoped in the time window that these IOCs were active. This hunting query depends on CiscoASA PaloAltoNetworks AzureSecurityCenter data connector (CommonSecurityLog CommonSecurityLog SecurityAlert Parser or Table)" } } ] 
diff --git a/Solutions/Legacy IOC based Threat Protection/Package/mainTemplate.json b/Solutions/Legacy IOC based Threat Protection/Package/mainTemplate.json index 31b604a5e9..701bd72d7b 100644 --- a/Solutions/Legacy IOC based Threat Protection/Package/mainTemplate.json +++ b/Solutions/Legacy IOC based Threat Protection/Package/mainTemplate.json 
@@ -33,6805 +33,75 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Legacy IOC based Threat Protection", - "_solutionVersion": "3.0.1", + "_solutionVersion": "3.0.2", "solutionId": "azuresentinel.azure-sentinel-solution-ioclegacy", "_solutionId": "[variables('solutionId')]", - "analyticRuleVersion1": "2.0.0", - "analyticRulecontentId1": "825991eb-ea39-4590-9de2-ee97ef42eb93", - "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]", - "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]", - "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]", - "analyticRuleVersion2": "2.0.0", - "analyticRulecontentId2": "70b12a3b-4899-42cb-910c-5ffaf9d7997d", - "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]", - "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]", - "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', variables('analyticRuleVersion2'))))]", - "analyticRuleVersion3": "2.0.0", - "analyticRulecontentId3": "6ee72a9e-2e54-459c-bc9a-9c09a6502a63", - "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]", - "analyticRuleId3": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]", - "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3'))))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId3'),'-', variables('analyticRuleVersion3'))))]", - "analyticRuleVersion4": "2.0.0", - "analyticRulecontentId4": "c87fb346-ea3a-4c64-ba92-3dd383e0f0b5", - "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]", - "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]", - "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4'))))]", - "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId4'),'-', variables('analyticRuleVersion4'))))]", - "analyticRuleVersion5": "2.0.0", - "analyticRulecontentId5": "595a10c9-91be-4abb-bbc7-ae9c57848bef", - "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]", - "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]", - "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5'))))]", - "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId5'),'-', 
variables('analyticRuleVersion5'))))]", - "analyticRuleVersion6": "2.0.0", - "analyticRulecontentId6": "4759ddb4-2daf-43cb-b34e-d85b85b4e4a5", - "_analyticRulecontentId6": "[variables('analyticRulecontentId6')]", - "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]", - "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6'))))]", - "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId6'),'-', variables('analyticRuleVersion6'))))]", - "analyticRuleVersion7": "2.0.0", - "analyticRulecontentId7": "a172107d-794c-48c0-bc26-d3349fe10b4d", - "_analyticRulecontentId7": "[variables('analyticRulecontentId7')]", - "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId7'))]", - "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7'))))]", - "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId7'),'-', variables('analyticRuleVersion7'))))]", - "analyticRuleVersion8": "2.0.1", - "analyticRulecontentId8": "961b6a81-5c53-40b6-9800-4f661a8faea7", - "_analyticRulecontentId8": "[variables('analyticRulecontentId8')]", - "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId8'))]", - "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8'))))]", - 
"_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId8'),'-', variables('analyticRuleVersion8'))))]", - "analyticRuleVersion9": "2.0.0", - "analyticRulecontentId9": "d804b39c-03a4-417c-a949-bdbf21fa3305", - "_analyticRulecontentId9": "[variables('analyticRulecontentId9')]", - "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId9'))]", - "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9'))))]", - "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId9'),'-', variables('analyticRuleVersion9'))))]", - "analyticRuleVersion10": "2.0.0", - "analyticRulecontentId10": "26a3b261-b997-4374-94ea-6c37f67f4f39", - "_analyticRulecontentId10": "[variables('analyticRulecontentId10')]", - "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId10'))]", - "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId10'))))]", - "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId10'),'-', variables('analyticRuleVersion10'))))]", - "analyticRuleVersion11": "2.0.0", - "analyticRulecontentId11": "7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e", - "_analyticRulecontentId11": "[variables('analyticRulecontentId11')]", - "analyticRuleId11": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 
variables('analyticRulecontentId11'))]", - "analyticRuleTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId11'))))]", - "_analyticRulecontentProductId11": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId11'),'-', variables('analyticRuleVersion11'))))]", - "analyticRuleVersion12": "2.0.0", - "analyticRulecontentId12": "b2199398-8942-4b8c-91a9-b0a707c5d147", - "_analyticRulecontentId12": "[variables('analyticRulecontentId12')]", - "analyticRuleId12": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId12'))]", - "analyticRuleTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId12'))))]", - "_analyticRulecontentProductId12": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId12'),'-', variables('analyticRuleVersion12'))))]", - "analyticRuleVersion13": "2.0.0", - "analyticRulecontentId13": "7ee72a9e-2e54-459c-bc8a-8c08a6532a63", - "_analyticRulecontentId13": "[variables('analyticRulecontentId13')]", - "analyticRuleId13": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId13'))]", - "analyticRuleTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId13'))))]", - "_analyticRulecontentProductId13": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId13'),'-', variables('analyticRuleVersion13'))))]", - "analyticRuleVersion14": 
"2.0.0", - "analyticRulecontentId14": "9f9c1e51-4fb1-4510-a675-c7c2fb32f47e", - "_analyticRulecontentId14": "[variables('analyticRulecontentId14')]", - "analyticRuleId14": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId14'))]", - "analyticRuleTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId14'))))]", - "_analyticRulecontentProductId14": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId14'),'-', variables('analyticRuleVersion14'))))]", - "analyticRuleVersion15": "2.0.0", - "analyticRulecontentId15": "ce02935c-cc67-4b77-9b96-93d9947e119a", - "_analyticRulecontentId15": "[variables('analyticRulecontentId15')]", - "analyticRuleId15": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId15'))]", - "analyticRuleTemplateSpecName15": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId15'))))]", - "_analyticRulecontentProductId15": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId15'),'-', variables('analyticRuleVersion15'))))]", - "analyticRuleVersion16": "2.0.0", - "analyticRulecontentId16": "a779e2d5-9109-4f0a-a75e-f3d4f3c58560", - "_analyticRulecontentId16": "[variables('analyticRulecontentId16')]", - "analyticRuleId16": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId16'))]", - "analyticRuleTemplateSpecName16": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId16'))))]", - "_analyticRulecontentProductId16": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId16'),'-', variables('analyticRuleVersion16'))))]", - "analyticRuleVersion17": "2.0.0", - "analyticRulecontentId17": "7249500f-3038-4b83-8549-9cd8dfa2d498", - "_analyticRulecontentId17": "[variables('analyticRulecontentId17')]", - "analyticRuleId17": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId17'))]", - "analyticRuleTemplateSpecName17": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId17'))))]", - "_analyticRulecontentProductId17": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId17'),'-', variables('analyticRuleVersion17'))))]", - "analyticRuleVersion18": "2.0.0", - "analyticRulecontentId18": "a04cf847-a832-4c60-b687-b0b6147da219", - "_analyticRulecontentId18": "[variables('analyticRulecontentId18')]", - "analyticRuleId18": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId18'))]", - "analyticRuleTemplateSpecName18": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId18'))))]", - "_analyticRulecontentProductId18": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId18'),'-', variables('analyticRuleVersion18'))))]", - "analyticRuleVersion19": "2.0.0", - "analyticRulecontentId19": "972c89fa-c969-4d12-932f-04d55d145299", - "_analyticRulecontentId19": "[variables('analyticRulecontentId19')]", - "analyticRuleId19": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId19'))]", 
- "analyticRuleTemplateSpecName19": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId19'))))]", - "_analyticRulecontentProductId19": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId19'),'-', variables('analyticRuleVersion19'))))]", - "analyticRuleVersion20": "2.0.0", - "analyticRulecontentId20": "9122a9cb-916b-4d98-a199-1b7b0af8d598", - "_analyticRulecontentId20": "[variables('analyticRulecontentId20')]", - "analyticRuleId20": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId20'))]", - "analyticRuleTemplateSpecName20": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId20'))))]", - "_analyticRulecontentProductId20": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId20'),'-', variables('analyticRuleVersion20'))))]", - "analyticRuleVersion21": "2.0.0", - "analyticRulecontentId21": "bb8a3481-dd14-4e76-8dcc-bbec8776d695", - "_analyticRulecontentId21": "[variables('analyticRulecontentId21')]", - "analyticRuleId21": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId21'))]", - "analyticRuleTemplateSpecName21": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId21'))))]", - "_analyticRulecontentProductId21": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId21'),'-', variables('analyticRuleVersion21'))))]", - "analyticRuleVersion22": "3.0.0", - "analyticRulecontentId22": 
"c37711a4-5f44-4472-8afc-0679bc0ef966", - "_analyticRulecontentId22": "[variables('analyticRulecontentId22')]", - "analyticRuleId22": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId22'))]", - "analyticRuleTemplateSpecName22": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId22'))))]", - "_analyticRulecontentProductId22": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId22'),'-', variables('analyticRuleVersion22'))))]", - "analyticRuleVersion23": "2.0.0", - "analyticRulecontentId23": "677da133-e487-4108-a150-5b926591a92b", - "_analyticRulecontentId23": "[variables('analyticRulecontentId23')]", - "analyticRuleId23": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId23'))]", - "analyticRuleTemplateSpecName23": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId23'))))]", - "_analyticRulecontentProductId23": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId23'),'-', variables('analyticRuleVersion23'))))]", - "analyticRuleVersion24": "2.0.0", - "analyticRulecontentId24": "155f40c6-610d-497d-85fc-3cf06ec13256", - "_analyticRulecontentId24": "[variables('analyticRulecontentId24')]", - "analyticRuleId24": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId24'))]", - "analyticRuleTemplateSpecName24": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId24'))))]", - "_analyticRulecontentProductId24": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId24'),'-', variables('analyticRuleVersion24'))))]", - "analyticRuleVersion25": "2.0.0", - "analyticRulecontentId25": "95407904-0131-4918-bc49-ebf282ce149a", - "_analyticRulecontentId25": "[variables('analyticRulecontentId25')]", - "analyticRuleId25": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId25'))]", - "analyticRuleTemplateSpecName25": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId25'))))]", - "_analyticRulecontentProductId25": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId25'),'-', variables('analyticRuleVersion25'))))]", - "analyticRuleVersion26": "2.0.0", - "analyticRulecontentId26": "cecdbd4c-4902-403c-8d4b-32eb1efe460b", - "_analyticRulecontentId26": "[variables('analyticRulecontentId26')]", - "analyticRuleId26": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId26'))]", - "analyticRuleTemplateSpecName26": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId26'))))]", - "_analyticRulecontentProductId26": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId26'),'-', variables('analyticRuleVersion26'))))]", - "analyticRuleVersion27": "2.0.0", - "analyticRulecontentId27": "ab4b6944-a20d-42ab-8b63-238426525801", - "_analyticRulecontentId27": "[variables('analyticRulecontentId27')]", - "analyticRuleId27": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId27'))]", 
- "analyticRuleTemplateSpecName27": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId27'))))]", - "_analyticRulecontentProductId27": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId27'),'-', variables('analyticRuleVersion27'))))]", - "analyticRuleVersion28": "2.0.0", - "analyticRulecontentId28": "94749332-1ad9-49dd-a5ab-5ff2170788fc", - "_analyticRulecontentId28": "[variables('analyticRulecontentId28')]", - "analyticRuleId28": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId28'))]", - "analyticRuleTemplateSpecName28": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId28'))))]", - "_analyticRulecontentProductId28": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId28'),'-', variables('analyticRuleVersion28'))))]", - "analyticRuleVersion29": "2.0.0", - "analyticRulecontentId29": "68271db2-cbe9-4009-b1d3-bb3b5fe5713c", - "_analyticRulecontentId29": "[variables('analyticRulecontentId29')]", - "analyticRuleId29": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId29'))]", - "analyticRuleTemplateSpecName29": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId29'))))]", - "_analyticRulecontentProductId29": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId29'),'-', variables('analyticRuleVersion29'))))]", - "analyticRuleVersion30": "2.0.0", - "analyticRulecontentId30": 
"c0e84221-f240-4dd7-ab1e-37e034ea2a4e", - "_analyticRulecontentId30": "[variables('analyticRulecontentId30')]", - "analyticRuleId30": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId30'))]", - "analyticRuleTemplateSpecName30": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId30'))))]", - "_analyticRulecontentProductId30": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId30'),'-', variables('analyticRuleVersion30'))))]", - "analyticRuleVersion31": "2.0.0", - "analyticRulecontentId31": "caf78b95-d886-4ac3-957a-a7a3691ff4ed", - "_analyticRulecontentId31": "[variables('analyticRulecontentId31')]", - "analyticRuleId31": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId31'))]", - "analyticRuleTemplateSpecName31": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId31'))))]", - "_analyticRulecontentProductId31": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId31'),'-', variables('analyticRuleVersion31'))))]", - "analyticRuleVersion32": "2.0.0", - "analyticRulecontentId32": "70b12a3b-4896-42cb-910c-5ffaf8d7987d", - "_analyticRulecontentId32": "[variables('analyticRulecontentId32')]", - "analyticRuleId32": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId32'))]", - "analyticRuleTemplateSpecName32": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId32'))))]", - "_analyticRulecontentProductId32": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId32'),'-', variables('analyticRuleVersion32'))))]", - "analyticRuleVersion33": "2.0.0", - "analyticRulecontentId33": "d992b87b-eb49-4a9d-aa96-baacf9d26247", - "_analyticRulecontentId33": "[variables('analyticRulecontentId33')]", - "analyticRuleId33": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId33'))]", - "analyticRuleTemplateSpecName33": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId33'))))]", - "_analyticRulecontentProductId33": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId33'),'-', variables('analyticRuleVersion33'))))]", - "analyticRuleVersion34": "2.0.0", - "analyticRulecontentId34": "09551db0-e147-4a0c-9e7b-918f88847605", - "_analyticRulecontentId34": "[variables('analyticRulecontentId34')]", - "analyticRuleId34": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId34'))]", - "analyticRuleTemplateSpecName34": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId34'))))]", - "_analyticRulecontentProductId34": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId34'),'-', variables('analyticRuleVersion34'))))]", - "analyticRuleVersion35": "2.0.0", - "analyticRulecontentId35": "3174a9ec-d0ad-4152-8307-94ed04fa450a", - "_analyticRulecontentId35": "[variables('analyticRulecontentId35')]", - "analyticRuleId35": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId35'))]", 
- "analyticRuleTemplateSpecName35": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId35'))))]", - "_analyticRulecontentProductId35": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId35'),'-', variables('analyticRuleVersion35'))))]", - "huntingQueryVersion1": "1.0.0", - "huntingQuerycontentId1": "e2629949-2043-4421-8064-bca23c8491dd", - "_huntingQuerycontentId1": "[variables('huntingQuerycontentId1')]", - "huntingQueryId1": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId1'))]", - "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1'))))]", - "_huntingQuerycontentProductId1": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId1'),'-', variables('huntingQueryVersion1'))))]", - "huntingQueryVersion2": "1.0.0", - "huntingQuerycontentId2": "6bfea14f-2122-46b3-8f8b-3947e0fb6d92", - "_huntingQuerycontentId2": "[variables('huntingQuerycontentId2')]", - "huntingQueryId2": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId2'))]", - "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId2'))))]", - "_huntingQuerycontentProductId2": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId2'),'-', variables('huntingQueryVersion2'))))]", - "huntingQueryVersion3": "1.0.0", - "huntingQuerycontentId3": 
"78fa22f9-0c13-4847-bbe6-6a7aa1b47547", - "_huntingQuerycontentId3": "[variables('huntingQuerycontentId3')]", - "huntingQueryId3": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId3'))]", - "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId3'))))]", - "_huntingQuerycontentProductId3": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId3'),'-', variables('huntingQueryVersion3'))))]", - "huntingQueryVersion4": "1.0.0", - "huntingQuerycontentId4": "9b72769e-6ab1-4736-988b-018d92dc5e62", - "_huntingQuerycontentId4": "[variables('huntingQuerycontentId4')]", - "huntingQueryId4": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId4'))]", - "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId4'))))]", - "_huntingQuerycontentProductId4": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId4'),'-', variables('huntingQueryVersion4'))))]", - "huntingQueryVersion5": "1.0.0", - "huntingQuerycontentId5": "5bf2d4d8-ea03-4673-aaf8-716a61446022", - "_huntingQuerycontentId5": "[variables('huntingQuerycontentId5')]", - "huntingQueryId5": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId5'))]", - "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId5'))))]", - "_huntingQuerycontentProductId5": "[concat(take(variables('_solutionId'),50),'-','hq','-', 
uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId5'),'-', variables('huntingQueryVersion5'))))]", - "huntingQueryVersion6": "1.0.1", - "huntingQuerycontentId6": "767b8f6d-8029-4c92-afe1-282167d9d49a", - "_huntingQuerycontentId6": "[variables('huntingQuerycontentId6')]", - "huntingQueryId6": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId6'))]", - "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId6'))))]", - "_huntingQuerycontentProductId6": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId6'),'-', variables('huntingQueryVersion6'))))]", - "huntingQueryVersion7": "1.0.1", - "huntingQuerycontentId7": "bb30abbc-9af6-4a37-9536-e9207e023989", - "_huntingQuerycontentId7": "[variables('huntingQuerycontentId7')]", - "huntingQueryId7": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId7'))]", - "huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId7'))))]", - "_huntingQuerycontentProductId7": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId7'),'-', variables('huntingQueryVersion7'))))]", - "huntingQueryVersion8": "1.0.1", - "huntingQuerycontentId8": "f090f8f4a-b986-42d2-b536-e0795c723e25", - "_huntingQuerycontentId8": "[variables('huntingQuerycontentId8')]", - "huntingQueryId8": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId8'))]", - "huntingQueryTemplateSpecName8": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId8'))))]", - "_huntingQuerycontentProductId8": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId8'),'-', variables('huntingQueryVersion8'))))]", - "huntingQueryVersion9": "1.0.1", - "huntingQuerycontentId9": "278592b5-612b-48a4-bb38-4c01ff8ee2a5", - "_huntingQuerycontentId9": "[variables('huntingQuerycontentId9')]", - "huntingQueryId9": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId9'))]", - "huntingQueryTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId9'))))]", - "_huntingQuerycontentProductId9": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId9'),'-', variables('huntingQueryVersion9'))))]", - "huntingQueryVersion10": "1.0.2", - "huntingQuerycontentId10": "b8b7574f-1cd6-4308-822a-ab07256106f8", - "_huntingQuerycontentId10": "[variables('huntingQuerycontentId10')]", - "huntingQueryId10": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId10'))]", - "huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId10'))))]", - "_huntingQuerycontentProductId10": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId10'),'-', variables('huntingQueryVersion10'))))]", - "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', 
uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" - }, - "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "AquaBlizzardFeb2022_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId1')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy", - "displayName": "[Deprecated] - Aqua Blizzard Actor IOCs - Feb 2022", - "enabled": false, - "query": "let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet domains = (iocs | where Type =~ \"domainname\"| project IoC);\nlet sha256Hashes = (iocs | where Type =~ \"sha256\" | project IoC);\n(union isfuzzy=true\n(DeviceProcessEvents\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or (ProcessCommandLine has ('schtasks.exe /CREATE /sc minute /mo 12 /tn') and ProcessCommandLine has ('/tr \"wscript.exe') and ProcessCommandLine has ('\"%PUBLIC%\\\\Pictures\\\\') and ProcessCommandLine has ('//e:VBScript //b\" /F')) or (ProcessCommandLine has ('wscript.exe C:\\\\Users\\\\') and ProcessCommandLine has ('.wav') and ProcessCommandLine has ('//e:VBScript //b') \nor (ProcessCommandLine has_all (\"schtasks.exe\", \"create\", \"wscript\", \"e:vbscript\", \".wav\")))\n| project TimeGenerated, ActionType, DeviceId, DeviceName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCommandLine, FolderPath, InitiatingProcessFolderPath, ProcessId, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256, FileName\n| extend Account = AccountName, Computer = DeviceName, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \"InitiatingProcessSHA256\", SHA256 in (sha256Hashes), \"SHA256\", \"No Match\")\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = FileName, FileHashCustomEntity = case(FileHash == \"InitiatingProcessSHA256\", InitiatingProcessSHA256, FileHash == \"SHA256\", SHA256, \"No Match\"), 
AlgorithmCustomEntity = \"SHA256\"\n),\n( SecurityEvent\n| where EventID == 4688\n| where (CommandLine has ('schtasks.exe /CREATE /sc minute /mo 12 /tn') and CommandLine has ('/tr \"wscript.exe') and CommandLine has ('\"%PUBLIC%\\\\Pictures\\\\') and CommandLine has ('//e:VBScript //b\" /F')) or (CommandLine has ('wscript.exe C:\\\\Users\\\\') and CommandLine has ('.wav') and CommandLine has ('//e:VBScript //b'))\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\n),\n( CommonSecurityLog\n| where FileHash in (sha256Hashes)\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash, Account = SourceUserID, AlgorithmCustomEntity = \"SHA256\"\n),\n( imFileEvent\n| where Hash in~ (sha256Hashes) or (ActingProcessCommandLine has ('schtasks.exe /CREATE /sc minute /mo 12 /tn') and ActingProcessCommandLine has ('/tr \"wscript.exe') and ActingProcessCommandLine has ('\"%PUBLIC%\\\\Pictures\\\\') and ActingProcessCommandLine has ('//e:VBScript //b\" /F')) or (ActingProcessCommandLine has ('wscript.exe C:\\\\Users\\\\') and ActingProcessCommandLine has ('.wav') and ActingProcessCommandLine has ('//e:VBScript //b') \n or (ActingProcessCommandLine has_all (\"schtasks.exe\", \"create\", \"wscript\", \"e:vbscript\", \".wav\")))\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = Hash\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, FileHashCustomEntity = FileHash, AlgorithmCustomEntity = \"SHA256\"\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1\n| extend EvData = 
parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend Image = EventDetail.[4].[\"#text\"], CommandLine = EventDetail.[10].[\"#text\"], Hashes = tostring(EventDetail.[17].[\"#text\"])\n| extend Hashes = extract_all(@\"(?P\\w+)=(?P[a-zA-Z0-9]+)\", dynamic([\"key\",\"value\"]), Hashes)\n| extend Hashes = column_ifexists(\"Hashes\", \"\"), CommandLine = column_ifexists(\"CommandLine\", \"\")\n| extend Hashes = todynamic(Hashes) | mv-expand Hashes\n| where (Hashes[0] =~ \"SHA256\" and Hashes[1] has_any (sha256Hashes)) or (CommandLine has ('schtasks.exe /CREATE /sc minute /mo 12 /tn') and CommandLine has ('/tr \"wscript.exe') and CommandLine has ('\"%PUBLIC%\\\\Pictures\\\\') and CommandLine has ('//e:VBScript //b\" /F')) or (CommandLine has ('wscript.exe C:\\\\Users\\\\') and CommandLine has ('.wav') and CommandLine has ('//e:VBScript //b') or (CommandLine has_all (\"schtasks.exe\", \"create\", \"wscript\", \"e:vbscript\", \".wav\")))\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\n| extend Type = strcat(Type, \": \", Source)\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\\\', -1)[-1]), FileHashCustomEntity = tostring(Hashes[1]), AlgorithmCustomEntity = \"SHA256\"\n),\n(DnsEvents\n| where Name in~ (domains) \n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer \n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress\n),\n(VMConnection\n| where RemoteDnsCanonicalNames has_any (domains)\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\n| extend timestamp = TimeGenerated, IPCustomEntity = 
DestinationIp, File = ProcessName\n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| project TimeGenerated,Resource, msg_s, Type\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (domains) \n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| project TimeGenerated,Resource, msg_s, Type\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (domains)\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP\n),\n(AZFWApplicationRule\n| where isnotempty(Fqdn)\n| where Fqdn has_any (domains) \n| extend timestamp = TimeGenerated, DNSName = Fqdn, IPCustomEntity = SourceIp\n),\n(AZFWDnsQuery\n| where isnotempty(QueryName)\n| where QueryName has_any (domains)\n| extend timestamp = TimeGenerated, DNSName = QueryName, IPCustomEntity = SourceIp\n),\n(DeviceNetworkEvents \n| where isnotempty(RemoteUrl) \n| where RemoteUrl in~ (domains) \n| project Type, TimeGenerated, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessAccountName\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP\n)\n)\n", - "queryFrequency": "PT6H", - "queryPeriod": "PT6H", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, 
- "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "DNS", - "dataTypes": [ - "DnsEvents" - ] - }, - { - "connectorId": "AzureMonitor(VMInsights)", - "dataTypes": [ - "VMConnection" - ] - }, - { - "connectorId": "F5", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "CiscoASA", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "PaloAltoNetworks", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "Fortinet", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "CheckPoint", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "CEF", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "MicrosoftThreatProtection", - "dataTypes": [ - "DeviceNetworkEvents", - "DeviceProcessEvents" - ] - }, - { - "connectorId": "SecurityEvents", - "dataTypes": [ - "SecurityEvent" - ] - }, - { - "connectorId": "AzureFirewall", - "dataTypes": [ - "AzureDiagnostics", - "AZFWApplicationRule", - "AZFWDnsQuery" - ] - } - ], - "tactics": [ - "Persistence" - ], - "techniques": [ - "T1137" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "AccountCustomEntity" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "HostCustomEntity" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IPCustomEntity" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "identifier": "Algorithm", - "columnName": "AlgorithmCustomEntity" - }, - { - "identifier": "Value", - "columnName": "FileHashCustomEntity" - } - ], - "entityType": "FileHash" - }, - { - "fieldMappings": [ - { - "identifier": "ProcessId", - "columnName": "ProcessCustomEntity" - } - ], - "entityType": "Process" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - 
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]", - "properties": { - "description": "Legacy IOC based Threat Protection Analytics Rule 1", - "parentId": "[variables('analyticRuleId1')]", - "contentId": "[variables('_analyticRulecontentId1')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion1')]", - "source": { - "kind": "Solution", - "name": "Legacy IOC based Threat Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId1')]", - "contentKind": "AnalyticsRule", - "displayName": "[Deprecated] - Aqua Blizzard Actor IOCs - Feb 2022", - "contentProductId": "[variables('_analyticRulecontentProductId1')]", - "id": "[variables('_analyticRulecontentProductId1')]", - "version": "[variables('analyticRuleVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "BariumDomainIOC112020_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion2')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId2')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy", - "displayName": "[Deprecated] - Known Barium domains", - "enabled": false, - "query": "\nlet DomainNames = dynamic([\"0.ns1.dns-info.gq\", \"1.ns1.dns-info.gq\", \"10.ns1.dns-info.gq\", \"102.ns1.dns-info.gq\", \n \"104.ns1.dns-info.gq\", \"11.ns1.dns-info.gq\", \"110.ns1.dns-info.gq\", \"115.ns1.dns-info.gq\", \"116.ns1.dns-info.gq\", \n \"117.ns1.dns-info.gq\", \"118.ns1.dns-info.gq\", \"12.ns1.dns-info.gq\", \"120.ns1.dns-info.gq\", \"122.ns1.dns-info.gq\", \n \"123.ns1.dns-info.gq\", \"128.ns1.dns-info.gq\", \"13.ns1.dns-info.gq\", \"134.ns1.dns-info.gq\", \"135.ns1.dns-info.gq\", \n \"138.ns1.dns-info.gq\", \"14.ns1.dns-info.gq\", \"144.ns1.dns-info.gq\", \"15.ns1.dns-info.gq\", \"153.ns1.dns-info.gq\", \n \"157.ns1.dns-info.gq\", \"16.ns1.dns-info.gq\", \"17.ns1.dns-info.gq\", \"18.ns1.dns-info.gq\", \"19.ns1.dns-info.gq\", \n \"1a9604fa.ns1.feedsdns.com\", \"1c7606b6.ns1.steamappstore.com\", \"2.ns1.dns-info.gq\", \"20.ns1.dns-info.gq\", \n \"201.ns1.dns-info.gq\", 
\"202.ns1.dns-info.gq\", \"204.ns1.dns-info.gq\", \"207.ns1.dns-info.gq\", \"21.ns1.dns-info.gq\", \n \"210.ns1.dns-info.gq\", \"211.ns1.dns-info.gq\", \"216.ns1.dns-info.gq\", \"22.ns1.dns-info.gq\", \"220.ns1.dns-info.gq\", \n \"223.ns1.dns-info.gq\", \"23.ns1.dns-info.gq\", \"24.ns1.dns-info.gq\", \"25.ns1.dns-info.gq\", \"26.ns1.dns-info.gq\", \n \"27.ns1.dns-info.gq\", \"28.ns1.dns-info.gq\", \"29.ns1.dns-info.gq\", \"3.ns1.dns-info.gq\", \"30.ns1.dns-info.gq\", \n \"31.ns1.dns-info.gq\", \"32.ns1.dns-info.gq\", \"33.ns1.dns-info.gq\", \"34.ns1.dns-info.gq\", \"35.ns1.dns-info.gq\", \n \"36.ns1.dns-info.gq\", \"37.ns1.dns-info.gq\", \"39.ns1.dns-info.gq\", \"3d6fe4b2.ns1.steamappstore.com\", \n \"4.ns1.dns-info.gq\", \"40.ns1.dns-info.gq\", \"42.ns1.dns-info.gq\", \"43.ns1.dns-info.gq\", \"44.ns1.dns-info.gq\", \n \"45.ns1.dns-info.gq\", \"46.ns1.dns-info.gq\", \"48.ns1.dns-info.gq\", \"5.ns1.dns-info.gq\", \"50.ns1.dns-info.gq\", \n \"50417.service.gstatic.dnset.com\", \"51.ns1.dns-info.gq\", \"52.ns1.dns-info.gq\", \"53.ns1.dns-info.gq\",\n \"54.ns1.dns-info.gq\", \"55.ns1.dns-info.gq\", \"56.ns1.dns-info.gq\", \"57.ns1.dns-info.gq\", \"58.ns1.dns-info.gq\", \n \"6.ns1.dns-info.gq\", \"60.ns1.dns-info.gq\", \"62.ns1.dns-info.gq\", \"63.ns1.dns-info.gq\", \"64.ns1.dns-info.gq\", \n \"65.ns1.dns-info.gq\", \"67.ns1.dns-info.gq\", \"7.ns1.dns-info.gq\", \"70.ns1.dns-info.gq\", \"71.ns1.dns-info.gq\",\n \"73.ns1.dns-info.gq\", \"77.ns1.dns-info.gq\", \"77075.service.gstatic.dnset.com\", \"7c1947fa.ns1.steamappstore.com\",\n \"8.ns1.dns-info.gq\", \"81.ns1.dns-info.gq\", \"86.ns1.dns-info.gq\", \"87.ns1.dns-info.gq\", \"9.ns1.dns-info.gq\", \n \"94343.service.gstatic.dnset.com\", \"9939.service.gstatic.dnset.com\", \"aa.ns.mircosoftdoc.com\", \n \"aaa.feeds.api.ns1.feedsdns.com\", \"aaa.googlepublic.feeds.ns1.dns-info.gq\", \n \"aaa.resolution.174547._get.cache.up.sourcedns.tk\", \"acc.microsoftonetravel.com\", \n \"accounts.longmusic.com\", 
\"admin.dnstemplog.com\", \"agent.updatenai.com\", \n \"alibaba.zzux.com\", \"api.feedsdns.com\", \"app.portomnail.com\", \"asia.updatenai.com\", \n \"battllestategames.com\", \"bguha.serveuser.com\", \"binann-ce.com\", \"bing.dsmtp.com\", \n \"blog.cdsend.xyz\", \"brives.minivineyapp.com\", \"bsbana.dynamic-dns.net\", \n \"californiaforce.000webhostapp.com\", \"californiafroce.000webhostapp.com\", \n \"cdn.freetcp.com\", \"cdsend.xyz\", \"cipla.zzux.com\", \"cloudfeeddns.com\", \"comcleanner.info\",\n \"cs.microsoftsonline.net\", \"dns-info.gq\", \"dns05.cf\", \"dns22.ml\", \"dns224.com\", \n \"dnsdist.org\", \"dnstemplog.com\", \"doc.mircosoftdoc.com\", \"dropdns.com\", \n \"eshop.cdn.freetcp.com\", \"exchange.dumb1.com\", \"exchange.misecure.com\", \"exchange.mrbasic.com\",\n \"facebookdocs.com\", \"facebookint.com\", \"facebookvi.com\", \"feed.ns1.dns-info.gq\", \"feedsdns.com\", \n \"firejun.freeddns.com\", \"ftp.dns-info.dyndns.pro\", \"goallbandungtravel.com\", \"goodhk.azurewebsites.net\", \n \"googlepublic.feed.ns1.dns-info.gq\", \"gp.spotifylite.cloud\", \"gskytop.com\", \"gstatic.dnset.com\", \n \"gxxservice.com\", \"helpdesk.cdn.freetcp.com\", \"id.serveuser.com\", \"infestexe.com\", \"item.itemdb.com\",\n \"m.mircosoftdoc.com\", \"mail.transferdkim.xyz\", \"mcafee.updatenai.com\", \"mecgjm.mircosoftdoc.com\",\n \"microdocs.ga\", \"microsock.website\", \"microsocks.net\", \"microsoft.sendsmtp.com\", \n \"microsoftbook.dns05.com\", \"microsoftcontactcenter.com\", \"microsoftdocs.dns05.com\", \"microsoftdocs.ml\", \n \"microsoftonetravel.com\", \"microsoftonlines.net\", \"microsoftprod.com\", \"microsofts.dns1.us\", \"microsoftsonline.net\",\n \"minivineyapp.com\", \"mircosoftdoc.com\", \"mircosoftdocs.com\", \"mlcrosoft.ninth.biz\", \"mlcrosoft.site\", \n \"mm.portomnail.com\", \"msdnupdate.com\", \"msecdn.cloud\", \"mtnl1.dynamic-dns.net\", \"ns.gstatic.dnset.com\", \n \"ns.microsoftprod.com\", \"ns.steamappstore.com\", \"ns1.cdn.freetcp.com\", 
\"ns1.comcleanner.info\", \"ns1.dns-info.gq\", \n \"ns1.dns05.cf\", \"ns1.dnstemplog.com\", \"ns1.dropdns.com\", \"ns1.microsoftonetravel.com\", \n \"ns1.microsoftonlines.net\", \"ns1.microsoftprod.com\", \"ns1.microsoftsonline.net\", \"ns1.mlcrosoft.site\", \n \"ns1.teams.wikaba.com\", \"ns1.windowsdefende.com\", \"ns2.comcleanner.info\", \"ns2.dnstemplog.com\", \n \"ns2.microsoftonetravel.com\", \"ns2.microsoftprod.com\", \"ns2.microsoftsonline.net\", \"ns2.mlcrosoft.site\", \n \"ns2.windowsdefende.com\", \"ns3.microsoftprod.com\", \"ns3.mlcrosoft.site\", \"nutrition.mrbasic.com\", \n \"nutrition.youdontcare.com\", \"online.mlcrosoft.site\", \"online.msdnupdate.com\", \"outlookservce.site\", \n \"owa.jetos.com\", \"owa.otzo.com\", \"pornotime.co\", \"portomnail.com\", \n \"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com\", \"pricingdmdk.com\", \"prod.microsoftprod.com\", \n \"product.microsoftprod.com\", \"ptcl.yourtrap.com\", \"query.api.sourcedns.tk\", \"rb.itemdb.com\", \"redditcdn.com\", \n \"rss.otzo.com\", \"secure.msdnupdate.com\", \"service.dns22.ml\", \"service.gstatic.dnset.com\", \"service04.dns04.com\", \n \"settings.teams.wikaba.com\", \"sip.outlookservce.site\", \"sixindent.epizy.com\", \"soft.msdnupdate.com\", \"sourcedns.ml\", \n \"sourcedns.tk\", \"sport.msdnupdate.com\", \"spotifylite.cloud\", \"static.misecure.com\", \"steamappstore.com\", \n \"store.otzo.com\", \"survey.outlookservce.site\", \"team.itemdb.com\", \"temp221.com\", \"test.microsoftprod.com\", \n \"thisisaaa.000webhostapp.com\", \"token.dns04.com\", \"token.dns05.com\", \"transferdkim.xyz\", \n \"travelsanignacio.com\", \"update08.com\", \"updated08.com\", \"updatenai.com\", \"wantforspeed.com\",\n \"web.mircosoftdoc.com\", \"webmail.pornotime.co\", \"webwhois.team.itemdb.com\", \"windowsdefende.com\", \"wnswindows.com\",\n \"ashcrack.freetcp.com\", \"battllestategames.com\", \"binannce.com\", \"cdsend.xyz\", \"comcleanner.info\", \"microsock.website\", \n \"microsocks.net\", 
\"microsoftsonline.net\", \"mlcrosoft.site\", \"notify.serveuser.com\", \"ns1.microsoftprod.com\", \n \"ns2.microsoftprod.com\", \"pricingdmdk.com\", \"steamappstore.com\", \"update08.com\", \"wnswindows.com\", \n \"youtube.dns05.com\", \"z1.zalofilescdn.com\", \"z2.zalofilescdn.com\", \"zalofilescdn.com\"]); \n(union isfuzzy=true \n (CommonSecurityLog \n | parse Message with * '(' DNSName ')' * \n | where DNSName in~ (DomainNames) \n | extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \n ), \n (_Im_Dns (domain_has_any=DomainNames)\n | extend DNSName = DnsQuery \n | extend IPAddress = SrcIpAddr, Computer = Dvc\n ), \n (_Im_WebSession (url_has_any=DomainNames)\n | extend DNSName = tostring(parse_url(Url)[\"Host\"])\n | extend IPAddress = SrcIpAddr, Computer = Dvc\n ), \n (VMConnection \n | parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' * \n | where isnotempty(DNSName) \n | where DNSName in~ (DomainNames) \n | extend IPAddress = RemoteIp \n ), \n ( \n DeviceNetworkEvents \n | where isnotempty(RemoteUrl) \n | where RemoteUrl in~ (DomainNames) \n | extend IPAddress = RemoteIP \n | extend Computer = DeviceName \n ),\n (AzureDiagnostics \n | where ResourceType == \"AZUREFIREWALLS\"\n | where Category == \"AzureFirewallApplicationRule\"\n | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n | where isnotempty(DestinationHost)\n | where DestinationHost has_any (DomainNames) \n | extend DNSName = DestinationHost \n | extend IPCustomEntity = SourceHost\n ),\n (AzureDiagnostics\n | where ResourceType == \"AZUREFIREWALLS\"\n | where Category == \"AzureFirewallNetworkRule\"\n | where msg_s has_any (DomainNames)\n | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int *\n | parse kind=regex flags=U msg_s with * \". Action\\\\: \" Action1a \"\\\\.\"\n | parse msg_s with * \". 
Policy: \" Policy \". Rule Collection Group: \" RuleCollectionGroup \".\" *\n | parse msg_s with * \" Rule Collection: \" RuleCollection \". Rule: \" Rule \n | extend IPCustomEntity = SourceIP\n ),\n (AzureDiagnostics\n | where ResourceType == \"AZUREFIREWALLS\"\n | where Category == \"AzureFirewallDnsProxy\"\n | where msg_s has_any (DomainNames)\n | parse msg_s with \"DNS Request: \" SourceIP \":\" SourcePortInt:int \" - \" QueryID:int \" \" RequestType \" \" RequestClass \" \" hostname \". \" protocol \" \" details\n | extend\n ResponseDuration = extract(\"[0-9]*.?[0-9]+s$\", 0, msg_s),\n SourcePort = tostring(SourcePortInt),\n QueryID = tostring(QueryID)\n | project TimeGenerated,SourceIP,hostname,RequestType,ResponseDuration,details,msg_s\n | order by TimeGenerated\n | extend IPCustomEntity = SourceIP\n ),\n (AZFWApplicationRule\n | where Fqdn has_any (DomainNames)\n | extend IPCustomEntity = SourceIp\n ),\n (AZFWDnsQuery\n | where isnotempty(QueryName)\n | where QueryName has_any (DomainNames)\n | extend DNSName = QueryName\n | extend IPCustomEntity = SourceIp\n )\n ) \n | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress \n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "SquidProxy", - "dataTypes": [ - "SquidProxy_CL" - ] - }, - { - "connectorId": "DNS", - "dataTypes": [ - "DnsEvents" - ] - }, - { - "connectorId": "AzureMonitor(VMInsights)", - "dataTypes": [ - "VMConnection" - ] - }, - { - "connectorId": "CiscoASA", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "PaloAltoNetworks", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "MicrosoftThreatProtection", - "dataTypes": [ - "DeviceNetworkEvents" - ] - }, - { - 
"connectorId": "AzureFirewall", - "dataTypes": [ - "AzureDiagnostics", - "AZFWApplicationRule", - "AZFWDnsQuery" - ] - }, - { - "connectorId": "Zscaler", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "InfobloxNIOS", - "dataTypes": [ - "Syslog" - ] - }, - { - "connectorId": "GCPDNSDataConnector", - "dataTypes": [ - "GCP_DNS_CL" - ] - }, - { - "connectorId": "NXLogDnsLogs", - "dataTypes": [ - "NXLog_DNS_Server_CL" - ] - }, - { - "connectorId": "CiscoUmbrellaDataConnector", - "dataTypes": [ - "Cisco_Umbrella_dns_CL" - ] - }, - { - "connectorId": "Corelight", - "dataTypes": [ - "Corelight_CL" - ] - } - ], - "tactics": [ - "CommandAndControl" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "AccountCustomEntity" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "HostCustomEntity" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IPCustomEntity" - } - ], - "entityType": "IP" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]", - "properties": { - "description": "Legacy IOC based Threat Protection Analytics Rule 2", - "parentId": "[variables('analyticRuleId2')]", - "contentId": "[variables('_analyticRulecontentId2')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion2')]", - "source": { - "kind": "Solution", - "name": "Legacy IOC based Threat Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } 
- } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId2')]", - "contentKind": "AnalyticsRule", - "displayName": "[Deprecated] - Known Barium domains", - "contentProductId": "[variables('_analyticRulecontentProductId2')]", - "id": "[variables('_analyticRulecontentProductId2')]", - "version": "[variables('analyticRuleVersion2')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName3')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "BariumIPIOC112020_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion3')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId3')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. 
This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy", - "displayName": "[Deprecated] -Known Barium IP", - "enabled": false, - "query": "let IPList = dynamic([\"216.24.185.74\", \"107.175.189.159\", \"192.210.132.102\", \"67.230.163.214\", \n \"199.19.110.240\", \"107.148.130.176\", \"154.212.129.218\", \"172.86.75.54\", \"45.61.136.199\", \n \"149.28.150.195\", \"108.61.214.194\", \"144.202.98.198\", \"149.28.84.98\", \"103.99.209.78\", \n \"45.61.136.2\", \"176.122.162.149\", \"192.3.80.245\", \"149.28.23.32\", \"107.182.18.149\", \"107.174.45.134\", \n \"149.248.18.104\", \"65.49.192.74\", \"156.255.2.154\", \"45.76.6.149\", \"8.9.11.130\", \"140.238.27.255\", \n \"107.182.24.70\", \"176.122.188.254\", \"192.161.161.108\", \"64.64.234.24\", \"104.224.185.36\", \n \"104.233.224.227\", \"104.36.69.105\", \"119.28.139.120\", \"161.117.39.130\", \"66.42.100.42\", \"45.76.31.159\", \n \"149.248.8.134\", \"216.24.182.48\", \"66.42.103.222\", \"218.89.236.11\", \"180.150.227.249\", \"47.75.80.23\",\n \"124.156.164.19\", \"149.248.62.83\", \"150.109.76.174\", \"222.209.187.207\", \"218.38.191.38\", \n \"119.28.226.59\", \"66.42.98.220\", \"74.82.201.8\", \"173.242.122.198\", \"45.32.130.72\", \"89.35.178.10\", \n \"89.43.60.113\"]); \n(union isfuzzy=true \n(CommonSecurityLog \n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"Message\") \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \n| extend timestamp = StartTimeUtc, IPCustomEntity = 
case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"IP in Message Field\") \n), \n(OfficeActivity \n|extend SourceIPAddress = ClientIP, Account = UserId \n| where SourceIPAddress in (IPList) \n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \n),\n(_Im_Dns (response_has_any_prefix=IPList)\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \n), \n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\n | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Hostname, AccountCustomEntity=User\n), \n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = Hostname , AccountCustomEntity = User\n), \n(WireData \n| where isnotempty(RemoteIP) \n| where RemoteIP in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \n), \n(SigninLogs \n| where isnotempty(IPAddress) \n| where IPAddress in (IPList) \n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \n),\n(AADNonInteractiveUserSignInLogs \n| where isnotempty(IPAddress) \n| where IPAddress in (IPList) \n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \n), \n(W3CIISLog \n| where isnotempty(cIP) \n| where cIP in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \n), \n(AzureActivity \n| where isnotempty(CallerIpAddress) \n| where CallerIpAddress in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \n), \n( \nAWSCloudTrail \n| where isnotempty(SourceIpAddress) \n| where SourceIpAddress in (IPList) \n| extend timestamp = 
TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \n), \n( \nDeviceNetworkEvents \n| where isnotempty(RemoteIP) \n| where RemoteIP in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \n),\n(\nAzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (IPList) \n| extend DestinationIP = DestinationHost \n| extend IPCustomEntity = SourceHost\n),\n(\nAzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallNetworkRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (IPList) \n| extend DestinationIP = DestinationHost \n| extend IPCustomEntity = SourceHost\n),\n(\nAZFWApplicationRule\n| where Fqdn has_any (IPList)\n| extend IPCustomEntity = SourceIp\n),\n(\nAZFWNetworkRule\n| where DestinationIp has_any (IPList)\n| extend IPCustomEntity = SourceIp\n)\n) \n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AWSS3", - "datatypes": [ - "AWSVPCFlow" - ] - }, - { - "connectorId": "WindowsForwardedEvents", - "dataTypes": [ - "WindowsEvent" - ] - }, - { - "connectorId": "MicrosoftSysmonForLinux", - "dataTypes": [ - "Syslog" - ] - }, - { - "connectorId": "Office365", - "dataTypes": [ - "OfficeActivity" - ] - }, - { - "connectorId": "DNS", - "dataTypes": [ - "DnsEvents" - ] - }, - { - "connectorId": 
"AzureMonitor(VMInsights)", - "dataTypes": [ - "VMConnection" - ] - }, - { - "connectorId": "CiscoASA", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "PaloAltoNetworks", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "SecurityEvents", - "dataTypes": [ - "SecurityEvent" - ] - }, - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "SigninLogs" - ] - }, - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AADNonInteractiveUserSignInLogs" - ] - }, - { - "connectorId": "AzureMonitor(WireData)", - "dataTypes": [ - "WireData" - ] - }, - { - "connectorId": "AzureMonitor(IIS)", - "dataTypes": [ - "W3CIISLog" - ] - }, - { - "connectorId": "AzureActivity", - "dataTypes": [ - "AzureActivity" - ] - }, - { - "connectorId": "AWS", - "dataTypes": [ - "AWSCloudTrail" - ] - }, - { - "connectorId": "MicrosoftThreatProtection", - "dataTypes": [ - "DeviceNetworkEvents" - ] - }, - { - "connectorId": "AzureFirewall", - "dataTypes": [ - "AzureDiagnostics", - "AZFWApplicationRule", - "AZFWNetworkRule" - ] - }, - { - "connectorId": "Zscaler", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "InfobloxNIOS", - "dataTypes": [ - "Syslog" - ] - }, - { - "connectorId": "GCPDNSDataConnector", - "dataTypes": [ - "GCP_DNS_CL" - ] - }, - { - "connectorId": "NXLogDnsLogs", - "dataTypes": [ - "NXLog_DNS_Server_CL" - ] - }, - { - "connectorId": "CiscoUmbrellaDataConnector", - "dataTypes": [ - "Cisco_Umbrella_dns_CL" - ] - }, - { - "connectorId": "Corelight", - "dataTypes": [ - "Corelight_CL" - ] - } - ], - "tactics": [ - "CommandAndControl" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "AccountCustomEntity" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "HostCustomEntity" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IPCustomEntity" - 
} - ], - "entityType": "IP" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]", - "properties": { - "description": "Legacy IOC based Threat Protection Analytics Rule 3", - "parentId": "[variables('analyticRuleId3')]", - "contentId": "[variables('_analyticRulecontentId3')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion3')]", - "source": { - "kind": "Solution", - "name": "Legacy IOC based Threat Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId3')]", - "contentKind": "AnalyticsRule", - "displayName": "[Deprecated] -Known Barium IP", - "contentProductId": "[variables('_analyticRulecontentProductId3')]", - "id": "[variables('_analyticRulecontentProductId3')]", - "version": "[variables('analyticRuleVersion3')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName4')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": 
"RubySleetOct292020IOCs_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion4')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId4')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy", - "displayName": "[Deprecated] - Known Ruby Sleet domains and hashes", - "enabled": false, - "query": "let DomainNames = \"miniodaum.ml\";\nlet SHA256Hash = dynamic ([\"53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0dfd44771762257\", \"0897c80df8b80b4c49bf1ccf876f5f782849608b830c3b5cb3ad212dc3e19eff\"]);\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| where isnotempty(FileHash)\n| where FileHash in (SHA256Hash) or DNSName =~ DomainNames\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\n),\n (_Im_Dns (domain_has_any=DomainNames)\n| extend DNSName = DnsQuery \n| extend IPAddress = SrcIpAddr, Computer = Dvc\n), \n(_Im_WebSession(url_has_any=DomainNames) \n| extend DNSName = tostring(parse_url(Url)[\"Host\"])\n| extend IPAddress = SrcIpAddr, Account=User\n),\n(VMConnection \n| parse 
RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(DNSName)\n| where DNSName =~ DomainNames\n| extend IPAddress = RemoteIp\n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend DNSName = DestinationHost \n| extend IPCustomEntity = SourceHost\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallNetworkRule\"\n| where msg_s has_any (DomainNames)\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int *\n| parse kind=regex flags=U msg_s with * \". Action\\\\: \" Action1a \"\\\\.\"\n| parse msg_s with * \". Policy: \" Policy \". Rule Collection Group: \" RuleCollectionGroup \".\" *\n| parse msg_s with * \" Rule Collection: \" RuleCollection \". Rule: \" Rule \n| extend IPCustomEntity = SourceIP\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| where msg_s has_any (DomainNames)\n| parse msg_s with \"DNS Request: \" SourceIP \":\" SourcePortInt:int \" - \" QueryID:int \" \" RequestType \" \" RequestClass \" \" hostname \". 
\" protocol \" \" details\n| extend\n ResponseDuration = extract(\"[0-9]*.?[0-9]+s$\", 0, msg_s),\n SourcePort = tostring(SourcePortInt),\n QueryID = tostring(QueryID)\n| project TimeGenerated,SourceIP,hostname,RequestType,ResponseDuration,details,msg_s\n| order by TimeGenerated\n| extend IPCustomEntity = SourceIP\n),\n(AZFWApplicationRule\n| where Fqdn has_any (DomainNames)\n| extend IPCustomEntity = SourceIp\n),\n(AZFWDnsQuery\n| where isnotempty(QueryName)\n| where QueryName has_any (DomainNames)\n| extend DNSName = QueryName\n| extend IPCustomEntity = SourceIp\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "SquidProxy", - "dataTypes": [ - "SquidProxy_CL" - ] - }, - { - "connectorId": "DNS", - "dataTypes": [ - "DnsEvents" - ] - }, - { - "connectorId": "AzureMonitor(VMInsights)", - "dataTypes": [ - "VMConnection" - ] - }, - { - "connectorId": "CiscoASA", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "PaloAltoNetworks", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "AzureFirewall", - "dataTypes": [ - "AzureDiagnostics", - "AZFWApplicationRule", - "AZFWDnsQuery" - ] - }, - { - "connectorId": "Zscaler", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "InfobloxNIOS", - "dataTypes": [ - "Syslog" - ] - }, - { - "connectorId": "GCPDNSDataConnector", - "dataTypes": [ - "GCP_DNS_CL" - ] - }, - { - "connectorId": "NXLogDnsLogs", - "dataTypes": [ - "NXLog_DNS_Server_CL" - ] - }, - { - "connectorId": "CiscoUmbrellaDataConnector", - "dataTypes": [ - "Cisco_Umbrella_dns_CL" - ] - }, - { - "connectorId": "Corelight", - "dataTypes": [ - "Corelight_CL" - ] - } 
- ], - "tactics": [ - "CommandAndControl", - "CredentialAccess" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "AccountCustomEntity" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "HostCustomEntity" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IPCustomEntity" - } - ], - "entityType": "IP" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]", - "properties": { - "description": "Legacy IOC based Threat Protection Analytics Rule 4", - "parentId": "[variables('analyticRuleId4')]", - "contentId": "[variables('_analyticRulecontentId4')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion4')]", - "source": { - "kind": "Solution", - "name": "Legacy IOC based Threat Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId4')]", - "contentKind": "AnalyticsRule", - "displayName": "[Deprecated] - Known Ruby Sleet domains and hashes", - "contentProductId": "[variables('_analyticRulecontentProductId4')]", - "id": "[variables('_analyticRulecontentProductId4')]", - "version": "[variables('analyticRuleVersion4')]" - } - }, - { - "type": 
"Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName5')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "ChiaCryptoMining_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion5')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId5')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy", - "displayName": "[Deprecated] - Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021", - "enabled": false, - "query": "let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet process = (iocs | where Type =~ \"process\" | project IoC);\nlet sha256Hashes = (iocs | where Type =~ \"sha256\" | project IoC);\nlet IPList = (iocs | where Type =~ \"ip\"| project IoC);\nlet domains = (iocs | where Type =~ \"domainname\"| project IoC);\nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\n(union isfuzzy=true\n(CommonSecurityLog\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (IPList)\n| parse Message with * '(' DNSName ')' * \n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type\n| extend MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, RequestURL)\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", MessageIP in (IPList), \"Message\", RequestURL has_any (domains), \"RequestUrl\", \"NoMatch\"), AlertDetail = 'Chia crypto IOC detected'\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, IPMatch == \"Message\", MessageIP, \"NoMatch\"), Account = SourceUserID\n),\n(DnsEvents\n| where IPAddresses in (IPList) or Name in~ (domains) \n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer\n| extend timestamp = TimeGenerated, IPEntity = 
DestinationIPAddress\n),\n(VMConnection\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (domains)\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", \"None\") \n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"NoMatch\"), File = ProcessName\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 3\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend SourceIP = tostring(EventDetail.[9].[\"#text\"]), DestinationIP = tostring(EventDetail.[14].[\"#text\"]), Image = tostring(EventDetail.[4].[\"#text\"])\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Image has_any (process)\n| project TimeGenerated, SourceIP, DestinationIP, Image, Account = UserName, Computer, Type\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\") \n| extend timestamp = TimeGenerated, File = tostring(split(Image, '\\\\', -1)[-1]), IPEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n| extend FilePath = replace_string(Image, File, '')\n), \n(OfficeActivity\n| where ClientIP in (IPList) \n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, Type\n| extend timestamp = TimeGenerated, IPEntity = ClientIP, Account = UserId\n),\n(DeviceNetworkEvents\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) or InitiatingProcessFileName has_any (process)\n| project TimeGenerated, ActionType, DeviceId, Computer = 
DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\n| extend timestamp = TimeGenerated, IPEntity = RemoteIP\n),\n(WindowsFirewall\n| where SourceIP in (IPList) or DestinationIP in (IPList) \n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\")\n| extend timestamp = TimeGenerated, Computer, IPEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| project TimeGenerated,Resource, msg_s, Type\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (domains) or ClientIP in (IPList)\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPEntity = ClientIP\n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| project TimeGenerated,Resource, msg_s, Type\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (domains) \n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPEntity = SourceHost\n),\n(AZFWApplicationRule\n| where isnotempty (Fqdn)\n| where Fqdn has_any (domains)\n| extend timestamp = TimeGenerated\n| extend DNSName = Fqdn\n| extend IPEntity = SourceIp\n),\n(AZFWDnsQuery\n| where isnotempty(QueryName)\n| where QueryName has_any (domains) or SourceIp in (IPList)\n| extend timestamp = TimeGenerated\n| extend DNSName = QueryName\n| extend IPEntity = SourceIp\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| where EventDetail has_any (sha256Hashes) \n| parse EventDetail with * 'SHA256=' SHA256 '\",' *\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\n| extend Type = strcat(Type, \": \", Source), Account = UserName, FileHash = SHA256, Image = tostring(EventDetail.[4].[\"#text\"])\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, '\\\\', -1)[-1]), FileHashAlgo = 'SHA256'\n| extend FilePath = replace_string(Image, File, '')\n),\n(DeviceFileEvents\n| where InitiatingProcessFolderPath has_any (process)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = 'SHA256'\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, 
'')\n),\n(CommonSecurityLog\n| where FileHash in (sha256Hashes)\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\n| extend timestamp = TimeGenerated, FileHashAlgo = 'SHA256', Account = SourceUserID\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| project TimeGenerated, EventDetail, UserName, Computer, Type\n| extend Image = tostring(EventDetail.[4].[\"#text\"]), CommandLine = tostring(EventDetail.[10].[\"#text\"]), Account = UserName, FileHash = tostring(EventDetail.[17].[\"#text\"])\n| where Image has_any (process)\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, '\\\\', -1)[-1]), FileHashAlgo = 'SHA256'\n| extend FilePath= replace_string(Image, File, '')\n),\n(DeviceEvents\n| where InitiatingProcessFileName has_any (process) or InitiatingProcessSHA256 in~ (sha256Hashes)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = 'SHA256'\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, '')\n),\n(SecurityEvent\n| where EventID == '4688'\n| where NewProcessName has_any (process)\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(NewProcessName, '\\\\', -1)[-1])\n| extend FilePath = replace_string(NewProcessName, File, 
'')\n)\n)\n| extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash\n", - "queryFrequency": "PT6H", - "queryPeriod": "PT6H", - "severity": "Low", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "DNS", - "dataTypes": [ - "DnsEvents" - ] - }, - { - "connectorId": "AzureMonitor(VMInsights)", - "dataTypes": [ - "VMConnection" - ] - }, - { - "connectorId": "F5", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "CiscoASA", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "PaloAltoNetworks", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "Fortinet", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "CheckPoint", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "CEF", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "MicrosoftThreatProtection", - "dataTypes": [ - "DeviceNetworkEvents", - "DeviceFileEvents", - "DeviceEvents" - ] - }, - { - "connectorId": "SecurityEvents", - "dataTypes": [ - "SecurityEvent" - ] - }, - { - "connectorId": "Office365", - "dataTypes": [ - "OfficeActivity" - ] - }, - { - "connectorId": "AzureFirewall", - "dataTypes": [ - "AzureDiagnostics", - "AZFWApplicationRule", - "AZFWDnsQuery" - ] - }, - { - "connectorId": "WindowsFirewall", - "dataTypes": [ - "WindowsFirewall" - ] - } - ], - "tactics": [ - "Impact" - ], - "techniques": [ - "T1496" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "AccountCustomEntity" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "HostCustomEntity" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { 
- "identifier": "Address", - "columnName": "IPCustomEntity" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "FileCustomEntity" - }, - { - "identifier": "Directory", - "columnName": "FilePathCustomEntity" - } - ], - "entityType": "File" - }, - { - "fieldMappings": [ - { - "identifier": "Algorithm", - "columnName": "FileHashAlgo" - }, - { - "identifier": "Value", - "columnName": "FileHashCustomEntity" - } - ], - "entityType": "FileHash" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]", - "properties": { - "description": "Legacy IOC based Threat Protection Analytics Rule 5", - "parentId": "[variables('analyticRuleId5')]", - "contentId": "[variables('_analyticRulecontentId5')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion5')]", - "source": { - "kind": "Solution", - "name": "Legacy IOC based Threat Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId5')]", - "contentKind": "AnalyticsRule", - "displayName": "[Deprecated] - Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021", - "contentProductId": "[variables('_analyticRulecontentProductId5')]", - "id": "[variables('_analyticRulecontentProductId5')]", - "version": 
"[variables('analyticRuleVersion5')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName6')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "DEV-0322_SolarWinds_Serv-U_IOC_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion6')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId6')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy", - "displayName": "[Deprecated] - DEV-0322 Serv-U related IOCs - July 2021", - "enabled": false, - "query": "let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet process = (iocs | where Type =~ \"process\" | project IoC);\nlet parentprocess = (iocs | where Type =~ \"parentprocess\" | project IoC);\nlet IPList = (iocs | where Type =~ \"ip\"| project IoC);\nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\n(union isfuzzy=true\n(CommonSecurityLog\n| where SourceIP in (IPList) or DestinationIP in (IPList) or RequestURL has_any (IPList) or Message has_any (IPList)\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", MessageIP in (IPList), \"Message\", RequestURL in (IPList), \"RequestUrl\",\"NoMatch\"), AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, IPMatch == \"Message\", MessageIP, IPMatch == \"RequestUrl\", RequestURL, \"NoMatch\"), AccountCustomEntity = SourceUserID\n),\n(DnsEvents\n| where IPAddresses in (IPList) \n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer , AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\n),\n(VMConnection\n| where SourceIp in (IPList) or DestinationIp in (IPList)\n| parse RemoteDnsCanonicalNames with * 
'[\"' DNSName '\"]' *\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", \"None\") , AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"NoMatch\"), HostCustomEntity = Computer, ProcessCustomEntity = ProcessName\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 3\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend SourceIP = EventDetail.[9].[\"#text\"], DestinationIP = EventDetail.[14].[\"#text\"], Image = EventDetail.[4].[\"#text\"]\n| where SourceIP in (IPList) or DestinationIP in (IPList) \n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\") , AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\\\', -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n), \n(OfficeActivity\n| where ClientIP in (IPList) \n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = 'Dev-0322 IOC match', Type\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\n),\n(DeviceNetworkEvents\n| where RemoteIP in (IPList)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, 
InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, AlertDetail = 'Dev-0322 IOC match', UrlCustomEntity =RemoteUrl, ProcessCustomEntity = InitiatingProcessFileName\n),\n(WindowsFirewall\n| where SourceIP in (IPList) or DestinationIP in (IPList) \n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\"), AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallNetworkRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (IPList) \n| extend DestinationIP = DestinationHost \n| extend IPCustomEntity = DestinationHost\n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| project TimeGenerated,Resource, msg_s\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost in (IPList)\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = DestinationHost, AlertDetail = 'Dev-0322 IOC match'\n),\n(\nAZFWApplicationRule\n| where Fqdn has_any (IPList)\n| extend IPCustomEntity = SourceIp\n),\n(\nAZFWNetworkRule\n| where DestinationIp has_any (IPList)\n| extend IPCustomEntity = SourceIp\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend ParentImage = EventDetail.[20].[\"#text\"], Image = EventDetail.[4].[\"#text\"]\n| where ( ParentImage has_any (parentprocess) and Image has_any (process))\n| parse EventDetail with * 'SHA256=' SHA256 '\",' *\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256,Image, ParentImage \n| extend Type = strcat(Type, \": \", Source), Account = UserName, FileHash = SHA256, AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, '\\\\', -1)[-1]), AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(DeviceFileEvents\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type, CommandLineIP\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, 
AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\n),\n(DeviceEvents\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\n),\n(DeviceProcessEvents\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP, AccountName\n| extend Account = AccountName, Computer = DeviceName, IPAddress = CommandLineIP, CommandLine = InitiatingProcessCommandLine, FileHash = 
InitiatingProcessSHA256, AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash, IPCustomEntity = IPAddress\n),\n( SecurityEvent\n| where EventID == 4688\n| extend CommandLineIP = extract(IPRegex, 0, CommandLine)\n| where CommandLineIP in (IPList) or (NewProcessName has_any (process) and ParentProcessName has_any (parentprocess))\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, CommandLine, CommandLineIP\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP\n)\n)\n", - "queryFrequency": "PT6H", - "queryPeriod": "PT6H", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "DNS", - "dataTypes": [ - "DnsEvents" - ] - }, - { - "connectorId": "AzureMonitor(VMInsights)", - "dataTypes": [ - "VMConnection" - ] - }, - { - "connectorId": "F5", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "CiscoASA", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "PaloAltoNetworks", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "Fortinet", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "CheckPoint", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "CEF", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "MicrosoftThreatProtection", - "dataTypes": [ - "DeviceNetworkEvents", - "DeviceFileEvents", - "DeviceEvents", - "DeviceProcessEvents" - ] - }, - { - "connectorId": "SecurityEvents", - "dataTypes": [ - 
"SecurityEvent" - ] - }, - { - "connectorId": "Office365", - "dataTypes": [ - "OfficeActivity" - ] - }, - { - "connectorId": "AzureFirewall", - "dataTypes": [ - "AzureDiagnostics", - "AZFWApplicationRule", - "AZFWNetworkRule" - ] - }, - { - "connectorId": "WindowsFirewall", - "dataTypes": [ - "WindowsFirewall" - ] - } - ], - "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1190" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "AccountCustomEntity" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "HostCustomEntity" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IPCustomEntity" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "identifier": "ProcessId", - "columnName": "ProcessCustomEntity" - } - ], - "entityType": "Process" - }, - { - "fieldMappings": [ - { - "identifier": "Algorithm", - "columnName": "AlgorithmCustomEntity" - }, - { - "identifier": "Value", - "columnName": "FileHashCustomEntity" - } - ], - "entityType": "FileHash" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]", - "properties": { - "description": "Legacy IOC based Threat Protection Analytics Rule 6", - "parentId": "[variables('analyticRuleId6')]", - "contentId": "[variables('_analyticRulecontentId6')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion6')]", - "source": { - "kind": "Solution", - "name": "Legacy IOC based Threat Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", 
- "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId6')]", - "contentKind": "AnalyticsRule", - "displayName": "[Deprecated] - DEV-0322 Serv-U related IOCs - July 2021", - "contentProductId": "[variables('_analyticRulecontentProductId6')]", - "id": "[variables('_analyticRulecontentProductId6')]", - "version": "[variables('analyticRuleVersion6')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName7')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dev-0530_July2022_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion7')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId7')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. 
To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy", - "displayName": "[Deprecated] - Dev-0530 IOC - July 2022", - "enabled": false, - "query": "let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Dev-0530_July2022.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet sha256Hashes = (iocs | where Type =~ \"sha256\" | project IoC);\nlet IPList = (iocs | where Type =~ \"ip\"| project IoC);\n(union isfuzzy=true \n(DeviceProcessEvents\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or ( InitiatingProcessCommandLine has ('cmd.exe /Q /c schtasks /create /tn lockertask /tr') \nand InitiatingProcessCommandLine has ('sc minute /mo 1 /F /ru system'))\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256\n| extend Account = AccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \"InitiatingProcessSHA256\", SHA256 in (sha256Hashes), \"SHA256\", \"No Match\")\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = case(FileHash == \"InitiatingProcessSHA256\", InitiatingProcessSHA256, FileHash == \"SHA256\", SHA256, \"No Match\")\n),\n( 
SecurityEvent\n| where EventID == 4688\n| where ( CommandLine has ('cmd.exe /Q /c schtasks /create /tn lockertask /tr') and CommandLine has ('/sc minute /mo 1 /F /ru system'))\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID, CommandLine\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\n),\n( imFileEvent\n| where Hash in~ (sha256Hashes) or ( ActingProcessCommandLine has ('cmd.exe /Q /c schtasks /create /tn lockertask /tr') and ActingProcessCommandLine has ('/sc minute /mo 1 /F /ru system'))\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, FileHashCustomEntity = FileHash\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend Image = EventDetail.[4].[\"#text\"], CommandLine = EventDetail.[10].[\"#text\"], Hashes = tostring(EventDetail.[17].[\"#text\"])\n| extend Hashes = extract_all(@\"(?P\\w+)=(?P[a-zA-Z0-9]+)\", dynamic([\"key\",\"value\"]), Hashes)\n| extend Hashes = column_ifexists(\"Hashes\", \"\"), CommandLine = column_ifexists(\"CommandLine\", \"\")\n| extend Hashes = todynamic(Hashes) | mv-expand Hashes\n| where Hashes[0] =~ \"SHA256\"\n| where (Hashes[1] has_any (sha256Hashes)) or ( CommandLine has ('cmd.exe /Q /c schtasks /create /tn lockertask /tr') and CommandLine has ('/sc minute /mo 1 /F /ru system')) \n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\n| extend Type = strcat(Type, \": \", Source)\n| extend timestamp = TimeGenerated, HostCustomEntity = 
Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\\\', -1)[-1]), FileHashCustomEntity = tostring(Hashes[1])\n),\n(DeviceFileEvents\n| where SHA256 has_any (sha256Hashes)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\n),\n(EmailEvents\n| where SenderFromAddress == 'H0lyGh0st@mail2tor.com'\n| extend timestamp = TimeGenerated, IPCustomEntity = SenderIPv4, AccountCustomEntity = SenderFromAddress \n),\n(CommonSecurityLog \n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) or FileHash in (sha256Hashes)\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"Message\") \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch , FileHash\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"IP in Message Field\"), FileHashCustomEntity = FileHash\n), \n(OfficeActivity \n|extend SourceIPAddress = ClientIP, Account = UserId \n| where SourceIPAddress in (IPList) \n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account 
\n),\n(SigninLogs \n| where isnotempty(IPAddress) \n| where IPAddress in (IPList) \n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \n),\n(AADNonInteractiveUserSignInLogs \n| where isnotempty(IPAddress) \n| where IPAddress in (IPList) \n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \n), \n(W3CIISLog \n| where isnotempty(cIP) \n| where cIP in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \n), \n(AzureActivity \n| where isnotempty(CallerIpAddress) \n| where CallerIpAddress in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \n), \n( \nAWSCloudTrail \n| where isnotempty(SourceIpAddress) \n| where SourceIpAddress in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \n), \n( \nDeviceNetworkEvents \n| where isnotempty(RemoteIP) \n| where RemoteIP in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \n),\n(\nAzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (IPList) \n| extend DestinationIP = DestinationHost \n| extend IPCustomEntity = SourceHost\n),\n(\nAzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallNetworkRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (IPList) \n| extend DestinationIP = DestinationHost \n| extend IPCustomEntity = SourceHost\n),\n(\nAZFWApplicationRule\n| where Fqdn has_any (IPList)\n| extend IPCustomEntity = SourceIp\n),\n(\nAZFWNetworkRule\n| where DestinationIp has_any (IPList)\n| extend IPCustomEntity = SourceIp\n)\n)\n", - "queryFrequency": "PT12H", - "queryPeriod": "PT12H", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "CiscoASA", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "PaloAltoNetworks", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "MicrosoftThreatProtection", - "dataTypes": [ - "DeviceFileEvents", - "DeviceProcessEvents", - "DeviceNetworkEvents", - "EmailEvents" - ] - }, - { - "connectorId": "SecurityEvents", - "dataTypes": [ - "SecurityEvent" - ] - }, - { - "connectorId": "Office365", - "dataTypes": [ - "OfficeActivity" - ] - }, - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "SigninLogs" - ] - }, - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AADNonInteractiveUserSignInLogs" - ] - }, - { - "connectorId": "AzureMonitor(IIS)", - "dataTypes": [ - "W3CIISLog" - ] - }, - { - "connectorId": "AzureActivity", - "dataTypes": [ - "AzureActivity" - ] - }, - { - "connectorId": "AWS", - "dataTypes": [ - "AWSCloudTrail" - ] - }, - { - "connectorId": "AzureFirewall", - "dataTypes": [ - "AzureDiagnostics", - "AZFWApplicationRule", - "AZFWNetworkRule" - ] - } - ], - "tactics": [ - "Impact" - ], - "techniques": [ - "T1486" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "AccountCustomEntity" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": 
"HostCustomEntity" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IPCustomEntity" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "identifier": "Algorithm", - "columnName": "AlgorithmCustomEntity" - }, - { - "identifier": "Value", - "columnName": "FileHashCustomEntity" - } - ], - "entityType": "FileHash" - }, - { - "fieldMappings": [ - { - "identifier": "ProcessId", - "columnName": "ProcessCustomEntity" - } - ], - "entityType": "Process" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]", - "properties": { - "description": "Legacy IOC based Threat Protection Analytics Rule 7", - "parentId": "[variables('analyticRuleId7')]", - "contentId": "[variables('_analyticRulecontentId7')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion7')]", - "source": { - "kind": "Solution", - "name": "Legacy IOC based Threat Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId7')]", - "contentKind": "AnalyticsRule", - "displayName": "[Deprecated] - Dev-0530 IOC - July 2022", - "contentProductId": "[variables('_analyticRulecontentProductId7')]", - "id": "[variables('_analyticRulecontentProductId7')]", - "version": 
"[variables('analyticRuleVersion7')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName8')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "CadetBlizzard_Jan2022_IOC_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion8')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId8')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy", - "displayName": "[Deprecated] - Cadet Blizzard Actor IOC - January 2022", - "enabled": false, - "query": "let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0586.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet sha256Hashes = (iocs | where Type =~ \"sha256\" | project IoC);\nlet Command_Line = (iocs | where Type =~ \"CommandLine\" | project IoC);\n(union isfuzzy=true\n(DeviceProcessEvents\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or ( InitiatingProcessCommandLine has ('127.0.0.1\\\\ADMIN$') and InitiatingProcessCommandLine has_any (Command_Line))\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256\n| extend Account = AccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \"InitiatingProcessSHA256\", SHA256 in (sha256Hashes), \"SHA256\", \"No Match\")\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = case(FileHash == \"InitiatingProcessSHA256\", InitiatingProcessSHA256, FileHash == \"SHA256\", SHA256, \"No Match\"), AlgorithmCustomEntity = \"SHA256\"\n),\n( SecurityEvent\n| where EventID == 4688\n| where ( CommandLine has (@'127.0.0.1\\\\ADMIN$') and CommandLine has_any (Command_Line))\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID\n| extend timestamp = TimeGenerated, 
HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\n),\n( CommonSecurityLog\n| where FileHash in (sha256Hashes)\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash, Account = SourceUserID, AlgorithmCustomEntity = \"SHA256\"\n),\n( imFileEvent\n| where Hash in~ (sha256Hashes) or ( ActingProcessCommandLine has ('127.0.0.1\\\\ADMIN$') and ActingProcessCommandLine has_any (Command_Line))\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, FileHashCustomEntity = FileHash, AlgorithmCustomEntity = \"SHA256\"\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend Image = EventDetail.[4].[\"#text\"], CommandLine = EventDetail.[10].[\"#text\"], Hashes = tostring(EventDetail.[17].[\"#text\"])\n| extend Hashes = extract_all(@\"(?P\\w+)=(?P[a-zA-Z0-9]+)\", dynamic([\"key\",\"value\"]), Hashes)\n| extend Hashes = column_ifexists(\"Hashes\", \"\"), CommandLine = column_ifexists(\"CommandLine\", \"\")\n| extend Hashes = todynamic(Hashes) | mv-expand Hashes\n| where (Hashes[0] =~ \"SHA256\" and Hashes[1] has_any (sha256Hashes)) or ( CommandLine has ('127.0.0.1\\\\ADMIN$') and CommandLine has_any (Command_Line)) \n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\n| extend Type = strcat(Type, \": \", Source)\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\\\', -1)[-1]), FileHashCustomEntity = 
tostring(Hashes[1]), AlgorithmCustomEntity = \"SHA256\"\n)\n)\n", - "queryFrequency": "PT6H", - "queryPeriod": "PT6H", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "CiscoASA", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "PaloAltoNetworks", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "MicrosoftThreatProtection", - "dataTypes": [ - "DeviceProcessEvents" - ] - }, - { - "connectorId": "SecurityEvents", - "dataTypes": [ - "SecurityEvent" - ] - }, - { - "connectorId": "WindowsSecurityEvents", - "dataTypes": [ - "SecurityEvent" - ] - } - ], - "tactics": [ - "Impact" - ], - "techniques": [ - "T1561" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "AccountCustomEntity" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "ProcessId", - "columnName": "ProcessCustomEntity" - } - ], - "entityType": "Process" - }, - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "HostCustomEntity" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "identifier": "Algorithm", - "columnName": "AlgorithmCustomEntity" - }, - { - "identifier": "Value", - "columnName": "FileHashCustomEntity" - } - ], - "entityType": "FileHash" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]", - "properties": { - "description": "Legacy IOC based Threat Protection Analytics Rule 8", - "parentId": "[variables('analyticRuleId8')]", - "contentId": "[variables('_analyticRulecontentId8')]", - "kind": "AnalyticsRule", - "version": 
"[variables('analyticRuleVersion8')]", - "source": { - "kind": "Solution", - "name": "Legacy IOC based Threat Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId8')]", - "contentKind": "AnalyticsRule", - "displayName": "[Deprecated] - Cadet Blizzard Actor IOC - January 2022", - "contentProductId": "[variables('_analyticRulecontentProductId8')]", - "id": "[variables('_analyticRulecontentProductId8')]", - "version": "[variables('analyticRuleVersion8')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName9')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "ExchangeServerVulnerabilitiesMarch2021IoCs_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion9')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId9')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": 
"[parameters('workspace-location')]", - "properties": { - "description": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy", - "displayName": "[Deprecated] - Exchange Server Vulnerabilities Disclosed March 2021 IoC Match", - "enabled": false, - "query": "let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\n[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet file_paths = (iocs | where Type =~ \"filepath\" | project IoC);\nlet sha256s = (iocs | where Type =~ \"sha256\" | project IoC);\nlet ips = (iocs | where Type =~ \"ip\" | project IoC);\nlet domains = (iocs | where Type =~ \"domainname\" | project IoC);\nlet dyndomains = todynamic(toscalar((domains | summarize make_set(IoC))));\nunion isfuzzy=true\n(SecurityEvent\n| where EventID == 4663\n| where ObjectName in (file_paths)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n),\n(WindowsEvent\n| where EventID == 4663 and EventData has_any (file_paths)\n| extend ObjectName = tostring(EventData.ObjectName) \n| where ObjectName in (file_paths)\n| extend Account = strcat(tostring(EventData.SubjectDomainName), \"\\\\\", tostring(EventData.SubjectUserName))\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n),\n(imFileEvent\n| where TargetFileName in 
(file_paths)\n or\n TargetFileSHA256 in (sha256s)\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\n),\n(DeviceFileEvents\n| where FolderPath in (file_paths)\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\n),\n(DeviceEvents\n| where InitiatingProcessSHA256 in (sha256s)\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\n),\n (CommonSecurityLog\n| where FileHash in (sha256s)\n| extend timestamp = TimeGenerated\n),\n(Event // File iocs\n//This query uses sysmon data depending on table name used this may need updating\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend Hashes = EventDetail.[16].[\"#text\"]\n| where isnotempty(Hashes)\n| parse Hashes with * 'SHA256=' SHA256 ',' *\n| where SHA256 in~ (sha256s)\n| extend Type = strcat(Type, \": \", Source), Account = UserName, FileHash = Hashes\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n),\n(CommonSecurityLog\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\n| where (SourceIP in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL has_any (domains))\n| extend IPMatch = case(SourceIP in (ips), \"SourceIP\", DestinationIP in (ips), \"DestinationIP\", \"Message\")\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"IP in Message Field\")\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 3\n| extend EvData = 
parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend SourceIP = EventDetail.[9].[\"#text\"], DestinationIP = EventDetail.[14].[\"#text\"]\n| where SourceIP in (ips) or DestinationIP in (ips)\n| extend IPMatch = case( SourceIP in (ips), \"SourceIP\", DestinationIP in (ips), \"DestinationIP\", \"None\")\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n),\n(WireData\n| where isnotempty(RemoteIP)\n| where RemoteIP in (ips)\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer\n),\n(W3CIISLog\n| where isnotempty(cIP)\n| where cIP in (ips)\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\n),\n(\nWindowsFirewall\n| where SourceIP in (ips) or DestinationIP in (ips)\n| extend IPMatch = case( SourceIP in (ips), \"SourceIP\", DestinationIP in (ips), \"DestinationIP\", \"None\")\n),\n(\n _Im_NetworkSession(srcipaddr_has_any_prefix=ips) \n | extend IPCustomEntity = SrcIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname\n),\n (\n _Im_NetworkSession(dstipaddr_has_any_prefix=ips) \n | extend IPCustomEntity = DstIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname\n),\n(_Im_Dns(domain_has_any=dyndomains)\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\n)\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AWSS3", - "datatypes": [ - "AWSVPCFlow" - ] - }, - { - "connectorId": "WindowsForwardedEvents", - "dataTypes": [ - "WindowsEvent" - ] - }, - { - "connectorId": "AzureMonitor(IIS)", - "dataTypes": [ 
- "W3CIISLog" - ] - }, - { - "connectorId": "AzureMonitor(WireData)", - "dataTypes": [ - "WireData" - ] - }, - { - "connectorId": "CheckPoint", - "dataTypes": [ - "CommonSecurityLog (CheckPoint)" - ] - }, - { - "connectorId": "CiscoASA", - "dataTypes": [ - "CommonSecurityLog (Cisco)" - ] - }, - { - "connectorId": "CEF", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "F5", - "dataTypes": [ - "CommonSecurityLog (F5)" - ] - }, - { - "connectorId": "Fortinet", - "dataTypes": [ - "CommonSecurityLog (Fortinet)" - ] - }, - { - "connectorId": "PaloAltoNetworks", - "dataTypes": [ - "CommonSecurityLog (PaloAlto)" - ] - }, - { - "connectorId": "SecurityEvents", - "dataTypes": [ - "SecurityEvents" - ] - }, - { - "connectorId": "WindowsFirewall", - "dataTypes": [ - "WindowsFirewall" - ] - }, - { - "connectorId": "DNS", - "dataTypes": [ - "DnsEvents" - ] - }, - { - "connectorId": "Zscaler", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "InfobloxNIOS", - "dataTypes": [ - "Syslog" - ] - }, - { - "connectorId": "MicrosoftSysmonForLinux", - "dataTypes": [ - "Syslog" - ] - }, - { - "connectorId": "GCPDNSDataConnector", - "dataTypes": [ - "GCP_DNS_CL" - ] - }, - { - "connectorId": "WindowsForwardedEvents", - "dataTypes": [ - "WindowsEvent" - ] - }, - { - "connectorId": "NXLogDnsLogs", - "dataTypes": [ - "NXLog_DNS_Server_CL" - ] - }, - { - "connectorId": "CiscoUmbrellaDataConnector", - "dataTypes": [ - "Cisco_Umbrella_dns_CL" - ] - }, - { - "connectorId": "Corelight", - "dataTypes": [ - "Corelight_CL" - ] - } - ], - "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1190" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IPCustomEntity" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "AccountCustomEntity" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": 
"HostCustomEntity" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IPCustomEntity" - } - ], - "entityType": "IP" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]", - "properties": { - "description": "Legacy IOC based Threat Protection Analytics Rule 9", - "parentId": "[variables('analyticRuleId9')]", - "contentId": "[variables('_analyticRulecontentId9')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion9')]", - "source": { - "kind": "Solution", - "name": "Legacy IOC based Threat Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId9')]", - "contentKind": "AnalyticsRule", - "displayName": "[Deprecated] - Exchange Server Vulnerabilities Disclosed March 2021 IoC Match", - "contentProductId": "[variables('_analyticRulecontentProductId9')]", - "id": "[variables('_analyticRulecontentProductId9')]", - "version": "[variables('analyticRuleVersion9')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName10')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "GraniteTyphoonIOCs_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion10')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId10')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy", - "displayName": "[Deprecated] - Known Granite Typhoon domains and hashes", - "enabled": false, - "query": "let DomainNames = dynamic([\"asyspy256.ddns.net\",\"hotkillmail9sddcc.ddns.net\",\"rosaf112.ddns.net\",\"cvdfhjh1231.myftp.biz\",\"sz2016rose.ddns.net\",\"dffwescwer4325.myftp.biz\",\"cvdfhjh1231.ddns.net\"]);\nlet SHA1Hash = dynamic ([\"53a44c2396d15c3a03723fa5e5db54cafd527635\", \"9c5e496921e3bc882dc40694f1dcc3746a75db19\", \"aeb573accfd95758550cf30bf04f389a92922844\", \"79ef78a797403a4ed1a616c68e07fff868a8650a\", \"4f6f38b4cec35e895d91c052b1f5a83d665c2196\", \"1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d\", \"e841a63e47361a572db9a7334af459ddca11347a\", \"c28f606df28a9bc8df75a4d5e5837fc5522dd34d\", \"2e94b305d6812a9f96e6781c888e48c7fb157b6b\", \"dd44133716b8a241957b912fa6a02efde3ce3025\", \"8793bf166cb89eb55f0593404e4e933ab605e803\", \"a39b57032dbb2335499a51e13470a7cd5d86b138\", \"41cc2b15c662bc001c0eb92f6cc222934f0beeea\", \"d209430d6af54792371174e70e27dd11d3def7a7\", \"1c6452026c56efd2c94cea7e0f671eb55515edb0\", \"c6b41d3afdcdcaf9f442bbe772f5da871801fd5a\", \"4923d460e22fbbf165bbbaba168e5a46b8157d9f\", \"f201504bd96e81d0d350c3a8332593ee1c9e09de\", \"ddd2db1127632a2a52943a2fe516a2e7d05d70d2\"]);\nlet SHA256Hash = dynamic ([\"9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd\", \"7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b\", \"657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5\", \"2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29\", \"52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77\", \"a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3\", \"5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022\", \"6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883\", \"3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e\", 
\"1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7\", \"fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1\", \"7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c\", \"178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945\", \"51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9\", \"889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79\", \"332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf\", \"44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08\", \"63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef\", \"056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070\"]);\nlet SigNames = dynamic([\"TrojanDropper:Win32/BlackMould.A!dha\", \"Trojan:Win32/BlackMould.B!dha\", \"Trojan:Win32/QuarkBandit.A!dha\", \"Trojan:Win32/Sidelod.A!dha\"]);\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| where isnotempty(FileHash)\n| where FileHash in (SHA256Hash) or DNSName in~ (DomainNames)\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\n),\n( _Im_Dns(domain_has_any=DomainNames)\n| extend DNSName = DnsQuery\n| extend IPAddress = SrcIpAddr\n),\n(VMConnection \n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(DNSName)\n| where DNSName in~ (DomainNames)\n| extend IPAddress = RemoteIp\n),\n(Event\n//This query uses sysmon data depending on table name used this may need updataing\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend Hashes = EventDetail.[16].[\"#text\"]\n| parse Hashes with * 'SHA1=' SHA1 ',' * \n| where isnotempty(Hashes)\n| where Hashes in (SHA1Hash) \n| extend Account = UserName\n),\n(SecurityAlert\n| where ProductName == \"Microsoft Defender Advanced Threat Protection\"\n| extend ThreatName = 
tostring(parse_json(ExtendedProperties).ThreatName)\n| where isnotempty(ThreatName)\n| where ThreatName has_any (SigNames)\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend DNSName = DestinationHost \n| extend IPAddress = SourceHost\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| project TimeGenerated,Resource, msg_s, Type\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (DomainNames)\n| extend DNSName = Request_Name\n| extend IPAddress = ClientIP\n),\n(AZFWApplicationRule\n| where isnotempty(Fqdn)\n| where Fqdn has_any (DomainNames) \n| extend DNSName = Fqdn \n| extend IPAddress = SourceIp\n),\n(AZFWDnsQuery\n| where isnotempty(QueryName)\n| where QueryName has_any (DomainNames)\n| extend DNSName = QueryName\n| extend IPAddress = SourceIp\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "DNS", - "dataTypes": [ - "DnsEvents" - ] - }, - { - "connectorId": "AzureMonitor(VMInsights)", - "dataTypes": [ - 
"VMConnection" - ] - }, - { - "connectorId": "CiscoASA", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "PaloAltoNetworks", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "SecurityEvents", - "dataTypes": [ - "SecurityEvent" - ] - }, - { - "connectorId": "AzureFirewall", - "dataTypes": [ - "AzureDiagnostics", - "AZFWApplicationRule", - "AZFWDnsQuery" - ] - }, - { - "connectorId": "Zscaler", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "InfobloxNIOS", - "dataTypes": [ - "Syslog" - ] - }, - { - "connectorId": "GCPDNSDataConnector", - "dataTypes": [ - "GCP_DNS_CL" - ] - }, - { - "connectorId": "NXLogDnsLogs", - "dataTypes": [ - "NXLog_DNS_Server_CL" - ] - }, - { - "connectorId": "CiscoUmbrellaDataConnector", - "dataTypes": [ - "Cisco_Umbrella_dns_CL" - ] - }, - { - "connectorId": "Corelight", - "dataTypes": [ - "Corelight_CL" - ] - } - ], - "tactics": [ - "CommandAndControl", - "CredentialAccess" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "AccountCustomEntity" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "HostCustomEntity" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IPCustomEntity" - } - ], - "entityType": "IP" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId10'),'/'))))]", - "properties": { - "description": "Legacy IOC based Threat Protection Analytics Rule 10", - "parentId": "[variables('analyticRuleId10')]", - "contentId": "[variables('_analyticRulecontentId10')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion10')]", - "source": { - "kind": "Solution", - "name": "Legacy 
IOC based Threat Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId10')]", - "contentKind": "AnalyticsRule", - "displayName": "[Deprecated] - Known Granite Typhoon domains and hashes", - "contentProductId": "[variables('_analyticRulecontentProductId10')]", - "id": "[variables('_analyticRulecontentProductId10')]", - "version": "[variables('analyticRuleVersion10')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName11')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "SilkTyphoonUmServiceSuspiciousFile_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion11')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId11')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query has been deprecated as the 
associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy", - "displayName": "[Deprecated] - Silk Typhoon UM Service writing suspicious file", - "enabled": false, - "query": "let scriptExtensions = dynamic([\".php\", \".jsp\", \".js\", \".aspx\", \".asmx\", \".asax\", \".cfm\", \".shtml\"]);\nunion isfuzzy=true\n(SecurityEvent\n| where EventID == 4663\n| where Process has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n| where ObjectName has_any (scriptExtensions)\n| where AccessMask in ('0x2','0x100', '0x10', '0x4')\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\n),\n (WindowsEvent\n| where EventID == 4663 and EventData has_any (\"umworkerprocess.exe\", \"UMService.exe\") and EventData has_any (scriptExtensions) \n| where EventData has_any ('0x2','0x100', '0x10', '0x4')\n| extend NewProcessName = tostring(EventData.NewProcessName)\n| extend Process=tostring(split(NewProcessName, '\\\\')[-1])\n| where Process has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n| extend ObjectName = tostring(EventData.ObjectName)\n| where ObjectName has_any (scriptExtensions)\n| extend AccessMask = tostring(EventData.AccessMask)\n| where AccessMask in ('0x2','0x100', '0x10', '0x4')\n| extend Account = strcat(EventData.SubjectDomainName,\"\\\\\", EventData.SubjectUserName)\n| extend IpAddress = tostring(EventData.IpAddress)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\n),\n(imFileEvent\n| 
where EventType == \"FileCreated\"\n| where ActingProcessName has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n and\n TargetFileName has_any (scriptExtensions)\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\n),\n(DeviceFileEvents\n| where ActionType =~ \"FileCreated\"\n| where InitiatingProcessFileName has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n| where FileName has_any(scriptExtensions)\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, IPCustomEntity = RequestSourceIP)\n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "SecurityEvents", - "dataTypes": [ - "SecurityEvent" - ] - }, - { - "connectorId": "MicrosoftThreatProtection", - "dataTypes": [ - "DeviceFileEvents" - ] - }, - { - "connectorId": "WindowsSecurityEvents", - "dataTypes": [ - "SecurityEvents" - ] - }, - { - "connectorId": "WindowsForwardedEvents", - "dataTypes": [ - "WindowsEvent" - ] - } - ], - "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1190" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "InitiatingProcessAccountUpn" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "AccountCustomEntity" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "HostCustomEntity" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "DeviceName" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IPCustomEntity" - } - ], - "entityType": "IP" - } - ] - } - }, - 
{ - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId11'),'/'))))]", - "properties": { - "description": "Legacy IOC based Threat Protection Analytics Rule 11", - "parentId": "[variables('analyticRuleId11')]", - "contentId": "[variables('_analyticRulecontentId11')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion11')]", - "source": { - "kind": "Solution", - "name": "Legacy IOC based Threat Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId11')]", - "contentKind": "AnalyticsRule", - "displayName": "[Deprecated] - Silk Typhoon UM Service writing suspicious file", - "contentProductId": "[variables('_analyticRulecontentProductId11')]", - "id": "[variables('_analyticRulecontentProductId11')]", - "version": "[variables('analyticRuleVersion11')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName12')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": 
"HiveRansomwareJuly2022_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion12')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId12')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy", - "displayName": "[Deprecated] - Hive Ransomware IOC - July 2022", - "enabled": false, - "query": "let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/HiveRansomwareJuly2022.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet sha256Hashes = (iocs | where Type =~ \"sha256\" | project IoC);\n(union isfuzzy=true\n(CommonSecurityLog\n| where FileHash in (sha256Hashes)\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash, Account = SourceUserID\n),\n(imFileEvent\n| where TargetFileSHA256 has_any (sha256Hashes)\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\n| project Type, 
TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHashCustomEntity = FileHash\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend Image = EventDetail.[4].[\"#text\"], CommandLine = EventDetail.[10].[\"#text\"], Hashes = tostring(EventDetail.[17].[\"#text\"])\n| extend Hashes = extract_all(@\"(?P\\w+)=(?P[a-zA-Z0-9]+)\", dynamic([\"key\",\"value\"]), Hashes)\n| extend Hashes = column_ifexists(\"Hashes\", \"\"), CommandLine = column_ifexists(\"CommandLine\", \"\")\n| extend Hashes = todynamic(Hashes) | mv-expand Hashes\n| where Hashes[0] =~ \"SHA256\" and Hashes[1] has_any (sha256Hashes)\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\n| extend Type = strcat(Type, \": \", Source)\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\\\', -1)[-1]), FileHashCustomEntity = tostring(Hashes[1])\n),\n(DeviceEvents\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\n),\n(DeviceFileEvents\n| where SHA256 has_any (sha256Hashes)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, 
InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\n),\n(DeviceImageLoadEvents\n| where SHA256 has_any (sha256Hashes)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\n)\n)\n", - "queryFrequency": "PT12H", - "queryPeriod": "PT12H", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "CiscoASA", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "PaloAltoNetworks", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "MicrosoftThreatProtection", - "dataTypes": [ - "DeviceFileEvents", - "DeviceEvents", - "DeviceImageLoadEvents" - ] - }, - { - "connectorId": "SecurityEvents", - "dataTypes": [ - "SecurityEvent" - ] - } - ], - "tactics": [ - "Impact" - ], - "techniques": [ - "T1486" - ], - "entityMappings": [ - { - "fieldMappings": 
[ - { - "identifier": "FullName", - "columnName": "AccountCustomEntity" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "ProcessId", - "columnName": "ProcessCustomEntity" - } - ], - "entityType": "Process" - }, - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "HostCustomEntity" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "identifier": "Algorithm", - "columnName": "AlgorithmCustomEntity" - }, - { - "identifier": "Value", - "columnName": "FileHashCustomEntity" - } - ], - "entityType": "FileHash" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId12'),'/'))))]", - "properties": { - "description": "Legacy IOC based Threat Protection Analytics Rule 12", - "parentId": "[variables('analyticRuleId12')]", - "contentId": "[variables('_analyticRulecontentId12')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion12')]", - "source": { - "kind": "Solution", - "name": "Legacy IOC based Threat Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId12')]", - "contentKind": "AnalyticsRule", - "displayName": "[Deprecated] - Hive Ransomware IOC - July 2022", - "contentProductId": "[variables('_analyticRulecontentProductId12')]", - "id": 
"[variables('_analyticRulecontentProductId12')]", - "version": "[variables('analyticRuleVersion12')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName13')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "SeashellBlizzardIOCs_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion13')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId13')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy", - "displayName": "[Deprecated] - Known Seashell Blizzard IP", - "enabled": false, - "query": "let IPList = dynamic([\"154.223.45.38\",\"185.141.207.140\",\"185.234.73.19\",\"216.245.210.106\",\"51.91.48.210\",\"46.255.230.229\"]);\n(union isfuzzy=true\n(CommonSecurityLog\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"Message\") \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"IP in Message Field\") \n),\n(OfficeActivity\n|extend SourceIPAddress = ClientIP, Account = UserId\n| where SourceIPAddress in (IPList)\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\n),\n(_Im_Dns (response_has_any_prefix=IPList)\n| extend DestinationIPAddress = DnsResponseName, Host = Dvc\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host, AccountCustomEntity=User\n),\n(_Im_WebSession (srcipaddr_has_any_prefix=IPList)\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\n),\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\n),\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\n| extend DestinationIPAddress = DstIpAddr, Host = 
Dvc\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\n),\n(SigninLogs\n| where isnotempty(IPAddress)\n| where IPAddress in (IPList)\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n),\n(AADNonInteractiveUserSignInLogs\n| where isnotempty(IPAddress)\n| where IPAddress in (IPList)\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n),\n(W3CIISLog \n| where isnotempty(cIP)\n| where cIP in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\n),\n(AzureActivity \n| where isnotempty(CallerIpAddress)\n| where CallerIpAddress in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\n),\n(\nAWSCloudTrail\n| where isnotempty(SourceIpAddress)\n| where SourceIpAddress in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\n),\n(\nAzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (IPList) \n| extend DestinationIP = DestinationHost \n| extend IPCustomEntity = SourceHost\n),\n(\nAZFWApplicationRule\n| where isnotempty(Fqdn)\n| where Fqdn has_any (IPList) \n| extend DestinationIP = Fqdn \n| extend IPCustomEntity = SourceIp\n),\n(AZFWNetworkRule\n| where isnotempty(DestinationIp)\n| where DestinationIp has_any (IPList) \n| extend DestinationIP = DestinationIp \n| extend IPCustomEntity = SourceIp\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 3\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend SourceIP = EventDetail.[9].[\"#text\"], DestinationIP = EventDetail.[14].[\"#text\"]\n| where SourceIP in (IPList) or DestinationIP in (IPList) \n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\") \n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n)\n)\n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AWSS3", - "datatypes": [ - "AWSVPCFlow" - ] - }, - { - "connectorId": "WindowsForwardedEvents", - "dataTypes": [ - "WindowsEvent" - ] - }, - { - "connectorId": "SquidProxy", - "dataTypes": [ - "SquidProxy_CL" - ] - }, - { - "connectorId": "MicrosoftThreatProtection", - "dataTypes": [ - "DeviceNetworkEvents" - ] - }, - { - "connectorId": "SecurityEvents", - "dataTypes": [ - "SecurityEvent" - ] - }, - { - "connectorId": "MicrosoftSysmonForLinux", - "dataTypes": [ - "Syslog" - ] - }, - { - "connectorId": "Office365", - "dataTypes": [ - 
"OfficeActivity" - ] - }, - { - "connectorId": "DNS", - "dataTypes": [ - "DnsEvents" - ] - }, - { - "connectorId": "AzureMonitor(VMInsights)", - "dataTypes": [ - "VMConnection" - ] - }, - { - "connectorId": "CiscoASA", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "PaloAltoNetworks", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "SecurityEvents", - "dataTypes": [ - "SecurityEvent" - ] - }, - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "SigninLogs" - ] - }, - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AADNonInteractiveUserSignInLogs" - ] - }, - { - "connectorId": "AzureMonitor(IIS)", - "dataTypes": [ - "W3CIISLog" - ] - }, - { - "connectorId": "AzureActivity", - "dataTypes": [ - "AzureActivity" - ] - }, - { - "connectorId": "AWS", - "dataTypes": [ - "AWSCloudTrail" - ] - }, - { - "connectorId": "AzureFirewall", - "dataTypes": [ - "AzureDiagnostics", - "AZFWApplicationRule", - "AZFWNetworkRule" - ] - }, - { - "connectorId": "Zscaler", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "InfobloxNIOS", - "dataTypes": [ - "Syslog" - ] - }, - { - "connectorId": "GCPDNSDataConnector", - "dataTypes": [ - "GCP_DNS_CL" - ] - }, - { - "connectorId": "NXLogDnsLogs", - "dataTypes": [ - "NXLog_DNS_Server_CL" - ] - }, - { - "connectorId": "CiscoUmbrellaDataConnector", - "dataTypes": [ - "Cisco_Umbrella_dns_CL" - ] - }, - { - "connectorId": "Corelight", - "dataTypes": [ - "Corelight_CL" - ] - } - ], - "tactics": [ - "CommandAndControl" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "AccountCustomEntity" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "HostCustomEntity" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IPCustomEntity" - } - ], - "entityType": "IP" - } - ] - } - }, - { - "type": 
"Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId13'),'/'))))]", - "properties": { - "description": "Legacy IOC based Threat Protection Analytics Rule 13", - "parentId": "[variables('analyticRuleId13')]", - "contentId": "[variables('_analyticRulecontentId13')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion13')]", - "source": { - "kind": "Solution", - "name": "Legacy IOC based Threat Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId13')]", - "contentKind": "AnalyticsRule", - "displayName": "[Deprecated] - Known Seashell Blizzard IP", - "contentProductId": "[variables('_analyticRulecontentProductId13')]", - "id": "[variables('_analyticRulecontentProductId13')]", - "version": "[variables('analyticRuleVersion13')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName14')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "DenimTsunamiAVDetection_AnalyticalRules Analytics Rule with 
template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion14')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId14')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy", - "displayName": "[Deprecated] - Denim Tsunami AV Detection", - "enabled": false, - "query": "let knotweed_sigs = dynamic([\"JumplumpDropper\", \"Jumplump\", \"Corelump\", \"Medcerc\", \"SuspModuleLoad\", \"Mexlib\"]);\n let mde_data = (DeviceInfo\n | extend DeviceName = tolower(DeviceName)\n | join kind=rightouter ( SecurityAlert\n | where ProviderName =~ \"MDATP\"\n | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\n | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\n | where ThreatFamilyName in~ (knotweed_sigs)\n | extend CompromisedEntity = tolower(CompromisedEntity)\n ) on $left.DeviceName == $right.CompromisedEntity);\n let event_data = ( Event\n | where EventID in (1006, 1009, 1116, 1119)\n | extend ThreatData = parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_xml(EventData).DataItem)).EventData)).Data))\n | mv-expand ThreatData\n | where 
tostring(ThreatData.[\"@Name\"]) == \"Threat Name\"\n | extend EventData = parse_xml(EventData)\n | where tostring(ThreatData.[\"#text\"]) has_any (knotweed_sigs));\n union mde_data, event_data\n | extend ThreatName = iif(isnotempty(ThreatName), ThreatName, tostring(ThreatData.[\"#text\"]))\n | extend ThreatFamilyName = iif(isnotempty(ThreatFamilyName), ThreatFamilyName, split(tostring(ThreatData.[\"#text\"]), \"/\")[-1])\n | extend TimeGenerated = iif(isnotempty(TimeGenerated), TimeGenerated, TimeGenerated1)\n | extend DeviceName = iif(isnotempty(DeviceName), DeviceName, Computer)\n | project-reorder TimeGenerated, CompromisedEntity, ThreatName, ThreatFamilyName\n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "MicrosoftThreatProtection", - "dataTypes": [ - "DeviceInfo" - ] - }, - { - "connectorId": "SecurityEvents", - "dataTypes": [ - "SecurityEvent" - ] - } - ], - "tactics": [ - "Execution" - ], - "techniques": [ - "T1203" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "HostName", - "columnName": "DeviceName" - } - ], - "entityType": "Host" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId14'),'/'))))]", - "properties": { - "description": "Legacy IOC based Threat Protection Analytics Rule 14", - "parentId": "[variables('analyticRuleId14')]", - "contentId": "[variables('_analyticRulecontentId14')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion14')]", - "source": { - "kind": "Solution", - "name": "Legacy IOC based Threat Protection", - "sourceId": 
"[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId14')]", - "contentKind": "AnalyticsRule", - "displayName": "[Deprecated] - Denim Tsunami AV Detection", - "contentProductId": "[variables('_analyticRulecontentProductId14')]", - "id": "[variables('_analyticRulecontentProductId14')]", - "version": "[variables('analyticRuleVersion14')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName15')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "DenimTsunamiC2DomainsJuly2022_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion15')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId15')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no 
longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy", - "displayName": "[Deprecated] - Denim Tsunami C2 Domains July 2022", - "enabled": false, - "query": "let DomainNames = dynamic([\"acrobatrelay.com\", \"finconsult.cc\", \"realmetaldns.com\"]); \n(union isfuzzy=true \n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| where DNSName in~ (DomainNames) \n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \n), \n(_Im_Dns (domain_has_any=DomainNames)\n| extend DNSName = DnsQuery \n| extend IPAddress = SrcIpAddr, Computer = Dvc\n), \n(_Im_WebSession (url_has_any=DomainNames)\n| extend DNSName = tostring(parse_url(Url)[\"Host\"])\n| extend IPAddress = SrcIpAddr, Computer = Dvc\n), \n(VMConnection \n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' * \n| where isnotempty(DNSName) \n| where DNSName in~ (DomainNames) \n| extend IPAddress = RemoteIp \n), \n( \n DeviceNetworkEvents \n| where isnotempty(RemoteUrl) \n| where RemoteUrl has_any (DomainNames) \n| extend IPAddress = RemoteIP \n| extend Computer = DeviceName \n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend DNSName = DestinationHost \n| extend IPAddress = SourceHost\n) \n) \n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress \n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureMonitor(VMInsights)", - "dataTypes": [ - "VMConnection" - ] - }, - { - "connectorId": "DNS", - "dataTypes": [ - "DnsEvents" - ] - }, - { - "connectorId": "MicrosoftThreatProtection", - "dataTypes": [ - "DeviceNetworkEvents" - ] - } - ], - "tactics": [ - "CommandAndControl" - ], - "techniques": [ - "T1071" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "AccountCustomEntity" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "HostName", - "columnName": "HostCustomEntity" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IPCustomEntity" - } - ], - "entityType": "IP" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId15'),'/'))))]", - "properties": { - "description": "Legacy IOC based Threat Protection Analytics Rule 15", - "parentId": "[variables('analyticRuleId15')]", - "contentId": "[variables('_analyticRulecontentId15')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion15')]", - "source": { - "kind": "Solution", - "name": "Legacy IOC based Threat Protection", - "sourceId": "[variables('_solutionId')]" - }, - 
"author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId15')]", - "contentKind": "AnalyticsRule", - "displayName": "[Deprecated] - Denim Tsunami C2 Domains July 2022", - "contentProductId": "[variables('_analyticRulecontentProductId15')]", - "id": "[variables('_analyticRulecontentProductId15')]", - "version": "[variables('analyticRuleVersion15')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName16')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "DenimTsunamiFileHashesJuly2022_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion16')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId16')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. 
To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy", - "displayName": "[Deprecated] - Denim Tsunami File Hashes July 2022", - "enabled": false, - "query": "let sha256Hashes = dynamic([\"78c255a98003a101fa5ba3f49c50c6922b52ede601edac5db036ab72efc57629\", \"0588f61dc7e4b24554cffe4ea56d043d8f6139d2569bc180d4a77cf75b68792f\", \"441a3810b9e89bae12eea285a63f92e98181e9fb9efd6c57ef6d265435484964\", \"cbae79f66f724e0fe1705d6b5db3cc8a4e89f6bdf4c37004aa1d45eeab26e84b\", \"fd6515a71530b8329e2c0104d0866c5c6f87546d4b44cc17bbb03e64663b11fc\", \"5d169e083faa73f2920c8593fb95f599dad93d34a6aa2b0f794be978e44c8206\", \"7f29b69eb1af1cc6c1998bad980640bfe779525fd5bb775bc36a0ce3789a8bfc\", \"02a59fe2c94151a08d75a692b550e66a8738eb47f0001234c600b562bf8c227d\", \"7f84bf6a016ca15e654fb5ebc36fd7407cb32c69a0335a32bfc36cb91e36184d\", \"afab2e77dc14831f1719e746042063a8ec107de0e9730249d5681d07f598e5ec\", \"894138dfeee756e366c65a197b4dbef8816406bc32697fac6621601debe17d53\", \"4611340fdade4e36f074f75294194b64dcf2ec0db00f3d958956b4b0d6586431\", \"c96ae21b4cf2e28eec222cfe6ca903c4767a068630a73eca58424f9a975c6b7d\", \"fa30be45c5c5a8f679b42ae85410f6099f66fe2b38eb7aa460bcc022babb41ca\", \"e64bea4032cf2694e85ede1745811e7585d3580821a00ae1b9123bb3d2d442d6\"]);\n(union isfuzzy=true\n(CommonSecurityLog\n| where FileHash in (sha256Hashes)\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\n| extend timestamp = TimeGenerated, FileHashCustomEntity = 'SHA256', Account = SourceUserID\n),\n(imFileEvent\n| where TargetFileSHA256 has_any (sha256Hashes)\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine 
= ActingProcessCommandLine, FileHash = TargetFileSHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(Event\n| where Source =~ \"Microsoft-Windows-Sysmon\"\n| where EventID == 1\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend Image = EventDetail.[4].[\"#text\"], CommandLine = EventDetail.[10].[\"#text\"], Hashes = tostring(EventDetail.[17].[\"#text\"])\n| extend Hashes = extract_all(@\"(?P\\w+)=(?P[a-zA-Z0-9]+)\", dynamic([\"key\",\"value\"]), Hashes)\n| extend Hashes = column_ifexists(\"Hashes\", \"\"), CommandLine = column_ifexists(\"CommandLine\", \"\")\n| extend Hashes = todynamic(Hashes) | mv-expand Hashes\n| where (Hashes[0] =~ \"SHA256\" and Hashes[1] has_any (sha256Hashes)) \n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\n| extend Type = strcat(Type, \": \", Source)\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\\\', -1)[-1]), FileHashCustomEntity = tostring(Hashes[1])\n),\n(DeviceEvents\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\n),\n(DeviceFileEvents\n| where SHA256 has_any (sha256Hashes)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, 
InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\n),\n(DeviceImageLoadEvents\n| where SHA256 has_any (sha256Hashes)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\n)\n)\n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "MicrosoftThreatProtection", - "dataTypes": [ - "DeviceEvents", - "DeviceFileEvents", - "DeviceImageLoadEvents" - ] - }, - { - "connectorId": "SecurityEvents", - "dataTypes": [ - "SecurityEvents" - ] - }, - { - "connectorId": "WindowsFirewall", - "dataTypes": [ - "WindowsFirewall" - ] - } - ], - "tactics": [ - "Execution" - ], - "techniques": [ - "T1203" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "Name", - "columnName": 
"FileHashCustomEntity" - } - ], - "entityType": "File" - }, - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "AccountCustomEntity" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "ProcessId", - "columnName": "ProcessCustomEntity" - } - ], - "entityType": "Process" - }, - { - "fieldMappings": [ - { - "identifier": "HostName", - "columnName": "HostCustomEntity" - } - ], - "entityType": "Host" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId16'),'/'))))]", - "properties": { - "description": "Legacy IOC based Threat Protection Analytics Rule 16", - "parentId": "[variables('analyticRuleId16')]", - "contentId": "[variables('_analyticRulecontentId16')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion16')]", - "source": { - "kind": "Solution", - "name": "Legacy IOC based Threat Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId16')]", - "contentKind": "AnalyticsRule", - "displayName": "[Deprecated] - Denim Tsunami File Hashes July 2022", - "contentProductId": "[variables('_analyticRulecontentProductId16')]", - "id": "[variables('_analyticRulecontentProductId16')]", - "version": "[variables('analyticRuleVersion16')]" - } - }, - { - "type": 
"Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName17')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "KnownMintSandstormDomainsIP-October2020_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion17')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId17')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy", - "displayName": "[Deprecated] - Known Mint Sandstorm group domains/IP - October 2020", - "enabled": false, - "query": "let DomainNames = dynamic([\"de-ma.online\", \"g20saudi.000webhostapp.com\", \"ksat20.000webhostapp.com\"]);\nlet EmailAddresses = dynamic([\"munichconference1962@gmail.com\",\"munichconference@outlook.de\", \"munichconference@outlook.com\", \"t20saudiarabia@gmail.com\", \"t20saudiarabia@hotmail.com\", \"t20saudiarabia@outlook.sa\"]);\nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\n(union isfuzzy=true\n(CommonSecurityLog\n| parse Message with * '(' DNSName ')' *\n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend RequestURLIP = extract(IPRegex, 0, Message)\n| where (isnotempty(DNSName) and DNSName has_any (DomainNames))\n or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames))\n or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))\n| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = DestinationIP\n),\n(DnsEvents\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\n| where DNSName has_any (DomainNames)\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\n(VMConnection\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(DNSName)\n| where DNSName has_any (DomainNames)\n| extend timestamp = TimeGenerated , HostCustomEntity = Computer),\n(SecurityAlert\n| where ProviderName =~ 'OATP'\n| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn,\n isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,\n isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,\n isnotempty(parse_json(Entities)[3].Upn), 
parse_json(Entities)[3].Upn,\n isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,\n isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,\n isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,\n isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,\n isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,\n parse_json(Entities)[9].Upn)\n| where Entities has_any (EmailAddresses)\n| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),\n(AzureDiagnostics\n| where ResourceType =~ \"AZUREFIREWALLS\"\n| where msg_s has_any (DomainNames)\n| extend timestamp = TimeGenerated),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| where msg_s has_any (DomainNames)\n| extend timestamp = TimeGenerated),\n(AZFWApplicationRule\n| where isnotempty(Fqdn)\n| where Fqdn has_any (DomainNames) \n| extend timestamp = TimeGenerated),\n(AZFWDnsQuery\n| where isnotempty(QueryName)\n| where QueryName has_any (DomainNames)\n| extend timestamp = TimeGenerated))\n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "DNS", - "dataTypes": [ - "DnsEvents" - ] - }, - { - "connectorId": "AzureMonitor(VMInsights)", - "dataTypes": [ - "VMConnection" - ] - }, - { - "connectorId": "CiscoASA", - "dataTypes": [ - "CommonSecurityLog (Cisco)" - ] - }, - { - "connectorId": "PaloAltoNetworks", - "dataTypes": [ - "CommonSecurityLog (PaloAlto)" - ] - }, - { - "connectorId": "Zscaler", - "dataTypes": [ - "CommonSecurityLog (Zscaler)" - ] - }, - { - "connectorId": "Fortinet", - "dataTypes": [ - "CommonSecurityLog (Fortinet)" - ] - }, - { - "connectorId": "OfficeATP", - "dataTypes": [ - "SecurityAlert (OATP)" - ] - }, - { - 
"connectorId": "AzureFirewall", - "dataTypes": [ - "AzureDiagnostics (Azure Firewall)", - "AZFWApplicationRule", - "AZFWDnsQuery" - ] - } - ], - "tactics": [ - "CommandAndControl", - "InitialAccess" - ], - "techniques": [ - "T1071", - "T1566" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "AccountCustomEntity" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "HostCustomEntity" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IPCustomEntity" - } - ], - "entityType": "IP" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId17'),'/'))))]", - "properties": { - "description": "Legacy IOC based Threat Protection Analytics Rule 17", - "parentId": "[variables('analyticRuleId17')]", - "contentId": "[variables('_analyticRulecontentId17')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion17')]", - "source": { - "kind": "Solution", - "name": "Legacy IOC based Threat Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId17')]", - "contentKind": "AnalyticsRule", - "displayName": "[Deprecated] - Known Mint Sandstorm group domains/IP - October 2020", - 
"contentProductId": "[variables('_analyticRulecontentProductId17')]", - "id": "[variables('_analyticRulecontentProductId17')]", - "version": "[variables('analyticRuleVersion17')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName18')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Manganese_VPN-IOCs_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion18')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId18')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy", - "displayName": "[Deprecated] - Known Manganese IP and UserAgent activity", - "enabled": false, - "query": "\nlet IPList = dynamic([\"45.63.52.41\",\"140.82.17.161\",\"207.148.101.95\",\"45.32.87.51\",\"66.42.98.156\",\"45.76.144.105\",\"217.163.28.35\",\"45.32.141.174\",\"149.28.165.249\",\"209.250.225.247\",\"45.63.100.115\",\"95.179.229.230\",\"209.250.233.247\",\"45.77.121.232\",\"45.76.175.65\",\"104.238.160.237\",\"45.77.181.97\",\"95.179.192.125\",\"149.28.93.184\",\"140.82.16.81\",\"45.76.173.103\",\"45.77.255.22\",\"45.32.11.71\",\"149.28.77.26\",\"45.32.54.50\",\"104.156.233.156\",\"45.32.21.118\",\"45.63.62.109\",\"45.77.244.202\",\"149.248.11.205\",\"104.238.190.244\"]);\nlet IOCTerms = \"\\\\?lang=[/..]*/dev/cmdb/sslvpn_websession|/dana-na/jam/[/..]*home/webserver/htdocs/dana/html5acc/guacamole[/..]*etc/passwd\\\\?\";\n(union isfuzzy=true\n(CommonSecurityLog\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\n| where SourceIP in (IPList) or DestinationIP in (IPList) or has_any_ipv4 (Message, IPList)\n| extend IPMatch = case(\nSourceIP in (IPList), \"SourceIP\", \nDestinationIP in (IPList), \"DestinationIP\",\n\"Message\") \n| where Message matches regex IOCTerms\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"IP in Message Field\") \n),\n(OfficeActivity\n| where isnotempty(UserAgent) and ClientIP in (IPList)\n| where UserAgent contains \"ExchangeServicesClient/0.0.0.0\"\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP = ClientIP, Account = UserId, Type, RecordType, 
OfficeWorkload, UserAgent, OfficeObjectId, IPMatch = \"ClientIP\"\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP\n)\n)\n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Office365", - "dataTypes": [ - "OfficeActivity" - ] - } - ], - "tactics": [ - "InitialAccess", - "Collection" - ], - "techniques": [ - "T1133", - "T1114" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "AccountCustomEntity" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IPCustomEntity" - } - ], - "entityType": "IP" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId18'),'/'))))]", - "properties": { - "description": "Legacy IOC based Threat Protection Analytics Rule 18", - "parentId": "[variables('analyticRuleId18')]", - "contentId": "[variables('_analyticRulecontentId18')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion18')]", - "source": { - "kind": "Solution", - "name": "Legacy IOC based Threat Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", 
- "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId18')]", - "contentKind": "AnalyticsRule", - "displayName": "[Deprecated] - Known Manganese IP and UserAgent activity", - "contentProductId": "[variables('_analyticRulecontentProductId18')]", - "id": "[variables('_analyticRulecontentProductId18')]", - "version": "[variables('analyticRuleVersion18')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName19')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "MSHTMLVuln_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion19')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId19')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy", - "displayName": "[Deprecated] - MSHTML vulnerability CVE-2021-40444 attack", - "enabled": false, - "query": "( union isfuzzy=true\n(SecurityEvent\n| where EventID==4688\n| where isnotempty(CommandLine)\n| extend FileName = Process, ProcessCommandLine = CommandLine\n| where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')\n or ProcessCommandLine matches regex @'\\\".[a-zA-Z]{2,4}:\\.\\.\\/\\.\\.'\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n),\n(DeviceProcessEvents\n| where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')\nor ProcessCommandLine matches regex @'\\\".[a-zA-Z]{2,4}:\\.\\.\\/\\.\\.'\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1 \n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\n| extend Image = column_ifexists(\"Image\", \"\"), ProcessCommandLine = column_ifexists(\"CommandLine\", \"\")\n| extend FileName = split(Image, '\\\\', -1)[-1]\n| where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')\n or ProcessCommandLine matches regex @'\\\".[a-zA-Z]{2,4}:\\.\\.\\/\\.\\.'\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer\n)\n)\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "High", - "suppressionDuration": 
"PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "SecurityEvents", - "dataTypes": [ - "SecurityEvent" - ] - }, - { - "connectorId": "MicrosoftThreatProtection", - "dataTypes": [ - "DeviceProcessEvents" - ] - } - ], - "tactics": [ - "Execution" - ], - "techniques": [ - "T1203" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "AccountCustomEntity" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "HostCustomEntity" - } - ], - "entityType": "Host" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId19'),'/'))))]", - "properties": { - "description": "Legacy IOC based Threat Protection Analytics Rule 19", - "parentId": "[variables('analyticRuleId19')]", - "contentId": "[variables('_analyticRulecontentId19')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion19')]", - "source": { - "kind": "Solution", - "name": "Legacy IOC based Threat Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId19')]", - "contentKind": "AnalyticsRule", - "displayName": "[Deprecated] - MSHTML vulnerability 
CVE-2021-40444 attack", - "contentProductId": "[variables('_analyticRulecontentProductId19')]", - "id": "[variables('_analyticRulecontentProductId19')]", - "version": "[variables('analyticRuleVersion19')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName20')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "NylonTyphoonIOCsNov2021_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion20')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId20')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy", - "displayName": "[Deprecated] - Known Nylon Typhoon domains and hashes", - "enabled": false, - "query": "let DomainNames = dynamic([\"beesweiserdog.com\", \n \"bluehostfit.com\", \n \"business-toys.com\", \n \"cleanskycloud.com\", \n \"cumberbat.com\", \n \"czreadsecurity.com\", \n \"dgtresorgouv.com\", \n \"dimediamikedask.com\", \n \"diresitioscon.com\", \n \"elcolectador.com\", \n \"elperuanos.org\", \n \"eprotectioneu.com\", \n \"fheacor.com\", \n \"followthewaterdata.com\", \n \"francevrteepress.com\", \n \"futtuhy.com\", \n \"gardienweb.com\", \n \"heimflugaustr.com\", \n \"ivpsers.com\", \n \"jkeducation.org\", \n \"micrlmb.com\", \n \"muthesck.com\", \n \"netscalertech.com\", \n \"newgoldbalmap.com\", \n \"news-laestrella.com\", \n \"noticialif.com\", \n \"opentanzanfoundation.com\", \n \"optonlinepress.com\", \n \"palazzochigi.com\", \n \"pandemicacre.com\", \n \"papa-ser.com\", \n \"pekematclouds.com\", \n \"pipcake.com\", \n \"popularservicenter.com\", \n \"projectsyndic.com\", \n \"qsadtv.com\", \n \"sankreal.com\", \n \"scielope.com\", \n \"seoamdcopywriting.com\", \n \"slidenshare.com\", \n \"somoswake.com\", \n \"squarespacenow.com\", \n \"subapostilla.com\", \n \"suzukicycles.net\", \n \"tatanotakeeps.com\", \n \"tijuanazxc.com\", \n \"transactioninfo.net\", \n \"eurolabspro.com\", \n \"adelluminate.com\", \n \"headhunterblue.com\", \n \"primenuesty.com\" \n ]);\nlet SHA256Hashes = dynamic ([\"02daf4544bcefb2de865d0b45fc406bee3630704be26a9d6da25c9abe906e7d2\", \n \"0a45ec3da31838aa7f56e4cbe70d5b3b3809029f9159ff0235837e5b7a4cb34c\", \n \"0d7965489810446ca7acc7a2160795b22e452a164261313c634a6529a0090a0c\", \n \"10bb4e056fd19f2debe61d8fc5665434f56064a93ca0ec0bef946a4c3e098b95\", \n \"12d914f24fe5501e09f5edf503820cc5fe8b763827a1c6d44cdb705e48651b21\", \n \"1899f761123fedfeba0fee6a11f830a29cd3653bcdcf70380b72a05b921b4b49\", \n 
\"22e68e366dd3323e5bb68161b0938da8e1331e4f1c1819c8e84a97e704d93844\", \n \"259783405ec2cb37fdd8fd16304328edbb6a0703bc3d551eba252d9b450554ef\", \n \"26debed09b1bbf24545e3b4501b799b66a0146d4020f882776465b5071e91822\", \n \"35c5f22bb11f7dd7a2bb03808e0337cb7f9c0d96047b94c8afdab63efc0b9bb2\", \n \"3ae2d9ffa4e53519e62cc0a75696f9023f9cce09b0a917f25699b48d0f7c4838\", \n \"3bac2e459c69fcef8c1c93c18e5f4f3e3102d8d0f54a63e0650072aeb2a5fa65\", \n \"3c0bf69f6faf85523d9e60d13218e77122b2adb0136ffebbad0f39f3e3eed4e6\", \n \"3dc0001a11d54925d2591aec4ea296e64f1d4fdf17ff3343ddeea82e9bd5e4f1\", \n \"3fd73af89e94af180b1fbf442bbfb7d7a6c4cf9043abd22ac0aa2f8149bafc90\", \n \"6854df6aa0af46f7c77667c450796d5658b3058219158456e869ebd39a47d54b\", \n \"6b79b807a66c786bd2e57d1c761fc7e69dd9f790ffab7ce74086c4115c9305ce\", \n \"7944a86fbef6238d2a55c14c660c3a3d361c172f6b8fa490686cc8889b7a51a0\", \n \"926904f7c0da13a6b8689c36dab9d20b3a2e6d32f212fca9e5f8cf2c6055333c\", \n \"95e98c811ea9d212673d0e84046d6da94cbd9134284275195800278593594b5a\", \n \"a142625512e5372a1728595be19dbee23eea50524b4827cb64ed5aaeaaa0270b\", \n \"afe5e9145882e0b98a795468a4c0352f5b1ddb7b4a534783c9e8fc366914cf6a\", \n \"b9027bad09a9f5c917cf0f811610438e46e42e5e984a8984b6d69206ceb74124\", \n \"c132d59a3bf0099e0f9f5667daf7b65dba66780f4addd88f04eecae47d5d99fa\", \n \"c9a5765561f52bbe34382ce06f4431f7ac65bafe786db5de89c29748cf371dda\", \n \"ce0408f92635e42aadc99da3cc1cbc0044e63441129c597e7aa1d76bf2700c94\", \n \"ce47bacc872516f91263f5e59441c54f14e9856cf213ca3128470217655fc5e6\", \n \"d0fe4562970676e30a4be8cb4923dc9bfd1fca8178e8e7fea0f3f02e0c7435ce\", \n \"d5b36648dc9828e69242b57aca91a0bb73296292bf987720c73fcd3d2becbae6\", \n \"e72d142a2bc49572e2d99ed15827fc27c67fc0999e90d4bf1352b075f86a83ba\"\n ]);\nlet SigNames = dynamic([\"Backdoor:Win32/Leeson\", \"Trojan:Win32/Kechang\", \"Backdoor:Win32/Nightimp!dha\", \"Trojan:Win32/QuarkBandit.A!dha\", \"TrojanSpy:Win32/KeyLogger\"]);\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * 
'(' DNSName ')' * \n| where isnotempty(FileHash)\n| where FileHash in (SHA256Hashes) or DNSName in~ (DomainNames)\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\n),\n(_Im_Dns(domain_has_any = DomainNames)\n| extend DNSName = DnsQuery\n| extend IPAddress = SrcIpAddr\n),\n(_Im_WebSession(url_has_any = DomainNames)\n| extend DNSName = tostring(parse_url(Url)[\"Host\"])\n| extend IPAddress = SrcIpAddr\n),\n(Event\n//This query uses sysmon data depending on table name used this may need updataing\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend Hashes = EventDetail.[16].[\"#text\"]\n| parse Hashes with * 'SHA256=' SHA256 ',' * \n| where isnotempty(Hashes)\n| where Hashes in (SHA256Hashes) \n| extend Account = UserName\n),\n(DeviceFileEvents\n| where SHA256 in~ (SHA256Hashes)\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(imFileEvent\n| where TargetFileSHA256 in~ (SHA256Hashes)\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(DeviceNetworkEvents\n| where RemoteUrl in~ (DomainNames)\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\n),\n(SecurityAlert\n| where ProductName == \"Microsoft Defender Advanced Threat Protection\"\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\n| where isnotempty(ThreatName)\n| where ThreatName has_any (SigNames)\n| extend Computer = 
tostring(parse_json(Entities)[0].HostName)\n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend DNSName = DestinationHost \n| extend IPAddress = SourceHost\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "SquidProxy", - "dataTypes": [ - "SquidProxy_CL" - ] - }, - { - "connectorId": "DNS", - "dataTypes": [ - "DnsEvents" - ] - }, - { - "connectorId": "AzureMonitor(VMInsights)", - "dataTypes": [ - "VMConnection" - ] - }, - { - "connectorId": "CiscoASA", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "PaloAltoNetworks", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "MicrosoftThreatProtection", - "dataTypes": [ - "DeviceFileEvents" - ] - }, - { - "connectorId": "MicrosoftThreatProtection", - "dataTypes": [ - "DeviceNetworkEvents" - ] - }, - { - "connectorId": "SecurityEvents", - "dataTypes": [ - "SecurityEvent" - ] - }, - { - "connectorId": "AzureFirewall", - "dataTypes": [ - "AzureDiagnostics" - ] - }, - { - "connectorId": "Zscaler", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "InfobloxNIOS", - "dataTypes": [ - "Syslog" - ] - }, - { - "connectorId": "GCPDNSDataConnector", - "dataTypes": [ - "GCP_DNS_CL" - ] - }, - { - "connectorId": "NXLogDnsLogs", - "dataTypes": [ - "NXLog_DNS_Server_CL" - ] - }, - { - "connectorId": "CiscoUmbrellaDataConnector", - 
"dataTypes": [ - "Cisco_Umbrella_dns_CL" - ] - }, - { - "connectorId": "Corelight", - "dataTypes": [ - "Corelight_CL" - ] - } - ], - "tactics": [ - "CommandAndControl" - ], - "techniques": [ - "T1071" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "AccountCustomEntity" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "HostCustomEntity" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IPCustomEntity" - } - ], - "entityType": "IP" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId20'),'/'))))]", - "properties": { - "description": "Legacy IOC based Threat Protection Analytics Rule 20", - "parentId": "[variables('analyticRuleId20')]", - "contentId": "[variables('_analyticRulecontentId20')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion20')]", - "source": { - "kind": "Solution", - "name": "Legacy IOC based Threat Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId20')]", - "contentKind": "AnalyticsRule", - "displayName": "[Deprecated] - Known Nylon Typhoon domains and hashes", - "contentProductId": 
"[variables('_analyticRulecontentProductId20')]", - "id": "[variables('_analyticRulecontentProductId20')]", - "version": "[variables('analyticRuleVersion20')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName21')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "MidnightBlizzard_DomainIOCsMarch2021_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion21')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId21')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy", - "displayName": "[Deprecated] - Midnight Blizzard - Domain and IP IOCs - March 2021", - "enabled": false, - "query": "let DomainNames = dynamic(['onetechcompany.com', 'reyweb.com', 'srfnetwork.org', 'sense4baby.fr', 'nikeoutletinc.org', 'megatoolkit.com']);\nlet IPList = dynamic(['185.225.69.69']);\nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\n(union isfuzzy=true\n(CommonSecurityLog\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (DomainNames) or RequestURL has_any (DomainNames) or Message has_any (IPList)\n| parse Message with * '(' DNSName ')' * \n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", MessageIP in (IPList), \"Message\", RequestURL in (DomainNames), \"RequestUrl\", \"NoMatch\") \n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, IPMatch == \"Message\", MessageIP, \"NoMatch\"), AccountCustomEntity = SourceUserID\n),\n(_Im_Dns (domain_has_any=DomainNames)\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\n),\n(_Im_Dns (response_has_any_prefix=IPList)\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\n),\n(_Im_WebSession(url_has_any=DomainNames)\n| extend DestinationIPAddress = DstIpAddr, DNSName = tostring(parse_url(Url)[\"Host\"]), Host = Dvc\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\n),\n(VMConnection\n| where SourceIp in (IPList) or DestinationIp in (IPList) 
or RemoteDnsCanonicalNames has_any (DomainNames)\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", \"None\") \n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"NoMatch\"), HostCustomEntity = Computer\n),\n(OfficeActivity\n| where ClientIP in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\n),\n(DeviceNetworkEvents\n| where RemoteUrl has_any (DomainNames) or RemoteIP in (IPList)\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\n),\n(AZFWApplicationRule\n| where isnotempty(Fqdn)\n| where Fqdn has_any (DomainNames)\n| extend timestamp = TimeGenerated\n| extend DNSName = Fqdn\n| extend IPCustomEntity = SourceIp\n),\n(AZFWDnsQuery\n| where isnotempty(QueryName)\n| where QueryName has_any (DomainNames)\n| extend timestamp = TimeGenerated\n| extend DNSName = QueryName\n| extend IPCustomEntity = SourceIp\n)\n)\n", - "queryFrequency": "PT6H", - "queryPeriod": "PT6H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "SquidProxy", - "dataTypes": [ - "SquidProxy_CL" - ] - }, - { - "connectorId": "DNS", - "dataTypes": [ - "DnsEvents" - ] - }, - { - 
"connectorId": "AzureMonitor(VMInsights)", - "dataTypes": [ - "VMConnection" - ] - }, - { - "connectorId": "CiscoASA", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "PaloAltoNetworks", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "MicrosoftThreatProtection", - "dataTypes": [ - "DeviceNetworkEvents" - ] - }, - { - "connectorId": "Office365", - "dataTypes": [ - "OfficeActivity" - ] - }, - { - "connectorId": "AzureFirewall", - "dataTypes": [ - "AzureDiagnostics", - "AZFWApplicationRule", - "AZFWDnsQuery" - ] - }, - { - "connectorId": "Zscaler", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "InfobloxNIOS", - "dataTypes": [ - "Syslog" - ] - }, - { - "connectorId": "GCPDNSDataConnector", - "dataTypes": [ - "GCP_DNS_CL" - ] - }, - { - "connectorId": "NXLogDnsLogs", - "dataTypes": [ - "NXLog_DNS_Server_CL" - ] - }, - { - "connectorId": "CiscoUmbrellaDataConnector", - "dataTypes": [ - "Cisco_Umbrella_dns_CL" - ] - }, - { - "connectorId": "Corelight", - "dataTypes": [ - "Corelight_CL" - ] - } - ], - "tactics": [ - "CommandAndControl" - ], - "techniques": [ - "T1102" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "AccountCustomEntity" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "HostCustomEntity" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IPCustomEntity" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "identifier": "DomainName", - "columnName": "DNSName" - } - ], - "entityType": "DNS" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId21'),'/'))))]", - "properties": { - "description": "Legacy 
IOC based Threat Protection Analytics Rule 21", - "parentId": "[variables('analyticRuleId21')]", - "contentId": "[variables('_analyticRulecontentId21')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion21')]", - "source": { - "kind": "Solution", - "name": "Legacy IOC based Threat Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId21')]", - "contentKind": "AnalyticsRule", - "displayName": "[Deprecated] - Midnight Blizzard - Domain and IP IOCs - March 2021", - "contentProductId": "[variables('_analyticRulecontentProductId21')]", - "id": "[variables('_analyticRulecontentProductId21')]", - "version": "[variables('analyticRuleVersion21')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName22')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "MidnightBlizzard_FoggyWeb_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion22')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - 
"type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId22')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy", - "displayName": "[Deprecated] - Midnight Blizzard IOCs related to FoggyWeb backdoor", - "enabled": false, - "query": "let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/FoggyWebIOC.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet sha256Hashes = (iocs | where Type == \"sha256\" | project IoC);\nlet FilePaths = (iocs | where Type =~ \"FilePath\" | project IoC);\nlet POST_URI = (iocs | where Type =~ \"URI1\" | project IoC);\nlet GET_URI = (iocs | where Type =~ \"URI2\" | project IoC);\n//Include in the list below, the ADFS servers you know about in your environment. 
In the next part of the query, we will try to identify them for you if you have the telemetry.\nlet ADFS_Servers1 = datatable(Computer:string)\n[ \"..\",\n\"..\"\n];\n// Automatically identify potential ADFS services in your environment by searching process event telemetry for \"Microsoft.IdentityServer.ServiceHost.exe\".\nlet ADFS_Servers2 = \n(union isfuzzy=true\n(SecurityEvent\n| where EventID == 4688 and SubjectLogonId != \"0x3e4\"\n| where ProcessName has \"Microsoft.IdentityServer.ServiceHost.exe\"\n| distinct Computer\n),\n( WindowsEvent\n| where EventID == 4688 and EventData has \"Microsoft.IdentityServer.ServiceHost.exe\"// and not(EventData has \"0x3e4\")\n| extend ProcessName = tostring(EventData.ProcessName)\n| where ProcessName == \"Microsoft.IdentityServer.ServiceHost.exe\"\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\n| where SubjectLogonId != \"0x3e4\"\n| distinct Computer\n),\n(DeviceProcessEvents\n| where InitiatingProcessFileName == 'Microsoft.IdentityServer.ServiceHost.exe'\n| extend Computer = DeviceName\n| distinct Computer\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key=tostring(['@Name']), Value=['#text']\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\n| extend process = split(Image, '\\\\', -1)[-1]\n| where process =~ \"Microsoft.IdentityServer.ServiceHost.exe\"\n| distinct Computer\n)\n);\nlet ADFS_Servers =\nADFS_Servers1\n| union (ADFS_Servers2 | distinct Computer);\n(union isfuzzy=true\n(DeviceNetworkEvents\n| where DeviceName in (ADFS_Servers)\n| where isnotempty(InitiatingProcessSHA256) or isnotempty(InitiatingProcessFolderPath)\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or 
InitiatingProcessFolderPath has_any (FilePaths)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\" and EventID == '7'\n| where Computer in (ADFS_Servers)\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend ImageLoaded = EventDetail.[5].[\"#text\"], Hashes = EventDetail.[11].[\"#text\"]\n| parse Hashes with * 'SHA256=' SHA256 '\",' *\n| where ImageLoaded has_any (FilePaths) or SHA256 has_any (sha256Hashes) \n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, ImageLoaded, EventID\n| extend Type = strcat(Type,\":\",EventID, \": \", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\"#text\"] \n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, '\\\\', -1)[-1]), AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(CommonSecurityLog\n| where FileHash in (sha256Hashes)\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(DeviceEvents\n| where DeviceName in (ADFS_Servers)\n| extend FilePath = strcat(FolderPath, '\\\\', FileName)\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, 
InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(DeviceFileEvents\n| where DeviceName in (ADFS_Servers)\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(DeviceImageLoadEvents\n| where DeviceName in (ADFS_Servers)\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\n| extend timestamp = TimeGenerated, HostCustomEntity = 
Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where Computer in (ADFS_Servers)\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| parse EventDetail with * 'SHA256=' SHA256 '\",' *\n| where EventDetail has_any (sha256Hashes) \n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\n| extend Type = strcat(Type, \": \", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\"#text\"] \n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, '\\\\', -1)[-1]), AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(W3CIISLog \n| where ( csMethod == 'GET' and csUriStem has_any (GET_URI)) or (csMethod == 'POST' and csUriStem has_any (POST_URI))\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), cIP_MethodCount = count() \nby cIP, cIP_MethodCountType = \"Count of repeated entries, this is to reduce rowsets returned\", csMethod, \ncsHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, csReferer\n| extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = csHost, AccountCustomEntity = csUserName\n),\n(imFileEvent\n| where DvcHostname in (ADFS_Servers)\n| where TargetFileSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n)\n)\n", - "queryFrequency": "PT6H", - "queryPeriod": "PT6H", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - 
"triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "F5", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "CiscoASA", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "PaloAltoNetworks", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "Fortinet", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "CheckPoint", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "CEF", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "MicrosoftThreatProtection", - "dataTypes": [ - "DeviceNetworkEvents", - "DeviceFileEvents", - "DeviceEvents", - "DeviceImageLoadEvents" - ] - }, - { - "connectorId": "SecurityEvents", - "dataTypes": [ - "SecurityEvent" - ] - }, - { - "connectorId": "WindowsSecurityEvents", - "dataTypes": [ - "SecurityEvent" - ] - }, - { - "connectorId": "AzureMonitor(IIS)", - "dataTypes": [ - "W3CIISLog" - ] - }, - { - "connectorId": "WindowsSecurityEvents", - "dataTypes": [ - "SecurityEvents" - ] - }, - { - "connectorId": "WindowsForwardedEvents", - "dataTypes": [ - "WindowsEvent" - ] - } - ], - "tactics": [ - "Collection" - ], - "techniques": [ - "T1005" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "AccountCustomEntity" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "HostCustomEntity" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IPCustomEntity" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "identifier": "Algorithm", - "columnName": "AlgorithmCustomEntity" - }, - { - "identifier": "Value", - "columnName": "FileHashCustomEntity" - } - ], - "entityType": "FileHash" - }, - { - "fieldMappings": [ - { - "identifier": "ProcessId", - "columnName": "ProcessCustomEntity" - } - ], - "entityType": "Process" - } - ] 
- } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId22'),'/'))))]", - "properties": { - "description": "Legacy IOC based Threat Protection Analytics Rule 22", - "parentId": "[variables('analyticRuleId22')]", - "contentId": "[variables('_analyticRulecontentId22')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion22')]", - "source": { - "kind": "Solution", - "name": "Legacy IOC based Threat Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId22')]", - "contentKind": "AnalyticsRule", - "displayName": "[Deprecated] - Midnight Blizzard IOCs related to FoggyWeb backdoor", - "contentProductId": "[variables('_analyticRulecontentProductId22')]", - "id": "[variables('_analyticRulecontentProductId22')]", - "version": "[variables('analyticRuleVersion22')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName23')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": 
"MidnightBlizzard_IOCsMay2021_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion23')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId23')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy", - "displayName": "[Deprecated] - Midnight Blizzard - Domain, Hash and IP IOCs - May 2021", - "enabled": false, - "query": "let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\n[@\"https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet sha256s = (iocs | where Type =~ \"SHA256\"| project IoC);\nlet ips = (iocs | where Type =~ \"IP\"| project IoC);\nlet IPList = dynamic([\"192.99.221.77\",\"83.171.237.173\"]);\nlet ips_list=toscalar(ips | summarize makeset(IoC));\nlet full_ip_list= array_concat(ips_list, IPList);\nlet domains = (iocs | where Type =~ \"Domain\"| project IoC);\nlet domain_list=toscalar(domains | summarize make_set(IoC));\nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\nlet sha256Hashes = dynamic([\"2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252\",\n\"d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142\",\n\"94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\",\n\"48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\",\n\"ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\",\n\"ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\"]);\n(union isfuzzy=true\n(CommonSecurityLog\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (domains) or RequestURL has_any (domains) or Message has_any (IPList)\n| parse Message with * '(' DNSName ')' * \n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", MessageIP in (IPList), \"Message\", RequestURL in (domains), \"RequestUrl\", SourceIP in (ips), \"SourceIP\", DestinationIP in (ips), \"DestinationIP\", MessageIP 
in (IPList), \"Message\", \"NoMatch\") \n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, IPMatch == \"Message\", MessageIP, \"NoMatch\"), AccountCustomEntity = SourceUserID\n),\n(_Im_Dns (domain_has_any=todynamic(domain_list))\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\n),\n(_Im_Dns (response_has_any_prefix=todynamic(full_ip_list))\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\n),\n(VMConnection\n| where SourceIp in (IPList) or DestinationIp in (IPList) or SourceIp in (ips) or DestinationIp in (ips) or RemoteDnsCanonicalNames has_any (domains)\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", SourceIp in (ips), \"SourceIP\", DestinationIp in (ips), \"DestinationIP\", \"None\") \n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"NoMatch\"), HostCustomEntity = Computer\n),\n(OfficeActivity\n| where ClientIP in (IPList) or ClientIP in (ips)\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\n),\n(WindowsFirewall\n| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", SourceIP in (ips), \"SourceIP\", DestinationIP in (ips), \"DestinationIP\", \"None\")\n),\n(_Im_NetworkSession(srcipaddr_has_any_prefix=full_ip_list)\n | extend IPMatch = \"SourceIP\"\n | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = 
SrcIpAddr //, AccountCustomEntity =User\n),\n(_Im_NetworkSession(dstipaddr_has_any_prefix=full_ip_list)\n | extend IPMatch = \"DestinationIP\"\n | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = DstIpAddr //, AccountCustomEntity =User\n),\n(_Im_WebSession(url_has_any=domains)\n | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , DNSName=tostring(parse_url(Url)[\"Host\"]), AccountCustomEntity=User\n),\n(_Im_WebSession(srcipaddr_has_any_prefix=full_ip_list)\n | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , DNSName=tostring(parse_url(Url)[\"Host\"]), AccountCustomEntity=User\n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (domains) \n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\n),\n(AZFWApplicationRule\n| where isnotempty(Fqdn)\n| where Fqdn has_any (domains)\n| extend timestamp = TimeGenerated\n| extend DNSName = Fqdn\n| extend IPCustomEntity = SourceIp\n),\n(AZFWDnsQuery\n| where isnotempty(QueryName)\n| where QueryName has_any (domains)\n| extend timestamp = TimeGenerated\n| extend DNSName = QueryName\n| extend IPCustomEntity = SourceIp\n),\n(Event\n//This query uses sysmon data depending on table name used this may need updating\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| where EventDetail has_any (sha256Hashes) or EventDetail has_any (sha256s)\n| parse EventDetail with * 'SHA256=' SHA256 '\",' *\n| extend Type = strcat(Type, \": \", Source), Account = UserName, FileHash = SHA256\n| project Type, TimeGenerated, Computer, Account, FileHash\n),\n(DeviceFileEvents\n| where SHA256 in~ (sha256Hashes) or SHA256 
in~ (sha256s)\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(imFileEvent\n| where TargetFileSHA256 in~ (sha256Hashes) or TargetFileSHA256 in~ (sha256s)\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(CommonSecurityLog\n| where FileHash in (sha256Hashes) or FileHash in (sha256s)\n| extend timestamp = TimeGenerated\n)\n)\n", - "queryFrequency": "PT6H", - "queryPeriod": "PT6H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AWSS3", - "datatypes": [ - "AWSVPCFlow" - ] - }, - { - "connectorId": "WindowsForwardedEvents", - "dataTypes": [ - "WindowsEvent" - ] - }, - { - "connectorId": "SquidProxy", - "dataTypes": [ - "SquidProxy_CL" - ] - }, - { - "connectorId": "MicrosoftSysmonForLinux", - "dataTypes": [ - "Syslog" - ] - }, - { - "connectorId": "DNS", - "dataTypes": [ - "DnsEvents" - ] - }, - { - "connectorId": "AzureMonitor(VMInsights)", - "dataTypes": [ - "VMConnection" - ] - }, - { - "connectorId": "F5", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "CiscoASA", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "PaloAltoNetworks", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "Fortinet", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "CheckPoint", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "CEF", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "MicrosoftThreatProtection", - 
"dataTypes": [ - "DeviceNetworkEvents", - "DeviceFileEvents" - ] - }, - { - "connectorId": "SecurityEvents", - "dataTypes": [ - "SecurityEvent" - ] - }, - { - "connectorId": "Office365", - "dataTypes": [ - "OfficeActivity" - ] - }, - { - "connectorId": "AzureFirewall", - "dataTypes": [ - "AzureDiagnostics", - "AZFWApplicationRule", - "AZFWDnsQuery" - ] - }, - { - "connectorId": "WindowsFirewall", - "dataTypes": [ - "WindowsFirewall" - ] - }, - { - "connectorId": "Zscaler", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "InfobloxNIOS", - "dataTypes": [ - "Syslog" - ] - }, - { - "connectorId": "GCPDNSDataConnector", - "dataTypes": [ - "GCP_DNS_CL" - ] - }, - { - "connectorId": "NXLogDnsLogs", - "dataTypes": [ - "NXLog_DNS_Server_CL" - ] - }, - { - "connectorId": "CiscoUmbrellaDataConnector", - "dataTypes": [ - "Cisco_Umbrella_dns_CL" - ] - }, - { - "connectorId": "Corelight", - "dataTypes": [ - "Corelight_CL" - ] - } - ], - "tactics": [ - "CommandAndControl", - "Execution" - ], - "techniques": [ - "T1102", - "T1204" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "AccountCustomEntity" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "HostCustomEntity" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IPCustomEntity" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "identifier": "DomainName", - "columnName": "DNSName" - } - ], - "entityType": "DNS" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId23'),'/'))))]", - "properties": { - "description": "Legacy IOC based Threat Protection Analytics Rule 23", - "parentId": 
"[variables('analyticRuleId23')]", - "contentId": "[variables('_analyticRulecontentId23')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion23')]", - "source": { - "kind": "Solution", - "name": "Legacy IOC based Threat Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId23')]", - "contentKind": "AnalyticsRule", - "displayName": "[Deprecated] - Midnight Blizzard - Domain, Hash and IP IOCs - May 2021", - "contentProductId": "[variables('_analyticRulecontentProductId23')]", - "id": "[variables('_analyticRulecontentProductId23')]", - "version": "[variables('analyticRuleVersion23')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName24')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "PHOSPHORUSMarch2019IOCs_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion24')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - 
"name": "[variables('analyticRulecontentId24')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy", - "displayName": "[Deprecated] - Known Phosphorus group domains/IP", - "enabled": false, - "query": "let DomainNames = dynamic([\"yahoo-verification.org\",\"support-servics.com\",\"verification-live.com\",\"com-mailbox.com\",\"com-myaccuants.com\",\"notification-accountservice.com\",\n\"accounts-web-mail.com\",\"customer-certificate.com\",\"session-users-activities.com\",\"user-profile-credentials.com\",\"verify-linke.com\",\"support-servics.net\",\"verify-linkedin.net\",\n\"yahoo-verification.net\",\"yahoo-verify.net\",\"outlook-verify.net\",\"com-users.net\",\"verifiy-account.net\",\"te1egram.net\",\"account-verifiy.net\",\"myaccount-services.net\",\n\"com-identifier-servicelog.name\",\"microsoft-update.bid\",\"outlook-livecom.bid\",\"update-microsoft.bid\",\"documentsfilesharing.cloud\",\"com-microsoftonline.club\",\n\"confirm-session-identifier.info\",\"session-management.info\",\"confirmation-service.info\",\"document-share.info\",\"broadcast-news.info\",\"customize-identity.info\",\"webemail.info\",\n\"com-identifier-servicelog.info\",\"documentsharing.info\",\"notification-accountservice.info\",\"identifier-activities.info\",\"documentofficupdate.info\",\"recoveryusercustomer.info\",\n\"serverbroadcast.info\",\"account-profile-users.i
nfo\",\"account-service-management.info\",\"accounts-manager.info\",\"activity-confirmation-service.info\",\"com-accountidentifier.info\",\n\"com-privacy-help.info\",\"com-sessionidentifier.info\",\"com-useraccount.info\",\"confirmation-users-service.info\",\"confirm-identity.info\",\"confirm-session-identification.info\",\n\"continue-session-identifier.info\",\"customer-recovery.info\",\"customers-activities.info\",\"elitemaildelivery.info\",\"email-delivery.info\",\"identify-user-session.info\",\n\"message-serviceprovider.info\",\"notificationapp.info\",\"notification-manager.info\",\"recognized-activity.info\",\"recover-customers-service.info\",\"recovery-session-change.info\",\n\"service-recovery-session.info\",\"service-session-continue.info\",\"session-mail-customers.info\",\"session-managment.info\",\"session-verify-user.info\",\"shop-sellwear.info\",\n\"supportmailservice.info\",\"terms-service-notification.info\",\"user-activity-issues.info\",\"useridentity-confirm.info\",\"users-issue-services.info\",\"verify-user-session.info\",\n\"login-gov.info\",\"notification-signal-agnecy.info\",\"notifications-center.info\",\"identifier-services-sessions.info\",\"customers-manager.info\",\"session-manager.info\",\n\"customer-managers.info\",\"confirmation-recovery-options.info\",\"service-session-confirm.info\",\"session-recovery-options.info\",\"services-session-confirmation.info\",\n\"notification-managers.info\",\"activities-services-notification.info\",\"activities-recovery-options.info\",\"activity-session-recovery.info\",\"customers-services.info\",\n\"sessions-notification.info\",\"download-teamspeak.info\",\"services-issue-notification.info\",\"microsoft-upgrade.mobi\",\"broadcastnews.pro\",\"mobile-messengerplus.network\"]);\nlet IPList = dynamic([\"51.91.200.147\"]);\nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\n(union isfuzzy=true\n(CommonSecurityLog\n| parse Message with * '(' DNSName ')' *\n| extend MessageIP = 
extract(IPRegex, 0, Message)\n| extend RequestURLIP = extract(IPRegex, 0, Message)\n| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList))\nor (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList)))\nor (isnotempty(Message) and MessageIP in (IPList))\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", MessageIP in (IPList), \"Message\", RequestURLIP in (IPList), \"RequestUrl\", \"NoMatch\")\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP,IPMatch == \"Message\", MessageIP,\nIPMatch == \"RequestUrl\", RequestURLIP,\"NoMatch\"), Account = SourceUserID, Host = DeviceName\n),\n(_Im_Dns (domain_has_any=DomainNames)\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\n(_Im_Dns (response_has_any_prefix=IPList)\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\n(_Im_WebSession(url_has_any=DomainNames)\n| extend DestinationIPAddress = DstIpAddr, DNSName = tostring(parse_url(Url)[\"Host\"]), Host = Dvc\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\n(VMConnection\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) or isnotempty(DNSName)\n| where SourceIp in (IPList) or DestinationIp in (IPList) or DNSName in~ (DomainNames)\n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", \"None\")\n| extend 
timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"None\"), Host = Computer),\n(OfficeActivity\n| extend SourceIPAddress = ClientIP, Account = UserId\n| where SourceIPAddress in (IPList)\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend DNSName = DestinationHost \n| extend IPCustomEntity = SourceHost \n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| project TimeGenerated,Resource, msg_s, Type\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". 
\" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (DomainNames)\n| extend DNSName = Request_Name \n| extend IPCustomEntity = ClientIP\n),\n(AZFWApplicationRule\n| where isnotempty(Fqdn)\n| where Fqdn has_any (DomainNames) \n| extend DNSName = Fqdn \n| extend IPCustomEntity = SourceIp\n),\n(AZFWDnsQuery\n| where isnotempty(QueryName)\n| where QueryName has_any (DomainNames)\n| extend DNSName = QueryName\n| extend IPCustomEntity = SourceIp\n)\n)\n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "SquidProxy", - "dataTypes": [ - "SquidProxy_CL" - ] - }, - { - "connectorId": "DNS", - "dataTypes": [ - "DnsEvents" - ] - }, - { - "connectorId": "AzureMonitor(VMInsights)", - "dataTypes": [ - "VMConnection" - ] - }, - { - "connectorId": "CiscoASA", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "PaloAltoNetworks", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "Office365", - "dataTypes": [ - "OfficeActivity" - ] - }, - { - "connectorId": "AzureFirewall", - "dataTypes": [ - "AzureDiagnostics", - "AZFWApplicationRule", - "AZFWDnsQuery" - ] - }, - { - "connectorId": "Zscaler", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "InfobloxNIOS", - "dataTypes": [ - "Syslog" - ] - }, - { - "connectorId": "GCPDNSDataConnector", - "dataTypes": [ - "GCP_DNS_CL" - ] - }, - { - "connectorId": "NXLogDnsLogs", - "dataTypes": [ - "NXLog_DNS_Server_CL" - ] - }, - { - "connectorId": "CiscoUmbrellaDataConnector", - "dataTypes": [ - "Cisco_Umbrella_dns_CL" - ] - }, - { - "connectorId": "Corelight", - "dataTypes": [ - "Corelight_CL" - ] - } - ], - "tactics": [ - 
"CommandAndControl" - ], - "techniques": [ - "T1071" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "AccountCustomEntity" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "HostCustomEntity" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IPCustomEntity" - } - ], - "entityType": "IP" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId24'),'/'))))]", - "properties": { - "description": "Legacy IOC based Threat Protection Analytics Rule 24", - "parentId": "[variables('analyticRuleId24')]", - "contentId": "[variables('_analyticRulecontentId24')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion24')]", - "source": { - "kind": "Solution", - "name": "Legacy IOC based Threat Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId24')]", - "contentKind": "AnalyticsRule", - "displayName": "[Deprecated] - Known Phosphorus group domains/IP", - "contentProductId": "[variables('_analyticRulecontentProductId24')]", - "id": "[variables('_analyticRulecontentProductId24')]", - "version": "[variables('analyticRuleVersion24')]" - } - }, - { - "type": 
"Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName25')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "PlaidRainIPIoC_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion25')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId25')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy", - "displayName": "[Deprecated] - Known Plaid Rain IP", - "enabled": false, - "query": "let IPList = dynamic([\"135.125.147.170:80\",\"185.244.129.79:63047\",\"185.244.129.79:80\",\"45.80.149.108:63047\",\"45.80.149.108:80\",\"45.80.149.57:63047\",\"45.80.149.68:63047\",\"45.80.149.71:80\",\"185.244.129.109\",\"172.96.188.51\",\"51.83.246.73\"]); \n(union isfuzzy=true \n(CommonSecurityLog \n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"Message\") \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"IP in Message Field\") \n), \n(OfficeActivity \n|extend SourceIPAddress = ClientIP, Account = UserId \n| where SourceIPAddress in (IPList) \n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \n),\n(_Im_Dns (response_has_any_prefix=IPList)\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \n), \n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\n | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Hostname, AccountCustomEntity=User\n), \n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = Hostname , AccountCustomEntity = User\n), \n(WireData \n| where 
isnotempty(RemoteIP) \n| where RemoteIP in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \n), \n(SigninLogs \n| where isnotempty(IPAddress) \n| where IPAddress in (IPList) \n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \n),\n(AADNonInteractiveUserSignInLogs \n| where isnotempty(IPAddress) \n| where IPAddress in (IPList) \n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \n), \n(W3CIISLog \n| where isnotempty(cIP) \n| where cIP in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \n), \n(AzureActivity \n| where isnotempty(CallerIpAddress) \n| where CallerIpAddress in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \n), \n( \nAWSCloudTrail \n| where isnotempty(SourceIpAddress) \n| where SourceIpAddress in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \n), \n( \nDeviceNetworkEvents \n| where isnotempty(RemoteIP) \n| where RemoteIP in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \n),\n(\nAzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (IPList) \n| extend DestinationIP = DestinationHost \n| extend IPCustomEntity = SourceHost\n),\n(\nAzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallNetworkRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (IPList) \n| extend DestinationIP = DestinationHost \n| extend IPCustomEntity = SourceHost\n),\n(AZFWNetworkRule\n| where isnotempty(DestinationIp)\n| where DestinationIp has_any (IPList) \n| extend DestinationIP = DestinationIp \n| extend IPCustomEntity = SourceIp\n),\n(AZFWApplicationRule\n| where isnotempty(Fqdn)\n| where Fqdn has_any (IPList) \n| extend DestinationIP = Fqdn \n| extend IPCustomEntity = SourceIp\n)\n) \n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AWSS3", - "datatypes": [ - "AWSVPCFlow" - ] - }, - { - "connectorId": "WindowsForwardedEvents", - "dataTypes": [ - "WindowsEvent" - ] - }, - { - "connectorId": "MicrosoftSysmonForLinux", - "dataTypes": [ - "Syslog" - ] - }, - { - "connectorId": "Office365", - "dataTypes": [ - "OfficeActivity" - ] - }, - { - "connectorId": "DNS", - "dataTypes": [ - "DnsEvents" - ] - }, - { - "connectorId": "AzureMonitor(VMInsights)", - "dataTypes": [ - "VMConnection" - ] - }, - { - "connectorId": "CiscoASA", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "PaloAltoNetworks", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "SecurityEvents", - "dataTypes": [ - "SecurityEvent" - ] - }, - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "SigninLogs" - ] - }, - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AADNonInteractiveUserSignInLogs" - ] - }, - { - "connectorId": "AzureMonitor(WireData)", - "dataTypes": [ - "WireData" - ] - }, - { - "connectorId": "AzureMonitor(IIS)", - "dataTypes": [ - "W3CIISLog" - ] - }, - { - "connectorId": "AzureActivity", - "dataTypes": [ - "AzureActivity" - ] - }, - { - "connectorId": "AWS", - "dataTypes": [ - 
"AWSCloudTrail" - ] - }, - { - "connectorId": "MicrosoftThreatProtection", - "dataTypes": [ - "DeviceNetworkEvents" - ] - }, - { - "connectorId": "AzureFirewall", - "dataTypes": [ - "AzureDiagnostics", - "AZFWApplicationRule", - "AZFWNetworkRule" - ] - }, - { - "connectorId": "Zscaler", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "InfobloxNIOS", - "dataTypes": [ - "Syslog" - ] - }, - { - "connectorId": "GCPDNSDataConnector", - "dataTypes": [ - "GCP_DNS_CL" - ] - }, - { - "connectorId": "NXLogDnsLogs", - "dataTypes": [ - "NXLog_DNS_Server_CL" - ] - }, - { - "connectorId": "CiscoUmbrellaDataConnector", - "dataTypes": [ - "Cisco_Umbrella_dns_CL" - ] - }, - { - "connectorId": "Corelight", - "dataTypes": [ - "Corelight_CL" - ] - } - ], - "tactics": [ - "CommandAndControl" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "AccountCustomEntity" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "HostCustomEntity" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IPCustomEntity" - } - ], - "entityType": "IP" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId25'),'/'))))]", - "properties": { - "description": "Legacy IOC based Threat Protection Analytics Rule 25", - "parentId": "[variables('analyticRuleId25')]", - "contentId": "[variables('_analyticRulecontentId25')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion25')]", - "source": { - "kind": "Solution", - "name": "Legacy IOC based Threat Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - 
"name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId25')]", - "contentKind": "AnalyticsRule", - "displayName": "[Deprecated] - Known Plaid Rain IP", - "contentProductId": "[variables('_analyticRulecontentProductId25')]", - "id": "[variables('_analyticRulecontentProductId25')]", - "version": "[variables('analyticRuleVersion25')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName26')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Solorigate-Network-Beacon_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion26')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId26')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. 
To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy", - "displayName": "[Deprecated] - Solorigate Network Beacon", - "enabled": false, - "query": "let domains = dynamic([\"incomeupdate.com\",\"zupertech.com\",\"databasegalore.com\",\"panhardware.com\",\"avsvmcloud.com\",\"digitalcollege.org\",\"freescanonline.com\",\"deftsecurity.com\",\"thedoccloud.com\",\"virtualdataserver.com\",\"lcomputers.com\",\"webcodez.com\",\"globalnetworkissues.com\",\"kubecloud.com\",\"seobundlekit.com\",\"solartrackingsystem.net\",\"virtualwebdata.com\"]);\n(union isfuzzy=true\n(CommonSecurityLog \n | parse Message with * '(' DNSName ')' * \n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\n | extend AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\n ),\n(_Im_Dns (domain_has_any=domains)\n | extend DNSName = DnsQuery\n | extend IPCustomEntity = SrcIpAddr\n ),\n(VMConnection \n | parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n | where isnotempty(DNSName)\n | where DNSName in~ (domains)\n | extend IPCustomEntity = RemoteIp\n ),\n(DeviceNetworkEvents \n | where isnotempty(RemoteUrl) \n | where RemoteUrl has_any (domains) \n | extend DNSName = RemoteUrl\n | extend IPCustomEntity = RemoteIP \n | extend HostCustomEntity = DeviceName \n ),\n(AzureDiagnostics \n | where ResourceType == \"AZUREFIREWALLS\"\n | where Category == \"AzureFirewallApplicationRule\"\n | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\n | where isnotempty(DestinationHost)\n | where DestinationHost has_any (domains) \n | extend DNSName = DestinationHost \n | extend IPCustomEntity = SourceHost\n ),\n(AzureDiagnostics\n | where ResourceType == \"AZUREFIREWALLS\"\n | where Category == \"AzureFirewallNetworkRule\"\n | where msg_s has_any (domains)\n | parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int *\n | parse kind=regex flags=U msg_s with * \". Action\\\\: \" Action1a \"\\\\.\"\n | parse msg_s with * \". Policy: \" Policy \". Rule Collection Group: \" RuleCollectionGroup \".\" *\n | parse msg_s with * \" Rule Collection: \" RuleCollection \". Rule: \" Rule \n | extend DNSName = TargetIP \n | extend IPCustomEntity = SourceIP\n ),\n(AzureDiagnostics\n | where ResourceType == \"AZUREFIREWALLS\"\n | where Category == \"AzureFirewallDnsProxy\"\n | where msg_s has_any (domains)\n | parse msg_s with \"DNS Request: \" SourceIP \":\" SourcePortInt:int \" - \" QueryID:int \" \" RequestType \" \" RequestClass \" \" hostname \". 
\" protocol \" \" details\n | extend\n ResponseDuration = extract(\"[0-9]*.?[0-9]+s$\", 0, msg_s),\n SourcePort = tostring(SourcePortInt),\n QueryID = tostring(QueryID)\n | extend DNSName = hostname\n | extend IPCustomEntity = SourceIP\n | project TimeGenerated,SourceIP,hostname,RequestType,ResponseDuration,details,msg_s\n | order by TimeGenerated\n ),\n(AZFWApplicationRule\n | where Fqdn has_any (domains)\n | extend DNSName = Fqdn\n | extend IPCustomEntity = SourceIp\n ),\n(AZFWDnsQuery\n | where isnotempty(QueryName)\n | where QueryName has_any (domains)\n | extend DNSName = QueryName\n | extend IPCustomEntity = SourceIp\n )\n )\n", - "queryFrequency": "PT6H", - "queryPeriod": "PT6H", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "DNS", - "dataTypes": [ - "DnsEvents" - ] - }, - { - "connectorId": "AzureMonitor(VMInsights)", - "dataTypes": [ - "VMConnection" - ] - }, - { - "connectorId": "CiscoASA", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "PaloAltoNetworks", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "MicrosoftThreatProtection", - "dataTypes": [ - "DeviceNetworkEvents" - ] - }, - { - "connectorId": "AzureFirewall", - "dataTypes": [ - "AzureDiagnostics", - "AZFWApplicationRule", - "AZFWDnsQuery" - ] - }, - { - "connectorId": "Zscaler", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "InfobloxNIOS", - "dataTypes": [ - "Syslog" - ] - }, - { - "connectorId": "GCPDNSDataConnector", - "dataTypes": [ - "GCP_DNS_CL" - ] - }, - { - "connectorId": "NXLogDnsLogs", - "dataTypes": [ - "NXLog_DNS_Server_CL" - ] - }, - { - "connectorId": "CiscoUmbrellaDataConnector", - "dataTypes": [ - "Cisco_Umbrella_dns_CL" - ] - }, - { - "connectorId": "Corelight", - "dataTypes": [ - "Corelight_CL" - ] - } - ], - "tactics": [ - 
"CommandAndControl" - ], - "techniques": [ - "T1102" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "AccountCustomEntity" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "HostCustomEntity" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IPCustomEntity" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "identifier": "DomainName", - "columnName": "DNSName" - } - ], - "entityType": "DNS" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId26'),'/'))))]", - "properties": { - "description": "Legacy IOC based Threat Protection Analytics Rule 26", - "parentId": "[variables('analyticRuleId26')]", - "contentId": "[variables('_analyticRulecontentId26')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion26')]", - "source": { - "kind": "Solution", - "name": "Legacy IOC based Threat Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId26')]", - "contentKind": "AnalyticsRule", - "displayName": "[Deprecated] - Solorigate Network Beacon", - "contentProductId": "[variables('_analyticRulecontentProductId26')]", - "id": 
"[variables('_analyticRulecontentProductId26')]", - "version": "[variables('analyticRuleVersion26')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName27')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Solorigate-VM-Network_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion27')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId27')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy", - "displayName": "[Deprecated] - Solorigate Domains Found in VM Insights", - "enabled": false, - "query": "\nlet domains = dynamic([\"incomeupdate.com\",\"zupertech.com\",\"databasegalore.com\",\"panhardware.com\",\"avsvmcloud.com\",\"digitalcollege.org\",\"freescanonline.com\",\"deftsecurity.com\",\"thedoccloud.com\",\"virtualdataserver.com\",\"lcomputers.com\",\"webcodez.com\",\"globalnetworkissues.com\",\"kubecloud.com\",\"seobundlekit.com\",\"solartrackingsystem.net\",\"virtualwebdata.com\"]);\nlet timeframe = 1h;\nlet connections = VMConnection \n | where TimeGenerated >= ago(timeframe)\n | extend DNSName = set_union(todynamic(RemoteDnsCanonicalNames),todynamic(RemoteDnsQuestions))\n | mv-expand DNSName\n | where isnotempty(DNSName)\n | where DNSName has_any (domains)\n | extend IPCustomEntity = RemoteIp\n | summarize TimeGenerated = arg_min(TimeGenerated, *), requests = count() by IPCustomEntity, DNSName = tostring(DNSName), AgentId, Machine, Process;\nlet processes = VMProcess\n | where TimeGenerated >= ago(timeframe)\n | project AgentId, Machine, Process, UserName, UserDomain, ExecutablePath, CommandLine, FirstPid\n | extend exePathArr = split(ExecutablePath, \"\\\\\")\n | extend DirectoryName = array_strcat(array_slice(exePathArr, 0, array_length(exePathArr) - 2), \"\\\\\")\n | extend Filename = array_strcat(array_slice(exePathArr, array_length(exePathArr) - 1, array_length(exePathArr)), \"\\\\\")\n | project-away exePathArr;\nlet computers = VMComputer\n | where TimeGenerated >= ago(timeframe)\n | project HostCustomEntity = HostName, AzureResourceId = _ResourceId, AgentId, Machine;\nconnections | join kind = inner (processes) on AgentId, Machine, Process\n | join kind = inner (computers) on AgentId, Machine\n \n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "High", - "suppressionDuration": "PT1H", - 
"suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureMonitor(VMInsights)", - "dataTypes": [ - "VMConnection" - ] - }, - { - "connectorId": "AzureMonitor(VMInsights)", - "dataTypes": [ - "VMProcess" - ] - }, - { - "connectorId": "AzureMonitor(VMInsights)", - "dataTypes": [ - "VMComputer" - ] - } - ], - "tactics": [ - "CommandAndControl" - ], - "techniques": [ - "T1102" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "HostName", - "columnName": "HostCustomEntity" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IPCustomEntity" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "identifier": "DomainName", - "columnName": "DNSName" - } - ], - "entityType": "DNS" - }, - { - "fieldMappings": [ - { - "identifier": "ProcessId", - "columnName": "FirstPid" - }, - { - "identifier": "CommandLine", - "columnName": "CommandLine" - } - ], - "entityType": "Process" - }, - { - "fieldMappings": [ - { - "identifier": "Directory", - "columnName": "DirectoryName" - }, - { - "identifier": "Name", - "columnName": "Filename" - } - ], - "entityType": "File" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId27'),'/'))))]", - "properties": { - "description": "Legacy IOC based Threat Protection Analytics Rule 27", - "parentId": "[variables('analyticRuleId27')]", - "contentId": "[variables('_analyticRulecontentId27')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion27')]", - "source": { - "kind": "Solution", - "name": "Legacy IOC based Threat Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - 
"email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId27')]", - "contentKind": "AnalyticsRule", - "displayName": "[Deprecated] - Solorigate Domains Found in VM Insights", - "contentProductId": "[variables('_analyticRulecontentProductId27')]", - "id": "[variables('_analyticRulecontentProductId27')]", - "version": "[variables('analyticRuleVersion27')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName28')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "CaramelTsunami_IOC_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion28')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId28')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. 
To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy", - "displayName": "[Deprecated] - Caramel Tsunami Actor IOC - July 2021", - "enabled": false, - "query": "let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet domains = (iocs | where Type =~ \"domainname\"| project IoC);\nlet sha256Hashes = (iocs | where Type =~ \"sha256\" | project IoC);\nlet file_path1 = (iocs | where Type =~ \"filepath1\" | project IoC);\nlet file_path2 = (iocs | where Type =~ \"filepath2\" | project IoC);\nlet file_path3 = (iocs | where Type =~ \"filepath3\" | project IoC);\nlet reg_key = (iocs | where Type =~ \"regkey\" | project IoC);\n(union isfuzzy=true\n(CommonSecurityLog\n| where DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (domains)\n| parse Message with * '(' DNSName ')' *\n| project TimeGenerated, Message, SourceUserID, RequestURL, DestinationHostName, Type, SourceIP, DestinationIP, DNSName\n| extend timestamp = TimeGenerated, AccountCustomEntity = SourceUserID, UrlCustomEntity = RequestURL , IPCustomEntity = DestinationIP, DNSCustomEntity = DNSName\n),\n(DnsEvents\n| where Name in~ (domains)\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\n| extend DNSName = Name, Host = Computer\n| extend timestamp = TimeGenerated, HostCustomEntity = Host, DNSCustomEntity = DNSName, IPCustomEntity = IPAddresses\n),\n(VMConnection\n| where RemoteDnsCanonicalNames has_any (domains)\n| parse 
RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| project TimeGenerated, Computer, Direction, RemoteDnsCanonicalNames, ProcessName, SourceIp, DestinationIp, DestinationPort, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, HostCustomEntity = Computer, ProcessCustomEntity = ProcessName, DNSCustomEntity = DNSName\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 3\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend SourceIP = tostring(EventDetail.[9].[\"#text\"]), DestinationIP = tostring(EventDetail.[14].[\"#text\"]), Image = EventDetail.[4].[\"#text\"]\n| where Image has_any (file_path1) or Image has_any (file_path3)\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, EventDetail, Type\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\\\', -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = DestinationIP\n), \n(DeviceNetworkEvents\n| where (RemoteUrl has_any (domains)) or (InitiatingProcessSHA256 in (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or InitiatingProcessFolderPath has_any (file_path3)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, LocalIP, Type\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, UrlCustomEntity =RemoteUrl\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| project TimeGenerated,Resource, msg_s, Type\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" 
Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (domains)\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| project TimeGenerated,Resource, msg_s\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where DestinationHost has_any (domains) \n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\n),\n(AZFWDnsQuery\n| where QueryName has_any (domains)\n| extend timestamp = TimeGenerated, DNSName = QueryName, IPCustomEntity = SourceIp\n),\n(AZFWApplicationRule\n| where Fqdn has_any (domains)\n| extend timestamp = TimeGenerated, DNSName = Fqdn, IPCustomEntity = SourceIp\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| parse EventDetail with * 'SHA256=' SHA256 '\",' *\n| extend Image = EventDetail.[4].[\"#text\"], CommandLine = EventDetail.[10].[\"#text\"]\n| where (SHA256 has_any (sha256Hashes) and Image has_any (file_path1)) or (Image has_any (file_path3)) or ( CommandLine has_any (file_path3)) or ( CommandLine has_any (file_path1)) or ( CommandLine has 'reg add' and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) \n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, CommandLine, Image\n| extend Type = strcat(Type, \": \", Source)\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\\\', -1)[-1]), AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = 
SHA256\n),\n(DeviceRegistryEvents\n| where RegistryKey has_any (reg_key) and RegistryValueData has_any (file_path2)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type \n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = InitiatingProcessSHA256\n),\n(DeviceProcessEvents\n| where ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has 'reg add' and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = InitiatingProcessSHA256\n),\n(DeviceFileEvents\n| where (InitiatingProcessSHA256 has_any (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3)) or ( InitiatingProcessCommandLine 
has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3))\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, FolderPath, Type\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = RequestAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = InitiatingProcessSHA256\n),\n(DeviceEvents\n| where ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has 'reg add' and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\n| extend CommandLine = InitiatingProcessCommandLine\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = InitiatingProcessSHA256\n),\n( SecurityEvent\n| where EventID == 4688\n| where ( CommandLine has_any (file_path1)) or ( CommandLine has_any (file_path3)) or ( CommandLine has 'reg add' and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or (NewProcessName 
has_any (file_path1)) or (NewProcessName has_any (file_path3)) or (ParentProcessName has_any (file_path1)) or (ParentProcessName has_any (file_path3))\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\n)\n)\n", - "queryFrequency": "PT6H", - "queryPeriod": "PT6H", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "DNS", - "dataTypes": [ - "DnsEvents" - ] - }, - { - "connectorId": "AzureMonitor(VMInsights)", - "dataTypes": [ - "VMConnection" - ] - }, - { - "connectorId": "F5", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "CiscoASA", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "PaloAltoNetworks", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "Fortinet", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "CheckPoint", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "CEF", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "MicrosoftThreatProtection", - "dataTypes": [ - "DeviceNetworkEvents", - "DeviceRegistryEvents", - "DeviceFileEvents", - "DeviceEvents", - "DeviceProcessEvents" - ] - }, - { - "connectorId": "SecurityEvents", - "dataTypes": [ - "SecurityEvent" - ] - }, - { - "connectorId": "Office365", - "dataTypes": [ - "OfficeActivity" - ] - }, - { - "connectorId": "AzureFirewall", - "dataTypes": [ - "AzureDiagnostics", - "AZFWApplicationRule", - "AZFWDnsQuery" - ] - }, - { - "connectorId": "WindowsFirewall", - "dataTypes": [ - "WindowsFirewall" - ] - }, - { - "connectorId": "WindowsSecurityEvents", - "dataTypes": [ - "SecurityEvents" - ] - }, - { - "connectorId": "WindowsForwardedEvents", 
- "dataTypes": [ - "WindowsEvent" - ] - } - ], - "tactics": [ - "Persistence" - ], - "techniques": [ - "T1546" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "AccountCustomEntity" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "HostCustomEntity" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IPCustomEntity" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "identifier": "ProcessId", - "columnName": "ProcessCustomEntity" - } - ], - "entityType": "Process" - }, - { - "fieldMappings": [ - { - "identifier": "Algorithm", - "columnName": "AlgorithmCustomEntity" - }, - { - "identifier": "Value", - "columnName": "FileHashCustomEntity" - } - ], - "entityType": "FileHash" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId28'),'/'))))]", - "properties": { - "description": "Legacy IOC based Threat Protection Analytics Rule 28", - "parentId": "[variables('analyticRuleId28')]", - "contentId": "[variables('_analyticRulecontentId28')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion28')]", - "source": { - "kind": "Solution", - "name": "Legacy IOC based Threat Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - 
"contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId28')]", - "contentKind": "AnalyticsRule", - "displayName": "[Deprecated] - Caramel Tsunami Actor IOC - July 2021", - "contentProductId": "[variables('_analyticRulecontentProductId28')]", - "id": "[variables('_analyticRulecontentProductId28')]", - "version": "[variables('analyticRuleVersion28')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName29')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "ForestBlizzardOct292020IOCs_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion29')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId29')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy", - "displayName": "[Deprecated] - Possible Forest Blizzard attempted credential harvesting - Oct 2020", - "enabled": false, - "query": "let User_Agents = dynamic ([\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70\", \n\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15\", \n\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0\", \n\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\", \n\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\"]);\nOfficeActivity\n| where RecordType in (\"AzureActiveDirectoryAccountLogon\", \"AzureActiveDirectoryStsLogon\") \n| where Operation != 'UserLoggedIn'\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \"UserAgent\", extractjson(\"$[0].Value\", ExtendedProperties, typeof(string)),\"\")\n| mv-expand parse_json(ExtendedProperties)\n| where ExtendedProperties.Name =~ \"RequestType\"\n| extend RequestType = todynamic(ExtendedProperties).Value\n| where UserAgent =~ \"ms-office\" or UserAgent has_any (User_Agents)\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\n| where authAttempts > 500\n| extend timestamp = firstAttempt\n| sort by uniqueAccounts\n", - "queryFrequency": "P7D", - "queryPeriod": "P14D", - "severity": "Low", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Office365", - "dataTypes": [ - 
"OfficeActivity" - ] - } - ], - "tactics": [ - "CredentialAccess" - ], - "techniques": [ - "T1110" - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId29'),'/'))))]", - "properties": { - "description": "Legacy IOC based Threat Protection Analytics Rule 29", - "parentId": "[variables('analyticRuleId29')]", - "contentId": "[variables('_analyticRulecontentId29')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion29')]", - "source": { - "kind": "Solution", - "name": "Legacy IOC based Threat Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId29')]", - "contentKind": "AnalyticsRule", - "displayName": "[Deprecated] - Possible Forest Blizzard attempted credential harvesting - Oct 2020", - "contentProductId": "[variables('_analyticRulecontentProductId29')]", - "id": "[variables('_analyticRulecontentProductId29')]", - "version": "[variables('analyticRuleVersion29')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName30')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "SUNSPOTLogFile_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion30')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId30')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy", - "displayName": "[Deprecated] - SUNSPOT log file creation", - "enabled": false, - "query": "union isfuzzy=true\n(DeviceFileEvents\n| where FolderPath endswith \"vmware-vmdmp.log\"\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),\n(WindowsEvent\n| where EventID == 4663 and EventData has \"vmware-vmdmp.log\"\n| extend ObjectName = tostring(EventData.ObjectName) \n| where ObjectName endswith \"vmware-vmdmp.log\"\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\n(SecurityEvent\n| where EventID == 4663\n| where ObjectName endswith \"vmware-vmdmp.log\"\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\n(imFileEvent\n| where TargetFileName endswith \"vmware-vmdmp.log\"\n| extend HostCustomEntity = DvcHostname, timestamp=TimeGenerated\n)\n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "MicrosoftThreatProtection", - "dataTypes": [ - "DeviceFileEvents" - ] - }, - { - "connectorId": "SecurityEvents", - "dataTypes": [ - "SecurityEvent" - ] - }, - { - "connectorId": "WindowsSecurityEvents", - "dataTypes": [ - "SecurityEvents" - ] - }, - { - "connectorId": "WindowsForwardedEvents", - "dataTypes": [ - "WindowsEvent" - ] - } - ], - "tactics": [ - "Persistence" - ], - "techniques": [ - "T1554" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "HostCustomEntity" - } - ], - "entityType": "Host" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', 
last(split(variables('analyticRuleId30'),'/'))))]", - "properties": { - "description": "Legacy IOC based Threat Protection Analytics Rule 30", - "parentId": "[variables('analyticRuleId30')]", - "contentId": "[variables('_analyticRulecontentId30')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion30')]", - "source": { - "kind": "Solution", - "name": "Legacy IOC based Threat Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId30')]", - "contentKind": "AnalyticsRule", - "displayName": "[Deprecated] - SUNSPOT log file creation", - "contentProductId": "[variables('_analyticRulecontentProductId30')]", - "id": "[variables('_analyticRulecontentProductId30')]", - "version": "[variables('analyticRuleVersion30')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName31')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "TarraskHashIoC_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion31')]", - 
"parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId31')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy", - "displayName": "[Deprecated] - Tarrask malware IOC - April 2022", - "enabled": false, - "query": "let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Tarrask.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet sha256Hashes = (iocs | where Type =~ \"sha256\" | project IoC);\n(union isfuzzy=true\n(CommonSecurityLog\n| where FileHash in (sha256Hashes)\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash, Account = SourceUserID\n),\n(imFileEvent\n| where TargetFileSHA256 has_any (sha256Hashes)\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHashCustomEntity = FileHash\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend 
Image = EventDetail.[4].[\"#text\"], CommandLine = EventDetail.[10].[\"#text\"], Hashes = tostring(EventDetail.[17].[\"#text\"])\n| extend Hashes = extract_all(@\"(?P\\w+)=(?P[a-zA-Z0-9]+)\", dynamic([\"key\",\"value\"]), Hashes)\n| extend Hashes = column_ifexists(\"Hashes\", \"\"), CommandLine = column_ifexists(\"CommandLine\", \"\")\n| extend Hashes = todynamic(Hashes) | mv-expand Hashes\n| where Hashes[0] =~ \"SHA256\" and Hashes[1] has_any (sha256Hashes) \n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\n| extend Type = strcat(Type, \": \", Source)\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\\\', -1)[-1]), FileHashCustomEntity = tostring(Hashes[1])\n),\n(DeviceEvents\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\n),\n(DeviceFileEvents\n| where SHA256 has_any (sha256Hashes)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = 
InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\n),\n(DeviceImageLoadEvents\n| where SHA256 has_any (sha256Hashes)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\n)\n)\n", - "queryFrequency": "PT12H", - "queryPeriod": "PT12H", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "CiscoASA", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "PaloAltoNetworks", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "MicrosoftThreatProtection", - "dataTypes": [ - "DeviceFileEvents", - "DeviceEvents", - "DeviceImageLoadEvents" - ] - }, - { - "connectorId": "SecurityEvents", - "dataTypes": [ - "SecurityEvent" - ] - } - ], - "tactics": [ - "Persistence" - ], - "techniques": [ - "T1053" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "AccountCustomEntity" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "ProcessId", - "columnName": "ProcessCustomEntity" - } - ], - "entityType": "Process" - }, - { - "fieldMappings": [ - { - 
"identifier": "FullName", - "columnName": "HostCustomEntity" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "identifier": "Algorithm", - "columnName": "AlgorithmCustomEntity" - }, - { - "identifier": "Value", - "columnName": "FileHashCustomEntity" - } - ], - "entityType": "FileHash" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId31'),'/'))))]", - "properties": { - "description": "Legacy IOC based Threat Protection Analytics Rule 31", - "parentId": "[variables('analyticRuleId31')]", - "contentId": "[variables('_analyticRulecontentId31')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion31')]", - "source": { - "kind": "Solution", - "name": "Legacy IOC based Threat Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId31')]", - "contentKind": "AnalyticsRule", - "displayName": "[Deprecated] - Tarrask malware IOC - April 2022", - "contentProductId": "[variables('_analyticRulecontentProductId31')]", - "id": "[variables('_analyticRulecontentProductId31')]", - "version": "[variables('analyticRuleVersion31')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName32')]", - 
"location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "EmeraldSleetIOCs_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion32')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId32')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy", - "displayName": "[Deprecated] - Emerald Sleet domains included in DCU takedown", - "enabled": false, - "query": "let DomainNames = dynamic([\"seoulhobi.biz\", \"reader.cash\", \"pieceview.club\", \"app-wallet.com\", \"bigwnet.com\", \"bitwoll.com\", \"cexrout.com\", \"change-pw.com\", \"checkprofie.com\", \"cloudwebappservice.com\", \"ctquast.com\", \"dataviewering.com\", \"day-post.com\", \"dialy-post.com\", \"documentviewingcom.com\", \"dovvn-mail.com\", \"down-error.com\", \"drivecheckingcom.com\", \"drog-service.com\", \"encodingmail.com\", \"filinvestment.com\", \"foldershareing.com\", \"golangapis.com\", \"hotrnall.com\", \"lh-logins.com\", \"login-use.com\", \"mail-down.com\", \"matmiho.com\", \"mihomat.com\", \"natwpersonal-online.com\", \"nidlogin.com\", \"nid-login.com\", \"nidlogon.com\", \"pw-change.com\", \"rnaii.com\", \"rnailm.com\", \"sec-live.com\", \"secrityprocessing.com\", \"securitedmode.com\", \"securytingmail.com\", \"set-login.com\", \"usrchecking.com\", \"com-serviceround.info\", \"mai1.info\", \"reviewer.mobi\", \"files-download.net\", \"fixcool.net\", \"hanrnaii.net\", \"office356-us.org\", \"smtper.org\"]);\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| where isnotempty(FileHash)\n| where DNSName in~ (DomainNames)\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\n),\n(_Im_Dns (domain_has_any=DomainNames)\n| extend DNSName = DnsQuery\n| extend IPAddress = SrcIpAddr\n),\n(VMConnection \n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(DNSName)\n| where DNSName in~ (DomainNames)\n| extend IPAddress = RemoteIp\n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost 
':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend DNSName = DestinationHost \n| extend IPCustomEntity = SourceHost \n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallNetworkRule\"\n| where msg_s has_any (DomainNames)\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int *\n| parse kind=regex flags=U msg_s with * \". Action\\\\: \" Action1a \"\\\\.\"\n| parse msg_s with * \". Policy: \" Policy \". Rule Collection Group: \" RuleCollectionGroup \".\" *\n| parse msg_s with * \" Rule Collection: \" RuleCollection \". Rule: \" Rule\n| extend IPCustomEntity = SourceIP\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| where msg_s has_any (DomainNames)\n| parse msg_s with \"DNS Request: \" SourceIP \":\" SourcePortInt:int \" - \" QueryID:int \" \" RequestType \" \" RequestClass \" \" hostname \". 
\" protocol \" \" details\n| extend\n ResponseDuration = extract(\"[0-9]*.?[0-9]+s$\", 0, msg_s),\n SourcePort = tostring(SourcePortInt),\n QueryID = tostring(QueryID)\n| extend IPCustomEntity = SourceIP\n| project TimeGenerated,SourceIP,hostname,RequestType,ResponseDuration,details,msg_s\n| order by TimeGenerated\n),\n(AZFWApplicationRule\n| where Fqdn has_any (DomainNames)\n| extend IPCustomEntity = SourceIp\n),\n(AZFWDnsQuery\n| where isnotempty(QueryName)\n| where QueryName has_any (DomainNames)\n| extend DNSName = QueryName\n| extend IPCustomEntity = SourceIp\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress \n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "DNS", - "dataTypes": [ - "DnsEvents" - ] - }, - { - "connectorId": "AzureMonitor(VMInsights)", - "dataTypes": [ - "VMConnection" - ] - }, - { - "connectorId": "CiscoASA", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "PaloAltoNetworks", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "AzureFirewall", - "dataTypes": [ - "AzureDiagnostics", - "AZFWApplicationRule", - "AZFWDnsQuery" - ] - }, - { - "connectorId": "Zscaler", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "InfobloxNIOS", - "dataTypes": [ - "Syslog" - ] - }, - { - "connectorId": "GCPDNSDataConnector", - "dataTypes": [ - "GCP_DNS_CL" - ] - }, - { - "connectorId": "NXLogDnsLogs", - "dataTypes": [ - "NXLog_DNS_Server_CL" - ] - }, - { - "connectorId": "CiscoUmbrellaDataConnector", - "dataTypes": [ - "Cisco_Umbrella_dns_CL" - ] - }, - { - "connectorId": "Corelight", - "dataTypes": [ - "Corelight_CL" - ] - } - ], - "tactics": [ - "CommandAndControl", - "CredentialAccess" - ], - 
"entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "AccountCustomEntity" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "HostCustomEntity" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IPCustomEntity" - } - ], - "entityType": "IP" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId32'),'/'))))]", - "properties": { - "description": "Legacy IOC based Threat Protection Analytics Rule 32", - "parentId": "[variables('analyticRuleId32')]", - "contentId": "[variables('_analyticRulecontentId32')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion32')]", - "source": { - "kind": "Solution", - "name": "Legacy IOC based Threat Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId32')]", - "contentKind": "AnalyticsRule", - "displayName": "[Deprecated] - Emerald Sleet domains included in DCU takedown", - "contentProductId": "[variables('_analyticRulecontentProductId32')]", - "id": "[variables('_analyticRulecontentProductId32')]", - "version": "[variables('analyticRuleVersion32')]" - } - }, - { - "type": 
"Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName33')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "WSLMalwareCorrelation_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion33')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId33')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy", - "displayName": "[Deprecated] - Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021", - "enabled": false, - "query": "let IPList = dynamic([\"185.63.90.137\"]); \nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\nlet sha256Hashes = \ndynamic([\"53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441\",\n\"c297e545b8f150cc5ff56dbb68dc74fe30a421d9d40f38f4a53083192697c44c\",\n\"17921368901f23e0cad0d2fe4ce5694aebaf4727699ed0358117500701914d1b\",\n\"198a2d42df010d838b4207f478d885ef36e3db13b1744d673e221b828c28bf77\",\n\"71d7b48c2fdc7b57b104a7858a35165bbed21d2fa7e34828d6c1d50b2b33a1d0\",\n\"601227d52c6e367e11b80240183d07d38bc11a88e844e8401fce17eb25e92ba8\",\n\"63ff04bed4fdb120a9cb9b1ea7fd88e83f12fb01ab6a057088f8016e663b48d4\",\n\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\",\n\"e19b8be1b21c066d60725e550f8455f824065abbf1b43f7b2fe4fb338b241ffc\",\n\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\"\n]);\n(union isfuzzy=true\n(CommonSecurityLog\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL\n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", MessageIP in (IPList), \"Message\", MessageIP in (IPList), \"Message\", \"NoMatch\")\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, IPMatch == \"Message\", MessageIP, \"NoMatch\"), AccountCustomEntity = SourceUserID\n),\n(DeviceNetworkEvents\n| where RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) \n| project TimeGenerated, ActionType, DeviceId, DeviceName, 
InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\n),\n(WindowsFirewall\n| where SourceIP in (IPList) or DestinationIP in (IPList) \n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\")\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| project TimeGenerated,Resource, msg_s\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\n| where isnotempty(DestinationHost) \n| where SourceHost in (IPList) or DestinationHost in (IPList)\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\n),\n(AZFWApplicationRule\n| where isnotempty(Fqdn)\n| where SourceIp in (IPList) or Fqdn in (IPList)\n| extend timestamp = TimeGenerated\n| extend DNSName = Fqdn\n| extend IPCustomEntity = SourceIp\n),\n(AZFWDnsQuery\n| where isnotempty(QueryName)\n| where SourceIp in (IPList) or QueryName in (IPList)\n| extend timestamp = TimeGenerated\n| extend DNSName = QueryName\n| extend IPCustomEntity = SourceIp\n),\n(DeviceFileEvents\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n| where FileHash in (sha256Hashes)\n),\n(CommonSecurityLog\n| where FileHash in (sha256Hashes)\n| project TimeGenerated, Message, SourceUserID, FileHash\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(DeviceEvents\n| where InitiatingProcessSHA256 in~ (sha256Hashes)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256\n| extend Account = 
InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(SecurityEvent\n| where EventID == '4688'\n| where CommandLine has_any (IPList) \n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\n),\n(WindowsEvent\n| where EventID == '4688' and has_any_ipv4(EventData, toscalar(IPList)) \n| extend NewProcessName = tostring(EventData.NewProcessName)\n| where NewProcessName in (IPList) \n| extend ParentProcessName = tostring(EventData.ParentProcessName)\n| extend Account = strcat(EventData.SubjectDomainName,\"\\\\\", EventData.SubjectUserName)\n| extend NewProcessId = tostring(EventData.NewProcessId)\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\n)\n)\n", - "queryFrequency": "PT6H", - "queryPeriod": "PT6H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "F5", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "CiscoASA", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "PaloAltoNetworks", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "Fortinet", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "CheckPoint", - "dataTypes": [ - 
"CommonSecurityLog" - ] - }, - { - "connectorId": "CEF", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "MicrosoftThreatProtection", - "dataTypes": [ - "DeviceNetworkEvents", - "DeviceFileEvents", - "DeviceEvents" - ] - }, - { - "connectorId": "SecurityEvents", - "dataTypes": [ - "SecurityEvent" - ] - }, - { - "connectorId": "AzureFirewall", - "dataTypes": [ - "AzureDiagnostics", - "AZFWApplicationRule", - "AZFWDnsQuery" - ] - }, - { - "connectorId": "WindowsFirewall", - "dataTypes": [ - "WindowsFirewall" - ] - }, - { - "connectorId": "WindowsSecurityEvents", - "dataTypes": [ - "SecurityEvents" - ] - }, - { - "connectorId": "WindowsForwardedEvents", - "dataTypes": [ - "WindowsEvent" - ] - } - ], - "tactics": [ - "Impact" - ], - "techniques": [ - "T1496" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "AccountCustomEntity" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "HostCustomEntity" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IPCustomEntity" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "identifier": "ProcessId", - "columnName": "ProcessCustomEntity" - } - ], - "entityType": "Process" - }, - { - "fieldMappings": [ - { - "identifier": "Algorithm", - "columnName": "AlgorithmCustomEntity" - }, - { - "identifier": "Value", - "columnName": "FileHashCustomEntity" - } - ], - "entityType": "FileHash" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId33'),'/'))))]", - "properties": { - "description": "Legacy IOC based Threat Protection Analytics Rule 33", - "parentId": "[variables('analyticRuleId33')]", - "contentId": 
"[variables('_analyticRulecontentId33')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion33')]", - "source": { - "kind": "Solution", - "name": "Legacy IOC based Threat Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId33')]", - "contentKind": "AnalyticsRule", - "displayName": "[Deprecated] - Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021", - "contentProductId": "[variables('_analyticRulecontentProductId33')]", - "id": "[variables('_analyticRulecontentProductId33')]", - "version": "[variables('analyticRuleVersion33')]" - } + "huntingQueryObject1": { + "huntingQueryVersion1": "1.0.0", + "_huntingQuerycontentId1": "e2629949-2043-4421-8064-bca23c8491dd", + "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('e2629949-2043-4421-8064-bca23c8491dd')))]" }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName34')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "DiamondSleetJan272021IOCs_AnalyticalRules Analytics Rule with template version 3.0.1", - 
"mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion34')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId34')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy", - "displayName": "[Deprecated] - Known Diamond Sleet Comebacker and Klackring malware hashes", - "enabled": false, - "query": "let tokens = dynamic([\"SSL_HandShaking\", \"ASN2_TYPE_new\", \"sql_blob_open\", \"cmsSetLogHandlerTHR\", \"ntSystemInfo\", \"SetWebFilterString\", \"CleanupBrokerString\", \"glInitSampler\", \"deflateSuffix\", \"ntWindowsProc\"]);\nlet DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);\nlet SHA256Hash = dynamic(['58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495','e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e','3d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9', '0a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4', '96d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe','dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c', 
'46efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a', '95e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008', '9d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5', '9fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3', 'ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720', 'edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee', '33665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998', '3ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c', 'b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c', '53f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5', '99c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777', 'f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef', '2cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da', '079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447']);\nlet SigNames = dynamic([\"Backdoor:Script/ComebackerCompile.A!dha\", \"Trojan:Win64/Comebacker.A!dha\", \"Trojan:Win64/Comebacker.A.gen!dha\", \"Trojan:Win64/Comebacker.B.gen!dha\", \"Trojan:Win32/Comebacker.C.gen!dha\", \"Trojan:Win32/Klackring.A!dha\", \"Trojan:Win32/Klackring.B!dha\"]);\n(union isfuzzy=true\n(CommonSecurityLog\n| parse Message with * '(' DNSName ')' * \n| where isnotempty(FileHash)\n| where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\n| project Type, TimeGenerated, Computer, Account, IPAddress, FileHash, DNSName\n),\n(_Im_Dns(domain_has_any=DomainNames)\n| extend DNSName = DnsQuery\n| extend Type = \"imDns\", IPAddress = SrcIpAddr, Computer=Dvc\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\n),\n(VMConnection\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(DNSName)\n| where DNSName in~ (DomainNames)\n| extend IPAddress = RemoteIp\n| project Type, TimeGenerated, Computer, 
IPAddress, DNSName\n),\n(Event\n//This query uses sysmon data depending on table name used this may need updataing\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend Hashes = EventDetail.[16].[\"#text\"]\n| where isnotempty(Hashes)\n| parse Hashes with * 'SHA256=' SHA256 ',' * \n| where SHA256 in~ (SHA256Hash) \n| extend Type = strcat(Type, \": \", Source), Account = UserName, FileHash = Hashes\n| project Type, TimeGenerated, Computer, Account, FileHash\n),\n(DeviceFileEvents\n| where SHA256 in~ (SHA256Hash)\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(imFileEvent\n| where TargetFileSHA256 in~ (SHA256Hash)\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(DeviceNetworkEvents\n| where RemoteUrl in~ (DomainNames)\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\n),\n(SecurityAlert\n| where ProductName == \"Microsoft Defender Advanced Threat Protection\"\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\n| where isnotempty(ThreatName)\n| where ThreatName has_any (SigNames)\n| extend Computer = tostring(parse_json(Entities)[0].HostName) \n| project Type, TimeGenerated, Computer\n),\n(DeviceProcessEvents\n| where FileName =~ \"powershell.exe\" or FileName =~ \"rundll32.exe\"\n| where (ProcessCommandLine has \"is64bitoperatingsystem\" and ProcessCommandLine has \"Debug\\\\Browse\") or (ProcessCommandLine has_any (tokens))\n| extend Computer = 
DeviceName, Account = AccountName, CommandLine = ProcessCommandLine\n| project Type, TimeGenerated, Computer, Account, CommandLine, FileName\n),\n(SecurityEvent\n| where EventID == 4688\n| where ProcessName has_any (\"powershell.exe\", \"rundll32.exe\")\n| where (CommandLine has \"is64bitoperatingsystem\" and CommandLine has \"Debug\\\\Browse\") or (CommandLine has_any (tokens))\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \n),\n( WindowsEvent\n| where EventID == 4688\n| where EventData has_any (\"powershell.exe\", \"rundll32.exe\") and EventData has_any (tokens, \"Debug\\\\Browse\",\"is64bitoperatingsystem\" ) \n| extend ProcessName = tostring(EventData.ProcessName)\n| where ProcessName has_any (\"powershell.exe\", \"rundll32.exe\")\n| extend CommandLine = tostring(EventData.CommandLine) \n| where (CommandLine has \"is64bitoperatingsystem\" and CommandLine has \"Debug\\\\Browse\") or (CommandLine has_any (tokens))\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\"\\\\\", tostring(EventData.SubjectUserName))\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend DNSName = DestinationHost \n| extend IPAddress = SourceHost\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| project TimeGenerated,Resource, msg_s, Type\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". 
\" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (DomainNames)\n| extend DNSName = Request_Name\n| extend IPAddress = ClientIP\n),\n(AZFWApplicationRule\n| where isnotempty(Fqdn)\n| where Fqdn has_any (DomainNames)\n| extend DNSName = Fqdn \n| extend IPAddress = SourceIp\n),\n(AZFWDnsQuery\n| where QueryName has_any (DomainNames)\n| extend DNSName = QueryName\n| extend IPAddress = SourceIp\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "DNS", - "dataTypes": [ - "DnsEvents" - ] - }, - { - "connectorId": "AzureMonitor(VMInsights)", - "dataTypes": [ - "VMConnection" - ] - }, - { - "connectorId": "CiscoASA", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "PaloAltoNetworks", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "SecurityEvents", - "dataTypes": [ - "SecurityEvent" - ] - }, - { - "connectorId": "MicrosoftThreatProtection", - "dataTypes": [ - "DeviceProcessEvents" - ] - }, - { - "connectorId": "MicrosoftThreatProtection", - "dataTypes": [ - "DeviceFileEvents" - ] - }, - { - "connectorId": "MicrosoftThreatProtection", - "dataTypes": [ - "DeviceNetworkEvents" - ] - }, - { - "connectorId": "AzureFirewall", - "dataTypes": [ - "AzureDiagnostics", - "AZFWApplicationRule", - "AZFWDnsQuery" - ] - }, - { - "connectorId": "Zscaler", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "InfobloxNIOS", - "dataTypes": [ - "Syslog" - ] - }, - { - "connectorId": "GCPDNSDataConnector", - "dataTypes": [ - "GCP_DNS_CL" - ] - }, 
- { - "connectorId": "NXLogDnsLogs", - "dataTypes": [ - "NXLog_DNS_Server_CL" - ] - }, - { - "connectorId": "CiscoUmbrellaDataConnector", - "dataTypes": [ - "Cisco_Umbrella_dns_CL" - ] - }, - { - "connectorId": "Corelight", - "dataTypes": [ - "Corelight_CL" - ] - }, - { - "connectorId": "WindowsForwardedEvents", - "dataTypes": [ - "WindowsEvent" - ] - } - ], - "tactics": [ - "CommandAndControl", - "Execution" - ], - "techniques": [ - "T1071", - "T1204" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "AccountCustomEntity" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "HostCustomEntity" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IPCustomEntity" - } - ], - "entityType": "IP" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId34'),'/'))))]", - "properties": { - "description": "Legacy IOC based Threat Protection Analytics Rule 34", - "parentId": "[variables('analyticRuleId34')]", - "contentId": "[variables('_analyticRulecontentId34')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion34')]", - "source": { - "kind": "Solution", - "name": "Legacy IOC based Threat Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - 
"contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId34')]", - "contentKind": "AnalyticsRule", - "displayName": "[Deprecated] - Known Diamond Sleet Comebacker and Klackring malware hashes", - "contentProductId": "[variables('_analyticRulecontentProductId34')]", - "id": "[variables('_analyticRulecontentProductId34')]", - "version": "[variables('analyticRuleVersion34')]" - } + "huntingQueryObject2": { + "huntingQueryVersion2": "1.0.0", + "_huntingQuerycontentId2": "6bfea14f-2122-46b3-8f8b-3947e0fb6d92", + "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('6bfea14f-2122-46b3-8f8b-3947e0fb6d92')))]" }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName35')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "DiamondSleetOct292020IOCs_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion35')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId35')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. 
To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy", - "displayName": "[Deprecated] - Known Diamond Sleet related maldoc hash", - "enabled": false, - "query": "let SHA256Hash = \"1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471\" ;\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| where isnotempty(FileHash)\n| where FileHash in (SHA256Hash) \n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\n),\n(Event\n//This query uses sysmon data depending on table name used this may need updataing\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend Hashes = EventDetail.[16].[\"#text\"]\n| parse Hashes with * 'SHA256=' SHA265 ',' * \n| where isnotempty(Hashes)\n| where Hashes in (SHA256Hash) \n| extend Account = UserName\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "CiscoASA", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "PaloAltoNetworks", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "SecurityEvents", - "dataTypes": [ - "SecurityEvent" - ] - } - ], - "tactics": [ - "CommandAndControl", - "CredentialAccess" - ], - "entityMappings": [ 
- { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "AccountCustomEntity" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "identifier": "FullName", - "columnName": "HostCustomEntity" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IPCustomEntity" - } - ], - "entityType": "IP" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId35'),'/'))))]", - "properties": { - "description": "Legacy IOC based Threat Protection Analytics Rule 35", - "parentId": "[variables('analyticRuleId35')]", - "contentId": "[variables('_analyticRulecontentId35')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion35')]", - "source": { - "kind": "Solution", - "name": "Legacy IOC based Threat Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId35')]", - "contentKind": "AnalyticsRule", - "displayName": "[Deprecated] - Known Diamond Sleet related maldoc hash", - "contentProductId": "[variables('_analyticRulecontentProductId35')]", - "id": "[variables('_analyticRulecontentProductId35')]", - "version": "[variables('analyticRuleVersion35')]" - } + "huntingQueryObject3": { + "huntingQueryVersion3": "1.0.0", + "_huntingQuerycontentId3": 
"78fa22f9-0c13-4847-bbe6-6a7aa1b47547", + "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('78fa22f9-0c13-4847-bbe6-6a7aa1b47547')))]" }, + "huntingQueryObject4": { + "huntingQueryVersion4": "1.0.0", + "_huntingQuerycontentId4": "9b72769e-6ab1-4736-988b-018d92dc5e62", + "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('9b72769e-6ab1-4736-988b-018d92dc5e62')))]" + }, + "huntingQueryObject5": { + "huntingQueryVersion5": "1.0.0", + "_huntingQuerycontentId5": "5bf2d4d8-ea03-4673-aaf8-716a61446022", + "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('5bf2d4d8-ea03-4673-aaf8-716a61446022')))]" + }, + "huntingQueryObject6": { + "huntingQueryVersion6": "1.0.1", + "_huntingQuerycontentId6": "767b8f6d-8029-4c92-afe1-282167d9d49a", + "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('767b8f6d-8029-4c92-afe1-282167d9d49a')))]" + }, + "huntingQueryObject7": { + "huntingQueryVersion7": "1.0.1", + "_huntingQuerycontentId7": "bb30abbc-9af6-4a37-9536-e9207e023989", + "huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('bb30abbc-9af6-4a37-9536-e9207e023989')))]" + }, + "huntingQueryObject8": { + "huntingQueryVersion8": "1.0.1", + "_huntingQuerycontentId8": "f090f8f4a-b986-42d2-b536-e0795c723e25", + "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('f090f8f4a-b986-42d2-b536-e0795c723e25')))]" + }, + "huntingQueryObject9": { + "huntingQueryVersion9": "1.0.1", + "_huntingQuerycontentId9": 
"278592b5-612b-48a4-bb38-4c01ff8ee2a5", + "huntingQueryTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('278592b5-612b-48a4-bb38-4c01ff8ee2a5')))]" + }, + "huntingQueryObject10": { + "huntingQueryVersion10": "1.0.2", + "_huntingQuerycontentId10": "b8b7574f-1cd6-4308-822a-ab07256106f8", + "huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('b8b7574f-1cd6-4308-822a-ab07256106f8')))]" + }, + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" + }, + "resources": [ { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName1')]", + "name": "[variables('huntingQueryObject1').huntingQueryTemplateSpecName1]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Dev-0056CommandLineActivityNovember2021_HuntingQueries Hunting Query with template version 3.0.1", + "description": "Dev-0056CommandLineActivityNovember2021_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion1')]", + "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", "parameters": {}, "variables": {}, "resources": [ 
@@ -6865,13 +135,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1),'/'))))]", "properties": { "description": "Legacy IOC based Threat Protection Hunting Query 1", - "parentId": "[variables('huntingQueryId1')]", - "contentId": "[variables('_huntingQuerycontentId1')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1)]", + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion1')]", + "version": "[variables('huntingQueryObject1').huntingQueryVersion1]", "source": { "kind": "Solution", "name": "Legacy IOC based Threat Protection", 
@@ -6896,27 +166,27 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId1')]", + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", "contentKind": "HuntingQuery", "displayName": "Dev-0056 Command Line Activity November 2021", - "contentProductId": "[variables('_huntingQuerycontentProductId1')]", - "id": "[variables('_huntingQuerycontentProductId1')]", - "version": "[variables('huntingQueryVersion1')]" + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]", + "version": "1.0.0" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName2')]", + "name": "[variables('huntingQueryObject2').huntingQueryTemplateSpecName2]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Dev-0322CommandLineActivityNovember2021(ASIMVersion)_HuntingQueries Hunting Query with template version 3.0.1", + "description": "Dev-0322CommandLineActivityNovember2021(ASIMVersion)_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion2')]", + "contentVersion": 
"[variables('huntingQueryObject2').huntingQueryVersion2]", "parameters": {}, "variables": {}, "resources": [ @@ -6934,7 +204,7 @@ "tags": [ { "name": "description", - "value": "This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software.\n The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor.\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\n This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization" + "value": "This query hunts for command line activity linked to Dev-0322's compromise of ZOHO ManageEngine ADSelfService Plus software. It focuses on commands used in post-exploitation activity. Hosts with higher risk scores should be prioritized." }, { "name": "tactics", 
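Review bot: The contentProductId, id and version fields in this hunk now embed the literal `'1.0.0'` / `"1.0.0"`, while the contentVersion a few lines earlier still reads `[variables('huntingQueryObject1').huntingQueryVersion1]`, so each hunting query's version is now declared in two places that can drift the next time a single query is bumped. The same inlining repeats in every following metadata hunk (`@@ -6981`, `@@ -7066`, `@@ -7151`, `@@ -7236`, `@@ -7321`, `@@ -7406`, `@@ -7491`, `@@ -7576`), where the literal happens to match the object's version today. I would reference the variable in all three places, e.g. `"version": "[variables('huntingQueryObject1').huntingQueryVersion1]"` and the same expression in place of `'1.0.0'` inside the two uniqueString(...) calls; if this mainTemplate is produced by the packaging tool, the change belongs in the generator. The enclosing metadata resource begins before this hunk.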
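Review bot: The rewritten description for the ASIM version of the Dev-0322 command-line query no longer states that it uses the Microsoft Sentinel Information Model, and is now byte-identical to the non-ASIM variant's description in the `@@ -7019,7 +289,7 @@` hunk, so a user choosing between the two entries can no longer tell which one depends on the ASIM normalization parsers. The file-drop pair (`@@ -7104,7 +374,7 @@` vs `@@ -7189,7 +459,7 @@`) has the same problem, and the OMI query text in `@@ -7274,7 +544,7 @@` also drops its note about deploying the Network normalizing parsers together with the three reference links. I would keep the old closing sentence on the ASIM variants: `This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization`. If this mainTemplate is generated from the hunting-query YAML, the wording should be restored in the source file rather than patched here.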
@@ -6950,13 +220,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId2'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2),'/'))))]", "properties": { "description": "Legacy IOC based Threat Protection Hunting Query 2", - "parentId": "[variables('huntingQueryId2')]", - "contentId": "[variables('_huntingQuerycontentId2')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2)]", + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion2')]", + "version": "[variables('huntingQueryObject2').huntingQueryVersion2]", "source": { "kind": "Solution", "name": "Legacy IOC based Threat Protection", 
@@ -6981,27 +251,27 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId2')]", + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", "contentKind": "HuntingQuery", "displayName": "Dev-0322 Command Line Activity November 2021 (ASIM Version)", - "contentProductId": "[variables('_huntingQuerycontentProductId2')]", - "id": "[variables('_huntingQuerycontentProductId2')]", - "version": "[variables('huntingQueryVersion2')]" + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.0')))]", + "version": "1.0.0" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName3')]", + "name": "[variables('huntingQueryObject3').huntingQueryTemplateSpecName3]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Dev-0322CommandLineActivityNovember2021_HuntingQueries Hunting Query with template version 3.0.1", + "description": "Dev-0322CommandLineActivityNovember2021_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion3')]", + "contentVersion": 
"[variables('huntingQueryObject3').huntingQueryVersion3]", "parameters": {}, "variables": {}, "resources": [ @@ -7019,7 +289,7 @@ "tags": [ { "name": "description", - "value": "This hunting query looks for process command line activity related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software.\n The command lines this query hunts for are used as part of the threat actor's post exploitation activity. Some or all of the commands may be run by the threat actor.\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first." + "value": "This query hunts for command line activity linked to Dev-0322's compromise of ZOHO ManageEngine ADSelfService Plus software. It focuses on commands used in post-exploitation activity. Hosts with higher risk scores should be prioritized." }, { "name": "tactics", 
@@ -7035,13 +305,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId3'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3),'/'))))]", "properties": { "description": "Legacy IOC based Threat Protection Hunting Query 3", - "parentId": "[variables('huntingQueryId3')]", - "contentId": "[variables('_huntingQuerycontentId3')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3)]", + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion3')]", + "version": "[variables('huntingQueryObject3').huntingQueryVersion3]", "source": { "kind": "Solution", "name": "Legacy IOC based Threat Protection", 
@@ -7066,27 +336,27 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId3')]", + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", "contentKind": "HuntingQuery", "displayName": "Dev-0322 Command Line Activity November 2021", - "contentProductId": "[variables('_huntingQuerycontentProductId3')]", - "id": "[variables('_huntingQuerycontentProductId3')]", - "version": "[variables('huntingQueryVersion3')]" + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.0')))]", + "version": "1.0.0" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName4')]", + "name": "[variables('huntingQueryObject4').huntingQueryTemplateSpecName4]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Dev-0322FileDropActivityNovember2021(ASIMVersion)_HuntingQueries Hunting Query with template version 3.0.1", + "description": "Dev-0322FileDropActivityNovember2021(ASIMVersion)_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion4')]", + "contentVersion": 
"[variables('huntingQueryObject4').huntingQueryVersion4]", "parameters": {}, "variables": {}, "resources": [ @@ -7104,7 +374,7 @@ "tags": [ { "name": "description", - "value": "This hunting query looks for file creation events related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software.\n The files this query hunts for are dropped as part of the threat actors post exploitation activity. Some or all of the files may be dropped by the threat actor.\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\n This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization" + "value": "This query hunts for file creation events linked to Dev-0322's compromise of ZOHO ManageEngine ADSelfService Plus software. It focuses on files dropped during post-exploitation activity. Hosts with higher risk scores should be prioritized." }, { "name": "tactics", 
@@ -7120,13 +390,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId4'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4),'/'))))]", "properties": { "description": "Legacy IOC based Threat Protection Hunting Query 4", - "parentId": "[variables('huntingQueryId4')]", - "contentId": "[variables('_huntingQuerycontentId4')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4)]", + "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion4')]", + "version": "[variables('huntingQueryObject4').huntingQueryVersion4]", "source": { "kind": "Solution", "name": "Legacy IOC based Threat Protection", 
@@ -7151,27 +421,27 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId4')]", + "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", "contentKind": "HuntingQuery", "displayName": "Dev-0322 File Drop Activity November 2021 (ASIM Version)", - "contentProductId": "[variables('_huntingQuerycontentProductId4')]", - "id": "[variables('_huntingQuerycontentProductId4')]", - "version": "[variables('huntingQueryVersion4')]" + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.0')))]", + "version": "1.0.0" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName5')]", + "name": "[variables('huntingQueryObject5').huntingQueryTemplateSpecName5]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Dev-0322FileDropActivityNovember2021_HuntingQueries Hunting Query with template version 3.0.1", + "description": "Dev-0322FileDropActivityNovember2021_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion5')]", + "contentVersion": 
"[variables('huntingQueryObject5').huntingQueryVersion5]", "parameters": {}, "variables": {}, "resources": [ @@ -7189,7 +459,7 @@ "tags": [ { "name": "description", - "value": "This hunting query looks for file creation events related to activity observed by Dev-0322 relating to compromise of systems running the ZOHO ManageEngine ADSelfService Plus software.\n The files this query hunts for are dropped as part of the threat actors post exploitation activity. Some or all of the files may be dropped by the threat actor.\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first." + "value": "This query hunts for file creation events linked to Dev-0322's compromise of ZOHO ManageEngine ADSelfService Plus software. It focuses on files dropped during post-exploitation activity. Hosts with higher risk scores should be prioritized." }, { "name": "tactics", 
@@ -7205,13 +475,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId5'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5),'/'))))]", "properties": { "description": "Legacy IOC based Threat Protection Hunting Query 5", - "parentId": "[variables('huntingQueryId5')]", - "contentId": "[variables('_huntingQuerycontentId5')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5)]", + "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion5')]", + "version": "[variables('huntingQueryObject5').huntingQueryVersion5]", "source": { "kind": "Solution", "name": "Legacy IOC based Threat Protection", 
@@ -7236,27 +506,27 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId5')]", + "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", "contentKind": "HuntingQuery", "displayName": "Dev-0322 File Drop Activity November 2021", - "contentProductId": "[variables('_huntingQuerycontentProductId5')]", - "id": "[variables('_huntingQuerycontentProductId5')]", - "version": "[variables('huntingQueryVersion5')]" + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.0')))]", + "version": "1.0.0" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName6')]", + "name": "[variables('huntingQueryObject6').huntingQueryTemplateSpecName6]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NetworkConnectiontoOMIPorts_HuntingQueries Hunting Query with template version 3.0.1", + "description": "NetworkConnectiontoOMIPorts_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion6')]", + "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", "parameters": {}, 
"variables": {}, "resources": [ @@ -7274,7 +544,7 @@ "tags": [ { "name": "description", - "value": "This query identifies connection attempts from the external IP addresses to the management ports(5985,5986,1270) related to Open Management Infrastructure(OMI). \n OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. \n The query aims to find attacks targeting OMI vulnerability (CVE-2021-38647). The query primarily leverages the Network Session normalization schema(imNetworkSession) \n as well as a few other logs to look for this activity. The Network normalizing parsers can be deployed in a click using an ARM Template shared in the link below:\n Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093\n Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\n Reference: https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/ASimNetworkSession" + "value": "This query detects attempts to exploit OMI vulnerability (CVE-2021-38647) by identifying external IP connections to management ports (5985,5986,1270). It uses the imNetworkSession schema and other logs for this purpose." }, { "name": "tactics", 
@@ -7290,13 +560,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId6'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject6')._huntingQuerycontentId6),'/'))))]", "properties": { "description": "Legacy IOC based Threat Protection Hunting Query 6", - "parentId": "[variables('huntingQueryId6')]", - "contentId": "[variables('_huntingQuerycontentId6')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject6')._huntingQuerycontentId6)]", + "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion6')]", + "version": "[variables('huntingQueryObject6').huntingQueryVersion6]", "source": { "kind": "Solution", "name": "Legacy IOC based Threat Protection", 
@@ -7321,27 +591,27 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId6')]", + "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", "contentKind": "HuntingQuery", "displayName": "Connection from external IP to OMI related Ports", - "contentProductId": "[variables('_huntingQuerycontentProductId6')]", - "id": "[variables('_huntingQuerycontentProductId6')]", - "version": "[variables('huntingQueryVersion6')]" + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject6')._huntingQuerycontentId6,'-', '1.0.1')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject6')._huntingQuerycontentId6,'-', '1.0.1')))]", + "version": "1.0.1" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName7')]", + "name": "[variables('huntingQueryObject7').huntingQueryTemplateSpecName7]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NylonTyphoonCommandLineActivity-Nov2021_HuntingQueries Hunting Query with template version 3.0.1", + "description": "NylonTyphoonCommandLineActivity-Nov2021_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion7')]", + "contentVersion": 
"[variables('huntingQueryObject7').huntingQueryVersion7]", "parameters": {}, "variables": {}, "resources": [ @@ -7359,7 +629,7 @@ "tags": [ { "name": "description", - "value": "This hunting query looks for process command line activity related to data collection and staging observed by Nylon Typhoon.\nIt hunts for use of tools such as xcopy and renamed archiving tools for data collection and staging purposes on the hosts with signatures observed related to Nylon Typhoon actor." + "value": "This query hunts for Nylon Typhoon-related activity, specifically data collection and staging. It looks for use of tools like xcopy and renamed archiving tools on hosts with observed signatures." }, { "name": "tactics", @@ -7375,13 +645,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId7'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject7')._huntingQuerycontentId7),'/'))))]", "properties": { "description": "Legacy IOC based Threat Protection Hunting Query 7", - "parentId": "[variables('huntingQueryId7')]", - "contentId": "[variables('_huntingQuerycontentId7')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject7')._huntingQuerycontentId7)]", + "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion7')]", + "version": "[variables('huntingQueryObject7').huntingQueryVersion7]", "source": { "kind": "Solution", "name": "Legacy IOC based Threat Protection", 
@@ -7406,27 +676,27 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId7')]", + "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]", "contentKind": "HuntingQuery", "displayName": "Nylon Typhoon Command Line Activity November 2021", - "contentProductId": "[variables('_huntingQuerycontentProductId7')]", - "id": "[variables('_huntingQuerycontentProductId7')]", - "version": "[variables('huntingQueryVersion7')]" + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject7')._huntingQuerycontentId7,'-', '1.0.1')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject7')._huntingQuerycontentId7,'-', '1.0.1')))]", + "version": "1.0.1" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName8')]", + "name": "[variables('huntingQueryObject8').huntingQueryTemplateSpecName8]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NylonTyphoonRegIOCPatterns_HuntingQueries Hunting Query with template version 3.0.1", + "description": "NylonTyphoonRegIOCPatterns_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion8')]", + "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", 
"parameters": {}, "variables": {}, "resources": [ @@ -7460,13 +730,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId8'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject8')._huntingQuerycontentId8),'/'))))]", "properties": { "description": "Legacy IOC based Threat Protection Hunting Query 8", - "parentId": "[variables('huntingQueryId8')]", - "contentId": "[variables('_huntingQuerycontentId8')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject8')._huntingQuerycontentId8)]", + "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion8')]", + "version": "[variables('huntingQueryObject8').huntingQueryVersion8]", "source": { "kind": "Solution", "name": "Legacy IOC based Threat Protection", 
@@ -7491,27 +761,27 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId8')]", + "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]", "contentKind": "HuntingQuery", "displayName": "Known Nylon Typhoon Registry modifications patterns", - "contentProductId": "[variables('_huntingQuerycontentProductId8')]", - "id": "[variables('_huntingQuerycontentProductId8')]", - "version": "[variables('huntingQueryVersion8')]" + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject8')._huntingQuerycontentId8,'-', '1.0.1')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject8')._huntingQuerycontentId8,'-', '1.0.1')))]", + "version": "1.0.1" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName9')]", + "name": "[variables('huntingQueryObject9').huntingQueryTemplateSpecName9]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SolarWindsInventory_HuntingQueries Hunting Query with template version 3.0.1", + "description": "SolarWindsInventory_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion9')]", + "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]", "parameters": {}, 
"variables": {}, "resources": [ @@ -7529,7 +799,7 @@ "tags": [ { "name": "description", - "value": "Beyond your internal software management systems, it is possible you may not have visibility into your entire footprint of SolarWinds installations. This is intended to help use process exection information to discovery any systems that have SolarWinds processes" + "value": "Beyond your internal software management systems, it is possible you may not have visibility into your entire footprint of SolarWinds installations. This query helps discover any systems that have SolarWinds processes." }, { "name": "tactics", @@ -7545,13 +815,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId9'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject9')._huntingQuerycontentId9),'/'))))]", "properties": { "description": "Legacy IOC based Threat Protection Hunting Query 9", - "parentId": "[variables('huntingQueryId9')]", - "contentId": "[variables('_huntingQuerycontentId9')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject9')._huntingQuerycontentId9)]", + "contentId": "[variables('huntingQueryObject9')._huntingQuerycontentId9]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion9')]", + "version": "[variables('huntingQueryObject9').huntingQueryVersion9]", "source": { "kind": "Solution", "name": "Legacy IOC based Threat Protection", 
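Review bot: The contentId this hunk reads through `variables('huntingQueryObject8')._huntingQuerycontentId8` is declared, as an added line in the variables hunk at the top of this chunk, as `f090f8f4a-b986-42d2-b536-e0795c723e25`, whose first group has nine hex digits and so is not a well-formed GUID; it is also fed to resourceId('Microsoft.OperationalInsights/savedSearches', …) for the parentId and to the uniqueString(...) that derives contentProductId and id in this hunk. Whether the value pre-dates this commit is not visible here, but since the IDs are being regenerated anyway this is the moment to correct it (in the hunting-query YAML if this file is generated), noting that a corrected GUID changes the derived contentProductId and therefore the identity of the deployed content item. The enclosing metadata resource begins before this hunk.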
@@ -7576,27 +846,27 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId9')]", + "contentId": "[variables('huntingQueryObject9')._huntingQuerycontentId9]", "contentKind": "HuntingQuery", "displayName": "SolarWinds Inventory", - "contentProductId": "[variables('_huntingQuerycontentProductId9')]", - "id": "[variables('_huntingQuerycontentProductId9')]", - "version": "[variables('huntingQueryVersion9')]" + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject9')._huntingQuerycontentId9,'-', '1.0.1')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject9')._huntingQuerycontentId9,'-', '1.0.1')))]", + "version": "1.0.1" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName10')]", + "name": "[variables('huntingQueryObject10').huntingQueryTemplateSpecName10]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ForestBlizzard_IOC_RetroHunt_HuntingQueries Hunting Query with template version 3.0.1", + "description": "ForestBlizzard_IOC_RetroHunt_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion10')]", + "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]", "parameters": {}, "variables": 
{}, "resources": [ @@ -7614,7 +884,7 @@ "tags": [ { "name": "description", - "value": "Matches domain name IOCs related to Forest Blizzard group activity with CommonSecurityLog and SecurityAlert dataTypes.\nThe query is scoped in the time window that these IOCs were active.\nReferences: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy." + "value": "Matches domain name IOCs related to Forest Blizzard group activity with CommonSecurityLog and SecurityAlert dataTypes.\nThe query is scoped in the time window that these IOCs were active." }, { "name": "tactics", @@ -7630,13 +900,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId10'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject10')._huntingQuerycontentId10),'/'))))]", "properties": { "description": "Legacy IOC based Threat Protection Hunting Query 10", - "parentId": "[variables('huntingQueryId10')]", - "contentId": "[variables('_huntingQuerycontentId10')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject10')._huntingQuerycontentId10)]", + "contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion10')]", + "version": "[variables('huntingQueryObject10').huntingQueryVersion10]", "source": { "kind": "Solution", "name": "Legacy IOC based Threat Protection", 
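Review bot: The `@@ -7614` hunk drops the `References: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy.` line from the Forest Blizzard hunting-query description, which was the only provenance an analyst had for the IOC set and the time window the query is scoped to. mainTemplate.json is generated from the hunting query's YAML, so if the removal was not deliberate the reference should be restored in that source description (outside this diff) so the next package build carries it again, e.g. re-append `\nReferences: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy.` to the description text. If the link was removed on purpose because it no longer resolves, a replacement reference or a short note on the IOC origin would keep the query triageable.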
@@ -7661,12 +931,12 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId10')]", + "contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]", "contentKind": "HuntingQuery", "displayName": "Retrospective hunt for Forest Blizzard IP IOCs", - "contentProductId": "[variables('_huntingQuerycontentProductId10')]", - "id": "[variables('_huntingQuerycontentProductId10')]", - "version": "[variables('huntingQueryVersion10')]" + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject10')._huntingQuerycontentId10,'-', '1.0.2')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject10')._huntingQuerycontentId10,'-', '1.0.2')))]", + "version": "1.0.2" } }, { @@ -7674,12 +944,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.1", + "version": "3.0.2", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Legacy IOC based Threat Protection", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Microsoft Security Research, based on ongoing trends and exploits creates content that help identify existence of known IOCs based on known prevalent attacks and threat actor tactics/techniques, such as Nobelium, Gallium, Solorigate, etc. This solution contains packaged content written on some legacy IOCs that have been prevalent in the past but may still be relevant.

\n

Pre-requisites:

\n

This is a domain solution and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution.

\n
    \n
  1. Squid Proxy

    \n
  2. \n
  3. Microsoft Windows DNS

    \n
  4. \n
  5. Cisco ASA

    \n
  6. \n
  7. Palo Alto Networks

    \n
  8. \n
  9. Microsoft Defender XDR

    \n
  10. \n
  11. Azure Firewall

    \n
  12. \n
  13. ZScaler Internet Access

    \n
  14. \n
  15. Infoblox NIOS

    \n
  16. \n
  17. Google Cloud Platform DNS

    \n
  18. \n
  19. NXLog DNS

    \n
  20. \n
  21. Cisco Umbrella

    \n
  22. \n
  23. Corelight

    \n
  24. \n
  25. Amazon Web Services

    \n
  26. \n
  27. Windows Forwarded Events

    \n
  28. \n
  29. Sysmon for Linux

    \n
  30. \n
  31. Microsoft 365

    \n
  32. \n
  33. Windows Security Events

    \n
  34. \n
  35. Microsoft Entra ID

    \n
  36. \n
  37. Azure Activity

    \n
  38. \n
  39. F5 Advanced WAF

    \n
  40. \n
  41. Fortinet FortiGate

    \n
  42. \n
  43. Check Point

    \n
  44. \n
  45. Common Event Format

    \n
  46. \n
  47. Windows Firewall

    \n
  48. \n
\n

Analytic Rules: 35, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Microsoft Security Research, based on ongoing trends and exploits creates content that help identify existence of known IOCs based on known prevalent attacks and threat actor tactics/techniques, such as Nobelium, Gallium, Solorigate, etc. This solution contains packaged content written on some legacy IOCs that have been prevalent in the past but may still be relevant.

\n

Pre-requisites:

\n

This is a domain solution and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution.

\n
    \n
  1. Squid Proxy

    \n
  2. \n
  3. Microsoft Windows DNS

    \n
  4. \n
  5. Cisco ASA

    \n
  6. \n
  7. Palo Alto Networks

    \n
  8. \n
  9. Microsoft Defender XDR

    \n
  10. \n
  11. Azure Firewall

    \n
  12. \n
  13. ZScaler Internet Access

    \n
  14. \n
  15. Infoblox NIOS

    \n
  16. \n
  17. Google Cloud Platform DNS

    \n
  18. \n
  19. NXLog DNS

    \n
  20. \n
  21. Cisco Umbrella

    \n
  22. \n
  23. Corelight

    \n
  24. \n
  25. Amazon Web Services

    \n
  26. \n
  27. Windows Forwarded Events

    \n
  28. \n
  29. Sysmon for Linux

    \n
  30. \n
  31. Microsoft 365

    \n
  32. \n
  33. Windows Security Events

    \n
  34. \n
  35. Microsoft Entra ID

    \n
  36. \n
  37. Azure Activity

    \n
  38. \n
  39. F5 Advanced WAF

    \n
  40. \n
  41. Fortinet FortiGate

    \n
  42. \n
  43. Check Point

    \n
  44. \n
  45. Common Event Format

    \n
  46. \n
  47. Windows Firewall

    \n
  48. \n
\n

Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", 
@@ -7704,230 +974,55 @@ "dependencies": { "operator": "AND", "criteria": [ - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId1')]", - "version": "[variables('analyticRuleVersion1')]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId2')]", - "version": "[variables('analyticRuleVersion2')]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId3')]", - "version": "[variables('analyticRuleVersion3')]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId4')]", - "version": "[variables('analyticRuleVersion4')]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId5')]", - "version": "[variables('analyticRuleVersion5')]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId6')]", - "version": "[variables('analyticRuleVersion6')]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId7')]", - "version": "[variables('analyticRuleVersion7')]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId8')]", - "version": "[variables('analyticRuleVersion8')]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId9')]", - "version": "[variables('analyticRuleVersion9')]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId10')]", - "version": "[variables('analyticRuleVersion10')]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId11')]", - "version": "[variables('analyticRuleVersion11')]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId12')]", - "version": "[variables('analyticRuleVersion12')]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId13')]", - "version": "[variables('analyticRuleVersion13')]" - }, - { - "kind": "AnalyticsRule", - "contentId": 
"[variables('analyticRulecontentId14')]", - "version": "[variables('analyticRuleVersion14')]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId15')]", - "version": "[variables('analyticRuleVersion15')]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId16')]", - "version": "[variables('analyticRuleVersion16')]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId17')]", - "version": "[variables('analyticRuleVersion17')]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId18')]", - "version": "[variables('analyticRuleVersion18')]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId19')]", - "version": "[variables('analyticRuleVersion19')]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId20')]", - "version": "[variables('analyticRuleVersion20')]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId21')]", - "version": "[variables('analyticRuleVersion21')]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId22')]", - "version": "[variables('analyticRuleVersion22')]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId23')]", - "version": "[variables('analyticRuleVersion23')]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId24')]", - "version": "[variables('analyticRuleVersion24')]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId25')]", - "version": "[variables('analyticRuleVersion25')]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId26')]", - "version": "[variables('analyticRuleVersion26')]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId27')]", - "version": "[variables('analyticRuleVersion27')]" - }, - { - "kind": 
"AnalyticsRule", - "contentId": "[variables('analyticRulecontentId28')]", - "version": "[variables('analyticRuleVersion28')]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId29')]", - "version": "[variables('analyticRuleVersion29')]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId30')]", - "version": "[variables('analyticRuleVersion30')]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId31')]", - "version": "[variables('analyticRuleVersion31')]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId32')]", - "version": "[variables('analyticRuleVersion32')]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId33')]", - "version": "[variables('analyticRuleVersion33')]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId34')]", - "version": "[variables('analyticRuleVersion34')]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId35')]", - "version": "[variables('analyticRuleVersion35')]" - }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId1')]", - "version": "[variables('huntingQueryVersion1')]" + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", + "version": "[variables('huntingQueryObject1').huntingQueryVersion1]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId2')]", - "version": "[variables('huntingQueryVersion2')]" + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", + "version": "[variables('huntingQueryObject2').huntingQueryVersion2]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId3')]", - "version": "[variables('huntingQueryVersion3')]" + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", + "version": "[variables('huntingQueryObject3').huntingQueryVersion3]" 
}, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId4')]", - "version": "[variables('huntingQueryVersion4')]" + "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", + "version": "[variables('huntingQueryObject4').huntingQueryVersion4]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId5')]", - "version": "[variables('huntingQueryVersion5')]" + "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", + "version": "[variables('huntingQueryObject5').huntingQueryVersion5]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId6')]", - "version": "[variables('huntingQueryVersion6')]" + "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", + "version": "[variables('huntingQueryObject6').huntingQueryVersion6]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId7')]", - "version": "[variables('huntingQueryVersion7')]" + "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]", + "version": "[variables('huntingQueryObject7').huntingQueryVersion7]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId8')]", - "version": "[variables('huntingQueryVersion8')]" + "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]", + "version": "[variables('huntingQueryObject8').huntingQueryVersion8]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId9')]", - "version": "[variables('huntingQueryVersion9')]" + "contentId": "[variables('huntingQueryObject9')._huntingQuerycontentId9]", + "version": "[variables('huntingQueryObject9').huntingQueryVersion9]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId10')]", - "version": "[variables('huntingQueryVersion10')]" + "contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]", + "version": 
"[variables('huntingQueryObject10').huntingQueryVersion10]"
 }
 ]
 },
diff --git a/Solutions/Legacy IOC based Threat Protection/Package/testParameters.json b/Solutions/Legacy IOC based Threat Protection/Package/testParameters.json
new file mode 100644
index 0000000000..e55ec41a9a
--- /dev/null
+++ b/Solutions/Legacy IOC based Threat Protection/Package/testParameters.json
@@ -0,0 +1,24 @@
+{
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ }
+}
diff --git a/Solutions/Legacy IOC based Threat Protection/ReleaseNotes.md b/Solutions/Legacy IOC based Threat Protection/ReleaseNotes.md
index 7eb92c3724..fcdd84c939 100644
--- a/Solutions/Legacy IOC based Threat Protection/ReleaseNotes.md
+++ b/Solutions/Legacy IOC based Threat Protection/ReleaseNotes.md
@@ -1,4 +1,5 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|--------------------------------------------------------------------------------|
+| 3.0.2 | 12-12-2023 | Removed deprecated **Analytical Rules** |
 | 3.0.1 | 07-11-2023 | Changes for rebranding from Azure Active Directory to Microsoft Entra ID & Microsoft 365 Defender to Microsoft Defender XDR |
 | 3.0.0 | 19-05-2023 | Deprecating outdated IOC Based **Analytic Rules** |
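Review bot: Removing the 35 `AnalyticsRule` entries from `dependencies.criteria` takes the rules out of the package definition, but nothing in this hunk or elsewhere in the visible diff retracts the rule templates or active rules that workspaces already installed from 3.0.1; as far as the template shows, the package update leaves those rules in place, so confirm that against the content-hub update behaviour. Because these are IOC-based detections being retired precisely because their indicators are stale, operators need to be told to disable or delete the previously deployed rules themselves, e.g. widen the 3.0.2 release-notes row to `| 3.0.2 | 12-12-2023 | Removed deprecated **Analytical Rules**; rules already deployed from earlier versions are not removed automatically and should be disabled or deleted manually |`. The remaining hunting-query-only list under `"operator": "AND"` is fine as-is.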
diff --git a/Solutions/Lookout Cloud Security Platform for Microsoft Sentinel/Data Connectors/LookoutCSConnector/LookoutCSConn.zip b/Solutions/Lookout Cloud Security Platform for Microsoft Sentinel/Data Connectors/LookoutCSConnector/LookoutCSConn.zip
index bee663dcec..082acb92dc 100644
Binary files a/Solutions/Lookout Cloud Security Platform for Microsoft Sentinel/Data Connectors/LookoutCSConnector/LookoutCSConn.zip and b/Solutions/Lookout Cloud Security Platform for Microsoft Sentinel/Data Connectors/LookoutCSConnector/LookoutCSConn.zip differ
diff --git a/Solutions/Lookout Cloud Security Platform for Microsoft Sentinel/Data Connectors/LookoutCSConnector/requirements.txt b/Solutions/Lookout Cloud Security Platform for Microsoft Sentinel/Data Connectors/LookoutCSConnector/requirements.txt
index 5986ffb378..891d37da8a 100644
--- a/Solutions/Lookout Cloud Security Platform for Microsoft Sentinel/Data Connectors/LookoutCSConnector/requirements.txt
+++ b/Solutions/Lookout Cloud Security Platform for Microsoft Sentinel/Data Connectors/LookoutCSConnector/requirements.txt
@@ -4,7 +4,7 @@ azure-storage-file-share==12.3.0
 certifi==2023.7.22
 cffi==1.16.0
 charset-normalizer==3.3.1
-cryptography==41.0.5
+cryptography==41.0.6
 idna==3.4
 isodate==0.6.1
 msrest==0.7.1
diff --git a/Solutions/Microsoft Defender XDR/Data Connectors/MicrosoftThreatProtection.JSON b/Solutions/Microsoft Defender XDR/Data Connectors/MicrosoftThreatProtection.JSON
index c9beada92b..4d5ccd9cdb 100644
--- a/Solutions/Microsoft Defender XDR/Data Connectors/MicrosoftThreatProtection.JSON
+++ b/Solutions/Microsoft Defender XDR/Data Connectors/MicrosoftThreatProtection.JSON
@@ -90,7 +90,8 @@
 "EmailEvents\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
 "EmailUrlInfo\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
 "EmailAttachmentInfo\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
- "EmailPostDeliveryEvents\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)"
+ "EmailPostDeliveryEvents\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)",
+ "UrlClickEvents\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)"
 ]
 },
 {
@@ -180,6 +181,10 @@
 "name": "EmailPostDeliveryEvents",
 "lastDataReceivedQuery": "EmailPostDeliveryEvents\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
 },
+ {
+ "name": "UrlClickEvents",
+ "lastDataReceivedQuery": "UrlClickEvents\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
 {
 "name": "IdentityLogonEvents",
 "lastDataReceivedQuery": "IdentityLogonEvents\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
diff --git a/Solutions/Microsoft Defender XDR/Data/Solution_Microsoft Defender XDR.json b/Solutions/Microsoft Defender XDR/Data/Solution_Microsoft Defender XDR.json
index 3df31bddc8..e35ad7bdb5 100644
--- a/Solutions/Microsoft Defender XDR/Data/Solution_Microsoft Defender XDR.json
+++ b/Solutions/Microsoft Defender XDR/Data/Solution_Microsoft Defender XDR.json
@@ -30,7 +30,7 @@
 "Workbooks/MicrosoftDefenderForIdentity.json"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Microsoft Defender XDR",
- "Version": "3.0.0",
+ "Version": "3.0.2",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1Pconnector": true
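Review bot: No release-notes entry documenting the new `UrlClickEvents` table is visible for the Microsoft Defender XDR solution, even though the connector definition now lists it in both `connectivityCriterias` and `dataTypes`; it may sit outside this chunk, but if not, a row such as `| 3.0.2 | 12-12-2023 | Added **UrlClickEvents** to the Microsoft Defender XDR data connector |` should accompany the change. The `@@ -30,7 +30,7 @@` hunk also moves the solution data file from 3.0.0 straight to 3.0.2 while the package template moves from 3.0.1, which suggests the data file was not bumped for the previous release; keeping it in step with the package avoids the packaging check in the pipeline comparing stale versions. The new `lastDataReceivedQuery` and connectivity entries follow the existing pattern exactly, so nothing further is needed on those lines.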
diff --git a/Solutions/Microsoft Defender XDR/Package/3.0.2.zip b/Solutions/Microsoft Defender XDR/Package/3.0.2.zip new file mode 100644 index 0000000000..de5d4aa9a4 Binary files /dev/null and b/Solutions/Microsoft Defender XDR/Package/3.0.2.zip differ diff --git a/Solutions/Microsoft Defender XDR/Package/mainTemplate.json b/Solutions/Microsoft Defender XDR/Package/mainTemplate.json index d3211d028e..5e1e4f70f4 100644 --- a/Solutions/Microsoft Defender XDR/Package/mainTemplate.json +++ b/Solutions/Microsoft Defender XDR/Package/mainTemplate.json @@ -57,7 +57,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Microsoft Defender XDR", - "_solutionVersion": "3.0.1", + "_solutionVersion": "3.0.2", "solutionId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "_solutionId": "[variables('solutionId')]", "uiConfigId1": "MicrosoftThreatProtection", @@ -190,7 +190,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Microsoft Defender XDR data connector with template version 3.0.1", + "description": "Microsoft Defender XDR data connector with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", 
@@ -274,7 +274,8 @@ "EmailEvents\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", "EmailUrlInfo\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", "EmailAttachmentInfo\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", - "EmailPostDeliveryEvents\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)" + "EmailPostDeliveryEvents\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", + "UrlClickEvents\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)" ] }, { @@ -363,6 +364,10 @@ "name": "EmailPostDeliveryEvents", "lastDataReceivedQuery": "EmailPostDeliveryEvents\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" }, + { + "name": "UrlClickEvents", + "lastDataReceivedQuery": "UrlClickEvents\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, { "name": "IdentityLogonEvents", "lastDataReceivedQuery": "IdentityLogonEvents\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" @@ -571,6 +576,10 @@ "name": "EmailPostDeliveryEvents", "lastDataReceivedQuery": "EmailPostDeliveryEvents\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" }, + { + "name": "UrlClickEvents", + "lastDataReceivedQuery": "UrlClickEvents\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, { "name": "IdentityLogonEvents", "lastDataReceivedQuery": "IdentityLogonEvents\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" 
@@ -620,7 +629,8 @@ "EmailEvents\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", "EmailUrlInfo\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", "EmailAttachmentInfo\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", - "EmailPostDeliveryEvents\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)" + "EmailPostDeliveryEvents\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)", + "UrlClickEvents\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)" ] }, { @@ -657,7 +667,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PossiblePhishingwithCSL&NetworkSession_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "PossiblePhishingwithCSL&NetworkSession_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", 
@@ -868,7 +878,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SUNSPOTHashes_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "SUNSPOTHashes_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -977,7 +987,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PotentialBuildProcessCompromiseMDE_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "PotentialBuildProcessCompromiseMDE_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -1086,7 +1096,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SolarWinds_TEARDROP_Process-IOCs_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "SolarWinds_TEARDROP_Process-IOCs_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", 
@@ -1220,7 +1230,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SolarWinds_SUNBURST_Network-IOCs_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "SolarWinds_SUNBURST_Network-IOCs_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", @@ -1372,7 +1382,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", @@ -1502,7 +1512,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AVdetectionsrelatedtoUkrainebasedthreats_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "AVdetectionsrelatedtoUkrainebasedthreats_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", 
@@ -1610,7 +1620,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AVTarrask_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "AVTarrask_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", @@ -1727,7 +1737,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AVSpringShell_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "AVSpringShell_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", @@ -1844,7 +1854,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PossibleWebpBufferOverflow_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "PossibleWebpBufferOverflow_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", 
@@ -1944,13 +1954,13 @@ "incidentConfiguration": { "createIncident": false, "groupingConfiguration": { + "reopenClosedIncident": false, "matchingMethod": "Selected", "enabled": false, - "reopenClosedIncident": false, - "lookbackDuration": "5h", "groupByEntities": [ "Account" - ] + ], + "lookbackDuration": "5h" } } } @@ -2006,7 +2016,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Appspot Phishing Abuse_HuntingQueries Hunting Query with template version 3.0.1", + "description": "Appspot Phishing Abuse_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", @@ -2091,7 +2101,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Check for spoofing attempts on the domain with Authentication failures_HuntingQueries Hunting Query with template version 3.0.1", + "description": "Check for spoofing attempts on the domain with Authentication failures_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", 
@@ -2176,7 +2186,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Delivered Bad Emails from Top bad IPv4 addresses_HuntingQueries Hunting Query with template version 3.0.1", + "description": "Delivered Bad Emails from Top bad IPv4 addresses_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", @@ -2261,7 +2271,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailDelivered-ToInbox_HuntingQueries Hunting Query with template version 3.0.1", + "description": "EmailDelivered-ToInbox_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", @@ -2346,7 +2356,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MDO Insights Workbook with template version 3.0.1", + "description": "MDO Insights Workbook with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", 
@@ -2434,7 +2444,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MicrosoftDefenderForEndPoint Workbook with template version 3.0.1", + "description": "MicrosoftDefenderForEndPoint Workbook with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion2')]", @@ -2509,7 +2519,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MicrosoftDefenderForIdentity Workbook with template version 3.0.1", + "description": "MicrosoftDefenderForIdentity Workbook with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion3')]", @@ -2601,7 +2611,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.1", + "version": "3.0.2", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Microsoft Defender XDR", diff --git a/Solutions/Microsoft Defender XDR/ReleaseNotes.md b/Solutions/Microsoft Defender XDR/ReleaseNotes.md index f69c8eacd1..b0135e2df7 100644 --- a/Solutions/Microsoft Defender XDR/ReleaseNotes.md +++ b/Solutions/Microsoft Defender XDR/ReleaseNotes.md 
@@ -1,4 +1,5 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------------------------------------------------| +| 3.0.2 | 04-12-2023 | Added UrlClickEvents datatype to the solution | | 3.0.1 | 12-10-2023 | Solution name changed from **Microsoft 365 Defender** to **Microsoft Defender XDR**. | | 3.0.0 | 26-07-2023 | Updated **Workbook** template to remove unused variables. | diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/PrivilegedAccountsSigninFailureSpikes.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/PrivilegedAccountsSigninFailureSpikes.yaml index 68914d08ef..725e803134 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/PrivilegedAccountsSigninFailureSpikes.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/PrivilegedAccountsSigninFailureSpikes.yaml @@ -36,7 +36,7 @@ query: | | where TimeGenerated > ago(starttime) | summarize arg_max(TimeGenerated, *) by AccountUPN | mv-expand AssignedRoles - | where AssignedRoles contains 'Admin' + | where AssignedRoles contains 'Admin' or GroupMembership has "Admin" | summarize Roles = make_list(AssignedRoles) by AccountUPN = tolower(AccountUPN) | join kind=inner ( table(tableName) @@ -81,5 +81,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPAddress -version: 1.0.4 +version: 1.1.0 kind: Scheduled diff --git a/Solutions/OracleWebLogicServer/Data Connectors/Connector_OracleWebLogicServer_agent.json b/Solutions/OracleWebLogicServer/Data Connectors/Connector_OracleWebLogicServer_agent.json index 7efa9ce50f..55b26335b9 100644 --- a/Solutions/OracleWebLogicServer/Data Connectors/Connector_OracleWebLogicServer_agent.json +++ b/Solutions/OracleWebLogicServer/Data Connectors/Connector_OracleWebLogicServer_agent.json 
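Review bot: In the changed `where` line of PrivilegedAccountsSigninFailureSpikes.yaml the new group leg uses `has "Admin"` (whole-term match) while the existing roles leg uses `contains 'Admin'` (case-insensitive substring match), so a group such as "GlobalAdministrators" or "Domain Admins" would not satisfy the new clause even though the same string as a role would satisfy the old one, and the two legs also use different quote styles. If both sources are meant to be matched alike, `| where AssignedRoles contains 'Admin' or GroupMembership contains 'Admin'` keeps the semantics and quoting consistent; if term matching is deliberate, a one-line comment above the filter stating that would spare the next maintainer the same question. Because the filter runs after `mv-expand AssignedRoles`, an account that qualifies only via GroupMembership now contributes every one of its expanded roles to the following `make_list(AssignedRoles)`, which widens the `Roles` output for such accounts — presumably acceptable, but worth confirming. The `query:` block starts and ends outside this hunk.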
@@ -62,7 +62,7 @@ "instructionSteps": [ { "title": "", - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias OracleWebLogicServerEvent and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleWebLogicServer/Parsers/OracleWebLogicServerEvent.txt). The function usually takes 10-15 minutes to activate after solution installation/update.", + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias OracleWebLogicServerEvent and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleWebLogicServer/Parsers/OracleWebLogicServerEvent.yaml). The function usually takes 10-15 minutes to activate after solution installation/update.", "instructions": [ ] }, diff --git a/Solutions/OracleWebLogicServer/Data/Solution_OracleWebLogicServer.json b/Solutions/OracleWebLogicServer/Data/Solution_OracleWebLogicServer.json index db7d531a80..0eb1898218 100644 --- a/Solutions/OracleWebLogicServer/Data/Solution_OracleWebLogicServer.json +++ b/Solutions/OracleWebLogicServer/Data/Solution_OracleWebLogicServer.json @@ -7,7 +7,7 @@ "Workbooks/OracleWorkbook.json" ], "Parsers": [ - "Parsers/OracleWebLogicServerEvent.txt" + "Parsers/OracleWebLogicServerEvent.yaml" ], "Hunting Queries": [ "Hunting Queries/OracleWebLogic403RequestsFiles.yaml", 
@@ -38,7 +38,7 @@ ], "Metadata": "SolutionMetadata.json", "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\OracleWebLogicServer", - "Version": "2.0.1", + "Version": "3.0.0", "TemplateSpec": true, "Is1PConnector": false } \ No newline at end of file diff --git a/Solutions/OracleWebLogicServer/Package/3.0.0.zip b/Solutions/OracleWebLogicServer/Package/3.0.0.zip new file mode 100644 index 0000000000..e41ad37ed6 Binary files /dev/null and b/Solutions/OracleWebLogicServer/Package/3.0.0.zip differ diff --git a/Solutions/OracleWebLogicServer/Package/createUiDefinition.json b/Solutions/OracleWebLogicServer/Package/createUiDefinition.json index ce501e8714..b99b562735 100644 --- a/Solutions/OracleWebLogicServer/Package/createUiDefinition.json +++ b/Solutions/OracleWebLogicServer/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Oracle](https://www.oracle.com/index.html) WebLogic Server solution for Microsoft Sentinel provides the capability to ingest [Oracle Web Logic Server](https://docs.oracle.com/en/middleware/standalone/weblogic-server/index.html) events into Microsoft Sentinel. Oracle WebLogic Server is a server for building and deploying enterprise Java EE applications with support for new features for lowering cost of operations, improving performance, enhancing scalability, and supporting the Oracle Applications portfolio.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. 
[Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\r\n\n\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleWebLogicServer/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Oracle](https://www.oracle.com/index.html) WebLogic Server solution for Microsoft Sentinel provides the capability to ingest [Oracle Web Logic Server](https://docs.oracle.com/en/middleware/standalone/weblogic-server/index.html) events into Microsoft Sentinel. Oracle WebLogic Server is a server for building and deploying enterprise Java EE applications with support for new features for lowering cost of operations, improving performance, enhancing scalability, and supporting the Oracle Applications portfolio.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. 
[Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\r\n\n\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -60,14 +60,14 @@ "name": "dataconnectors1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Installation of the OracleWebLogicServer data connector requires installation of a collection agent on the Oracle WebLogic Server where logs are generated.  Refer to Oracle Web Logic Server documentation for more information. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + "text": "This Solution installs the data connector for OracleWebLogicServer. You can get OracleWebLogicServer custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } }, { "name": "dataconnectors-parser-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "The solution installs a parser that transforms ingested data. The transformed logs can be accessed using the OracleWebLogicServerEvent Kusto Function alias." + "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel." } }, { 
diff --git a/Solutions/OracleWebLogicServer/Package/mainTemplate.json b/Solutions/OracleWebLogicServer/Package/mainTemplate.json index 7a116d0d5c..0ffea8df1d 100644 --- a/Solutions/OracleWebLogicServer/Package/mainTemplate.json +++ b/Solutions/OracleWebLogicServer/Package/mainTemplate.json 
@@ -38,162 +38,168 @@ } }, "variables": { - "solutionId": "azuresentinel.azure-sentinel-solution-oracleweblogicserver", - "_solutionId": "[variables('solutionId')]", "email": "support@microsoft.com", "_email": "[variables('email')]", + "_solutionName": "OracleWebLogicServer", + "_solutionVersion": "3.0.0", + "solutionId": "azuresentinel.azure-sentinel-solution-oracleweblogicserver", + "_solutionId": "[variables('solutionId')]", "workbookVersion1": "1.0.0", "workbookContentId1": "OracleWeblogicServerWorkbook", "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", - "workbookTemplateSpecName1": "[concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1')))]", + "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", "_workbookContentId1": "[variables('workbookContentId1')]", "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", - "parserVersion1": "1.0.0", - "parserContentId1": "OracleWebLogicServerEvent-Parser", - "_parserContentId1": "[variables('parserContentId1')]", - "parserName1": "OracleWebLogicServer Data Parser", - "_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]", - "parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", - "_parserId1": "[variables('parserId1')]", - "parserTemplateSpecName1": "[concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1')))]", - "huntingQueryVersion1": "1.0.0", - "huntingQuerycontentId1": "5c2f090d-2072-4ad9-a749-394593d7091b", - "_huntingQuerycontentId1": "[variables('huntingQuerycontentId1')]", - "huntingQueryId1": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId1'))]", - "huntingQueryTemplateSpecName1": 
"[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1')))]", - "huntingQueryVersion2": "1.0.0", - "huntingQuerycontentId2": "419a91d4-5741-11ec-bf63-0242ac130002", - "_huntingQuerycontentId2": "[variables('huntingQuerycontentId2')]", - "huntingQueryId2": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId2'))]", - "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId2')))]", - "huntingQueryVersion3": "1.0.0", - "huntingQuerycontentId3": "877125e6-5779-11ec-bf63-0242ac130002", - "_huntingQuerycontentId3": "[variables('huntingQuerycontentId3')]", - "huntingQueryId3": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId3'))]", - "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId3')))]", - "huntingQueryVersion4": "1.0.0", - "huntingQuerycontentId4": "41aec744-5778-11ec-bf63-0242ac130002", - "_huntingQuerycontentId4": "[variables('huntingQuerycontentId4')]", - "huntingQueryId4": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId4'))]", - "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId4')))]", - "huntingQueryVersion5": "1.0.0", - "huntingQuerycontentId5": "34d32bf0-5741-11ec-bf63-0242ac130002", - "_huntingQuerycontentId5": "[variables('huntingQuerycontentId5')]", - "huntingQueryId5": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId5'))]", - "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId5')))]", - "huntingQueryVersion6": "1.0.0", - "huntingQuerycontentId6": "0a58d21c-5741-11ec-bf63-0242ac130002", - "_huntingQuerycontentId6": "[variables('huntingQuerycontentId6')]", - "huntingQueryId6": 
"[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId6'))]", - "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId6')))]", - "huntingQueryVersion7": "1.0.0", - "huntingQuerycontentId7": "f917b23e-5740-11ec-bf63-0242ac130002", - "_huntingQuerycontentId7": "[variables('huntingQuerycontentId7')]", - "huntingQueryId7": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId7'))]", - "huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId7')))]", - "huntingQueryVersion8": "1.0.0", - "huntingQuerycontentId8": "e6c42fe0-5740-11ec-bf63-0242ac130002", - "_huntingQuerycontentId8": "[variables('huntingQuerycontentId8')]", - "huntingQueryId8": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId8'))]", - "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId8')))]", - "huntingQueryVersion9": "1.0.0", - "huntingQuerycontentId9": "b89b3474-5740-11ec-bf63-0242ac130002", - "_huntingQuerycontentId9": "[variables('huntingQuerycontentId9')]", - "huntingQueryId9": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId9'))]", - "huntingQueryTemplateSpecName9": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId9')))]", - "huntingQueryVersion10": "1.0.0", - "huntingQuerycontentId10": "a5767caa-5740-11ec-bf63-0242ac130002", - "_huntingQuerycontentId10": "[variables('huntingQuerycontentId10')]", - "huntingQueryId10": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId10'))]", - "huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId10')))]", + "_workbookcontentProductId1": 
"[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", + "parserObject1": { + "_parserName1": "[concat(parameters('workspace'),'/','OracleWebLogicServer Data Parser')]", + "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'OracleWebLogicServer Data Parser')]", + "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('OracleWebLogicServerEvent-Parser')))]", + "parserVersion1": "1.0.0", + "parserContentId1": "OracleWebLogicServerEvent-Parser" + }, + "huntingQueryObject1": { + "huntingQueryVersion1": "1.0.0", + "_huntingQuerycontentId1": "5c2f090d-2072-4ad9-a749-394593d7091b", + "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('5c2f090d-2072-4ad9-a749-394593d7091b')))]" + }, + "huntingQueryObject2": { + "huntingQueryVersion2": "1.0.0", + "_huntingQuerycontentId2": "419a91d4-5741-11ec-bf63-0242ac130002", + "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('419a91d4-5741-11ec-bf63-0242ac130002')))]" + }, + "huntingQueryObject3": { + "huntingQueryVersion3": "1.0.0", + "_huntingQuerycontentId3": "877125e6-5779-11ec-bf63-0242ac130002", + "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('877125e6-5779-11ec-bf63-0242ac130002')))]" + }, + "huntingQueryObject4": { + "huntingQueryVersion4": "1.0.0", + "_huntingQuerycontentId4": "41aec744-5778-11ec-bf63-0242ac130002", + "huntingQueryTemplateSpecName4": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('41aec744-5778-11ec-bf63-0242ac130002')))]" + }, + "huntingQueryObject5": { + "huntingQueryVersion5": "1.0.0", + "_huntingQuerycontentId5": "34d32bf0-5741-11ec-bf63-0242ac130002", + "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('34d32bf0-5741-11ec-bf63-0242ac130002')))]" + }, + "huntingQueryObject6": { + "huntingQueryVersion6": "1.0.0", + "_huntingQuerycontentId6": "0a58d21c-5741-11ec-bf63-0242ac130002", + "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('0a58d21c-5741-11ec-bf63-0242ac130002')))]" + }, + "huntingQueryObject7": { + "huntingQueryVersion7": "1.0.0", + "_huntingQuerycontentId7": "f917b23e-5740-11ec-bf63-0242ac130002", + "huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('f917b23e-5740-11ec-bf63-0242ac130002')))]" + }, + "huntingQueryObject8": { + "huntingQueryVersion8": "1.0.0", + "_huntingQuerycontentId8": "e6c42fe0-5740-11ec-bf63-0242ac130002", + "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('e6c42fe0-5740-11ec-bf63-0242ac130002')))]" + }, + "huntingQueryObject9": { + "huntingQueryVersion9": "1.0.0", + "_huntingQuerycontentId9": "b89b3474-5740-11ec-bf63-0242ac130002", + "huntingQueryTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('b89b3474-5740-11ec-bf63-0242ac130002')))]" + }, + "huntingQueryObject10": { + "huntingQueryVersion10": "1.0.0", + "_huntingQuerycontentId10": "a5767caa-5740-11ec-bf63-0242ac130002", + "huntingQueryTemplateSpecName10": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('a5767caa-5740-11ec-bf63-0242ac130002')))]" + }, "uiConfigId1": "OracleWebLogicServer", "_uiConfigId1": "[variables('uiConfigId1')]", "dataConnectorContentId1": "OracleWebLogicServer", "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]", + "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", "dataConnectorVersion1": "1.0.0", - "analyticRuleVersion1": "1.0.1", - "analyticRulecontentId1": "6ae36a5e-573f-11ec-bf63-0242ac130002", - "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]", - "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]", - "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1')))]", - "analyticRuleVersion2": "1.0.1", - "analyticRulecontentId2": "44c7d12a-573f-11ec-bf63-0242ac130002", - "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]", - "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]", - "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2')))]", - "analyticRuleVersion3": "1.0.1", - "analyticRulecontentId3": "67950168-5740-11ec-bf63-0242ac130002", - "_analyticRulecontentId3": 
"[variables('analyticRulecontentId3')]", - "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]", - "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3')))]", - "analyticRuleVersion4": "1.0.1", - "analyticRulecontentId4": "51d050ee-5740-11ec-bf63-0242ac130002", - "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]", - "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]", - "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4')))]", - "analyticRuleVersion5": "1.0.1", - "analyticRulecontentId5": "41775080-5740-11ec-bf63-0242ac130002", - "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]", - "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]", - "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5')))]", - "analyticRuleVersion6": "1.0.1", - "analyticRulecontentId6": "268f4fde-5740-11ec-bf63-0242ac130002", - "_analyticRulecontentId6": "[variables('analyticRulecontentId6')]", - "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]", - "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6')))]", - "analyticRuleVersion7": "1.0.1", - "analyticRulecontentId7": "153ce6d8-5740-11ec-bf63-0242ac130002", - "_analyticRulecontentId7": "[variables('analyticRulecontentId7')]", - "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId7'))]", - "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7')))]", - 
"analyticRuleVersion8": "1.0.0", - "analyticRulecontentId8": "033e98d2-5740-11ec-bf63-0242ac130002", - "_analyticRulecontentId8": "[variables('analyticRulecontentId8')]", - "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId8'))]", - "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8')))]", - "analyticRuleVersion9": "1.0.1", - "analyticRulecontentId9": "edc2f2b4-573f-11ec-bf63-0242ac130002", - "_analyticRulecontentId9": "[variables('analyticRulecontentId9')]", - "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId9'))]", - "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9')))]", - "analyticRuleVersion10": "1.0.1", - "analyticRulecontentId10": "9cc9ed36-573f-11ec-bf63-0242ac130002", - "_analyticRulecontentId10": "[variables('analyticRulecontentId10')]", - "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId10'))]", - "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId10')))]" + "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "analyticRuleObject1": { + "analyticRuleVersion1": "1.0.1", + "_analyticRulecontentId1": "6ae36a5e-573f-11ec-bf63-0242ac130002", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6ae36a5e-573f-11ec-bf63-0242ac130002')]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6ae36a5e-573f-11ec-bf63-0242ac130002')))]", + 
"_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6ae36a5e-573f-11ec-bf63-0242ac130002','-', '1.0.1')))]" + }, + "analyticRuleObject2": { + "analyticRuleVersion2": "1.0.1", + "_analyticRulecontentId2": "44c7d12a-573f-11ec-bf63-0242ac130002", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '44c7d12a-573f-11ec-bf63-0242ac130002')]", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('44c7d12a-573f-11ec-bf63-0242ac130002')))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','44c7d12a-573f-11ec-bf63-0242ac130002','-', '1.0.1')))]" + }, + "analyticRuleObject3": { + "analyticRuleVersion3": "1.0.1", + "_analyticRulecontentId3": "67950168-5740-11ec-bf63-0242ac130002", + "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '67950168-5740-11ec-bf63-0242ac130002')]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('67950168-5740-11ec-bf63-0242ac130002')))]", + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','67950168-5740-11ec-bf63-0242ac130002','-', '1.0.1')))]" + }, + "analyticRuleObject4": { + "analyticRuleVersion4": "1.0.1", + "_analyticRulecontentId4": "51d050ee-5740-11ec-bf63-0242ac130002", + "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '51d050ee-5740-11ec-bf63-0242ac130002')]", + "analyticRuleTemplateSpecName4": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('51d050ee-5740-11ec-bf63-0242ac130002')))]", + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','51d050ee-5740-11ec-bf63-0242ac130002','-', '1.0.1')))]" + }, + "analyticRuleObject5": { + "analyticRuleVersion5": "1.0.1", + "_analyticRulecontentId5": "41775080-5740-11ec-bf63-0242ac130002", + "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '41775080-5740-11ec-bf63-0242ac130002')]", + "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('41775080-5740-11ec-bf63-0242ac130002')))]", + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','41775080-5740-11ec-bf63-0242ac130002','-', '1.0.1')))]" + }, + "analyticRuleObject6": { + "analyticRuleVersion6": "1.0.1", + "_analyticRulecontentId6": "268f4fde-5740-11ec-bf63-0242ac130002", + "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '268f4fde-5740-11ec-bf63-0242ac130002')]", + "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('268f4fde-5740-11ec-bf63-0242ac130002')))]", + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','268f4fde-5740-11ec-bf63-0242ac130002','-', '1.0.1')))]" + }, + "analyticRuleObject7": { + "analyticRuleVersion7": "1.0.1", + "_analyticRulecontentId7": "153ce6d8-5740-11ec-bf63-0242ac130002", + "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '153ce6d8-5740-11ec-bf63-0242ac130002')]", + 
"analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('153ce6d8-5740-11ec-bf63-0242ac130002')))]", + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','153ce6d8-5740-11ec-bf63-0242ac130002','-', '1.0.1')))]" + }, + "analyticRuleObject8": { + "analyticRuleVersion8": "1.0.0", + "_analyticRulecontentId8": "033e98d2-5740-11ec-bf63-0242ac130002", + "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '033e98d2-5740-11ec-bf63-0242ac130002')]", + "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('033e98d2-5740-11ec-bf63-0242ac130002')))]", + "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','033e98d2-5740-11ec-bf63-0242ac130002','-', '1.0.0')))]" + }, + "analyticRuleObject9": { + "analyticRuleVersion9": "1.0.1", + "_analyticRulecontentId9": "edc2f2b4-573f-11ec-bf63-0242ac130002", + "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'edc2f2b4-573f-11ec-bf63-0242ac130002')]", + "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('edc2f2b4-573f-11ec-bf63-0242ac130002')))]", + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','edc2f2b4-573f-11ec-bf63-0242ac130002','-', '1.0.1')))]" + }, + "analyticRuleObject10": { + "analyticRuleVersion10": "1.0.1", + "_analyticRulecontentId10": "9cc9ed36-573f-11ec-bf63-0242ac130002", + "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 
'9cc9ed36-573f-11ec-bf63-0242ac130002')]", + "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9cc9ed36-573f-11ec-bf63-0242ac130002')))]", + "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9cc9ed36-573f-11ec-bf63-0242ac130002','-', '1.0.1')))]" + }, + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('workbookTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Workbook" - }, - "properties": { - "description": "OracleWebLogicServer Workbook with template", - "displayName": "OracleWebLogicServer workbook template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('workbookTemplateSpecName1'),'/',variables('workbookVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Workbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OracleWorkbookWorkbook 
Workbook with template version 2.0.1", + "description": "OracleWorkbook Workbook with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", 
@@ -258,59 +264,53 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('parserTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Parser" - }, - "properties": { - "description": "OracleWebLogicServerEvent Data Parser with template", - "displayName": "OracleWebLogicServerEvent Data Parser template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId1')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook1-name')]", + "contentProductId": "[variables('_workbookcontentProductId1')]", + "id": "[variables('_workbookcontentProductId1')]", + "version": "[variables('workbookVersion1')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('parserTemplateSpecName1'),'/',variables('parserVersion1'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserObject1').parserTemplateSpecName1]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Parser" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OracleWebLogicServerEvent Data Parser with template version 2.0.1", + "description": 
"OracleWebLogicServerEvent Data Parser with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserVersion1')]", + "contentVersion": "[variables('parserObject1').parserVersion1]", "parameters": {}, "variables": {}, "resources": [ { - "name": "[variables('_parserName1')]", - "apiVersion": "2020-08-01", + "name": "[variables('parserObject1')._parserName1]", + "apiVersion": "2022-10-01", "type": "Microsoft.OperationalInsights/workspaces/savedSearches", "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", "displayName": "OracleWebLogicServer Data Parser", - "category": "Samples", + "category": "Microsoft Sentinel Parser", "functionAlias": "OracleWebLogicServerEvent", - "query": "\nlet owl_serverlog =() {\r\nOracleWebLogicServer_CL\r\n| where RawData startswith \"####\"\r\n| extend EventVendor = \"Oracle\"\r\n| extend EventProduct = 'Oracle WebLogic Server'\r\n| extend EventType = 'ServerLog'\r\n| extend EventData = extract_all(@\"<(.*?)>\", RawData)\r\n| extend EventStartTime = todatetime(replace(@',\\d+', @'', replace(@'(\\s\\d{1,2}),', @'\\1', extract(@'\\A(.*(PM|AM))', 1, tostring(EventData[0])))))\r\n| extend DvcTimeZone = extract(@'\\A.*(PM|AM)(.*)', 2, tostring(EventData[0]))\r\n| extend EventSeverity = tostring(EventData[1])\r\n| extend Subsystem = tostring(EventData[2])\r\n| extend DvcHostname = tostring(EventData[3])\r\n| extend SrcDvcHostname = tostring(EventData[4])\r\n| extend TreadId = tostring(EventData[5])\r\n| extend SrcUserName = replace(@'<', '', tostring(EventData[6]))\r\n| extend TransactionId = tostring(EventData[7])\r\n| extend DiagnosticContextId = tostring(EventData[8])\r\n| extend RawTimeValue = tostring(EventData[9])\r\n| extend EventOriginalUid = tostring(EventData[10])\r\n| extend EventMessage = tostring(EventData[11])\r\n};\r\nlet owl_accesslog=() {\r\nOracleWebLogicServer_CL\r\n| where RawData 
matches regex @'\\A\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}.*\\[.*\\]\\s\\\"(GET|POST)'\r\n| extend EventVendor = \"Oracle\"\r\n| extend EventProduct = 'Oracle WebLogic Server'\r\n| extend EventType = 'AccessLog'\r\n| extend EventData = split(RawData, '\"')\r\n| extend SubEventData0 = split(trim_start(@' ', (trim_end(@' ', tostring(EventData[0])))), ' ')\r\n| extend SubEventData1 = split(EventData[1], ' ')\r\n| extend SubEventData2 = split(trim_start(@' ', (trim_end(@' ', tostring(EventData[2])))), ' ')\r\n| extend SrcIpAddr = tostring(SubEventData0[0])\r\n| extend ClientIdentity = tostring(SubEventData0[1])\r\n| extend SrcUserName = tostring(SubEventData0[2])\r\n| extend EventStartTime = todatetime(replace(@'\\/', @'-', replace(@'(\\d{2}\\/\\w{3}\\/\\d{4}):(\\d{2}\\:\\d{2}\\:\\d{2})', @'\\1 \\2', extract(@'\\[(.*?)(\\-|\\+)\\d+\\]', 1, RawData))))\r\n| extend HttpRequestMethod = tostring(SubEventData1[0])\r\n| extend UrlOriginal = tostring(SubEventData1[1])\r\n| extend HttpVersion = tostring(SubEventData1[2])\r\n| extend HttpStatusCode = toint(SubEventData2[0])\r\n| extend HttpResponseBodyBytes = toint(SubEventData2[1])\r\n| extend HttpReferrerOriginal = tostring(EventData[3])\r\n| extend HttpUserAgentOriginal = tostring(EventData[5])\r\n};\r\nunion isfuzzy=true owl_serverlog, owl_accesslog\r\n| project TimeGenerated\r\n , EventVendor\r\n , EventProduct\r\n , EventType\r\n , EventStartTime\r\n , DvcTimeZone\r\n , EventSeverity\r\n , Subsystem\r\n , DvcHostname\r\n , SrcDvcHostname\r\n , TreadId\r\n , SrcUserName\r\n , TransactionId\r\n , DiagnosticContextId\r\n , RawTimeValue\r\n , EventOriginalUid\r\n , EventMessage\r\n , SrcIpAddr\r\n , ClientIdentity\r\n , HttpRequestMethod\r\n , UrlOriginal\r\n , HttpVersion\r\n , HttpStatusCode\r\n , HttpResponseBodyBytes\r\n , HttpReferrerOriginal\r\n , HttpUserAgentOriginal\r\n", - "version": 1, + "query": "let owl_serverlog =() {\nOracleWebLogicServer_CL\n| where RawData startswith \"####\"\n| extend EventVendor = 
\"Oracle\"\n| extend EventProduct = 'Oracle WebLogic Server'\n| extend EventType = 'ServerLog'\n| extend EventData = extract_all(@\"<(.*?)>\", RawData)\n| extend EventStartTime = todatetime(replace(@',\\d+', @'', replace(@'(\\s\\d{1,2}),', @'\\1', extract(@'\\A(.*(PM|AM))', 1, tostring(EventData[0])))))\n| extend DvcTimeZone = extract(@'\\A.*(PM|AM)(.*)', 2, tostring(EventData[0]))\n| extend EventSeverity = tostring(EventData[1])\n| extend Subsystem = tostring(EventData[2])\n| extend DvcHostname = tostring(EventData[3])\n| extend SrcDvcHostname = tostring(EventData[4])\n| extend ThreadId = tostring(EventData[5])\n| extend SrcUserName = replace(@'<', '', tostring(EventData[6]))\n| extend TransactionId = tostring(EventData[7])\n| extend DiagnosticContextId = tostring(EventData[8])\n| extend RawTimeValue = tostring(EventData[9])\n| extend EventOriginalUid = tostring(EventData[10])\n| extend EventMessage = tostring(EventData[11])\n};\nlet owl_accesslog=() {\nOracleWebLogicServer_CL\n| where RawData matches regex @'\\A\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}.*\\[.*\\]\\s\\\"(GET|POST)'\n| extend EventVendor = \"Oracle\"\n| extend EventProduct = 'Oracle WebLogic Server'\n| extend EventType = 'AccessLog'\n| extend EventData = split(RawData, '\"')\n| extend SubEventData0 = split(trim_start(@' ', (trim_end(@' ', tostring(EventData[0])))), ' ')\n| extend SubEventData1 = split(EventData[1], ' ')\n| extend SubEventData2 = split(trim_start(@' ', (trim_end(@' ', tostring(EventData[2])))), ' ')\n| extend SrcIpAddr = tostring(SubEventData0[0])\n| extend ClientIdentity = tostring(SubEventData0[1])\n| extend SrcUserName = tostring(SubEventData0[2])\n| extend EventStartTime = todatetime(replace(@'\\/', @'-', replace(@'(\\d{2}\\/\\w{3}\\/\\d{4}):(\\d{2}\\:\\d{2}\\:\\d{2})', @'\\1 \\2', extract(@'\\[(.*?)(\\-|\\+)\\d+\\]', 1, RawData))))\n| extend HttpRequestMethod = tostring(SubEventData1[0])\n| extend UrlOriginal = tostring(SubEventData1[1])\n| extend HttpVersion = 
tostring(SubEventData1[2])\n| extend HttpStatusCode = toint(SubEventData2[0])\n| extend HttpResponseBodyBytes = toint(SubEventData2[1])\n| extend HttpReferrerOriginal = tostring(EventData[3])\n| extend HttpUserAgentOriginal = tostring(EventData[5])\n};\nunion isfuzzy=true owl_serverlog, owl_accesslog\n| project TimeGenerated\n , EventVendor\n , EventProduct\n , EventType\n , EventStartTime\n , DvcTimeZone\n , EventSeverity\n , Subsystem\n , DvcHostname\n , SrcDvcHostname\n , ThreadId\n , SrcUserName\n , TransactionId\n , DiagnosticContextId\n , RawTimeValue\n , EventOriginalUid\n , EventMessage\n , SrcIpAddr\n , ClientIdentity\n , HttpRequestMethod\n , UrlOriginal\n , HttpVersion\n , HttpStatusCode\n , HttpResponseBodyBytes\n , HttpReferrerOriginal\n , HttpUserAgentOriginal\n", + "functionParameters": "", + "version": 2, "tags": [ { "name": "description", - "value": "OracleWebLogicServer Data Parser" + "value": "" } ] } 
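Review bot: The new parser query renames the projected column `TreadId` to `ThreadId` (in the `owl_serverlog` extend and in the final `project` list), which is a breaking change for any analytic rule, hunting query or workbook that still references the old column through the `OracleWebLogicServerEvent` function alias, and nothing in this hunk shows those consumers being updated. If a transition period is wanted, keep a compatibility column for one release, e.g. `| extend TreadId = ThreadId` before the `project` and include it in the projection, or at least confirm no other content in the solution references `TreadId` before merging. Separately, the saved search's description tag was emptied (`"value": ""` replacing `"OracleWebLogicServer Data Parser"`), which drops the only human-readable description attached to the function itself; restoring `"value": "OracleWebLogicServer Data Parser"` costs nothing. Both changes recur in the savedSearches resource of the hunk at @@ -345,36 +345,54 @@. This file looks machine-generated by the solution packaging tool, so the fix presumably belongs in the generator inputs rather than in a hand edit here.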
@@ -318,15 +318,15 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", "dependsOn": [ - "[variables('_parserName1')]" + "[variables('parserObject1')._parserId1]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", - "contentId": "[variables('_parserContentId1')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'OracleWebLogicServer Data Parser')]", + "contentId": "[variables('parserObject1').parserContentId1]", "kind": "Parser", - "version": "[variables('parserVersion1')]", + "version": "[variables('parserObject1').parserVersion1]", "source": { "name": "OracleWebLogicServer", "kind": "Solution", 
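Review bot: The metadata `parentId` now names the saved search by the literal display name `'OracleWebLogicServer Data Parser'`, while the savedSearches resource itself (in the preceding hunk) is named from `variables('parserObject1')._parserName1` and this resource's `dependsOn` uses `variables('parserObject1')._parserId1`; if `_parserName1` is ever derived differently, the metadata will silently point at a resource that does not exist. Given the `last(split(variables('parserObject1')._parserId1,'/'))` usage in `name`, `_parserId1` appears to already be the saved search's resource id, so `"parentId": "[variables('parserObject1')._parserId1]"` would give a single source of truth instead of duplicating the display name as a literal. The same literal appears in the metadata resource of the hunk at @@ -345,36 +345,54 @@.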
@@ -345,36 +345,54 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('parserObject1').parserContentId1]", + "contentKind": "Parser", + "displayName": "OracleWebLogicServer Data Parser", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", + "version": "[variables('parserObject1').parserVersion1]" } }, { "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2021-06-01", - "name": "[variables('_parserName1')]", + "apiVersion": "2022-10-01", + "name": "[variables('parserObject1')._parserName1]", "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", "displayName": "OracleWebLogicServer Data Parser", - "category": "Samples", + "category": "Microsoft Sentinel Parser", "functionAlias": "OracleWebLogicServerEvent", - "query": "\nlet owl_serverlog =() {\r\nOracleWebLogicServer_CL\r\n| where RawData startswith \"####\"\r\n| extend EventVendor = \"Oracle\"\r\n| extend EventProduct = 'Oracle WebLogic Server'\r\n| extend EventType = 'ServerLog'\r\n| extend EventData = extract_all(@\"<(.*?)>\", RawData)\r\n| extend EventStartTime = todatetime(replace(@',\\d+', @'', replace(@'(\\s\\d{1,2}),', @'\\1', extract(@'\\A(.*(PM|AM))', 1, tostring(EventData[0])))))\r\n| extend DvcTimeZone = extract(@'\\A.*(PM|AM)(.*)', 2, tostring(EventData[0]))\r\n| extend EventSeverity = tostring(EventData[1])\r\n| extend Subsystem = tostring(EventData[2])\r\n| extend DvcHostname = tostring(EventData[3])\r\n| 
extend SrcDvcHostname = tostring(EventData[4])\r\n| extend TreadId = tostring(EventData[5])\r\n| extend SrcUserName = replace(@'<', '', tostring(EventData[6]))\r\n| extend TransactionId = tostring(EventData[7])\r\n| extend DiagnosticContextId = tostring(EventData[8])\r\n| extend RawTimeValue = tostring(EventData[9])\r\n| extend EventOriginalUid = tostring(EventData[10])\r\n| extend EventMessage = tostring(EventData[11])\r\n};\r\nlet owl_accesslog=() {\r\nOracleWebLogicServer_CL\r\n| where RawData matches regex @'\\A\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}.*\\[.*\\]\\s\\\"(GET|POST)'\r\n| extend EventVendor = \"Oracle\"\r\n| extend EventProduct = 'Oracle WebLogic Server'\r\n| extend EventType = 'AccessLog'\r\n| extend EventData = split(RawData, '\"')\r\n| extend SubEventData0 = split(trim_start(@' ', (trim_end(@' ', tostring(EventData[0])))), ' ')\r\n| extend SubEventData1 = split(EventData[1], ' ')\r\n| extend SubEventData2 = split(trim_start(@' ', (trim_end(@' ', tostring(EventData[2])))), ' ')\r\n| extend SrcIpAddr = tostring(SubEventData0[0])\r\n| extend ClientIdentity = tostring(SubEventData0[1])\r\n| extend SrcUserName = tostring(SubEventData0[2])\r\n| extend EventStartTime = todatetime(replace(@'\\/', @'-', replace(@'(\\d{2}\\/\\w{3}\\/\\d{4}):(\\d{2}\\:\\d{2}\\:\\d{2})', @'\\1 \\2', extract(@'\\[(.*?)(\\-|\\+)\\d+\\]', 1, RawData))))\r\n| extend HttpRequestMethod = tostring(SubEventData1[0])\r\n| extend UrlOriginal = tostring(SubEventData1[1])\r\n| extend HttpVersion = tostring(SubEventData1[2])\r\n| extend HttpStatusCode = toint(SubEventData2[0])\r\n| extend HttpResponseBodyBytes = toint(SubEventData2[1])\r\n| extend HttpReferrerOriginal = tostring(EventData[3])\r\n| extend HttpUserAgentOriginal = tostring(EventData[5])\r\n};\r\nunion isfuzzy=true owl_serverlog, owl_accesslog\r\n| project TimeGenerated\r\n , EventVendor\r\n , EventProduct\r\n , EventType\r\n , EventStartTime\r\n , DvcTimeZone\r\n , EventSeverity\r\n , Subsystem\r\n , DvcHostname\r\n , 
SrcDvcHostname\r\n , TreadId\r\n , SrcUserName\r\n , TransactionId\r\n , DiagnosticContextId\r\n , RawTimeValue\r\n , EventOriginalUid\r\n , EventMessage\r\n , SrcIpAddr\r\n , ClientIdentity\r\n , HttpRequestMethod\r\n , UrlOriginal\r\n , HttpVersion\r\n , HttpStatusCode\r\n , HttpResponseBodyBytes\r\n , HttpReferrerOriginal\r\n , HttpUserAgentOriginal\r\n", - "version": 1 + "query": "let owl_serverlog =() {\nOracleWebLogicServer_CL\n| where RawData startswith \"####\"\n| extend EventVendor = \"Oracle\"\n| extend EventProduct = 'Oracle WebLogic Server'\n| extend EventType = 'ServerLog'\n| extend EventData = extract_all(@\"<(.*?)>\", RawData)\n| extend EventStartTime = todatetime(replace(@',\\d+', @'', replace(@'(\\s\\d{1,2}),', @'\\1', extract(@'\\A(.*(PM|AM))', 1, tostring(EventData[0])))))\n| extend DvcTimeZone = extract(@'\\A.*(PM|AM)(.*)', 2, tostring(EventData[0]))\n| extend EventSeverity = tostring(EventData[1])\n| extend Subsystem = tostring(EventData[2])\n| extend DvcHostname = tostring(EventData[3])\n| extend SrcDvcHostname = tostring(EventData[4])\n| extend ThreadId = tostring(EventData[5])\n| extend SrcUserName = replace(@'<', '', tostring(EventData[6]))\n| extend TransactionId = tostring(EventData[7])\n| extend DiagnosticContextId = tostring(EventData[8])\n| extend RawTimeValue = tostring(EventData[9])\n| extend EventOriginalUid = tostring(EventData[10])\n| extend EventMessage = tostring(EventData[11])\n};\nlet owl_accesslog=() {\nOracleWebLogicServer_CL\n| where RawData matches regex @'\\A\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}.*\\[.*\\]\\s\\\"(GET|POST)'\n| extend EventVendor = \"Oracle\"\n| extend EventProduct = 'Oracle WebLogic Server'\n| extend EventType = 'AccessLog'\n| extend EventData = split(RawData, '\"')\n| extend SubEventData0 = split(trim_start(@' ', (trim_end(@' ', tostring(EventData[0])))), ' ')\n| extend SubEventData1 = split(EventData[1], ' ')\n| extend SubEventData2 = split(trim_start(@' ', (trim_end(@' ', tostring(EventData[2])))), 
' ')\n| extend SrcIpAddr = tostring(SubEventData0[0])\n| extend ClientIdentity = tostring(SubEventData0[1])\n| extend SrcUserName = tostring(SubEventData0[2])\n| extend EventStartTime = todatetime(replace(@'\\/', @'-', replace(@'(\\d{2}\\/\\w{3}\\/\\d{4}):(\\d{2}\\:\\d{2}\\:\\d{2})', @'\\1 \\2', extract(@'\\[(.*?)(\\-|\\+)\\d+\\]', 1, RawData))))\n| extend HttpRequestMethod = tostring(SubEventData1[0])\n| extend UrlOriginal = tostring(SubEventData1[1])\n| extend HttpVersion = tostring(SubEventData1[2])\n| extend HttpStatusCode = toint(SubEventData2[0])\n| extend HttpResponseBodyBytes = toint(SubEventData2[1])\n| extend HttpReferrerOriginal = tostring(EventData[3])\n| extend HttpUserAgentOriginal = tostring(EventData[5])\n};\nunion isfuzzy=true owl_serverlog, owl_accesslog\n| project TimeGenerated\n , EventVendor\n , EventProduct\n , EventType\n , EventStartTime\n , DvcTimeZone\n , EventSeverity\n , Subsystem\n , DvcHostname\n , SrcDvcHostname\n , ThreadId\n , SrcUserName\n , TransactionId\n , DiagnosticContextId\n , RawTimeValue\n , EventOriginalUid\n , EventMessage\n , SrcIpAddr\n , ClientIdentity\n , HttpRequestMethod\n , UrlOriginal\n , HttpVersion\n , HttpStatusCode\n , HttpResponseBodyBytes\n , HttpReferrerOriginal\n , HttpUserAgentOriginal\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", "dependsOn": [ - "[variables('_parserId1')]" + "[variables('parserObject1')._parserId1]" ], "properties": { - "parentId": 
"[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", - "contentId": "[variables('_parserContentId1')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'OracleWebLogicServer Data Parser')]", + "contentId": "[variables('parserObject1').parserContentId1]", "kind": "Parser", - "version": "[variables('parserVersion1')]", + "version": "[variables('parserObject1').parserVersion1]", "source": { "kind": "Solution", "name": "OracleWebLogicServer", 
@@ -393,42 +411,24 @@ } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "OracleWebLogicServer Hunting Query 1 with template", - "displayName": "OracleWebLogicServer Hunting Query template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName1'),'/',variables('huntingQueryVersion1'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject1').huntingQueryTemplateSpecName1]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OracleWebLogic403RequestsFiles_HuntingQueries Hunting Query with template version 2.0.1", + "description": "OracleWebLogic403RequestsFiles_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion1')]", + "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", 
+ "apiVersion": "2022-10-01", "name": "OracleWebLogicServer_Hunting_Query_1", "location": "[parameters('workspace-location')]", "properties": { @@ -456,13 +456,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1),'/'))))]", "properties": { "description": "OracleWebLogicServer Hunting Query 1", - "parentId": "[variables('huntingQueryId1')]", - "contentId": "[variables('_huntingQuerycontentId1')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1)]", + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion1')]", + "version": "[variables('huntingQueryObject1').huntingQueryVersion1]", "source": { "kind": "Solution", "name": "OracleWebLogicServer", 
@@ -481,46 +481,39 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "OracleWebLogicServer Hunting Query 2 with template", - "displayName": "OracleWebLogicServer Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", + "contentKind": "HuntingQuery", + "displayName": "Oracle - Request to forbidden files", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]", + "version": "1.0.0" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName2'),'/',variables('huntingQueryVersion2'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject2').huntingQueryTemplateSpecName2]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', 
variables('huntingQueryTemplateSpecName2'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OracleWebLogicAbnormalRequestSize_HuntingQueries Hunting Query with template version 2.0.1", + "description": "OracleWebLogicAbnormalRequestSize_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion2')]", + "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "OracleWebLogicServer_Hunting_Query_2", "location": "[parameters('workspace-location')]", "properties": { 
@@ -548,13 +541,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId2'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2),'/'))))]", "properties": { "description": "OracleWebLogicServer Hunting Query 2", - "parentId": "[variables('huntingQueryId2')]", - "contentId": "[variables('_huntingQuerycontentId2')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2)]", + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion2')]", + "version": "[variables('huntingQueryObject2').huntingQueryVersion2]", "source": { "kind": "Solution", "name": "OracleWebLogicServer", 
@@ -573,46 +566,39 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName3')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "OracleWebLogicServer Hunting Query 3 with template", - "displayName": "OracleWebLogicServer Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", + "contentKind": "HuntingQuery", + "displayName": "Oracle - Abnormal request size", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.0')))]", + "version": "1.0.0" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName3'),'/',variables('huntingQueryVersion3'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject3').huntingQueryTemplateSpecName3]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', 
variables('huntingQueryTemplateSpecName3'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OracleWebLogicCriticalEventSeverity_HuntingQueries Hunting Query with template version 2.0.1", + "description": "OracleWebLogicCriticalEventSeverity_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion3')]", + "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "OracleWebLogicServer_Hunting_Query_3", "location": "[parameters('workspace-location')]", "properties": { 
@@ -640,13 +626,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId3'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3),'/'))))]", "properties": { "description": "OracleWebLogicServer Hunting Query 3", - "parentId": "[variables('huntingQueryId3')]", - "contentId": "[variables('_huntingQuerycontentId3')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3)]", + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion3')]", + "version": "[variables('huntingQueryObject3').huntingQueryVersion3]", "source": { "kind": "Solution", "name": "OracleWebLogicServer", 
@@ -665,46 +651,39 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName4')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "OracleWebLogicServer Hunting Query 4 with template", - "displayName": "OracleWebLogicServer Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", + "contentKind": "HuntingQuery", + "displayName": "Oracle - Critical event severity", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.0')))]", + "version": "1.0.0" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName4'),'/',variables('huntingQueryVersion4'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject4').huntingQueryTemplateSpecName4]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', 
variables('huntingQueryTemplateSpecName4'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OracleWebLogicErrors_HuntingQueries Hunting Query with template version 2.0.1", + "description": "OracleWebLogicErrors_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion4')]", + "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "OracleWebLogicServer_Hunting_Query_4", "location": "[parameters('workspace-location')]", "properties": { 
@@ -732,13 +711,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId4'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4),'/'))))]", "properties": { "description": "OracleWebLogicServer Hunting Query 4", - "parentId": "[variables('huntingQueryId4')]", - "contentId": "[variables('_huntingQuerycontentId4')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4)]", + "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion4')]", + "version": "[variables('huntingQueryObject4').huntingQueryVersion4]", "source": { "kind": "Solution", "name": "OracleWebLogicServer", 
@@ -757,46 +736,39 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName5')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "OracleWebLogicServer Hunting Query 5 with template", - "displayName": "OracleWebLogicServer Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", + "contentKind": "HuntingQuery", + "displayName": "Oracle - Error messages", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.0')))]", + "version": "1.0.0" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName5'),'/',variables('huntingQueryVersion5'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject5').huntingQueryTemplateSpecName5]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', 
variables('huntingQueryTemplateSpecName5'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OracleWebLogicFilesErrorRequests_HuntingQueries Hunting Query with template version 2.0.1", + "description": "OracleWebLogicFilesErrorRequests_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion5')]", + "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "OracleWebLogicServer_Hunting_Query_5", "location": "[parameters('workspace-location')]", "properties": { 
@@ -824,13 +796,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId5'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5),'/'))))]", "properties": { "description": "OracleWebLogicServer Hunting Query 5", - "parentId": "[variables('huntingQueryId5')]", - "contentId": "[variables('_huntingQuerycontentId5')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5)]", + "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion5')]", + "version": "[variables('huntingQueryObject5').huntingQueryVersion5]", "source": { "kind": "Solution", "name": "OracleWebLogicServer", 
@@ -849,46 +821,39 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName6')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "OracleWebLogicServer Hunting Query 6 with template", - "displayName": "OracleWebLogicServer Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", + "contentKind": "HuntingQuery", + "displayName": "Oracle - Top files requested by users with error", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.0')))]", + "version": "1.0.0" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName6'),'/',variables('huntingQueryVersion6'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject6').huntingQueryTemplateSpecName6]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - 
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName6'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OracleWebLogicRareUAWithClientErrors_HuntingQueries Hunting Query with template version 2.0.1", + "description": "OracleWebLogicRareUAWithClientErrors_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion6')]", + "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "OracleWebLogicServer_Hunting_Query_6", "location": "[parameters('workspace-location')]", "properties": { 
@@ -916,13 +881,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId6'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject6')._huntingQuerycontentId6),'/'))))]", "properties": { "description": "OracleWebLogicServer Hunting Query 6", - "parentId": "[variables('huntingQueryId6')]", - "contentId": "[variables('_huntingQuerycontentId6')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject6')._huntingQuerycontentId6)]", + "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion6')]", + "version": "[variables('huntingQueryObject6').huntingQueryVersion6]", "source": { "kind": "Solution", "name": "OracleWebLogicServer", 
@@ -941,46 +906,39 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName7')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "OracleWebLogicServer Hunting Query 7 with template", - "displayName": "OracleWebLogicServer Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", + "contentKind": "HuntingQuery", + "displayName": "Oracle - Rare user agents with client errors", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject6')._huntingQuerycontentId6,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject6')._huntingQuerycontentId6,'-', '1.0.0')))]", + "version": "1.0.0" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName7'),'/',variables('huntingQueryVersion7'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject7').huntingQueryTemplateSpecName7]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - 
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName7'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OracleWebLogicRareURLsRequested_HuntingQueries Hunting Query with template version 2.0.1", + "description": "OracleWebLogicRareURLsRequested_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion7')]", + "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "OracleWebLogicServer_Hunting_Query_7", "location": "[parameters('workspace-location')]", "properties": { 
@@ -1008,13 +966,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId7'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject7')._huntingQuerycontentId7),'/'))))]", "properties": { "description": "OracleWebLogicServer Hunting Query 7", - "parentId": "[variables('huntingQueryId7')]", - "contentId": "[variables('_huntingQuerycontentId7')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject7')._huntingQuerycontentId7)]", + "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion7')]", + "version": "[variables('huntingQueryObject7').huntingQueryVersion7]", "source": { "kind": "Solution", "name": "OracleWebLogicServer", 
@@ -1033,46 +991,39 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName8')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "OracleWebLogicServer Hunting Query 8 with template", - "displayName": "OracleWebLogicServer Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]", + "contentKind": "HuntingQuery", + "displayName": "Oracle - Rare URLs requested", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject7')._huntingQuerycontentId7,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject7')._huntingQuerycontentId7,'-', '1.0.0')))]", + "version": "1.0.0" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName8'),'/',variables('huntingQueryVersion8'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject8').huntingQueryTemplateSpecName8]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', 
variables('huntingQueryTemplateSpecName8'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OracleWebLogicUncommonUserAgents_HuntingQueries Hunting Query with template version 2.0.1", + "description": "OracleWebLogicUncommonUserAgents_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion8')]", + "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "OracleWebLogicServer_Hunting_Query_8", "location": "[parameters('workspace-location')]", "properties": { 
@@ -1100,13 +1051,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId8'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject8')._huntingQuerycontentId8),'/'))))]", "properties": { "description": "OracleWebLogicServer Hunting Query 8", - "parentId": "[variables('huntingQueryId8')]", - "contentId": "[variables('_huntingQuerycontentId8')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject8')._huntingQuerycontentId8)]", + "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion8')]", + "version": "[variables('huntingQueryObject8').huntingQueryVersion8]", "source": { "kind": "Solution", "name": "OracleWebLogicServer", 
@@ -1125,46 +1076,39 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName9')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "OracleWebLogicServer Hunting Query 9 with template", - "displayName": "OracleWebLogicServer Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]", + "contentKind": "HuntingQuery", + "displayName": "Oracle - Rare user agents", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject8')._huntingQuerycontentId8,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject8')._huntingQuerycontentId8,'-', '1.0.0')))]", + "version": "1.0.0" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName9'),'/',variables('huntingQueryVersion9'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject9').huntingQueryTemplateSpecName9]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', 
variables('huntingQueryTemplateSpecName9'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OracleWebLogicUrlClienterrors_HuntingQueries Hunting Query with template version 2.0.1", + "description": "OracleWebLogicUrlClienterrors_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion9')]", + "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "OracleWebLogicServer_Hunting_Query_9", "location": "[parameters('workspace-location')]", "properties": { 
@@ -1192,13 +1136,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId9'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject9')._huntingQuerycontentId9),'/'))))]", "properties": { "description": "OracleWebLogicServer Hunting Query 9", - "parentId": "[variables('huntingQueryId9')]", - "contentId": "[variables('_huntingQuerycontentId9')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject9')._huntingQuerycontentId9)]", + "contentId": "[variables('huntingQueryObject9')._huntingQuerycontentId9]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion9')]", + "version": "[variables('huntingQueryObject9').huntingQueryVersion9]", "source": { "kind": "Solution", "name": "OracleWebLogicServer", 
@@ -1217,46 +1161,39 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName10')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "OracleWebLogicServer Hunting Query 10 with template", - "displayName": "OracleWebLogicServer Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject9')._huntingQuerycontentId9]", + "contentKind": "HuntingQuery", + "displayName": "Oracle - Top URLs client errors", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject9')._huntingQuerycontentId9,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject9')._huntingQuerycontentId9,'-', '1.0.0')))]", + "version": "1.0.0" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName10'),'/',variables('huntingQueryVersion10'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject10').huntingQueryTemplateSpecName10]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - 
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName10'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OracleWebLogicUrlServerErrors_HuntingQueries Hunting Query with template version 2.0.1", + "description": "OracleWebLogicUrlServerErrors_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion10')]", + "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "OracleWebLogicServer_Hunting_Query_10", "location": "[parameters('workspace-location')]", "properties": { 
@@ -1284,13 +1221,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId10'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject10')._huntingQuerycontentId10),'/'))))]", "properties": { "description": "OracleWebLogicServer Hunting Query 10", - "parentId": "[variables('huntingQueryId10')]", - "contentId": "[variables('_huntingQuerycontentId10')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject10')._huntingQuerycontentId10)]", + "contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion10')]", + "version": "[variables('huntingQueryObject10').huntingQueryVersion10]", "source": { "kind": "Solution", "name": "OracleWebLogicServer", 
@@ -1309,37 +1246,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]", + "contentKind": "HuntingQuery", + "displayName": "Oracle - Top URLs server errors", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject10')._huntingQuerycontentId10,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject10')._huntingQuerycontentId10,'-', '1.0.0')))]", + "version": "1.0.0" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('dataConnectorTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, - "properties": { - "description": "OracleWebLogicServer data connector with template", - "displayName": "OracleWebLogicServer template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]" + 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OracleWebLogicServer data connector with template version 2.0.1", + "description": "OracleWebLogicServer data connector with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -1355,7 +1285,7 @@ "properties": { "connectorUiConfig": { "id": "[variables('_uiConfigId1')]", - "title": "Oracle WebLogic Server", + "title": "Oracle WebLogic Server (using Azure Functions)", "publisher": "Oracle", "descriptionMarkdown": "OracleWebLogicServer data connector provides the capability to ingest [OracleWebLogicServer](https://docs.oracle.com/en/middleware/standalone/weblogic-server/index.html) events into Microsoft Sentinel. Refer to [OracleWebLogicServer documentation](https://docs.oracle.com/en/middleware/standalone/weblogic-server/14.1.1.0/index.html) for more information.", "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.", 
@@ -1416,7 +1346,7 @@ }, "instructionSteps": [ { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias OracleWebLogicServerEvent and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleWebLogicServer/Parsers/OracleWebLogicServerEvent.txt). The function usually takes 10-15 minutes to activate after solution installation/update." + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias OracleWebLogicServerEvent and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleWebLogicServer/Parsers/OracleWebLogicServerEvent.yaml). The function usually takes 10-15 minutes to activate after solution installation/update." }, { "description": "Install the agent on the Oracle WebLogic Server where the logs are generated.\n\n> Logs from Oracle WebLogic Server deployed on Linux or Windows servers are collected by **Linux** or **Windows** agents.", @@ -1513,7 +1443,7 @@ }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2023-04-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", "properties": { "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", 
@@ -1538,12 +1468,23 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + "displayName": "Oracle WebLogic Server (using Azure Functions)", + "contentProductId": "[variables('_dataConnectorcontentProductId1')]", + "id": "[variables('_dataConnectorcontentProductId1')]", + "version": "[variables('dataConnectorVersion1')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2023-04-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", "dependsOn": [ "[variables('_dataConnectorId1')]" @@ -1579,7 +1520,7 @@ "kind": "GenericUI", "properties": { "connectorUiConfig": { - "title": "Oracle WebLogic Server", + "title": "Oracle WebLogic Server (using Azure Functions)", "publisher": "Oracle", "descriptionMarkdown": "OracleWebLogicServer data connector provides the capability to ingest [OracleWebLogicServer](https://docs.oracle.com/en/middleware/standalone/weblogic-server/index.html) events into Microsoft Sentinel. Refer to [OracleWebLogicServer documentation](https://docs.oracle.com/en/middleware/standalone/weblogic-server/14.1.1.0/index.html) for more information.", "graphQueries": [ 
@@ -1639,7 +1580,7 @@ }, "instructionSteps": [ { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias OracleWebLogicServerEvent and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleWebLogicServer/Parsers/OracleWebLogicServerEvent.txt). The function usually takes 10-15 minutes to activate after solution installation/update." + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias OracleWebLogicServerEvent and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleWebLogicServer/Parsers/OracleWebLogicServerEvent.yaml). The function usually takes 10-15 minutes to activate after solution installation/update." }, { "description": "Install the agent on the Oracle WebLogic Server where the logs are generated.\n\n> Logs from Oracle WebLogic Server deployed on Linux or Windows servers are collected by **Linux** or **Windows** agents.", 
@@ -1737,42 +1678,24 @@ } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName1')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "OracleWebLogicServer Analytics Rule 1 with template", - "displayName": "OracleWebLogicServer Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName1'),'/',variables('analyticRuleVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OracleWebLogicCommandInURI_AnalyticalRules Analytics Rule with template version 2.0.1", + "description": "OracleWebLogicCommandInURI_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion1')]", + "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": 
"[variables('AnalyticRulecontentId1')]", + "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -1791,10 +1714,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "OracleWebLogicServer", "dataTypes": [ "OracleWebLogicServerEvent" - ] + ], + "connectorId": "OracleWebLogicServer" } ], "tactics": [ @@ -1806,13 +1729,13 @@ ], "entityMappings": [ { + "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "UrlCustomEntity" } - ], - "entityType": "URL" + ] } ] } @@ -1820,13 +1743,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", "properties": { "description": "OracleWebLogicServer Analytics Rule 1", - "parentId": "[variables('analyticRuleId1')]", - "contentId": "[variables('_analyticRulecontentId1')]", + "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion1')]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", "source": { "kind": "Solution", "name": "OracleWebLogicServer", 
@@ -1845,46 +1768,39 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "OracleWebLogicServer Analytics Rule 2 with template", - "displayName": "OracleWebLogicServer Analytics Rule template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "contentKind": "AnalyticsRule", + "displayName": "Oracle - Command in URI", + "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName2'),'/',variables('analyticRuleVersion2'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName2'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 
variables('_solutionId'))]" ], "properties": { - "description": "OracleWebLogicDifferentUAsFromSingleIP_AnalyticalRules Analytics Rule with template version 2.0.1", + "description": "OracleWebLogicDifferentUAsFromSingleIP_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion2')]", + "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId2')]", + "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -1903,10 +1819,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "OracleWebLogicServer", "dataTypes": [ "OracleWebLogicServerEvent" - ] + ], + "connectorId": "OracleWebLogicServer" } ], "tactics": [ @@ -1918,13 +1834,13 @@ ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPCustomEntity" } - ], - "entityType": "IP" + ] } ] } 
@@ -1932,13 +1848,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", "properties": { "description": "OracleWebLogicServer Analytics Rule 2", - "parentId": "[variables('analyticRuleId2')]", - "contentId": "[variables('_analyticRulecontentId2')]", + "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion2')]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", "source": { "kind": "Solution", "name": "OracleWebLogicServer", 
@@ -1957,46 +1873,39 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName3')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "OracleWebLogicServer Analytics Rule 3 with template", - "displayName": "OracleWebLogicServer Analytics Rule template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "contentKind": "AnalyticsRule", + "displayName": "Oracle - Multiple user agents for single source", + "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName3'),'/',variables('analyticRuleVersion3'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName3'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OracleWebLogicExploitCVE-2021-2109_AnalyticalRules Analytics Rule with template version 2.0.1", + "description": "OracleWebLogicExploitCVE-2021-2109_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion3')]", + "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId3')]", + "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2015,10 +1924,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "OracleWebLogicServer", "dataTypes": [ "OracleWebLogicServerEvent" - ] + ], + "connectorId": "OracleWebLogicServer" } ], "tactics": [ @@ -2029,13 +1938,13 @@ ], "entityMappings": [ { + "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "UrlCustomEntity" } - ], - "entityType": "URL" + ] } ] } 
@@ -2043,13 +1952,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]", "properties": { "description": "OracleWebLogicServer Analytics Rule 3", - "parentId": "[variables('analyticRuleId3')]", - "contentId": "[variables('_analyticRulecontentId3')]", + "parentId": "[variables('analyticRuleObject3').analyticRuleId3]", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion3')]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]", "source": { "kind": "Solution", "name": "OracleWebLogicServer", 
@@ -2068,46 +1977,39 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName4')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "OracleWebLogicServer Analytics Rule 4 with template", - "displayName": "OracleWebLogicServer Analytics Rule template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "contentKind": "AnalyticsRule", + "displayName": "Oracle - Oracle WebLogic Exploit CVE-2021-2109", + "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName4'),'/',variables('analyticRuleVersion4'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName4'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OracleWebLogicKnownMaliciousUserAgents_AnalyticalRules Analytics Rule with template version 2.0.1", + "description": "OracleWebLogicKnownMaliciousUserAgents_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion4')]", + "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId4')]", + "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2126,10 +2028,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "OracleWebLogicServer", "dataTypes": [ "OracleWebLogicServerEvent" - ] + ], + "connectorId": "OracleWebLogicServer" } ], "tactics": [ @@ -2141,13 +2043,13 @@ ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPCustomEntity" } - ], - "entityType": "IP" + ] } ] } 
@@ -2155,13 +2057,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]", "properties": { "description": "OracleWebLogicServer Analytics Rule 4", - "parentId": "[variables('analyticRuleId4')]", - "contentId": "[variables('_analyticRulecontentId4')]", + "parentId": "[variables('analyticRuleObject4').analyticRuleId4]", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion4')]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]", "source": { "kind": "Solution", "name": "OracleWebLogicServer", 
@@ -2180,46 +2082,39 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName5')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "OracleWebLogicServer Analytics Rule 5 with template", - "displayName": "OracleWebLogicServer Analytics Rule template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "contentKind": "AnalyticsRule", + "displayName": "Oracle - Malicious user agent", + "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName5'),'/',variables('analyticRuleVersion5'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName5'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 
variables('_solutionId'))]" ], "properties": { - "description": "OracleWebLogicMultipleClientErrorsFromSingleIP_AnalyticalRules Analytics Rule with template version 2.0.1", + "description": "OracleWebLogicMultipleClientErrorsFromSingleIP_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion5')]", + "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId5')]", + "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2238,10 +2133,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "OracleWebLogicServer", "dataTypes": [ "OracleWebLogicServerEvent" - ] + ], + "connectorId": "OracleWebLogicServer" } ], "tactics": [ @@ -2253,13 +2148,13 @@ ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPCustomEntity" } - ], - "entityType": "IP" + ] } ] } 
@@ -2267,13 +2162,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]", "properties": { "description": "OracleWebLogicServer Analytics Rule 5", - "parentId": "[variables('analyticRuleId5')]", - "contentId": "[variables('_analyticRulecontentId5')]", + "parentId": "[variables('analyticRuleObject5').analyticRuleId5]", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion5')]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]", "source": { "kind": "Solution", "name": "OracleWebLogicServer", 
@@ -2292,46 +2187,39 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName6')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "OracleWebLogicServer Analytics Rule 6 with template", - "displayName": "OracleWebLogicServer Analytics Rule template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "contentKind": "AnalyticsRule", + "displayName": "Oracle - Multiple client errors from single IP", + "contentProductId": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", + "id": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName6'),'/',variables('analyticRuleVersion6'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName6'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OracleWebLogicMultipleServerErrorsRequestsFromSingleIP_AnalyticalRules Analytics Rule with template version 2.0.1", + "description": "OracleWebLogicMultipleServerErrorsRequestsFromSingleIP_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion6')]", + "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId6')]", + "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2350,10 +2238,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "OracleWebLogicServer", "dataTypes": [ "OracleWebLogicServerEvent" - ] + ], + "connectorId": "OracleWebLogicServer" } ], "tactics": [ @@ -2367,13 +2255,13 @@ ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPCustomEntity" } - ], - "entityType": "IP" + ] } ] } 
@@ -2381,13 +2269,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]", "properties": { "description": "OracleWebLogicServer Analytics Rule 6", - "parentId": "[variables('analyticRuleId6')]", - "contentId": "[variables('_analyticRulecontentId6')]", + "parentId": "[variables('analyticRuleObject6').analyticRuleId6]", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion6')]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]", "source": { "kind": "Solution", "name": "OracleWebLogicServer", 
@@ -2406,46 +2294,39 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName7')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "OracleWebLogicServer Analytics Rule 7 with template", - "displayName": "OracleWebLogicServer Analytics Rule template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "contentKind": "AnalyticsRule", + "displayName": "Oracle - Multiple server errors from single IP", + "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", + "id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName7'),'/',variables('analyticRuleVersion7'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject7').analyticRuleTemplateSpecName7]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName7'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OracleWebLogicPrivateIpInUrl_AnalyticalRules Analytics Rule with template version 2.0.1", + "description": "OracleWebLogicPrivateIpInUrl_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion7')]", + "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId7')]", + "name": "[variables('analyticRuleObject7')._analyticRulecontentId7]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2464,10 +2345,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "OracleWebLogicServer", "dataTypes": [ "OracleWebLogicServerEvent" - ] + ], + "connectorId": "OracleWebLogicServer" } ], "tactics": [ @@ -2479,22 +2360,22 @@ ], "entityMappings": [ { + "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "UrlCustomEntity" } - ], - "entityType": "URL" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPCustomEntity" } - ], - "entityType": "IP" + ] } ] } 
@@ -2502,13 +2383,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject7').analyticRuleId7,'/'))))]", "properties": { "description": "OracleWebLogicServer Analytics Rule 7", - "parentId": "[variables('analyticRuleId7')]", - "contentId": "[variables('_analyticRulecontentId7')]", + "parentId": "[variables('analyticRuleObject7').analyticRuleId7]", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion7')]", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]", "source": { "kind": "Solution", "name": "OracleWebLogicServer", 
@@ -2527,46 +2408,39 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName8')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "OracleWebLogicServer Analytics Rule 8 with template", - "displayName": "OracleWebLogicServer Analytics Rule template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "contentKind": "AnalyticsRule", + "displayName": "Oracle - Private IP in URL", + "contentProductId": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", + "id": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName8'),'/',variables('analyticRuleVersion8'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject8').analyticRuleTemplateSpecName8]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName8'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 
variables('_solutionId'))]" ], "properties": { - "description": "OracleWebLogicPutAndGetFileFromSameIP_AnalyticalRules Analytics Rule with template version 2.0.1", + "description": "OracleWebLogicPutAndGetFileFromSameIP_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion8')]", + "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId8')]", + "name": "[variables('analyticRuleObject8')._analyticRulecontentId8]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2585,10 +2459,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "OracleWebLogicServer", "dataTypes": [ "OracleWebLogicServerEvent" - ] + ], + "connectorId": "OracleWebLogicServer" } ], "tactics": [ @@ -2600,22 +2474,22 @@ ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPCustomEntity" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "UrlCustomEntity" } - ], - "entityType": "URL" + ] } ] } 
@@ -2623,13 +2497,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject8').analyticRuleId8,'/'))))]", "properties": { "description": "OracleWebLogicServer Analytics Rule 8", - "parentId": "[variables('analyticRuleId8')]", - "contentId": "[variables('_analyticRulecontentId8')]", + "parentId": "[variables('analyticRuleObject8').analyticRuleId8]", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion8')]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]", "source": { "kind": "Solution", "name": "OracleWebLogicServer", 
@@ -2648,46 +2522,39 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName9')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "OracleWebLogicServer Analytics Rule 9 with template", - "displayName": "OracleWebLogicServer Analytics Rule template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "contentKind": "AnalyticsRule", + "displayName": "Oracle - Put file and get file from same IP address", + "contentProductId": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", + "id": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName9'),'/',variables('analyticRuleVersion9'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject9').analyticRuleTemplateSpecName9]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName9'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OracleWebLogicPutSuspiciousFiles_AnalyticalRules Analytics Rule with template version 2.0.1", + "description": "OracleWebLogicPutSuspiciousFiles_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion9')]", + "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId9')]", + "name": "[variables('analyticRuleObject9')._analyticRulecontentId9]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2706,10 +2573,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "OracleWebLogicServer", "dataTypes": [ "OracleWebLogicServerEvent" - ] + ], + "connectorId": "OracleWebLogicServer" } ], "tactics": [ @@ -2723,31 +2590,31 @@ ], "entityMappings": [ { + "entityType": "File", "fieldMappings": [ { "identifier": "Name", "columnName": "FileCustomEntity" } - ], - "entityType": "File" + ] }, { + "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "UrlCustomEntity" } - ], - "entityType": "URL" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPCustomEntity" } - ], - "entityType": "IP" + ] } ] } 
@@ -2755,13 +2622,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject9').analyticRuleId9,'/'))))]", "properties": { "description": "OracleWebLogicServer Analytics Rule 9", - "parentId": "[variables('analyticRuleId9')]", - "contentId": "[variables('_analyticRulecontentId9')]", + "parentId": "[variables('analyticRuleObject9').analyticRuleId9]", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion9')]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]", "source": { "kind": "Solution", "name": "OracleWebLogicServer", 
@@ -2780,46 +2647,39 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName10')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "OracleWebLogicServer Analytics Rule 10 with template", - "displayName": "OracleWebLogicServer Analytics Rule template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "contentKind": "AnalyticsRule", + "displayName": "Oracle - Put suspicious file", + "contentProductId": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", + "id": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName10'),'/',variables('analyticRuleVersion10'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject10').analyticRuleTemplateSpecName10]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName10'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 
variables('_solutionId'))]" ], "properties": { - "description": "OracleWebLogicRequestToSensitiveFiles_AnalyticalRules Analytics Rule with template version 2.0.1", + "description": "OracleWebLogicRequestToSensitiveFiles_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion10')]", + "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId10')]", + "name": "[variables('analyticRuleObject10')._analyticRulecontentId10]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -2838,10 +2698,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "OracleWebLogicServer", "dataTypes": [ "OracleWebLogicServerEvent" - ] + ], + "connectorId": "OracleWebLogicServer" } ], "tactics": [ @@ -2852,22 +2712,22 @@ ], "entityMappings": [ { + "entityType": "File", "fieldMappings": [ { "identifier": "Name", "columnName": "FileCustomEntity" } - ], - "entityType": "File" + ] }, { + "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "UrlCustomEntity" } - ], - "entityType": "URL" + ] } ] } 
@@ -2875,13 +2735,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId10'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject10').analyticRuleId10,'/'))))]", "properties": { "description": "OracleWebLogicServer Analytics Rule 10", - "parentId": "[variables('analyticRuleId10')]", - "contentId": "[variables('_analyticRulecontentId10')]", + "parentId": "[variables('analyticRuleObject10').analyticRuleId10]", + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion10')]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]", "source": { "kind": "Solution", "name": "OracleWebLogicServer", 
@@ -2900,17 +2760,35 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "contentKind": "AnalyticsRule", + "displayName": "Oracle - Request to sensitive files", + "contentProductId": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", + "id": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "2.0.1", + "version": "3.0.0", "kind": "Solution", - "contentSchemaVersion": "2.0.0", + "contentSchemaVersion": "3.0.0", + "displayName": "OracleWebLogicServer", + "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", + "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Oracle WebLogic Server solution for Microsoft Sentinel provides the capability to ingest Oracle Web Logic Server events into Microsoft Sentinel. Oracle WebLogic Server is a server for building and deploying enterprise Java EE applications with support for new features for lowering cost of operations, improving performance, enhancing scalability, and supporting the Oracle Applications portfolio.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Azure Monitor HTTP Data Collector API
  2. \n
\n

Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", "contentId": "[variables('_solutionId')]", "parentId": "[variables('_solutionId')]", "source": { 
@@ -2938,58 +2816,58 @@ }, { "kind": "Parser", - "contentId": "[variables('_parserContentId1')]", - "version": "[variables('parserVersion1')]" + "contentId": "[variables('parserObject1').parserContentId1]", + "version": "[variables('parserObject1').parserVersion1]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId1')]", - "version": "[variables('huntingQueryVersion1')]" + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", + "version": "[variables('huntingQueryObject1').huntingQueryVersion1]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId2')]", - "version": "[variables('huntingQueryVersion2')]" + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", + "version": "[variables('huntingQueryObject2').huntingQueryVersion2]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId3')]", - "version": "[variables('huntingQueryVersion3')]" + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", + "version": "[variables('huntingQueryObject3').huntingQueryVersion3]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId4')]", - "version": "[variables('huntingQueryVersion4')]" + "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", + "version": "[variables('huntingQueryObject4').huntingQueryVersion4]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId5')]", - "version": "[variables('huntingQueryVersion5')]" + "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", + "version": "[variables('huntingQueryObject5').huntingQueryVersion5]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId6')]", - "version": "[variables('huntingQueryVersion6')]" + "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", + "version": "[variables('huntingQueryObject6').huntingQueryVersion6]" }, { "kind": 
"HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId7')]", - "version": "[variables('huntingQueryVersion7')]" + "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]", + "version": "[variables('huntingQueryObject7').huntingQueryVersion7]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId8')]", - "version": "[variables('huntingQueryVersion8')]" + "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]", + "version": "[variables('huntingQueryObject8').huntingQueryVersion8]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId9')]", - "version": "[variables('huntingQueryVersion9')]" + "contentId": "[variables('huntingQueryObject9')._huntingQuerycontentId9]", + "version": "[variables('huntingQueryObject9').huntingQueryVersion9]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId10')]", - "version": "[variables('huntingQueryVersion10')]" + "contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]", + "version": "[variables('huntingQueryObject10').huntingQueryVersion10]" }, { "kind": "DataConnector", 
@@ -2998,53 +2876,53 @@ }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId1')]", - "version": "[variables('analyticRuleVersion1')]" + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId2')]", - "version": "[variables('analyticRuleVersion2')]" + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId3')]", - "version": "[variables('analyticRuleVersion3')]" + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId4')]", - "version": "[variables('analyticRuleVersion4')]" + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId5')]", - "version": "[variables('analyticRuleVersion5')]" + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId6')]", - "version": "[variables('analyticRuleVersion6')]" + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId7')]", - "version": "[variables('analyticRuleVersion7')]" + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "version": 
"[variables('analyticRuleObject7').analyticRuleVersion7]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId8')]", - "version": "[variables('analyticRuleVersion8')]" + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId9')]", - "version": "[variables('analyticRuleVersion9')]" + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId10')]", - "version": "[variables('analyticRuleVersion10')]" + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" } ] }, diff --git a/Solutions/OracleWebLogicServer/Package/testParameters.json b/Solutions/OracleWebLogicServer/Package/testParameters.json new file mode 100644 index 0000000000..5187368f6d --- /dev/null +++ b/Solutions/OracleWebLogicServer/Package/testParameters.json 
@@ -0,0 +1,32 @@
+{
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ },
+ "workbook1-name": {
+ "type": "string",
+ "defaultValue": "Oracle WebLogic Server",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
+ }
+}
diff --git a/Solutions/OracleWebLogicServer/Parsers/OracleWebLogicServerEvent.txt b/Solutions/OracleWebLogicServer/Parsers/OracleWebLogicServerEvent.txt
deleted file mode 100644
index 232cce9e5b..0000000000
--- a/Solutions/OracleWebLogicServer/Parsers/OracleWebLogicServerEvent.txt
+++ /dev/null
@@ -1,72 +0,0 @@ -// This function parses Oracle WebLogic Server server.log and access.log -// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions -let owl_serverlog =() { -OracleWebLogicServer_CL -| where RawData startswith "####" -| extend EventVendor = "Oracle" -| extend EventProduct = 'Oracle WebLogic Server' -| extend EventType = 'ServerLog' -| extend EventData = extract_all(@"<(.*?)>", RawData) -| extend EventStartTime = todatetime(replace(@',\d+', @'', replace(@'(\s\d{1,2}),', @'\1', extract(@'\A(.*(PM|AM))', 1, tostring(EventData[0]))))) -| extend DvcTimeZone = extract(@'\A.*(PM|AM)(.*)', 2, tostring(EventData[0])) -| extend EventSeverity = tostring(EventData[1]) -| extend Subsystem = tostring(EventData[2]) -| extend DvcHostname = tostring(EventData[3]) -| extend SrcDvcHostname = tostring(EventData[4]) -| extend TreadId = tostring(EventData[5]) -| extend SrcUserName = replace(@'<', '', tostring(EventData[6])) -| extend TransactionId = tostring(EventData[7]) -| extend DiagnosticContextId = tostring(EventData[8]) -| extend RawTimeValue = tostring(EventData[9]) -| extend EventOriginalUid = tostring(EventData[10]) -| extend EventMessage = tostring(EventData[11]) -}; -let owl_accesslog=() { -OracleWebLogicServer_CL -| where RawData matches regex @'\A\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.*\[.*\]\s\"(GET|POST)' -| extend EventVendor = "Oracle" -| extend EventProduct = 'Oracle WebLogic Server' -| extend EventType = 'AccessLog' -| extend EventData = split(RawData, '"') -| extend SubEventData0 = split(trim_start(@' ', (trim_end(@' ', tostring(EventData[0])))), ' ') -| extend SubEventData1 = split(EventData[1], ' ') -| extend SubEventData2 = split(trim_start(@' ', (trim_end(@' ', tostring(EventData[2])))), ' ') -| extend SrcIpAddr = tostring(SubEventData0[0]) -| extend ClientIdentity = tostring(SubEventData0[1]) -| extend SrcUserName = tostring(SubEventData0[2]) -| extend EventStartTime = 
todatetime(replace(@'\/', @'-', replace(@'(\d{2}\/\w{3}\/\d{4}):(\d{2}\:\d{2}\:\d{2})', @'\1 \2', extract(@'\[(.*?)(\-|\+)\d+\]', 1, RawData)))) -| extend HttpRequestMethod = tostring(SubEventData1[0]) -| extend UrlOriginal = tostring(SubEventData1[1]) -| extend HttpVersion = tostring(SubEventData1[2]) -| extend HttpStatusCode = toint(SubEventData2[0]) -| extend HttpResponseBodyBytes = toint(SubEventData2[1]) -| extend HttpReferrerOriginal = tostring(EventData[3]) -| extend HttpUserAgentOriginal = tostring(EventData[5]) -}; -union isfuzzy=true owl_serverlog, owl_accesslog -| project TimeGenerated - , EventVendor - , EventProduct - , EventType - , EventStartTime - , DvcTimeZone - , EventSeverity - , Subsystem - , DvcHostname - , SrcDvcHostname - , TreadId - , SrcUserName - , TransactionId - , DiagnosticContextId - , RawTimeValue - , EventOriginalUid - , EventMessage - , SrcIpAddr - , ClientIdentity - , HttpRequestMethod - , UrlOriginal - , HttpVersion - , HttpStatusCode - , HttpResponseBodyBytes - , HttpReferrerOriginal - , HttpUserAgentOriginal diff --git a/Solutions/OracleWebLogicServer/Parsers/OracleWebLogicServerEvent.yaml b/Solutions/OracleWebLogicServer/Parsers/OracleWebLogicServerEvent.yaml index d134fd3b71..0f8d6ba105 100644 --- a/Solutions/OracleWebLogicServer/Parsers/OracleWebLogicServerEvent.yaml +++ b/Solutions/OracleWebLogicServer/Parsers/OracleWebLogicServerEvent.yaml @@ -20,7 +20,7 @@ FunctionQuery: | | extend Subsystem = tostring(EventData[2]) | extend DvcHostname = tostring(EventData[3]) | extend SrcDvcHostname = tostring(EventData[4]) - | extend TreadId = tostring(EventData[5]) + | extend ThreadId = tostring(EventData[5]) | extend SrcUserName = replace(@'<', '', tostring(EventData[6])) | extend TransactionId = tostring(EventData[7]) | extend DiagnosticContextId = tostring(EventData[8]) @@ -61,7 +61,7 @@ FunctionQuery: | , Subsystem , DvcHostname , SrcDvcHostname - , TreadId + , ThreadId , SrcUserName , TransactionId , DiagnosticContextId 
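Review bot: Renaming the projected column `TreadId` to `ThreadId` in both hunks of the parser changes the function's output schema, and nothing in the hunk preserves the old name; if any analytic rule, hunting query or workbook in this solution still selects `TreadId`, that query would stop running, which in a detection pipeline means lost coverage rather than an obvious error. The spelling fix itself is right, but a schema change to a shared parser deserves a transition. Consider adding `| extend TreadId = ThreadId` alongside the corrected column for one release (or confirming with a search over the solution's queries that no consumer references `TreadId`), and calling the rename out as a breaking change in the release notes rather than only as a field update.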
diff --git a/Solutions/OracleWebLogicServer/ReleaseNotes.md b/Solutions/OracleWebLogicServer/ReleaseNotes.md
new file mode 100644
index 0000000000..93073e71e4
--- /dev/null
+++ b/Solutions/OracleWebLogicServer/ReleaseNotes.md
@@ -0,0 +1,3 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|------------------------------------------------------------------------------|
+| 3.0.0 | 15-12-2023 | Updated the **Parser** field TreadId to ThreadId |
\ No newline at end of file
diff --git a/Solutions/PaloAlto-PAN-OS/Package/3.0.0.zip b/Solutions/PaloAlto-PAN-OS/Package/3.0.0.zip
index a3e786bfd3..9f1e61db92 100644
Binary files a/Solutions/PaloAlto-PAN-OS/Package/3.0.0.zip and b/Solutions/PaloAlto-PAN-OS/Package/3.0.0.zip differ
diff --git a/Solutions/PaloAlto-PAN-OS/Package/mainTemplate.json b/Solutions/PaloAlto-PAN-OS/Package/mainTemplate.json
index 27926a28b3..36f7b8965c 100644
--- a/Solutions/PaloAlto-PAN-OS/Package/mainTemplate.json
+++ b/Solutions/PaloAlto-PAN-OS/Package/mainTemplate.json
@@ -61,18 +61,16 @@ "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", "dataConnectorVersion1": "1.0.0", "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", - "huntingQueryVersion1": "1.0.0", - "huntingQuerycontentId1": "0a57accf-3548-4e38-a861-99687c958f59", - "_huntingQuerycontentId1": "[variables('huntingQuerycontentId1')]", - "huntingQueryId1": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId1'))]", - "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1'))))]", - "_huntingQuerycontentProductId1": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId1'),'-', variables('huntingQueryVersion1'))))]", - "huntingQueryVersion2": "1.0.2", - "huntingQuerycontentId2": "2f8522fc-7807-4f0a-b53d-458296edab8d", - "_huntingQuerycontentId2": "[variables('huntingQuerycontentId2')]", - "huntingQueryId2": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId2'))]", - "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId2'))))]", - "_huntingQuerycontentProductId2": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId2'),'-', variables('huntingQueryVersion2'))))]", + "huntingQueryObject1": { + 
"huntingQueryVersion1": "1.0.0", + "_huntingQuerycontentId1": "0a57accf-3548-4e38-a861-99687c958f59", + "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('0a57accf-3548-4e38-a861-99687c958f59')))]" + }, + "huntingQueryObject2": { + "huntingQueryVersion2": "1.0.2", + "_huntingQuerycontentId2": "2f8522fc-7807-4f0a-b53d-458296edab8d", + "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('2f8522fc-7807-4f0a-b53d-458296edab8d')))]" + }, "workbookVersion1": "1.2.0", "workbookContentId1": "PaloAltoOverviewWorkbook", "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", 
@@ -86,30 +84,34 @@ "workbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId2'))))]", "_workbookContentId2": "[variables('workbookContentId2')]", "_workbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId2'),'-', variables('workbookVersion2'))))]", - "analyticRuleVersion1": "1.0.0", - "analyticRulecontentId1": "89a86f70-615f-4a79-9621-6f68c50f365f", - "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]", - "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]", - "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]", - "analyticRuleVersion2": "1.3.1", - "analyticRulecontentId2": "2be4ef67-a93f-4d8a-981a-88158cb73abd", - "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]", - "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]", - "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', variables('analyticRuleVersion2'))))]", - "analyticRuleVersion3": "1.0.2", - 
"analyticRulecontentId3": "f0be259a-34ac-4946-aa15-ca2b115d5feb", - "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]", - "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]", - "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3'))))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId3'),'-', variables('analyticRuleVersion3'))))]", - "analyticRuleVersion4": "1.0.2", - "analyticRulecontentId4": "5b72f527-e3f6-4a00-9908-8e4fee14da9f", - "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]", - "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]", - "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4'))))]", - "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId4'),'-', variables('analyticRuleVersion4'))))]", + "analyticRuleObject1": { + "analyticRuleVersion1": "1.0.0", + "_analyticRulecontentId1": "89a86f70-615f-4a79-9621-6f68c50f365f", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '89a86f70-615f-4a79-9621-6f68c50f365f')]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('89a86f70-615f-4a79-9621-6f68c50f365f')))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','89a86f70-615f-4a79-9621-6f68c50f365f','-', '1.0.0')))]" + }, + "analyticRuleObject2": { + "analyticRuleVersion2": "1.3.1", + "_analyticRulecontentId2": "2be4ef67-a93f-4d8a-981a-88158cb73abd", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2be4ef67-a93f-4d8a-981a-88158cb73abd')]", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2be4ef67-a93f-4d8a-981a-88158cb73abd')))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2be4ef67-a93f-4d8a-981a-88158cb73abd','-', '1.3.1')))]" + }, + "analyticRuleObject3": { + "analyticRuleVersion3": "1.0.2", + "_analyticRulecontentId3": "f0be259a-34ac-4946-aa15-ca2b115d5feb", + "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f0be259a-34ac-4946-aa15-ca2b115d5feb')]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f0be259a-34ac-4946-aa15-ca2b115d5feb')))]", + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f0be259a-34ac-4946-aa15-ca2b115d5feb','-', '1.0.2')))]" + }, + "analyticRuleObject4": { + "analyticRuleVersion4": "1.0.2", + "_analyticRulecontentId4": "5b72f527-e3f6-4a00-9908-8e4fee14da9f", + "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5b72f527-e3f6-4a00-9908-8e4fee14da9f')]", + "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5b72f527-e3f6-4a00-9908-8e4fee14da9f')))]", + "_analyticRulecontentProductId4": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5b72f527-e3f6-4a00-9908-8e4fee14da9f','-', '1.0.2')))]" + }, "PaloAlto_PAN-OS_Rest_API_CustomConnector": "PaloAlto_PAN-OS_Rest_API_CustomConnector", "_PaloAlto_PAN-OS_Rest_API_CustomConnector": "[variables('PaloAlto_PAN-OS_Rest_API_CustomConnector')]", "TemplateEmptyArray": "[json('[]')]", @@ -152,6 +154,7 @@ "_playbookcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId5'),'-', variables('playbookVersion5'))))]", "PaloAlto-PAN-OS-BlockIP": "PaloAlto-PAN-OS-BlockIP", "_PaloAlto-PAN-OS-BlockIP": "[variables('PaloAlto-PAN-OS-BlockIP')]", + "TemplateEmptyObject": "[json('{}')]", "playbookVersion6": "1.0", "playbookContentId6": "PaloAlto-PAN-OS-BlockIP", "_playbookContentId6": "[variables('playbookContentId6')]", @@ -545,7 +548,7 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName1')]", + "name": "[variables('huntingQueryObject1').huntingQueryTemplateSpecName1]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" @@ -554,7 +557,7 @@ "description": "PaloAlto-HighRiskPorts_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion1')]", + "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", "parameters": {}, "variables": {}, "resources": [ 
@@ -584,13 +587,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1),'/'))))]", "properties": { "description": "PaloAlto-PAN-OS Hunting Query 1", - "parentId": "[variables('huntingQueryId1')]", - "contentId": "[variables('_huntingQuerycontentId1')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1)]", + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion1')]", + "version": "[variables('huntingQueryObject1').huntingQueryVersion1]", "source": { "kind": "Solution", "name": "PaloAlto-PAN-OS", 
@@ -615,18 +618,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId1')]", + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", "contentKind": "HuntingQuery", "displayName": "Palo Alto - high-risk ports", - "contentProductId": "[variables('_huntingQuerycontentProductId1')]", - "id": "[variables('_huntingQuerycontentProductId1')]", - "version": "[variables('huntingQueryVersion1')]" + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]", + "version": "1.0.0" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName2')]", + "name": "[variables('huntingQueryObject2').huntingQueryTemplateSpecName2]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" @@ -635,7 +638,7 @@ "description": "Palo Alto - potential beaconing detected_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion2')]", + "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", "parameters": {}, "variables": {}, "resources": [ 
@@ -669,13 +672,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId2'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2),'/'))))]", "properties": { "description": "PaloAlto-PAN-OS Hunting Query 2", - "parentId": "[variables('huntingQueryId2')]", - "contentId": "[variables('_huntingQuerycontentId2')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2)]", + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion2')]", + "version": "[variables('huntingQueryObject2').huntingQueryVersion2]", "source": { "kind": "Solution", "name": "PaloAlto-PAN-OS", 
@@ -700,12 +703,12 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId2')]", + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", "contentKind": "HuntingQuery", "displayName": "Palo Alto - potential beaconing detected", - "contentProductId": "[variables('_huntingQuerycontentProductId2')]", - "id": "[variables('_huntingQuerycontentProductId2')]", - "version": "[variables('huntingQueryVersion2')]" + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.2')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.2')))]", + "version": "1.0.2" } }, { @@ -717,7 +720,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAltoOverviewWorkbook Workbook with template version 3.0.0", + "description": "PaloAltoOverview Workbook with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", 
@@ -805,7 +808,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAltoNetworkThreatWorkbook Workbook with template version 3.0.0", + "description": "PaloAltoNetworkThreat Workbook with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion2')]", @@ -887,7 +890,7 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName1')]", + "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" @@ -896,13 +899,13 @@ "description": "PaloAlto-UnusualThreatSignatures_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion1')]", + "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId1')]", + "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -921,10 +924,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "PaloAltoNetworks", "dataTypes": [ "CommonSecurityLog" - ], - "connectorId": "PaloAltoNetworks" + ] } ], "tactics": [ 
@@ -939,13 +942,13 @@ ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SourceIP" + "columnName": "SourceIP", + "identifier": "Address" } - ], - "entityType": "IP" + ] } ] } @@ -953,13 +956,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", "properties": { "description": "PaloAlto-PAN-OS Analytics Rule 1", - "parentId": "[variables('analyticRuleId1')]", - "contentId": "[variables('_analyticRulecontentId1')]", + "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion1')]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", "source": { "kind": "Solution", "name": "PaloAlto-PAN-OS", 
@@ -984,18 +987,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId1')]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", "contentKind": "AnalyticsRule", "displayName": "Palo Alto Threat signatures from Unusual IP addresses", - "contentProductId": "[variables('_analyticRulecontentProductId1')]", - "id": "[variables('_analyticRulecontentProductId1')]", - "version": "[variables('analyticRuleVersion1')]" + "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName2')]", + "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -1004,13 +1007,13 @@ "description": "FileHashEntity_Covid19_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion2')]", + "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId2')]", + "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -1029,10 +1032,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "PaloAltoNetworks", "dataTypes": [ "CommonSecurityLog" - ], - "connectorId": "PaloAltoNetworks" + ] } ], "tactics": [ @@ -1040,44 +1043,44 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "FullName" } - ], - "entityType": "Account" + ] }, { + "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "HostCustomEntity" + "columnName": "HostCustomEntity", + "identifier": "FullName" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "IPCustomEntity", + "identifier": "Address" } - ], - "entityType": "IP" + ] }, { + "entityType": "FileHash", "fieldMappings": [ { - "identifier": "Value", - "columnName": "FileHashValue" + "columnName": "FileHashValue", + "identifier": "Value" }, { - "identifier": "Algorithm", - "columnName": "FileHashType" + "columnName": "FileHashType", + "identifier": "Algorithm" } - ], - "entityType": "FileHash" + ] } ] } 
@@ -1085,13 +1088,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", "properties": { "description": "PaloAlto-PAN-OS Analytics Rule 2", - "parentId": "[variables('analyticRuleId2')]", - "contentId": "[variables('_analyticRulecontentId2')]", + "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion2')]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", "source": { "kind": "Solution", "name": "PaloAlto-PAN-OS", 
@@ -1116,18 +1119,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId2')]", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", "contentKind": "AnalyticsRule", "displayName": "Microsoft COVID-19 file hash indicator matches", - "contentProductId": "[variables('_analyticRulecontentProductId2')]", - "id": "[variables('_analyticRulecontentProductId2')]", - "version": "[variables('analyticRuleVersion2')]" + "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName3')]", + "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -1136,13 +1139,13 @@ "description": "PaloAlto-NetworkBeaconing_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion3')]", + "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId3')]", + "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -1161,10 +1164,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "PaloAltoNetworks", "dataTypes": [ "CommonSecurityLog" - ], - "connectorId": "PaloAltoNetworks" + ] } ], "tactics": [ @@ -1176,31 +1179,31 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "FullName" } - ], - "entityType": "Account" + ] }, { + "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "HostCustomEntity" + "columnName": "HostCustomEntity", + "identifier": "FullName" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "IPCustomEntity", + "identifier": "Address" } - ], - "entityType": "IP" + ] } ] } 
@@ -1208,13 +1211,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]", "properties": { "description": "PaloAlto-PAN-OS Analytics Rule 3", - "parentId": "[variables('analyticRuleId3')]", - "contentId": "[variables('_analyticRulecontentId3')]", + "parentId": "[variables('analyticRuleObject3').analyticRuleId3]", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion3')]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]", "source": { "kind": "Solution", "name": "PaloAlto-PAN-OS", 
@@ -1239,18 +1242,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId3')]", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", "contentKind": "AnalyticsRule", "displayName": "Palo Alto - potential beaconing detected", - "contentProductId": "[variables('_analyticRulecontentProductId3')]", - "id": "[variables('_analyticRulecontentProductId3')]", - "version": "[variables('analyticRuleVersion3')]" + "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName4')]", + "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -1259,13 +1262,13 @@ "description": "PaloAlto-PortScanning_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion4')]", + "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId4')]", + "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -1284,10 +1287,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "PaloAltoNetworks", "dataTypes": [ "CommonSecurityLog" - ], - "connectorId": "PaloAltoNetworks" + ] } ], "tactics": [ @@ -1298,31 +1301,31 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "FullName" } - ], - "entityType": "Account" + ] }, { + "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "HostCustomEntity" + "columnName": "HostCustomEntity", + "identifier": "FullName" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "IPCustomEntity", + "identifier": "Address" } - ], - "entityType": "IP" + ] } ] } 
@@ -1330,13 +1333,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]", "properties": { "description": "PaloAlto-PAN-OS Analytics Rule 4", - "parentId": "[variables('analyticRuleId4')]", - "contentId": "[variables('_analyticRulecontentId4')]", + "parentId": "[variables('analyticRuleObject4').analyticRuleId4]", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion4')]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]", "source": { "kind": "Solution", "name": "PaloAlto-PAN-OS", @@ -1361,12 +1364,12 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId4')]", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", "contentKind": "AnalyticsRule", "displayName": "Palo Alto - possible internal to external port scanning", - "contentProductId": "[variables('_analyticRulecontentProductId4')]", - "id": "[variables('_analyticRulecontentProductId4')]", - "version": "[variables('analyticRuleVersion4')]" + "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" } }, { 
@@ -5575,7 +5578,8 @@ }, "type": "AppendToArrayVariable", "inputs": { - "name": "AdaptiveCardBody" + "name": "AdaptiveCardBody", + "value": "[variables('TemplateEmptyObject')]" }, "description": "append security policies which the IP address is exist" } @@ -6728,7 +6732,8 @@ }, "type": "AppendToArrayVariable", "inputs": { - "name": "AdaptiveCardBody" + "name": "AdaptiveCardBody", + "value": "[variables('TemplateEmptyObject')]" }, "description": "append security policies which the URL address is exist" } @@ -7859,7 +7864,8 @@ }, "type": "AppendToArrayVariable", "inputs": { - "name": "AdaptiveCardBody" + "name": "AdaptiveCardBody", + "value": "[variables('TemplateEmptyObject')]" }, "description": "append security policies which the URL address is exist" } @@ -8962,7 +8968,8 @@ }, "type": "AppendToArrayVariable", "inputs": { - "name": "AdaptiveCardBody" + "name": "AdaptiveCardBody", + "value": "[variables('TemplateEmptyObject')]" }, "description": "append security policies which the IP address is exist" } @@ -9523,13 +9530,13 @@ }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId1')]", - "version": "[variables('huntingQueryVersion1')]" + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", + "version": "[variables('huntingQueryObject1').huntingQueryVersion1]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId2')]", - "version": "[variables('huntingQueryVersion2')]" + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", + "version": "[variables('huntingQueryObject2').huntingQueryVersion2]" }, { "kind": "Workbook", 
@@ -9543,23 +9550,23 @@ }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId1')]", - "version": "[variables('analyticRuleVersion1')]" + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId2')]", - "version": "[variables('analyticRuleVersion2')]" + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId3')]", - "version": "[variables('analyticRuleVersion3')]" + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId4')]", - "version": "[variables('analyticRuleVersion4')]" + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" }, { "kind": "LogicAppsCustomConnector", diff --git a/Solutions/PaloAlto-PAN-OS/Package/testParameters.json b/Solutions/PaloAlto-PAN-OS/Package/testParameters.json new file mode 100644 index 0000000000..2b232aa407 --- /dev/null +++ b/Solutions/PaloAlto-PAN-OS/Package/testParameters.json 
@@ -0,0 +1,40 @@ +{ + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + }, + "workbook1-name": { + "type": "string", + "defaultValue": "Palo Alto overview", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + }, + "workbook2-name": { + "type": "string", + "defaultValue": "Palo Alto Network Threat", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + } +} diff --git a/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAltoPlaybooks/PaloAlto-PAN-OS-BlockURL/azuredeploy.json b/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAltoPlaybooks/PaloAlto-PAN-OS-BlockURL/azuredeploy.json index 85de002f05..ed9ac8a7d3 100644 --- a/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAltoPlaybooks/PaloAlto-PAN-OS-BlockURL/azuredeploy.json +++ b/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAltoPlaybooks/PaloAlto-PAN-OS-BlockURL/azuredeploy.json 
@@ -5,7 +5,7 @@
 "comments": "This playbook uses the PaloAlto connector to take necessary actions on URL address like Block URL/Unblock URL from predefined address group and also gives an option to close the incident.",
 "title": "PaloAlto-PAN-OS-BlockURL",
 "description": "This playbook allows blocking/unblocking URLs in PaloAlto, using **predefined address group**. This allows to make changes on predefined address group, which is attached to security policy rule.",
- "prerequisites": ["1. PaloAlto connector needs to be deployed prior to the deployment of this playbook under the same subscription. Relevant instructions can be found in the connector doc page. \n\n 2. Generate an API key.[Refer this link on how to generate the API Key](https://paloaltolactest.trafficmanager.net/restapi-doc/#tag/key-generation) \n\n 3. Address group should be created for PAN-OS and this should be used while creating playbooks."],
+ "prerequisites": ["1. PaloAlto connector needs to be deployed prior to the deployment of this playbook under the same subscription. Relevant instructions can be found in the connector doc page. \n\n 2. Generate an API key.[Refer this link on how to generate the API Key](https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/get-your-api-key) \n\n 3. Address group should be created for PAN-OS and this should be used while creating playbooks."],
 "lastUpdateTime": "2023-05-30T00:00:00.000Z",
 "entities": ["Url"],
 "prerequisitesDeployTemplateFile": "../../PaloAltoCustomConnector/PaloAlto_PAN-OS_Rest_API_CustomConnector/azuredeploy.json",
diff --git a/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md b/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md
index d47a636115..7e42a6ec10 100644
--- a/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md
+++ b/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md
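Review bot: The `lastUpdateTime` context line still reads `2023-05-30T00:00:00.000Z` although the playbook metadata is changed in this hunk, and the solution's ReleaseNotes.md in this same commit moves its date to 12-12-2023. Bump it to the same date, `"lastUpdateTime": "2023-12-12T00:00:00.000Z",`, so the ARM metadata and the release notes agree on when the prerequisites text was last revised. Replacing the test-host link with the vendor documentation page is the right change; nothing else in the hunk needs attention.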
@@ -1,3 +1,3 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|--------------------------------------------------------------------|
-| 3.0.0 | 06-10-2023 | Fixed **Playbooks** issue |
\ No newline at end of file
+| 3.0.0 | 12-12-2023 | Fixed **Playbooks** issue |
\ No newline at end of file
diff --git a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikWebhookEvents.zip b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikWebhookEvents.zip
index ca8377b487..f2b2f0456f 100644
Binary files a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikWebhookEvents.zip and b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikWebhookEvents.zip differ
diff --git a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/azuredeploy_Connector_RubrikWebhookEvents_AzureFunction.json b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/azuredeploy_Connector_RubrikWebhookEvents_AzureFunction.json
index 18937c93c7..d6f5cd738c 100644
--- a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/azuredeploy_Connector_RubrikWebhookEvents_AzureFunction.json
+++ b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/azuredeploy_Connector_RubrikWebhookEvents_AzureFunction.json
@@ -155,7 +155,7 @@
 "alwaysOn": true,
 "reserved": true,
 "siteConfig": {
- "linuxFxVersion": "python|3.8"
+ "linuxFxVersion": "python|3.9"
 }
 },
 "resources": [
diff --git a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/requirements.txt b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/requirements.txt
index eaa2c3a65a..24d73bd5bb 100644
--- a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/requirements.txt
+++ b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/requirements.txt
@@ -2,6 +2,6 @@ # The Python Worker is managed by Azure Functions platform # Manually managing azure-functions-worker may cause unexpected issues -azure-functions -azure-functions-durable -requests \ No newline at end of file +azure-functions==1.14.0 +azure-functions-durable==1.2.3 +requests==2.31.0 \ No newline at end of file diff --git a/Solutions/TenableAD/Analytic Rules/TenableAdADAttacksPathways.yaml b/Solutions/TenableAD/Analytic Rules/TenableAdADAttacksPathways.yaml index 891c8035c7..8cf4a93e84 100644 --- a/Solutions/TenableAD/Analytic Rules/TenableAdADAttacksPathways.yaml +++ b/Solutions/TenableAD/Analytic Rules/TenableAdADAttacksPathways.yaml @@ -30,6 +30,13 @@ query: | | where MessageType == 0 and Codename in~ (codeNameList) | lookup kind=leftouter SeverityTable on Severity | order by Level -entityMappings: null -version: 1.0.0 + | extend HostName = tostring(split(Host, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.')) +entityMappings: + - entityType: Host + fieldMappings: + - identifier: HostName + columnName: HostName + - identifier: DnsDomain + columnName: DnsDomain +version: 1.0.1 kind: Scheduled \ No newline at end of file diff --git a/Solutions/TenableAD/Analytic Rules/TenableAdDCShadow.yaml b/Solutions/TenableAD/Analytic Rules/TenableAdDCShadow.yaml index b998b344af..d5755fc9c0 100644 --- a/Solutions/TenableAD/Analytic Rules/TenableAdDCShadow.yaml +++ b/Solutions/TenableAD/Analytic Rules/TenableAdDCShadow.yaml 
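Review bot: The new `extend` line assumes the afad_parser `Host` column is the FQDN of the machine the alert is about; if that column is instead populated from the syslog source (the appliance forwarding the events), every incident from these rules will carry the same Host entity, so confirm the column's meaning against the parser before release. For a single-label value `array_slice(split(Host, '.'), 1, -1)` is empty and `DnsDomain` becomes an empty string, which Sentinel tolerates but which deserves a comment above the extend, e.g. `// Split Host into HostName/DnsDomain for the Host entity; single-label hosts leave DnsDomain empty`. The identical change is applied in the eleven other TenableAD rule hunks in this commit (DCShadow through UserAccountIssues), so the comment and the confirmation apply to each of them.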
@@ -21,6 +21,13 @@ query: |
 // Then, create the Kusto Function with alias afad_parser
 afad_parser
 | where MessageType == 2 and Codename == "DCShadow"
-entityMappings: null
-version: 1.0.0
+ | extend HostName = tostring(split(Host, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))
+entityMappings:
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: HostName
+ - identifier: DnsDomain
+ columnName: DnsDomain
+version: 1.0.1
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/TenableAD/Analytic Rules/TenableAdDCSync.yaml b/Solutions/TenableAD/Analytic Rules/TenableAdDCSync.yaml
index 00fec99e8b..780b01c55d 100644
--- a/Solutions/TenableAD/Analytic Rules/TenableAdDCSync.yaml
+++ b/Solutions/TenableAD/Analytic Rules/TenableAdDCSync.yaml
@@ -21,6 +21,13 @@ query: |
 // Then, create the Kusto Function with alias afad_parser
 afad_parser
 | where MessageType == 2 and Codename == "DCSync"
-entityMappings: null
-version: 1.0.0
+ | extend HostName = tostring(split(Host, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))
+entityMappings:
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: HostName
+ - identifier: DnsDomain
+ columnName: DnsDomain
+version: 1.0.1
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/TenableAD/Analytic Rules/TenableAdGoldenTicket.yaml b/Solutions/TenableAD/Analytic Rules/TenableAdGoldenTicket.yaml
index 5dc91bf94e..dbd430f305 100644
--- a/Solutions/TenableAD/Analytic Rules/TenableAdGoldenTicket.yaml
+++ b/Solutions/TenableAD/Analytic Rules/TenableAdGoldenTicket.yaml
@@ -21,6 +21,13 @@ query: |
 // Then, create the Kusto Function with alias afad_parser
 afad_parser
 | where MessageType == 2 and Codename == "Golden Ticket"
-entityMappings: null
-version: 1.0.0
+ | extend HostName = tostring(split(Host, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))
+entityMappings:
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: HostName
+ - identifier: DnsDomain
+ columnName: DnsDomain
+version: 1.0.1
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/TenableAD/Analytic Rules/TenableAdIndicatorsOfAttack.yaml b/Solutions/TenableAD/Analytic Rules/TenableAdIndicatorsOfAttack.yaml
index 200a8f1f54..5446adb10a 100644
--- a/Solutions/TenableAD/Analytic Rules/TenableAdIndicatorsOfAttack.yaml
+++ b/Solutions/TenableAD/Analytic Rules/TenableAdIndicatorsOfAttack.yaml
@@ -29,6 +29,13 @@ query: |
 | where MessageType == 2
 | lookup kind=leftouter SeverityTable on Severity
 | order by Level
-entityMappings: null
-version: 1.0.0
+ | extend HostName = tostring(split(Host, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))
+entityMappings:
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: HostName
+ - identifier: DnsDomain
+ columnName: DnsDomain
+version: 1.0.1
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/TenableAD/Analytic Rules/TenableAdIndicatorsOfExposures.yaml b/Solutions/TenableAD/Analytic Rules/TenableAdIndicatorsOfExposures.yaml
index 7c27db2311..9899a81d26 100644
--- a/Solutions/TenableAD/Analytic Rules/TenableAdIndicatorsOfExposures.yaml
+++ b/Solutions/TenableAD/Analytic Rules/TenableAdIndicatorsOfExposures.yaml
@@ -29,6 +29,13 @@ query: |
 | where MessageType == 0
 | lookup kind=leftouter SeverityTable on Severity
 | order by Level
-entityMappings: null
-version: 1.0.0
+ | extend HostName = tostring(split(Host, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))
+entityMappings:
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: HostName
+ - identifier: DnsDomain
+ columnName: DnsDomain
+version: 1.0.1
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/TenableAD/Analytic Rules/TenableAdLSASSMemory.yaml b/Solutions/TenableAD/Analytic Rules/TenableAdLSASSMemory.yaml
index b7eccbe503..8949b88fa6 100644
--- a/Solutions/TenableAD/Analytic Rules/TenableAdLSASSMemory.yaml
+++ b/Solutions/TenableAD/Analytic Rules/TenableAdLSASSMemory.yaml
@@ -21,6 +21,13 @@ query: |
 // Then, create the Kusto Function with alias afad_parser
 afad_parser
 | where MessageType == 2 and Codename == "OS Credential Dumping: LSASS Memory"
-entityMappings: null
-version: 1.0.0
+ | extend HostName = tostring(split(Host, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))
+entityMappings:
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: HostName
+ - identifier: DnsDomain
+ columnName: DnsDomain
+version: 1.0.1
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/TenableAD/Analytic Rules/TenableAdPasswordGuessing.yaml b/Solutions/TenableAD/Analytic Rules/TenableAdPasswordGuessing.yaml
index 6f11e512a4..e6b14f68e9 100644
--- a/Solutions/TenableAD/Analytic Rules/TenableAdPasswordGuessing.yaml
+++ b/Solutions/TenableAD/Analytic Rules/TenableAdPasswordGuessing.yaml
@@ -21,6 +21,13 @@ query: |
 // Then, create the Kusto Function with alias afad_parser
 afad_parser
 | where MessageType == 2 and Codename == "Password Guessing"
-entityMappings: null
-version: 1.0.0
+ | extend HostName = tostring(split(Host, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))
+entityMappings:
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: HostName
+ - identifier: DnsDomain
+ columnName: DnsDomain
+version: 1.0.1
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/TenableAD/Analytic Rules/TenableAdPasswordIssues.yaml b/Solutions/TenableAD/Analytic Rules/TenableAdPasswordIssues.yaml
index 292e80cb5c..32eeedfe27 100644
--- a/Solutions/TenableAD/Analytic Rules/TenableAdPasswordIssues.yaml
+++ b/Solutions/TenableAD/Analytic Rules/TenableAdPasswordIssues.yaml
@@ -30,6 +30,13 @@ query: |
 | where MessageType == 0 and Codename in~ (codeNameList)
 | lookup kind=leftouter SeverityTable on Severity
 | order by Level
-entityMappings: null
-version: 1.0.0
+ | extend HostName = tostring(split(Host, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))
+entityMappings:
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: HostName
+ - identifier: DnsDomain
+ columnName: DnsDomain
+version: 1.0.1
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/TenableAD/Analytic Rules/TenableAdPasswordSpraying.yaml b/Solutions/TenableAD/Analytic Rules/TenableAdPasswordSpraying.yaml
index 83cceb632f..abd5c6c230 100644
--- a/Solutions/TenableAD/Analytic Rules/TenableAdPasswordSpraying.yaml
+++ b/Solutions/TenableAD/Analytic Rules/TenableAdPasswordSpraying.yaml
@@ -21,6 +21,13 @@ query: |
 // Then, create the Kusto Function with alias afad_parser
 afad_parser
 | where MessageType == 2 and Codename == "Password Spraying"
-entityMappings: null
-version: 1.0.0
+ | extend HostName = tostring(split(Host, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))
+entityMappings:
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: HostName
+ - identifier: DnsDomain
+ columnName: DnsDomain
+version: 1.0.1
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/TenableAD/Analytic Rules/TenableAdPrivilegedAccountIssues.yaml b/Solutions/TenableAD/Analytic Rules/TenableAdPrivilegedAccountIssues.yaml
index 74c52de853..c824368207 100644
--- a/Solutions/TenableAD/Analytic Rules/TenableAdPrivilegedAccountIssues.yaml
+++ b/Solutions/TenableAD/Analytic Rules/TenableAdPrivilegedAccountIssues.yaml
@@ -30,6 +30,13 @@ query: |
 | where MessageType == 0 and Codename in~ (codeNameList)
 | lookup kind=leftouter SeverityTable on Severity
 | order by Level
-entityMappings: null
-version: 1.0.0
+ | extend HostName = tostring(split(Host, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))
+entityMappings:
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: HostName
+ - identifier: DnsDomain
+ columnName: DnsDomain
+version: 1.0.1
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/TenableAD/Analytic Rules/TenableAdUserAccountIssues.yaml b/Solutions/TenableAD/Analytic Rules/TenableAdUserAccountIssues.yaml
index 4655dd7be8..a8eaa4a644 100644
--- a/Solutions/TenableAD/Analytic Rules/TenableAdUserAccountIssues.yaml
+++ b/Solutions/TenableAD/Analytic Rules/TenableAdUserAccountIssues.yaml
@@ -30,6 +30,13 @@ query: |
 | where MessageType == 0 and Codename in~ (codeNameList)
 | lookup kind=leftouter SeverityTable on Severity
 | order by Level
-entityMappings: null
-version: 1.0.0
+ | extend HostName = tostring(split(Host, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))
+entityMappings:
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: HostName
+ - identifier: DnsDomain
+ columnName: DnsDomain
+version: 1.0.1
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_CommonSecurityLog.yaml b/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_CommonSecurityLog.yaml
index 0e07756ac0..688339a944 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_CommonSecurityLog.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_CommonSecurityLog.yaml
@@ -1,7 +1,7 @@
 id: dd0a6029-ecef-4507-89c4-fc355ac52111
-name: TI map Domain entity to CommonSecurityLog
+name: TI map Domain entity to PaloAlto CommonSecurityLog
 description: |
- Identifies a match in CommonSecurityLog table from any Domain IOC from TI
+ Identifies a match in PaloAlto CommonSecurityLog table from any Domain IOC from TI
 severity: Medium
 requiredDataConnectors:
 - connectorId: ThreatIntelligence
@@ -23,35 +23,8 @@ query: |
 let dt_lookBack = 1h; // Look back 1 hour
 let ioc_lookBack = 14d; // Look back 14 days
 // Create a list of top-level domains (TLDs) from the threat feed data for later validation
- let list_tlds =
- ThreatIntelligenceIndicator
- // Filter indicators based on the specified time range and active indicators
- | where TimeGenerated >= ago(ioc_lookBack)
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true and ExpirationDateTime > now()
- | where isnotempty(DomainName)
- // Convert domain names to lowercase for consistency
- | extend DomainName = tolower(DomainName)
- // Split domain names into parts and extract the TLD
- | extend parts = split(DomainName, '.')
- | extend tld = parts[(array_length(parts) - 1)]
- // Count the occurrences of each TLD
- | summarize count() by tostring(tld)
- // Create a list of TLDs
- | summarize make_list(tld);
- // Retrieve threat intelligence indicators within the specified time range
- let Domain_Indicators =
- ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack)
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true and ExpirationDateTime > now()
- // Filter indicators that have a non-empty domain name
- | where isnotempty(DomainName)
- | extend TI_DomainEntity = DomainName;
- // Join threat intelligence indicators with common security logs
- Domain_Indicators
- | join kind=innerunique (
- CommonSecurityLog
+ let SecurityLog = materialize(
+ CommonSecurityLog
 // Filter common security logs based on the specified time range
 | extend IngestionTime = ingestion_time()
 | where IngestionTime > ago(dt_lookBack)
@@ -65,12 +38,20 @@ query: |
 | extend Domain = trim('"', tostring(parse_url(PA_Url).Host))
 | where isnotempty(Domain)
 | extend Domain = tolower(Domain)
- | extend parts = split(Domain, '.')
- | extend tld = parts[(array_length(parts) - 1)]
- // Validate parsed domain by checking if the TLD is in the threat feed's TLD list
- | where tld in~ (list_tlds)
 | extend CommonSecurityLog_TimeGenerated = TimeGenerated
- ) on $left.TI_DomainEntity == $right.Domain
+ );
+ let LogDomains = SecurityLog | distinct Domain | summarize make_list(Domain);
+ // Retrieve threat intelligence indicators within the specified time range
+ let Domain_Indicators = materialize(
+ ThreatIntelligenceIndicator
+ | where isnotempty(DomainName)
+ | where TimeGenerated >= ago(ioc_lookBack)
+ | extend TI_DomainEntity = tolower(DomainName)
+ | where TI_DomainEntity in (LogDomains)
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now());
+ // Join threat intelligence indicators with common security logs
+ Domain_Indicators | join kind=innerunique (SecurityLog) on $left.TI_DomainEntity == $right.Domain
 | where CommonSecurityLog_TimeGenerated < ExpirationDateTime
 | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId
 | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod, Type, TI_DomainEntity
@@ -88,5 +69,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: PA_Url
-version: 1.4.0
+version: 1.4.1
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_DeviceNetworkEvents.yaml b/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_DeviceNetworkEvents.yaml
new file mode 100644
index 0000000000..09784fa9eb
--- /dev/null
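Review bot: `LogDomains` is built with an unbounded `summarize make_list(Domain)` and then used as the right side of `in (LogDomains)`; both `make_list` and the `in` operator have a documented upper bound on list size (on the order of a million entries), so on a busy PaloAlto CommonSecurityLog feed an hour of distinct domains can make the rule fail outright rather than match. `DomainEntity_DnsEvents.yaml` in this same commit already guards its lists with `let maxListSize = 100000;`, so do the same here: declare `maxListSize` next to `dt_lookBack` and write `let LogDomains = SecurityLog | distinct Domain | summarize make_list(Domain, maxListSize);`. The same unbounded pattern appears in the new DeviceNetworkEvents, EmailEvents and EmailUrlInfo rules (`DeviceNetworkEventDomains`, `SenderDomains`/`RecipientDomains`, `Domains`/`Candidate_Domains`). The TLD validation performed by the removed lines is gone without replacement, so a misparsed `PA_Url` host now relies solely on an exact indicator match; that is acceptable but the comment `// Retrieve threat intelligence indicators within the specified time range` should say that candidates are pre-filtered to domains seen in the log window.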
+++ b/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_DeviceNetworkEvents.yaml 
@@ -0,0 +1,72 @@
+id: c308b2f3-eebe-4a20-905c-cb8293b062db
+name: TI Map Domain Entity to DeviceNetworkEvents
+description: |
+ 'This query identifies any Domain indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in DeviceNetworkEvents.'
+severity: Medium
+requiredDataConnectors:
+ - connectorId: MicrosoftThreatProtection
+ dataTypes:
+ - DeviceNetworkEvents
+ - connectorId: ThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: ThreatIntelligenceTaxii
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: MicrosoftDefenderThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Impact
+query: |
+ let dt_lookBack = 1h;
+ let ioc_lookBack = 14d;
+ let DeviceNetworkEvents_ = DeviceNetworkEvents
+ | where isnotempty(RemoteUrl)
+ | where TimeGenerated >= ago(dt_lookBack)
+ | where ActionType !has "ConnectionFailed"
+ | extend Domain = tostring(parse_url(tolower(RemoteUrl)).Host)
+ | where isnotempty(Domain)
+ | project-rename DeviceNetworkEvents_TimeGenerated = TimeGenerated;
+ let DeviceNetworkEventDomains = DeviceNetworkEvents_
+ | distinct Domain
+ | summarize make_list(Domain);
+ ThreatIntelligenceIndicator
+ | where isnotempty(DomainName)
+ | where TimeGenerated >= ago(ioc_lookBack)
+ | extend TI_Domain = tolower(DomainName)
+ | where TI_Domain in (DeviceNetworkEventDomains)
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now()
+ | where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;"
+ | join kind=innerunique (DeviceNetworkEvents_) on $left.TI_Domain == $right.Domain
+ | where DeviceNetworkEvents_TimeGenerated < ExpirationDateTime
+ | summarize DeviceNetworkEvents_TimeGenerated = arg_max(DeviceNetworkEvents_TimeGenerated, *) by IndicatorId, TI_Domain
+ | project DeviceNetworkEvents_TimeGenerated, IndicatorId, TI_Domain, Url = RemoteUrl, ConfidenceScore, Description, ThreatType, Tags, TrafficLightProtocolLevel, ActionType, DeviceId, DeviceName, InitiatingProcessAccountUpn, InitiatingProcessCommandLine, RemoteIP, RemotePort
+ | extend Name = tostring(split(InitiatingProcessAccountUpn, '@', 0)[0]), UPNSuffix = tostring(split(InitiatingProcessAccountUpn, '@', 1)[0])
+ | extend timestamp = DeviceNetworkEvents_TimeGenerated, UserPrincipalName = InitiatingProcessAccountUpn
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: Name
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: Host
+ fieldMappings:
+ - identifier: FullName
+ columnName: DeviceName
+ - entityType: URL
+ fieldMappings:
+ - identifier: Url
+ columnName: Url
+ - entityType: Process
+ fieldMappings:
+ - identifier: CommandLine
+ columnName: InitiatingProcessCommandLine
+version: 1.0.0
+kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_DnsEvents.yaml b/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_DnsEvents.yaml
index 26bb96db16..36fdfff3e2 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_DnsEvents.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_DnsEvents.yaml
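Review bot: `Domain = tostring(parse_url(tolower(RemoteUrl)).Host)` assumes `RemoteUrl` carries a scheme; that column frequently holds a bare hostname, and if `parse_url` returns an empty `Host` for scheme-less input those rows are discarded by the following `isnotempty(Domain)` and can never match an indicator — confirm against live data, or fall back to the raw value with `| extend Domain = coalesce(tostring(parse_url(tolower(RemoteUrl)).Host), tolower(RemoteUrl))`. `DeviceNetworkEvents_` is evaluated twice (once for `DeviceNetworkEventDomains`, once in the join) but, unlike `EmailEvents_` and `EmailUrlInfo_` in the sibling rules added by this commit, it is not wrapped in `materialize()`; wrapping it keeps the two evaluations consistent and is the cheaper option. `DeviceNetworkEventDomains` is also an unbounded `make_list`, as already noted on the CommonSecurityLog rule.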
@@ -28,11 +28,11 @@ query: |
 let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
 // Fetch threat intelligence indicators related to domains
 let Domain_Indicators = ThreatIntelligenceIndicator
+ // Filter out indicators without domain names
+ | where isnotempty(DomainName)
 | where TimeGenerated >= ago(ioc_lookBack)
 | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
 | where Active == true and ExpirationDateTime > now()
- // Filter out indicators without domain names
- | where isnotempty(DomainName)
 | extend TI_DomainEntity = DomainName;
 // Create a list of TLDs in our threat feed for later validation
 let maxListSize = 100000; // Define the maximum allowed size for each list
@@ -81,5 +81,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: Url
-version: 1.4.0
+version: 1.4.1
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_EmailEvents.yaml b/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_EmailEvents.yaml
new file mode 100644
index 0000000000..96ab3a9ff0
--- /dev/null
+++ b/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_EmailEvents.yaml
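Review bot: Moving `| where isnotempty(DomainName)` ahead of `arg_max(TimeGenerated, *) by IndicatorId` is a sound performance change, but it is also a small semantic change: an indicator whose most recent record has an empty `DomainName` is now represented by its latest record that still carried a domain instead of being dropped. That is probably acceptable, but the moved comment only says what is filtered, not why it is placed before the summarize; extend it to `// Filter out indicators without domain names (before arg_max, so an indicator is kept if any of its records has a domain)` so the next reader does not move it back. The same reorder is applied in the rewritten CommonSecurityLog rule and in the new DeviceNetworkEvents, EmailEvents and EmailUrlInfo rules in this commit.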
@@ -0,0 +1,55 @@
+id: 96307710-8bb9-4b45-8363-a90c72ebf86f
+name: TI map Domain entity to EmailEvents
+description: |
+ 'Identifies a match in EmailEvents table from any Domain IOC from TI'
+severity: Medium
+requiredDataConnectors:
+ - connectorId: Office365
+ dataTypes:
+ - EmailEvents
+ - connectorId: ThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: ThreatIntelligenceTaxii
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: MicrosoftDefenderThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Impact
+query: |
+ let dt_lookBack = 1h;
+ let ioc_lookBack = 14d;
+ let EmailEvents_ = materialize(EmailEvents | where isnotempty(RecipientEmailAddress) and isnotempty(SenderFromAddress) and TimeGenerated >= ago(dt_lookBack) and DeliveryAction !has "Blocked" | project-rename EmailEvents_TimeGenerated = TimeGenerated | extend SenderFromDomain = tolower(SenderFromDomain) | extend RecipientEmailDomain = tolower(tostring(split(RecipientEmailAddress, '@', 1))));
+ let SenderDomains = EmailEvents_ | distinct SenderFromDomain | summarize make_list(SenderFromDomain);
+ let RecipientDomains = EmailEvents_ | distinct RecipientEmailDomain | summarize make_list(RecipientEmailDomain);
+ let TI = materialize(ThreatIntelligenceIndicator
+ | where TimeGenerated >= ago(ioc_lookBack)
+ | where isnotempty(DomainName)
+ | extend TI_Domain = tolower(DomainName)
+ | where TI_Domain in (SenderDomains) or TI_Domain in (RecipientDomains)
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now()
+ | where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;");
+ (union
+ (TI | join kind=innerunique (EmailEvents_) on $left.TI_Domain == $right.SenderFromDomain),
+ (TI | join kind=innerunique (EmailEvents_) on $left.TI_Domain == $right.RecipientEmailDomain))
+ | where EmailEvents_TimeGenerated < ExpirationDateTime
+ | summarize EmailEvents_TimeGenerated = arg_max(EmailEvents_TimeGenerated, *) by IndicatorId, RecipientEmailAddress
+ | project EmailEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, RecipientEmailAddress, SenderFromAddress, Subject, ConfidenceLevel, Url, Type, TI_Domain, TrafficLightProtocolLevel, DeliveryAction, DeliveryLocation, EmailDirection
+ | extend Name = tostring(split(RecipientEmailAddress, '@', 0)[0]), UPNSuffix = tostring(split(RecipientEmailAddress, '@', 1)[0])
+ | extend timestamp = EmailEvents_TimeGenerated
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: Name
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+version: 1.0.0
+kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_EmailUrlInfo.yaml b/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_EmailUrlInfo.yaml
new file mode 100644
index 0000000000..e15544a83c
--- /dev/null
+++ b/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_EmailUrlInfo.yaml
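Review bot: `RecipientEmailDomain = tolower(tostring(split(RecipientEmailAddress, '@', 1)))` is missing the `[0]` index: `split()` with a requested index still returns a one-element dynamic array, so `tostring()` yields the JSON text of that array (for a made-up address, `["contoso.com"]`) rather than the bare domain, and neither `TI_Domain in (RecipientDomains)` nor the join on `$right.RecipientEmailDomain` can ever match, silently disabling the recipient-domain half of the rule. The later `UPNSuffix = tostring(split(RecipientEmailAddress, '@', 1)[0])` in the same query shows the intended form; change the extend to `| extend RecipientEmailDomain = tolower(tostring(split(RecipientEmailAddress, '@', 1)[0]))`. As a style point, the `EmailEvents_` definition packs six operators onto one line while `TI` is written one operator per line; splitting it the same way would have made this slip visible in review.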
@@ -0,0 +1,76 @@
+id: 87cc75df-d7b2-44f1-b064-ee924edfc879
+name: TI map Domain entity to EmailUrlInfo
+description: |
+ 'Identifies a match in EmailUrlInfo table from any Domain IOC from TI.'
+severity: Medium
+requiredDataConnectors:
+ - connectorId: Office365
+ dataTypes:
+ - EmailUrlInfo
+ - connectorId: ThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: ThreatIntelligenceTaxii
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: MicrosoftDefenderThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Impact
+query: |
+ let dt_lookBack = 1h;
+ let ioc_lookBack = 14d;
+ let EmailUrlInfo_ = materialize(EmailUrlInfo
+ | where isnotempty(UrlDomain)
+ | where TimeGenerated > ago(dt_lookBack)
+ | project-rename Email_Url = Url);
+ let Domains = EmailUrlInfo_
+ | distinct UrlDomain
+ | summarize make_list(UrlDomain);
+ let Candidates = ThreatIntelligenceIndicator
+ | where isnotempty(DomainName)
+ | where TimeGenerated >= ago(ioc_lookBack)
+ | extend TI_Domain = tolower(DomainName)
+ | where TI_Domain in (Domains)
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now()
+ | where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;"
+ | join kind=innerunique EmailUrlInfo_ on $left.TI_Domain == $right.UrlDomain
+ | join kind=innerunique (EmailEvents | where TimeGenerated >= ago(dt_lookBack) | project-rename EmailEvents_TimeGenerated = TimeGenerated) on $left.NetworkMessageId == $right.NetworkMessageId
+ | where DeliveryLocation !has "Quarantine"
+ // Customize and uncomment the following line to remove security related mailboxes
+ //| where tolower(RecipientEmailAddress) !in ("secmailbox1@example.com", "secmailbox2@example.com")
+ | where EmailEvents_TimeGenerated < ExpirationDateTime
+ | summarize EmailEvents_TimeGenerated = arg_max(EmailEvents_TimeGenerated, *) by IndicatorId, RecipientEmailAddress;
+ let Candidate_Domains = Candidates | distinct TI_Domain | summarize make_list(TI_Domain);
+ ThreatIntelligenceIndicator
+ | where isnotempty(Url)
+ | where TimeGenerated > ago(ioc_lookBack)
+ | extend Host = tostring(parse_url(Url).Host)
+ | where Host in (Candidate_Domains)
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now()
+ | where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;"
+ | join kind=innerunique (Candidates | extend parsed_url = parse_url(Email_Url) | extend BaseUrl = strcat(parsed_url.Scheme, "://", parsed_url.Host, parsed_url.Path)) on $left.Url == $right.BaseUrl
+ | where DeliveryAction !has "Blocked"
+ | project EmailEvents_TimeGenerated, RecipientEmailAddress, IndicatorId, TI_Domain, ConfidenceScore, Description, Tags, TrafficLightProtocolLevel, Url = Email_Url, DeliveryAction, DeliveryLocation, EmailDirection, NetworkMessageId, AuthenticationDetails, SenderFromAddress, SenderIPv4, Subject
+ | extend Name = tostring(split(RecipientEmailAddress, '@', 0)[0]), UPNSuffix = tostring(split(RecipientEmailAddress, '@', 1)[0])
+ | extend timestamp = EmailEvents_TimeGenerated
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: Name
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: URL
+ fieldMappings:
+ - identifier: Url
+ columnName: Url
+version: 1.0.0
+kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_PaloAlto.yaml b/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_PaloAlto.yaml
index 27a1248acf..fcd925e541 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_PaloAlto.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_PaloAlto.yaml
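Review bot: The join `on $left.TI_Domain == $right.UrlDomain` compares a lowercased indicator domain with the raw `UrlDomain`, and the `Domains` pre-filter list is built from the raw value as well, so any `UrlDomain` that is not already lower case is dropped before it can match; add `| extend UrlDomain = tolower(UrlDomain)` inside the `EmailUrlInfo_` materialize, as the sibling EmailEvents rule does for `SenderFromDomain`. The second indicator pass has the same gap in `Host = tostring(parse_url(Url).Host)`, which is tested against the lowercased `Candidate_Domains` without being lowercased itself. `Candidates` is consumed twice (for `Candidate_Domains` and in the final join) but, unlike `EmailUrlInfo_`, is not wrapped in `materialize()`, so its two joins are evaluated twice; materializing it would match the pattern the other new rules in this change use.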
@@ -28,10 +28,10 @@ query: | // Create a list of top-level domains (TLDs) in our threat feed for later validation of extracted domains let list_tlds = ThreatIntelligenceIndicator + | where isnotempty(DomainName) | where TimeGenerated >= ago(ioc_lookBack) | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId | where Active == true and ExpirationDateTime > now() - | where isnotempty(DomainName) | extend DomainName = tolower(DomainName) | extend parts = split(DomainName, '.') | extend tld = parts[(array_length(parts)-1)] @@ -39,11 +39,11 @@ query: | | summarize make_list(tld); let Domain_Indicators = ThreatIntelligenceIndicator + // Filter to pick up only IOC's that contain the entities we want (in this case, DomainName) + | where isnotempty(DomainName) | where TimeGenerated >= ago(ioc_lookBack) | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId | where Active == true and ExpirationDateTime > now() - // Filter to pick up only IOC's that contain the entities we want (in this case, DomainName) - | where isnotempty(DomainName) | extend TI_DomainEntity = DomainName; Domain_Indicators // Join with CommonSecurityLog to find potential malicious activity @@ -90,5 +90,5 @@ entityMappings: fieldMappings: - identifier: Url columnName: PA_Url -version: 1.4.0 +version: 1.4.1 kind: Scheduled diff --git a/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_SecurityAlert.yaml b/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_SecurityAlert.yaml index 31859ac00c..7e0eb62428 100644 --- a/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_SecurityAlert.yaml +++ b/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_SecurityAlert.yaml 
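Review bot: The filter reorder in both `list_tlds` and `Domain_Indicators` is not purely a cost change: `summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId` now runs only over rows that carry a DomainName, so if an indicator's most recent row can ever lack that field (a deactivation or update row, say) the rule would silently fall back to an older row that may still read `Active == true`. I cannot tell from the hunk whether the ThreatIntelligenceIndicator feed ever writes such rows; if it does not, a comment on the moved filter such as `// entity filter runs before arg_max for performance; every version of an indicator carries the same entity fields` would record the assumption the ordering relies on. The same reordering appears in DomainEntity_Syslog, DomainEntity_imWebSession, EmailEntity_AzureActivity, EmailEntity_PaloAlto, EmailEntity_SecurityAlert, EmailEntity_SecurityEvent, FileHashEntity_CommonSecurityLog and FileHashEntity_SecurityEvent, and the `in (...)` pre-filters placed before `arg_max` in the new and rewritten rules have the same property.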
@@ -26,55 +26,40 @@ triggerThreshold: 0 tactics: - Impact query: | - let dt_lookBack = 1h; // Lookback time for recent data, set to 1 hour - let ioc_lookBack = 14d; // Lookback time for threat feed data, set to 14 days - // Create a list of TLDs in our threat feed for later validation - let list_tlds = ThreatIntelligenceIndicator - | where TimeGenerated >= ago(ioc_lookBack) - | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId - | where Active == true and ExpirationDateTime > now() - | where isnotempty(DomainName) - | extend parts = split(DomainName, '.') - | extend tld = parts[(array_length(parts)-1)] - | summarize count() by tostring(tld) - | summarize make_list(tld); - let Domain_Indicators = ThreatIntelligenceIndicator - | where TimeGenerated >= ago(ioc_lookBack) - | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId - | where Active == true and ExpirationDateTime > now() - // Picking up only IOC's that contain the entities we want - | where isnotempty(DomainName) - | extend TI_DomainEntity = DomainName; - Domain_Indicators - // Using innerunique to keep performance fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated - | join kind=innerunique ( - SecurityAlert - | where TimeGenerated > ago(dt_lookBack) - | extend MSTI = case(AlertName has "TI map" and VendorName == "Microsoft" and ProductName == 'Azure Sentinel', true, false) - | where MSTI == false - // Extract domain patterns from message - | extend domain = todynamic(dynamic_to_json(extract_all(@"(((xn--)?[a-z0-9\-]+\.)+([a-z]+|(xn--[a-z0-9]+)))", dynamic([1,1]), tolower(Entities)))) - | mv-expand domain - | extend domain = tostring(domain[0]) - | extend parts = split(domain, '.') - // Split out the TLD - | extend tld = parts[(array_length(parts)-1)] - // Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed - | where tld in~ (list_tlds) - // Converting Entities 
into dynamic data type and use mv-expand to unpack the array - | extend EntitiesDynamicArray = parse_json(Entities) - | mv-apply EntitiesDynamicArray on - (summarize + let dt_lookBack = 1h; + let ioc_lookBack = 14d; + let SecurityAlerts = SecurityAlert + | where TimeGenerated > ago(dt_lookBack) + | extend domain = todynamic(dynamic_to_json(extract_all(@"(((xn--)?[a-z0-9\-]+\.)+([a-z]+|(xn--[a-z0-9]+)))", dynamic([1]), tolower(Entities)))) + | where isnotempty(domain) + | mv-expand domain + | extend domain = tostring(domain) + | extend EntitiesDynamicArray = parse_json(Entities) + | mv-apply EntitiesDynamicArray on + (summarize HostName = take_anyif(tostring(EntitiesDynamicArray.HostName), EntitiesDynamicArray.Type == "host"), IP_addr = take_anyif(tostring(EntitiesDynamicArray.Address), EntitiesDynamicArray.Type == "ip") - ) - | extend Alert_TimeGenerated = TimeGenerated - | extend Alert_Description = Description - ) on $left.TI_DomainEntity == $right.domain - | where Alert_TimeGenerated < ExpirationDateTime - | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName - | project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities, Type, TI_DomainEntity - | extend timestamp = Alert_TimeGenerated + ) + | extend Alert_TimeGenerated = TimeGenerated + | extend Alert_Description = Description; + let AlertDomains = SecurityAlerts + | distinct domain + | summarize make_list(domain); + let Domain_Indicators = materialize(ThreatIntelligenceIndicator + | where isnotempty(DomainName) + | where TimeGenerated >= ago(ioc_lookBack) + | extend TI_DomainEntity = tolower(DomainName) + | where TI_DomainEntity in (AlertDomains) + | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId + | where Active == true and ExpirationDateTime > now() + | where 
Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;"); + Domain_Indicators + // Using innerunique to keep performance fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated + | join kind=innerunique (SecurityAlerts) on $left.TI_DomainEntity == $right.domain + | where Alert_TimeGenerated < ExpirationDateTime + | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName + | project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities, Type, TI_DomainEntity + | extend timestamp = Alert_TimeGenerated entityMappings: - entityType: Host fieldMappings: @@ -88,5 +73,5 @@ entityMappings: fieldMappings: - identifier: Url columnName: Url -version: 1.4.1 +version: 1.4.2 kind: Scheduled diff --git a/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_Syslog.yaml b/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_Syslog.yaml index d5115e2160..583024e680 100644 --- a/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_Syslog.yaml +++ b/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_Syslog.yaml 
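Review bot: The rewritten `SecurityAlerts` no longer excludes the alerts this family of rules produces itself: the old `MSTI` filter (`AlertName has "TI map" and VendorName == "Microsoft" and ProductName == 'Azure Sentinel'`) is absent from the new side, so any TI-map alert, including this rule's own output, whose Entities carry the matched domain will be re-matched on the next run and raise a second alert. Restore the exclusion inside `SecurityAlerts`, e.g. `| where not(AlertName has "TI map" and VendorName == "Microsoft" and ProductName == 'Azure Sentinel')`, unless the duplication is intended, in which case a comment saying so is needed. `SecurityAlerts` is also read twice (for `AlertDomains` and in the join) without `materialize()`, while `Domain_Indicators` is materialized; wrapping it the same way would avoid running the `extract_all` and `mv-apply` pass twice.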
@@ -27,20 +27,20 @@ query: | let ioc_lookBack = 14d; // Define the time range to look back for threat intelligence indicators (14 days) // Create a list of top-level domains (TLDs) from the threat feed for later validation let list_tlds = ThreatIntelligenceIndicator + | where isnotempty(DomainName) | where TimeGenerated > ago(ioc_lookBack) | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId | where Active == true and ExpirationDateTime > now() - | where isnotempty(DomainName) | extend parts = split(DomainName, '.') | extend tld = parts[(array_length(parts)-1)] | summarize count() by tostring(tld) | summarize make_list(tld); // Fetch the latest active domain indicators from the threat intelligence data within the specified time range let Domain_Indicators = ThreatIntelligenceIndicator + | where isnotempty(DomainName) | where TimeGenerated >= ago(ioc_lookBack) | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId | where Active == true and ExpirationDateTime > now() - | where isnotempty(DomainName) | extend TI_DomainEntity = DomainName; // Join the threat intelligence indicators with syslog data on matching domain entities Domain_Indicators @@ -83,5 +83,5 @@ entityMappings: fieldMappings: - identifier: Url columnName: Url -version: 1.4.0 +version: 1.4.1 kind: Scheduled diff --git a/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_imWebSession.yaml b/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_imWebSession.yaml index 456273bb25..c7e5f7cf0e 100644 --- a/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_imWebSession.yaml +++ b/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_imWebSession.yaml @@ -1,7 +1,7 @@ id: b1832f60-6c3d-4722-a0a5-3d564ee61a63 name: TI map Domain entity to Web Session Events (ASIM Web Session schema) description: | - 'This rule identifies Web Sessions for which the target URL hostname is a known IoC.

This rule uses the [Advanced Security Information Model (ASIM)](https:/aka.ms/AboutASIM) and supports any web session source that complies with ASIM.' + 'This rule identifies Web Sessions for which the target URL hostname is a known IoC. This rule uses the [Advanced Security Information Model (ASIM)](https:/aka.ms/AboutASIM) and supports any web session source that complies with ASIM.' severity: Medium requiredDataConnectors: - connectorId: SquidProxy @@ -13,6 +13,9 @@ requiredDataConnectors: - connectorId: ThreatIntelligence dataTypes: - ThreatIntelligenceIndicator + - connectorId: ThreatIntelligenceTaxii + dataTypes: + - ThreatIntelligenceIndicator - connectorId: MicrosoftDefenderThreatIntelligence dataTypes: - ThreatIntelligenceIndicator @@ -28,11 +31,11 @@ query: | let ioc_lookBack = 14d; //Create a list of TLDs in our threat feed for later validation let DOMAIN_TI=ThreatIntelligenceIndicator - | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now() - | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId - | where Active == true // Picking up only IOC's that contain the entities we want - | where isnotempty(DomainName); + | where isnotempty(DomainName) + | where TimeGenerated >= ago(ioc_lookBack) + | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId + | where Active == true and ExpirationDateTime > now(); let DOMAIN_TI_list= todynamic(toscalar(DOMAIN_TI | summarize NIoCs = dcount(DomainName), Domains = make_set(DomainName) | project Domains=iff(NIoCs > HAS_ANY_MAX, dynamic([]), Domains) )); DOMAIN_TI 
@@ -68,5 +71,5 @@ customDetails: alertDetailsOverride: alertDisplayNameFormat: A web request from {{SrcIpAddr}} to hostname {{domain}} matched an IoC alertDescriptionFormat: A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator. -version: 1.0.4 +version: 1.0.5 kind: Scheduled diff --git a/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_AzureActivity.yaml b/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_AzureActivity.yaml index 53f1aed8ca..ea7869cc6b 100644 --- a/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_AzureActivity.yaml +++ b/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_AzureActivity.yaml @@ -27,11 +27,11 @@ query: | let ioc_lookBack = 14d; let emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$'; ThreatIntelligenceIndicator - | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now() - | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId - | where Active == true //Filtering the table for Email related IOCs | where isnotempty(EmailSenderAddress) + | where TimeGenerated >= ago(ioc_lookBack) + | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId + | where Active == true and ExpirationDateTime > now() // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated | join kind=innerunique ( AzureActivity | where TimeGenerated >= ago(dt_lookBack) and isnotempty(Caller) @@ -62,5 +62,5 @@ entityMappings: fieldMappings: - identifier: Url columnName: Url -version: 1.2.4 +version: 1.2.5 kind: Scheduled diff --git a/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_EmailEvents.yaml b/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_EmailEvents.yaml new file mode 100644 index 0000000000..1a6df21b87 
--- /dev/null
+++ b/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_EmailEvents.yaml
@@ -0,0 +1,54 @@
+id: 11f7c6e3-f066-4b3c-9a81-b487ec0a6873
+name: TI map Email entity to EmailEvents
+description: |
+ 'Identifies a match in EmailEvents table from any Email IOC from TI'
+severity: Medium
+requiredDataConnectors:
+ - connectorId: Office365
+ dataTypes:
+ - EmailEvents
+ - connectorId: ThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: ThreatIntelligenceTaxii
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: MicrosoftDefenderThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Impact
+query: |
+ let dt_lookBack = 1h;
+ let ioc_lookBack = 14d;
+ let EmailEvents_ = materialize(EmailEvents | where isnotempty(RecipientEmailAddress) and isnotempty(SenderFromAddress) and TimeGenerated >= ago(dt_lookBack) and DeliveryAction !has "Blocked" | project-rename EmailEvents_TimeGenerated = TimeGenerated | extend SenderFromAddress = tolower(SenderFromAddress) | extend RecipientEmailAddress = tolower(RecipientEmailAddress));
+ let SenderAddresses = EmailEvents_ | distinct SenderFromAddress | summarize make_list(SenderFromAddress);
+ let RecipientAddresses = EmailEvents_ | distinct RecipientEmailAddress | summarize make_list(RecipientEmailAddress);
+ let TI = materialize(ThreatIntelligenceIndicator
+ | where TimeGenerated >= ago(ioc_lookBack)
+ | where isnotempty(EmailSenderAddress)
+ | extend TI_EmailAddress = tolower(EmailSenderAddress)
+ | where TI_EmailAddress in (SenderAddresses) or TI_EmailAddress in (RecipientAddresses)
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now());
+ (union
+ (TI | join kind=innerunique (EmailEvents_) on $left.TI_EmailAddress == $right.SenderFromAddress),
+ (TI | join kind=innerunique (EmailEvents_) on $left.TI_EmailAddress == $right.RecipientEmailAddress))
+ | where EmailEvents_TimeGenerated < ExpirationDateTime
+ | summarize EmailEvents_TimeGenerated = arg_max(EmailEvents_TimeGenerated, *) by IndicatorId, TI_EmailAddress
+ | project EmailEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, RecipientEmailAddress, SenderFromAddress, Subject, ConfidenceLevel, Url, Type, TI_EmailAddress, TrafficLightProtocolLevel, DeliveryAction, DeliveryLocation, EmailDirection
+ | extend Name = tostring(split(RecipientEmailAddress, '@', 0)[0]), UPNSuffix = tostring(split(RecipientEmailAddress, '@', 1)[0])
+ | extend timestamp = EmailEvents_TimeGenerated
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: Name
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+version: 1.0.0
+kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_OfficeActivity.yaml b/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_OfficeActivity.yaml
index 4d57ff925f..3cae8c7985 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_OfficeActivity.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_OfficeActivity.yaml
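Review bot: The `TI` materialize in this rule stops at `Active == true and ExpirationDateTime > now()` and omits the description-state filter that the sibling DomainEntity_EmailEvents, DomainEntity_EmailUrlInfo, EmailEntity_OfficeActivity, EmailEntity_SigninLogs and FileHashEntity_DeviceFileEvents rules in this change apply, so indicators whose description marks them inactive or false-positive would still raise alerts here; add `| where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;"` before the closing parenthesis. The final `summarize ... by IndicatorId, TI_EmailAddress` also groups on a value that is fixed per indicator, so unlike the domain rule (which groups by `IndicatorId, RecipientEmailAddress`) only one recipient row survives per indicator; if that is intended, a comment saying so would stop the next reader from "fixing" it.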
@@ -26,23 +26,25 @@ query: | let dt_lookBack = 1h; let ioc_lookBack = 14d; let emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$'; + let OfficeEvents = materialize( + OfficeActivity + | where isnotempty(UserId) + | where TimeGenerated >= ago(dt_lookBack) + | where UserId matches regex emailregex + | project-rename OfficeActivity_TimeGenerated = TimeGenerated); + let OfficeActivityUPNs = OfficeEvents | distinct UserId = tolower(UserId) | summarize make_list(UserId); ThreatIntelligenceIndicator - | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now() - | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId - | where Active == true - //Filtering the table for Email related IOCs | where isnotempty(EmailSenderAddress) + | where TimeGenerated >= ago(ioc_lookBack) + | where tolower(EmailSenderAddress) in (OfficeActivityUPNs) + | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId + | where Active == true and ExpirationDateTime > now() + | where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;" // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated - | join kind=innerunique ( - OfficeActivity | where TimeGenerated >= ago(dt_lookBack) and isnotempty(UserId) - | where UserId matches regex emailregex - | extend OfficeActivity_TimeGenerated = TimeGenerated - ) - on $left.EmailSenderAddress == $right.UserId + | join kind=innerunique (OfficeEvents) on $left.EmailSenderAddress == $right.UserId | where OfficeActivity_TimeGenerated < ExpirationDateTime | summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, UserId - | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, - EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, 
EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters + | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters | extend Name = tostring(split(UserId, '@', 0)[0]), UPNSuffix = tostring(split(UserId, '@', 1)[0]) | extend timestamp = OfficeActivity_TimeGenerated entityMappings: @@ -60,5 +62,5 @@ entityMappings: fieldMappings: - identifier: Url columnName: Url -version: 1.2.4 +version: 1.2.5 kind: Scheduled diff --git a/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_PaloAlto.yaml b/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_PaloAlto.yaml index 04199d7dc7..db7b384ef7 100644 --- a/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_PaloAlto.yaml +++ b/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_PaloAlto.yaml @@ -27,11 +27,11 @@ query: | let ioc_lookBack = 14d; let emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$'; ThreatIntelligenceIndicator - | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now() - | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId - | where Active == true //Filtering the table for Email related IOCs | where isnotempty(EmailSenderAddress) + | where TimeGenerated >= ago(ioc_lookBack) + | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId + | where Active == true and ExpirationDateTime > now() // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated | join kind=innerunique ( CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) and isnotempty(DestinationUserID) 
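Review bot: The pre-filter and the join disagree on case: `OfficeActivityUPNs` is built from `tolower(UserId)` and tested with `tolower(EmailSenderAddress) in (OfficeActivityUPNs)`, but the join is still `on $left.EmailSenderAddress == $right.UserId` with both columns raw, so an indicator whose sender address differs in case from the UserId passes the pre-filter and is then dropped by the case-sensitive `==`. Normalise both columns once: add `| extend UserId = tolower(UserId)` inside the `OfficeEvents` materialize (and build `OfficeActivityUPNs` from it) and `| extend EmailSenderAddress = tolower(EmailSenderAddress)` on the indicator side before the `in` filter. Note this also lowercases the `UserId` that is projected and mapped to the Account entity, which is presumably acceptable but worth a comment.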
@@ -61,5 +61,5 @@ entityMappings: fieldMappings: - identifier: Url columnName: Url -version: 1.2.4 +version: 1.2.5 kind: Scheduled diff --git a/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_SecurityAlert.yaml b/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_SecurityAlert.yaml index d859239f10..b424fe2452 100644 --- a/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_SecurityAlert.yaml +++ b/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_SecurityAlert.yaml @@ -27,11 +27,11 @@ query: | let ioc_lookBack = 14d; let emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$'; ThreatIntelligenceIndicator - | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now() - | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId - | where Active == true //Filtering the table for Email related IOCs | where isnotempty(EmailSenderAddress) + | where TimeGenerated >= ago(ioc_lookBack) + | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId + | where Active == true and ExpirationDateTime > now() // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated | join kind=innerunique ( SecurityAlert @@ -67,5 +67,5 @@ entityMappings: fieldMappings: - identifier: Url columnName: Url -version: 1.2.5 +version: 1.2.6 kind: Scheduled diff --git a/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_SecurityEvent.yaml b/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_SecurityEvent.yaml index 98872d798c..537c228c67 100644 --- a/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_SecurityEvent.yaml +++ b/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_SecurityEvent.yaml 
@@ -33,11 +33,11 @@ query: | let ioc_lookBack = 14d; let emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$'; ThreatIntelligenceIndicator - | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now() - | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId - | where Active == true //Filtering the table for Email related IOCs | where isnotempty(EmailSenderAddress) + | where TimeGenerated >= ago(ioc_lookBack) + | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId + | where Active == true and ExpirationDateTime > now() // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated | join kind=innerunique ( (union isfuzzy=true @@ -85,5 +85,5 @@ entityMappings: fieldMappings: - identifier: Url columnName: Url -version: 1.3.4 +version: 1.3.5 kind: Scheduled diff --git a/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_SigninLogs.yaml b/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_SigninLogs.yaml index f302b0ddc8..3b4542ea36 100644 --- a/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_SigninLogs.yaml +++ b/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_SigninLogs.yaml 
@@ -29,37 +29,31 @@ query: | let dt_lookBack = 1h; let ioc_lookBack = 14d; let emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$'; - let aadFunc = (tableName:string){ + let Signins = materialize(union isfuzzy=true + ( SigninLogs | where TimeGenerated >= ago(dt_lookBack)), + ( AADNonInteractiveUserSignInLogs | where TimeGenerated >= ago(dt_lookBack) + | extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)) + | where isnotempty(UserPrincipalName) and UserPrincipalName matches regex emailregex + | extend UserPrincipalName = tolower(UserPrincipalName) + | extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails) + | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails) + | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion) + | extend SigninLogs_TimeGenerated = TimeGenerated); + let SigninUPNs = Signins | distinct UserPrincipalName | summarize make_list(UserPrincipalName); ThreatIntelligenceIndicator - | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now() - | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId - | where Active == true //Filtering the table for Email related IOCs | where isnotempty(EmailSenderAddress) - // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated - | join kind=innerunique ( - table(tableName) | where TimeGenerated >= ago(dt_lookBack) and isnotempty(UserPrincipalName) - //Normalizing the column to lower case for exact match with EmailSenderAddress column - | extend UserPrincipalName = tolower(UserPrincipalName) - | where UserPrincipalName matches regex emailregex - | extend Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails) - | extend StatusCode = tostring(Status.errorCode), StatusDetails 
= tostring(Status.additionalDetails) - | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion) - // renaming timestamp column so it is clear the log this came from SigninLogs table - | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type - ) - on $left.EmailSenderAddress == $right.UserPrincipalName + | where TimeGenerated >= ago(ioc_lookBack) + | where EmailSenderAddress in (SigninUPNs) + | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId + | where Active == true and ExpirationDateTime > now() + | where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;" + | join kind=innerunique (Signins) on $left.EmailSenderAddress == $right.UserPrincipalName | where SigninLogs_TimeGenerated < ExpirationDateTime | summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, UserPrincipalName - | project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, - EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName, - StatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Type + | project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Type | extend Name = tostring(split(UserPrincipalName, '@', 0)[0]), UPNSuffix = tostring(split(UserPrincipalName, '@', 1)[0]) | extend timestamp = SigninLogs_TimeGenerated - }; - let aadSignin = aadFunc("SigninLogs"); - let aadNonInt = 
aadFunc("AADNonInteractiveUserSignInLogs"); - union isfuzzy=true aadSignin, aadNonInt entityMappings: - entityType: Account fieldMappings: @@ -75,5 +69,5 @@ entityMappings: fieldMappings: - identifier: Url columnName: Url -version: 1.2.4 +version: 1.2.5 kind: Scheduled diff --git a/Solutions/Threat Intelligence/Analytic Rules/FileHashEntity_CommonSecurityLog.yaml b/Solutions/Threat Intelligence/Analytic Rules/FileHashEntity_CommonSecurityLog.yaml index 5e93d7a428..9a5e9c581e 100644 --- a/Solutions/Threat Intelligence/Analytic Rules/FileHashEntity_CommonSecurityLog.yaml +++ b/Solutions/Threat Intelligence/Analytic Rules/FileHashEntity_CommonSecurityLog.yaml @@ -26,10 +26,10 @@ query: | let dt_lookBack = 1h; let ioc_lookBack = 14d; let fileHashIndicators = ThreatIntelligenceIndicator - | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now() + | where isnotempty(FileHashValue) + | where TimeGenerated >= ago(ioc_lookBack) | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId - | where Active == true - | where isnotempty(FileHashValue); + | where Active == true and ExpirationDateTime > now(); // Handle matches against both lower case and uppercase versions of the hash: (fileHashIndicators | extend FileHashValue = tolower(FileHashValue) | union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue))) @@ -75,5 +75,5 @@ entityMappings: columnName: FileHashValue - identifier: Algorithm columnName: FileHashType -version: 1.3.3 +version: 1.3.4 kind: Scheduled diff --git a/Solutions/Threat Intelligence/Analytic Rules/FileHashEntity_DeviceFileEvents.yaml b/Solutions/Threat Intelligence/Analytic Rules/FileHashEntity_DeviceFileEvents.yaml new file mode 100644 index 0000000000..a3d3750991 --- /dev/null +++ b/Solutions/Threat Intelligence/Analytic Rules/FileHashEntity_DeviceFileEvents.yaml 
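Review bot: `EmailSenderAddress in (SigninUPNs)` is a case-sensitive `in` against a list of lowercased UPNs, and the join `on $left.EmailSenderAddress == $right.UserPrincipalName` is case-sensitive too, so an indicator stored with any upper-case letters never matches even though the old query's comment said the UPN was lowercased precisely for that exact match; add `| extend EmailSenderAddress = tolower(EmailSenderAddress)` on the indicator side before the `in` filter. The `| extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)` after the union repeats the conversion already applied on the AADNonInteractiveUserSignInLogs leg and is presumably a no-op for the SigninLogs leg, so one of the two can go, with a comment on the remaining one saying which source needs it. The `Signins` block starts inside the hunk but the rule's entityMappings continue past it.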
@@ -0,0 +1,64 @@
+id: bc0eca2e-db50-44e6-8fa3-b85f91ff5ee7
+name: TI map File Hash to DeviceFileEvents Event
+description: |
+ 'Identifies a match in DeviceFileEvents Event data from any FileHash IOC from TI'
+severity: Medium
+requiredDataConnectors:
+ - connectorId: MicrosoftThreatProtection
+ dataTypes:
+ - DeviceFileEvents
+ - connectorId: ThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: ThreatIntelligenceTaxii
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: MicrosoftDefenderThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Impact
+query: |
+ let dt_lookBack = 1h;
+ let ioc_lookBack = 14d;
+ let DeviceFileEvents_ = (union
+ (DeviceFileEvents | where TimeGenerated > ago(dt_lookBack) | where isnotempty(SHA1) | extend FileHashValue = SHA1),
+ (DeviceFileEvents | where TimeGenerated > ago(dt_lookBack) | where isnotempty(SHA256) | extend FileHashValue = SHA256));
+ let Hashes = DeviceFileEvents_ | distinct FileHashValue;
+ ThreatIntelligenceIndicator
+ | where isnotempty(FileHashValue)
+ | where TimeGenerated > ago(ioc_lookBack)
+ | where FileHashValue in (Hashes)
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now()
+ | where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;"
+ | join kind=innerunique (DeviceFileEvents_) on $left.FileHashValue == $right.FileHashValue
+ | where TimeGenerated < ExpirationDateTime
+ | summarize TimeGenerated = arg_max(TimeGenerated, *) by IndicatorId, DeviceId
+ | project TimeGenerated, TrafficLightProtocolLevel, Description, ActivityGroupNames, IndicatorId, ThreatType, FileHashValue, FileHashType, ExpirationDateTime, ConfidenceScore, ActionType, DeviceId, DeviceName, FolderPath, RequestAccountDomain, RequestAccountName, RequestAccountSid, MachineGroup
+ | extend timestamp = TimeGenerated
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: RequestAccountName
+ - identifier: Sid
+ columnName: RequestAccountSid
+ - identifier: NTDomain
+ columnName: RequestAccountDomain
+ - entityType: FileHash
+ fieldMappings:
+ - identifier: Value
+ columnName: FileHashValue
+ - identifier: Algorithm
+ columnName: FileHashType
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: DeviceName
+version: 1.0.0
+kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Threat Intelligence/Analytic Rules/FileHashEntity_SecurityEvent.yaml b/Solutions/Threat Intelligence/Analytic Rules/FileHashEntity_SecurityEvent.yaml
index 0f4686c379..6a1bf2b2c2 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/FileHashEntity_SecurityEvent.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/FileHashEntity_SecurityEvent.yaml
@@ -32,11 +32,11 @@ query: |
 let dt_lookBack = 1h;
 let ioc_lookBack = 14d;
 ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true
 | where isnotempty(FileHashValue)
+ | where TimeGenerated >= ago(ioc_lookBack)
 | extend FileHashValue = toupper(FileHashValue)
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now()
 // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
 | join kind=innerunique (
 union isfuzzy=true (SecurityEvent | where TimeGenerated >= ago(dt_lookBack)
@@ -81,5 +81,5 @@ entityMappings:
 columnName: FileHashValue
 - identifier: Algorithm
 columnName: FileHashType
-version: 1.4.3
+version: 1.4.4
 kind: Scheduled
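Review bot: In the new FileHashEntity_DeviceFileEvents query, `| where TimeGenerated < ExpirationDateTime` and `| summarize TimeGenerated = arg_max(TimeGenerated, *) by IndicatorId, DeviceId` after the join evaluate the indicator's TimeGenerated, not the device event's: on a column-name collision the join keeps the left column and renames the right one to TimeGenerated1, so the expiry check never looks at the event time and the alert `timestamp` becomes the TI ingestion time, which can be up to 14 days old. Rename the event timestamp inside DeviceFileEvents_ and use that name downstream, the way the OfficeActivity rewrite in this commit does with `project-rename OfficeActivity_TimeGenerated = TimeGenerated`.
```yaml
      let DeviceFileEvents_ = (union
          (DeviceFileEvents | where TimeGenerated > ago(dt_lookBack) | where isnotempty(SHA1) | extend FileHashValue = SHA1),
          (DeviceFileEvents | where TimeGenerated > ago(dt_lookBack) | where isnotempty(SHA256) | extend FileHashValue = SHA256))
          | project-rename DeviceFileEvents_TimeGenerated = TimeGenerated;
      // … unchanged: Hashes, indicator filters, join …
      | where DeviceFileEvents_TimeGenerated < ExpirationDateTime
      | summarize DeviceFileEvents_TimeGenerated = arg_max(DeviceFileEvents_TimeGenerated, *) by IndicatorId, DeviceId
      | project DeviceFileEvents_TimeGenerated, TrafficLightProtocolLevel, Description, ActivityGroupNames, IndicatorId, ThreatType, FileHashValue, FileHashType, ExpirationDateTime, ConfidenceScore, ActionType, DeviceId, DeviceName, FolderPath, RequestAccountDomain, RequestAccountName, RequestAccountSid, MachineGroup
      | extend timestamp = DeviceFileEvents_TimeGenerated
```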
diff --git a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AWSCloudTrail.yaml b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AWSCloudTrail.yaml
index d660af1aac..4852279f41 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AWSCloudTrail.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AWSCloudTrail.yaml
@@ -27,17 +27,17 @@ query: |
 let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
 // Fetch threat intelligence indicators related to IP addresses
 let IP_Indicators = ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack)
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true and ExpirationDateTime > now()
 // Filter out indicators without relevant IP address fields
 | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
+ | where TimeGenerated >= ago(ioc_lookBack)
 // Select the IP entity based on availability of different IP fields
 | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
 | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
 | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
 // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes
- | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127.";
+ | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now();
 // Perform a join between IP indicators and AWSCloudTrail logs to identify potential malicious activity
 IP_Indicators
 // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation
@@ -70,5 +70,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: Url
-version: 1.4.0
+version: 1.4.1
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AppServiceHTTPLogs.yaml b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AppServiceHTTPLogs.yaml
index 254f81bf3a..8e2d9de037 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AppServiceHTTPLogs.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AppServiceHTTPLogs.yaml
@@ -24,23 +24,23 @@ query: |
 let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
 // Fetch threat intelligence indicators related to IP addresses
 let IP_Indicators = ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack)
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true and ExpirationDateTime > now()
 // Filter out indicators without relevant IP address fields
 | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
+ | where TimeGenerated >= ago(ioc_lookBack)
+ // Filtering out rows where the Confidence Score is less than 50 as they would not have an Alert Priority label.
+ | where ConfidenceScore > 50
 // Select the IP entity based on availability of different IP fields
 | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
 | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
 | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
- // Filtering out rows where the Confidence Score is less than 50 as they would not have an Alert Priority label.
- | where ConfidenceScore > 50
 // Determine AlertPriority based on ConfidenceScore
 | extend AlertPriority = case(ConfidenceScore > 82, "High", ConfidenceScore > 74, "Medium", "Low")
 // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes
- | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127.";
+ | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now();
 // Perform a join between IP indicators and AppServiceHTTPLogs to identify potential malicious activity
 IP_Indicators
 // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation
@@ -86,6 +86,6 @@ entityMappings:
 columnName: _ResourceId
 alertDetailsOverride:
 alertSeverityColumnName: AlertPriority
-version: 1.5.0
+version: 1.5.1
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureActivity.yaml b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureActivity.yaml
index 19dc9d3bab..14477b09a4 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureActivity.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureActivity.yaml
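Review bot: `| where ConfidenceScore > 50` now runs before `| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId`, so when a feed re-publishes an indicator with a confidence at or below 50 the newest row is discarded before deduplication and an older, higher-confidence row of the same IndicatorId wins; the previous placement, after the dedup as the Active/ExpirationDateTime check still is, judged the indicator's current version. Move the comment and filter back below the dedup and terminate there instead: `| where Active == true and ExpirationDateTime > now()` followed by `| where ConfidenceScore > 50;`. The other predicates moved ahead of the summarize in this commit (`isnotempty(...)` on the IP fields, the private-address exclusion) act on values that do not change between versions of an indicator, so they are not affected. The IP_Indicators query continues past the end of this hunk.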
@@ -27,17 +27,17 @@ query: |
 let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
 // Fetch threat intelligence indicators related to IP addresses
 let IP_Indicators = ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack)
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true and ExpirationDateTime > now()
 // Filter out indicators without relevant IP address fields
 | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
+ | where TimeGenerated >= ago(ioc_lookBack)
 // Select the IP entity based on availability of different IP fields
 | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
 | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
 | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
 // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes
- | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127.";
+ | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now();
 // Perform a join between IP indicators and AzureActivity logs to identify potential malicious activity
 IP_Indicators
 // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
@@ -76,5 +76,5 @@ entityMappings:
 fieldMappings:
 - identifier: ResourceId
 columnName: ResourceId
-version: 1.4.0
+version: 1.4.1
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureFirewall.yaml b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureFirewall.yaml
index 84f0a3c58c..ec2958a18f 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureFirewall.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureFirewall.yaml
@@ -27,17 +27,17 @@ query: |
 let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
 // Fetch threat intelligence indicators related to IP addresses
 let IP_Indicators = ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack)
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true and ExpirationDateTime > now()
 // Filter out indicators without relevant IP address fields
 | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
+ | where TimeGenerated >= ago(ioc_lookBack)
 // Select the IP entity based on availability of different IP fields
 | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
 | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
 | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
 // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes
- | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127.";
+ | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now();
 // Perform a join between IP indicators and AzureDiagnostics logs to identify potential malicious activity
 IP_Indicators
 // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation
@@ -72,5 +72,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: Url
-version: 1.3.0
+version: 1.3.1
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureKeyVault.yaml b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureKeyVault.yaml
index d66fa97a01..622926efb4 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureKeyVault.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureKeyVault.yaml
@@ -27,14 +27,14 @@ query: |
 let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
 // Fetch threat intelligence indicators related to IP addresses
 let IP_Indicators = ThreatIntelligenceIndicator
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true
 | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
- | where LatestIndicatorTime >= ago(ioc_lookBack) and ExpirationDateTime > now()
+ | where TimeGenerated >= ago(ioc_lookBack)
 | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
 | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
 | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
- | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127.";
+ | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now();
 // Perform a join between IP indicators and AzureDiagnostics logs for Key Vault events
 IP_Indicators
 // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation
@@ -64,5 +64,5 @@ entityMappings:
 fieldMappings:
 - identifier: ResourceId
 columnName: ResourceId
-version: 1.3.2
+version: 1.3.3
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureNetworkAnalytics.yaml b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureNetworkAnalytics.yaml
index a40c6d3023..ff4b1c4396 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureNetworkAnalytics.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureNetworkAnalytics.yaml
@@ -24,14 +24,14 @@ query: |
 let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
 // Fetch threat intelligence indicators related to IP addresses
 let IP_Indicators = ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack)
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true and ExpirationDateTime > now()
 | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
+ | where TimeGenerated >= ago(ioc_lookBack)
 | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
 | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
 | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
- | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127.";
+ | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now();
 // Perform a join between IP indicators and AzureNetworkAnalytics_CL logs for NSG Flow information
 IP_Indicators
 // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation
@@ -71,5 +71,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: Url
-version: 1.4.0
+version: 1.4.1
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureSQL.yaml b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureSQL.yaml
index 02904d27bf..4b9e7abf0d 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureSQL.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureSQL.yaml
@@ -27,14 +27,14 @@ query: |
 let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
 // Fetch threat intelligence indicators related to IP addresses
 let IP_Indicators = ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack)
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true and ExpirationDateTime > now()
 | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
+ | where TimeGenerated >= ago(ioc_lookBack)
 | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
 | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
 | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
- | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127.";
+ | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now();
 // Perform a join between IP indicators and AzureDiagnostics logs for SQL Security Audit events
 IP_Indicators
 // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation
@@ -64,5 +64,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: ClientIP
-version: 1.3.0
+version: 1.3.1
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_CustomSecurityLog.yaml b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_CustomSecurityLog.yaml
index 036f8ebcf1..8e70f03286 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_CustomSecurityLog.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_CustomSecurityLog.yaml
@@ -28,14 +28,14 @@ query: |
 let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
 // Fetch threat intelligence indicators related to IP addresses
 let IP_Indicators = ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack)
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true and ExpirationDateTime > now()
 | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
+ | where TimeGenerated >= ago(ioc_lookBack)
 | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
 | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
 | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
- | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127.";
+ | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now();
 // Perform a join between IP indicators and CommonSecurityLog events
 IP_Indicators
 // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation
@@ -59,5 +59,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: CS_ipEntity
-version: 1.2.0
+version: 1.2.1
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_DeviceNetworkEvents.yaml b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_DeviceNetworkEvents.yaml
new file mode 100644
index 0000000000..f98efcb90b
--- /dev/null
+++ b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_DeviceNetworkEvents.yaml
@@ -0,0 +1,67 @@
+id: b2df4979-d34a-48b3-a7d9-f473a4bf8058
+name: TI Map IP Entity to DeviceNetworkEvents
+description: |
+ 'Identifies a match in DeviceNetworkEvents Event data from any IP Indicator from TI.'
+severity: Medium
+requiredDataConnectors:
+ - connectorId: MicrosoftThreatProtection
+ dataTypes:
+ - DeviceNetworkEvents
+ - connectorId: ThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: ThreatIntelligenceTaxii
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: MicrosoftDefenderThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Impact
+query: |
+ let dt_lookBack = 1h;
+ let ioc_lookBack = 14d;
+ let DeviceNetworkEvents_ = DeviceNetworkEvents
+ | where isnotempty(RemoteIP)
+ | where TimeGenerated > ago(dt_lookBack)
+ | where ActionType !has "ConnectionFailed"
+ | extend isPrivate = ipv4_is_private(RemoteIP)
+ | where isPrivate != true;
+ let IPs = DeviceNetworkEvents_ | distinct RemoteIP | summarize make_list(RemoteIP);
+ ThreatIntelligenceIndicator
+ | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
+ | where TimeGenerated >= ago(ioc_lookBack)
+ | extend TI_ipEntity = coalesce(NetworkIP, EmailSourceIpAddress, NetworkDestinationIP, NetworkSourceIP)
+ | where TI_ipEntity in (IPs)
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now()
+ | where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;"
+ | join kind=innerunique (DeviceNetworkEvents_) on $left.TI_ipEntity == $right.RemoteIP
+ | summarize TimeGenerated = arg_max(TimeGenerated, *) by IndicatorId, TI_ipEntity, DeviceName
+ // DeviceName, TI_ipEntity, RemoteUrl, InitiatingProcessAccountUpn
+ | extend timestamp = TimeGenerated, Name = tostring(split(InitiatingProcessAccountUpn, '@', 0)[0]), UPNSuffix = tostring(split(InitiatingProcessAccountUpn, '@', 1)[0])
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: Name
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: TI_ipEntity
+ - entityType: URL
+ fieldMappings:
+ - identifier: Url
+ columnName: RemoteUrl
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: DeviceName
+version: 1.0.0
+kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_DnsEvents.yaml b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_DnsEvents.yaml
index cf06146455..1a1f08aaac 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_DnsEvents.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_DnsEvents.yaml
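Review bot: In the new IPEntity_DeviceNetworkEvents query, `| summarize TimeGenerated = arg_max(TimeGenerated, *) by IndicatorId, TI_ipEntity, DeviceName` and `timestamp = TimeGenerated` after the join read the indicator's TimeGenerated (the DeviceNetworkEvents column of the same name is renamed TimeGenerated1 on collision), so the alert is stamped with TI ingestion time rather than the connection time, and unlike the sibling rules there is no check that the connection happened before ExpirationDateTime. Renaming the event timestamp inside DeviceNetworkEvents_ and filtering and summarizing on that name fixes both. Separately, `| where isPrivate != true` depends on ipv4_is_private returning a boolean; for non-IPv4 RemoteIP values it returns null as far as I can tell, which makes the predicate null and silently drops those rows, so confirm that excluding IPv6 connections is intended.
```yaml
      | extend isPrivate = ipv4_is_private(RemoteIP)
      | where isPrivate != true
      | project-rename DeviceNetworkEvents_TimeGenerated = TimeGenerated;
      // … unchanged: IPs list, indicator filters, join …
      | where DeviceNetworkEvents_TimeGenerated < ExpirationDateTime
      | summarize DeviceNetworkEvents_TimeGenerated = arg_max(DeviceNetworkEvents_TimeGenerated, *) by IndicatorId, TI_ipEntity, DeviceName
      // DeviceName, TI_ipEntity, RemoteUrl, InitiatingProcessAccountUpn
      | extend timestamp = DeviceNetworkEvents_TimeGenerated, Name = tostring(split(InitiatingProcessAccountUpn, '@', 0)[0]), UPNSuffix = tostring(split(InitiatingProcessAccountUpn, '@', 1)[0])
```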
@@ -27,14 +27,14 @@ query: |
 let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
 // Fetch threat intelligence indicators related to IP addresses
 let IP_Indicators = ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack)
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true and ExpirationDateTime > now()
 | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
+ | where TimeGenerated >= ago(ioc_lookBack)
 | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
 | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
 | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
- | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127.";
+ | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now();
 // Perform a join between IP indicators and DNS events
 IP_Indicators
 // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation
@@ -69,5 +69,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: Url
-version: 1.4.0
+version: 1.4.1
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_DuoSecurity.yaml b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_DuoSecurity.yaml
index 5b6c869607..85e929aa04 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_DuoSecurity.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_DuoSecurity.yaml
@@ -26,16 +26,16 @@ query: |
 let dt_lookBack = 1h;
 let ioc_lookBack = 14d;
 ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true
 // Picking up only IOC's that contain the entities we want
 | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
+ | where TimeGenerated >= ago(ioc_lookBack)
 // As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.
 // Taking the first non-empty value based on potential IOC match availability
 | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
 | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
 | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now()
 | join (
 DuoSecurityAuthentication_CL
 | where TimeGenerated >= ago(dt_lookBack)
@@ -44,7 +44,9 @@ query: |
 | extend Duo_TimeGenerated = isotimestamp_t
 )
 on $left.TI_ipEntity == $right.access_device_ip_s
+ | where TimeGenerated >= ago(ioc_lookBack)
 | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now()
 | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated, TI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s
 | extend timestamp = Duo_TimeGenerated, Name = tostring(split(user_name_s, '@', 0)[0]), UPNSuffix = tostring(split(user_name_s, '@', 1)[0])
@@ -59,5 +61,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: access_device_ip_s
-version: 1.0.3
+version: 1.0.4
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_OfficeActivity.yaml b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_OfficeActivity.yaml
index 5a20c7ea64..2acecd3255 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_OfficeActivity.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_OfficeActivity.yaml
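Review bot: The two lines added after `on $left.TI_ipEntity == $right.access_device_ip_s` repeat the look-back, Active and ExpirationDateTime filters that the previous hunk already applies to ThreatIntelligenceIndicator before the join; post-join they still evaluate the indicator's columns (the Duo table's own TimeGenerated is renamed TimeGenerated1 on collision, as far as I can tell), so they filter nothing and only add cost. What this stage lacks is the event-side expiry check the other rules in this solution apply, e.g. `| where Duo_TimeGenerated < ExpirationDateTime`; I would put that in place of the two added lines. The pre-existing `| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId` after the join also keeps only one Duo authentication per indicator, which the commit leaves unchanged.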
@@ -25,36 +25,33 @@ tactics:
 query: |
 let dt_lookBack = 1h; // Look back 1 hour for OfficeActivity events
 let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
+ let OfficeActivity_ = materialize(OfficeActivity
+ | where isnotempty(ClientIP)
+ | where TimeGenerated >= ago(dt_lookBack)
+ | extend ClientIPValues = extract_all(@'\[?(::ffff:)?(?P(\d+\.\d+\.\d+\.\d+)|[^\]%]+)(%\d+)?\]?([-:](?P\d+))?', dynamic(["IPAddress", "Port"]), ClientIP)[0]
+ | extend IPAddress = iff(array_length(ClientIPValues) > 0, tostring(ClientIPValues[0]), '')
+ | project-rename OfficeActivity_TimeGenerated = TimeGenerated);
+ let ActivityIPs = OfficeActivity_ | summarize IPs = make_list(IPAddress);
 // Fetch threat intelligence indicators related to IP addresses
- let IP_Indicators = ThreatIntelligenceIndicator
+ let IP_Indicators = materialize(ThreatIntelligenceIndicator
+ | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
 | where TimeGenerated >= ago(ioc_lookBack)
+ | extend TI_ipEntity = coalesce(NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress)
+ | where TI_ipEntity in (ActivityIPs)
 | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true and ExpirationDateTime > now()
- | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
- | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
- | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
- | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
- | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127.";
- // Perform a join between IP indicators and OfficeActivity events
+ | where Active == true and ExpirationDateTime > now()
+ | where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;");
 IP_Indicators
- // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation
- | join kind=innerunique (
- OfficeActivity
- | where TimeGenerated >= ago(dt_lookBack)
- | where isnotempty(ClientIP)
- | extend ClientIPValues = extract_all(@'\[?(::ffff:)?(?P(\d+\.\d+\.\d+\.\d+)|[^\]%]+)(%\d+)?\]?([-:](?P\d+))?', dynamic(["IPAddress", "Port"]), ClientIP)[0]
- | extend IPAddress = iff(array_length(ClientIPValues) > 0, tostring(ClientIPValues[0]), '')
- | extend OfficeActivity_TimeGenerated = TimeGenerated
- )
+ // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation
+ | join kind=innerunique (OfficeActivity_)
 on $left.TI_ipEntity == $right.IPAddress
- // Filter out OfficeActivity events that occurred after the expiration of the corresponding indicator
- | where OfficeActivity_TimeGenerated < ExpirationDateTime
- // Group the results by IndicatorId and keep the OfficeActivity event with the latest timestamp
- | summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId
- // Select the desired output fields
- | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,
- TI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type
- | extend timestamp = OfficeActivity_TimeGenerated, Name = tostring(split(UserId, '@', 0)[0]), UPNSuffix = tostring(split(UserId, '@', 1)[0])
+ // Filter out OfficeActivity events that occurred after the expiration of the corresponding indicator
+ | where OfficeActivity_TimeGenerated < ExpirationDateTime
+ // Group the results by IndicatorId and keep the OfficeActivity event with the latest timestamp
+ | summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId
+ // Select the desired output fields
+ | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type
+ | extend timestamp = OfficeActivity_TimeGenerated, Name = tostring(split(UserId, '@', 0)[0]), UPNSuffix = tostring(split(UserId, '@', 1)[0])
 entityMappings:
 - entityType: Account
 fieldMappings:
@@ -70,5 +67,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: Url
-version: 1.4.0
+version: 1.4.1
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_SigninLogs.yaml b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_SigninLogs.yaml
index b50795e12c..ebb0f1256d 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_SigninLogs.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_SigninLogs.yaml
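Review bot: `| extend TI_ipEntity = coalesce(NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress)` leaves out NetworkIP, although the preceding `isnotempty(NetworkIP) or ...` filter admits indicators that carry only that field and the SigninLogs and DeviceNetworkEvents rules in this same commit coalesce NetworkIP first; such indicators end up with an empty TI_ipEntity and can never match a client IP. Use `| extend TI_ipEntity = coalesce(NetworkIP, EmailSourceIpAddress, NetworkDestinationIP, NetworkSourceIP)` for consistency. The removed private/loopback/link-local exclusion is not re-applied anywhere in the rewritten block, so feed entries for RFC 1918, 127.x, fe80 or :: addresses would now match internal client addresses extracted from ClientIP; restore `| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."` directly after the coalesce, before `| where TI_ipEntity in (ActivityIPs)`.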
@@ -28,37 +28,30 @@ tactics: query: | let dt_lookBack = 1h; let ioc_lookBack = 14d; - let aadFunc = (tableName:string){ - ThreatIntelligenceIndicator - | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now() - | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId - | where Active == true - // Picking up only IOC's that contain the entities we want - | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP) - // As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty. - // Taking the first non-empty value based on potential IOC match availability - | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP) - | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity) - | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity) + let Signins = materialize(union isfuzzy=true + (SigninLogs + | where TimeGenerated >= ago(dt_lookBack)), + (AADNonInteractiveUserSignInLogs + | where TimeGenerated >= ago(dt_lookBack) + | extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails))); + let SigninIPs = Signins | summarize make_list(IPAddress); + let TI = materialize(ThreatIntelligenceIndicator + | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP) + | where TimeGenerated >= ago(ioc_lookBack) + | extend TI_ipEntity = coalesce(NetworkIP, EmailSourceIpAddress, NetworkDestinationIP, NetworkSourceIP) + | where TI_ipEntity in (SigninIPs) + | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId + | where Active == true and ExpirationDateTime > now() + | where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;"); + 
TI // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated - | join kind=innerunique ( - table(tableName) | where TimeGenerated >= ago(dt_lookBack) - | extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails) - | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails), StatusReason = tostring(Status.failureReason) - | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion) - // renaming time column so it is clear the log this came from - | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type - ) - on $left.TI_ipEntity == $right.IPAddress + | join kind=innerunique (Signins) on $left.TI_ipEntity == $right.IPAddress + | project-rename SigninLogs_TimeGenerated = TimeGenerated | where SigninLogs_TimeGenerated < ExpirationDateTime + | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails), StatusReason = tostring(Status.failureReason) | summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, IPAddress - | project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, - TI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type + | project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type | extend timestamp = SigninLogs_TimeGenerated, Name = tostring(split(UserPrincipalName, '@', 0)[0]), UPNSuffix = 
tostring(split(UserPrincipalName, '@', 1)[0]) - }; - let aadSignin = aadFunc("SigninLogs"); - let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs"); - union isfuzzy=true aadSignin, aadNonInt entityMappings: - entityType: Account fieldMappings: @@ -74,5 +67,5 @@ entityMappings: fieldMappings: - identifier: Url columnName: Url -version: 1.2.5 +version: 1.2.6 kind: Scheduled diff --git a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_VMConnection.yaml b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_VMConnection.yaml index 2abc531a14..341c7d6312 100644 --- a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_VMConnection.yaml +++ b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_VMConnection.yaml 
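Review bot: `let SigninIPs = Signins | summarize make_list(IPAddress);` folds every sign-in row of the last hour into one dynamic array without de-duplicating first, and make_list silently truncates once it reaches its default cap (1,048,576 items), so in a high-volume tenant the new prefilter `| where TI_ipEntity in (SigninIPs)` can drop indicators that would otherwise match and the rule misses them without any error. Building the list from distinct values, as the AuditLogs and DeviceNetworkEvents rules in this commit do, keeps it bounded by the number of unique addresses: `let SigninIPs = Signins | distinct IPAddress | summarize make_list(IPAddress);`. The removed `State`/`City`/`Region` extractions from LocationDetails were not in the projected output, so nothing visible is lost there, but a short comment on the `| extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)` line saying the conversion only exists to align the non-interactive table with SigninLogs for the union would help the next reader.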
@@ -27,14 +27,14 @@ query: | let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators // Fetch threat intelligence indicators related to IP addresses let IP_Indicators = ThreatIntelligenceIndicator - | where TimeGenerated >= ago(ioc_lookBack) - | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId - | where Active == true and ExpirationDateTime > now() | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP) + | where TimeGenerated >= ago(ioc_lookBack) | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP) | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity) | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity) - | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."; + | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127." + | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId + | where Active == true and ExpirationDateTime > now(); // Perform a join between IP indicators and VMConnection events IP_Indicators // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation @@ -67,5 +67,5 @@ entityMappings: fieldMappings: - identifier: Url columnName: Url -version: 1.4.0 +version: 1.4.1 kind: Scheduled diff --git a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_W3CIISLog.yaml b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_W3CIISLog.yaml index 047bbd16ac..b4ca8f6bc1 100644 --- a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_W3CIISLog.yaml 
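Review bot: Moving `| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId` below the entity and private-address filters changes which record wins the per-indicator dedup: if the newest record for an IndicatorId fails one of those filters (its IP fields cleared, or the address now private), an older, superseded record of the same indicator survives as the "latest" and is then the one tested for `Active == true and ExpirationDateTime > now()`, whereas before the newest record was selected first and the whole indicator dropped. The same reordering appears in the W3CIISLog, imNetworkSession, imWebSession, GitHub Audit Logs, AuditLogs and PaloAlto hunks of this commit. If the reorder is deliberate for performance, a comment on the summarize line such as `// NOTE: dedup runs after the IP filters; a superseded record can be selected if an indicator's newest version no longer carries a usable IP` records the trade-off; otherwise keep the dedup ahead of the filters and move only the cheap `isnotempty` predicate in front of it.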
+++ b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_W3CIISLog.yaml @@ -27,14 +27,14 @@ query: | let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators // Fetch threat intelligence indicators related to IP addresses let IP_Indicators = ThreatIntelligenceIndicator - | where TimeGenerated >= ago(ioc_lookBack) - | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId - | where Active == true and ExpirationDateTime > now() | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP) + | where TimeGenerated >= ago(ioc_lookBack) | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP) | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity) | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity) - | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."; + | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127." + | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId + | where Active == true and ExpirationDateTime > now(); // Perform a join between IP indicators and W3CIISLog events IP_Indicators // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation @@ -71,5 +71,5 @@ entityMappings: fieldMappings: - identifier: Url columnName: Url -version: 1.4.0 +version: 1.4.1 kind: Scheduled diff --git a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_imNetworkSession.yaml b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_imNetworkSession.yaml index 4868d5e72b..07c3f7492d 100644 
--- a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_imNetworkSession.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_imNetworkSession.yaml
@@ -1,8 +1,7 @@
 id: e2399891-383c-4caf-ae67-68a008b9f89e
 name: TI map IP entity to Network Session Events (ASIM Network Session schema)
 description: |
- 'This rule identifies a match Network Sessions for which the source or destination IP address is a known IoC.

- This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' + 'This rule identifies a match Network Sessions for which the source or destination IP address is a known IoC. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' severity: Medium status: Available requiredDataConnectors: @@ -58,6 +57,9 @@ requiredDataConnectors: dataTypes: - Syslog - CiscoMerakiNativePoller + - connectorId: ThreatIntelligenceTaxii + dataTypes: + - ThreatIntelligenceIndicator queryFrequency: 1h queryPeriod: 14d @@ -70,11 +72,11 @@ query: | let ioc_lookBack = 14d; let IP_TI = materialize ( ThreatIntelligenceIndicator - | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now() - | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId - | where Active == true + | where TimeGenerated >= ago(ioc_lookBack) | extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,"NO_IP") | where TI_ipEntity != "NO_IP" + | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId + | where Active == true and ExpirationDateTime > now() ); IP_TI // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated @@ -119,5 +121,5 @@ tags: - Schema: ASIMNetworkSession SchemaVersion: 0.2.4 -version: 1.2.4 +version: 1.2.5 kind: Scheduled diff --git a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_imWebSession.yaml b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_imWebSession.yaml index 0be5ccd716..0fd952f9e7 100644 --- a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_imWebSession.yaml +++ b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_imWebSession.yaml 
@@ -1,7 +1,7 @@ id: e2559891-383c-4caf-ae67-55a008b9f89e name: TI map IP entity to Web Session Events (ASIM Web Session schema) description: | - This rule identifies Web Sessions for which the source IP address is a known IoC.

This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM. + This rule identifies Web Sessions for which the source IP address is a known IoC. This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM. severity: Medium requiredDataConnectors: - connectorId: SquidProxy @@ -31,15 +31,15 @@ query: | let ioc_lookBack = 14d; let IP_TI = ThreatIntelligenceIndicator | where TimeGenerated >= ago(ioc_lookBack) - | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId - | where Active == true and ExpirationDateTime > now() // As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty. // Taking the first non-empty value based on potential IOC match availability | extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, "NO_IP") // Picking up only IOC's that contain the entities we want | where TI_ipEntity != "NO_IP" // Exclude local addresses, using the ipv4_is_private operator - | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."; + | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127." + | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId + | where Active == true and ExpirationDateTime > now(); let IP_TI_list = toscalar(IP_TI | summarize NIoCs = dcount(TI_ipEntity), IoCs = make_set(TI_ipEntity) | project IoCs = iff(NIoCs > HAS_ANY_MAX, dynamic([]), IoCs)); 
@@ -72,5 +72,5 @@ customDetails:
 alertDetailsOverride:
 alertDisplayNameFormat: The IP {{SrcIpAddr}} of the web request matches an IP IoC
 alertDescriptionFormat: The source address {{SrcIpAddr}} of the web request for the URL {{Url}} matches a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence feed for more information about the indicator.
-version: 1.2.3
+version: 1.2.4
 kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/Threat Intel Matches to GitHub Audit Logs.yaml b/Solutions/Threat Intelligence/Analytic Rules/Threat Intel Matches to GitHub Audit Logs.yaml
index 576680f6f1..4347c76d4d 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/Threat Intel Matches to GitHub Audit Logs.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/Threat Intel Matches to GitHub Audit Logs.yaml
@@ -14,26 +14,31 @@ requiredDataConnectors: dataTypes: - ThreatIntelligenceIndicator queryFrequency: 1h -queryPeriod: 1d +queryPeriod: 14d triggerOperator: gt triggerThreshold: 0 tactics: - Impact query: | + let dt_lookBack = 1h; // Look back 1 hour for VMConnection events + let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators ThreatIntelligenceIndicator - | where Action == true // Picking up only IOC's that contain the entities we want | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP) + | where Action == true + | where TimeGenerated >= ago(ioc_lookBack) // Taking the first non-empty value based on potential IOC match availability | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP) | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity) | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity) + | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId + | where Active == true and ExpirationDateTime > now() | join ( GitHubAudit + | where TimeGenerated >= ago(dt_lookBack) | extend GitHubAudit_TimeGenerated = TimeGenerated ) on $left.TI_ipEntity == $right.IPaddress - | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress | extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor entityMappings: 
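Review bot: The comment on the new `let dt_lookBack = 1h; // Look back 1 hour for VMConnection events` line was carried over from the VMConnection rule; this query reads GitHubAudit, so it should read `let dt_lookBack = 1h; // Look back 1 hour for GitHubAudit events`. The relocated `| where Action == true` predicate still compares the indicator table's Action column with a boolean; if that column is a string in ThreatIntelligenceIndicator, as its name suggests, the predicate is unlikely to do what was intended and is worth re-checking while the rule is being revised. The join also has no explicit kind while every other rule in this commit spells out `| join kind=innerunique (`; matching that makes the intended one-match-per-indicator behaviour visible.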
@@ -45,5 +50,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: IPCustomEntity
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Threat Intelligence/Analytic Rules/URLEntity_AuditLogs.yaml b/Solutions/Threat Intelligence/Analytic Rules/URLEntity_AuditLogs.yaml
index 3e1511c765..403a566c0f 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/URLEntity_AuditLogs.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/URLEntity_AuditLogs.yaml
@@ -25,23 +25,24 @@ tactics: query: | let dt_lookBack = 1h; let ioc_lookBack = 14d; - ThreatIntelligenceIndicator - | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now() - | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId - | where Active == true - // Picking up only IOC's that contain the entities we want - | where isnotempty(Url) - // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated - | join kind=innerunique ( - AuditLogs + let AuditEvents = materialize(AuditLogs | where TimeGenerated >= ago(dt_lookBack) // Extract the URL that is contained within the JSON data | extend Url = extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);", 1,tostring(TargetResources)) | where isnotempty(Url) | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName) - | extend Audit_TimeGenerated = TimeGenerated - ) on Url + | extend Audit_TimeGenerated = TimeGenerated); + let AuditUrls = AuditEvents | distinct Url = tolower(Url) | summarize make_list(Url); + ThreatIntelligenceIndicator + | where isnotempty(Url) + | where TimeGenerated >= ago(ioc_lookBack) + | where tolower(Url) in (AuditUrls) + | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId + | where Active == true and ExpirationDateTime > now() + | where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;" + // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated + | join kind=innerunique (AuditEvents) on Url | where Audit_TimeGenerated < ExpirationDateTime | summarize Audit_TimeGenerated = arg_max(Audit_TimeGenerated, *) by IndicatorId, Url | project Audit_TimeGenerated, 
Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,
@@ -60,5 +61,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: URLCustomEntity
-version: 1.2.4
+version: 1.2.5
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Threat Intelligence/Analytic Rules/URLEntity_DeviceNetworkEvents.yaml b/Solutions/Threat Intelligence/Analytic Rules/URLEntity_DeviceNetworkEvents.yaml
new file mode 100644
index 0000000000..a8605523cd
--- /dev/null
+++ b/Solutions/Threat Intelligence/Analytic Rules/URLEntity_DeviceNetworkEvents.yaml
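Review bot: The new prefilter is case-insensitive (`AuditUrls` is built from `distinct Url = tolower(Url)` and the indicator side tests `tolower(Url) in (AuditUrls)`), but the following `| join kind=innerunique (AuditEvents) on Url` still compares the raw, case-sensitive Url values, so an indicator admitted by the prefilter only because of case still fails the join and a match differing only in case is silently lost. Normalising both tables before the join, as URLEntity_DeviceNetworkEvents does with `| extend Url = tolower(Url)` on each side, makes the two steps agree. If the original casing is needed in the projected output, keep it in a separate column such as `| extend Url_orig = Url` before lowering.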
@@ -0,0 +1,71 @@ +id: 6ddbd892-a9be-47be-bab7-521241695bd6 +name: TI Map URL Entity to AuditLogs +description: | + 'This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in DeviceNetworkEvents.' +severity: Medium +requiredDataConnectors: + - connectorId: MicrosoftThreatProtection + dataTypes: + - DeviceNetworkEvents + - connectorId: ThreatIntelligence + dataTypes: + - ThreatIntelligenceIndicator + - connectorId: ThreatIntelligenceTaxii + dataTypes: + - ThreatIntelligenceIndicator + - connectorId: MicrosoftDefenderThreatIntelligence + dataTypes: + - ThreatIntelligenceIndicator +queryFrequency: 1h +queryPeriod: 14d +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Impact +query: | + let dt_lookBack = 1h; + let ioc_lookBack = 14d; + let DeviceNetworkEvents_ = DeviceNetworkEvents + | where isnotempty(RemoteUrl) + | where TimeGenerated >= ago(dt_lookBack) + | where ActionType !has "ConnectionFailed" + | extend RemoteUrl = tolower(RemoteUrl) + | project-rename DeviceNetworkEvents_TimeGenerated = TimeGenerated; + let DeviceNetworkEventUrls = DeviceNetworkEvents_ + | distinct Url = RemoteUrl + | summarize make_list(Url); + ThreatIntelligenceIndicator + | where isnotempty(Url) + | where TimeGenerated >= ago(ioc_lookBack) + | extend Url = tolower(Url) + | where Url in (DeviceNetworkEventUrls) + | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId + | where Active == true and ExpirationDateTime > now() + | where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;" + | join kind=innerunique (DeviceNetworkEvents_) on $left.Url == $right.RemoteUrl + | where DeviceNetworkEvents_TimeGenerated < ExpirationDateTime + | summarize DeviceNetworkEvents_TimeGenerated = arg_max(DeviceNetworkEvents_TimeGenerated, *) by IndicatorId, Url + | project DeviceNetworkEvents_TimeGenerated, IndicatorId, Url, ConfidenceScore, Description, ThreatType, Tags, 
TrafficLightProtocolLevel, ActionType, DeviceId, DeviceName, InitiatingProcessAccountUpn, InitiatingProcessCommandLine, RemoteIP, RemotePort + | extend Name = tostring(split(InitiatingProcessAccountUpn, '@', 0)[0]), UPNSuffix = tostring(split(InitiatingProcessAccountUpn, '@', 1)[0]) + | extend timestamp = DeviceNetworkEvents_TimeGenerated, UserPrincipalName = InitiatingProcessAccountUpn +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: Name + - identifier: UPNSuffix + columnName: UPNSuffix + - entityType: Host + fieldMappings: + - identifier: FullName + columnName: DeviceName + - entityType: URL + fieldMappings: + - identifier: Url + columnName: Url + - entityType: Process + fieldMappings: + - identifier: CommandLine + columnName: InitiatingProcessCommandLine +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/Threat Intelligence/Analytic Rules/URLEntity_EmailUrlInfo.yaml b/Solutions/Threat Intelligence/Analytic Rules/URLEntity_EmailUrlInfo.yaml new file mode 100644 index 0000000000..223535be3f --- /dev/null +++ b/Solutions/Threat Intelligence/Analytic Rules/URLEntity_EmailUrlInfo.yaml 
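Review bot: `name: TI Map URL Entity to AuditLogs` does not describe this rule; the query and the description both match DeviceNetworkEvents, so the name should be `name: TI Map URL Entity to DeviceNetworkEvents` (the rule name is what analysts see on the resulting incident). Separately, the match is an exact string comparison after `tolower`, so a RemoteUrl carrying a path or query string will not match a bare-domain indicator and vice versa; if that narrowing is intended, a short comment on the `| where Url in (DeviceNetworkEventUrls)` line such as `// exact-match only: indicator Url and RemoteUrl must be identical after lowercasing` makes it explicit.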
@@ -0,0 +1,65 @@ +id: a0038239-72f4-4f7b-90ff-37f89f7881e0 +name: TI Map URL Entity to EmailUrlInfo +description: | + 'This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in EmailUrlInfo.' +severity: Medium +requiredDataConnectors: + - connectorId: AzureActiveDirectory + dataTypes: + - EmailUrlInfo + - connectorId: ThreatIntelligence + dataTypes: + - ThreatIntelligenceIndicator + - connectorId: ThreatIntelligenceTaxii + dataTypes: + - ThreatIntelligenceIndicator + - connectorId: MicrosoftDefenderThreatIntelligence + dataTypes: + - ThreatIntelligenceIndicator +queryFrequency: 1h +queryPeriod: 14d +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Impact +query: | + let dt_lookBack = 1h; + let ioc_lookBack = 14d; + let EmailUrlInfo_ = materialize(EmailUrlInfo + | where isnotempty(Url) + | where TimeGenerated >= ago(dt_lookBack) + | extend Url = tolower(Url) + | extend EmailUrlInfo_TimeGenerated = TimeGenerated); + let EmailUrls = EmailUrlInfo_ | distinct Url | summarize make_list(Url); + let EmailUrlDomains = EmailUrlInfo_ | distinct UrlDomain | summarize make_list(UrlDomain); + let EmailEvents_ = materialize(EmailEvents + | where TimeGenerated >= ago(dt_lookBack)); + let TI = materialize(ThreatIntelligenceIndicator + | where TimeGenerated >= ago(ioc_lookBack) + | where (isnotempty(Url) or isnotempty(DomainName)) + | where tolower(Url) in (EmailUrls) or tolower(DomainName) in (EmailUrlDomains) + | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId + | where Active == true and ExpirationDateTime > now()); + (union + (TI | join kind=innerunique (EmailUrlInfo_) on Url), + (TI | join kind=innerunique (EmailUrlInfo_) on $left.DomainName == $right.UrlDomain)) + | where EmailUrlInfo_TimeGenerated < ExpirationDateTime + | summarize EmailUrlInfo_TimeGenerated = arg_max(EmailUrlInfo_TimeGenerated, *) by IndicatorId, Url + | project EmailUrlInfo_TimeGenerated, Description, 
ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, UrlDomain, UrlLocation, NetworkMessageId + | extend timestamp = EmailUrlInfo_TimeGenerated + | join kind=inner (EmailEvents_) on NetworkMessageId + | where DeliveryAction !has "Blocked" + | extend Name = tostring(split(RecipientEmailAddress, '@', 0)[0]), UPNSuffix = tostring(split(RecipientEmailAddress, '@', 1)[0]) +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: Name + - identifier: UPNSuffix + columnName: UPNSuffix + - entityType: URL + fieldMappings: + - identifier: Url + columnName: Url +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/Threat Intelligence/Analytic Rules/URLEntity_OfficeActivity.yaml b/Solutions/Threat Intelligence/Analytic Rules/URLEntity_OfficeActivity.yaml index 0a09429b5d..d929ae98bf 100644 --- a/Solutions/Threat Intelligence/Analytic Rules/URLEntity_OfficeActivity.yaml +++ b/Solutions/Threat Intelligence/Analytic Rules/URLEntity_OfficeActivity.yaml @@ -1,7 +1,7 @@ id: 36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b -name: TI Map URL Entity to OfficeActivity Data +name: TI Map URL Entity to OfficeActivity Data [Deprecated] description: | - 'This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in OfficeActivity data.' + 'This query is Deprecated as its filter conditions will never yield results. This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in OfficeActivity data.' severity: Medium requiredDataConnectors: - connectorId: Office365 @@ -13,6 +13,9 @@ requiredDataConnectors: - connectorId: MicrosoftDefenderThreatIntelligence dataTypes: - ThreatIntelligenceIndicator + - connectorId: ThreatIntelligenceTaxii + dataTypes: + - ThreatIntelligenceIndicator queryFrequency: 1h queryPeriod: 14d triggerOperator: gt 
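Review bot: `requiredDataConnectors` lists `EmailUrlInfo` under `connectorId: AzureActiveDirectory`, but EmailUrlInfo is not an Entra ID data type; the sibling URLEntity_DeviceNetworkEvents rule in this commit attaches its Defender table to `connectorId: MicrosoftThreatProtection`, and the same connector is presumably the source here. The query also reads `EmailEvents`, which is not declared under any connector's dataTypes at all. Finally, in the second branch of the union the join is on `$left.DomainName == $right.UrlDomain`, so for domain-only indicators the indicator-side `Url` column is empty while the email's URL lands in `Url1`; both `summarize ... by IndicatorId, Url` and the URL entity mapping (`columnName: Url`) then see an empty value, and a `| extend Url = coalesce(Url, Url1)` before the summarize would keep the entity populated.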
@@ -21,31 +24,32 @@ tactics: - Impact query: | let dt_lookBack = 1h; - let ioc_lookBack = 14d; - ThreatIntelligenceIndicator - | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now() - | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId - | where Active == true - // Picking up only IOC's that contain the entities we want - | where isnotempty(Url) - // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated - | join kind=innerunique ( - OfficeActivity - | where TimeGenerated >= ago(dt_lookBack) - //Extract the Url from a number of potential fields - | extend Url = iif(OfficeWorkload == "AzureActiveDirectory",extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue)) - | where isnotempty(Url) - // Ensure we get a clean URL - | extend Url = tostring(split(Url, ';')[0]) - | extend OfficeActivity_TimeGenerated = TimeGenerated - // Project a single user identity that we can use for entity mapping - | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Value))) - ) on Url - | where OfficeActivity_TimeGenerated < ExpirationDateTime - | summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, Url - | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, - UserType, OfficeWorkload, Parameters, Url, User - | extend timestamp = OfficeActivity_TimeGenerated, Name = tostring(split(User, '@', 0)[0]), UPNSuffix = tostring(split(User, '@', 1)[0]) + // let ioc_lookBack = 14d; + // ThreatIntelligenceIndicator + // // Picking up only IOC's that contain the entities we want + // | where isnotempty(Url) + // | where TimeGenerated 
>= ago(ioc_lookBack) + // | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId + // | where Active == true and ExpirationDateTime > now() + // // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated + // | join kind=innerunique ( + // OfficeActivity + // | where TimeGenerated >= ago(dt_lookBack) + // //Extract the Url from a number of potential fields + // | extend Url = iif(OfficeWorkload == "AzureActiveDirectory",extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue)) + // | where isnotempty(Url) + // // Ensure we get a clean URL + // | extend Url = tostring(split(Url, ';')[0]) + // | extend OfficeActivity_TimeGenerated = TimeGenerated + // // Project a single user identity that we can use for entity mapping + // | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Value))) + // ) on Url + // | where OfficeActivity_TimeGenerated < ExpirationDateTime + // | summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, Url + // | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, + // UserType, OfficeWorkload, Parameters, Url, User + // | extend timestamp = OfficeActivity_TimeGenerated, Name = tostring(split(User, '@', 0)[0]), UPNSuffix = tostring(split(User, '@', 1)[0]) + datatable() [] entityMappings: - entityType: Account fieldMappings: @@ -57,5 +61,5 @@ entityMappings: fieldMappings: - identifier: Url columnName: Url -version: 1.2.5 +version: 1.2.6 kind: Scheduled 
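Review bot: The deprecated rule now returns `datatable() []`, a table with no columns, while the entityMappings below still reference Name, UPNSuffix and Url; whether the analytic-rule validation accepts an empty column set for mapped entities is worth confirming before release, and declaring the mapped columns, e.g. `datatable(Name:string, UPNSuffix:string, Url:string) []`, keeps the mappings resolvable either way. The `let dt_lookBack = 1h;` left above the commented block is now unused and can go. Carrying the entire previous query as a comment inside `query:` ships dead text with every deployment while git history already preserves it; a one-line pointer such as `// Deprecated: the previous OfficeActivity URL match logic is in git history` is enough.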
diff --git a/Solutions/Threat Intelligence/Analytic Rules/URLEntity_PaloAlto.yaml b/Solutions/Threat Intelligence/Analytic Rules/URLEntity_PaloAlto.yaml
index 0b532cdfa8..6960697068 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/URLEntity_PaloAlto.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/URLEntity_PaloAlto.yaml
@@ -26,11 +26,11 @@ query: |
 let dt_lookBack = 1h;
 let ioc_lookBack = 14d;
 ThreatIntelligenceIndicator
- | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
- | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
- | where Active == true
 // Picking up only IOC's that contain the entities we want
 | where isnotempty(Url)
+ | where TimeGenerated >= ago(ioc_lookBack)
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now()
 // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
 | join kind=innerunique (
 CommonSecurityLog
@@ -64,5 +64,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: PA_Url
-version: 1.2.3
+version: 1.2.4
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Threat Intelligence/Analytic Rules/URLEntity_SecurityAlerts.yaml b/Solutions/Threat Intelligence/Analytic Rules/URLEntity_SecurityAlerts.yaml
index 3ede7de1e3..49a172956d 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/URLEntity_SecurityAlerts.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/URLEntity_SecurityAlerts.yaml
@@ -29,28 +29,30 @@ query: | let dt_lookBack = 1h; let ioc_lookBack = 14d; let URLRegex = "((https?|ftp|ldap|wss?|file):\\/\\/(([\\:\\%\\w\\_\\-]+(\\.|@))*((xn--)?[a-zA-Z0-9\\-]+\\.)+(xn--[a-z0-9]+|[A-Za-z]+)|\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{0,3})[.,:\\w@?^=%&\\/~+#-]*[\\w@?^=%&\\/~+#-])"; + let SecurityEvents = materialize(SecurityAlert + | where TimeGenerated >= ago(dt_lookBack) + | extend MSTI = case(AlertName has "TI map" and VendorName == "Microsoft" and ProductName == 'Azure Sentinel', true, false) + | where MSTI == false + // Extract URL from JSON data + | mv-expand parse_json(Entities) + | where isnotempty(Entities.Url) or isnotempty(Entities.Urls) + | extend Url = coalesce(Entities.Url, Entities.Urls) + | mv-expand Url + | extend Url = tolower(Url) + // Extract hostname from JSON data for entity mapping + | extend Compromised_Host = tostring(parse_json(ExtendedProperties).["Compromised Host"]) + | extend Alert_TimeGenerated = TimeGenerated); + let EventUrls = materialize(SecurityEvents | distinct Url | summarize make_list(Url)); ThreatIntelligenceIndicator - | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now() - | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId - | where Active == true - // Picking up only IOC's that contain the entities we want | where isnotempty(Url) + | where TimeGenerated >= ago(ioc_lookBack) + | extend Url = tolower(Url) + | where tolower(Url) in (EventUrls) + | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId + | where Active == true and ExpirationDateTime > now() + | where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;" // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated - | join kind=innerunique ( - SecurityAlert - | where TimeGenerated >= ago(dt_lookBack) - | extend MSTI = case(AlertName has "TI map" and VendorName 
== "Microsoft" and ProductName == 'Azure Sentinel', true, false) - | where MSTI == false - // Extract URL from JSON data - | extend Url = todynamic(dynamic_to_json(extract_all(URLRegex, dynamic([1]), Entities))) - | mv-expand Url - | extend Url = tostring(Url[0]) - // We only want alerts that actually contain URL data - | where isnotempty(Url) - // Extract hostname from JSON data for entity mapping - | extend Compromised_Host = tostring(parse_json(ExtendedProperties).["Compromised Host"]) - | extend Alert_TimeGenerated = TimeGenerated - ) on Url + | join kind=innerunique (SecurityEvents) on Url | where Alert_TimeGenerated < ExpirationDateTime | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName | project timestamp = Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host @@ -63,5 +65,5 @@ entityMappings: fieldMappings: - identifier: Url columnName: Url -version: 1.2.6 +version: 1.2.7 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Threat Intelligence/Analytic Rules/URLEntity_Syslog.yaml b/Solutions/Threat Intelligence/Analytic Rules/URLEntity_Syslog.yaml index a1f74dad0f..ce3c31d6d8 100644 --- a/Solutions/Threat Intelligence/Analytic Rules/URLEntity_Syslog.yaml +++ b/Solutions/Threat Intelligence/Analytic Rules/URLEntity_Syslog.yaml 
@@ -26,11 +26,11 @@ query: | let dt_lookBack = 1h; let ioc_lookBack = 14d; ThreatIntelligenceIndicator - | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now() - | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId - | where Active == true // Picking up only IOC's that contain the entities we want | where isnotempty(Url) + | where TimeGenerated >= ago(ioc_lookBack) + | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId + | where Active == true and ExpirationDateTime > now() // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated | join kind=innerunique ( Syslog @@ -56,5 +56,5 @@ entityMappings: fieldMappings: - identifier: Url columnName: Url -version: 1.2.4 +version: 1.2.5 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Threat Intelligence/Analytic Rules/URLEntity_UrlClickEvents.yaml b/Solutions/Threat Intelligence/Analytic Rules/URLEntity_UrlClickEvents.yaml new file mode 100644 index 0000000000..718104a076 --- /dev/null +++ b/Solutions/Threat Intelligence/Analytic Rules/URLEntity_UrlClickEvents.yaml 
@@ -0,0 +1,68 @@
+id: 23391c84-87d8-452f-a84c-47a62f01e115
+name: TI Map URL Entity to UrlClickEvents
+description: |
+ 'This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in UrlClickEvents.'
+severity: Medium
+requiredDataConnectors:
+ - connectorId: MicrosoftThreatProtection
+ dataTypes:
+ - UrlClickEvents
+ - connectorId: ThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: ThreatIntelligenceTaxii
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: MicrosoftDefenderThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Impact
+query: |
+ let dt_lookBack = 1h;
+ let ioc_lookBack = 14d;
+ let UrlClickEvents_ = materialize(UrlClickEvents
+ | where TimeGenerated >= ago(dt_lookBack)
+ | extend UrlClickEvents_TimeGenerated = TimeGenerated);
+ let ChainReportID = UrlClickEvents_
+ | mv-expand todynamic(UrlChain)
+ | extend UrlChain = tolower(UrlChain)
+ | project ReportId, Url, UrlChain;
+ // Url is not always in UrlChain, so we need to check both
+ let ClickedUrls =
+ (union isfuzzy=false (ChainReportID), (ChainReportID | project Url = UrlChain))
+ | distinct Url
+ | summarize make_list(Url);
+ let TI = materialize(ThreatIntelligenceIndicator
+ | where TimeGenerated >= ago(ioc_lookBack)
+ | where isnotempty(Url) and tolower(Url) in (ClickedUrls)
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | where Active == true and ExpirationDateTime > now()
+ | project-rename TI_Url = Url, TI_Type = Type
+ );
+ (union isfuzzy=false (TI | join kind=innerunique (ChainReportID) on $left.TI_Url == $right.UrlChain),
+ (TI | join kind=innerunique (ChainReportID) on $left.TI_Url == $right.Url))
+ | project-away UrlChain
+ | join kind=innerunique (UrlClickEvents_) on ReportId
+ | where UrlClickEvents_TimeGenerated < ExpirationDateTime
+ | summarize 
UrlClickEvents_TimeGenerated = arg_max(UrlClickEvents_TimeGenerated, *) by IndicatorId
+ | project UrlClickEvents_TimeGenerated, AccountUpn, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, NetworkMessageId
+ | extend timestamp = UrlClickEvents_TimeGenerated
+ | extend timestamp = UrlClickEvents_TimeGenerated, Name = tostring(split(AccountUpn, '@', 0)[0]), UPNSuffix = tostring(split(AccountUpn, '@', 1)[0])
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: Name
+ - identifier: UPNSuffix
+ columnName: UPNSuffix
+ - entityType: URL
+ fieldMappings:
+ - identifier: Url
+ columnName: Url
+version: 1.0.0
+kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/imDns_DomainEntity_DnsEvents.yaml b/Solutions/Threat Intelligence/Analytic Rules/imDns_DomainEntity_DnsEvents.yaml
index b8b8d971f0..934a931cba 100644
--- a/Solutions/Threat Intelligence/Analytic Rules/imDns_DomainEntity_DnsEvents.yaml
+++ b/Solutions/Threat Intelligence/Analytic Rules/imDns_DomainEntity_DnsEvents.yaml
@@ -35,7 +35,6 @@ requiredDataConnectors: - connectorId: CiscoUmbrellaDataConnector dataTypes: - Cisco_Umbrella_dns_CL - - connectorId: Corelight dataTypes: - Corelight_CL 
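Review bot: The final union joins case-sensitively on `$left.TI_Url == $right.UrlChain` and `$left.TI_Url == $right.Url`, but only UrlChain is lower-cased (`| extend UrlChain = tolower(UrlChain)`) and the TI value is lower-cased only inside the `tolower(Url) in (ClickedUrls)` pre-filter, never in the column that is renamed to TI_Url — so an indicator such as `http://Evil.example/Login` passes the pre-filter and is then silently dropped by the `==` join (KQL `==` is case-sensitive; `=~` is not allowed in a join `on` clause). Normalize both sides once before joining: add `| extend Url = tolower(Url)` to the ChainReportID pipeline before `| project ReportId, Url, UrlChain`, and `| extend Url = tolower(Url)` in the TI block before `| project-rename TI_Url = Url, TI_Type = Type`. The two consecutive `| extend timestamp = UrlClickEvents_TimeGenerated` lines are also redundant; the first can be deleted since the second repeats the assignment. Lower-casing the clicked Url changes the value surfaced to the URL entity, which is probably acceptable but worth a comment.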
@@ -55,11 +54,11 @@ query: | let dt_lookBack = 1h; let ioc_lookBack = 14d; let DomainTIs= ThreatIntelligenceIndicator - | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now() // Picking up only IOC's that contain the entities we want | where isnotempty(DomainName) - | where Active == true - | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId; + | where TimeGenerated >= ago(ioc_lookBack) + | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId + | where Active == true and ExpirationDateTime > now(); let Domains = DomainTIs | where isnotempty(DomainName) |summarize NDomains=dcount(DomainName), DomainsList=make_set(DomainName) | project DomainList = iff(NDomains > HAS_ANY_MAX, dynamic([]), DomainsList) ; DomainTIs @@ -70,7 +69,6 @@ query: | | where DNS_TimeGenerated < ExpirationDateTime | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType | extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url - entityMappings: - entityType: Host fieldMappings: @@ -96,5 +94,5 @@ customDetails: SourceIPAddress: SrcIpAddr DnsQuery: DnsQuery QueryType: DnsQueryType -version: 1.1.4 +version: 1.1.5 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Threat Intelligence/Analytic Rules/imDns_IPEntity_DnsEvents.yaml b/Solutions/Threat Intelligence/Analytic Rules/imDns_IPEntity_DnsEvents.yaml index e14de01d8a..a300fa7f7f 100644 --- a/Solutions/Threat Intelligence/Analytic Rules/imDns_IPEntity_DnsEvents.yaml +++ b/Solutions/Threat Intelligence/Analytic Rules/imDns_IPEntity_DnsEvents.yaml @@ -1,8 +1,7 @@ id: 67775878-7f8b-4380-ac54-115e1e828901 name: TI map IP entity to DNS Events (ASIM DNS schema) description: | - 'This rule identifies DNS requests for which response IP address is a known IoC.

- This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema.' + 'This rule identifies DNS requests for which response IP address is a known IoC. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema.' severity: Medium requiredDataConnectors: - connectorId: ThreatIntelligence @@ -38,7 +37,6 @@ requiredDataConnectors: - connectorId: Corelight dataTypes: - Corelight_CL - queryFrequency: 1h queryPeriod: 14d triggerOperator: gt @@ -55,12 +53,11 @@ query: | let ioc_lookBack = 14d; let IP_TI = ThreatIntelligenceIndicator - | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now() - | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId - | where Active == true + | where TimeGenerated >= ago(ioc_lookBack) | extend IoC = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,"NO_IP") | where IoC != "NO_IP" - ; + | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId + | where Active == true and ExpirationDateTime > now(); IP_TI | join kind=innerunique // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated ( @@ -73,7 +70,6 @@ query: | on IoC | where imDns_mintime < ExpirationDateTime | project imDns_mintime, imDns_maxtime, Description, ActivityGroupNames, IndicatorId, ThreatType, LatestIndicatorTime, ExpirationDateTime, ConfidenceScore, SrcIpAddr, IoC, Dvc, EventVendor, EventProduct, DnsQuery, DnsResponseName - entityMappings: - entityType: Host fieldMappings: @@ -87,7 +83,6 @@ entityMappings: fieldMappings: - identifier: Address columnName: SrcIpAddr - customDetails: LatestIndicatorTime: LatestIndicatorTime Description: Description 
@@ -99,10 +94,8 @@ customDetails: DNSRequestTime: imDns_mintime SourceIPAddress: SrcIpAddr DnsQuery: DnsQuery - alertDetailsOverride: alertDisplayNameFormat: The response {{IoC}} to DNS query matched an IoC alertDescriptionFormat: The response address {{IoC}} to a DNS query matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator. - -version: 1.2.2 +version: 1.2.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Threat Intelligence/Data Connectors/template_PremiumMicrosoftDefenderThreatIntelligence.json b/Solutions/Threat Intelligence/Data Connectors/template_PremiumMicrosoftDefenderThreatIntelligence.json index e4ddb848fd..8bc1575959 100644 --- a/Solutions/Threat Intelligence/Data Connectors/template_PremiumMicrosoftDefenderThreatIntelligence.json +++ b/Solutions/Threat Intelligence/Data Connectors/template_PremiumMicrosoftDefenderThreatIntelligence.json @@ -1,5 +1,5 @@ { - "id": "PremiumMicrosoftDefenderThreatIntelligence", + "id": "PremiumMicrosoftDefenderForThreatIntelligence", "title": "Premium Microsoft Defender Threat Intelligence (Preview)", "publisher": "Microsoft", "logo": { @@ -28,7 +28,7 @@ { "type": "SentinelKinds", "value": [ - "PremiumMicrosoftThreatIntelligence" + "PremiumMicrosoftDefenderForThreatIntelligence" ] } ], @@ -73,9 +73,9 @@ { "instructions": [ { - "type": "PremiumMicrosoftThreatIntelligence", + "type": "PremiumMicrosoftDefenderForThreatIntelligence", "parameters": { - "connectorKind": "PremiumMicrosoftThreatIntelligence" + "connectorKind": "PremiumMicrosoftDefenderForThreatIntelligence" } } ] diff --git a/Solutions/Threat Intelligence/Data/Solution_ThreatIntelligenceTemplateSpec.json b/Solutions/Threat Intelligence/Data/Solution_ThreatIntelligenceTemplateSpec.json index cbdaf00abb..f44962b07b 100644 --- a/Solutions/Threat Intelligence/Data/Solution_ThreatIntelligenceTemplateSpec.json 
+++ b/Solutions/Threat Intelligence/Data/Solution_ThreatIntelligenceTemplateSpec.json @@ -21,18 +21,23 @@ ], "Analytic Rules": [ "Analytic Rules/DomainEntity_CommonSecurityLog.yaml", + "Analytic Rules/DomainEntity_DeviceNetworkEvents.yaml", "Analytic Rules/DomainEntity_DnsEvents.yaml", + "Analytic Rules/DomainEntity_EmailEvents.yaml", + "Analytic Rules/DomainEntity_EmailUrlInfo.yaml", "Analytic Rules/DomainEntity_imWebSession.yaml", "Analytic Rules/DomainEntity_PaloAlto.yaml", "Analytic Rules/DomainEntity_SecurityAlert.yaml", "Analytic Rules/DomainEntity_Syslog.yaml", "Analytic Rules/EmailEntity_AzureActivity.yaml", + "Analytic Rules/EmailEntity_EmailEvents.yaml", "Analytic Rules/EmailEntity_OfficeActivity.yaml", "Analytic Rules/EmailEntity_PaloAlto.yaml", "Analytic Rules/EmailEntity_SecurityAlert.yaml", "Analytic Rules/EmailEntity_SecurityEvent.yaml", "Analytic Rules/EmailEntity_SigninLogs.yaml", "Analytic Rules/FileHashEntity_CommonSecurityLog.yaml", + "Analytic Rules/FileHashEntity_DeviceFileEvents.yaml", "Analytic Rules/FileHashEntity_SecurityEvent.yaml", "Analytic Rules/IPEntity_AppServiceHTTPLogs.yaml", "Analytic Rules/IPEntity_AWSCloudTrail.yaml", @@ -42,6 +47,7 @@ "Analytic Rules/IPEntity_AzureNetworkAnalytics.yaml", "Analytic Rules/IPEntity_AzureSQL.yaml", "Analytic Rules/IPEntity_CustomSecurityLog.yaml", + "Analytic Rules/IPEntity_DeviceNetworkEvents.yaml", "Analytic Rules/IPEntity_DnsEvents.yaml", "Analytic Rules/IPEntity_imWebSession.yaml", "Analytic Rules/IPEntity_OfficeActivity.yaml", 
@@ -49,10 +55,13 @@ "Analytic Rules/IPEntity_VMConnection.yaml", "Analytic Rules/IPEntity_W3CIISLog.yaml", "Analytic Rules/URLEntity_AuditLogs.yaml", + "Analytic Rules/URLEntity_DeviceNetworkEvents.yaml", + "Analytic Rules/URLEntity_EmailUrlInfo.yaml", "Analytic Rules/URLEntity_OfficeActivity.yaml", "Analytic Rules/URLEntity_PaloAlto.yaml", "Analytic Rules/URLEntity_SecurityAlerts.yaml", "Analytic Rules/URLEntity_Syslog.yaml", + "Analytic Rules/URLEntity_UrlClickEvents.yaml", "Analytic Rules/IPEntity_DuoSecurity.yaml", "Analytic Rules/imDns_DomainEntity_DnsEvents.yaml", "Analytic Rules/imDns_IPEntity_DnsEvents.yaml", @@ -61,7 +70,7 @@ ], "Metadata": "SolutionMetadata.json", "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Threat Intelligence\\", - "Version": "3.0.1", + "Version": "3.0.2", "TemplateSpec": true, "Is1PConnector": true } \ No newline at end of file diff --git a/Solutions/Threat Intelligence/Package/3.0.2.zip b/Solutions/Threat Intelligence/Package/3.0.2.zip new file mode 100644 index 0000000000..db0a5ef2e8 Binary files /dev/null and b/Solutions/Threat Intelligence/Package/3.0.2.zip differ diff --git a/Solutions/Threat Intelligence/Package/createUiDefinition.json b/Solutions/Threat Intelligence/Package/createUiDefinition.json index ef11906573..0c5b3c5f7d 100644 --- a/Solutions/Threat Intelligence/Package/createUiDefinition.json +++ b/Solutions/Threat Intelligence/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Threat Intelligence/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Threat Intelligence solution contains data connectors for import of threat indicators into Microsoft Sentinel, analytic rules for matching TI data with event data, workbook, and hunting queries. Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc.\n\n**Data Connectors:** 4, **Workbooks:** 1, **Analytic Rules:** 38, **Hunting Queries:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Threat Intelligence/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Threat Intelligence solution contains data connectors for import of threat indicators into Microsoft Sentinel, analytic rules for matching TI data with event data, workbook, and hunting queries. Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc.\n\n**Data Connectors:** 4, **Workbooks:** 1, **Analytic Rules:** 47, **Hunting Queries:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -51,7 +51,7 @@ } ], "steps": [ - { + { "name": "dataconnectors", "label": "Data Connectors", "bladeTitle": "Data Connectors", 
@@ -60,77 +60,28 @@ "name": "dataconnectors1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This solution installs four (4) data connectors for ingesting threat indicators (IP addresses, domains, URLs and file hashes) into Microsoft Sentinel. The ingested threat indicators can be used for correlation to enable monitoring, alerting, and hunting using your threat intelligence." + "text": "This Solution installs the data connector for Threat Intelligence. You can get Threat Intelligence custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } }, { "name": "dataconnectors2-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "The data connectors installed are:" + "text": "This Solution installs the data connector for Threat Intelligence. You can get Threat Intelligence custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } }, { - "name": "DC1", - "type": "Microsoft.Common.Section", - "label": "(1)\t\tThreat Intelligence Platforms", - "elements": [ - { - "name": "DC1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Use this connector to send threat indicators to Microsoft Sentinel from your Threat Intelligence Platform (TIP), such as Threat Connect, Palo Alto Networks MindMeld, MISP, or other integrated applications." - } - } - ] - }, - { - "name": "DC2", - "type": "Microsoft.Common.Section", - "label": "(2)\t\tThreat Intelligence - TAXII", - "elements": [ - { - "name": "DC1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Use this connector to bring in threat intelligence to Microsoft Sentinel from a TAXII 2.0 or 2.1 server." 
- } - } - ] - }, - { - "name": "DC3", - "type": "Microsoft.Common.Section", - "label": "(3)\t\tThreat Intelligence Upload Indicators API", - "elements": [ - { - "name": "DC1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Microsoft Sentinel offer a data plane API to bring in threat intelligence from your Threat Intelligence Platform (TIP), such as Threat Connect, Palo Alto Networks MineMeld, MISP, or other integrated applications. Threat indicators can include IP addresses, domains, URLs, file hashes and email addresses." - } - } - ] - }, - { - "name": "DC4", - "type": "Microsoft.Common.Section", - "label": "(4)\t\tMicrosoft Defender Threat Intelligence", - "elements": [ - { - "name": "DC1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Microsoft Sentinel provides you the capability to import threat intelligence generated by Microsoft to enable monitoring, alerting and hunting. Use this data connector to import Indicators of Compromise (IOCs) from Microsoft Defender Threat Intelligence (MDTI) into Microsoft Sentinel. Threat indicators can include IP addresses, domains, URLs, and file hashes, etc." - } - } - ] + "name": "dataconnectors3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for Threat Intelligence. You can get Threat Intelligence custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } }, { - "name": "dataconnectors3-text", + "name": "dataconnectors4-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "After installing the solution, configure and enable these data connectors by following guidance in Manage solution view." + "text": "This Solution installs the data connector for Threat Intelligence. You can get Threat Intelligence custom log data in your Microsoft Sentinel workspace. 
After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } }, { @@ -216,13 +167,13 @@ { "name": "analytic1", "type": "Microsoft.Common.Section", - "label": "TI map Domain entity to CommonSecurityLog", + "label": "TI map Domain entity to PaloAlto CommonSecurityLog", "elements": [ { "name": "analytic1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Identifies a match in CommonSecurityLog table from any Domain IOC from TI" + "text": "Identifies a match in PaloAlto CommonSecurityLog table from any Domain IOC from TI" } } ] @@ -230,13 +181,13 @@ { "name": "analytic2", "type": "Microsoft.Common.Section", - "label": "TI map Domain entity to DnsEvents", + "label": "TI Map Domain Entity to DeviceNetworkEvents", "elements": [ { "name": "analytic2-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Identifies a match in DnsEvents from any Domain IOC from TI" + "text": "This query identifies any Domain indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in DeviceNetworkEvents." } } ] @@ -244,13 +195,13 @@ { "name": "analytic3", "type": "Microsoft.Common.Section", - "label": "TI map Domain entity to Web Session Events (ASIM Web Session schema)", + "label": "TI map Domain entity to DnsEvents", "elements": [ { "name": "analytic3-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This rule identifies Web Sessions for which the target URL hostname is a known IoC. This rule uses the [Advanced Security Information Model (ASIM)](https:/aka.ms/AboutASIM) and supports any web session source that complies with ASIM." + "text": "Identifies a match in DnsEvents from any Domain IOC from TI" } } ] 
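Review bot: The four replacement blocks dataconnectors1-text through dataconnectors4-text in the `@@ -60,77 +60,28 @@` hunk now carry the identical sentence, so the installer shows the same paragraph four times and loses the per-connector descriptions (TIP, TAXII, Upload Indicators API, MDTI) that the removed DC1–DC4 sections provided. The new wording also calls the ingested indicators "custom log data", which does not match the analytic rules in this change, all of which read the `ThreatIntelligenceIndicator` table rather than a custom log. This looks like packaging-tool boilerplate; either restore the per-connector descriptions from the removed sections or collapse the four blocks into one whose text names the connectors and the destination table, e.g. `"text": "This solution installs four data connectors (Threat Intelligence Platforms, TAXII, Upload Indicators API and Microsoft Defender Threat Intelligence) that ingest indicators into the ThreatIntelligenceIndicator table. After installing the solution, configure and enable them from the Manage solution view."`.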
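Review bot: In the `@@ -216,13 +167,13 @@` hunk analytic1 is relabelled `TI map Domain entity to PaloAlto CommonSecurityLog` with the text `Identifies a match in PaloAlto CommonSecurityLog table from any Domain IOC from TI`, while analytic7 later in this same file keeps `TI map Domain entity to PaloAlto` with `Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI`, so the installer now lists two Domain-to-Palo-Alto rules that an operator cannot tell apart. This file is generated from the rule metadata, so the wording presumably comes from DomainEntity_CommonSecurityLog.yaml, which is not visible here; if that rule covers CommonSecurityLog sources beyond Palo Alto its name and description should say so, and if it does not, the two rules should be distinguished (for example by the field matched) or merged.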
@@ -258,13 +209,13 @@ { "name": "analytic4", "type": "Microsoft.Common.Section", - "label": "TI map Domain entity to PaloAlto", + "label": "TI map Domain entity to EmailEvents", "elements": [ { "name": "analytic4-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI" + "text": "Identifies a match in EmailEvents table from any Domain IOC from TI" } } ] @@ -272,13 +223,13 @@ { "name": "analytic5", "type": "Microsoft.Common.Section", - "label": "TI map Domain entity to SecurityAlert", + "label": "TI map Domain entity to EmailUrlInfo", "elements": [ { "name": "analytic5-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Identifies a match in SecurityAlert table from any Domain IOC from TI" + "text": "Identifies a match in EmailUrlInfo table from any Domain IOC from TI." } } ] @@ -286,13 +237,13 @@ { "name": "analytic6", "type": "Microsoft.Common.Section", - "label": "TI map Domain entity to Syslog", + "label": "TI map Domain entity to Web Session Events (ASIM Web Session schema)", "elements": [ { "name": "analytic6-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Identifies a match in Syslog table from any Domain IOC from TI" + "text": "This rule identifies Web Sessions for which the target URL hostname is a known IoC. This rule uses the [Advanced Security Information Model (ASIM)](https:/aka.ms/AboutASIM) and supports any web session source that complies with ASIM." } } ] @@ -300,13 +251,13 @@ { "name": "analytic7", "type": "Microsoft.Common.Section", - "label": "TI map Email entity to AzureActivity", + "label": "TI map Domain entity to PaloAlto", "elements": [ { "name": "analytic7-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Identifies a match in AzureActivity table from any Email IOC from TI" + "text": "Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI" } } ] 
@@ -314,13 +265,13 @@ { "name": "analytic8", "type": "Microsoft.Common.Section", - "label": "TI map Email entity to OfficeActivity", + "label": "TI map Domain entity to SecurityAlert", "elements": [ { "name": "analytic8-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Identifies a match in OfficeActivity table from any Email IOC from TI" + "text": "Identifies a match in SecurityAlert table from any Domain IOC from TI" } } ] @@ -328,13 +279,13 @@ { "name": "analytic9", "type": "Microsoft.Common.Section", - "label": "TI map Email entity to PaloAlto CommonSecurityLog", + "label": "TI map Domain entity to Syslog", "elements": [ { "name": "analytic9-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Identifies a match in CommonSecurityLog table from any Email IOC from TI" + "text": "Identifies a match in Syslog table from any Domain IOC from TI" } } ] @@ -342,13 +293,13 @@ { "name": "analytic10", "type": "Microsoft.Common.Section", - "label": "TI map Email entity to SecurityAlert", + "label": "TI map Email entity to AzureActivity", "elements": [ { "name": "analytic10-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others" + "text": "Identifies a match in AzureActivity table from any Email IOC from TI" } } ] @@ -356,13 +307,13 @@ { "name": "analytic11", "type": "Microsoft.Common.Section", - "label": "TI map Email entity to SecurityEvent", + "label": "TI map Email entity to EmailEvents", "elements": [ { "name": "analytic11-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Identifies a match in SecurityEvent table from any Email IOC from TI" + "text": "Identifies a match in EmailEvents table from any Email IOC from TI" } } ] 
@@ -370,13 +321,13 @@ { "name": "analytic12", "type": "Microsoft.Common.Section", - "label": "TI map Email entity to SigninLogs", + "label": "TI map Email entity to OfficeActivity", "elements": [ { "name": "analytic12-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Identifies a match in SigninLogs table from any Email IOC from TI" + "text": "Identifies a match in OfficeActivity table from any Email IOC from TI" } } ] @@ -384,13 +335,13 @@ { "name": "analytic13", "type": "Microsoft.Common.Section", - "label": "TI map File Hash to CommonSecurityLog Event", + "label": "TI map Email entity to PaloAlto CommonSecurityLog", "elements": [ { "name": "analytic13-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI" + "text": "Identifies a match in CommonSecurityLog table from any Email IOC from TI" } } ] @@ -398,13 +349,13 @@ { "name": "analytic14", "type": "Microsoft.Common.Section", - "label": "TI map File Hash to Security Event", + "label": "TI map Email entity to SecurityAlert", "elements": [ { "name": "analytic14-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Identifies a match in Security Event data from any File Hash IOC from TI" + "text": "Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others" } } ] @@ -412,13 +363,13 @@ { "name": "analytic15", "type": "Microsoft.Common.Section", - "label": "TI map IP entity to AppServiceHTTPLogs", + "label": "TI map Email entity to SecurityEvent", "elements": [ { "name": "analytic15-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Identifies a match in AppServiceHTTPLogs from any IP IOC from TI" + "text": "Identifies a match in SecurityEvent table from any Email IOC from TI" } } ] 
@@ -426,13 +377,13 @@ { "name": "analytic16", "type": "Microsoft.Common.Section", - "label": "TI map IP entity to AWSCloudTrail", + "label": "TI map Email entity to SigninLogs", "elements": [ { "name": "analytic16-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Identifies a match in AWSCloudTrail from any IP IOC from TI" + "text": "Identifies a match in SigninLogs table from any Email IOC from TI" } } ] @@ -440,13 +391,13 @@ { "name": "analytic17", "type": "Microsoft.Common.Section", - "label": "TI Map IP Entity to AzureActivity", + "label": "TI map File Hash to CommonSecurityLog Event", "elements": [ { "name": "analytic17-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in AzureActivity." + "text": "Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI" } } ] @@ -454,13 +405,13 @@ { "name": "analytic18", "type": "Microsoft.Common.Section", - "label": "TI map IP entity to AzureFirewall", + "label": "TI map File Hash to DeviceFileEvents Event", "elements": [ { "name": "analytic18-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Identifies a match in AzureFirewall (NetworkRule & ApplicationRule Logs) from any IP IOC from TI" + "text": "Identifies a match in DeviceFileEvents Event data from any FileHash IOC from TI" } } ] @@ -468,13 +419,13 @@ { "name": "analytic19", "type": "Microsoft.Common.Section", - "label": "TI map IP entity to Azure Key Vault logs", + "label": "TI map File Hash to Security Event", "elements": [ { "name": "analytic19-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Identifies a match in Azure Key Vault logs from any IP IOC from TI" + "text": "Identifies a match in Security Event data from any File Hash IOC from TI" } } ] 
@@ -482,13 +433,13 @@
 {
 "name": "analytic20",
 "type": "Microsoft.Common.Section",
- "label": "TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)",
+ "label": "TI map IP entity to AppServiceHTTPLogs",
 "elements": [
 {
 "name": "analytic20-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed"
+ "text": "Identifies a match in AppServiceHTTPLogs from any IP IOC from TI"
 }
 }
 ]
@@ -496,13 +447,13 @@
 {
 "name": "analytic21",
 "type": "Microsoft.Common.Section",
- "label": "TI Map IP Entity to Azure SQL Security Audit Events",
+ "label": "TI map IP entity to AWSCloudTrail",
 "elements": [
 {
 "name": "analytic21-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SQL Security Audit Events."
+ "text": "Identifies a match in AWSCloudTrail from any IP IOC from TI"
 }
 }
 ]
@@ -510,13 +461,13 @@
 {
 "name": "analytic22",
 "type": "Microsoft.Common.Section",
- "label": "TI Map IP Entity to CommonSecurityLog",
+ "label": "TI Map IP Entity to AzureActivity",
 "elements": [
 {
 "name": "analytic22-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in CommonSecurityLog."
+ "text": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in AzureActivity."
 }
 }
 ]
@@ -524,13 +475,13 @@
 {
 "name": "analytic23",
 "type": "Microsoft.Common.Section",
- "label": "TI Map IP Entity to DnsEvents",
+ "label": "TI map IP entity to AzureFirewall",
 "elements": [
 {
 "name": "analytic23-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in DnsEvents."
+ "text": "Identifies a match in AzureFirewall (NetworkRule & ApplicationRule Logs) from any IP IOC from TI"
 }
 }
 ]
@@ -538,13 +489,13 @@
 {
 "name": "analytic24",
 "type": "Microsoft.Common.Section",
- "label": "TI map IP entity to Web Session Events (ASIM Web Session schema)",
+ "label": "TI map IP entity to Azure Key Vault logs",
 "elements": [
 {
 "name": "analytic24-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This rule identifies Web Sessions for which the source IP address is a known IoC. This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM."
+ "text": "Identifies a match in Azure Key Vault logs from any IP IOC from TI"
 }
 }
 ]
@@ -552,13 +503,13 @@
 {
 "name": "analytic25",
 "type": "Microsoft.Common.Section",
- "label": "TI map IP entity to OfficeActivity",
+ "label": "TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)",
 "elements": [
 {
 "name": "analytic25-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in OfficeActivity."
+ "text": "Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed"
 }
 }
 ]
@@ -566,13 +517,13 @@
 {
 "name": "analytic26",
 "type": "Microsoft.Common.Section",
- "label": "TI Map IP Entity to SigninLogs",
+ "label": "TI Map IP Entity to Azure SQL Security Audit Events",
 "elements": [
 {
 "name": "analytic26-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SigninLogs."
+ "text": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SQL Security Audit Events."
 }
 }
 ]
@@ -580,13 +531,13 @@
 {
 "name": "analytic27",
 "type": "Microsoft.Common.Section",
- "label": "TI Map IP Entity to VMConnection",
+ "label": "TI Map IP Entity to CommonSecurityLog",
 "elements": [
 {
 "name": "analytic27-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in VMConnection."
+ "text": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in CommonSecurityLog."
 }
 }
 ]
@@ -594,13 +545,13 @@
 {
 "name": "analytic28",
 "type": "Microsoft.Common.Section",
- "label": "TI Map IP Entity to W3CIISLog",
+ "label": "TI Map IP Entity to DeviceNetworkEvents",
 "elements": [
 {
 "name": "analytic28-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in W3CIISLog."
+ "text": "Identifies a match in DeviceNetworkEvents Event data from any IP Indicator from TI."
 }
 }
 ]
@@ -608,13 +559,13 @@
 {
 "name": "analytic29",
 "type": "Microsoft.Common.Section",
- "label": "TI Map URL Entity to AuditLogs",
+ "label": "TI Map IP Entity to DnsEvents",
 "elements": [
 {
 "name": "analytic29-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in AuditLogs."
+ "text": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in DnsEvents."
 }
 }
 ]
@@ -622,13 +573,13 @@
 {
 "name": "analytic30",
 "type": "Microsoft.Common.Section",
- "label": "TI Map URL Entity to OfficeActivity Data",
+ "label": "TI map IP entity to Web Session Events (ASIM Web Session schema)",
 "elements": [
 {
 "name": "analytic30-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in OfficeActivity data."
+ "text": "This rule identifies Web Sessions for which the source IP address is a known IoC. This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM."
 }
 }
 ]
@@ -636,13 +587,13 @@
 {
 "name": "analytic31",
 "type": "Microsoft.Common.Section",
- "label": "TI Map URL Entity to PaloAlto Data",
+ "label": "TI map IP entity to OfficeActivity",
 "elements": [
 {
 "name": "analytic31-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in PaloAlto Data."
+ "text": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in OfficeActivity."
 }
 }
 ]
@@ -650,13 +601,13 @@
 {
 "name": "analytic32",
 "type": "Microsoft.Common.Section",
- "label": "TI Map URL Entity to SecurityAlert Data",
+ "label": "TI Map IP Entity to SigninLogs",
 "elements": [
 {
 "name": "analytic32-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in SecurityAlert data."
+ "text": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SigninLogs."
 }
 }
 ]
@@ -664,13 +615,13 @@
 {
 "name": "analytic33",
 "type": "Microsoft.Common.Section",
- "label": "TI Map URL Entity to Syslog Data",
+ "label": "TI Map IP Entity to VMConnection",
 "elements": [
 {
 "name": "analytic33-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in Syslog data."
+ "text": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in VMConnection."
 }
 }
 ]
@@ -678,13 +629,13 @@
 {
 "name": "analytic34",
 "type": "Microsoft.Common.Section",
- "label": "TI Map IP Entity to Duo Security",
+ "label": "TI Map IP Entity to W3CIISLog",
 "elements": [
 {
 "name": "analytic34-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in DuoSecurity."
+ "text": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in W3CIISLog."
 }
 }
 ]
@@ -692,13 +643,13 @@
 {
 "name": "analytic35",
 "type": "Microsoft.Common.Section",
- "label": "TI map Domain entity to Dns Events (ASIM DNS Schema)",
+ "label": "TI Map URL Entity to AuditLogs",
 "elements": [
 {
 "name": "analytic35-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies a match in DNS events from any Domain IOC from TI\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema'"
+ "text": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in AuditLogs."
 }
 }
 ]
@@ -706,13 +657,13 @@
 {
 "name": "analytic36",
 "type": "Microsoft.Common.Section",
- "label": "TI map IP entity to DNS Events (ASIM DNS schema)",
+ "label": "TI Map URL Entity to AuditLogs",
 "elements": [
 {
 "name": "analytic36-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This rule identifies DNS requests for which response IP address is a known IoC. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema."
+ "text": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in DeviceNetworkEvents."
 }
 }
 ]
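Review bot: The new label for analytic36 repeats analytic35's label, `"label": "TI Map URL Entity to AuditLogs",`, while its new text says the rule searches DeviceNetworkEvents, so the portal will show two sections with the same title and the second one misnames its data source. The label should presumably be `"label": "TI Map URL Entity to DeviceNetworkEvents",` to match the text. If this createUiDefinition is produced by the packaging tooling from the rule's YAML, the correction belongs in that rule's name field with the package regenerated, rather than a hand edit here. The other renumbered hunks on this page keep label and text consistent.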
@@ -720,13 +671,13 @@
 {
 "name": "analytic37",
 "type": "Microsoft.Common.Section",
- "label": "TI map IP entity to Network Session Events (ASIM Network Session schema)",
+ "label": "TI Map URL Entity to EmailUrlInfo",
 "elements": [
 {
 "name": "analytic37-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This rule identifies a match Network Sessions for which the source or destination IP address is a known IoC. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema"
+ "text": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in EmailUrlInfo."
 }
 }
 ]
@@ -734,11 +685,137 @@
 {
 "name": "analytic38",
 "type": "Microsoft.Common.Section",
- "label": "TI map IP entity to GitHub_CL",
+ "label": "TI Map URL Entity to OfficeActivity Data [Deprecated]",
 "elements": [
 {
 "name": "analytic38-text",
 "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This query is Deprecated as its filter conditions will never yield results. This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in OfficeActivity data."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic39",
+ "type": "Microsoft.Common.Section",
+ "label": "TI Map URL Entity to PaloAlto Data",
+ "elements": [
+ {
+ "name": "analytic39-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in PaloAlto Data."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic40",
+ "type": "Microsoft.Common.Section",
+ "label": "TI Map URL Entity to SecurityAlert Data",
+ "elements": [
+ {
+ "name": "analytic40-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in SecurityAlert data."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic41",
+ "type": "Microsoft.Common.Section",
+ "label": "TI Map URL Entity to Syslog Data",
+ "elements": [
+ {
+ "name": "analytic41-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in Syslog data."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic42",
+ "type": "Microsoft.Common.Section",
+ "label": "TI Map URL Entity to UrlClickEvents",
+ "elements": [
+ {
+ "name": "analytic42-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in UrlClickEvents."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic43",
+ "type": "Microsoft.Common.Section",
+ "label": "TI Map IP Entity to Duo Security",
+ "elements": [
+ {
+ "name": "analytic43-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in DuoSecurity."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic44",
+ "type": "Microsoft.Common.Section",
+ "label": "TI map Domain entity to Dns Events (ASIM DNS Schema)",
+ "elements": [
+ {
+ "name": "analytic44-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies a match in DNS events from any Domain IOC from TI\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema'"
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic45",
+ "type": "Microsoft.Common.Section",
+ "label": "TI map IP entity to DNS Events (ASIM DNS schema)",
+ "elements": [
+ {
+ "name": "analytic45-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This rule identifies DNS requests for which response IP address is a known IoC. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic46",
+ "type": "Microsoft.Common.Section",
+ "label": "TI map IP entity to Network Session Events (ASIM Network Session schema)",
+ "elements": [
+ {
+ "name": "analytic46-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This rule identifies a match Network Sessions for which the source or destination IP address is a known IoC. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema"
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic47",
+ "type": "Microsoft.Common.Section",
+ "label": "TI map IP entity to GitHub_CL",
+ "elements": [
+ {
+ "name": "analytic47-text",
+ "type": "Microsoft.Common.TextBlock",
 "options": {
 "text": "Identifies a match in GitHub_CL table from any IP IOC from TI"
 }
diff --git a/Solutions/Threat Intelligence/Package/mainTemplate.json b/Solutions/Threat Intelligence/Package/mainTemplate.json
index 3421e204aa..0f3728c8c3 100644
--- a/Solutions/Threat Intelligence/Package/mainTemplate.json
+++ b/Solutions/Threat Intelligence/Package/mainTemplate.json
@@ -41,7 +41,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "Threat Intelligence",
- "_solutionVersion": "3.0.1",
+ "_solutionVersion": "3.0.2",
 "solutionId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii",
 "_solutionId": "[variables('solutionId')]",
 "uiConfigId1": "ThreatIntelligenceTaxii",
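Review bot: The added analytic44 text carries a stray trailing apostrophe, `...supports the ASIM DNS schema'"`, which the portal will render verbatim; it should end `...supports the ASIM DNS schema"`. This text is presumably copied from the rule's YAML description by the packaging tooling, so the character should be removed there and the package regenerated. Separately, analytic38 is now labelled "[Deprecated]" and its text states that its filter conditions never yield results, so an operator who enables it from this list gets a rule that cannot alert; if a replacement rule exists, naming it in that text would help avoid a false sense of coverage.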
@@ -87,266 +87,361 @@
 "_workbookContentId1": "[variables('workbookContentId1')]",
 "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
 "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
- "huntingQueryVersion1": "1.0.3",
- "huntingQuerycontentId1": "410da56d-4a63-4d22-b68c-9fb1a303be6d",
- "_huntingQuerycontentId1": "[variables('huntingQuerycontentId1')]",
- "huntingQueryId1": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId1'))]",
- "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1'))))]",
- "_huntingQuerycontentProductId1": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId1'),'-', variables('huntingQueryVersion1'))))]",
- "huntingQueryVersion2": "1.0.3",
- "huntingQuerycontentId2": "233441b9-cc92-4c9b-87fa-73b855fcd4b8",
- "_huntingQuerycontentId2": "[variables('huntingQuerycontentId2')]",
- "huntingQueryId2": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId2'))]",
- "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId2'))))]",
- "_huntingQuerycontentProductId2": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId2'),'-', variables('huntingQueryVersion2'))))]",
- "huntingQueryVersion3": "1.0.3",
- "huntingQuerycontentId3": "18f7de84-de55-4983-aca3-a18bc846b4e0",
- "_huntingQuerycontentId3": "[variables('huntingQuerycontentId3')]",
- "huntingQueryId3": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId3'))]",
- "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId3'))))]",
- "_huntingQuerycontentProductId3": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId3'),'-', variables('huntingQueryVersion3'))))]",
- "huntingQueryVersion4": "1.0.3",
- "huntingQuerycontentId4": "172a321b-c46b-4508-87c6-e2691c778107",
- "_huntingQuerycontentId4": "[variables('huntingQuerycontentId4')]",
- "huntingQueryId4": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId4'))]",
- "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId4'))))]",
- "_huntingQuerycontentProductId4": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId4'),'-', variables('huntingQueryVersion4'))))]",
- "huntingQueryVersion5": "1.0.3",
- "huntingQuerycontentId5": "689a9475-440b-4e69-8ab1-a5e241685f39",
- "_huntingQuerycontentId5": "[variables('huntingQuerycontentId5')]",
- "huntingQueryId5": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId5'))]",
- "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId5'))))]",
- "_huntingQuerycontentProductId5": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId5'),'-', variables('huntingQueryVersion5'))))]",
- "analyticRuleVersion1": "1.4.0",
- "analyticRulecontentId1": "dd0a6029-ecef-4507-89c4-fc355ac52111",
- "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]",
- "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]",
- "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]",
- "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]",
- "analyticRuleVersion2": "1.4.0",
- "analyticRulecontentId2": "85aca4d1-5d15-4001-abd9-acb86ca1786a",
- "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]",
- "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]",
- "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))))]",
- "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', variables('analyticRuleVersion2'))))]",
- "analyticRuleVersion3": "1.0.4",
- "analyticRulecontentId3": "b1832f60-6c3d-4722-a0a5-3d564ee61a63",
- "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]",
- "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]",
- "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3'))))]",
- "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId3'),'-', variables('analyticRuleVersion3'))))]",
- "analyticRuleVersion4": "1.4.0",
- "analyticRulecontentId4": "ec21493c-2684-4acd-9bc2-696dbad72426",
- "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]",
- "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]",
- "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4'))))]",
- "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId4'),'-', variables('analyticRuleVersion4'))))]",
- "analyticRuleVersion5": "1.4.1",
- "analyticRulecontentId5": "87890d78-3e05-43ec-9ab9-ba32f4e01250",
- "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]",
- "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]",
- "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5'))))]",
- "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId5'),'-', variables('analyticRuleVersion5'))))]",
- "analyticRuleVersion6": "1.4.0",
- "analyticRulecontentId6": "532f62c1-fba6-4baa-bbb6-4a32a4ef32fa",
- "_analyticRulecontentId6": "[variables('analyticRulecontentId6')]",
- "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]",
- "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6'))))]",
- "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId6'),'-', variables('analyticRuleVersion6'))))]",
- "analyticRuleVersion7": "1.2.4",
- "analyticRulecontentId7": "cca3b4d9-ac39-4109-8b93-65bb284003e6",
- "_analyticRulecontentId7": "[variables('analyticRulecontentId7')]",
- "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId7'))]",
- "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7'))))]",
- "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId7'),'-', variables('analyticRuleVersion7'))))]",
- "analyticRuleVersion8": "1.2.4",
- "analyticRulecontentId8": "4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2",
- "_analyticRulecontentId8": "[variables('analyticRulecontentId8')]",
- "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId8'))]",
- "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8'))))]",
- "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId8'),'-', variables('analyticRuleVersion8'))))]",
- "analyticRuleVersion9": "1.2.4",
- "analyticRulecontentId9": "ffcd575b-3d54-482a-a6d8-d0de13b6ac63",
- "_analyticRulecontentId9": "[variables('analyticRulecontentId9')]",
- "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId9'))]",
- "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9'))))]",
- "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId9'),'-', variables('analyticRuleVersion9'))))]",
- "analyticRuleVersion10": "1.2.5",
- "analyticRulecontentId10": "a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc",
- "_analyticRulecontentId10": "[variables('analyticRulecontentId10')]",
- "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId10'))]",
- "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId10'))))]",
- "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId10'),'-', variables('analyticRuleVersion10'))))]",
- "analyticRuleVersion11": "1.3.4",
- "analyticRulecontentId11": "2fc5d810-c9cc-491a-b564-841427ae0e50",
- "_analyticRulecontentId11": "[variables('analyticRulecontentId11')]",
- "analyticRuleId11": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId11'))]",
- "analyticRuleTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId11'))))]",
- "_analyticRulecontentProductId11": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId11'),'-', variables('analyticRuleVersion11'))))]",
- "analyticRuleVersion12": "1.2.4",
- "analyticRulecontentId12": "30fa312c-31eb-43d8-b0cc-bcbdfb360822",
- "_analyticRulecontentId12": "[variables('analyticRulecontentId12')]",
- "analyticRuleId12": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId12'))]",
- "analyticRuleTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId12'))))]",
- "_analyticRulecontentProductId12": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId12'),'-', variables('analyticRuleVersion12'))))]",
- "analyticRuleVersion13": "1.3.3",
- "analyticRulecontentId13": "5d33fc63-b83b-4913-b95e-94d13f0d379f",
- "_analyticRulecontentId13": "[variables('analyticRulecontentId13')]",
- "analyticRuleId13": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId13'))]",
- "analyticRuleTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId13'))))]",
- "_analyticRulecontentProductId13": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId13'),'-', variables('analyticRuleVersion13'))))]",
- "analyticRuleVersion14": "1.4.3",
- "analyticRulecontentId14": "a7427ed7-04b4-4e3b-b323-08b981b9b4bf",
- "_analyticRulecontentId14": "[variables('analyticRulecontentId14')]",
- "analyticRuleId14": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId14'))]",
- "analyticRuleTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId14'))))]",
- "_analyticRulecontentProductId14": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId14'),'-', variables('analyticRuleVersion14'))))]",
- "analyticRuleVersion15": "1.4.0",
- "analyticRulecontentId15": "f9949656-473f-4503-bf43-a9d9890f7d08",
- "_analyticRulecontentId15": "[variables('analyticRulecontentId15')]",
- "analyticRuleId15": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId15'))]",
- "analyticRuleTemplateSpecName15": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId15'))))]",
- "_analyticRulecontentProductId15": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId15'),'-', variables('analyticRuleVersion15'))))]",
- "analyticRuleVersion16": "1.4.0",
- "analyticRulecontentId16": "f110287e-1358-490d-8147-ed804b328514",
- "_analyticRulecontentId16": "[variables('analyticRulecontentId16')]",
- "analyticRuleId16": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId16'))]",
- "analyticRuleTemplateSpecName16": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId16'))))]",
- "_analyticRulecontentProductId16": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId16'),'-', variables('analyticRuleVersion16'))))]",
- "analyticRuleVersion17": "1.3.2",
- "analyticRulecontentId17": "2441bce9-02e4-407b-8cc7-7d597f38b8b0",
- "_analyticRulecontentId17": "[variables('analyticRulecontentId17')]",
- "analyticRuleId17": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId17'))]",
- "analyticRuleTemplateSpecName17": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId17'))))]",
- "_analyticRulecontentProductId17": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId17'),'-', variables('analyticRuleVersion17'))))]",
- "analyticRuleVersion18": "1.3.0",
- "analyticRulecontentId18": "0b904747-1336-4363-8d84-df2710bfe5e7",
- "_analyticRulecontentId18": "[variables('analyticRulecontentId18')]",
- "analyticRuleId18": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId18'))]",
- "analyticRuleTemplateSpecName18": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId18'))))]",
- "_analyticRulecontentProductId18": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId18'),'-', variables('analyticRuleVersion18'))))]",
- "analyticRuleVersion19": "1.3.1",
- "analyticRulecontentId19": "57c7e832-64eb-411f-8928-4133f01f4a25",
- "_analyticRulecontentId19": "[variables('analyticRulecontentId19')]",
- "analyticRuleId19": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId19'))]",
- "analyticRuleTemplateSpecName19": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId19'))))]",
- "_analyticRulecontentProductId19": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId19'),'-', variables('analyticRuleVersion19'))))]",
- "analyticRuleVersion20": "1.4.0",
- "analyticRulecontentId20": "a4025a76-6490-4e6b-bb69-d02be4b03f07",
- "_analyticRulecontentId20": "[variables('analyticRulecontentId20')]",
- "analyticRuleId20": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId20'))]",
- "analyticRuleTemplateSpecName20": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId20'))))]",
- "_analyticRulecontentProductId20": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId20'),'-', variables('analyticRuleVersion20'))))]",
- "analyticRuleVersion21": "1.3.0",
- "analyticRulecontentId21": "d0aa8969-1bbe-4da3-9e76-09e5f67c9d85",
- "_analyticRulecontentId21": "[variables('analyticRulecontentId21')]",
- "analyticRuleId21": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId21'))]",
- "analyticRuleTemplateSpecName21": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId21'))))]",
- "_analyticRulecontentProductId21": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId21'),'-', variables('analyticRuleVersion21'))))]",
- "analyticRuleVersion22": "1.2.0",
- "analyticRulecontentId22": "66c81ae2-1f89-4433-be00-2fbbd9ba5ebe",
- "_analyticRulecontentId22": "[variables('analyticRulecontentId22')]", - "analyticRuleId22": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId22'))]", - "analyticRuleTemplateSpecName22": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId22'))))]", - "_analyticRulecontentProductId22": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId22'),'-', variables('analyticRuleVersion22'))))]", - "analyticRuleVersion23": "1.4.0", - "analyticRulecontentId23": "69b7723c-2889-469f-8b55-a2d355ed9c87", - "_analyticRulecontentId23": "[variables('analyticRulecontentId23')]", - "analyticRuleId23": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId23'))]", - "analyticRuleTemplateSpecName23": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId23'))))]", - "_analyticRulecontentProductId23": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId23'),'-', variables('analyticRuleVersion23'))))]", - "analyticRuleVersion24": "1.2.3", - "analyticRulecontentId24": "e2559891-383c-4caf-ae67-55a008b9f89e", - "_analyticRulecontentId24": "[variables('analyticRulecontentId24')]", - "analyticRuleId24": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId24'))]", - "analyticRuleTemplateSpecName24": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId24'))))]", - "_analyticRulecontentProductId24": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId24'),'-', variables('analyticRuleVersion24'))))]", - "analyticRuleVersion25": "1.4.0", - "analyticRulecontentId25": "f15370f4-c6fa-42c5-9be4-1d308f40284e", - "_analyticRulecontentId25": "[variables('analyticRulecontentId25')]", - "analyticRuleId25": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId25'))]", - "analyticRuleTemplateSpecName25": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId25'))))]", - "_analyticRulecontentProductId25": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId25'),'-', variables('analyticRuleVersion25'))))]", - "analyticRuleVersion26": "1.2.5", - "analyticRulecontentId26": "f2eb15bd-8a88-4b24-9281-e133edfba315", - "_analyticRulecontentId26": "[variables('analyticRulecontentId26')]", - "analyticRuleId26": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId26'))]", - "analyticRuleTemplateSpecName26": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId26'))))]", - "_analyticRulecontentProductId26": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId26'),'-', variables('analyticRuleVersion26'))))]", - "analyticRuleVersion27": "1.4.0", - "analyticRulecontentId27": "9713e3c0-1410-468d-b79e-383448434b2d", - "_analyticRulecontentId27": "[variables('analyticRulecontentId27')]", - "analyticRuleId27": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId27'))]", - "analyticRuleTemplateSpecName27": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId27'))))]", - "_analyticRulecontentProductId27": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId27'),'-', variables('analyticRuleVersion27'))))]", - "analyticRuleVersion28": "1.4.0", - "analyticRulecontentId28": "5e45930c-09b1-4430-b2d1-cc75ada0dc0f", - "_analyticRulecontentId28": "[variables('analyticRulecontentId28')]", - "analyticRuleId28": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId28'))]", - "analyticRuleTemplateSpecName28": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId28'))))]", - "_analyticRulecontentProductId28": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId28'),'-', variables('analyticRuleVersion28'))))]", - "analyticRuleVersion29": "1.2.4", - "analyticRulecontentId29": "712fab52-2a7d-401e-a08c-ff939cc7c25e", - "_analyticRulecontentId29": "[variables('analyticRulecontentId29')]", - "analyticRuleId29": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId29'))]", - "analyticRuleTemplateSpecName29": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId29'))))]", - "_analyticRulecontentProductId29": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId29'),'-', variables('analyticRuleVersion29'))))]", - "analyticRuleVersion30": "1.2.5", - "analyticRulecontentId30": "36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b", 
- "_analyticRulecontentId30": "[variables('analyticRulecontentId30')]", - "analyticRuleId30": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId30'))]", - "analyticRuleTemplateSpecName30": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId30'))))]", - "_analyticRulecontentProductId30": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId30'),'-', variables('analyticRuleVersion30'))))]", - "analyticRuleVersion31": "1.2.3", - "analyticRulecontentId31": "106813db-679e-4382-a51b-1bfc463befc3", - "_analyticRulecontentId31": "[variables('analyticRulecontentId31')]", - "analyticRuleId31": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId31'))]", - "analyticRuleTemplateSpecName31": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId31'))))]", - "_analyticRulecontentProductId31": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId31'),'-', variables('analyticRuleVersion31'))))]", - "analyticRuleVersion32": "1.2.6", - "analyticRulecontentId32": "f30a47c1-65fb-42b1-a7f4-00941c12550b", - "_analyticRulecontentId32": "[variables('analyticRulecontentId32')]", - "analyticRuleId32": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId32'))]", - "analyticRuleTemplateSpecName32": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId32'))))]", - "_analyticRulecontentProductId32": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId32'),'-', variables('analyticRuleVersion32'))))]", - "analyticRuleVersion33": "1.2.4", - "analyticRulecontentId33": "b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf", - "_analyticRulecontentId33": "[variables('analyticRulecontentId33')]", - "analyticRuleId33": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId33'))]", - "analyticRuleTemplateSpecName33": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId33'))))]", - "_analyticRulecontentProductId33": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId33'),'-', variables('analyticRuleVersion33'))))]", - "analyticRuleVersion34": "1.0.3", - "analyticRulecontentId34": "d23ed927-5be3-4902-a9c1-85f841eb4fa1", - "_analyticRulecontentId34": "[variables('analyticRulecontentId34')]", - "analyticRuleId34": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId34'))]", - "analyticRuleTemplateSpecName34": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId34'))))]", - "_analyticRulecontentProductId34": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId34'),'-', variables('analyticRuleVersion34'))))]", - "analyticRuleVersion35": "1.1.4", - "analyticRulecontentId35": "999e9f5d-db4a-4b07-a206-29c4e667b7e8", - "_analyticRulecontentId35": "[variables('analyticRulecontentId35')]", - "analyticRuleId35": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId35'))]", - "analyticRuleTemplateSpecName35": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId35'))))]", - "_analyticRulecontentProductId35": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId35'),'-', variables('analyticRuleVersion35'))))]", - "analyticRuleVersion36": "1.2.2", - "analyticRulecontentId36": "67775878-7f8b-4380-ac54-115e1e828901", - "_analyticRulecontentId36": "[variables('analyticRulecontentId36')]", - "analyticRuleId36": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId36'))]", - "analyticRuleTemplateSpecName36": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId36'))))]", - "_analyticRulecontentProductId36": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId36'),'-', variables('analyticRuleVersion36'))))]", - "analyticRuleVersion37": "1.2.4", - "analyticRulecontentId37": "e2399891-383c-4caf-ae67-68a008b9f89e", - "_analyticRulecontentId37": "[variables('analyticRulecontentId37')]", - "analyticRuleId37": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId37'))]", - "analyticRuleTemplateSpecName37": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId37'))))]", - "_analyticRulecontentProductId37": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId37'),'-', variables('analyticRuleVersion37'))))]", - "analyticRuleVersion38": "1.0.2", - "analyticRulecontentId38": "aac495a9-feb1-446d-b08e-a1164a539452", 
- "_analyticRulecontentId38": "[variables('analyticRulecontentId38')]", - "analyticRuleId38": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId38'))]", - "analyticRuleTemplateSpecName38": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId38'))))]", - "_analyticRulecontentProductId38": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId38'),'-', variables('analyticRuleVersion38'))))]", - "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]", - "management": "[concat('https://management','.azure','.com/')]" + "huntingQueryObject1": { + "huntingQueryVersion1": "1.0.3", + "_huntingQuerycontentId1": "410da56d-4a63-4d22-b68c-9fb1a303be6d", + "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('410da56d-4a63-4d22-b68c-9fb1a303be6d')))]" + }, + "huntingQueryObject2": { + "huntingQueryVersion2": "1.0.3", + "_huntingQuerycontentId2": "233441b9-cc92-4c9b-87fa-73b855fcd4b8", + "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('233441b9-cc92-4c9b-87fa-73b855fcd4b8')))]" + }, + "huntingQueryObject3": { + "huntingQueryVersion3": "1.0.3", + "_huntingQuerycontentId3": "18f7de84-de55-4983-aca3-a18bc846b4e0", + "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('18f7de84-de55-4983-aca3-a18bc846b4e0')))]" + }, + "huntingQueryObject4": { + "huntingQueryVersion4": "1.0.3", + 
"_huntingQuerycontentId4": "172a321b-c46b-4508-87c6-e2691c778107", + "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('172a321b-c46b-4508-87c6-e2691c778107')))]" + }, + "huntingQueryObject5": { + "huntingQueryVersion5": "1.0.3", + "_huntingQuerycontentId5": "689a9475-440b-4e69-8ab1-a5e241685f39", + "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('689a9475-440b-4e69-8ab1-a5e241685f39')))]" + }, + "analyticRuleObject1": { + "analyticRuleVersion1": "1.4.1", + "_analyticRulecontentId1": "dd0a6029-ecef-4507-89c4-fc355ac52111", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'dd0a6029-ecef-4507-89c4-fc355ac52111')]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('dd0a6029-ecef-4507-89c4-fc355ac52111')))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dd0a6029-ecef-4507-89c4-fc355ac52111','-', '1.4.1')))]" + }, + "analyticRuleObject2": { + "analyticRuleVersion2": "1.0.0", + "_analyticRulecontentId2": "c308b2f3-eebe-4a20-905c-cb8293b062db", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'c308b2f3-eebe-4a20-905c-cb8293b062db')]", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c308b2f3-eebe-4a20-905c-cb8293b062db')))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c308b2f3-eebe-4a20-905c-cb8293b062db','-', '1.0.0')))]" + }, + "analyticRuleObject3": { + 
"analyticRuleVersion3": "1.4.1", + "_analyticRulecontentId3": "85aca4d1-5d15-4001-abd9-acb86ca1786a", + "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '85aca4d1-5d15-4001-abd9-acb86ca1786a')]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('85aca4d1-5d15-4001-abd9-acb86ca1786a')))]", + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','85aca4d1-5d15-4001-abd9-acb86ca1786a','-', '1.4.1')))]" + }, + "analyticRuleObject4": { + "analyticRuleVersion4": "1.0.0", + "_analyticRulecontentId4": "96307710-8bb9-4b45-8363-a90c72ebf86f", + "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '96307710-8bb9-4b45-8363-a90c72ebf86f')]", + "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('96307710-8bb9-4b45-8363-a90c72ebf86f')))]", + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','96307710-8bb9-4b45-8363-a90c72ebf86f','-', '1.0.0')))]" + }, + "analyticRuleObject5": { + "analyticRuleVersion5": "1.0.0", + "_analyticRulecontentId5": "87cc75df-d7b2-44f1-b064-ee924edfc879", + "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '87cc75df-d7b2-44f1-b064-ee924edfc879')]", + "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('87cc75df-d7b2-44f1-b064-ee924edfc879')))]", + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','87cc75df-d7b2-44f1-b064-ee924edfc879','-', '1.0.0')))]" + }, 
+ "analyticRuleObject6": { + "analyticRuleVersion6": "1.0.5", + "_analyticRulecontentId6": "b1832f60-6c3d-4722-a0a5-3d564ee61a63", + "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b1832f60-6c3d-4722-a0a5-3d564ee61a63')]", + "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b1832f60-6c3d-4722-a0a5-3d564ee61a63')))]", + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b1832f60-6c3d-4722-a0a5-3d564ee61a63','-', '1.0.5')))]" + }, + "analyticRuleObject7": { + "analyticRuleVersion7": "1.4.1", + "_analyticRulecontentId7": "ec21493c-2684-4acd-9bc2-696dbad72426", + "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'ec21493c-2684-4acd-9bc2-696dbad72426')]", + "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('ec21493c-2684-4acd-9bc2-696dbad72426')))]", + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','ec21493c-2684-4acd-9bc2-696dbad72426','-', '1.4.1')))]" + }, + "analyticRuleObject8": { + "analyticRuleVersion8": "1.4.2", + "_analyticRulecontentId8": "87890d78-3e05-43ec-9ab9-ba32f4e01250", + "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '87890d78-3e05-43ec-9ab9-ba32f4e01250')]", + "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('87890d78-3e05-43ec-9ab9-ba32f4e01250')))]", + "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','87890d78-3e05-43ec-9ab9-ba32f4e01250','-', '1.4.2')))]" + }, + "analyticRuleObject9": { + "analyticRuleVersion9": "1.4.1", + "_analyticRulecontentId9": "532f62c1-fba6-4baa-bbb6-4a32a4ef32fa", + "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '532f62c1-fba6-4baa-bbb6-4a32a4ef32fa')]", + "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('532f62c1-fba6-4baa-bbb6-4a32a4ef32fa')))]", + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','532f62c1-fba6-4baa-bbb6-4a32a4ef32fa','-', '1.4.1')))]" + }, + "analyticRuleObject10": { + "analyticRuleVersion10": "1.2.5", + "_analyticRulecontentId10": "cca3b4d9-ac39-4109-8b93-65bb284003e6", + "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'cca3b4d9-ac39-4109-8b93-65bb284003e6')]", + "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('cca3b4d9-ac39-4109-8b93-65bb284003e6')))]", + "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','cca3b4d9-ac39-4109-8b93-65bb284003e6','-', '1.2.5')))]" + }, + "analyticRuleObject11": { + "analyticRuleVersion11": "1.0.0", + "_analyticRulecontentId11": "11f7c6e3-f066-4b3c-9a81-b487ec0a6873", + "analyticRuleId11": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '11f7c6e3-f066-4b3c-9a81-b487ec0a6873')]", + "analyticRuleTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('11f7c6e3-f066-4b3c-9a81-b487ec0a6873')))]", + "_analyticRulecontentProductId11": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','11f7c6e3-f066-4b3c-9a81-b487ec0a6873','-', '1.0.0')))]" + }, + "analyticRuleObject12": { + "analyticRuleVersion12": "1.2.5", + "_analyticRulecontentId12": "4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2", + "analyticRuleId12": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2')]", + "analyticRuleTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2')))]", + "_analyticRulecontentProductId12": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2','-', '1.2.5')))]" + }, + "analyticRuleObject13": { + "analyticRuleVersion13": "1.2.5", + "_analyticRulecontentId13": "ffcd575b-3d54-482a-a6d8-d0de13b6ac63", + "analyticRuleId13": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'ffcd575b-3d54-482a-a6d8-d0de13b6ac63')]", + "analyticRuleTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('ffcd575b-3d54-482a-a6d8-d0de13b6ac63')))]", + "_analyticRulecontentProductId13": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','ffcd575b-3d54-482a-a6d8-d0de13b6ac63','-', '1.2.5')))]" + }, + "analyticRuleObject14": { + "analyticRuleVersion14": "1.2.6", + "_analyticRulecontentId14": "a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc", + "analyticRuleId14": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc')]", + "analyticRuleTemplateSpecName14": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc')))]", + "_analyticRulecontentProductId14": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc','-', '1.2.6')))]" + }, + "analyticRuleObject15": { + "analyticRuleVersion15": "1.3.5", + "_analyticRulecontentId15": "2fc5d810-c9cc-491a-b564-841427ae0e50", + "analyticRuleId15": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2fc5d810-c9cc-491a-b564-841427ae0e50')]", + "analyticRuleTemplateSpecName15": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2fc5d810-c9cc-491a-b564-841427ae0e50')))]", + "_analyticRulecontentProductId15": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2fc5d810-c9cc-491a-b564-841427ae0e50','-', '1.3.5')))]" + }, + "analyticRuleObject16": { + "analyticRuleVersion16": "1.2.5", + "_analyticRulecontentId16": "30fa312c-31eb-43d8-b0cc-bcbdfb360822", + "analyticRuleId16": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '30fa312c-31eb-43d8-b0cc-bcbdfb360822')]", + "analyticRuleTemplateSpecName16": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('30fa312c-31eb-43d8-b0cc-bcbdfb360822')))]", + "_analyticRulecontentProductId16": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','30fa312c-31eb-43d8-b0cc-bcbdfb360822','-', '1.2.5')))]" + }, + "analyticRuleObject17": { + "analyticRuleVersion17": "1.3.4", + "_analyticRulecontentId17": "5d33fc63-b83b-4913-b95e-94d13f0d379f", + "analyticRuleId17": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 
'5d33fc63-b83b-4913-b95e-94d13f0d379f')]", + "analyticRuleTemplateSpecName17": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5d33fc63-b83b-4913-b95e-94d13f0d379f')))]", + "_analyticRulecontentProductId17": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5d33fc63-b83b-4913-b95e-94d13f0d379f','-', '1.3.4')))]" + }, + "analyticRuleObject18": { + "analyticRuleVersion18": "1.0.0", + "_analyticRulecontentId18": "bc0eca2e-db50-44e6-8fa3-b85f91ff5ee7", + "analyticRuleId18": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'bc0eca2e-db50-44e6-8fa3-b85f91ff5ee7')]", + "analyticRuleTemplateSpecName18": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('bc0eca2e-db50-44e6-8fa3-b85f91ff5ee7')))]", + "_analyticRulecontentProductId18": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','bc0eca2e-db50-44e6-8fa3-b85f91ff5ee7','-', '1.0.0')))]" + }, + "analyticRuleObject19": { + "analyticRuleVersion19": "1.4.4", + "_analyticRulecontentId19": "a7427ed7-04b4-4e3b-b323-08b981b9b4bf", + "analyticRuleId19": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a7427ed7-04b4-4e3b-b323-08b981b9b4bf')]", + "analyticRuleTemplateSpecName19": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a7427ed7-04b4-4e3b-b323-08b981b9b4bf')))]", + "_analyticRulecontentProductId19": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a7427ed7-04b4-4e3b-b323-08b981b9b4bf','-', '1.4.4')))]" + }, + "analyticRuleObject20": { + "analyticRuleVersion20": "1.5.1", + "_analyticRulecontentId20": "f9949656-473f-4503-bf43-a9d9890f7d08", + "analyticRuleId20": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f9949656-473f-4503-bf43-a9d9890f7d08')]", + "analyticRuleTemplateSpecName20": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f9949656-473f-4503-bf43-a9d9890f7d08')))]", + "_analyticRulecontentProductId20": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f9949656-473f-4503-bf43-a9d9890f7d08','-', '1.5.1')))]" + }, + "analyticRuleObject21": { + "analyticRuleVersion21": "1.4.1", + "_analyticRulecontentId21": "f110287e-1358-490d-8147-ed804b328514", + "analyticRuleId21": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f110287e-1358-490d-8147-ed804b328514')]", + "analyticRuleTemplateSpecName21": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f110287e-1358-490d-8147-ed804b328514')))]", + "_analyticRulecontentProductId21": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f110287e-1358-490d-8147-ed804b328514','-', '1.4.1')))]" + }, + "analyticRuleObject22": { + "analyticRuleVersion22": "1.4.1", + "_analyticRulecontentId22": "2441bce9-02e4-407b-8cc7-7d597f38b8b0", + "analyticRuleId22": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2441bce9-02e4-407b-8cc7-7d597f38b8b0')]", + "analyticRuleTemplateSpecName22": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2441bce9-02e4-407b-8cc7-7d597f38b8b0')))]", + "_analyticRulecontentProductId22": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2441bce9-02e4-407b-8cc7-7d597f38b8b0','-', '1.4.1')))]" + }, + "analyticRuleObject23": { + "analyticRuleVersion23": "1.3.1", + "_analyticRulecontentId23": 
"0b904747-1336-4363-8d84-df2710bfe5e7", + "analyticRuleId23": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '0b904747-1336-4363-8d84-df2710bfe5e7')]", + "analyticRuleTemplateSpecName23": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('0b904747-1336-4363-8d84-df2710bfe5e7')))]", + "_analyticRulecontentProductId23": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0b904747-1336-4363-8d84-df2710bfe5e7','-', '1.3.1')))]" + }, + "analyticRuleObject24": { + "analyticRuleVersion24": "1.3.3", + "_analyticRulecontentId24": "57c7e832-64eb-411f-8928-4133f01f4a25", + "analyticRuleId24": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '57c7e832-64eb-411f-8928-4133f01f4a25')]", + "analyticRuleTemplateSpecName24": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('57c7e832-64eb-411f-8928-4133f01f4a25')))]", + "_analyticRulecontentProductId24": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','57c7e832-64eb-411f-8928-4133f01f4a25','-', '1.3.3')))]" + }, + "analyticRuleObject25": { + "analyticRuleVersion25": "1.4.1", + "_analyticRulecontentId25": "a4025a76-6490-4e6b-bb69-d02be4b03f07", + "analyticRuleId25": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a4025a76-6490-4e6b-bb69-d02be4b03f07')]", + "analyticRuleTemplateSpecName25": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a4025a76-6490-4e6b-bb69-d02be4b03f07')))]", + "_analyticRulecontentProductId25": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a4025a76-6490-4e6b-bb69-d02be4b03f07','-', '1.4.1')))]" + }, + "analyticRuleObject26": { + 
"analyticRuleVersion26": "1.3.1", + "_analyticRulecontentId26": "d0aa8969-1bbe-4da3-9e76-09e5f67c9d85", + "analyticRuleId26": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd0aa8969-1bbe-4da3-9e76-09e5f67c9d85')]", + "analyticRuleTemplateSpecName26": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d0aa8969-1bbe-4da3-9e76-09e5f67c9d85')))]", + "_analyticRulecontentProductId26": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d0aa8969-1bbe-4da3-9e76-09e5f67c9d85','-', '1.3.1')))]" + }, + "analyticRuleObject27": { + "analyticRuleVersion27": "1.2.1", + "_analyticRulecontentId27": "66c81ae2-1f89-4433-be00-2fbbd9ba5ebe", + "analyticRuleId27": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '66c81ae2-1f89-4433-be00-2fbbd9ba5ebe')]", + "analyticRuleTemplateSpecName27": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('66c81ae2-1f89-4433-be00-2fbbd9ba5ebe')))]", + "_analyticRulecontentProductId27": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','66c81ae2-1f89-4433-be00-2fbbd9ba5ebe','-', '1.2.1')))]" + }, + "analyticRuleObject28": { + "analyticRuleVersion28": "1.0.0", + "_analyticRulecontentId28": "b2df4979-d34a-48b3-a7d9-f473a4bf8058", + "analyticRuleId28": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b2df4979-d34a-48b3-a7d9-f473a4bf8058')]", + "analyticRuleTemplateSpecName28": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b2df4979-d34a-48b3-a7d9-f473a4bf8058')))]", + "_analyticRulecontentProductId28": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b2df4979-d34a-48b3-a7d9-f473a4bf8058','-', 
'1.0.0')))]" + }, + "analyticRuleObject29": { + "analyticRuleVersion29": "1.4.1", + "_analyticRulecontentId29": "69b7723c-2889-469f-8b55-a2d355ed9c87", + "analyticRuleId29": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '69b7723c-2889-469f-8b55-a2d355ed9c87')]", + "analyticRuleTemplateSpecName29": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('69b7723c-2889-469f-8b55-a2d355ed9c87')))]", + "_analyticRulecontentProductId29": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','69b7723c-2889-469f-8b55-a2d355ed9c87','-', '1.4.1')))]" + }, + "analyticRuleObject30": { + "analyticRuleVersion30": "1.2.4", + "_analyticRulecontentId30": "e2559891-383c-4caf-ae67-55a008b9f89e", + "analyticRuleId30": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e2559891-383c-4caf-ae67-55a008b9f89e')]", + "analyticRuleTemplateSpecName30": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e2559891-383c-4caf-ae67-55a008b9f89e')))]", + "_analyticRulecontentProductId30": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e2559891-383c-4caf-ae67-55a008b9f89e','-', '1.2.4')))]" + }, + "analyticRuleObject31": { + "analyticRuleVersion31": "1.4.1", + "_analyticRulecontentId31": "f15370f4-c6fa-42c5-9be4-1d308f40284e", + "analyticRuleId31": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f15370f4-c6fa-42c5-9be4-1d308f40284e')]", + "analyticRuleTemplateSpecName31": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f15370f4-c6fa-42c5-9be4-1d308f40284e')))]", + "_analyticRulecontentProductId31": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f15370f4-c6fa-42c5-9be4-1d308f40284e','-', '1.4.1')))]" + }, + "analyticRuleObject32": { + "analyticRuleVersion32": "1.2.6", + "_analyticRulecontentId32": "f2eb15bd-8a88-4b24-9281-e133edfba315", + "analyticRuleId32": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f2eb15bd-8a88-4b24-9281-e133edfba315')]", + "analyticRuleTemplateSpecName32": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f2eb15bd-8a88-4b24-9281-e133edfba315')))]", + "_analyticRulecontentProductId32": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f2eb15bd-8a88-4b24-9281-e133edfba315','-', '1.2.6')))]" + }, + "analyticRuleObject33": { + "analyticRuleVersion33": "1.4.1", + "_analyticRulecontentId33": "9713e3c0-1410-468d-b79e-383448434b2d", + "analyticRuleId33": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9713e3c0-1410-468d-b79e-383448434b2d')]", + "analyticRuleTemplateSpecName33": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9713e3c0-1410-468d-b79e-383448434b2d')))]", + "_analyticRulecontentProductId33": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9713e3c0-1410-468d-b79e-383448434b2d','-', '1.4.1')))]" + }, + "analyticRuleObject34": { + "analyticRuleVersion34": "1.4.1", + "_analyticRulecontentId34": "5e45930c-09b1-4430-b2d1-cc75ada0dc0f", + "analyticRuleId34": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5e45930c-09b1-4430-b2d1-cc75ada0dc0f')]", + "analyticRuleTemplateSpecName34": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5e45930c-09b1-4430-b2d1-cc75ada0dc0f')))]", + "_analyticRulecontentProductId34": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5e45930c-09b1-4430-b2d1-cc75ada0dc0f','-', '1.4.1')))]" + }, + "analyticRuleObject35": { + "analyticRuleVersion35": "1.2.5", + "_analyticRulecontentId35": "712fab52-2a7d-401e-a08c-ff939cc7c25e", + "analyticRuleId35": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '712fab52-2a7d-401e-a08c-ff939cc7c25e')]", + "analyticRuleTemplateSpecName35": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('712fab52-2a7d-401e-a08c-ff939cc7c25e')))]", + "_analyticRulecontentProductId35": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','712fab52-2a7d-401e-a08c-ff939cc7c25e','-', '1.2.5')))]" + }, + "analyticRuleObject36": { + "analyticRuleVersion36": "1.0.0", + "_analyticRulecontentId36": "6ddbd892-a9be-47be-bab7-521241695bd6", + "analyticRuleId36": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6ddbd892-a9be-47be-bab7-521241695bd6')]", + "analyticRuleTemplateSpecName36": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6ddbd892-a9be-47be-bab7-521241695bd6')))]", + "_analyticRulecontentProductId36": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6ddbd892-a9be-47be-bab7-521241695bd6','-', '1.0.0')))]" + }, + "analyticRuleObject37": { + "analyticRuleVersion37": "1.0.0", + "_analyticRulecontentId37": "a0038239-72f4-4f7b-90ff-37f89f7881e0", + "analyticRuleId37": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a0038239-72f4-4f7b-90ff-37f89f7881e0')]", + "analyticRuleTemplateSpecName37": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a0038239-72f4-4f7b-90ff-37f89f7881e0')))]", + "_analyticRulecontentProductId37": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a0038239-72f4-4f7b-90ff-37f89f7881e0','-', '1.0.0')))]" + }, + "analyticRuleObject38": { + "analyticRuleVersion38": "1.2.6", + "_analyticRulecontentId38": "36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b", + "analyticRuleId38": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b')]", + "analyticRuleTemplateSpecName38": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b')))]", + "_analyticRulecontentProductId38": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b','-', '1.2.6')))]" + }, + "analyticRuleObject39": { + "analyticRuleVersion39": "1.2.4", + "_analyticRulecontentId39": "106813db-679e-4382-a51b-1bfc463befc3", + "analyticRuleId39": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '106813db-679e-4382-a51b-1bfc463befc3')]", + "analyticRuleTemplateSpecName39": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('106813db-679e-4382-a51b-1bfc463befc3')))]", + "_analyticRulecontentProductId39": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','106813db-679e-4382-a51b-1bfc463befc3','-', '1.2.4')))]" + }, + "analyticRuleObject40": { + "analyticRuleVersion40": "1.2.7", + "_analyticRulecontentId40": "f30a47c1-65fb-42b1-a7f4-00941c12550b", + "analyticRuleId40": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 
'f30a47c1-65fb-42b1-a7f4-00941c12550b')]", + "analyticRuleTemplateSpecName40": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f30a47c1-65fb-42b1-a7f4-00941c12550b')))]", + "_analyticRulecontentProductId40": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f30a47c1-65fb-42b1-a7f4-00941c12550b','-', '1.2.7')))]" + }, + "analyticRuleObject41": { + "analyticRuleVersion41": "1.2.5", + "_analyticRulecontentId41": "b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf", + "analyticRuleId41": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf')]", + "analyticRuleTemplateSpecName41": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf')))]", + "_analyticRulecontentProductId41": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf','-', '1.2.5')))]" + }, + "analyticRuleObject42": { + "analyticRuleVersion42": "1.0.0", + "_analyticRulecontentId42": "23391c84-87d8-452f-a84c-47a62f01e115", + "analyticRuleId42": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '23391c84-87d8-452f-a84c-47a62f01e115')]", + "analyticRuleTemplateSpecName42": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('23391c84-87d8-452f-a84c-47a62f01e115')))]", + "_analyticRulecontentProductId42": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','23391c84-87d8-452f-a84c-47a62f01e115','-', '1.0.0')))]" + }, + "analyticRuleObject43": { + "analyticRuleVersion43": "1.0.4", + "_analyticRulecontentId43": "d23ed927-5be3-4902-a9c1-85f841eb4fa1", + "analyticRuleId43": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd23ed927-5be3-4902-a9c1-85f841eb4fa1')]", + "analyticRuleTemplateSpecName43": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d23ed927-5be3-4902-a9c1-85f841eb4fa1')))]", + "_analyticRulecontentProductId43": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d23ed927-5be3-4902-a9c1-85f841eb4fa1','-', '1.0.4')))]" + }, + "analyticRuleObject44": { + "analyticRuleVersion44": "1.1.5", + "_analyticRulecontentId44": "999e9f5d-db4a-4b07-a206-29c4e667b7e8", + "analyticRuleId44": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '999e9f5d-db4a-4b07-a206-29c4e667b7e8')]", + "analyticRuleTemplateSpecName44": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('999e9f5d-db4a-4b07-a206-29c4e667b7e8')))]", + "_analyticRulecontentProductId44": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','999e9f5d-db4a-4b07-a206-29c4e667b7e8','-', '1.1.5')))]" + }, + "analyticRuleObject45": { + "analyticRuleVersion45": "1.2.3", + "_analyticRulecontentId45": "67775878-7f8b-4380-ac54-115e1e828901", + "analyticRuleId45": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '67775878-7f8b-4380-ac54-115e1e828901')]", + "analyticRuleTemplateSpecName45": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('67775878-7f8b-4380-ac54-115e1e828901')))]", + "_analyticRulecontentProductId45": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','67775878-7f8b-4380-ac54-115e1e828901','-', '1.2.3')))]" + }, + "analyticRuleObject46": { + "analyticRuleVersion46": "1.2.5", + "_analyticRulecontentId46": 
"e2399891-383c-4caf-ae67-68a008b9f89e", + "analyticRuleId46": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e2399891-383c-4caf-ae67-68a008b9f89e')]", + "analyticRuleTemplateSpecName46": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e2399891-383c-4caf-ae67-68a008b9f89e')))]", + "_analyticRulecontentProductId46": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e2399891-383c-4caf-ae67-68a008b9f89e','-', '1.2.5')))]" + }, + "analyticRuleObject47": { + "analyticRuleVersion47": "1.0.3", + "_analyticRulecontentId47": "aac495a9-feb1-446d-b08e-a1164a539452", + "analyticRuleId47": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'aac495a9-feb1-446d-b08e-a1164a539452')]", + "analyticRuleTemplateSpecName47": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('aac495a9-feb1-446d-b08e-a1164a539452')))]", + "_analyticRulecontentProductId47": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','aac495a9-feb1-446d-b08e-a1164a539452','-', '1.0.3')))]" + }, + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ { 
@@ -358,7 +453,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Threat Intelligence data connector with template version 3.0.1", + "description": "Threat Intelligence data connector with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -517,7 +612,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Threat Intelligence data connector with template version 3.0.1", + "description": "Threat Intelligence data connector with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion2')]", @@ -676,7 +771,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Threat Intelligence data connector with template version 3.0.1", + "description": "Threat Intelligence data connector with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion3')]", @@ -688,7 +783,7 @@ "apiVersion": "2021-03-01-preview", "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", "location": "[parameters('workspace-location')]", - "kind": "GenericUI", + "kind": "StaticUI", "properties": { "connectorUiConfig": { "id": "[variables('_uiConfigId3')]", 
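Review bot: The `"kind": "StaticUI"` switch in the `@@ -688` hunk (and again in `@@ -837`) is paired in the following `@@ -702`, `@@ -722` and `@@ -864` hunks with the removal of the connector's `permissions` block, which declared the `Microsoft.SecurityInsights/threatintelligence/write` requirement, and of the `instructionSteps` that told operators which token scope and endpoint the upload path uses; if the static connector UI does not render these, the prerequisite (write access on the workspace TI scope) should still be surfaced in the linked connector documentation so that operators do not over-grant or under-grant when onboarding. It appears that the removed steps were the only place `variables('management')` was consumed; if no other reference remains, that variable is now dead and could be dropped with a short comment. For the first connector, `dataTypes` is moved rather than removed (re-added after `connectivityCriterias` in `@@ -722`), but for the second connector the `@@ -864` hunk only removes `sampleQueries`; please confirm its `dataTypes`/`lastDataReceivedQuery` entry survives outside this hunk, since the "last data received" signal is what lets defenders notice a stalled indicator feed. The `dataConnectors` resource in `@@ -688` starts before the hunk and the `@@ -722` hunk closes a `connectorUiConfig` object that opens outside it.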
@@ -702,18 +797,6 @@ "baseQuery": "ThreatIntelligenceIndicator | where SourceSystem != 'Microsoft Sentinel'" } ], - "sampleQueries": [ - { - "description": "All Threat Intelligence APIs Indicators", - "query": "ThreatIntelligenceIndicator | where SourceSystem !in ('SecurityGraph', 'Azure Sentinel', 'Microsoft Sentinel')| sort by TimeGenerated desc" - } - ], - "dataTypes": [ - { - "name": "ThreatIntelligenceIndicator", - "lastDataReceivedQuery": "ThreatIntelligenceIndicator| where isnotempty(TimeGenerated) and SourceSystem !in ('SecurityGraph', 'Azure Sentinel', 'Microsoft Sentinel')| summarize Time = max(TimeGenerated)" - } - ], "connectivityCriterias": [ { "type": "IsConnectedQuery", 
@@ -722,40 +805,10 @@ ] } ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.SecurityInsights/threatintelligence/write", - "permissionsDisplayText": "write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "\n>Using an integrated Threat Intelligence Platform (TIP), such as Threat Connect, Palo Alto Networks MineMeld, MISP, and others. \n\n>Calling the Microsoft Sentinel data plane API directly from another application. ", - "title": "You can connect your threat intelligence data sources to Microsoft Sentinel by either: " - }, - { - "title": "Follow These Steps to Connect to your Threat Intelligence: " - }, - { - "description": "[concat('To send request to the APIs, you need to acquire Azure Active Directory access token. You can follow instruction in this page: https://docs.microsoft.com/azure/databricks/dev-tools/api/latest/aad/app-aad-token#get-an-azure-ad-access-token \n - Notice: Please request AAD access token with scope value: ', variables('management'), '.default')]", - "title": "1. Get AAD Access Token" - }, + "dataTypes": [ { - "description": "You can send indicators by calling our Upload Indicators API. For more information about the API, click [here]( https://learn.microsoft.com/azure/sentinel/upload-indicators-api). \n\n>HTTP method: POST \n\n>Endpoint: https://sentinelus.azure-api.net/workspaces/[WorkspaceID]/threatintelligenceindicators:upload?api-version=2022-07-01 \n\n>WorkspaceID: the workspace that the indicators are uploaded to. \n\n\n>Header Value 1: \"Authorization\" = \"Bearer [AAD Access Token from step 1]\" \n\n\n> Header Value 2: \"Content-Type\" = \"application/json\" \n \n>Body: The body is a JSON object containing an array of indicators in STIX format.", - "title": "2. 
Send indicators to Sentinel" + "name": "ThreatIntelligenceIndicator", + "lastDataReceivedQuery": "ThreatIntelligenceIndicator| where isnotempty(TimeGenerated) and SourceSystem !in ('SecurityGraph', 'Azure Sentinel', 'Microsoft Sentinel')| summarize Time = max(TimeGenerated)" } ] } @@ -837,7 +890,7 @@ "apiVersion": "2021-03-01-preview", "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", "location": "[parameters('workspace-location')]", - "kind": "GenericUI", + "kind": "StaticUI", "properties": { "connectorUiConfig": { "title": "Threat Intelligence Upload Indicators API (Preview)", 
@@ -864,48 +917,6 @@ ] } ], - "sampleQueries": [ - { - "description": "All Threat Intelligence APIs Indicators", - "query": "ThreatIntelligenceIndicator | where SourceSystem !in ('SecurityGraph', 'Azure Sentinel', 'Microsoft Sentinel')| sort by TimeGenerated desc" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.SecurityInsights/threatintelligence/write", - "permissionsDisplayText": "write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "\n>Using an integrated Threat Intelligence Platform (TIP), such as Threat Connect, Palo Alto Networks MineMeld, MISP, and others. \n\n>Calling the Microsoft Sentinel data plane API directly from another application. ", - "title": "You can connect your threat intelligence data sources to Microsoft Sentinel by either: " - }, - { - "title": "Follow These Steps to Connect to your Threat Intelligence: " - }, - { - "description": "[concat('To send request to the APIs, you need to acquire Azure Active Directory access token. You can follow instruction in this page: https://docs.microsoft.com/azure/databricks/dev-tools/api/latest/aad/app-aad-token#get-an-azure-ad-access-token \n - Notice: Please request AAD access token with scope value: ', variables('management'), '.default')]", - "title": "1. Get AAD Access Token" - }, - { - "description": "You can send indicators by calling our Upload Indicators API. For more information about the API, click [here]( https://learn.microsoft.com/azure/sentinel/upload-indicators-api). \n\n>HTTP method: POST \n\n>Endpoint: https://sentinelus.azure-api.net/workspaces/[WorkspaceID]/threatintelligenceindicators:upload?api-version=2022-07-01 \n\n>WorkspaceID: the workspace that the indicators are uploaded to. 
\n\n\n>Header Value 1: \"Authorization\" = \"Bearer [AAD Access Token from step 1]\" \n\n\n> Header Value 2: \"Content-Type\" = \"application/json\" \n \n>Body: The body is a JSON object containing an array of indicators in STIX format.", - "title": "2. Send indicators to Sentinel" - } - ], "id": "[variables('_uiConfigId3')]" } } @@ -919,7 +930,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Threat Intelligence data connector with template version 3.0.1", + "description": "Threat Intelligence data connector with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion4')]", @@ -1078,7 +1089,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ThreatIntelligenceWorkbook Workbook with template version 3.0.1", + "description": "ThreatIntelligence Workbook with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", 
@@ -1096,7 +1107,7 @@ }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a4b4e975-fa7c-46a3-b669-850aacc88134\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Guide\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\r\\n]\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"id\":\"314d02bf-4691-43fa-af59-d67073c8b8fa\"},{\"id\":\"e6ded9a1-a83c-4762-938d-5bf8ff3d3d38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\",\"crossComponentResources\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"e3225ed0-6210-40a1-b2d0-66e42ffa71d6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| order by name asc\\r\\n| 
summarize Selected = makelist(id, 10), All = makelist(id, 1000)\\r\\n| mvexpand All limit 100\\r\\n| project value = tostring(All), label = tostring(All), selected = iff(Selected contains All, true, false)\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"15b2c181-7397-43c1-900a-28e175ae8a6f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":86400000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":604800000}],\"allowCustom\":true},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Parameter Selectors\"},{\"type\":1,\"content\":{\"json\":\"  Please take time to answer a quick survey,\\r\\n[ click here. ](https://forms.office.com/r/n9beey85aP)\"},\"name\":\"Survey\"},{\"type\":1,\"content\":{\"json\":\"# [Threat Intelligence](https://docs.microsoft.com/azure/sentinel/understand-threat-intelligence)\\n---\\n\\nWithin a Security Information and Event Management (SIEM) solution like Microsoft Sentinel, the most commonly used form of CTI is threat indicators, also known as Indicators of Compromise or IoCs. Threat indicators are data that associate observed artifacts such as URLs, file hashes, or IP addresses with known threat activity such as phishing, botnets, or malware. This form of threat intelligence is often called tactical threat intelligence because it can be applied to security products and automation in large scale to detect potential threats to an organization and protect against them. 
In Microsoft Sentinel, you can use threat indicators to help detect malicious activity observed in your environment and provide context to security investigators to help inform response decisions. [Video Demo](https://youtu.be/4Bet2oVODow)
\\n\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"customWidth\":\"79\",\"name\":\"Workbook Overview\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://azure.microsoft.com/svghandler/azure-sentinel?width=600&height=315) \"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"customWidth\":\"20\",\"name\":\"Microsoft Sentinel Logo\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"18c690d7-7cbd-46c1-b677-1f72692d40cd\",\"cellValue\":\"TAB\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Indicators Ingestion\",\"subTarget\":\"Indicators\",\"preText\":\"Alert rules\",\"style\":\"link\"},{\"id\":\"f88dcf47-af98-4684-9de3-1ee5f48f68fc\",\"cellValue\":\"TAB\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Indicators Search\",\"subTarget\":\"Observed\",\"style\":\"link\"}]},\"name\":\"Tabs link\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType, bin(TimeGenerated, 1h)\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart 
kind=stacked \",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Imported into Sentinel by Indicator Type and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem, bin(TimeGenerated, 1h)\\r\\n| render barchart kind=stacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Imported into Sentinel by Indicator Provider and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n 
iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Indicator Type\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Indicator Source\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most 
recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by tostring(ConfidenceScore)\\r\\n| order by CountOfIndicators desc \\r\\n| render piechart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Confidence Score\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DomainQuery=view() { \\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(DomainName)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by DomainName\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"DomainEntry\\\"\\r\\n};\\r\\nlet UrlQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(Url)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by Url\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"UrlEntry\\\"\\r\\n};\\r\\nlet FileHashQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(FileHashValue)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by FileHashValue\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"FileHashEntry\\\"\\r\\n};\\r\\nlet IPQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP)\\r\\n| summarize 
SourceSystemArray=make_set(SourceSystem) by NetworkIP, NetworkSourceIP\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"IPEntry\\\"\\r\\n};\\r\\nlet EmailAddressQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSenderAddress)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSenderAddress\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailAddressEntry\\\"\\r\\n};\\r\\nlet EmailMessageQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSubject)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSubject\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailMessageEntry\\\"\\r\\n};\\r\\nlet SingleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))==1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1 \\r\\n};\\r\\nlet MultipleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))!=1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1\\r\\n};\\r\\nlet CountOfActiveIndicatorsBySource=view(){\\r\\n ThreatIntelligenceIndicator\\r\\n\\t| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n | where ExpirationDateTime > now() and Active == true\\r\\n | summarize count() by SourceSystem\\r\\n | project SourceSystem, count_\\r\\n};\\r\\nSingleSourceIndicators\\r\\n| join 
kind=fullouter MultipleSourceIndicators on counter \\r\\n| where SourceSystemArray contains todynamic(SourceSystemArray)[0] \\r\\n| order by SourceSystemArray\\r\\n| extend solitary_count=sum_count_\\r\\n| summarize shared_count = sum(sum_count_1) by SourceSystemArray, solitary_count\\r\\n| extend total_count = shared_count + solitary_count\\r\\n| extend unique_percentage = round(toreal(solitary_count)/toreal(total_count)*100, 1)\\r\\n| extend IndicatorSource = tostring(todynamic(SourceSystemArray)[0])\\r\\n| join kind=inner CountOfActiveIndicatorsBySource on $left.IndicatorSource == $right.SourceSystem\\r\\n| order by unique_percentage desc\\r\\n| project Source=IndicatorSource, UniquenessPercentage=unique_percentage, ActiveIndicators = count_\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Uniqueness of Threat Intelligence Sources\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"View\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ActiveIndicators\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 12\"}]},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Indicators\"},\"name\":\"Indicators Ingestion\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9aec751b-07bd-43ba-80b9-f711887dce45\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Indicator\",\"label\":\"Search Indicator in 
Events\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"Threat Research Parameters\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"50\",\"name\":\"text - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Add additional lines for desired data columns\\r\\nunion withsource= Table_Name *\\r\\n| where column_ifexists('CallerIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileOriginUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FQDN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessSHA256', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddresses', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Name', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RecipientEmailAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SenderMailFromAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Url', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SrcIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DstIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkSourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHashValue', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkDestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSourceIpAddress', 
'') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSenderAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DomainName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AADEmail', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Account', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Caller', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CompromisedEntity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DisplayName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Email_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FullyQualifiedSubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessAccountUpn', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('MailboxOwnerUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Owner', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RequesterUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceIdentity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUser', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Upn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('User_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserId_', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId_s_s', '') has 
\\\"{Indicator}\\\" \\r\\nor column_ifexists('userName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserName', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('userPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Computer', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHash', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FilePath', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Process', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CommandLine', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NewProcessName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('ParentProcessName', '') has \\\"{Indicator}\\\"\\r\\n| summarize count() by Table_Name \\r\\n| project-rename ['Data Table']=Table_Name, ['Logs Count']=count_\\r\\n| sort by ['Logs Count'] desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Observed\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Type\",\"exportParameterName\":\"Type\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Data Table\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"Log\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Logs Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Add additional lines for desired data columns\\r\\nunion withsource= 
Table_Name *\\r\\n| where column_ifexists('CallerIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileOriginUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FQDN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessSHA256', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddresses', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Name', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RecipientEmailAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SenderMailFromAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Url', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SrcIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DstIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkSourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHashValue', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkDestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSourceIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSenderAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DomainName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AADEmail', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Account', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUPN', '') has \\\"{Indicator}\\\"\\r\\nor 
column_ifexists('Caller', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CompromisedEntity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DisplayName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Email_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FullyQualifiedSubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessAccountUpn', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('MailboxOwnerUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Owner', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RequesterUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceIdentity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUser', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Upn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('User_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserId_', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId_s_s', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('userName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserName', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('userPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Computer', '') has \\\"{Indicator}\\\"\\r\\nor 
column_ifexists('FileHash', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FilePath', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Process', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CommandLine', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NewProcessName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('ParentProcessName', '') has \\\"{Indicator}\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Type\\r\\n| render areachart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Observed over Time\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Data Table\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"Log\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Logs Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let tiObservables = ThreatIntelligenceIndicator\\r\\n | where TimeGenerated < now()\\r\\n | project IndicatorId, ThreatType, Description, Active, IndicatorTime = TimeGenerated, Indicator = strcat(NetworkSourceIP, NetworkIP, NetworkDestinationIP, Url, FileHashValue, EmailSourceIpAddress, EmailSenderAddress, DomainName), SourceSystem;\\r\\nlet alertEntity = SecurityAlert \\r\\n | project parse_json(Entities), SystemAlertId , AlertTime = TimeGenerated\\r\\n | mvexpand(Entities)\\r\\n | extend entity = iif(isnotempty(Entities.Address), Entities.Address,\\r\\n iif(isnotempty(Entities.HostName),strcat(Entities.HostName, \\\".\\\", 
Entities.DnsDomain),\\r\\n iif(isnotempty(Entities.Url), Entities.Url,\\r\\n iif(isnotempty(Entities.Value), Entities.Value,\\r\\n iif(Entities.Type == \\\"account\\\", strcat(Entities.Name,\\\"@\\\",Entities.UPNSuffix),\\\"\\\")))))\\r\\n | where isnotempty(entity) \\r\\n | project entity, SystemAlertId, AlertTime;\\r\\nlet IncidentAlerts = SecurityIncident\\r\\n | project IncidentTime = TimeGenerated, IncidentNumber, Title, parse_json(AlertIds)\\r\\n | mv-expand AlertIds\\r\\n | project IncidentTime, IncidentNumber, Title, tostring(AlertIds);\\r\\nlet AlertsWithTiObservables = alertEntity\\r\\n | join kind=inner tiObservables on $left.entity == $right.Indicator;\\r\\nlet IncidentsWithAlertsWithTiObservables = AlertsWithTiObservables\\r\\n | join kind=inner IncidentAlerts on $left.SystemAlertId == $right.AlertIds;\\r\\nIncidentsWithAlertsWithTiObservables\\r\\n| where Indicator contains '{Indicator}' or Indicator == \\\"*\\\"\\r\\n| summarize Incidents=dcount(IncidentNumber), Alerts=dcount(SystemAlertId) by Indicator, ThreatType, Source = SourceSystem, Description\\r\\n| sort by Incidents, Alerts desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Intelligence Alerts\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Botnet\",\"representation\":\"Command and 
Control\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"MaliciousUrl\",\"representation\":\"Initial_Access\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Malware\",\"representation\":\"Execution\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Phishing\",\"representation\":\"Exfiltration\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"Pre attack\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Incidents\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Alerts\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true}},\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend SystemAlertId = tostring(AlertIds[0])\\r\\n| join (SecurityAlert \\r\\n| where Entities <> \\\"\\\"\\r\\n| mv-expand parse_json(Entities)\\r\\n| where Entities contains '{Indicator}'\\r\\n| project SystemAlertId, Entities\\r\\n) on SystemAlertId\\r\\n| where Title <> \\\"\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, IncidentNumber desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade, Entities\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents\",\"noDataMessage\":\"No incidents observed within these 
thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"rowLimit\":2500,\"filter\":true,\"sortBy\":[{\"itemKey\":\"IncidentNumber\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"IncidentNumber\",\"sortOrder\":2}]},\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Observed\"},\"name\":\"Indicators Observed\"}],\"fromTemplateId\":\"sentinel-ThreatIntelligence\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": 
"{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a4b4e975-fa7c-46a3-b669-850aacc88134\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Guide\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\r\\n]\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"id\":\"314d02bf-4691-43fa-af59-d67073c8b8fa\"},{\"id\":\"e6ded9a1-a83c-4762-938d-5bf8ff3d3d38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\",\"crossComponentResources\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"e3225ed0-6210-40a1-b2d0-66e42ffa71d6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| order by name asc\\r\\n| summarize Selected = makelist(id, 10), All = makelist(id, 1000)\\r\\n| mvexpand All limit 100\\r\\n| project value = 
tostring(All), label = tostring(All), selected = iff(Selected contains All, true, false)\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"15b2c181-7397-43c1-900a-28e175ae8a6f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":86400000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":604800000}],\"allowCustom\":true},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Parameter Selectors\"},{\"type\":1,\"content\":{\"json\":\"  Please take time to answer a quick survey,\\r\\n[ click here. ](https://forms.office.com/r/n9beey85aP)\"},\"name\":\"Survey\"},{\"type\":1,\"content\":{\"json\":\"# [Threat Intelligence](https://docs.microsoft.com/azure/sentinel/understand-threat-intelligence)\\n---\\n\\nWithin a Security Information and Event Management (SIEM) solution like Microsoft Sentinel, the most commonly used form of CTI is threat indicators, also known as Indicators of Compromise or IoCs. Threat indicators are data that associate observed artifacts such as URLs, file hashes, or IP addresses with known threat activity such as phishing, botnets, or malware. This form of threat intelligence is often called tactical threat intelligence because it can be applied to security products and automation in large scale to detect potential threats to an organization and protect against them. In Microsoft Sentinel, you can use threat indicators to help detect malicious activity observed in your environment and provide context to security investigators to help inform response decisions. 
[Video Demo](https://youtu.be/4Bet2oVODow)\\n\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"customWidth\":\"79\",\"name\":\"Workbook Overview\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://azure.microsoft.com/svghandler/azure-sentinel?width=600&height=315) \"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"customWidth\":\"20\",\"name\":\"Microsoft Sentinel Logo\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"18c690d7-7cbd-46c1-b677-1f72692d40cd\",\"cellValue\":\"TAB\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Indicators Ingestion\",\"subTarget\":\"Indicators\",\"preText\":\"Alert rules\",\"style\":\"link\"},{\"id\":\"f88dcf47-af98-4684-9de3-1ee5f48f68fc\",\"cellValue\":\"TAB\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Indicators Search\",\"subTarget\":\"Observed\",\"style\":\"link\"}]},\"name\":\"Tabs link\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType, bin(TimeGenerated, 1h)\\r\\n| order by 
CountOfIndicators desc \\r\\n| render barchart kind=stacked \",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Imported into Sentinel by Indicator Type and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem, bin(TimeGenerated, 1h)\\r\\n| render barchart kind=stacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Imported into Sentinel by Indicator Provider and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n 
iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Indicator Type\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Indicator Source\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked 
active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by tostring(ConfidenceScore)\\r\\n| order by CountOfIndicators desc \\r\\n| render piechart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Confidence Score\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DomainQuery=view() { \\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(DomainName)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by DomainName\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"DomainEntry\\\"\\r\\n};\\r\\nlet UrlQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(Url)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by Url\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"UrlEntry\\\"\\r\\n};\\r\\nlet FileHashQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(FileHashValue)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by FileHashValue\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"FileHashEntry\\\"\\r\\n};\\r\\nlet IPQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(NetworkIP) or 
isnotempty(NetworkSourceIP)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by NetworkIP, NetworkSourceIP\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"IPEntry\\\"\\r\\n};\\r\\nlet EmailAddressQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSenderAddress)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSenderAddress\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailAddressEntry\\\"\\r\\n};\\r\\nlet EmailMessageQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSubject)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSubject\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailMessageEntry\\\"\\r\\n};\\r\\nlet SingleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))==1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1 \\r\\n};\\r\\nlet MultipleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))!=1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1\\r\\n};\\r\\nlet CountOfActiveIndicatorsBySource=view(){\\r\\n ThreatIntelligenceIndicator\\r\\n\\t| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n | where ExpirationDateTime > now() and Active == true\\r\\n | summarize count() by SourceSystem\\r\\n | project SourceSystem, 
count_\\r\\n};\\r\\nSingleSourceIndicators\\r\\n| join kind=fullouter MultipleSourceIndicators on counter \\r\\n| where SourceSystemArray contains todynamic(SourceSystemArray)[0] \\r\\n| order by SourceSystemArray\\r\\n| extend solitary_count=sum_count_\\r\\n| summarize shared_count = sum(sum_count_1) by SourceSystemArray, solitary_count\\r\\n| extend total_count = shared_count + solitary_count\\r\\n| extend unique_percentage = round(toreal(solitary_count)/toreal(total_count)*100, 1)\\r\\n| extend IndicatorSource = tostring(todynamic(SourceSystemArray)[0])\\r\\n| join kind=inner CountOfActiveIndicatorsBySource on $left.IndicatorSource == $right.SourceSystem\\r\\n| order by unique_percentage desc\\r\\n| project Source=IndicatorSource, UniquenessPercentage=unique_percentage, ActiveIndicators = count_\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Uniqueness of Threat Intelligence Sources\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"View\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ActiveIndicators\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 12\"}]},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Indicators\"},\"name\":\"Indicators Ingestion\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9aec751b-07bd-43ba-80b9-f711887dce45\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Indicator\",\"label\":\"Search Indicator in 
Events\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"Threat Research Parameters\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"50\",\"name\":\"text - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Add additional lines for desired data columns\\r\\nunion withsource= Table_Name *\\r\\n| where column_ifexists('CallerIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileOriginUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FQDN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessSHA256', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddresses', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Name', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RecipientEmailAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SenderMailFromAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Url', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SrcIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DstIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkSourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHashValue', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkDestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSourceIpAddress', 
'') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSenderAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DomainName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AADEmail', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Account', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Caller', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CompromisedEntity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DisplayName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Email_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FullyQualifiedSubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessAccountUpn', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('MailboxOwnerUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Owner', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RequesterUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceIdentity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUser', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Upn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('User_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserId_', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId_s_s', '') has 
\\\"{Indicator}\\\" \\r\\nor column_ifexists('userName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserName', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('userPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Computer', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHash', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FilePath', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Process', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CommandLine', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NewProcessName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('ParentProcessName', '') has \\\"{Indicator}\\\"\\r\\n| summarize count() by Table_Name \\r\\n| project-rename ['Data Table']=Table_Name, ['Logs Count']=count_\\r\\n| sort by ['Logs Count'] desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Observed\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Type\",\"exportParameterName\":\"Type\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Data Table\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Log\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Logs Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Add additional lines for desired data columns\\r\\nunion withsource= Table_Name *\\r\\n| where 
column_ifexists('CallerIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileOriginUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FQDN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessSHA256', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddresses', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Name', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RecipientEmailAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SenderMailFromAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Url', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SrcIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DstIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkSourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHashValue', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkDestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSourceIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSenderAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DomainName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AADEmail', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Account', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Caller', '') has 
\\\"{Indicator}\\\"\\r\\nor column_ifexists('CompromisedEntity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DisplayName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Email_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FullyQualifiedSubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessAccountUpn', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('MailboxOwnerUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Owner', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RequesterUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceIdentity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUser', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Upn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('User_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserId_', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId_s_s', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('userName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserName', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('userPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Computer', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHash', '') has 
\\\"{Indicator}\\\"\\r\\nor column_ifexists('FilePath', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Process', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CommandLine', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NewProcessName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('ParentProcessName', '') has \\\"{Indicator}\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Type\\r\\n| render areachart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Observed over Time\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Data Table\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Log\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Logs Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let tiObservables = ThreatIntelligenceIndicator\\r\\n | where TimeGenerated < now()\\r\\n | project IndicatorId, ThreatType, Description, Active, IndicatorTime = TimeGenerated, Indicator = strcat(NetworkSourceIP, NetworkIP, NetworkDestinationIP, Url, FileHashValue, EmailSourceIpAddress, EmailSenderAddress, DomainName), SourceSystem;\\r\\nlet alertEntity = SecurityAlert \\r\\n | project parse_json(Entities), SystemAlertId , AlertTime = TimeGenerated\\r\\n | mvexpand(Entities)\\r\\n | extend entity = iif(isnotempty(Entities.Address), Entities.Address,\\r\\n iif(isnotempty(Entities.HostName),strcat(Entities.HostName, \\\".\\\", Entities.DnsDomain),\\r\\n iif(isnotempty(Entities.Url), 
Entities.Url,\\r\\n iif(isnotempty(Entities.Value), Entities.Value,\\r\\n iif(Entities.Type == \\\"account\\\", strcat(Entities.Name,\\\"@\\\",Entities.UPNSuffix),\\\"\\\")))))\\r\\n | where isnotempty(entity) \\r\\n | project entity, SystemAlertId, AlertTime;\\r\\nlet IncidentAlerts = SecurityIncident\\r\\n | project IncidentTime = TimeGenerated, IncidentNumber, Title, parse_json(AlertIds)\\r\\n | mv-expand AlertIds\\r\\n | project IncidentTime, IncidentNumber, Title, tostring(AlertIds);\\r\\nlet AlertsWithTiObservables = alertEntity\\r\\n | join kind=inner tiObservables on $left.entity == $right.Indicator;\\r\\nlet IncidentsWithAlertsWithTiObservables = AlertsWithTiObservables\\r\\n | join kind=inner IncidentAlerts on $left.SystemAlertId == $right.AlertIds;\\r\\nIncidentsWithAlertsWithTiObservables\\r\\n| where Indicator contains '{Indicator}' or Indicator == \\\"*\\\"\\r\\n| summarize Incidents=dcount(IncidentNumber), Alerts=dcount(SystemAlertId) by Indicator, ThreatType, Source = SourceSystem, Description\\r\\n| sort by Incidents, Alerts desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Intelligence Alerts\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Botnet\",\"representation\":\"Command and 
Control\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"MaliciousUrl\",\"representation\":\"Initial_Access\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Malware\",\"representation\":\"Execution\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Phishing\",\"representation\":\"Exfiltration\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Pre attack\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Incidents\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Alerts\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true}},\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| extend SystemAlertId = tostring(AlertIds[0])\\r\\n| join (SecurityAlert \\r\\n| where Entities <> \\\"\\\"\\r\\n| mv-expand parse_json(Entities)\\r\\n| where Entities contains '{Indicator}'\\r\\n| project SystemAlertId, Entities\\r\\n) on SystemAlertId\\r\\n| where Title <> \\\"\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| parse IncidentUrl with * '/#asset/Microsoft_Azure_Security_Insights/Incident' IncidentBlade\\r\\n| extend SeverityRank=iff(Severity == \\\"High\\\", 3, iff(Severity == \\\"Medium\\\", 2, iff(Severity == \\\"Low\\\", 1, iff(Severity == \\\"Informational\\\", 0, 0))))\\r\\n| sort by SeverityRank, IncidentNumber desc\\r\\n| project ['Incident Name']=Title, IncidentNumber, Severity, IncidentUrl, FirstActivityTime, IncidentBlade, Entities\\r\\n| limit 2500\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Incidents\",\"noDataMessage\":\"No incidents observed within these 
thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Incident Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"OpenBlade\",\"linkLabel\":\"Incident >>\",\"bladeOpenContext\":{\"bladeName\":\"CaseBlade\",\"extensionName\":\"Microsoft_Azure_Security_Insights\",\"bladeParameters\":[{\"name\":\"id\",\"source\":\"column\",\"value\":\"IncidentBlade\"}]}}},{\"columnMatch\":\"IncidentBlade\",\"formatter\":5}],\"rowLimit\":2500,\"filter\":true,\"sortBy\":[{\"itemKey\":\"IncidentNumber\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"IncidentNumber\",\"sortOrder\":2}]},\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Observed\"},\"name\":\"Indicators Observed\"}],\"fromTemplateId\":\"sentinel-ThreatIntelligence\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" 
@@ -1107,7 +1118,7 @@
 "apiVersion": "2022-01-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]",
 "properties": {
- "description": "@{workbookKey=ThreatIntelligenceWorkbook; logoFileName=; description=Gain insights into threat indicators ingestion and search for indicators at scale across Microsoft 1st Party, 3rd Party, On-Premises, Hybrid, and Multi-Cloud Workloads. Indicators Search facilitates a simple interface for finding IP, File, Hash, Sender and more across your data. Seamless pivots to correlate indicators with Microsoft Sentinel: Incidents to make your threat intelligence actionable.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=5.0.0; title=Threat Intelligence; templateRelativePath=ThreatIntelligence.json; subtitle=; provider=Microsoft}.description",
+ "description": "@{workbookKey=ThreatIntelligenceWorkbook; logoFileName=Azure_Sentinel.svg; description=Gain insights into threat indicators ingestion and search for indicators at scale across Microsoft 1st Party, 3rd Party, On-Premises, Hybrid, and Multi-Cloud Workloads. Indicators Search facilitates a simple interface for finding IP, File, Hash, Sender and more across your data. Seamless pivots to correlate indicators with Microsoft Sentinel: Incidents to make your threat intelligence actionable.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=5.0.0; title=Threat Intelligence; templateRelativePath=ThreatIntelligence.json; subtitle=; provider=Microsoft}.description",
 "parentId": "[variables('workbookId1')]",
 "contentId": "[variables('_workbookContentId1')]",
 "kind": "Workbook",
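Review bot: The new `description` value on the `+` line is still a stringified hashtable with a literal `.description` appended (`@{workbookKey=ThreatIntelligenceWorkbook; logoFileName=Azure_Sentinel.svg; ...; provider=Microsoft}.description`) rather than the description text, so the Workbook metadata resource will publish the whole object dump, internal keys such as templateRelativePath included, as its description. The commit only fills in logoFileName inside that dump and leaves the expansion defect in place. The field should hold only the sentence that sits between `description=` and `; dataTypesDependencies` in that string. This looks like generator output (a PowerShell object rendered outside a subexpression), so if this file is produced by the packaging tooling the correction belongs there as well, otherwise the next regeneration will reintroduce it.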
@@ -1168,16 +1179,16 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName1')]",
+ "name": "[variables('huntingQueryObject1').huntingQueryTemplateSpecName1]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "FileEntity_OfficeActivity_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "FileEntity_OfficeActivity_HuntingQueries Hunting Query with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion1')]",
+ "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
 "parameters": {},
 "variables": {},
 "resources": [
@@ -1207,13 +1218,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId1'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1),'/'))))]",
 "properties": {
 "description": "Threat Intelligence Hunting Query 1",
- "parentId": "[variables('huntingQueryId1')]",
- "contentId": "[variables('_huntingQuerycontentId1')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1)]",
+ "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
 "kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion1')]",
+ "version": "[variables('huntingQueryObject1').huntingQueryVersion1]",
 "source": {
 "kind": "Solution",
 "name": "Threat Intelligence",
@@ -1238,27 +1249,27 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId1')]",
+ "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
 "contentKind": "HuntingQuery",
 "displayName": "TI Map File Entity to OfficeActivity Event",
- "contentProductId": "[variables('_huntingQuerycontentProductId1')]",
- "id": "[variables('_huntingQuerycontentProductId1')]",
- "version": "[variables('huntingQueryVersion1')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.3')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.3')))]",
+ "version": "1.0.3"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName2')]",
+ "name": "[variables('huntingQueryObject2').huntingQueryTemplateSpecName2]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "FileEntity_SecurityEvent_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "FileEntity_SecurityEvent_HuntingQueries Hunting Query with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion2')]",
+ "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
 "parameters": {},
 "variables": {},
 "resources": [
@@ -1288,13 +1299,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId2'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2),'/'))))]",
 "properties": {
 "description": "Threat Intelligence Hunting Query 2",
- "parentId": "[variables('huntingQueryId2')]",
- "contentId": "[variables('_huntingQuerycontentId2')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2)]",
+ "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]",
 "kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion2')]",
+ "version": "[variables('huntingQueryObject2').huntingQueryVersion2]",
 "source": {
 "kind": "Solution",
 "name": "Threat Intelligence",
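Review bot: In the hunk that ends here (it begins at `@@ -1238,27 +1249,27 @@`), the new `"version": "1.0.3"` and the `'1.0.3'` literal baked into both `uniqueString(...)` expressions for `contentProductId` and `id` are hard-coded, while `contentVersion` a few lines below and the metadata `version` in the preceding hunk read `variables('huntingQueryObject1').huntingQueryVersion1`. If that variable (defined outside this chunk) ever stops being 1.0.3, the package entry's version and the derived product id silently disagree with the template it describes. The consistent form is `"version": "[variables('huntingQueryObject1').huntingQueryVersion1]"` with the same expression substituted for `'1.0.3'` inside the two `concat(...)` calls, assuming the packaging tool can emit a variable reference there. The hunk ending on the next line (`@@ -1319,27 +1330,27 @@`, huntingQueryObject2) has the same pattern.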
@@ -1319,27 +1330,27 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId2')]", + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", "contentKind": "HuntingQuery", "displayName": "TI Map File Entity to Security Event", - "contentProductId": "[variables('_huntingQuerycontentProductId2')]", - "id": "[variables('_huntingQuerycontentProductId2')]", - "version": "[variables('huntingQueryVersion2')]" + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.3')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.3')))]", + "version": "1.0.3" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName3')]", + "name": "[variables('huntingQueryObject3').huntingQueryTemplateSpecName3]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileEntity_Syslog_HuntingQueries Hunting Query with template version 3.0.1", + "description": "FileEntity_Syslog_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion3')]", + "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", "parameters": {}, "variables": {}, 
"resources": [ @@ -1369,13 +1380,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId3'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3),'/'))))]", "properties": { "description": "Threat Intelligence Hunting Query 3", - "parentId": "[variables('huntingQueryId3')]", - "contentId": "[variables('_huntingQuerycontentId3')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3)]", + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion3')]", + "version": "[variables('huntingQueryObject3').huntingQueryVersion3]", "source": { "kind": "Solution", "name": "Threat Intelligence", 
@@ -1400,27 +1411,27 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId3')]", + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", "contentKind": "HuntingQuery", "displayName": "TI Map File Entity to Syslog Event", - "contentProductId": "[variables('_huntingQuerycontentProductId3')]", - "id": "[variables('_huntingQuerycontentProductId3')]", - "version": "[variables('huntingQueryVersion3')]" + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.3')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.3')))]", + "version": "1.0.3" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName4')]", + "name": "[variables('huntingQueryObject4').huntingQueryTemplateSpecName4]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileEntity_VMConnection_HuntingQueries Hunting Query with template version 3.0.1", + "description": "FileEntity_VMConnection_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion4')]", + "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", "parameters": {}, "variables": 
{}, "resources": [ @@ -1450,13 +1461,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId4'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4),'/'))))]", "properties": { "description": "Threat Intelligence Hunting Query 4", - "parentId": "[variables('huntingQueryId4')]", - "contentId": "[variables('_huntingQuerycontentId4')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4)]", + "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion4')]", + "version": "[variables('huntingQueryObject4').huntingQueryVersion4]", "source": { "kind": "Solution", "name": "Threat Intelligence", 
@@ -1481,27 +1492,27 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId4')]", + "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", "contentKind": "HuntingQuery", "displayName": "TI Map File Entity to VMConnection Event", - "contentProductId": "[variables('_huntingQuerycontentProductId4')]", - "id": "[variables('_huntingQuerycontentProductId4')]", - "version": "[variables('huntingQueryVersion4')]" + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.3')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.3')))]", + "version": "1.0.3" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName5')]", + "name": "[variables('huntingQueryObject5').huntingQueryTemplateSpecName5]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileEntity_WireData_HuntingQueries Hunting Query with template version 3.0.1", + "description": "FileEntity_WireData_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion5')]", + "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", "parameters": {}, "variables": 
{}, "resources": [ @@ -1531,13 +1542,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId5'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5),'/'))))]", "properties": { "description": "Threat Intelligence Hunting Query 5", - "parentId": "[variables('huntingQueryId5')]", - "contentId": "[variables('_huntingQuerycontentId5')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5)]", + "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion5')]", + "version": "[variables('huntingQueryObject5').huntingQueryVersion5]", "source": { "kind": "Solution", "name": "Threat Intelligence", 
@@ -1562,41 +1573,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId5')]", + "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", "contentKind": "HuntingQuery", "displayName": "TI Map File Entity to WireData Event", - "contentProductId": "[variables('_huntingQuerycontentProductId5')]", - "id": "[variables('_huntingQuerycontentProductId5')]", - "version": "[variables('huntingQueryVersion5')]" + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.3')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.3')))]", + "version": "1.0.3" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName1')]", + "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "DomainEntity_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion1')]", + "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", 
"parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId1')]", + "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies a match in CommonSecurityLog table from any Domain IOC from TI", - "displayName": "TI map Domain entity to CommonSecurityLog", + "description": "Identifies a match in PaloAlto CommonSecurityLog table from any Domain IOC from TI", + "displayName": "TI map Domain entity to PaloAlto CommonSecurityLog", "enabled": false, - "query": "let dt_lookBack = 1h; // Look back 1 hour\nlet ioc_lookBack = 14d; // Look back 14 days\n// Create a list of top-level domains (TLDs) from the threat feed data for later validation\nlet list_tlds =\n ThreatIntelligenceIndicator\n // Filter indicators based on the specified time range and active indicators\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(DomainName)\n // Convert domain names to lowercase for consistency\n | extend DomainName = tolower(DomainName)\n // Split domain names into parts and extract the TLD\n | extend parts = split(DomainName, '.')\n | extend tld = parts[(array_length(parts) - 1)]\n // Count the occurrences of each TLD\n | summarize count() by tostring(tld)\n // Create a list of TLDs\n | summarize make_list(tld);\n// Retrieve threat intelligence indicators within the specified time range\nlet Domain_Indicators =\n ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n // Filter indicators that have a non-empty domain name\n | where 
isnotempty(DomainName)\n | extend TI_DomainEntity = DomainName;\n// Join threat intelligence indicators with common security logs\nDomain_Indicators\n| join kind=innerunique (\n CommonSecurityLog\n // Filter common security logs based on the specified time range\n | extend IngestionTime = ingestion_time()\n | where IngestionTime > ago(dt_lookBack)\n | where DeviceEventClassID =~ 'url'\n // Uncomment the line below to only alert on allowed connections\n //| where DeviceAction !~ \"block-url\"\n // Extract the domain from RequestURL, if not present, extract it from AdditionalExtensions\n | extend PA_Url = column_ifexists(\"RequestURL\", \"None\")\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \"PanOS\", extract(\"([^\\\\\\\"]+)\", 1, tolower(AdditionalExtensions)), trim('\"', PA_Url))\n | extend PA_Url = iif(PA_Url !startswith \"http://\" and ApplicationProtocol !~ \"ssl\", strcat('http://', PA_Url), iif(PA_Url !startswith \"https://\" and ApplicationProtocol =~ \"ssl\", strcat('https://', PA_Url), PA_Url))\n | extend Domain = trim('\"', tostring(parse_url(PA_Url).Host))\n | where isnotempty(Domain)\n | extend Domain = tolower(Domain)\n | extend parts = split(Domain, '.')\n | extend tld = parts[(array_length(parts) - 1)]\n // Validate parsed domain by checking if the TLD is in the threat feed's TLD list\n | where tld in~ (list_tlds)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n) on $left.TI_DomainEntity == $right.Domain\n| where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod, Type, TI_DomainEntity\n| extend timestamp = 
CommonSecurityLog_TimeGenerated\n", + "query": "let dt_lookBack = 1h; // Look back 1 hour\nlet ioc_lookBack = 14d; // Look back 14 days\n// Create a list of top-level domains (TLDs) from the threat feed data for later validation\nlet SecurityLog = materialize(\n CommonSecurityLog\n // Filter common security logs based on the specified time range\n | extend IngestionTime = ingestion_time()\n | where IngestionTime > ago(dt_lookBack)\n | where DeviceEventClassID =~ 'url'\n // Uncomment the line below to only alert on allowed connections\n //| where DeviceAction !~ \"block-url\"\n // Extract the domain from RequestURL, if not present, extract it from AdditionalExtensions\n | extend PA_Url = column_ifexists(\"RequestURL\", \"None\")\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \"PanOS\", extract(\"([^\\\\\\\"]+)\", 1, tolower(AdditionalExtensions)), trim('\"', PA_Url))\n | extend PA_Url = iif(PA_Url !startswith \"http://\" and ApplicationProtocol !~ \"ssl\", strcat('http://', PA_Url), iif(PA_Url !startswith \"https://\" and ApplicationProtocol =~ \"ssl\", strcat('https://', PA_Url), PA_Url))\n | extend Domain = trim('\"', tostring(parse_url(PA_Url).Host))\n | where isnotempty(Domain)\n | extend Domain = tolower(Domain)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n);\nlet LogDomains = SecurityLog | distinct Domain | summarize make_list(Domain);\n// Retrieve threat intelligence indicators within the specified time range\nlet Domain_Indicators = materialize(\n ThreatIntelligenceIndicator\n | where isnotempty(DomainName)\n | where TimeGenerated >= ago(ioc_lookBack)\n | extend TI_DomainEntity = tolower(DomainName)\n | where TI_DomainEntity in (LogDomains)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now());\n// Join threat intelligence indicators with common security logs\nDomain_Indicators | join kind=innerunique (SecurityLog) on 
$left.TI_DomainEntity == $right.Domain\n| where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod, Type, TI_DomainEntity\n| extend timestamp = CommonSecurityLog_TimeGenerated\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -1607,22 +1618,22 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ 
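Review bot: The rewritten query for analytic rule 1 still opens with `// Create a list of top-level domains (TLDs) from the threat feed data for later validation`, but the `list_tlds` construction and the `| where tld in~ (list_tlds)` check were removed in the new version, so the comment describes logic that no longer exists; replace it with something like `// Materialize the PaloAlto URL events first and pre-filter TI to domains actually seen in the logs`. The new pre-filter `TI_DomainEntity in (LogDomains)` is fed by `make_list(Domain)`; in a busy workspace that list is subject to the aggregation cap and the `in` operator's value limit, which would silently truncate the candidate set, so a bounded `make_list(Domain, <N>)` or a comment stating the expected volume would make the assumption explicit. Dropping the TLD validation also changes what the rule matches, which is worth a line in the rule's description or changelog.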
@@ -1662,13 +1673,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", "properties": { "description": "Threat Intelligence Analytics Rule 1", - "parentId": "[variables('analyticRuleId1')]", - "contentId": "[variables('_analyticRulecontentId1')]", + "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion1')]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", "source": { "kind": "Solution", "name": "Threat Intelligence", 
@@ -1693,41 +1704,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId1')]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", "contentKind": "AnalyticsRule", - "displayName": "TI map Domain entity to CommonSecurityLog", - "contentProductId": "[variables('_analyticRulecontentProductId1')]", - "id": "[variables('_analyticRulecontentProductId1')]", - "version": "[variables('analyticRuleVersion1')]" + "displayName": "TI map Domain entity to PaloAlto CommonSecurityLog", + "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName2')]", + "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "DomainEntity_DeviceNetworkEvents_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion2')]", + "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": 
"[variables('analyticRulecontentId2')]", + "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies a match in DnsEvents from any Domain IOC from TI", - "displayName": "TI map Domain entity to DnsEvents", + "description": "This query identifies any Domain indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in DeviceNetworkEvents.", + "displayName": "TI Map Domain Entity to DeviceNetworkEvents", "enabled": false, - "query": "// Define the lookback periods for time-based filters\nlet dt_lookBack = 1h; // Look back 1 hour for DNS events\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to domains\nlet Domain_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n // Filter out indicators without domain names\n | where isnotempty(DomainName)\n | extend TI_DomainEntity = DomainName;\n// Create a list of TLDs in our threat feed for later validation\nlet maxListSize = 100000; // Define the maximum allowed size for each list\nlet list_tlds = Domain_Indicators\n | extend parts = split(DomainName, '.')\n | extend tld = parts[(array_length(parts)-1)]\n | summarize count() by tostring(tld)\n | project tld\n | summarize make_list(tld, maxListSize);\n// Perform a join between domain indicators and DNS events to identify potential malicious activity\nDomain_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n DnsEvents\n | where TimeGenerated > ago(dt_lookBack)\n // Extract domain patterns from 
syslog message\n | where isnotempty(Name)\n | extend parts = split(Name, '.')\n | extend tld = parts[(array_length(parts)-1)]\n // Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\n | where tld in~ (list_tlds)\n | extend DNS_TimeGenerated = TimeGenerated\n ) on $left.TI_DomainEntity==$right.Name\n // Filter out DNS events that occurred after the expiration of the corresponding indicator\n | where DNS_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and Name, and keep the DNS event with the latest timestamp\n | summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated, *) by IndicatorId, Name\n // Select the desired output fields\n | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType, Type, TI_DomainEntity\n // Extract hostname and DNS domain from the Computer field\n | extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n // Rename the timestamp field\n | extend timestamp = DNS_TimeGenerated\n", + "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet DeviceNetworkEvents_ = DeviceNetworkEvents\n | where isnotempty(RemoteUrl)\n | where TimeGenerated >= ago(dt_lookBack)\n | where ActionType !has \"ConnectionFailed\"\n | extend Domain = tostring(parse_url(tolower(RemoteUrl)).Host)\n | where isnotempty(Domain)\n | project-rename DeviceNetworkEvents_TimeGenerated = TimeGenerated;\nlet DeviceNetworkEventDomains = DeviceNetworkEvents_\n | distinct Domain\n | summarize make_list(Domain);\nThreatIntelligenceIndicator\n| where isnotempty(DomainName)\n| where TimeGenerated >= ago(ioc_lookBack)\n| extend TI_Domain = tolower(DomainName)\n| where TI_Domain in (DeviceNetworkEventDomains)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| 
where Description !contains_cs \"State: inactive;\" and Description !contains_cs \"State: falsepos;\"\n| join kind=innerunique (DeviceNetworkEvents_) on $left.TI_Domain == $right.Domain\n| where DeviceNetworkEvents_TimeGenerated < ExpirationDateTime\n| summarize DeviceNetworkEvents_TimeGenerated = arg_max(DeviceNetworkEvents_TimeGenerated, *) by IndicatorId, TI_Domain\n| project DeviceNetworkEvents_TimeGenerated, IndicatorId, TI_Domain, Url = RemoteUrl, ConfidenceScore, Description, ThreatType, Tags, TrafficLightProtocolLevel, ActionType, DeviceId, DeviceName, InitiatingProcessAccountUpn, InitiatingProcessCommandLine, RemoteIP, RemotePort\n| extend Name = tostring(split(InitiatingProcessAccountUpn, '@', 0)[0]), UPNSuffix = tostring(split(InitiatingProcessAccountUpn, '@', 1)[0])\n| extend timestamp = DeviceNetworkEvents_TimeGenerated, UserPrincipalName = InitiatingProcessAccountUpn\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -1738,28 +1749,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "DNS", "dataTypes": [ - "DnsEvents" - ] + "DeviceNetworkEvents" + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ 
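Review bot: Analytic rule 2 now derives the domain with `parse_url(tolower(RemoteUrl)).Host`; `RemoteUrl` in DeviceNetworkEvents is often a bare hostname without a scheme, and for such values `Host` comes back empty, so those rows are dropped by the following `| where isnotempty(Domain)` and never compared against TI (presumably a coverage gap — confirm against live data). A guard such as `| extend Domain = iff(RemoteUrl has "://", tostring(parse_url(tolower(RemoteUrl)).Host), tolower(RemoteUrl))` keeps both forms. Separately, this slot keeps `analyticRuleObject2` / `_analyticRulecontentId2` while its content changes from a DnsEvents rule to a DeviceNetworkEvents rule; if the underlying content ID GUID is unchanged (it is not visible in this chunk), existing installs will see the DnsEvents template replaced in place rather than a new template added.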
@@ -1767,24 +1778,24 @@ ], "entityMappings": [ { - "entityType": "Host", + "entityType": "Account", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" + "identifier": "Name", + "columnName": "Name" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ] }, { - "entityType": "IP", + "entityType": "Host", "fieldMappings": [ { - "identifier": "Address", - "columnName": "ClientIP" + "identifier": "FullName", + "columnName": "DeviceName" } ] }, @@ -1796,6 +1807,15 @@ "columnName": "Url" } ] + }, + { + "entityType": "Process", + "fieldMappings": [ + { + "identifier": "CommandLine", + "columnName": "InitiatingProcessCommandLine" + } + ] } ] } @@ -1803,13 +1823,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", "properties": { "description": "Threat Intelligence Analytics Rule 2", - "parentId": "[variables('analyticRuleId2')]", - "contentId": "[variables('_analyticRulecontentId2')]", + "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion2')]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", "source": { "kind": "Solution", "name": "Threat Intelligence", 
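Review bot: The new entity mappings for analytic rule 2 remove the IP entity entirely (the `Address`/`ClientIP` mapping becomes Host/`DeviceName`), even though the rewritten query projects `RemoteIP` and `RemotePort`; without an IP mapping the matched remote address is not surfaced as an entity for the investigation graph or incident correlation. Adding `{ "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "RemoteIP" } ] }` next to the Process mapping introduced in the following hunk (-1796) would preserve that. The enclosing `entityMappings` array is only partially visible in this hunk.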
@@ -1834,41 +1854,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId2')]", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", "contentKind": "AnalyticsRule", - "displayName": "TI map Domain entity to DnsEvents", - "contentProductId": "[variables('_analyticRulecontentProductId2')]", - "id": "[variables('_analyticRulecontentProductId2')]", - "version": "[variables('analyticRuleVersion2')]" + "displayName": "TI Map Domain Entity to DeviceNetworkEvents", + "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName3')]", + "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_imWebSession_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "DomainEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion3')]", + "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId3')]", + "name": 
"[variables('analyticRuleObject3')._analyticRulecontentId3]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This rule identifies Web Sessions for which the target URL hostname is a known IoC.

This rule uses the [Advanced Security Information Model (ASIM)](https:/aka.ms/AboutASIM) and supports any web session source that complies with ASIM.", - "displayName": "TI map Domain entity to Web Session Events (ASIM Web Session schema)", + "description": "Identifies a match in DnsEvents from any Domain IOC from TI", + "displayName": "TI map Domain entity to DnsEvents", "enabled": false, - "query": "let HAS_ANY_MAX = 10000;\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\n//Create a list of TLDs in our threat feed for later validation\nlet DOMAIN_TI=ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(DomainName);\nlet DOMAIN_TI_list= todynamic(toscalar(DOMAIN_TI | summarize NIoCs = dcount(DomainName), Domains = make_set(DomainName) \n | project Domains=iff(NIoCs > HAS_ANY_MAX, dynamic([]), Domains) ));\nDOMAIN_TI\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n _Im_WebSession(starttime=ago(dt_lookBack), url_has_any= DOMAIN_TI_list )\n //Extract domain patterns from syslog message\n | extend domain = tostring(parse_url(Url)[\"Host\"])\n | where isnotempty(domain)\n | extend tld = tostring(split(domain, '.')[-1])\n | extend Event_TimeGenerated = TimeGenerated\n) on $left.DomainName==$right.domain\n| where Event_TimeGenerated < ExpirationDateTime\n| summarize Event_TimeGenerated = arg_max(Event_TimeGenerated , *) by IndicatorId, domain\n| project Event_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, domain, SrcIpAddr, Url \n", + "query": "// Define the lookback periods for time-based filters\nlet dt_lookBack = 1h; // Look back 1 hour for DNS 
events\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to domains\nlet Domain_Indicators = ThreatIntelligenceIndicator\n // Filter out indicators without domain names\n | where isnotempty(DomainName)\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | extend TI_DomainEntity = DomainName;\n// Create a list of TLDs in our threat feed for later validation\nlet maxListSize = 100000; // Define the maximum allowed size for each list\nlet list_tlds = Domain_Indicators\n | extend parts = split(DomainName, '.')\n | extend tld = parts[(array_length(parts)-1)]\n | summarize count() by tostring(tld)\n | project tld\n | summarize make_list(tld, maxListSize);\n// Perform a join between domain indicators and DNS events to identify potential malicious activity\nDomain_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n DnsEvents\n | where TimeGenerated > ago(dt_lookBack)\n // Extract domain patterns from syslog message\n | where isnotempty(Name)\n | extend parts = split(Name, '.')\n | extend tld = parts[(array_length(parts)-1)]\n // Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\n | where tld in~ (list_tlds)\n | extend DNS_TimeGenerated = TimeGenerated\n ) on $left.TI_DomainEntity==$right.Name\n // Filter out DNS events that occurred after the expiration of the corresponding indicator\n | where DNS_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and Name, and keep the DNS event with the latest timestamp\n | summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated, *) by IndicatorId, Name\n // Select the desired output fields\n | project DNS_TimeGenerated, 
Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType, Type, TI_DomainEntity\n // Extract hostname and DNS domain from the Computer field\n | extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n // Rename the timestamp field\n | extend timestamp = DNS_TimeGenerated\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -1879,40 +1899,53 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SquidProxy", "dataTypes": [ - "SquidProxy_CL" - ] + "DnsEvents" + ], + "connectorId": "DNS" }, { - "connectorId": "Zscaler", "dataTypes": [ - "CommonSecurityLog" - ] + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ "Impact" ], "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "HostName", + "columnName": "HostName" + }, + { + "identifier": "DnsDomain", + "columnName": "DnsDomain" + } + ] + }, { "entityType": "IP", "fieldMappings": [ { "identifier": "Address", - "columnName": "SrcIpAddr" + "columnName": "ClientIP" } ] }, 
@@ -1925,32 +1958,19 @@ } ] } - ], - "customDetails": { - "IoCExpirationTime": "ExpirationDateTime", - "IndicatorId": "IndicatorId", - "IoCConfidenceScore": "ConfidenceScore", - "IoCDescription": "Description", - "EventTime": "Event_TimeGenerated", - "ThreatType": "ThreatType", - "ActivityGroupNames": "ActivityGroupNames" - }, - "alertDetailsOverride": { - "alertDisplayNameFormat": "A web request from {{SrcIpAddr}} to hostname {{domain}} matched an IoC", - "alertDescriptionFormat": "A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator." - } + ] } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]", "properties": { "description": "Threat Intelligence Analytics Rule 3", - "parentId": "[variables('analyticRuleId3')]", - "contentId": "[variables('_analyticRulecontentId3')]", + "parentId": "[variables('analyticRuleObject3').analyticRuleId3]", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion3')]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]", "source": { "kind": "Solution", "name": "Threat Intelligence", 
@@ -1975,41 +1995,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId3')]", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", "contentKind": "AnalyticsRule", - "displayName": "TI map Domain entity to Web Session Events (ASIM Web Session schema)", - "contentProductId": "[variables('_analyticRulecontentProductId3')]", - "id": "[variables('_analyticRulecontentProductId3')]", - "version": "[variables('analyticRuleVersion3')]" + "displayName": "TI map Domain entity to DnsEvents", + "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName4')]", + "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "DomainEntity_EmailEvents_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion4')]", + "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": 
"[variables('analyticRulecontentId4')]", + "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI", - "displayName": "TI map Domain entity to PaloAlto", + "description": "Identifies a match in EmailEvents table from any Domain IOC from TI", + "displayName": "TI map Domain entity to EmailEvents", "enabled": false, - "query": "let dt_lookBack = 1h; // Duration to look back for recent logs (1 hour)\nlet ioc_lookBack = 14d; // Duration to look back for recent threat intelligence indicators (14 days)\n// Create a list of top-level domains (TLDs) in our threat feed for later validation of extracted domains\nlet list_tlds = \n ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(DomainName)\n | extend DomainName = tolower(DomainName)\n | extend parts = split(DomainName, '.')\n | extend tld = parts[(array_length(parts)-1)]\n | summarize count() by tostring(tld)\n | summarize make_list(tld);\nlet Domain_Indicators = \n ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n // Filter to pick up only IOC's that contain the entities we want (in this case, DomainName)\n | where isnotempty(DomainName)\n | extend TI_DomainEntity = DomainName;\nDomain_Indicators\n // Join with CommonSecurityLog to find potential malicious activity\n | join kind=innerunique (\n CommonSecurityLog\n | extend IngestionTime = ingestion_time()\n | where IngestionTime > ago(dt_lookBack)\n | where DeviceVendor =~ 'Palo Alto Networks'\n | 
where DeviceEventClassID =~ 'url'\n // Uncomment the line below to only alert on allowed connections\n // | where DeviceAction !~ \"block-url\"\n // Extract domain from RequestURL, if not present, extract it from AdditionalExtensions\n | extend PA_Url = coalesce(RequestURL, \"None\")\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \"PanOS\", extract(\"([^\\\"]+)\", 1, tolower(AdditionalExtensions)), trim('\"', PA_Url))\n | extend PA_Url = iif(PA_Url !in~ ('None', 'http://None', 'https://None') and PA_Url !startswith \"http://\" and PA_Url !startswith \"https://\" and ApplicationProtocol !~ \"ssl\", strcat('http://', PA_Url), PA_Url)\n | extend PA_Url = iif(PA_Url !in~ ('None', 'http://None', 'https://None') and PA_Url !startswith \"https://\" and ApplicationProtocol =~ \"ssl\", strcat('https://', PA_Url), PA_Url)\n | extend Domain = trim(@\"\"\"\", tostring(parse_url(PA_Url).Host))\n | where isnotempty(Domain)\n | extend Domain = tolower(Domain)\n | extend parts = split(Domain, '.')\n // Split out the top-level domain (TLD) for the purpose of checking if we have any TI indicators with this TLD to match on\n | extend tld = parts[(array_length(parts)-1)]\n // Validate parsed domain by checking TLD against TLDs from the threat feed and drop domains where there is no chance of a match\n | where tld in~ (list_tlds)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n ) on $left.TI_DomainEntity == $right.Domain\n | where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and Domain and keep only the latest CommonSecurityLog_TimeGenerated\n | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, Domain\n // Select the desired fields for the final result set\n | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, 
DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod, Type, TI_DomainEntity\n // Add a new field 'timestamp' for convenience, using the CommonSecurityLog_TimeGenerated as its value\n | extend timestamp = CommonSecurityLog_TimeGenerated\n", + "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet EmailEvents_ = materialize(EmailEvents | where isnotempty(RecipientEmailAddress) and isnotempty(SenderFromAddress) and TimeGenerated >= ago(dt_lookBack) and DeliveryAction !has \"Blocked\" | project-rename EmailEvents_TimeGenerated = TimeGenerated | extend SenderFromDomain = tolower(SenderFromDomain) | extend RecipientEmailDomain = tolower(tostring(split(RecipientEmailAddress, '@', 1))));\nlet SenderDomains = EmailEvents_ | distinct SenderFromDomain | summarize make_list(SenderFromDomain);\nlet RecipientDomains = EmailEvents_ | distinct RecipientEmailDomain | summarize make_list(RecipientEmailDomain);\nlet TI = materialize(ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack)\n| where isnotempty(DomainName)\n| extend TI_Domain = tolower(DomainName)\n| where TI_Domain in (SenderDomains) or TI_Domain in (RecipientDomains)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| where Description !contains_cs \"State: inactive;\" and Description !contains_cs \"State: falsepos;\");\n(union\n (TI | join kind=innerunique (EmailEvents_) on $left.TI_Domain == $right.SenderFromDomain),\n (TI | join kind=innerunique (EmailEvents_) on $left.TI_Domain == $right.RecipientEmailDomain))\n| where EmailEvents_TimeGenerated < ExpirationDateTime\n| summarize EmailEvents_TimeGenerated = arg_max(EmailEvents_TimeGenerated, *) by IndicatorId, RecipientEmailAddress\n| project EmailEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, RecipientEmailAddress, SenderFromAddress, Subject, 
ConfidenceLevel, Url, Type, TI_Domain, TrafficLightProtocolLevel, DeliveryAction, DeliveryLocation, EmailDirection\n| extend Name = tostring(split(RecipientEmailAddress, '@', 0)[0]), UPNSuffix = tostring(split(RecipientEmailAddress, '@', 1)[0])\n| extend timestamp = EmailEvents_TimeGenerated\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -2020,28 +2040,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "PaloAltoNetworks", "dataTypes": [ - "CommonSecurityLog" - ] + "EmailEvents" + ], + "connectorId": "Office365" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -2049,29 +2069,15 @@ ], "entityMappings": [ { - "entityType": "Host", - "fieldMappings": [ - { - "identifier": "HostName", - "columnName": "DeviceName" - } - ] - }, - { - "entityType": "IP", + "entityType": "Account", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SourceIP" - } - ] - }, - { - "entityType": "URL", - "fieldMappings": [ + "identifier": "Name", + "columnName": "Name" + }, { - "identifier": "Url", - "columnName": "PA_Url" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ] } 
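Review bot: `RecipientEmailDomain` in the materialized `EmailEvents_` is built as `tolower(tostring(split(RecipientEmailAddress, '@', 1)))` without indexing the result; `split()` with a requested index returns a one-element dynamic array, so `tostring()` yields its JSON form (e.g. `["example.com"]`, constructed) rather than the bare domain, and both `TI_Domain in (RecipientDomains)` and the join on `$right.RecipientEmailDomain` can never match, so recipient-side IoC hits are silently lost. The same query indexes correctly further down (`UPNSuffix = tostring(split(RecipientEmailAddress, '@', 1)[0])`), so the fix is `| extend RecipientEmailDomain = tolower(tostring(split(RecipientEmailAddress, '@', 1)[0]))`. This file looks like generator output, so the correction belongs in the source rule definition before the template is regenerated.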
@@ -2081,13 +2087,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]", "properties": { "description": "Threat Intelligence Analytics Rule 4", - "parentId": "[variables('analyticRuleId4')]", - "contentId": "[variables('_analyticRulecontentId4')]", + "parentId": "[variables('analyticRuleObject4').analyticRuleId4]", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion4')]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]", "source": { "kind": "Solution", "name": "Threat Intelligence", 
@@ -2112,41 +2118,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId4')]", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", "contentKind": "AnalyticsRule", - "displayName": "TI map Domain entity to PaloAlto", - "contentProductId": "[variables('_analyticRulecontentProductId4')]", - "id": "[variables('_analyticRulecontentProductId4')]", - "version": "[variables('analyticRuleVersion4')]" + "displayName": "TI map Domain entity to EmailEvents", + "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName5')]", + "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_SecurityAlert_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "DomainEntity_EmailUrlInfo_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion5')]", + "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId5')]", + "name": 
"[variables('analyticRuleObject5')._analyticRulecontentId5]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies a match in SecurityAlert table from any Domain IOC from TI", - "displayName": "TI map Domain entity to SecurityAlert", + "description": "Identifies a match in EmailUrlInfo table from any Domain IOC from TI.", + "displayName": "TI map Domain entity to EmailUrlInfo", "enabled": false, - "query": "let dt_lookBack = 1h; // Lookback time for recent data, set to 1 hour\nlet ioc_lookBack = 14d; // Lookback time for threat feed data, set to 14 days\n// Create a list of TLDs in our threat feed for later validation\nlet list_tlds = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(DomainName)\n | extend parts = split(DomainName, '.')\n | extend tld = parts[(array_length(parts)-1)]\n | summarize count() by tostring(tld)\n | summarize make_list(tld);\nlet Domain_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n // Picking up only IOC's that contain the entities we want\n | where isnotempty(DomainName)\n | extend TI_DomainEntity = DomainName;\nDomain_Indicators\n // Using innerunique to keep performance fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n | join kind=innerunique (\n SecurityAlert\n | where TimeGenerated > ago(dt_lookBack)\n | extend MSTI = case(AlertName has \"TI map\" and VendorName == \"Microsoft\" and ProductName == 'Azure Sentinel', true, false)\n | where MSTI == false\n // Extract domain patterns from message\n | extend domain = 
todynamic(dynamic_to_json(extract_all(@\"(((xn--)?[a-z0-9\\-]+\\.)+([a-z]+|(xn--[a-z0-9]+)))\", dynamic([1,1]), tolower(Entities))))\n | mv-expand domain\n | extend domain = tostring(domain[0])\n | extend parts = split(domain, '.')\n // Split out the TLD\n | extend tld = parts[(array_length(parts)-1)]\n // Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\n | where tld in~ (list_tlds)\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\n | extend EntitiesDynamicArray = parse_json(Entities)\n | mv-apply EntitiesDynamicArray on\n (summarize\n HostName = take_anyif(tostring(EntitiesDynamicArray.HostName), EntitiesDynamicArray.Type == \"host\"),\n IP_addr = take_anyif(tostring(EntitiesDynamicArray.Address), EntitiesDynamicArray.Type == \"ip\")\n )\n | extend Alert_TimeGenerated = TimeGenerated\n | extend Alert_Description = Description\n ) on $left.TI_DomainEntity == $right.domain\n | where Alert_TimeGenerated < ExpirationDateTime\n | summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\n | project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities, Type, TI_DomainEntity\n | extend timestamp = Alert_TimeGenerated\n", + "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet EmailUrlInfo_ = materialize(EmailUrlInfo\n| where isnotempty(UrlDomain)\n| where TimeGenerated > ago(dt_lookBack)\n| project-rename Email_Url = Url);\nlet Domains = EmailUrlInfo_\n| distinct UrlDomain\n| summarize make_list(UrlDomain);\nlet Candidates = ThreatIntelligenceIndicator\n| where isnotempty(DomainName)\n| where TimeGenerated >= ago(ioc_lookBack)\n| extend TI_Domain = tolower(DomainName)\n| where TI_Domain in (Domains)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by 
IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| where Description !contains_cs \"State: inactive;\" and Description !contains_cs \"State: falsepos;\"\n| join kind=innerunique EmailUrlInfo_ on $left.TI_Domain == $right.UrlDomain\n| join kind=innerunique (EmailEvents | where TimeGenerated >= ago(dt_lookBack) | project-rename EmailEvents_TimeGenerated = TimeGenerated) on $left.NetworkMessageId == $right.NetworkMessageId\n| where DeliveryLocation !has \"Quarantine\"\n// Customize and uncomment the following line to remove security related mailboxes\n//| where tolower(RecipientEmailAddress) !in (\"secmailbox1@example.com\", \"secmailbox2@example.com\")\n| where EmailEvents_TimeGenerated < ExpirationDateTime\n| summarize EmailEvents_TimeGenerated = arg_max(EmailEvents_TimeGenerated, *) by IndicatorId, RecipientEmailAddress;\nlet Candidate_Domains = Candidates | distinct TI_Domain | summarize make_list(TI_Domain);\nThreatIntelligenceIndicator\n| where isnotempty(Url)\n| where TimeGenerated > ago(ioc_lookBack)\n| extend Host = tostring(parse_url(Url).Host)\n| where Host in (Candidate_Domains)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| where Description !contains_cs \"State: inactive;\" and Description !contains_cs \"State: falsepos;\"\n| join kind=innerunique (Candidates | extend parsed_url = parse_url(Email_Url) | extend BaseUrl = strcat(parsed_url.Scheme, \"://\", parsed_url.Host, parsed_url.Path)) on $left.Url == $right.BaseUrl\n| where DeliveryAction !has \"Blocked\"\n| project EmailEvents_TimeGenerated, RecipientEmailAddress, IndicatorId, TI_Domain, ConfidenceScore, Description, Tags, TrafficLightProtocolLevel, Url = Email_Url, DeliveryAction, DeliveryLocation, EmailDirection, NetworkMessageId, AuthenticationDetails, SenderFromAddress, SenderIPv4, Subject\n| extend Name = tostring(split(RecipientEmailAddress, '@', 0)[0]), UPNSuffix = 
tostring(split(RecipientEmailAddress, '@', 1)[0])\n| extend timestamp = EmailEvents_TimeGenerated\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -2157,34 +2163,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ] + "EmailUrlInfo" + ], + "connectorId": "Office365" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] - }, - { - "connectorId": "MicrosoftCloudAppSecurity", - "dataTypes": [ - "SecurityAlert" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "AzureSecurityCenter", "dataTypes": [ - "SecurityAlert" - ] + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -2192,20 +2192,15 @@ ], "entityMappings": [ { - "entityType": "Host", + "entityType": "Account", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" - } - ] - }, - { - "entityType": "IP", - "fieldMappings": [ + "identifier": "Name", + "columnName": "Name" + }, { - "identifier": "Address", - "columnName": "IP_addr" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ] }, 
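Review bot: The EmailUrlInfo rule lowercases only the TI side: `TI_Domain = tolower(DomainName)` is tested with `in (Domains)` and joined on `$right.UrlDomain`, but `UrlDomain` is taken from `EmailUrlInfo` as-is, and KQL `in` and `==` are case-sensitive, so unless `UrlDomain` is guaranteed lowercase at ingestion a mixed-case URL host silently misses its indicator. The second stage has the same asymmetry, comparing `Host = tostring(parse_url(Url).Host)` against the lowercased `Candidate_Domains`. Normalizing inside the materialized set with `| extend UrlDomain = tolower(UrlDomain)` and writing `| extend Host = tolower(tostring(parse_url(Url).Host))` makes the rule consistent with the sibling EmailEvents rule in this template, which lowercases both sides of its joins.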
@@ -2224,13 +2219,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]", "properties": { "description": "Threat Intelligence Analytics Rule 5", - "parentId": "[variables('analyticRuleId5')]", - "contentId": "[variables('_analyticRulecontentId5')]", + "parentId": "[variables('analyticRuleObject5').analyticRuleId5]", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion5')]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]", "source": { "kind": "Solution", "name": "Threat Intelligence", 
@@ -2255,41 +2250,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId5')]", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", "contentKind": "AnalyticsRule", - "displayName": "TI map Domain entity to SecurityAlert", - "contentProductId": "[variables('_analyticRulecontentProductId5')]", - "id": "[variables('_analyticRulecontentProductId5')]", - "version": "[variables('analyticRuleVersion5')]" + "displayName": "TI map Domain entity to EmailUrlInfo", + "contentProductId": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", + "id": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName6')]", + "name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_Syslog_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "DomainEntity_imWebSession_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion6')]", + "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId6')]", + "name": 
"[variables('analyticRuleObject6')._analyticRulecontentId6]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies a match in Syslog table from any Domain IOC from TI", - "displayName": "TI map Domain entity to Syslog", + "description": "This rule identifies Web Sessions for which the target URL hostname is a known IoC. This rule uses the [Advanced Security Information Model (ASIM)](https:/aka.ms/AboutASIM) and supports any web session source that complies with ASIM.", + "displayName": "TI map Domain entity to Web Session Events (ASIM Web Session schema)", "enabled": false, - "query": "let dt_lookBack = 1h; // Define the time range to look back for syslog data (1 hour)\nlet ioc_lookBack = 14d; // Define the time range to look back for threat intelligence indicators (14 days)\n// Create a list of top-level domains (TLDs) from the threat feed for later validation\nlet list_tlds = ThreatIntelligenceIndicator\n | where TimeGenerated > ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(DomainName)\n | extend parts = split(DomainName, '.')\n | extend tld = parts[(array_length(parts)-1)]\n | summarize count() by tostring(tld)\n | summarize make_list(tld);\n// Fetch the latest active domain indicators from the threat intelligence data within the specified time range\nlet Domain_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(DomainName)\n | extend TI_DomainEntity = DomainName;\n// Join the threat intelligence indicators with syslog data on matching domain entities\nDomain_Indicators\n | join kind=innerunique (\n Syslog\n | where TimeGenerated > ago(dt_lookBack)\n // 
Extract domain patterns from syslog messages\n | extend domain = extract(\"(([a-z0-9]+(-[a-z0-9]+)*\\\\.)+[a-z]{2,})\",1, tolower(SyslogMessage))\n | where isnotempty(domain)\n | extend parts = split(domain, '.')\n // Split out the top-level domain (TLD)\n | extend tld = parts[(array_length(parts)-1)]\n // Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\n | where tld in~ (list_tlds)\n | extend Syslog_TimeGenerated = TimeGenerated\n ) on $left.TI_DomainEntity==$right.domain\n | where Syslog_TimeGenerated < ExpirationDateTime\n // Retrieve the latest syslog timestamp for each indicator and domain combination\n | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated, *) by IndicatorId, domain\n // Select the desired columns for the final result set\n | project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url, Type, TI_DomainEntity\n // Extract the hostname from the Computer field\n | extend HostName = tostring(split(Computer, '.', 0)[0])\n // Extract the DNS domain from the Computer field\n | extend DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n // Assign the Syslog_TimeGenerated value to the timestamp field\n | extend timestamp = Syslog_TimeGenerated\n", + "query": "let HAS_ANY_MAX = 10000;\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\n//Create a list of TLDs in our threat feed for later validation\nlet DOMAIN_TI=ThreatIntelligenceIndicator\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(DomainName)\n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now();\nlet DOMAIN_TI_list= todynamic(toscalar(DOMAIN_TI | summarize NIoCs = dcount(DomainName), Domains = make_set(DomainName) \n | project Domains=iff(NIoCs > 
HAS_ANY_MAX, dynamic([]), Domains) ));\nDOMAIN_TI\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n _Im_WebSession(starttime=ago(dt_lookBack), url_has_any= DOMAIN_TI_list )\n //Extract domain patterns from syslog message\n | extend domain = tostring(parse_url(Url)[\"Host\"])\n | where isnotempty(domain)\n | extend tld = tostring(split(domain, '.')[-1])\n | extend Event_TimeGenerated = TimeGenerated\n) on $left.DomainName==$right.domain\n| where Event_TimeGenerated < ExpirationDateTime\n| summarize Event_TimeGenerated = arg_max(Event_TimeGenerated , *) by IndicatorId, domain\n| project Event_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, domain, SrcIpAddr, Url \n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -2300,28 +2295,34 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Syslog", "dataTypes": [ - "Syslog" - ] + "SquidProxy_CL" + ], + "connectorId": "SquidProxy" + }, + { + "dataTypes": [ + "CommonSecurityLog" + ], + "connectorId": "Zscaler" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ 
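Review bot: The join `on $left.DomainName==$right.domain` in the ASIM Web Session rule case-folds neither side, so an indicator or a URL host containing any uppercase character never matches; if the `url_has_any` prefilter is implemented with `has_any` as its name suggests, it is case-insensitive and will pass such rows through only for the exact-match join to drop them. Adding `| extend DomainName = tolower(DomainName)` to `DOMAIN_TI` and writing `| extend domain = tolower(tostring(parse_url(Url)["Host"]))` closes that gap and matches what the EmailEvents rule elsewhere in this template does; `DomainName` is not in the final `project`, so the change does not alter the output columns. Two comments carried over from the Syslog rule are also stale here: `//Create a list of TLDs in our threat feed for later validation` describes nothing this query does, and `//Extract domain patterns from syslog message` sits above a `parse_url` on a web-session `Url`; the `tld` column extended right after is never used and could be dropped along with them.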
@@ -2329,29 +2330,16 @@ ], "entityMappings": [ { - "entityType": "Host", + "entityType": "IP", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" - }, - { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "identifier": "Address", + "columnName": "SrcIpAddr" } ] }, { - "entityType": "IP", - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "HostIP" - } - ] - }, - { - "entityType": "URL", + "entityType": "URL", "fieldMappings": [ { "identifier": "Url", 
@@ -2359,19 +2347,32 @@ } ] } - ] + ], + "customDetails": { + "IndicatorId": "IndicatorId", + "IoCExpirationTime": "ExpirationDateTime", + "IoCDescription": "Description", + "ActivityGroupNames": "ActivityGroupNames", + "ThreatType": "ThreatType", + "EventTime": "Event_TimeGenerated", + "IoCConfidenceScore": "ConfidenceScore" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator.", + "alertDisplayNameFormat": "A web request from {{SrcIpAddr}} to hostname {{domain}} matched an IoC" + } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]", "properties": { "description": "Threat Intelligence Analytics Rule 6", - "parentId": "[variables('analyticRuleId6')]", - "contentId": "[variables('_analyticRulecontentId6')]", + "parentId": "[variables('analyticRuleObject6').analyticRuleId6]", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion6')]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]", "source": { "kind": "Solution", "name": "Threat Intelligence", 
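Review bot: `alertDescriptionFormat` presents `{{Url}}` as the URL the client requested, but in this rule's query (shown in the preceding hunk, whose start is outside this chunk) `Url` after the join is most likely the ThreatIntelligenceIndicator column: both join inputs carry a `Url` column, KQL keeps the left one as `Url` and renames the right-hand web-session one to `Url1`, and the final `project` keeps `Url`. For Domain indicators that field is usually empty, so the alert text would show a blank or the indicator's own URL instead of the request; the URL entity mapping in the hunk at @@ -2329 has the same exposure if its column is `Url`. The query should surface the web-session URL under an unambiguous name, e.g. `| extend RequestUrl = Url1` before the summarize and `RequestUrl` in the project, with the override and entity mapping pointing at it. It would also help analysts to expose the matched domain in customDetails, e.g. `"MatchedDomain": "domain"`, since it currently appears only in the display name.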
@@ -2396,41 +2397,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId6')]", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", "contentKind": "AnalyticsRule", - "displayName": "TI map Domain entity to Syslog", - "contentProductId": "[variables('_analyticRulecontentProductId6')]", - "id": "[variables('_analyticRulecontentProductId6')]", - "version": "[variables('analyticRuleVersion6')]" + "displayName": "TI map Domain entity to Web Session Events (ASIM Web Session schema)", + "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", + "id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName7')]", + "name": "[variables('analyticRuleObject7').analyticRuleTemplateSpecName7]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_AzureActivity_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "DomainEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion7')]", + "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": 
"[variables('analyticRulecontentId7')]", + "name": "[variables('analyticRuleObject7')._analyticRulecontentId7]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies a match in AzureActivity table from any Email IOC from TI", - "displayName": "TI map Email entity to AzureActivity", + "description": "Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI", + "displayName": "TI map Domain entity to PaloAlto", "enabled": false, - "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AzureActivity | where TimeGenerated >= ago(dt_lookBack) and isnotempty(Caller)\n | extend Caller = tolower(Caller)\n | where Caller matches regex emailregex\n | extend AzureActivity_TimeGenerated = TimeGenerated\n)\non $left.EmailSenderAddress == $right.Caller\n| where AzureActivity_TimeGenerated < ExpirationDateTime\n| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, Caller\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, EmailSenderName, EmailRecipient,\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue,\nResourceGroup, SubscriptionId\n| extend Name = 
tostring(split(Caller, '@', 0)[0]), UPNSuffix = tostring(split(Caller, '@', 1)[0])\n| extend timestamp = AzureActivity_TimeGenerated\n", + "query": "let dt_lookBack = 1h; // Duration to look back for recent logs (1 hour)\nlet ioc_lookBack = 14d; // Duration to look back for recent threat intelligence indicators (14 days)\n// Create a list of top-level domains (TLDs) in our threat feed for later validation of extracted domains\nlet list_tlds = \n ThreatIntelligenceIndicator\n | where isnotempty(DomainName)\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | extend DomainName = tolower(DomainName)\n | extend parts = split(DomainName, '.')\n | extend tld = parts[(array_length(parts)-1)]\n | summarize count() by tostring(tld)\n | summarize make_list(tld);\nlet Domain_Indicators = \n ThreatIntelligenceIndicator\n // Filter to pick up only IOC's that contain the entities we want (in this case, DomainName)\n | where isnotempty(DomainName)\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | extend TI_DomainEntity = DomainName;\nDomain_Indicators\n // Join with CommonSecurityLog to find potential malicious activity\n | join kind=innerunique (\n CommonSecurityLog\n | extend IngestionTime = ingestion_time()\n | where IngestionTime > ago(dt_lookBack)\n | where DeviceVendor =~ 'Palo Alto Networks'\n | where DeviceEventClassID =~ 'url'\n // Uncomment the line below to only alert on allowed connections\n // | where DeviceAction !~ \"block-url\"\n // Extract domain from RequestURL, if not present, extract it from AdditionalExtensions\n | extend PA_Url = coalesce(RequestURL, \"None\")\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \"PanOS\", extract(\"([^\\\"]+)\", 1, 
tolower(AdditionalExtensions)), trim('\"', PA_Url))\n | extend PA_Url = iif(PA_Url !in~ ('None', 'http://None', 'https://None') and PA_Url !startswith \"http://\" and PA_Url !startswith \"https://\" and ApplicationProtocol !~ \"ssl\", strcat('http://', PA_Url), PA_Url)\n | extend PA_Url = iif(PA_Url !in~ ('None', 'http://None', 'https://None') and PA_Url !startswith \"https://\" and ApplicationProtocol =~ \"ssl\", strcat('https://', PA_Url), PA_Url)\n | extend Domain = trim(@\"\"\"\", tostring(parse_url(PA_Url).Host))\n | where isnotempty(Domain)\n | extend Domain = tolower(Domain)\n | extend parts = split(Domain, '.')\n // Split out the top-level domain (TLD) for the purpose of checking if we have any TI indicators with this TLD to match on\n | extend tld = parts[(array_length(parts)-1)]\n // Validate parsed domain by checking TLD against TLDs from the threat feed and drop domains where there is no chance of a match\n | where tld in~ (list_tlds)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n ) on $left.TI_DomainEntity == $right.Domain\n | where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and Domain and keep only the latest CommonSecurityLog_TimeGenerated\n | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, Domain\n // Select the desired fields for the final result set\n | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod, Type, TI_DomainEntity\n // Add a new field 'timestamp' for convenience, using the CommonSecurityLog_TimeGenerated as its value\n | extend timestamp = CommonSecurityLog_TimeGenerated\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", 
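Review bot: The join in the new Palo Alto query is case-sensitive (`on $left.TI_DomainEntity == $right.Domain`) but only the right side is lower-cased (`| extend Domain = tolower(Domain)`), while `Domain_Indicators` sets `| extend TI_DomainEntity = DomainName;` without `tolower`, so an indicator whose `DomainName` contains upper-case characters can never match even though `list_tlds` lower-cases the same field. Change the indicator side to `| extend TI_DomainEntity = tolower(DomainName);`. The Syslog query in the hunk at @@ -2678 has the same gap: its `domain` is extracted from `tolower(SyslogMessage)` and joined with `==` against an un-lowered `TI_DomainEntity`. The `tld in~ (list_tlds)` pre-filter is case-insensitive, which hides the problem because rows pass the TLD check and then silently fail the join.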
@@ -2441,28 +2442,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActivity", "dataTypes": [ - "AzureActivity" - ] + "CommonSecurityLog" + ], + "connectorId": "PaloAltoNetworks" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -2470,15 +2471,11 @@ ], "entityMappings": [ { - "entityType": "Account", + "entityType": "Host", "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" - }, - { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "identifier": "HostName", + "columnName": "DeviceName" } ] }, @@ -2487,7 +2484,7 @@ "fieldMappings": [ { "identifier": "Address", - "columnName": "CallerIpAddress" + "columnName": "SourceIP" } ] }, @@ -2496,7 +2493,7 @@ "fieldMappings": [ { "identifier": "Url", - "columnName": "Url" + "columnName": "PA_Url" } ] } 
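Review bot: The new Host entity mapping in the hunk at @@ -2470 uses `DeviceName`, which in CommonSecurityLog is normally the reporting device (here the Palo Alto firewall) rather than the client that requested the domain, so every incident from this rule would pin the firewall as the affected host. The client is better represented by `SourceIP`, which the IP entity mapping in the following hunk already uses. If the firewall name is still wanted, consider exposing it as a custom detail instead (e.g. `"ReportingDevice": "DeviceName"`) or stating in the rule description that the Host entity is the logging device. This is inferred from the usual CEF field semantics; confirm against the connector's field mapping before changing it.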
@@ -2506,13 +2503,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject7').analyticRuleId7,'/'))))]", "properties": { "description": "Threat Intelligence Analytics Rule 7", - "parentId": "[variables('analyticRuleId7')]", - "contentId": "[variables('_analyticRulecontentId7')]", + "parentId": "[variables('analyticRuleObject7').analyticRuleId7]", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion7')]", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]", "source": { "kind": "Solution", "name": "Threat Intelligence", 
@@ -2537,41 +2534,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId7')]", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", "contentKind": "AnalyticsRule", - "displayName": "TI map Email entity to AzureActivity", - "contentProductId": "[variables('_analyticRulecontentProductId7')]", - "id": "[variables('_analyticRulecontentProductId7')]", - "version": "[variables('analyticRuleVersion7')]" + "displayName": "TI map Domain entity to PaloAlto", + "contentProductId": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", + "id": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName8')]", + "name": "[variables('analyticRuleObject8').analyticRuleTemplateSpecName8]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "DomainEntity_SecurityAlert_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion8')]", + "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId8')]", + "name": 
"[variables('analyticRuleObject8')._analyticRulecontentId8]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies a match in OfficeActivity table from any Email IOC from TI", - "displayName": "TI map Email entity to OfficeActivity", + "description": "Identifies a match in SecurityAlert table from any Domain IOC from TI", + "displayName": "TI map Domain entity to SecurityAlert", "enabled": false, - "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n OfficeActivity | where TimeGenerated >= ago(dt_lookBack) and isnotempty(UserId)\n | where UserId matches regex emailregex\n | extend OfficeActivity_TimeGenerated = TimeGenerated\n)\non $left.EmailSenderAddress == $right.UserId\n| where OfficeActivity_TimeGenerated < ExpirationDateTime\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, UserId\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters\n| extend Name = tostring(split(UserId, '@', 0)[0]), UPNSuffix = tostring(split(UserId, '@', 1)[0])\n| extend timestamp = OfficeActivity_TimeGenerated\n", + "query": 
"let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet SecurityAlerts = SecurityAlert\n| where TimeGenerated > ago(dt_lookBack)\n| extend domain = todynamic(dynamic_to_json(extract_all(@\"(((xn--)?[a-z0-9\\-]+\\.)+([a-z]+|(xn--[a-z0-9]+)))\", dynamic([1]), tolower(Entities))))\n| where isnotempty(domain)\n| mv-expand domain\n| extend domain = tostring(domain)\n| extend EntitiesDynamicArray = parse_json(Entities)\n| mv-apply EntitiesDynamicArray on\n (summarize\n HostName = take_anyif(tostring(EntitiesDynamicArray.HostName), EntitiesDynamicArray.Type == \"host\"),\n IP_addr = take_anyif(tostring(EntitiesDynamicArray.Address), EntitiesDynamicArray.Type == \"ip\")\n )\n| extend Alert_TimeGenerated = TimeGenerated\n| extend Alert_Description = Description;\nlet AlertDomains = SecurityAlerts\n| distinct domain\n| summarize make_list(domain);\nlet Domain_Indicators = materialize(ThreatIntelligenceIndicator\n| where isnotempty(DomainName)\n| where TimeGenerated >= ago(ioc_lookBack)\n| extend TI_DomainEntity = tolower(DomainName)\n| where TI_DomainEntity in (AlertDomains)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| where Description !contains_cs \"State: inactive;\" and Description !contains_cs \"State: falsepos;\");\nDomain_Indicators\n// Using innerunique to keep performance fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (SecurityAlerts) on $left.TI_DomainEntity == $right.domain\n| where Alert_TimeGenerated < ExpirationDateTime\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities, Type, TI_DomainEntity\n| 
extend timestamp = Alert_TimeGenerated\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -2582,28 +2579,34 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Office365", "dataTypes": [ - "OfficeActivity" - ] + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ - "ThreatIntelligenceIndicator" - ] + "SecurityAlert" + ], + "connectorId": "MicrosoftCloudAppSecurity" + }, + { + "dataTypes": [ + "SecurityAlert" + ], + "connectorId": "AzureSecurityCenter" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -2611,15 +2614,11 @@ ], "entityMappings": [ { - "entityType": "Account", + "entityType": "Host", "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" - }, - { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "identifier": "HostName", + "columnName": "HostName" } ] }, @@ -2628,7 +2627,7 @@ "fieldMappings": [ { "identifier": "Address", - "columnName": "ClientIP" + "columnName": "IP_addr" } ] }, 
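Review bot: The indicator pre-filter `| where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;"` appears only in this SecurityAlert query; the Palo Alto and Syslog domain rules in this same commit (hunks at @@ -2396 and @@ -2678) and the Web Session rule rely on `Active == true` alone. If that free-text state marker is meaningful for the feeds this solution targets, the same filter belongs in the other domain rules; if it is specific to one feed's description format, a short comment in the query such as `// drop indicators a feed has flagged inactive/false-positive in its description text` would keep the next maintainer from copying or removing it blindly. Note also that `contains_cs` is case-sensitive, so a feed writing `state: inactive;` would not be excluded.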
@@ -2647,13 +2646,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject8').analyticRuleId8,'/'))))]", "properties": { "description": "Threat Intelligence Analytics Rule 8", - "parentId": "[variables('analyticRuleId8')]", - "contentId": "[variables('_analyticRulecontentId8')]", + "parentId": "[variables('analyticRuleObject8').analyticRuleId8]", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion8')]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]", "source": { "kind": "Solution", "name": "Threat Intelligence", 
@@ -2678,41 +2677,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId8')]", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", "contentKind": "AnalyticsRule", - "displayName": "TI map Email entity to OfficeActivity", - "contentProductId": "[variables('_analyticRulecontentProductId8')]", - "id": "[variables('_analyticRulecontentProductId8')]", - "version": "[variables('analyticRuleVersion8')]" + "displayName": "TI map Domain entity to SecurityAlert", + "contentProductId": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", + "id": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName9')]", + "name": "[variables('analyticRuleObject9').analyticRuleTemplateSpecName9]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "DomainEntity_Syslog_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion9')]", + "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId9')]", + "name": 
"[variables('analyticRuleObject9')._analyticRulecontentId9]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies a match in CommonSecurityLog table from any Email IOC from TI", - "displayName": "TI map Email entity to PaloAlto CommonSecurityLog", + "description": "Identifies a match in Syslog table from any Domain IOC from TI", + "displayName": "TI map Domain entity to Syslog", "enabled": false, - "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) and isnotempty(DestinationUserID)\n // Filtering PAN Logs for specific event type to match relevant email entities\n | where DeviceVendor == \"Palo Alto Networks\" and DeviceEventClassID == \"wildfire\" and ApplicationProtocol in (\"smtp\",\"pop3\")\n | extend DestinationUserID = tolower(DestinationUserID)\n | where DestinationUserID matches regex emailregex\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n)\non $left.EmailSenderAddress == $right.DestinationUserID\n| where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, DestinationUserID\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, 
EmailRecipient,\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort,\nDestinationIP, DestinationPort, Protocol, ApplicationProtocol\n| extend timestamp = CommonSecurityLog_TimeGenerated\n", + "query": "let dt_lookBack = 1h; // Define the time range to look back for syslog data (1 hour)\nlet ioc_lookBack = 14d; // Define the time range to look back for threat intelligence indicators (14 days)\n// Create a list of top-level domains (TLDs) from the threat feed for later validation\nlet list_tlds = ThreatIntelligenceIndicator\n | where isnotempty(DomainName)\n | where TimeGenerated > ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | extend parts = split(DomainName, '.')\n | extend tld = parts[(array_length(parts)-1)]\n | summarize count() by tostring(tld)\n | summarize make_list(tld);\n// Fetch the latest active domain indicators from the threat intelligence data within the specified time range\nlet Domain_Indicators = ThreatIntelligenceIndicator\n | where isnotempty(DomainName)\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | extend TI_DomainEntity = DomainName;\n// Join the threat intelligence indicators with syslog data on matching domain entities\nDomain_Indicators\n | join kind=innerunique (\n Syslog\n | where TimeGenerated > ago(dt_lookBack)\n // Extract domain patterns from syslog messages\n | extend domain = extract(\"(([a-z0-9]+(-[a-z0-9]+)*\\\\.)+[a-z]{2,})\",1, tolower(SyslogMessage))\n | where isnotempty(domain)\n | extend parts = split(domain, '.')\n // Split out the top-level domain (TLD)\n | extend tld = parts[(array_length(parts)-1)]\n // Validate parsed domain by checking if the TLD is in the list of 
TLDs in our threat feed\n | where tld in~ (list_tlds)\n | extend Syslog_TimeGenerated = TimeGenerated\n ) on $left.TI_DomainEntity==$right.domain\n | where Syslog_TimeGenerated < ExpirationDateTime\n // Retrieve the latest syslog timestamp for each indicator and domain combination\n | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated, *) by IndicatorId, domain\n // Select the desired columns for the final result set\n | project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url, Type, TI_DomainEntity\n // Extract the hostname from the Computer field\n | extend HostName = tostring(split(Computer, '.', 0)[0])\n // Extract the DNS domain from the Computer field\n | extend DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n // Assign the Syslog_TimeGenerated value to the timestamp field\n | extend timestamp = Syslog_TimeGenerated\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -2723,28 +2722,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "PaloAltoNetworks", "dataTypes": [ - "CommonSecurityLog" - ] + "Syslog" + ], + "connectorId": "Syslog" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ 
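Review bot: `extract("(([a-z0-9]+(-[a-z0-9]+)*\\.)+[a-z]{2,})", 1, tolower(SyslogMessage))` returns only the first domain-looking token in each message, so a message that names several hosts (a legitimate sender before the indicator, for example) is matched only on the first one and the TI join never sees the rest. If one-match-per-message is a deliberate performance trade-off, say so in the query comment, e.g. `// Only the first domain in each message is checked; extract_all + mv-expand would check every domain at higher query cost`; otherwise switch to `extract_all(...)` followed by `mv-expand domain` as the SecurityAlert rule in this commit already does. The `list_tlds` block also uses `TimeGenerated > ago(ioc_lookBack)` while `Domain_Indicators` uses `>=`; aligning them avoids a boundary-row mismatch between the TLD list and the indicators.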
@@ -2752,11 +2751,15 @@ ], "entityMappings": [ { - "entityType": "Account", + "entityType": "Host", "fieldMappings": [ { - "identifier": "Name", - "columnName": "DestinationUserID" + "identifier": "HostName", + "columnName": "HostName" + }, + { + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ] }, @@ -2765,7 +2768,7 @@ "fieldMappings": [ { "identifier": "Address", - "columnName": "SourceIP" + "columnName": "HostIP" } ] }, @@ -2784,13 +2787,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject9').analyticRuleId9,'/'))))]", "properties": { "description": "Threat Intelligence Analytics Rule 9", - "parentId": "[variables('analyticRuleId9')]", - "contentId": "[variables('_analyticRulecontentId9')]", + "parentId": "[variables('analyticRuleObject9').analyticRuleId9]", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion9')]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]", "source": { "kind": "Solution", "name": "Threat Intelligence", 
@@ -2815,41 +2818,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId9')]", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", "contentKind": "AnalyticsRule", - "displayName": "TI map Email entity to PaloAlto CommonSecurityLog", - "contentProductId": "[variables('_analyticRulecontentProductId9')]", - "id": "[variables('_analyticRulecontentProductId9')]", - "version": "[variables('analyticRuleVersion9')]" + "displayName": "TI map Domain entity to Syslog", + "contentProductId": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", + "id": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName10')]", + "name": "[variables('analyticRuleObject10').analyticRuleTemplateSpecName10]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_SecurityAlert_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "EmailEntity_AzureActivity_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion10')]", + "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId10')]", + 
"name": "[variables('analyticRuleObject10')._analyticRulecontentId10]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others", - "displayName": "TI map Email entity to SecurityAlert", + "description": "Identifies a match in AzureActivity table from any Email IOC from TI", + "displayName": "TI map Email entity to AzureActivity", "enabled": false, - "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n SecurityAlert\n | where TimeGenerated >= ago(dt_lookBack)\n | extend MSTI = case(AlertName has \"TI map\" and VendorName == \"Microsoft\" and ProductName == 'Azure Sentinel', true, false)\n | where MSTI == false\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\n // Parsing relevant entity column to filter type account and creating new column by combining account and UPNSuffix\n | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),\n EntityUPNSuffix = tostring(parse_json(EntitiesDynamicArray).UPNSuffix)\n | where Entitytype =~ \"account\"\n | extend EntityEmail = 
tolower(strcat(EntityName, \"@\", EntityUPNSuffix))\n | where EntityEmail matches regex emailregex\n | extend Alert_TimeGenerated = TimeGenerated\n)\non $left.EmailSenderAddress == $right.EntityEmail\n| where Alert_TimeGenerated < ExpirationDateTime\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType,\nAlertSeverity, Entities, ProviderName, VendorName\n| extend Name = tostring(split(EntityEmail, '@', 0)[0]), UPNSuffix = tostring(split(EntityEmail, '@', 1)[0])\n| extend timestamp = Alert_TimeGenerated\n", + "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AzureActivity | where TimeGenerated >= ago(dt_lookBack) and isnotempty(Caller)\n | extend Caller = tolower(Caller)\n | where Caller matches regex emailregex\n | extend AzureActivity_TimeGenerated = TimeGenerated\n)\non $left.EmailSenderAddress == $right.Caller\n| where AzureActivity_TimeGenerated < ExpirationDateTime\n| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, Caller\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, 
Url, EmailSenderName, EmailRecipient,\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue,\nResourceGroup, SubscriptionId\n| extend Name = tostring(split(Caller, '@', 0)[0]), UPNSuffix = tostring(split(Caller, '@', 1)[0])\n| extend timestamp = AzureActivity_TimeGenerated\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -2860,28 +2863,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureSecurityCenter", "dataTypes": [ - "SecurityAlert" - ] + "AzureActivity" + ], + "connectorId": "AzureActivity" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -2901,6 +2904,15 @@ } ] }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "CallerIpAddress" + } + ] + }, { "entityType": "URL", "fieldMappings": [ 
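Review bot: In the new rule 10 query the log side is normalised with `| extend Caller = tolower(Caller)` but the indicator side `EmailSenderAddress` is joined as-is, so a mixed-case indicator never matches; the rule 13 query at the end of this chunk has the same gap with `DestinationUserID`. Rule 11 in this chunk already handles it with `| extend TI_EmailAddress = tolower(EmailSenderAddress)`; adding that line before the join and joining on `TI_EmailAddress` in rules 10 and 13 makes the four email rules behave the same way. The query strings are single JSON lines, so the change is an edit inside the `query` value rather than new template lines.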
@@ -2916,13 +2928,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId10'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject10').analyticRuleId10,'/'))))]", "properties": { "description": "Threat Intelligence Analytics Rule 10", - "parentId": "[variables('analyticRuleId10')]", - "contentId": "[variables('_analyticRulecontentId10')]", + "parentId": "[variables('analyticRuleObject10').analyticRuleId10]", + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion10')]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]", "source": { "kind": "Solution", "name": "Threat Intelligence", 
@@ -2947,41 +2959,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId10')]", + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", "contentKind": "AnalyticsRule", - "displayName": "TI map Email entity to SecurityAlert", - "contentProductId": "[variables('_analyticRulecontentProductId10')]", - "id": "[variables('_analyticRulecontentProductId10')]", - "version": "[variables('analyticRuleVersion10')]" + "displayName": "TI map Email entity to AzureActivity", + "contentProductId": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", + "id": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName11')]", + "name": "[variables('analyticRuleObject11').analyticRuleTemplateSpecName11]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_SecurityEvent_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "EmailEntity_EmailEvents_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion11')]", + "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": 
"[variables('analyticRulecontentId11')]", + "name": "[variables('analyticRuleObject11')._analyticRulecontentId11]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies a match in SecurityEvent table from any Email IOC from TI", - "displayName": "TI map Email entity to SecurityEvent", + "description": "Identifies a match in EmailEvents table from any Email IOC from TI", + "displayName": "TI map Email entity to EmailEvents", "enabled": false, - "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n(union isfuzzy=true\n(SecurityEvent\n| where TimeGenerated >= ago(dt_lookBack) and isnotempty(TargetUserName)\n//Normalizing the column to lower case for exact match with EmailSenderAddress column\n| extend TargetUserName = tolower(TargetUserName)\n// renaming timestamp column so it is clear the log this came from SecurityEvent table\n| extend SecurityEvent_TimeGenerated = TimeGenerated\n),\n(WindowsEvent\n| where TimeGenerated >= ago(dt_lookBack)\n| extend TargetUserName = tostring(EventData.TargetUserName)\n| where isnotempty(TargetUserName)\n//Normalizing the column to lower case for exact match with EmailSenderAddress column\n| extend TargetUserName = tolower(TargetUserName)\n// renaming timestamp column so it is clear the log this came from SecurityEvent table\n| extend SecurityEvent_TimeGenerated = TimeGenerated\n))\n)\non 
$left.EmailSenderAddress == $right.TargetUserName\n| where SecurityEvent_TimeGenerated < ExpirationDateTime\n| summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, TargetUserName\n| project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType,\nLogonTypeName, LogonProcessName, Status, SubStatus\n| extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n| extend timestamp = SecurityEvent_TimeGenerated\n", + "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet EmailEvents_ = materialize(EmailEvents | where isnotempty(RecipientEmailAddress) and isnotempty(SenderFromAddress) and TimeGenerated >= ago(dt_lookBack) and DeliveryAction !has \"Blocked\" | project-rename EmailEvents_TimeGenerated = TimeGenerated | extend SenderFromAddress = tolower(SenderFromAddress) | extend RecipientEmailAddress = tolower(RecipientEmailAddress));\nlet SenderAddresses = EmailEvents_ | distinct SenderFromAddress | summarize make_list(SenderFromAddress);\nlet RecipientAddresses = EmailEvents_ | distinct RecipientEmailAddress | summarize make_list(RecipientEmailAddress);\nlet TI = materialize(ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack)\n| where isnotempty(EmailSenderAddress)\n| extend TI_EmailAddress = tolower(EmailSenderAddress)\n| where TI_EmailAddress in (SenderAddresses) or TI_EmailAddress in (RecipientAddresses)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now());\n(union\n (TI | join kind=innerunique (EmailEvents_) on $left.TI_EmailAddress == $right.SenderFromAddress),\n (TI | join 
kind=innerunique (EmailEvents_) on $left.TI_EmailAddress == $right.RecipientEmailAddress))\n| where EmailEvents_TimeGenerated < ExpirationDateTime\n| summarize EmailEvents_TimeGenerated = arg_max(EmailEvents_TimeGenerated, *) by IndicatorId, TI_EmailAddress\n| project EmailEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, RecipientEmailAddress, SenderFromAddress, Subject, ConfidenceLevel, Url, Type, TI_EmailAddress, TrafficLightProtocolLevel, DeliveryAction, DeliveryLocation, EmailDirection\n| extend Name = tostring(split(RecipientEmailAddress, '@', 0)[0]), UPNSuffix = tostring(split(RecipientEmailAddress, '@', 1)[0])\n| extend timestamp = EmailEvents_TimeGenerated\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -2992,40 +3004,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ] + "EmailEvents" + ], + "connectorId": "Office365" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] - }, - { - "connectorId": "SecurityEvents", - "dataTypes": [ - "SecurityEvent" - ] - }, - { - "connectorId": "WindowsSecurityEvents", - "dataTypes": [ - "SecurityEvents" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "WindowsForwardedEvents", "dataTypes": [ - "WindowsEvent" - ] + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ 
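Review bot: The rule 11 query filters `DeliveryAction !has "Blocked"` and joins on both `SenderFromAddress` and `RecipientEmailAddress`, but the description only says `Identifies a match in EmailEvents table from any Email IOC from TI`; neither the blocked-mail exclusion nor the recipient-side match is stated, so an analyst tuning this rule will not know that mail already stopped by the filter is deliberately left out. A description along the lines of `Identifies a match in EmailEvents (sender or recipient address) from any Email IOC from TI; deliveries already blocked by the mail filter are excluded` would document the intent. The Account entity is always built from `RecipientEmailAddress`, so for a sender-side match the mapped account is the recipient rather than the indicator value; a short comment in the query saying this is intended would help.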
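Review bot: The first required data connector for rule 11 declares dataType `EmailEvents` under `"connectorId": "Office365"`, while the Office365 connector is what populates `OfficeActivity` (rule 12 in this chunk uses exactly that pairing); `EmailEvents` is, to my knowledge, ingested through the Microsoft Defender XDR connector, so this entry should be checked against the connector that actually delivers the table. A wrong connectorId does not break the query, but the content hub reports the rule's data source as satisfied or missing based on it.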
@@ -3037,38 +3037,11 @@ "fieldMappings": [ { "identifier": "Name", - "columnName": "TargetUserName" - } - ] - }, - { - "entityType": "Host", - "fieldMappings": [ - { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "Name" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" - } - ] - }, - { - "entityType": "IP", - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IpAddress" - } - ] - }, - { - "entityType": "URL", - "fieldMappings": [ - { - "identifier": "Url", - "columnName": "Url" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ] } @@ -3078,13 +3051,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId11'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject11').analyticRuleId11,'/'))))]", "properties": { "description": "Threat Intelligence Analytics Rule 11", - "parentId": "[variables('analyticRuleId11')]", - "contentId": "[variables('_analyticRulecontentId11')]", + "parentId": "[variables('analyticRuleObject11').analyticRuleId11]", + "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion11')]", + "version": "[variables('analyticRuleObject11').analyticRuleVersion11]", "source": { "kind": "Solution", "name": "Threat Intelligence", 
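Review bot: The entity mappings for rule 11 drop the `URL` mapping (along with Host and IP) although the new query still projects `Url` from the indicator; keeping `{ "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "Url" } ] }` costs nothing and preserves the pivot the previous version exposed. Host and IP are correctly removed, since `HostName`, `DnsDomain` and `IpAddress` are no longer projected by the new query.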
@@ -3109,41 +3082,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId11')]", + "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]", "contentKind": "AnalyticsRule", - "displayName": "TI map Email entity to SecurityEvent", - "contentProductId": "[variables('_analyticRulecontentProductId11')]", - "id": "[variables('_analyticRulecontentProductId11')]", - "version": "[variables('analyticRuleVersion11')]" + "displayName": "TI map Email entity to EmailEvents", + "contentProductId": "[variables('analyticRuleObject11')._analyticRulecontentProductId11]", + "id": "[variables('analyticRuleObject11')._analyticRulecontentProductId11]", + "version": "[variables('analyticRuleObject11').analyticRuleVersion11]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName12')]", + "name": "[variables('analyticRuleObject12').analyticRuleTemplateSpecName12]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_SigninLogs_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "EmailEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion12')]", + "contentVersion": "[variables('analyticRuleObject12').analyticRuleVersion12]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId12')]", 
+ "name": "[variables('analyticRuleObject12')._analyticRulecontentId12]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies a match in SigninLogs table from any Email IOC from TI", - "displayName": "TI map Email entity to SigninLogs", + "description": "Identifies a match in OfficeActivity table from any Email IOC from TI", + "displayName": "TI map Email entity to OfficeActivity", "enabled": false, - "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nlet aadFunc = (tableName:string){\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n table(tableName) | where TimeGenerated >= ago(dt_lookBack) and isnotempty(UserPrincipalName)\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\n | extend UserPrincipalName = tolower(UserPrincipalName)\n | where UserPrincipalName matches regex emailregex\n | extend Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\n // renaming timestamp column so it is clear the log this came from SigninLogs table\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\n)\non $left.EmailSenderAddress == $right.UserPrincipalName\n| where 
SigninLogs_TimeGenerated < ExpirationDateTime\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, UserPrincipalName\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName,\nStatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Type\n| extend Name = tostring(split(UserPrincipalName, '@', 0)[0]), UPNSuffix = tostring(split(UserPrincipalName, '@', 1)[0])\n| extend timestamp = SigninLogs_TimeGenerated\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nlet OfficeEvents = materialize(\n OfficeActivity\n | where isnotempty(UserId)\n | where TimeGenerated >= ago(dt_lookBack)\n | where UserId matches regex emailregex\n | project-rename OfficeActivity_TimeGenerated = TimeGenerated);\nlet OfficeActivityUPNs = OfficeEvents | distinct UserId = tolower(UserId) | summarize make_list(UserId);\nThreatIntelligenceIndicator\n| where isnotempty(EmailSenderAddress)\n| where TimeGenerated >= ago(ioc_lookBack)\n| where tolower(EmailSenderAddress) in (OfficeActivityUPNs)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| where Description !contains_cs \"State: inactive;\" and Description !contains_cs \"State: falsepos;\"\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (OfficeEvents) on $left.EmailSenderAddress == $right.UserId\n| where 
OfficeActivity_TimeGenerated < ExpirationDateTime\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, UserId\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters\n| extend Name = tostring(split(UserId, '@', 0)[0]), UPNSuffix = tostring(split(UserId, '@', 1)[0])\n| extend timestamp = OfficeActivity_TimeGenerated\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -3154,34 +3127,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ] + "OfficeActivity" + ], + "connectorId": "Office365" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] - }, - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "SigninLogs" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "AzureActiveDirectory", "dataTypes": [ - "AADNonInteractiveUserSignInLogs" - ] + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -3206,7 +3173,7 @@ "fieldMappings": [ { "identifier": "Address", - "columnName": "IPAddress" + "columnName": "ClientIP" } ] }, 
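Review bot: In the rule 12 query the pre-filter compares lower-cased values (`distinct UserId = tolower(UserId)` and `where tolower(EmailSenderAddress) in (OfficeActivityUPNs)`) but the join `on $left.EmailSenderAddress == $right.UserId` uses the original-case columns, so an indicator that passes the pre-filter can still fail the case-sensitive join and is silently dropped. Lower-casing `UserId` inside the materialized `OfficeEvents` (`| extend UserId = tolower(UserId)`) and joining on a lower-cased `TI_EmailAddress` closes the gap. The `Description !contains_cs "State: inactive;"` and `"State: falsepos;"` filters appear only in this rule; if they are meant to suppress retired indicators they belong in the other email rules too, otherwise a comment on why rule 12 alone needs them would help.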
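Review bot: The IP entity for rule 12 now maps `ClientIP` straight from `OfficeActivity`; in my experience that column frequently carries a port suffix (`a.b.c.d:port`) and a bracketed IPv6 form, neither of which resolves to a usable IP entity. Stripping the port portion in the query before the final projection (the expression has to account for the bracketed IPv6 form as well as plain IPv4) would make the mapping reliable.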
@@ -3225,13 +3192,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId12'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject12').analyticRuleId12,'/'))))]", "properties": { "description": "Threat Intelligence Analytics Rule 12", - "parentId": "[variables('analyticRuleId12')]", - "contentId": "[variables('_analyticRulecontentId12')]", + "parentId": "[variables('analyticRuleObject12').analyticRuleId12]", + "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion12')]", + "version": "[variables('analyticRuleObject12').analyticRuleVersion12]", "source": { "kind": "Solution", "name": "Threat Intelligence", 
@@ -3256,41 +3223,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId12')]", + "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]", "contentKind": "AnalyticsRule", - "displayName": "TI map Email entity to SigninLogs", - "contentProductId": "[variables('_analyticRulecontentProductId12')]", - "id": "[variables('_analyticRulecontentProductId12')]", - "version": "[variables('analyticRuleVersion12')]" + "displayName": "TI map Email entity to OfficeActivity", + "contentProductId": "[variables('analyticRuleObject12')._analyticRulecontentProductId12]", + "id": "[variables('analyticRuleObject12')._analyticRulecontentProductId12]", + "version": "[variables('analyticRuleObject12').analyticRuleVersion12]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName13')]", + "name": "[variables('analyticRuleObject13').analyticRuleTemplateSpecName13]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileHashEntity_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "EmailEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion13')]", + "contentVersion": "[variables('analyticRuleObject13').analyticRuleVersion13]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": 
"[variables('analyticRulecontentId13')]", + "name": "[variables('analyticRuleObject13')._analyticRulecontentId13]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI", - "displayName": "TI map File Hash to CommonSecurityLog Event", + "description": "Identifies a match in CommonSecurityLog table from any Email IOC from TI", + "displayName": "TI map Email entity to PaloAlto CommonSecurityLog", "enabled": false, - "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet fileHashIndicators = ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n| where isnotempty(FileHashValue);\n// Handle matches against both lower case and uppercase versions of the hash:\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(FileHash)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n )\non $left.FileHashValue == $right.FileHash\n| where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\nRequestURL, DestinationUserName, 
DestinationUserID, ApplicationProtocol, Activity, FileHashValue, FileHashType\n| extend HostName = tostring(split(DeviceName, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(DeviceName, '.'), 1, -1), '.'))\n| extend Name = tostring(split(SourceUserName, '@', 0)[0]), UPNSuffix = tostring(split(SourceUserName, '@', 1)[0])\n| extend timestamp = CommonSecurityLog_TimeGenerated\n", + "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) and isnotempty(DestinationUserID)\n // Filtering PAN Logs for specific event type to match relevant email entities\n | where DeviceVendor == \"Palo Alto Networks\" and DeviceEventClassID == \"wildfire\" and ApplicationProtocol in (\"smtp\",\"pop3\")\n | extend DestinationUserID = tolower(DestinationUserID)\n | where DestinationUserID matches regex emailregex\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n)\non $left.EmailSenderAddress == $right.DestinationUserID\n| where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, DestinationUserID\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient,\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, 
DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort,\nDestinationIP, DestinationPort, Protocol, ApplicationProtocol\n| extend timestamp = CommonSecurityLog_TimeGenerated\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -3301,28 +3268,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "PaloAltoNetworks", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "PaloAltoNetworks" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -3334,24 +3301,7 @@ "fieldMappings": [ { "identifier": "Name", - "columnName": "Name" - }, - { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" - } - ] - }, - { - "entityType": "Host", - "fieldMappings": [ - { - "identifier": "HostName", - "columnName": "HostName" - }, - { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DestinationUserID" } ] }, @@ -3372,19 +3322,6 @@ "columnName": "Url" } ] - }, - { - "entityType": "FileHash", - "fieldMappings": [ - { - "identifier": "Value", - "columnName": "FileHashValue" - }, - { - "identifier": "Algorithm", - "columnName": "FileHashType" - } - ] } ] } 
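Review bot: Rule 13's Account entity now maps the full `DestinationUserID` e-mail address to the `Name` identifier, whereas rules 10–12 in this chunk split the address with `| extend Name = tostring(split(..., '@', 0)[0]), UPNSuffix = tostring(split(..., '@', 1)[0])`; a whole address in `Name` yields a different account entity than the other rules produce for the same user, so incidents will not correlate across them. Adding the same `extend` for `DestinationUserID` before `| extend timestamp = CommonSecurityLog_TimeGenerated` and restoring the `Name`/`UPNSuffix` field mappings that this hunk removes keeps the entity consistent. The indicator-side case-normalisation gap raised for rule 10 applies to this query too.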
@@ -3392,13 +3329,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId13'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject13').analyticRuleId13,'/'))))]", "properties": { "description": "Threat Intelligence Analytics Rule 13", - "parentId": "[variables('analyticRuleId13')]", - "contentId": "[variables('_analyticRulecontentId13')]", + "parentId": "[variables('analyticRuleObject13').analyticRuleId13]", + "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion13')]", + "version": "[variables('analyticRuleObject13').analyticRuleVersion13]", "source": { "kind": "Solution", "name": "Threat Intelligence", 
@@ -3423,41 +3360,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId13')]", + "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]", "contentKind": "AnalyticsRule", - "displayName": "TI map File Hash to CommonSecurityLog Event", - "contentProductId": "[variables('_analyticRulecontentProductId13')]", - "id": "[variables('_analyticRulecontentProductId13')]", - "version": "[variables('analyticRuleVersion13')]" + "displayName": "TI map Email entity to PaloAlto CommonSecurityLog", + "contentProductId": "[variables('analyticRuleObject13')._analyticRulecontentProductId13]", + "id": "[variables('analyticRuleObject13')._analyticRulecontentProductId13]", + "version": "[variables('analyticRuleObject13').analyticRuleVersion13]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName14')]", + "name": "[variables('analyticRuleObject14').analyticRuleTemplateSpecName14]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileHashEntity_SecurityEvent_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "EmailEntity_SecurityAlert_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion14')]", + "contentVersion": "[variables('analyticRuleObject14').analyticRuleVersion14]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": 
"[variables('analyticRulecontentId14')]", + "name": "[variables('analyticRuleObject14')._analyticRulecontentId14]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies a match in Security Event data from any File Hash IOC from TI", - "displayName": "TI map File Hash to Security Event", + "description": "Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others", + "displayName": "TI map Email entity to SecurityAlert", "enabled": false, - "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n| where isnotempty(FileHashValue)\n| extend FileHashValue = toupper(FileHashValue)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique ( union isfuzzy=true\n (SecurityEvent | where TimeGenerated >= ago(dt_lookBack)\n | where EventID in (\"8003\",\"8002\",\"8005\")\n | where isnotempty(FileHash)\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(FileHash)\n ),\n (WindowsEvent | where TimeGenerated >= ago(dt_lookBack)\n | where EventID in (\"8003\",\"8002\",\"8005\")\n | where isnotempty(EventData.FileHash)\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(EventData.FileHash)\n )\n)\non $left.FileHashValue == $right.FileHash\n| where SecurityEvent_TimeGenerated < ExpirationDateTime\n| summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, FileHash\n| project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, 
IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nProcess, FileHash, Computer, Account, Event, FileHashValue, FileHashType\n| extend NTDomain = tostring(split(Account, '\\\\', 0)[0]), Name = tostring(split(Account, '\\\\', 1)[0])\n| extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.')) \n| extend timestamp = SecurityEvent_TimeGenerated\n", + "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n SecurityAlert\n | where TimeGenerated >= ago(dt_lookBack)\n | extend MSTI = case(AlertName has \"TI map\" and VendorName == \"Microsoft\" and ProductName == 'Azure Sentinel', true, false)\n | where MSTI == false\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\n // Parsing relevant entity column to filter type account and creating new column by combining account and UPNSuffix\n | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),\n EntityUPNSuffix = tostring(parse_json(EntitiesDynamicArray).UPNSuffix)\n | where Entitytype =~ \"account\"\n | extend EntityEmail = tolower(strcat(EntityName, \"@\", EntityUPNSuffix))\n | where EntityEmail matches regex emailregex\n | extend Alert_TimeGenerated = TimeGenerated\n)\non $left.EmailSenderAddress 
== $right.EntityEmail\n| where Alert_TimeGenerated < ExpirationDateTime\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType,\nAlertSeverity, Entities, ProviderName, VendorName\n| extend Name = tostring(split(EntityEmail, '@', 0)[0]), UPNSuffix = tostring(split(EntityEmail, '@', 1)[0])\n| extend timestamp = Alert_TimeGenerated\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", 
@@ -3468,40 +3405,172 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SecurityEvents", - "dataTypes": [ - "SecurityEvent" - ] - }, - { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ - "SecurityEvents" - ] + "SecurityAlert" + ], + "connectorId": "AzureSecurityCenter" }, { - "connectorId": "WindowsForwardedEvents", "dataTypes": [ - "WindowsEvent" - ] + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" + } + ], + "tactics": [ + "Impact" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" + }, + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "Url" + } ] + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject14').analyticRuleId14,'/'))))]", + "properties": { + "description": "Threat Intelligence Analytics Rule 14", + "parentId": "[variables('analyticRuleObject14').analyticRuleId14]", + "contentId": "[variables('analyticRuleObject14')._analyticRulecontentId14]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject14').analyticRuleVersion14]", + "source": { + "kind": "Solution", + "name": "Threat Intelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft 
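Review bot: Rule 14's query in this hunk lower-cases the alert side (`EntityEmail = tolower(strcat(EntityName, "@", EntityUPNSuffix))`) but never normalises `EmailSenderAddress` on the ThreatIntelligenceIndicator side, and the join `on $left.EmailSenderAddress == $right.EntityEmail` is case-sensitive in KQL, so an indicator whose address contains upper-case letters can never match. Inserting `| extend EmailSenderAddress = tolower(EmailSenderAddress)` directly after the `isnotempty(EmailSenderAddress)` filter closes the gap without changing any projected column. The same asymmetry exists in rule 13 (preceding hunk, `DestinationUserID` lower-cased), rule 15 (`@@ -3468` hunk, `TargetUserName` lower-cased) and rule 16 (`@@ -3542` hunk, where the `EmailSenderAddress in (SigninUPNs)` pre-filter is also case-sensitive and would need `in~` or the same lower-casing). As the template appears generated, the fix should go into the source rule definitions.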
Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject14')._analyticRulecontentId14]", + "contentKind": "AnalyticsRule", + "displayName": "TI map Email entity to SecurityAlert", + "contentProductId": "[variables('analyticRuleObject14')._analyticRulecontentProductId14]", + "id": "[variables('analyticRuleObject14')._analyticRulecontentProductId14]", + "version": "[variables('analyticRuleObject14').analyticRuleVersion14]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject15').analyticRuleTemplateSpecName15]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "EmailEntity_SecurityEvent_AnalyticalRules Analytics Rule with template version 3.0.2", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject15').analyticRuleVersion15]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject15')._analyticRulecontentId15]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies a match in SecurityEvent table from any Email IOC from TI", + "displayName": "TI map Email entity to SecurityEvent", + 
"enabled": false, + "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n(union isfuzzy=true\n(SecurityEvent\n| where TimeGenerated >= ago(dt_lookBack) and isnotempty(TargetUserName)\n//Normalizing the column to lower case for exact match with EmailSenderAddress column\n| extend TargetUserName = tolower(TargetUserName)\n// renaming timestamp column so it is clear the log this came from SecurityEvent table\n| extend SecurityEvent_TimeGenerated = TimeGenerated\n),\n(WindowsEvent\n| where TimeGenerated >= ago(dt_lookBack)\n| extend TargetUserName = tostring(EventData.TargetUserName)\n| where isnotempty(TargetUserName)\n//Normalizing the column to lower case for exact match with EmailSenderAddress column\n| extend TargetUserName = tolower(TargetUserName)\n// renaming timestamp column so it is clear the log this came from SecurityEvent table\n| extend SecurityEvent_TimeGenerated = TimeGenerated\n))\n)\non $left.EmailSenderAddress == $right.TargetUserName\n| where SecurityEvent_TimeGenerated < ExpirationDateTime\n| summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, TargetUserName\n| project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, 
AccountType,\nLogonTypeName, LogonProcessName, Status, SubStatus\n| extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n| extend timestamp = SecurityEvent_TimeGenerated\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" + }, + { + "dataTypes": [ + "SecurityEvent" + ], + "connectorId": "SecurityEvents" + }, + { + "dataTypes": [ + "SecurityEvents" + ], + "connectorId": "WindowsSecurityEvents" + }, + { + "dataTypes": [ + "WindowsEvent" + ], + "connectorId": "WindowsForwardedEvents" + }, + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -3513,11 +3582,7 @@ "fieldMappings": [ { "identifier": "Name", - "columnName": "Name" - }, - { - "identifier": "NTDomain", - "columnName": "NTDomain" + "columnName": "TargetUserName" } ] }, @@ -3534,6 +3599,15 @@ } ] }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IpAddress" + } + ] + }, { "entityType": "URL", "fieldMappings": [ 
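Review bot: Rule 15's query in the `@@ -3468` hunk gates the SecurityEvent and WindowsEvent branches only on `isnotempty(TargetUserName)`, while rules 13, 14 and 16 in this change apply `matches regex emailregex` before the join; Windows `TargetUserName` values are often plain account names rather than addresses, so most of the rows fed into the join here can never equal an `EmailSenderAddress`. Adding `| where TargetUserName matches regex emailregex` after the `tolower` step in both union branches keeps the rules consistent and reduces the join input. The comment `// renaming timestamp column so it is clear the log this came from SecurityEvent table` is also copied verbatim into the WindowsEvent branch, where it is misleading. The template appears generated, so both edits belong in the source rule YAML.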
@@ -3542,17 +3616,1212 @@ "columnName": "Url" } ] + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject15').analyticRuleId15,'/'))))]", + "properties": { + "description": "Threat Intelligence Analytics Rule 15", + "parentId": "[variables('analyticRuleObject15').analyticRuleId15]", + "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject15').analyticRuleVersion15]", + "source": { + "kind": "Solution", + "name": "Threat Intelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]", + "contentKind": "AnalyticsRule", + "displayName": "TI map Email entity to SecurityEvent", + "contentProductId": "[variables('analyticRuleObject15')._analyticRulecontentProductId15]", + "id": "[variables('analyticRuleObject15')._analyticRulecontentProductId15]", + "version": "[variables('analyticRuleObject15').analyticRuleVersion15]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject16').analyticRuleTemplateSpecName16]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "EmailEntity_SigninLogs_AnalyticalRules Analytics Rule with template version 3.0.2", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject16').analyticRuleVersion16]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject16')._analyticRulecontentId16]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies a match in SigninLogs table from any Email IOC from TI", + "displayName": "TI map Email entity to SigninLogs", + "enabled": false, + "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nlet Signins = materialize(union isfuzzy=true\n( SigninLogs | where TimeGenerated >= ago(dt_lookBack)),\n( AADNonInteractiveUserSignInLogs | where TimeGenerated >= ago(dt_lookBack)\n | extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails))\n| where isnotempty(UserPrincipalName) and UserPrincipalName matches regex emailregex\n| extend UserPrincipalName = tolower(UserPrincipalName)\n| extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\n| extend SigninLogs_TimeGenerated = TimeGenerated);\nlet SigninUPNs = Signins | distinct UserPrincipalName | summarize 
make_list(UserPrincipalName);\nThreatIntelligenceIndicator\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n| where TimeGenerated >= ago(ioc_lookBack)\n| where EmailSenderAddress in (SigninUPNs)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| where Description !contains_cs \"State: inactive;\" and Description !contains_cs \"State: falsepos;\"\n| join kind=innerunique (Signins) on $left.EmailSenderAddress == $right.UserPrincipalName\n| where SigninLogs_TimeGenerated < ExpirationDateTime\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, UserPrincipalName\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Type\n| extend Name = tostring(split(UserPrincipalName, '@', 0)[0]), UPNSuffix = tostring(split(UserPrincipalName, '@', 1)[0])\n| extend timestamp = SigninLogs_TimeGenerated\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligence" }, { - "entityType": "FileHash", + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligenceTaxii" + }, + { + "dataTypes": [ + "SigninLogs" + ], + "connectorId": "AzureActiveDirectory" + }, + { + "dataTypes": [ + "AADNonInteractiveUserSignInLogs" + ], + "connectorId": "AzureActiveDirectory" + }, + { + "dataTypes": [ + 
"ThreatIntelligenceIndicator" + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" + } + ], + "tactics": [ + "Impact" + ], + "entityMappings": [ + { + "entityType": "Account", "fieldMappings": [ { - "identifier": "Value", - "columnName": "FileHashValue" + "identifier": "Name", + "columnName": "Name" }, { - "identifier": "Algorithm", - "columnName": "FileHashType" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPAddress" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "Url" + } + ] + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject16').analyticRuleId16,'/'))))]", + "properties": { + "description": "Threat Intelligence Analytics Rule 16", + "parentId": "[variables('analyticRuleObject16').analyticRuleId16]", + "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject16').analyticRuleVersion16]", + "source": { + "kind": "Solution", + "name": "Threat Intelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]", + "contentKind": "AnalyticsRule", + 
"displayName": "TI map Email entity to SigninLogs", + "contentProductId": "[variables('analyticRuleObject16')._analyticRulecontentProductId16]", + "id": "[variables('analyticRuleObject16')._analyticRulecontentProductId16]", + "version": "[variables('analyticRuleObject16').analyticRuleVersion16]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject17').analyticRuleTemplateSpecName17]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "FileHashEntity_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.2", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject17').analyticRuleVersion17]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject17')._analyticRulecontentId17]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI", + "displayName": "TI map File Hash to CommonSecurityLog Event", + "enabled": false, + "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet fileHashIndicators = ThreatIntelligenceIndicator\n| where isnotempty(FileHashValue)\n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now();\n// Handle matches against both lower case and uppercase versions of the 
hash:\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(FileHash)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n )\non $left.FileHashValue == $right.FileHash\n| where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity, FileHashValue, FileHashType\n| extend HostName = tostring(split(DeviceName, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(DeviceName, '.'), 1, -1), '.'))\n| extend Name = tostring(split(SourceUserName, '@', 0)[0]), UPNSuffix = tostring(split(SourceUserName, '@', 1)[0])\n| extend timestamp = CommonSecurityLog_TimeGenerated\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "CommonSecurityLog" + ], + "connectorId": "PaloAltoNetworks" + }, + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligence" + }, + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligenceTaxii" + }, + { + "dataTypes": [ + 
"ThreatIntelligenceIndicator" + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" + } + ], + "tactics": [ + "Impact" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" + }, + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "HostName", + "columnName": "HostName" + }, + { + "identifier": "DnsDomain", + "columnName": "DnsDomain" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "SourceIP" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "Url" + } + ] + }, + { + "entityType": "FileHash", + "fieldMappings": [ + { + "identifier": "Value", + "columnName": "FileHashValue" + }, + { + "identifier": "Algorithm", + "columnName": "FileHashType" + } + ] + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject17').analyticRuleId17,'/'))))]", + "properties": { + "description": "Threat Intelligence Analytics Rule 17", + "parentId": "[variables('analyticRuleObject17').analyticRuleId17]", + "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject17').analyticRuleVersion17]", + "source": { + "kind": "Solution", + "name": "Threat Intelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": 
"[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]", + "contentKind": "AnalyticsRule", + "displayName": "TI map File Hash to CommonSecurityLog Event", + "contentProductId": "[variables('analyticRuleObject17')._analyticRulecontentProductId17]", + "id": "[variables('analyticRuleObject17')._analyticRulecontentProductId17]", + "version": "[variables('analyticRuleObject17').analyticRuleVersion17]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject18').analyticRuleTemplateSpecName18]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "FileHashEntity_DeviceFileEvents_AnalyticalRules Analytics Rule with template version 3.0.2", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject18').analyticRuleVersion18]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject18')._analyticRulecontentId18]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies a match in DeviceFileEvents Event data from any FileHash IOC from TI", + "displayName": "TI map File Hash to DeviceFileEvents Event", + "enabled": false, + "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet DeviceFileEvents_ = (union\n(DeviceFileEvents | 
where TimeGenerated > ago(dt_lookBack) | where isnotempty(SHA1) | extend FileHashValue = SHA1),\n(DeviceFileEvents | where TimeGenerated > ago(dt_lookBack) | where isnotempty(SHA256) | extend FileHashValue = SHA256));\nlet Hashes = DeviceFileEvents_ | distinct FileHashValue;\nThreatIntelligenceIndicator\n| where isnotempty(FileHashValue)\n| where TimeGenerated > ago(ioc_lookBack)\n| where FileHashValue in (Hashes)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| where Description !contains_cs \"State: inactive;\" and Description !contains_cs \"State: falsepos;\"\n| join kind=innerunique (DeviceFileEvents_) on $left.FileHashValue == $right.FileHashValue\n| where TimeGenerated < ExpirationDateTime\n| summarize TimeGenerated = arg_max(TimeGenerated, *) by IndicatorId, DeviceId\n| project TimeGenerated, TrafficLightProtocolLevel, Description, ActivityGroupNames, IndicatorId, ThreatType, FileHashValue, FileHashType, ExpirationDateTime, ConfidenceScore, ActionType, DeviceId, DeviceName, FolderPath, RequestAccountDomain, RequestAccountName, RequestAccountSid, MachineGroup\n| extend timestamp = TimeGenerated\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "DeviceFileEvents" + ], + "connectorId": "MicrosoftThreatProtection" + }, + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligence" + }, + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligenceTaxii" + }, + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" + } + ], + "tactics": [ + "Impact" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { 
+ "identifier": "Name", + "columnName": "RequestAccountName" + }, + { + "identifier": "Sid", + "columnName": "RequestAccountSid" + }, + { + "identifier": "NTDomain", + "columnName": "RequestAccountDomain" + } + ] + }, + { + "entityType": "FileHash", + "fieldMappings": [ + { + "identifier": "Value", + "columnName": "FileHashValue" + }, + { + "identifier": "Algorithm", + "columnName": "FileHashType" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "HostName", + "columnName": "DeviceName" + } + ] + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject18').analyticRuleId18,'/'))))]", + "properties": { + "description": "Threat Intelligence Analytics Rule 18", + "parentId": "[variables('analyticRuleObject18').analyticRuleId18]", + "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject18').analyticRuleVersion18]", + "source": { + "kind": "Solution", + "name": "Threat Intelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]", + "contentKind": "AnalyticsRule", + "displayName": "TI map File Hash to DeviceFileEvents Event", + "contentProductId": 
"[variables('analyticRuleObject18')._analyticRulecontentProductId18]", + "id": "[variables('analyticRuleObject18')._analyticRulecontentProductId18]", + "version": "[variables('analyticRuleObject18').analyticRuleVersion18]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject19').analyticRuleTemplateSpecName19]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "FileHashEntity_SecurityEvent_AnalyticalRules Analytics Rule with template version 3.0.2", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject19').analyticRuleVersion19]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject19')._analyticRulecontentId19]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies a match in Security Event data from any File Hash IOC from TI", + "displayName": "TI map File Hash to Security Event", + "enabled": false, + "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where isnotempty(FileHashValue)\n| where TimeGenerated >= ago(ioc_lookBack)\n| extend FileHashValue = toupper(FileHashValue)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be 
investigated\n| join kind=innerunique ( union isfuzzy=true\n (SecurityEvent | where TimeGenerated >= ago(dt_lookBack)\n | where EventID in (\"8003\",\"8002\",\"8005\")\n | where isnotempty(FileHash)\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(FileHash)\n ),\n (WindowsEvent | where TimeGenerated >= ago(dt_lookBack)\n | where EventID in (\"8003\",\"8002\",\"8005\")\n | where isnotempty(EventData.FileHash)\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(EventData.FileHash)\n )\n)\non $left.FileHashValue == $right.FileHash\n| where SecurityEvent_TimeGenerated < ExpirationDateTime\n| summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, FileHash\n| project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nProcess, FileHash, Computer, Account, Event, FileHashValue, FileHashType\n| extend NTDomain = tostring(split(Account, '\\\\', 0)[0]), Name = tostring(split(Account, '\\\\', 1)[0])\n| extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.')) \n| extend timestamp = SecurityEvent_TimeGenerated\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "SecurityEvent" + ], + "connectorId": "SecurityEvents" + }, + { + "dataTypes": [ + "SecurityEvents" + ], + "connectorId": "WindowsSecurityEvents" + }, + { + "dataTypes": [ + "WindowsEvent" + ], + "connectorId": "WindowsForwardedEvents" + }, + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligence" + }, + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": 
"ThreatIntelligenceTaxii" + }, + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" + } + ], + "tactics": [ + "Impact" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" + }, + { + "identifier": "NTDomain", + "columnName": "NTDomain" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "HostName", + "columnName": "HostName" + }, + { + "identifier": "DnsDomain", + "columnName": "DnsDomain" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "Url" + } + ] + }, + { + "entityType": "FileHash", + "fieldMappings": [ + { + "identifier": "Value", + "columnName": "FileHashValue" + }, + { + "identifier": "Algorithm", + "columnName": "FileHashType" + } + ] + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject19').analyticRuleId19,'/'))))]", + "properties": { + "description": "Threat Intelligence Analytics Rule 19", + "parentId": "[variables('analyticRuleObject19').analyticRuleId19]", + "contentId": "[variables('analyticRuleObject19')._analyticRulecontentId19]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject19').analyticRuleVersion19]", + "source": { + "kind": "Solution", + "name": "Threat Intelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": 
"[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject19')._analyticRulecontentId19]", + "contentKind": "AnalyticsRule", + "displayName": "TI map File Hash to Security Event", + "contentProductId": "[variables('analyticRuleObject19')._analyticRulecontentProductId19]", + "id": "[variables('analyticRuleObject19')._analyticRulecontentProductId19]", + "version": "[variables('analyticRuleObject19').analyticRuleVersion19]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject20').analyticRuleTemplateSpecName20]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "IPEntity_AppServiceHTTPLogs_AnalyticalRules Analytics Rule with template version 3.0.2", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject20').analyticRuleVersion20]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject20')._analyticRulecontentId20]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies a match in AppServiceHTTPLogs from any IP IOC from TI", + "displayName": "TI map IP entity to AppServiceHTTPLogs", + "enabled": false, + "query": "let dt_lookBack = 1h; // Look back 1 hour for AppServiceHTTPLogs\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators 
related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n // Filter out indicators without relevant IP address fields\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | where TimeGenerated >= ago(ioc_lookBack)\n // Filtering out rows where the Confidence Score is less than 50 as they would not have an Alert Priority label. \n | where ConfidenceScore > 50\n // Select the IP entity based on availability of different IP fields\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n // Determine AlertPriority based on ConfidenceScore\n | extend AlertPriority = case(ConfidenceScore > 82, \"High\",\n ConfidenceScore > 74, \"Medium\",\n \"Low\")\n // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\"\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now();\n// Perform a join between IP indicators and AppServiceHTTPLogs to identify potential malicious activity\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n AppServiceHTTPLogs | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(CIp)\n | extend WebApp = split(_ResourceId, '/')[8]\n | extend AppService_TimeGenerated = TimeGenerated // Rename time column for clarity\n )\n on $left.TI_ipEntity == $right.CIp\n // Filter 
out logs that occurred after the expiration of the corresponding indicator\n | where AppService_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and CIp, and keep the log entry with the latest timestamp\n | summarize AppService_TimeGenerated = arg_max(AppService_TimeGenerated, *) by IndicatorId, CIp\n // Select the desired output fields\n | project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername, WebApp = split(_ResourceId, '/')[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId, Type\n // Extract hostname and DNS domain from the CsHost field\n | extend HostName = tostring(split(CsHost, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(CsHost, '.'), 1, -1), '.'))\n // Rename the timestamp field\n | extend timestamp = AppService_TimeGenerated\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligence" + }, + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligenceTaxii" + }, + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" + } + ], + "tactics": [ + "Impact" + ], + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "HostName", + "columnName": "HostName" + }, + { + "identifier": "DnsDomain", + "columnName": "DnsDomain" + } + ] + }, + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "CsUsername" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "CIp" + } 
+ ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "Url" + } + ] + }, + { + "entityType": "AzureResource", + "fieldMappings": [ + { + "identifier": "ResourceId", + "columnName": "_ResourceId" + } + ] + } + ], + "alertDetailsOverride": { + "alertSeverityColumnName": "AlertPriority" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject20').analyticRuleId20,'/'))))]", + "properties": { + "description": "Threat Intelligence Analytics Rule 20", + "parentId": "[variables('analyticRuleObject20').analyticRuleId20]", + "contentId": "[variables('analyticRuleObject20')._analyticRulecontentId20]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject20').analyticRuleVersion20]", + "source": { + "kind": "Solution", + "name": "Threat Intelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject20')._analyticRulecontentId20]", + "contentKind": "AnalyticsRule", + "displayName": "TI map IP entity to AppServiceHTTPLogs", + "contentProductId": "[variables('analyticRuleObject20')._analyticRulecontentProductId20]", + "id": "[variables('analyticRuleObject20')._analyticRulecontentProductId20]", + "version": "[variables('analyticRuleObject20').analyticRuleVersion20]" + } + }, + { + "type": 
"Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject21').analyticRuleTemplateSpecName21]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "IPEntity_AWSCloudTrail_AnalyticalRules Analytics Rule with template version 3.0.2", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject21').analyticRuleVersion21]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject21')._analyticRulecontentId21]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies a match in AWSCloudTrail from any IP IOC from TI", + "displayName": "TI map IP entity to AWSCloudTrail", + "enabled": false, + "query": "let dt_lookBack = 1h; // Look back 1 hour for AWSCloudTrail logs\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n // Filter out indicators without relevant IP address fields\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | where TimeGenerated >= ago(ioc_lookBack)\n // Select the IP entity based on availability of different IP fields\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), 
NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\"\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now();\n// Perform a join between IP indicators and AWSCloudTrail logs to identify potential malicious activity\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n AWSCloudTrail\n | where TimeGenerated >= ago(dt_lookBack)\n | extend AWSCloudTrail_TimeGenerated = TimeGenerated // Rename time column for clarity\n )\n on $left.TI_ipEntity == $right.SourceIpAddress\n // Filter out logs that occurred after the expiration of the corresponding indicator\n | where AWSCloudTrail_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and SourceIpAddress, and keep the log entry with the latest timestamp\n | summarize AWSCloudTrail_TimeGenerated = arg_max(AWSCloudTrail_TimeGenerated, *) by IndicatorId, SourceIpAddress\n // Select the desired output fields\n | project AWSCloudTrail_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\n NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n // Rename the timestamp field\n | extend timestamp = AWSCloudTrail_TimeGenerated\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Medium", + 
"suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligence" + }, + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligenceTaxii" + }, + { + "dataTypes": [ + "AWSCloudTrail" + ], + "connectorId": "AWS" + }, + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" + } + ], + "tactics": [ + "Impact" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "ObjectGuid", + "columnName": "UserIdentityUserName" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "SourceIpAddress" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "Url" + } + ] + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject21').analyticRuleId21,'/'))))]", + "properties": { + "description": "Threat Intelligence Analytics Rule 21", + "parentId": "[variables('analyticRuleObject21').analyticRuleId21]", + "contentId": "[variables('analyticRuleObject21')._analyticRulecontentId21]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject21').analyticRuleVersion21]", + "source": { + "kind": "Solution", + "name": "Threat Intelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + 
"packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject21')._analyticRulecontentId21]", + "contentKind": "AnalyticsRule", + "displayName": "TI map IP entity to AWSCloudTrail", + "contentProductId": "[variables('analyticRuleObject21')._analyticRulecontentProductId21]", + "id": "[variables('analyticRuleObject21')._analyticRulecontentProductId21]", + "version": "[variables('analyticRuleObject21').analyticRuleVersion21]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject22').analyticRuleTemplateSpecName22]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "IPEntity_AzureActivity_AnalyticalRules Analytics Rule with template version 3.0.2", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject22').analyticRuleVersion22]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject22')._analyticRulecontentId22]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in AzureActivity.", + "displayName": "TI Map IP Entity to AzureActivity", + "enabled": false, + "query": "let dt_lookBack = 1h; // Look back 
1 hour for AzureActivity logs\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n // Filter out indicators without relevant IP address fields\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | where TimeGenerated >= ago(ioc_lookBack)\n // Select the IP entity based on availability of different IP fields\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\"\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now();\n// Perform a join between IP indicators and AzureActivity logs to identify potential malicious activity\nIP_Indicators\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AzureActivity | where TimeGenerated >= ago(dt_lookBack)\n // renaming time column so it is clear the log this came from\n | extend AzureActivity_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.CallerIpAddress\n| where AzureActivity_TimeGenerated < ExpirationDateTime\n| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, CallerIpAddress\n| project AzureActivity_TimeGenerated, 
Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, \nCaller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n| extend timestamp = AzureActivity_TimeGenerated\n| extend Name = iif(Caller has '@', tostring(split(Caller,'@',0)[0]), \"\")\n| extend UPNSuffix = iif(Caller has '@', tostring(split(Caller,'@',1)[0]), \"\")\n| extend AadUserId = iif(Caller !has '@', tostring(Caller), \"\")\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligence" + }, + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligenceTaxii" + }, + { + "dataTypes": [ + "AzureActivity" + ], + "connectorId": "AzureActivity" + }, + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" + } + ], + "tactics": [ + "Impact" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" + }, + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + }, + { + "identifier": "AadUserId", + "columnName": "AadUserId" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "CallerIpAddress" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "Url" + } + ] + }, + { + "entityType": "AzureResource", + "fieldMappings": [ + { + "identifier": "ResourceId", + "columnName": "ResourceId" + } + ] + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + 
"apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject22').analyticRuleId22,'/'))))]", + "properties": { + "description": "Threat Intelligence Analytics Rule 22", + "parentId": "[variables('analyticRuleObject22').analyticRuleId22]", + "contentId": "[variables('analyticRuleObject22')._analyticRulecontentId22]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject22').analyticRuleVersion22]", + "source": { + "kind": "Solution", + "name": "Threat Intelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject22')._analyticRulecontentId22]", + "contentKind": "AnalyticsRule", + "displayName": "TI Map IP Entity to AzureActivity", + "contentProductId": "[variables('analyticRuleObject22')._analyticRulecontentProductId22]", + "id": "[variables('analyticRuleObject22')._analyticRulecontentProductId22]", + "version": "[variables('analyticRuleObject22').analyticRuleVersion22]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject23').analyticRuleTemplateSpecName23]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + 
"properties": { + "description": "IPEntity_AzureFirewall_AnalyticalRules Analytics Rule with template version 3.0.2", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject23').analyticRuleVersion23]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject23')._analyticRulecontentId23]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies a match in AzureFirewall (NetworkRule & ApplicationRule Logs) from any IP IOC from TI", + "displayName": "TI map IP entity to AzureFirewall", + "enabled": false, + "query": "let dt_lookBack = 1h; // Look back 1 hour for AzureDiagnostics logs\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n // Filter out indicators without relevant IP address fields\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | where TimeGenerated >= ago(ioc_lookBack)\n // Select the IP entity based on availability of different IP fields\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith 
\"127.\"\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now();\n// Perform a join between IP indicators and AzureDiagnostics logs to identify potential malicious activity\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n AzureDiagnostics\n | where TimeGenerated >= ago(dt_lookBack)\n | where OperationName in (\"AzureFirewallApplicationRuleLog\", \"AzureFirewallNetworkRuleLog\")\n | parse kind=regex flags=U msg_s with Protocol 'request from ' SourceHost 'to ' DestinationHost @'\\.? Action: ' Firewall_Action @'\\.' Rest_msg\n | extend SourceAddress = extract(@'([\\.0-9]+)(:[\\.0-9]+)?', 1, SourceHost)\n | extend DestinationAddress = extract(@'([\\.0-9]+)(:[\\.0-9]+)?', 1, DestinationHost)\n | extend RemoteIP = case(not(ipv4_is_private(DestinationAddress)), DestinationAddress, not(ipv4_is_private(SourceAddress)), SourceAddress, \"\")\n | where isnotempty(RemoteIP) // Filter out traffic involving public addresses only\n | project-rename AzureFirewall_TimeGenerated = TimeGenerated\n )\n on $left.TI_ipEntity == $right.RemoteIP\n // Filter out logs that occurred after the expiration of the corresponding indicator\n | where AzureFirewall_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and RemoteIP, and keep the log entry with the latest timestamp\n | summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, *) by IndicatorId, RemoteIP\n // Select the desired output fields\n | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore,\n AzureFirewall_TimeGenerated, TI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Firewall_Action, Protocol,\n NetworkIP, NetworkDestinationIP, NetworkSourceIP, 
EmailSourceIpAddress, Type\n // Rename the timestamp field\n | extend timestamp = AzureFirewall_TimeGenerated\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligence" + }, + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligenceTaxii" + }, + { + "dataTypes": [ + "AzureDiagnostics" + ], + "connectorId": "AzureFirewall" + }, + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" + } + ], + "tactics": [ + "Impact" + ], + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "TI_ipEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "Url" } ] } 
@@ -3562,13 +4831,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId14'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject23').analyticRuleId23,'/'))))]",
 "properties": {
- "description": "Threat Intelligence Analytics Rule 14",
- "parentId": "[variables('analyticRuleId14')]",
- "contentId": "[variables('_analyticRulecontentId14')]",
+ "description": "Threat Intelligence Analytics Rule 23",
+ "parentId": "[variables('analyticRuleObject23').analyticRuleId23]",
+ "contentId": "[variables('analyticRuleObject23')._analyticRulecontentId23]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion14')]",
+ "version": "[variables('analyticRuleObject23').analyticRuleVersion23]",
 "source": {
 "kind": "Solution",
 "name": "Threat Intelligence",
@@ -3593,41 +4862,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId14')]", + "contentId": "[variables('analyticRuleObject23')._analyticRulecontentId23]", "contentKind": "AnalyticsRule", - "displayName": "TI map File Hash to Security Event", - "contentProductId": "[variables('_analyticRulecontentProductId14')]", - "id": "[variables('_analyticRulecontentProductId14')]", - "version": "[variables('analyticRuleVersion14')]" + "displayName": "TI map IP entity to AzureFirewall", + "contentProductId": "[variables('analyticRuleObject23')._analyticRulecontentProductId23]", + "id": "[variables('analyticRuleObject23')._analyticRulecontentProductId23]", + "version": "[variables('analyticRuleObject23').analyticRuleVersion23]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName15')]", + "name": "[variables('analyticRuleObject24').analyticRuleTemplateSpecName24]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AppServiceHTTPLogs_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "IPEntity_AzureKeyVault_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion15')]", + "contentVersion": "[variables('analyticRuleObject24').analyticRuleVersion24]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId15')]", + 
"name": "[variables('analyticRuleObject24')._analyticRulecontentId24]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies a match in AppServiceHTTPLogs from any IP IOC from TI", - "displayName": "TI map IP entity to AppServiceHTTPLogs", + "description": "Identifies a match in Azure Key Vault logs from any IP IOC from TI", + "displayName": "TI map IP entity to Azure Key Vault logs", "enabled": false, - "query": "let dt_lookBack = 1h; // Look back 1 hour for AppServiceHTTPLogs\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n // Filter out indicators without relevant IP address fields\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n // Select the IP entity based on availability of different IP fields\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\";\n// Perform a join between IP indicators and AppServiceHTTPLogs to identify potential malicious activity\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as 
we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n AppServiceHTTPLogs | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(CIp)\n | extend WebApp = split(_ResourceId, '/')[8]\n | extend AppService_TimeGenerated = TimeGenerated // Rename time column for clarity\n )\n on $left.TI_ipEntity == $right.CIp\n // Filter out logs that occurred after the expiration of the corresponding indicator\n | where AppService_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and CIp, and keep the log entry with the latest timestamp\n | summarize AppService_TimeGenerated = arg_max(AppService_TimeGenerated, *) by IndicatorId, CIp\n // Select the desired output fields\n | project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername, WebApp = split(_ResourceId, '/')[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId, Type\n // Extract hostname and DNS domain from the CsHost field\n | extend HostName = tostring(split(CsHost, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(CsHost, '.'), 1, -1), '.'))\n // Rename the timestamp field\n | extend timestamp = AppService_TimeGenerated\n", + "query": "let dt_lookBack = 1h; // Look back 1 hour for AzureDiagnostics logs\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | where TimeGenerated >= ago(ioc_lookBack)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | 
extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\"\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now();\n// Perform a join between IP indicators and AzureDiagnostics logs for Key Vault events\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n AzureDiagnostics\n | where ResourceType =~ \"VAULTS\"\n | where TimeGenerated >= ago(dt_lookBack)\n | extend KeyVaultEvents_TimeGenerated = TimeGenerated, ClientIP = CallerIPAddress\n )\n on $left.TI_ipEntity == $right.ClientIP\n // Filter out logs that occurred after the expiration of the corresponding indicator\n | where KeyVaultEvents_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and ClientIP, and keep the log entry with the latest timestamp\n | summarize KeyVaultEvents_TimeGenerated = arg_max(KeyVaultEvents_TimeGenerated, *) by IndicatorId, ClientIP\n // Select the desired output fields\n | project KeyVaultEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d,\n identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, Type\n // Rename the timestamp field\n | extend timestamp = KeyVaultEvents_TimeGenerated\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", 
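Review bot: The new Key Vault query narrows AzureDiagnostics only with `| where ResourceType =~ "VAULTS"`, and that type name is not unique to Key Vault in AzureDiagnostics (Recovery Services vaults, for instance, also log under it), so the innerunique join can pick up non-Key-Vault rows and raise an alert labelled as a Key Vault match. The SQL rule later in this diff pins the provider as well; the same one-line filter belongs here, `| where ResourceProvider == "MICROSOFT.KEYVAULT"`, placed next to the ResourceType filter inside the join subquery. If this mainTemplate is generated from the rule YAML, the fix should go into the YAML source and be repackaged rather than patched here. The AlertRuleTemplates resource this query sits in continues past the end of the hunk.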
@@ -3638,65 +4907,40 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "ThreatIntelligence",
 "dataTypes": [
 "ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligence"
 },
 {
- "connectorId": "ThreatIntelligenceTaxii",
 "dataTypes": [
 "ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
+ },
+ {
+ "dataTypes": [
+ "KeyVaultData"
+ ],
+ "connectorId": "AzureKeyVault"
 },
 {
- "connectorId": "MicrosoftDefenderThreatIntelligence",
 "dataTypes": [
 "ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
 }
 ],
 "tactics": [
 "Impact"
 ],
 "entityMappings": [
- {
- "entityType": "Host",
- "fieldMappings": [
- {
- "identifier": "HostName",
- "columnName": "HostName"
- },
- {
- "identifier": "DnsDomain",
- "columnName": "DnsDomain"
- }
- ]
- },
- {
- "entityType": "Account",
- "fieldMappings": [
- {
- "identifier": "Name",
- "columnName": "CsUsername"
- }
- ]
- },
 {
 "entityType": "IP",
 "fieldMappings": [
 {
 "identifier": "Address",
- "columnName": "CIp"
- }
- ]
- },
- {
- "entityType": "URL",
- "fieldMappings": [
- {
- "identifier": "Url",
- "columnName": "Url"
+ "columnName": "ClientIP"
 }
 ]
 },
@@ -3705,7 +4949,7 @@
 "fieldMappings": [
 {
 "identifier": "ResourceId",
- "columnName": "_ResourceId"
+ "columnName": "ResourceId"
 }
 ]
 }
@@ -3715,13 +4959,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId15'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject24').analyticRuleId24,'/'))))]",
 "properties": {
- "description": "Threat Intelligence Analytics Rule 15",
- "parentId": "[variables('analyticRuleId15')]",
- "contentId": "[variables('_analyticRulecontentId15')]",
+ "description": "Threat Intelligence Analytics Rule 24",
+ "parentId": "[variables('analyticRuleObject24').analyticRuleId24]",
+ "contentId": "[variables('analyticRuleObject24')._analyticRulecontentId24]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion15')]",
+ "version": "[variables('analyticRuleObject24').analyticRuleVersion24]",
 "source": {
 "kind": "Solution",
 "name": "Threat Intelligence",
@@ -3746,41 +4990,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId15')]", + "contentId": "[variables('analyticRuleObject24')._analyticRulecontentId24]", "contentKind": "AnalyticsRule", - "displayName": "TI map IP entity to AppServiceHTTPLogs", - "contentProductId": "[variables('_analyticRulecontentProductId15')]", - "id": "[variables('_analyticRulecontentProductId15')]", - "version": "[variables('analyticRuleVersion15')]" + "displayName": "TI map IP entity to Azure Key Vault logs", + "contentProductId": "[variables('analyticRuleObject24')._analyticRulecontentProductId24]", + "id": "[variables('analyticRuleObject24')._analyticRulecontentProductId24]", + "version": "[variables('analyticRuleObject24').analyticRuleVersion24]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName16')]", + "name": "[variables('analyticRuleObject25').analyticRuleTemplateSpecName25]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AWSCloudTrail_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "IPEntity_AzureNetworkAnalytics_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion16')]", + "contentVersion": "[variables('analyticRuleObject25').analyticRuleVersion25]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": 
"[variables('analyticRulecontentId16')]", + "name": "[variables('analyticRuleObject25')._analyticRulecontentId25]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies a match in AWSCloudTrail from any IP IOC from TI", - "displayName": "TI map IP entity to AWSCloudTrail", + "description": "Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed", + "displayName": "TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)", "enabled": false, - "query": "let dt_lookBack = 1h; // Look back 1 hour for AWSCloudTrail logs\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n // Filter out indicators without relevant IP address fields\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n // Select the IP entity based on availability of different IP fields\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\";\n// Perform a join between IP indicators and AWSCloudTrail logs to identify potential malicious 
activity\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n AWSCloudTrail\n | where TimeGenerated >= ago(dt_lookBack)\n | extend AWSCloudTrail_TimeGenerated = TimeGenerated // Rename time column for clarity\n )\n on $left.TI_ipEntity == $right.SourceIpAddress\n // Filter out logs that occurred after the expiration of the corresponding indicator\n | where AWSCloudTrail_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and SourceIpAddress, and keep the log entry with the latest timestamp\n | summarize AWSCloudTrail_TimeGenerated = arg_max(AWSCloudTrail_TimeGenerated, *) by IndicatorId, SourceIpAddress\n // Select the desired output fields\n | project AWSCloudTrail_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\n NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n // Rename the timestamp field\n | extend timestamp = AWSCloudTrail_TimeGenerated\n", + "query": "let dt_lookBack = 1h; // Look back 1 hour for AzureNetworkAnalytics_CL logs\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | where TimeGenerated >= ago(ioc_lookBack)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and 
isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\"\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now();\n// Perform a join between IP indicators and AzureNetworkAnalytics_CL logs for NSG Flow information\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n AzureNetworkAnalytics_CL\n | where TimeGenerated >= ago(dt_lookBack)\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\n | extend PIPs = split(PublicIPs_s, '|', 0)\n | extend PIP = tostring(PIPs[0])\n )\n on $left.TI_ipEntity == $right.PIP\n // Filter out logs that occurred after the expiration of the corresponding indicator\n | where AzureNetworkAnalytics_CL_TimeGenerated < ExpirationDateTime\n // Filter out NSG Flow logs that are not allowed (FlowStatus_s == \"A\")\n | where FlowStatus_s == \"A\"\n // Group the results by IndicatorId and PIP (Public IP), and keep the log entry with the latest timestamp\n | summarize AzureNetworkAnalytics_CL_TimeGenerated = arg_max(AzureNetworkAnalytics_CL_TimeGenerated, *) by IndicatorId, PIP\n // Select the desired output fields\n | project AzureNetworkAnalytics_CL_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n // Extract hostname and DNS domain from the Computer field\n | extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = 
tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n // Rename the timestamp field\n | extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated\n",
 "queryFrequency": "PT1H",
 "queryPeriod": "P14D",
 "severity": "Medium",
@@ -3791,28 +5035,22 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "ThreatIntelligence",
 "dataTypes": [
 "ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligence"
 },
 {
- "connectorId": "ThreatIntelligenceTaxii",
 "dataTypes": [
 "ThreatIntelligenceIndicator"
- ]
- },
- {
- "connectorId": "AWS",
- "dataTypes": [
- "AWSCloudTrail"
- ]
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
 },
 {
- "connectorId": "MicrosoftDefenderThreatIntelligence",
 "dataTypes": [
 "ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
 }
 ],
 "tactics": [
@@ -3820,11 +5058,15 @@
 ],
 "entityMappings": [
 {
- "entityType": "Account",
+ "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "ObjectGuid",
- "columnName": "UserIdentityUserName"
+ "identifier": "HostName",
+ "columnName": "HostName"
+ },
+ {
+ "identifier": "DnsDomain",
+ "columnName": "DnsDomain"
 }
 ]
 },
@@ -3833,7 +5075,7 @@
 "fieldMappings": [
 {
 "identifier": "Address",
- "columnName": "SourceIpAddress"
+ "columnName": "TI_ipEntity"
 }
 ]
 },
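Review bot: In the new NSG Flow Logs query the allowed-flow filter `| where FlowStatus_s == "A"` is applied after the innerunique join, so denied flows are still fed into the join and only discarded afterwards; moving that line into the AzureNetworkAnalytics_CL subquery, next to the `TimeGenerated >= ago(dt_lookBack)` filter, gives the same result set with less work, which is how the ResourceType filter is placed in the Key Vault rule earlier in this diff. Separately, `PIP = tostring(PIPs[0])` compares an indicator only against the first `|`-delimited element of PublicIPs_s; if that column can carry more than one address per row (I cannot confirm its layout from the diff), indicators matching a later element are missed, and a comment stating the assumption, `// PublicIPs_s: first element is the public IP; later elements are counters`, would make the choice explicit. This hunk starts at L1627 and the AlertRuleTemplates resource continues past its end.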
@@ -3852,13 +5094,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId16'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject25').analyticRuleId25,'/'))))]",
 "properties": {
- "description": "Threat Intelligence Analytics Rule 16",
- "parentId": "[variables('analyticRuleId16')]",
- "contentId": "[variables('_analyticRulecontentId16')]",
+ "description": "Threat Intelligence Analytics Rule 25",
+ "parentId": "[variables('analyticRuleObject25').analyticRuleId25]",
+ "contentId": "[variables('analyticRuleObject25')._analyticRulecontentId25]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion16')]",
+ "version": "[variables('analyticRuleObject25').analyticRuleVersion25]",
 "source": {
 "kind": "Solution",
 "name": "Threat Intelligence",
@@ -3883,41 +5125,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId16')]", + "contentId": "[variables('analyticRuleObject25')._analyticRulecontentId25]", "contentKind": "AnalyticsRule", - "displayName": "TI map IP entity to AWSCloudTrail", - "contentProductId": "[variables('_analyticRulecontentProductId16')]", - "id": "[variables('_analyticRulecontentProductId16')]", - "version": "[variables('analyticRuleVersion16')]" + "displayName": "TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)", + "contentProductId": "[variables('analyticRuleObject25')._analyticRulecontentProductId25]", + "id": "[variables('analyticRuleObject25')._analyticRulecontentProductId25]", + "version": "[variables('analyticRuleObject25').analyticRuleVersion25]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName17')]", + "name": "[variables('analyticRuleObject26').analyticRuleTemplateSpecName26]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AzureActivity_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "IPEntity_AzureSQL_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion17')]", + "contentVersion": "[variables('analyticRuleObject26').analyticRuleVersion26]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": 
"[variables('analyticRulecontentId17')]", + "name": "[variables('analyticRuleObject26')._analyticRulecontentId26]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in AzureActivity.", - "displayName": "TI Map IP Entity to AzureActivity", + "description": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SQL Security Audit Events.", + "displayName": "TI Map IP Entity to Azure SQL Security Audit Events", "enabled": false, - "query": "let dt_lookBack = 1h; // Look back 1 hour for AzureActivity logs\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n // Filter out indicators without relevant IP address fields\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n // Select the IP entity based on availability of different IP fields\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith 
\"127.\";\n// Perform a join between IP indicators and AzureActivity logs to identify potential malicious activity\nIP_Indicators\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AzureActivity | where TimeGenerated >= ago(dt_lookBack)\n // renaming time column so it is clear the log this came from\n | extend AzureActivity_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.CallerIpAddress\n| where AzureActivity_TimeGenerated < ExpirationDateTime\n| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, CallerIpAddress\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, \nCaller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n| extend timestamp = AzureActivity_TimeGenerated\n| extend Name = iif(Caller has '@', tostring(split(Caller,'@',0)[0]), \"\")\n| extend UPNSuffix = iif(Caller has '@', tostring(split(Caller,'@',1)[0]), \"\")\n| extend AadUserId = iif(Caller !has '@', tostring(Caller), \"\")\n", + "query": "let dt_lookBack = 1h; // Look back 1 hour for AzureDiagnostics logs\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | where TimeGenerated >= ago(ioc_lookBack)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = 
iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\"\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now();\n// Perform a join between IP indicators and AzureDiagnostics logs for SQL Security Audit events\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n AzureDiagnostics\n | where TimeGenerated >= ago(dt_lookBack)\n | where ResourceProvider == 'MICROSOFT.SQL'\n | where Category == 'SQLSecurityAuditEvents'\n | extend SQLSecurityAuditEvents_TimeGenerated = TimeGenerated\n | extend ClientIP = column_ifexists(\"client_ip_s\", \"Not Available\")\n | extend Action = column_ifexists(\"action_name_s\", \"Not Available\")\n | extend Application = column_ifexists(\"application_name_s\", \"Not Available\")\n | extend HostName = column_ifexists(\"host_name_s\", \"Not Available\")\n )\n on $left.TI_ipEntity == $right.ClientIP\n // Filter out logs that occurred after the expiration of the corresponding indicator\n | where SQLSecurityAuditEvents_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and ClientIP, and keep the log entry with the latest timestamp\n | summarize SQLSecurityAuditEvents_TimeGenerated = arg_max(SQLSecurityAuditEvents_TimeGenerated, *) by IndicatorId, ClientIP\n // Select the desired output fields\n | project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n // Rename the 
timestamp field\n | extend timestamp = SQLSecurityAuditEvents_TimeGenerated\n",
 "queryFrequency": "PT1H",
 "queryPeriod": "P14D",
 "severity": "Medium",
@@ -3928,75 +5170,40 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "ThreatIntelligence",
 "dataTypes": [
 "ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligence"
 },
 {
- "connectorId": "ThreatIntelligenceTaxii",
 "dataTypes": [
 "ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "ThreatIntelligenceTaxii"
 },
 {
- "connectorId": "AzureActivity",
 "dataTypes": [
- "AzureActivity"
- ]
+ "AzureDiagnostics"
+ ],
+ "connectorId": "AzureSql"
 },
 {
- "connectorId": "MicrosoftDefenderThreatIntelligence",
 "dataTypes": [
 "ThreatIntelligenceIndicator"
- ]
+ ],
+ "connectorId": "MicrosoftDefenderThreatIntelligence"
 }
 ],
 "tactics": [
 "Impact"
 ],
 "entityMappings": [
- {
- "entityType": "Account",
- "fieldMappings": [
- {
- "identifier": "Name",
- "columnName": "Name"
- },
- {
- "identifier": "UPNSuffix",
- "columnName": "UPNSuffix"
- },
- {
- "identifier": "AadUserId",
- "columnName": "AadUserId"
- }
- ]
- },
 {
 "entityType": "IP",
 "fieldMappings": [
 {
 "identifier": "Address",
- "columnName": "CallerIpAddress"
- }
- ]
- },
- {
- "entityType": "URL",
- "fieldMappings": [
- {
- "identifier": "Url",
- "columnName": "Url"
- }
- ]
- },
- {
- "entityType": "AzureResource",
- "fieldMappings": [
- {
- "identifier": "ResourceId",
- "columnName": "ResourceId"
+ "columnName": "ClientIP"
 }
 ]
 }
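Review bot: In the new SQL Security Audit query `ClientIP = column_ifexists("client_ip_s", "Not Available")` turns a missing column into a literal placeholder that is then used as the join key, so in a workspace where the column has not been populated the rule runs every hour and silently matches nothing, and the same placeholder is carried into the projected Action, Application and HostName fields. An empty fallback plus an explicit guard makes the condition visible in the query and keeps placeholder text out of the output: `| extend ClientIP = column_ifexists("client_ip_s", "")` followed by `| where isnotempty(ClientIP)` inside the subquery. A short comment on the column_ifexists lines noting that the audit schema columns are optional would also help the next reader. This hunk starts at L1633 and the AlertRuleTemplates resource continues past its end.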
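Review bot: The entityMappings for the SQL rule now carry only an IP mapping on `ClientIP`, although the query projects `ResourceId`, so the affected SQL resource is not surfaced as an entity on the incident; the Key Vault rule in this same diff keeps an AzureResource mapping with `"identifier": "ResourceId"` and `"columnName": "ResourceId"`, and adding the same block here would make the two rules consistent and give responders a pivot to the resource. HostName is also projected, but since its fallback is the literal "Not Available" it should not be mapped to a Host entity as written. The entityMappings array continues past the end of the hunk.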
@@ -4006,13 +5213,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId17'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject26').analyticRuleId26,'/'))))]",
 "properties": {
- "description": "Threat Intelligence Analytics Rule 17",
- "parentId": "[variables('analyticRuleId17')]",
- "contentId": "[variables('_analyticRulecontentId17')]",
+ "description": "Threat Intelligence Analytics Rule 26",
+ "parentId": "[variables('analyticRuleObject26').analyticRuleId26]",
+ "contentId": "[variables('analyticRuleObject26')._analyticRulecontentId26]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion17')]",
+ "version": "[variables('analyticRuleObject26').analyticRuleVersion26]",
 "source": {
 "kind": "Solution",
 "name": "Threat Intelligence",
@@ -4037,41 +5244,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId17')]", + "contentId": "[variables('analyticRuleObject26')._analyticRulecontentId26]", "contentKind": "AnalyticsRule", - "displayName": "TI Map IP Entity to AzureActivity", - "contentProductId": "[variables('_analyticRulecontentProductId17')]", - "id": "[variables('_analyticRulecontentProductId17')]", - "version": "[variables('analyticRuleVersion17')]" + "displayName": "TI Map IP Entity to Azure SQL Security Audit Events", + "contentProductId": "[variables('analyticRuleObject26')._analyticRulecontentProductId26]", + "id": "[variables('analyticRuleObject26')._analyticRulecontentProductId26]", + "version": "[variables('analyticRuleObject26').analyticRuleVersion26]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName18')]", + "name": "[variables('analyticRuleObject27').analyticRuleTemplateSpecName27]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AzureFirewall_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "IPEntity_CustomSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion18')]", + "contentVersion": "[variables('analyticRuleObject27').analyticRuleVersion27]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": 
"[variables('analyticRulecontentId18')]", + "name": "[variables('analyticRuleObject27')._analyticRulecontentId27]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies a match in AzureFirewall (NetworkRule & ApplicationRule Logs) from any IP IOC from TI", - "displayName": "TI map IP entity to AzureFirewall", + "description": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in CommonSecurityLog.", + "displayName": "TI Map IP Entity to CommonSecurityLog", "enabled": false, - "query": "let dt_lookBack = 1h; // Look back 1 hour for AzureDiagnostics logs\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n // Filter out indicators without relevant IP address fields\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n // Select the IP entity based on availability of different IP fields\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\";\n// Perform a join between IP indicators and 
AzureDiagnostics logs to identify potential malicious activity\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n AzureDiagnostics\n | where TimeGenerated >= ago(dt_lookBack)\n | where OperationName in (\"AzureFirewallApplicationRuleLog\", \"AzureFirewallNetworkRuleLog\")\n | parse kind=regex flags=U msg_s with Protocol 'request from ' SourceHost 'to ' DestinationHost @'\\.? Action: ' Firewall_Action @'\\.' Rest_msg\n | extend SourceAddress = extract(@'([\\.0-9]+)(:[\\.0-9]+)?', 1, SourceHost)\n | extend DestinationAddress = extract(@'([\\.0-9]+)(:[\\.0-9]+)?', 1, DestinationHost)\n | extend RemoteIP = case(not(ipv4_is_private(DestinationAddress)), DestinationAddress, not(ipv4_is_private(SourceAddress)), SourceAddress, \"\")\n | where isnotempty(RemoteIP) // Filter out traffic involving public addresses only\n | project-rename AzureFirewall_TimeGenerated = TimeGenerated\n )\n on $left.TI_ipEntity == $right.RemoteIP\n // Filter out logs that occurred after the expiration of the corresponding indicator\n | where AzureFirewall_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and RemoteIP, and keep the log entry with the latest timestamp\n | summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, *) by IndicatorId, RemoteIP\n // Select the desired output fields\n | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore,\n AzureFirewall_TimeGenerated, TI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Firewall_Action, Protocol,\n NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n // Rename the timestamp field\n | extend timestamp = AzureFirewall_TimeGenerated\n", + "query": "let IPRegex = 
'[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\nlet dt_lookBack = 1h; // Look back 1 hour for CommonSecurityLog events\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | where TimeGenerated >= ago(ioc_lookBack)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\"\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now();\n// Perform a join between IP indicators and CommonSecurityLog events\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n CommonSecurityLog\n | where TimeGenerated >= ago(dt_lookBack)\n | extend MessageIP = extract(IPRegex, 0, Message)\n | extend CS_ipEntity = iff(isnotempty(SourceIP), SourceIP, DestinationIP)\n | extend CS_ipEntity = iff(isempty(CS_ipEntity) and isnotempty(MessageIP), MessageIP, CS_ipEntity)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n )\n on $left.TI_ipEntity == $right.CS_ipEntity\n // Filter out logs that occurred after the expiration of the corresponding indicator\n | where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and CS_ipEntity, and 
keep the log entry with the latest timestamp\n | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity\n // Select the desired output fields\n | project timestamp = CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction, Type\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -4082,28 +5289,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "AzureFirewall", "dataTypes": [ - "AzureDiagnostics" - ] + "CommonSecurityLog" + ], + "connectorId": "CEF" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -4115,16 +5322,7 @@ "fieldMappings": [ { "identifier": "Address", - "columnName": "TI_ipEntity" - } - ] - }, - { - "entityType": "URL", - "fieldMappings": [ - { - "identifier": "Url", - "columnName": "Url" + "columnName": "CS_ipEntity" } ] } 
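Review bot: In the new CommonSecurityLog query (rule 27) the fallback `MessageIP = extract(IPRegex, 0, Message)` uses a dotted-quad pattern with no boundary anchors, so when `SourceIP` and `DestinationIP` are both empty the joined `CS_ipEntity` can be a substring of a longer digit run in free-text `Message` (a version string or timestamp) rather than an address. Consider gating the fallback, e.g. `| extend CS_ipEntity = iff(isempty(CS_ipEntity) and isnotnull(parse_ipv4(MessageIP)), MessageIP, CS_ipEntity)`, or adding word boundaries to `IPRegex`. The dropped `ipv4_is_private` check on the event side is fine since the indicator side still filters private and loopback ranges. If this mainTemplate.json is produced by the packaging tooling, the change belongs in the rule's source YAML.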
@@ -4134,13 +5332,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId18'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject27').analyticRuleId27,'/'))))]", "properties": { - "description": "Threat Intelligence Analytics Rule 18", - "parentId": "[variables('analyticRuleId18')]", - "contentId": "[variables('_analyticRulecontentId18')]", + "description": "Threat Intelligence Analytics Rule 27", + "parentId": "[variables('analyticRuleObject27').analyticRuleId27]", + "contentId": "[variables('analyticRuleObject27')._analyticRulecontentId27]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion18')]", + "version": "[variables('analyticRuleObject27').analyticRuleVersion27]", "source": { "kind": "Solution", "name": "Threat Intelligence", 
@@ -4165,41 +5363,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId18')]", + "contentId": "[variables('analyticRuleObject27')._analyticRulecontentId27]", "contentKind": "AnalyticsRule", - "displayName": "TI map IP entity to AzureFirewall", - "contentProductId": "[variables('_analyticRulecontentProductId18')]", - "id": "[variables('_analyticRulecontentProductId18')]", - "version": "[variables('analyticRuleVersion18')]" + "displayName": "TI Map IP Entity to CommonSecurityLog", + "contentProductId": "[variables('analyticRuleObject27')._analyticRulecontentProductId27]", + "id": "[variables('analyticRuleObject27')._analyticRulecontentProductId27]", + "version": "[variables('analyticRuleObject27').analyticRuleVersion27]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName19')]", + "name": "[variables('analyticRuleObject28').analyticRuleTemplateSpecName28]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AzureKeyVault_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "IPEntity_DeviceNetworkEvents_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion19')]", + "contentVersion": "[variables('analyticRuleObject28').analyticRuleVersion28]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": 
"[variables('analyticRulecontentId19')]", + "name": "[variables('analyticRuleObject28')._analyticRulecontentId28]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies a match in Azure Key Vault logs from any IP IOC from TI", - "displayName": "TI map IP entity to Azure Key Vault logs", + "description": "Identifies a match in DeviceNetworkEvents Event data from any IP Indicator from TI.", + "displayName": "TI Map IP Entity to DeviceNetworkEvents", "enabled": false, - "query": "let dt_lookBack = 1h; // Look back 1 hour for AzureDiagnostics logs\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | where LatestIndicatorTime >= ago(ioc_lookBack) and ExpirationDateTime > now()\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\";\n// Perform a join between IP indicators and AzureDiagnostics logs for Key Vault events\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n AzureDiagnostics\n | where ResourceType =~ \"VAULTS\"\n | where TimeGenerated >= 
ago(dt_lookBack)\n | extend KeyVaultEvents_TimeGenerated = TimeGenerated, ClientIP = CallerIPAddress\n )\n on $left.TI_ipEntity == $right.ClientIP\n // Filter out logs that occurred after the expiration of the corresponding indicator\n | where KeyVaultEvents_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and ClientIP, and keep the log entry with the latest timestamp\n | summarize KeyVaultEvents_TimeGenerated = arg_max(KeyVaultEvents_TimeGenerated, *) by IndicatorId, ClientIP\n // Select the desired output fields\n | project KeyVaultEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d,\n identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, Type\n // Rename the timestamp field\n | extend timestamp = KeyVaultEvents_TimeGenerated\n", + "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet DeviceNetworkEvents_ = DeviceNetworkEvents\n| where isnotempty(RemoteIP)\n| where TimeGenerated > ago(dt_lookBack)\n| where ActionType !has \"ConnectionFailed\"\n| extend isPrivate = ipv4_is_private(RemoteIP)\n| where isPrivate != true;\nlet IPs = DeviceNetworkEvents_ | distinct RemoteIP | summarize make_list(RemoteIP);\nThreatIntelligenceIndicator\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n| where TimeGenerated >= ago(ioc_lookBack)\n| extend TI_ipEntity = coalesce(NetworkIP, EmailSourceIpAddress, NetworkDestinationIP, NetworkSourceIP)\n| where TI_ipEntity in (IPs)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| where Description !contains_cs \"State: inactive;\" and Description !contains_cs \"State: falsepos;\"\n| join 
kind=innerunique (DeviceNetworkEvents_) on $left.TI_ipEntity == $right.RemoteIP\n| summarize TimeGenerated = arg_max(TimeGenerated, *) by IndicatorId, TI_ipEntity, DeviceName\n// DeviceName, TI_ipEntity, RemoteUrl, InitiatingProcessAccountUpn\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingProcessAccountUpn, '@', 0)[0]), UPNSuffix = tostring(split(InitiatingProcessAccountUpn, '@', 1)[0])\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -4210,49 +5408,71 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ] + "DeviceNetworkEvents" + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "AzureKeyVault", "dataTypes": [ - "KeyVaultData" - ] + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ "Impact" ], "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" + }, + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + } + ] + }, { "entityType": "IP", "fieldMappings": [ { "identifier": "Address", - "columnName": "ClientIP" + "columnName": "TI_ipEntity" } ] }, { - "entityType": "AzureResource", + "entityType": "URL", "fieldMappings": [ { - "identifier": "ResourceId", - "columnName": "ResourceId" + "identifier": "Url", + "columnName": "RemoteUrl" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "HostName", + "columnName": "DeviceName" } ] } 
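Review bot: The new DeviceNetworkEvents query (rule 28) never checks that the network event happened before the indicator expired; it only tests `ExpirationDateTime > now()` on the indicator, whereas rules 27 and 29 in this change keep `| where <Source>_TimeGenerated < ExpirationDateTime` after the join. Because the indicator side keeps its own `TimeGenerated` through the join, the final `| summarize TimeGenerated = arg_max(TimeGenerated, *) by IndicatorId, TI_ipEntity, DeviceName` and `timestamp = TimeGenerated` appear to carry the indicator's time rather than the device event's, which skews the alert timestamp used for triage. Suggest `| extend DeviceNetworkEvents_TimeGenerated = TimeGenerated` inside `DeviceNetworkEvents_`, then `| where DeviceNetworkEvents_TimeGenerated < ExpirationDateTime` after the join and `timestamp = DeviceNetworkEvents_TimeGenerated` in the final extend (with the summarize keyed on the same column). If this file is generated by the packaging tooling, the fix belongs in the rule's source YAML.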
@@ -4262,13 +5482,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId19'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject28').analyticRuleId28,'/'))))]", "properties": { - "description": "Threat Intelligence Analytics Rule 19", - "parentId": "[variables('analyticRuleId19')]", - "contentId": "[variables('_analyticRulecontentId19')]", + "description": "Threat Intelligence Analytics Rule 28", + "parentId": "[variables('analyticRuleObject28').analyticRuleId28]", + "contentId": "[variables('analyticRuleObject28')._analyticRulecontentId28]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion19')]", + "version": "[variables('analyticRuleObject28').analyticRuleVersion28]", "source": { "kind": "Solution", "name": "Threat Intelligence", 
@@ -4293,41 +5513,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId19')]", + "contentId": "[variables('analyticRuleObject28')._analyticRulecontentId28]", "contentKind": "AnalyticsRule", - "displayName": "TI map IP entity to Azure Key Vault logs", - "contentProductId": "[variables('_analyticRulecontentProductId19')]", - "id": "[variables('_analyticRulecontentProductId19')]", - "version": "[variables('analyticRuleVersion19')]" + "displayName": "TI Map IP Entity to DeviceNetworkEvents", + "contentProductId": "[variables('analyticRuleObject28')._analyticRulecontentProductId28]", + "id": "[variables('analyticRuleObject28')._analyticRulecontentProductId28]", + "version": "[variables('analyticRuleObject28').analyticRuleVersion28]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName20')]", + "name": "[variables('analyticRuleObject29').analyticRuleTemplateSpecName29]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AzureNetworkAnalytics_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "IPEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion20')]", + "contentVersion": "[variables('analyticRuleObject29').analyticRuleVersion29]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": 
"[variables('analyticRulecontentId20')]", + "name": "[variables('analyticRuleObject29')._analyticRulecontentId29]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed", - "displayName": "TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)", + "description": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in DnsEvents.", + "displayName": "TI Map IP Entity to DnsEvents", "enabled": false, - "query": "let dt_lookBack = 1h; // Look back 1 hour for AzureNetworkAnalytics_CL logs\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\";\n// Perform a join between IP indicators and AzureNetworkAnalytics_CL logs for NSG Flow information\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs 
investigation\n | join kind=innerunique (\n AzureNetworkAnalytics_CL\n | where TimeGenerated >= ago(dt_lookBack)\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\n | extend PIPs = split(PublicIPs_s, '|', 0)\n | extend PIP = tostring(PIPs[0])\n )\n on $left.TI_ipEntity == $right.PIP\n // Filter out logs that occurred after the expiration of the corresponding indicator\n | where AzureNetworkAnalytics_CL_TimeGenerated < ExpirationDateTime\n // Filter out NSG Flow logs that are not allowed (FlowStatus_s == \"A\")\n | where FlowStatus_s == \"A\"\n // Group the results by IndicatorId and PIP (Public IP), and keep the log entry with the latest timestamp\n | summarize AzureNetworkAnalytics_CL_TimeGenerated = arg_max(AzureNetworkAnalytics_CL_TimeGenerated, *) by IndicatorId, PIP\n // Select the desired output fields\n | project AzureNetworkAnalytics_CL_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n // Extract hostname and DNS domain from the Computer field\n | extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n // Rename the timestamp field\n | extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated\n", + "query": "let dt_lookBack = 1h; // Look back 1 hour for DNS events\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | where TimeGenerated >= ago(ioc_lookBack)\n | extend TI_ipEntity = 
iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\"\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now();\n// Perform a join between IP indicators and DNS events\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n DnsEvents\n | where TimeGenerated >= ago(dt_lookBack)\n | where SubType =~ \"LookupQuery\" and isnotempty(IPAddresses)\n | mv-expand SingleIP = split(IPAddresses, \", \") to typeof(string)\n | extend DNS_TimeGenerated = TimeGenerated\n )\n on $left.TI_ipEntity == $right.SingleIP\n // Filter out DNS events that occurred after the expiration of the corresponding indicator\n | where DNS_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and SingleIP, and keep the DNS event with the latest timestamp\n | summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated, *) by IndicatorId, SingleIP\n // Select the desired output fields\n | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n | extend timestamp = DNS_TimeGenerated, HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n", "queryFrequency": "PT1H", 
"queryPeriod": "P14D", "severity": "Medium", @@ -4338,22 +5558,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" + }, + { + "dataTypes": [ + "DnsEvents" + ], + "connectorId": "DNS" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -4378,7 +5604,7 @@ "fieldMappings": [ { "identifier": "Address", - "columnName": "TI_ipEntity" + "columnName": "ClientIP" } ] }, @@ -4397,13 +5623,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId20'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject29').analyticRuleId29,'/'))))]", "properties": { - "description": "Threat Intelligence Analytics Rule 20", - "parentId": "[variables('analyticRuleId20')]", - "contentId": "[variables('_analyticRulecontentId20')]", + "description": "Threat Intelligence Analytics Rule 29", + "parentId": "[variables('analyticRuleObject29').analyticRuleId29]", + "contentId": "[variables('analyticRuleObject29')._analyticRulecontentId29]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion20')]", + "version": "[variables('analyticRuleObject29').analyticRuleVersion29]", "source": { "kind": "Solution", "name": "Threat Intelligence", 
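Review bot: In the DnsEvents rule (29) the IP entity mapping changes from `TI_ipEntity` to `ClientIP`, but in this query `ClientIP` is the host that issued the lookup while the address that matched the indicator is `TI_ipEntity` (joined on `SingleIP`); rules 27 and 28 in the same change map the IP entity to the matched address (`CS_ipEntity`, `TI_ipEntity`). If surfacing the requesting client is intended, consider keeping a second IP entity mapping with `"columnName": "TI_ipEntity"` so the indicator address remains an entity on the incident, and note the query already derives `HostName` and `DnsDomain` from `Computer`, which would fit a Host entity for the client. The enclosing entityMappings array starts and ends outside this hunk.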
@@ -4428,41 +5654,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId20')]", + "contentId": "[variables('analyticRuleObject29')._analyticRulecontentId29]", "contentKind": "AnalyticsRule", - "displayName": "TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)", - "contentProductId": "[variables('_analyticRulecontentProductId20')]", - "id": "[variables('_analyticRulecontentProductId20')]", - "version": "[variables('analyticRuleVersion20')]" + "displayName": "TI Map IP Entity to DnsEvents", + "contentProductId": "[variables('analyticRuleObject29')._analyticRulecontentProductId29]", + "id": "[variables('analyticRuleObject29')._analyticRulecontentProductId29]", + "version": "[variables('analyticRuleObject29').analyticRuleVersion29]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName21')]", + "name": "[variables('analyticRuleObject30').analyticRuleTemplateSpecName30]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AzureSQL_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "IPEntity_imWebSession_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion21')]", + "contentVersion": "[variables('analyticRuleObject30').analyticRuleVersion30]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": 
"[variables('analyticRulecontentId21')]", + "name": "[variables('analyticRuleObject30')._analyticRulecontentId30]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SQL Security Audit Events.", - "displayName": "TI Map IP Entity to Azure SQL Security Audit Events", + "description": "This rule identifies Web Sessions for which the source IP address is a known IoC. This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.", + "displayName": "TI map IP entity to Web Session Events (ASIM Web Session schema)", "enabled": false, - "query": "let dt_lookBack = 1h; // Look back 1 hour for AzureDiagnostics logs\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\";\n// Perform a join between IP indicators and AzureDiagnostics logs for SQL Security Audit 
events\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n AzureDiagnostics\n | where TimeGenerated >= ago(dt_lookBack)\n | where ResourceProvider == 'MICROSOFT.SQL'\n | where Category == 'SQLSecurityAuditEvents'\n | extend SQLSecurityAuditEvents_TimeGenerated = TimeGenerated\n | extend ClientIP = column_ifexists(\"client_ip_s\", \"Not Available\")\n | extend Action = column_ifexists(\"action_name_s\", \"Not Available\")\n | extend Application = column_ifexists(\"application_name_s\", \"Not Available\")\n | extend HostName = column_ifexists(\"host_name_s\", \"Not Available\")\n )\n on $left.TI_ipEntity == $right.ClientIP\n // Filter out logs that occurred after the expiration of the corresponding indicator\n | where SQLSecurityAuditEvents_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and ClientIP, and keep the log entry with the latest timestamp\n | summarize SQLSecurityAuditEvents_TimeGenerated = arg_max(SQLSecurityAuditEvents_TimeGenerated, *) by IndicatorId, ClientIP\n // Select the desired output fields\n | project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n // Rename the timestamp field\n | extend timestamp = SQLSecurityAuditEvents_TimeGenerated\n", + "query": "let HAS_ANY_MAX = 10000;\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet IP_TI = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n // As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n // Taking the first non-empty value based on potential IOC match availability\n | extend TI_ipEntity = 
coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, \"NO_IP\")\n // Picking up only IOC's that contain the entities we want\n | where TI_ipEntity != \"NO_IP\"\n // Exclude local addresses, using the ipv4_is_private operator\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\"\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now();\nlet IP_TI_list = toscalar(IP_TI\n | summarize NIoCs = dcount(TI_ipEntity), IoCs = make_set(TI_ipEntity)\n | project IoCs = iff(NIoCs > HAS_ANY_MAX, dynamic([]), IoCs));\nIP_TI\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind = innerunique (\n _Im_WebSession (starttime = ago(dt_lookBack), srcipaddr_has_any_prefix = IP_TI_list)\n | where isnotempty(SrcIpAddr)\n // renaming time column so it is clear the log this came from\n | extend imNWS_TimeGenerated = TimeGenerated\n )\n on $left.TI_ipEntity == $right.SrcIpAddr\n| where imNWS_TimeGenerated < ExpirationDateTime\n| summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated, *) by IndicatorId, DstIpAddr\n| project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, Url, Type\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", 
@@ -4473,28 +5699,34 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ] + "SquidProxy_CL" + ], + "connectorId": "SquidProxy" + }, + { + "dataTypes": [ + "CommonSecurityLog" + ], + "connectorId": "Zscaler" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "AzureSql", "dataTypes": [ - "AzureDiagnostics" - ] + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ 
@@ -4506,23 +5738,36 @@ "fieldMappings": [ { "identifier": "Address", - "columnName": "ClientIP" + "columnName": "DstIpAddr" } ] } - ] + ], + "customDetails": { + "IndicatorId": "IndicatorId", + "IoCExpirationTime": "ExpirationDateTime", + "IoCDescription": "Description", + "ActivityGroupNames": "ActivityGroupNames", + "ThreatType": "ThreatType", + "EventTime": "imNWS_TimeGenerated", + "IoCConfidenceScore": "ConfidenceScore" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "The source address {{SrcIpAddr}} of the web request for the URL {{Url}} matches a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence feed for more information about the indicator.", + "alertDisplayNameFormat": "The IP {{SrcIpAddr}} of the web request matches an IP IoC" + } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId21'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject30').analyticRuleId30,'/'))))]", "properties": { - "description": "Threat Intelligence Analytics Rule 21", - "parentId": "[variables('analyticRuleId21')]", - "contentId": "[variables('_analyticRulecontentId21')]", + "description": "Threat Intelligence Analytics Rule 30", + "parentId": "[variables('analyticRuleObject30').analyticRuleId30]", + "contentId": "[variables('analyticRuleObject30')._analyticRulecontentId30]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion21')]", + "version": "[variables('analyticRuleObject30').analyticRuleVersion30]", "source": { "kind": "Solution", "name": "Threat Intelligence", 
@@ -4547,41 +5792,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId21')]", + "contentId": "[variables('analyticRuleObject30')._analyticRulecontentId30]", "contentKind": "AnalyticsRule", - "displayName": "TI Map IP Entity to Azure SQL Security Audit Events", - "contentProductId": "[variables('_analyticRulecontentProductId21')]", - "id": "[variables('_analyticRulecontentProductId21')]", - "version": "[variables('analyticRuleVersion21')]" + "displayName": "TI map IP entity to Web Session Events (ASIM Web Session schema)", + "contentProductId": "[variables('analyticRuleObject30')._analyticRulecontentProductId30]", + "id": "[variables('analyticRuleObject30')._analyticRulecontentProductId30]", + "version": "[variables('analyticRuleObject30').analyticRuleVersion30]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName22')]", + "name": "[variables('analyticRuleObject31').analyticRuleTemplateSpecName31]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_CustomSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "IPEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion22')]", + "contentVersion": "[variables('analyticRuleObject31').analyticRuleVersion31]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - 
"name": "[variables('analyticRulecontentId22')]", + "name": "[variables('analyticRuleObject31')._analyticRulecontentId31]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in CommonSecurityLog.", - "displayName": "TI Map IP Entity to CommonSecurityLog", + "description": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in OfficeActivity.", + "displayName": "TI map IP entity to OfficeActivity", "enabled": false, - "query": "let IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\nlet dt_lookBack = 1h; // Look back 1 hour for CommonSecurityLog events\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\";\n// Perform a join between IP indicators and CommonSecurityLog events\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one 
match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n CommonSecurityLog\n | where TimeGenerated >= ago(dt_lookBack)\n | extend MessageIP = extract(IPRegex, 0, Message)\n | extend CS_ipEntity = iff(isnotempty(SourceIP), SourceIP, DestinationIP)\n | extend CS_ipEntity = iff(isempty(CS_ipEntity) and isnotempty(MessageIP), MessageIP, CS_ipEntity)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n )\n on $left.TI_ipEntity == $right.CS_ipEntity\n // Filter out logs that occurred after the expiration of the corresponding indicator\n | where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and CS_ipEntity, and keep the log entry with the latest timestamp\n | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity\n // Select the desired output fields\n | project timestamp = CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction, Type\n", + "query": "let dt_lookBack = 1h; // Look back 1 hour for OfficeActivity events\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\nlet OfficeActivity_ = materialize(OfficeActivity\n | where isnotempty(ClientIP)\n | where TimeGenerated >= ago(dt_lookBack)\n | extend ClientIPValues = extract_all(@'\\[?(::ffff:)?(?P(\\d+\\.\\d+\\.\\d+\\.\\d+)|[^\\]%]+)(%\\d+)?\\]?([-:](?P\\d+))?', dynamic([\"IPAddress\", \"Port\"]), ClientIP)[0]\n | extend IPAddress = iff(array_length(ClientIPValues) > 0, tostring(ClientIPValues[0]), '')\n | project-rename OfficeActivity_TimeGenerated = TimeGenerated);\nlet ActivityIPs = OfficeActivity_ | summarize IPs = make_list(IPAddress);\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = materialize(ThreatIntelligenceIndicator\n | where 
isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | where TimeGenerated >= ago(ioc_lookBack)\n | extend TI_ipEntity = coalesce(NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress)\n | where TI_ipEntity in (ActivityIPs)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where Description !contains_cs \"State: inactive;\" and Description !contains_cs \"State: falsepos;\");\nIP_Indicators\n// Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n| join kind=innerunique (OfficeActivity_)\n on $left.TI_ipEntity == $right.IPAddress\n// Filter out OfficeActivity events that occurred after the expiration of the corresponding indicator\n| where OfficeActivity_TimeGenerated < ExpirationDateTime\n// Group the results by IndicatorId and keep the OfficeActivity event with the latest timestamp\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId\n// Select the desired output fields\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n| extend timestamp = OfficeActivity_TimeGenerated, Name = tostring(split(UserId, '@', 0)[0]), UPNSuffix = tostring(split(UserId, '@', 1)[0])\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", 
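Review bot: In the new OfficeActivity query the indicator filter admits rows where only `NetworkIP` is set (`where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or ...`), but the entity is then built with `coalesce(NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress)`, which never reads `NetworkIP`, so those indicators get an empty `TI_ipEntity` and can never match an OfficeActivity ClientIP — a silent detection gap for the most common IP indicator field. The sibling SigninLogs query in this same commit uses `coalesce(NetworkIP, EmailSourceIpAddress, NetworkDestinationIP, NetworkSourceIP)`, so the fix is to make this one consistent: `| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress)`. Separately, the `extract_all` pattern reads `(?P(\\d+...` and `(?P\\d+)` with no group names between `?P` and the parenthesis, which looks like `<IPAddress>`/`<Port>` were lost somewhere; if that is what the packaged file really contains the regex will not compile, though it may be an artifact of how the diff was rendered. This file appears to be generated package output, so the correction belongs in the rule's source YAML and should be re-packaged rather than patched here.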
@@ -4592,40 +5837,62 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "CEF", "dataTypes": [ - "CommonSecurityLog" - ] + "ThreatIntelligenceIndicator" + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ] + "OfficeActivity" + ], + "connectorId": "Office365" } ], "tactics": [ "Impact" ], "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" + }, + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + } + ] + }, { "entityType": "IP", "fieldMappings": [ { "identifier": "Address", - "columnName": "CS_ipEntity" + "columnName": "TI_ipEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "Url" } ] } 
@@ -4635,13 +5902,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId22'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject31').analyticRuleId31,'/'))))]", "properties": { - "description": "Threat Intelligence Analytics Rule 22", - "parentId": "[variables('analyticRuleId22')]", - "contentId": "[variables('_analyticRulecontentId22')]", + "description": "Threat Intelligence Analytics Rule 31", + "parentId": "[variables('analyticRuleObject31').analyticRuleId31]", + "contentId": "[variables('analyticRuleObject31')._analyticRulecontentId31]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion22')]", + "version": "[variables('analyticRuleObject31').analyticRuleVersion31]", "source": { "kind": "Solution", "name": "Threat Intelligence", 
@@ -4666,41 +5933,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId22')]", + "contentId": "[variables('analyticRuleObject31')._analyticRulecontentId31]", "contentKind": "AnalyticsRule", - "displayName": "TI Map IP Entity to CommonSecurityLog", - "contentProductId": "[variables('_analyticRulecontentProductId22')]", - "id": "[variables('_analyticRulecontentProductId22')]", - "version": "[variables('analyticRuleVersion22')]" + "displayName": "TI map IP entity to OfficeActivity", + "contentProductId": "[variables('analyticRuleObject31')._analyticRulecontentProductId31]", + "id": "[variables('analyticRuleObject31')._analyticRulecontentProductId31]", + "version": "[variables('analyticRuleObject31').analyticRuleVersion31]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName23')]", + "name": "[variables('analyticRuleObject32').analyticRuleTemplateSpecName32]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "IPEntity_SigninLogs_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion23')]", + "contentVersion": "[variables('analyticRuleObject32').analyticRuleVersion32]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId23')]", + "name": 
"[variables('analyticRuleObject32')._analyticRulecontentId32]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in DnsEvents.", - "displayName": "TI Map IP Entity to DnsEvents", + "description": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SigninLogs.", + "displayName": "TI Map IP Entity to SigninLogs", "enabled": false, - "query": "let dt_lookBack = 1h; // Look back 1 hour for DNS events\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\";\n// Perform a join between IP indicators and DNS events\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n DnsEvents\n | where TimeGenerated >= ago(dt_lookBack)\n | where SubType =~ 
\"LookupQuery\" and isnotempty(IPAddresses)\n | mv-expand SingleIP = split(IPAddresses, \", \") to typeof(string)\n | extend DNS_TimeGenerated = TimeGenerated\n )\n on $left.TI_ipEntity == $right.SingleIP\n // Filter out DNS events that occurred after the expiration of the corresponding indicator\n | where DNS_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and SingleIP, and keep the DNS event with the latest timestamp\n | summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated, *) by IndicatorId, SingleIP\n // Select the desired output fields\n | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n | extend timestamp = DNS_TimeGenerated, HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n", + "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet Signins = materialize(union isfuzzy=true\n (SigninLogs\n | where TimeGenerated >= ago(dt_lookBack)),\n (AADNonInteractiveUserSignInLogs\n | where TimeGenerated >= ago(dt_lookBack)\n | extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)));\nlet SigninIPs = Signins | summarize make_list(IPAddress);\nlet TI = materialize(ThreatIntelligenceIndicator\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | where TimeGenerated >= ago(ioc_lookBack)\n | extend TI_ipEntity = coalesce(NetworkIP, EmailSourceIpAddress, NetworkDestinationIP, NetworkSourceIP)\n | where TI_ipEntity in (SigninIPs)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where Description !contains_cs \"State: inactive;\" and 
Description !contains_cs \"State: falsepos;\");\nTI\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (Signins) on $left.TI_ipEntity == $right.IPAddress\n| project-rename SigninLogs_TimeGenerated = TimeGenerated\n| where SigninLogs_TimeGenerated < ExpirationDateTime\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails), StatusReason = tostring(Status.failureReason)\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, IPAddress\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n| extend timestamp = SigninLogs_TimeGenerated, Name = tostring(split(UserPrincipalName, '@', 0)[0]), UPNSuffix = tostring(split(UserPrincipalName, '@', 1)[0])\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -4711,28 +5978,34 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "DNS", "dataTypes": [ - "DnsEvents" - ] + "SigninLogs" + ], + "connectorId": "AzureActiveDirectory" + }, + { + "dataTypes": [ + "AADNonInteractiveUserSignInLogs" + ], + "connectorId": "AzureActiveDirectory" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ 
@@ -4740,15 +6013,15 @@ ], "entityMappings": [ { - "entityType": "Host", + "entityType": "Account", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" + "identifier": "Name", + "columnName": "Name" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ] }, @@ -4757,7 +6030,7 @@ "fieldMappings": [ { "identifier": "Address", - "columnName": "ClientIP" + "columnName": "IPAddress" } ] }, @@ -4776,13 +6049,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId23'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject32').analyticRuleId32,'/'))))]", "properties": { - "description": "Threat Intelligence Analytics Rule 23", - "parentId": "[variables('analyticRuleId23')]", - "contentId": "[variables('_analyticRulecontentId23')]", + "description": "Threat Intelligence Analytics Rule 32", + "parentId": "[variables('analyticRuleObject32').analyticRuleId32]", + "contentId": "[variables('analyticRuleObject32')._analyticRulecontentId32]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion23')]", + "version": "[variables('analyticRuleObject32').analyticRuleVersion32]", "source": { "kind": "Solution", "name": "Threat Intelligence", 
@@ -4807,41 +6080,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId23')]", + "contentId": "[variables('analyticRuleObject32')._analyticRulecontentId32]", "contentKind": "AnalyticsRule", - "displayName": "TI Map IP Entity to DnsEvents", - "contentProductId": "[variables('_analyticRulecontentProductId23')]", - "id": "[variables('_analyticRulecontentProductId23')]", - "version": "[variables('analyticRuleVersion23')]" + "displayName": "TI Map IP Entity to SigninLogs", + "contentProductId": "[variables('analyticRuleObject32')._analyticRulecontentProductId32]", + "id": "[variables('analyticRuleObject32')._analyticRulecontentProductId32]", + "version": "[variables('analyticRuleObject32').analyticRuleVersion32]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName24')]", + "name": "[variables('analyticRuleObject33').analyticRuleTemplateSpecName33]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_imWebSession_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "IPEntity_VMConnection_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion24')]", + "contentVersion": "[variables('analyticRuleObject33').analyticRuleVersion33]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId24')]", + "name": 
"[variables('analyticRuleObject33')._analyticRulecontentId33]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This rule identifies Web Sessions for which the source IP address is a known IoC.

This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.", - "displayName": "TI map IP entity to Web Session Events (ASIM Web Session schema)", + "description": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in VMConnection.", + "displayName": "TI Map IP Entity to VMConnection", "enabled": false, - "query": "let HAS_ANY_MAX = 10000;\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet IP_TI = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n // As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n // Taking the first non-empty value based on potential IOC match availability\n | extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, \"NO_IP\")\n // Picking up only IOC's that contain the entities we want\n | where TI_ipEntity != \"NO_IP\"\n // Exclude local addresses, using the ipv4_is_private operator\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\";\nlet IP_TI_list = toscalar(IP_TI\n | summarize NIoCs = dcount(TI_ipEntity), IoCs = make_set(TI_ipEntity)\n | project IoCs = iff(NIoCs > HAS_ANY_MAX, dynamic([]), IoCs));\nIP_TI\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind = innerunique (\n _Im_WebSession (starttime = ago(dt_lookBack), srcipaddr_has_any_prefix = IP_TI_list)\n | where isnotempty(SrcIpAddr)\n // renaming time column so it is clear the log this came from\n | extend imNWS_TimeGenerated = TimeGenerated\n )\n 
on $left.TI_ipEntity == $right.SrcIpAddr\n| where imNWS_TimeGenerated < ExpirationDateTime\n| summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated, *) by IndicatorId, DstIpAddr\n| project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, Url, Type\n", + "query": "let dt_lookBack = 1h; // Look back 1 hour for VMConnection events\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | where TimeGenerated >= ago(ioc_lookBack)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\"\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now();\n// Perform a join between IP indicators and VMConnection events\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n VMConnection\n | where TimeGenerated >= ago(dt_lookBack)\n | extend VMConnection_TimeGenerated = TimeGenerated\n )\n on $left.TI_ipEntity == $right.RemoteIp\n // Filter out VMConnection events that occurred after the expiration of the corresponding indicator\n | where VMConnection_TimeGenerated < 
ExpirationDateTime\n // Group the results by IndicatorId and keep the VMConnection event with the latest timestamp\n | summarize VMConnection_TimeGenerated = arg_max(VMConnection_TimeGenerated, *) by IndicatorId, RemoteIp\n // Select the desired output fields\n | project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n | extend timestamp = VMConnection_TimeGenerated, HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", 
@@ -4852,75 +6125,78 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SquidProxy", - "dataTypes": [ - "SquidProxy_CL" - ] - }, - { - "connectorId": "Zscaler", "dataTypes": [ - "CommonSecurityLog" - ] + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ] + "VMConnection" + ], + "connectorId": "AzureMonitor(VMInsights)" } ], "tactics": [ "Impact" ], "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "HostName", + "columnName": "HostName" + }, + { + "identifier": "DnsDomain", + "columnName": "DnsDomain" + } + ] + }, { "entityType": "IP", "fieldMappings": [ { "identifier": "Address", - "columnName": "DstIpAddr" + "columnName": "RemoteIp" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "Url" } ] } - ], - "customDetails": { - "IoCExpirationTime": "ExpirationDateTime", - "IndicatorId": "IndicatorId", - "IoCConfidenceScore": "ConfidenceScore", - "IoCDescription": "Description", - "EventTime": "imNWS_TimeGenerated", - "ThreatType": "ThreatType", - "ActivityGroupNames": "ActivityGroupNames" - }, - "alertDetailsOverride": { - "alertDisplayNameFormat": "The IP {{SrcIpAddr}} of the web request matches an IP IoC", - "alertDescriptionFormat": "The source address {{SrcIpAddr}} of the web request for the URL {{Url}} matches a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence feed for more information about the indicator." 
- } + ] } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId24'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject33').analyticRuleId33,'/'))))]", "properties": { - "description": "Threat Intelligence Analytics Rule 24", - "parentId": "[variables('analyticRuleId24')]", - "contentId": "[variables('_analyticRulecontentId24')]", + "description": "Threat Intelligence Analytics Rule 33", + "parentId": "[variables('analyticRuleObject33').analyticRuleId33]", + "contentId": "[variables('analyticRuleObject33')._analyticRulecontentId33]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion24')]", + "version": "[variables('analyticRuleObject33').analyticRuleVersion33]", "source": { "kind": "Solution", "name": "Threat Intelligence", 
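Review bot: The rebuilt rule at this slot closes `entityMappings` with `]` and carries no `customDetails` or `alertDetailsOverride`, although its query (in the hunk above, which starts before this view) still projects IndicatorId, ConfidenceScore, Description, ExpirationDateTime and ThreatType — the same columns the block it replaces surfaced as custom details. If the omission is not deliberate, a `customDetails` block mapping those columns plus an `alertDisplayNameFormat` such as `The IP {{RemoteIp}} of the VM connection matches an IP IoC` would keep alert triage consistent with the previous rule at this slot. Without them the indicator metadata is only reachable by opening the underlying query results.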
@@ -4945,41 +6221,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId24')]", + "contentId": "[variables('analyticRuleObject33')._analyticRulecontentId33]", "contentKind": "AnalyticsRule", - "displayName": "TI map IP entity to Web Session Events (ASIM Web Session schema)", - "contentProductId": "[variables('_analyticRulecontentProductId24')]", - "id": "[variables('_analyticRulecontentProductId24')]", - "version": "[variables('analyticRuleVersion24')]" + "displayName": "TI Map IP Entity to VMConnection", + "contentProductId": "[variables('analyticRuleObject33')._analyticRulecontentProductId33]", + "id": "[variables('analyticRuleObject33')._analyticRulecontentProductId33]", + "version": "[variables('analyticRuleObject33').analyticRuleVersion33]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName25')]", + "name": "[variables('analyticRuleObject34').analyticRuleTemplateSpecName34]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "IPEntity_W3CIISLog_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion25')]", + "contentVersion": "[variables('analyticRuleObject34').analyticRuleVersion34]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": 
"[variables('analyticRulecontentId25')]", + "name": "[variables('analyticRuleObject34')._analyticRulecontentId34]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in OfficeActivity.", - "displayName": "TI map IP entity to OfficeActivity", + "description": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in W3CIISLog.", + "displayName": "TI Map IP Entity to W3CIISLog", "enabled": false, - "query": "let dt_lookBack = 1h; // Look back 1 hour for OfficeActivity events\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\";\n// Perform a join between IP indicators and OfficeActivity events\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n 
OfficeActivity\n | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(ClientIP)\n | extend ClientIPValues = extract_all(@'\\[?(::ffff:)?(?P(\\d+\\.\\d+\\.\\d+\\.\\d+)|[^\\]%]+)(%\\d+)?\\]?([-:](?P\\d+))?', dynamic([\"IPAddress\", \"Port\"]), ClientIP)[0]\n | extend IPAddress = iff(array_length(ClientIPValues) > 0, tostring(ClientIPValues[0]), '')\n | extend OfficeActivity_TimeGenerated = TimeGenerated\n )\n on $left.TI_ipEntity == $right.IPAddress\n // Filter out OfficeActivity events that occurred after the expiration of the corresponding indicator\n | where OfficeActivity_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and keep the OfficeActivity event with the latest timestamp\n | summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId\n // Select the desired output fields\n | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n | extend timestamp = OfficeActivity_TimeGenerated, Name = tostring(split(UserId, '@', 0)[0]), UPNSuffix = tostring(split(UserId, '@', 1)[0])\n", + "query": "let dt_lookBack = 1h; // Look back 1 hour for W3CIISLog events\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | where TimeGenerated >= ago(ioc_lookBack)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = 
iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\"\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now();\n// Perform a join between IP indicators and W3CIISLog events\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n W3CIISLog\n | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(cIP)\n | where ipv4_is_private(cIP) == false and cIP !startswith \"fe80\" and cIP !startswith \"::\" and cIP !startswith \"127.\"\n | extend W3CIISLog_TimeGenerated = TimeGenerated\n )\n on $left.TI_ipEntity == $right.cIP\n // Filter out W3CIISLog events that occurred after the expiration of the corresponding indicator\n | where W3CIISLog_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and keep the W3CIISLog event with the latest timestamp\n | summarize W3CIISLog_TimeGenerated = arg_max(W3CIISLog_TimeGenerated, *) by IndicatorId, cIP\n // Select the desired output fields\n | project timestamp = W3CIISLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status,\n NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", 
@@ -4990,28 +6266,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" }, { - "connectorId": "Office365", "dataTypes": [ - "OfficeActivity" - ] + "W3CIISLog" + ], + "connectorId": "AzureMonitor(IIS)" } ], "tactics": [ @@ -5023,11 +6299,16 @@ "fieldMappings": [ { "identifier": "Name", - "columnName": "Name" - }, + "columnName": "csUserName" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "identifier": "HostName", + "columnName": "Computer" } ] }, @@ -5036,7 +6317,7 @@ "fieldMappings": [ { "identifier": "Address", - "columnName": "TI_ipEntity" + "columnName": "cIP" } ] }, 
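Review bot: The Host mapping in the `@@ -5023` hunk maps `Computer` straight to the `HostName` identifier, while the VMConnection rule in this same change splits `Computer` into `HostName` and `DnsDomain` before mapping. If the W3CIISLog `Computer` column holds an FQDN (not shown here), the HostName identifier will carry the full name and the two rules will key Host entities for the same machine differently. Extending the W3CIISLog query (previous hunk) with `| extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))` and mapping both identifiers would align them.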
@@ -5055,13 +6336,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId25'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject34').analyticRuleId34,'/'))))]", "properties": { - "description": "Threat Intelligence Analytics Rule 25", - "parentId": "[variables('analyticRuleId25')]", - "contentId": "[variables('_analyticRulecontentId25')]", + "description": "Threat Intelligence Analytics Rule 34", + "parentId": "[variables('analyticRuleObject34').analyticRuleId34]", + "contentId": "[variables('analyticRuleObject34')._analyticRulecontentId34]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion25')]", + "version": "[variables('analyticRuleObject34').analyticRuleVersion34]", "source": { "kind": "Solution", "name": "Threat Intelligence", 
@@ -5086,41 +6367,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId25')]", + "contentId": "[variables('analyticRuleObject34')._analyticRulecontentId34]", "contentKind": "AnalyticsRule", - "displayName": "TI map IP entity to OfficeActivity", - "contentProductId": "[variables('_analyticRulecontentProductId25')]", - "id": "[variables('_analyticRulecontentProductId25')]", - "version": "[variables('analyticRuleVersion25')]" + "displayName": "TI Map IP Entity to W3CIISLog", + "contentProductId": "[variables('analyticRuleObject34')._analyticRulecontentProductId34]", + "id": "[variables('analyticRuleObject34')._analyticRulecontentProductId34]", + "version": "[variables('analyticRuleObject34').analyticRuleVersion34]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName26')]", + "name": "[variables('analyticRuleObject35').analyticRuleTemplateSpecName35]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_SigninLogs_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "URLEntity_AuditLogs_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion26')]", + "contentVersion": "[variables('analyticRuleObject35').analyticRuleVersion35]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId26')]", + "name": 
"[variables('analyticRuleObject35')._analyticRulecontentId35]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SigninLogs.", - "displayName": "TI Map IP Entity to SigninLogs", + "description": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in AuditLogs.", + "displayName": "TI Map URL Entity to AuditLogs", "enabled": false, - "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet aadFunc = (tableName:string){\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n table(tableName) | where TimeGenerated >= ago(dt_lookBack)\n | extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)\n | extend StatusCode = tostring(Status.errorCode), 
StatusDetails = tostring(Status.additionalDetails), StatusReason = tostring(Status.failureReason)\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\n // renaming time column so it is clear the log this came from\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\n)\non $left.TI_ipEntity == $right.IPAddress\n| where SigninLogs_TimeGenerated < ExpirationDateTime\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, IPAddress\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n| extend timestamp = SigninLogs_TimeGenerated, Name = tostring(split(UserPrincipalName, '@', 0)[0]), UPNSuffix = tostring(split(UserPrincipalName, '@', 1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet AuditEvents = materialize(AuditLogs\n | where TimeGenerated >= ago(dt_lookBack)\n // Extract the URL that is contained within the JSON data\n | extend Url = extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\", 1,tostring(TargetResources))\n | where isnotempty(Url)\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)\n | extend Audit_TimeGenerated = TimeGenerated);\nlet AuditUrls = AuditEvents | distinct Url = tolower(Url) | summarize make_list(Url);\nThreatIntelligenceIndicator\n| where isnotempty(Url)\n| where TimeGenerated >= ago(ioc_lookBack)\n| where 
tolower(Url) in (AuditUrls)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| where Description !contains_cs \"State: inactive;\" and Description !contains_cs \"State: falsepos;\"\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (AuditEvents) on Url\n| where Audit_TimeGenerated < ExpirationDateTime\n| summarize Audit_TimeGenerated = arg_max(Audit_TimeGenerated, *) by IndicatorId, Url\n| project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\nOperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url\n| extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -5131,34 +6412,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ] + "AuditLogs" + ], + "connectorId": "AzureActiveDirectory" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] - }, - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "SigninLogs" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "AzureActiveDirectory", "dataTypes": [ - "AADNonInteractiveUserSignInLogs" - ] + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ 
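Review bot: The AuditLogs rule pre-filters indicators with `| where tolower(Url) in (AuditUrls)`, where `AuditUrls` is built from `distinct Url = tolower(Url)`, but the subsequent `| join kind=innerunique (AuditEvents) on Url` compares the original-case columns, so an indicator that passes the pre-filter only because of a case difference produces no joined row. The DeviceNetworkEvents rule in this same change normalises both sides with `tolower` before joining; do the same here by adding `| extend Url = tolower(Url)` inside the `AuditEvents` definition after the `isnotempty(Url)` check, and on the indicator side replacing the pre-filter with `| extend Url = tolower(Url)` followed by `| where Url in (AuditUrls)`. Separately, in the extraction regex the class `[$-_@.&+]` contains the range `$-_`, which admits every character from 0x24 to 0x5F (including `;`, `<`, `>`, `[`, `]` and `\`) rather than the three literal characters it appears to intend; if that is unintended, move the hyphen to the end as `[$_@.&+-]`. The enclosing contentTemplates resource continues past this hunk.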
@@ -5169,21 +6444,17 @@ "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" - }, - { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "identifier": "FullName", + "columnName": "AccountCustomEntity" } ] }, { - "entityType": "IP", + "entityType": "Host", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPAddress" + "identifier": "FullName", + "columnName": "HostCustomEntity" } ] }, @@ -5192,7 +6463,7 @@ "fieldMappings": [ { "identifier": "Url", - "columnName": "Url" + "columnName": "URLCustomEntity" } ] } @@ -5202,13 +6473,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId26'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject35').analyticRuleId35,'/'))))]", "properties": { - "description": "Threat Intelligence Analytics Rule 26", - "parentId": "[variables('analyticRuleId26')]", - "contentId": "[variables('_analyticRulecontentId26')]", + "description": "Threat Intelligence Analytics Rule 35", + "parentId": "[variables('analyticRuleObject35').analyticRuleId35]", + "contentId": "[variables('analyticRuleObject35')._analyticRulecontentId35]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion26')]", + "version": "[variables('analyticRuleObject35').analyticRuleVersion35]", "source": { "kind": "Solution", "name": "Threat Intelligence", 
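Review bot: The Host mapping in the `@@ -5169` hunk assigns `HostCustomEntity`, which the query sets to `TargetResourceDisplayName` from AuditLogs, to the Host `FullName` identifier. The target of an Azure AD audit event is presumably a directory object (user, group, application), so this would yield Host entities named after non-machines — confirm that Host is the intended entity type here, or drop that mapping. The `*CustomEntity` aliases exist only to feed these mappings; mapping `userPrincipalName`, `TargetResourceDisplayName` and `Url` directly as `columnName` values would remove the trailing `extend` from the query.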
@@ -5233,41 +6504,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId26')]", + "contentId": "[variables('analyticRuleObject35')._analyticRulecontentId35]", "contentKind": "AnalyticsRule", - "displayName": "TI Map IP Entity to SigninLogs", - "contentProductId": "[variables('_analyticRulecontentProductId26')]", - "id": "[variables('_analyticRulecontentProductId26')]", - "version": "[variables('analyticRuleVersion26')]" + "displayName": "TI Map URL Entity to AuditLogs", + "contentProductId": "[variables('analyticRuleObject35')._analyticRulecontentProductId35]", + "id": "[variables('analyticRuleObject35')._analyticRulecontentProductId35]", + "version": "[variables('analyticRuleObject35').analyticRuleVersion35]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName27')]", + "name": "[variables('analyticRuleObject36').analyticRuleTemplateSpecName36]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_VMConnection_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "URLEntity_DeviceNetworkEvents_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion27')]", + "contentVersion": "[variables('analyticRuleObject36').analyticRuleVersion36]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId27')]", + 
"name": "[variables('analyticRuleObject36')._analyticRulecontentId36]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in VMConnection.", - "displayName": "TI Map IP Entity to VMConnection", + "description": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in DeviceNetworkEvents.", + "displayName": "TI Map URL Entity to AuditLogs", "enabled": false, - "query": "let dt_lookBack = 1h; // Look back 1 hour for VMConnection events\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\";\n// Perform a join between IP indicators and VMConnection events\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n VMConnection\n | where TimeGenerated >= 
ago(dt_lookBack)\n | extend VMConnection_TimeGenerated = TimeGenerated\n )\n on $left.TI_ipEntity == $right.RemoteIp\n // Filter out VMConnection events that occurred after the expiration of the corresponding indicator\n | where VMConnection_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and keep the VMConnection event with the latest timestamp\n | summarize VMConnection_TimeGenerated = arg_max(VMConnection_TimeGenerated, *) by IndicatorId, RemoteIp\n // Select the desired output fields\n | project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n | extend timestamp = VMConnection_TimeGenerated, HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n", + "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet DeviceNetworkEvents_ = DeviceNetworkEvents\n | where isnotempty(RemoteUrl)\n | where TimeGenerated >= ago(dt_lookBack)\n | where ActionType !has \"ConnectionFailed\"\n | extend RemoteUrl = tolower(RemoteUrl)\n | project-rename DeviceNetworkEvents_TimeGenerated = TimeGenerated;\nlet DeviceNetworkEventUrls = DeviceNetworkEvents_\n | distinct Url = RemoteUrl\n | summarize make_list(Url);\nThreatIntelligenceIndicator\n| where isnotempty(Url)\n| where TimeGenerated >= ago(ioc_lookBack)\n| extend Url = tolower(Url)\n| where Url in (DeviceNetworkEventUrls)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| where Description !contains_cs \"State: inactive;\" and Description !contains_cs \"State: falsepos;\"\n| join kind=innerunique (DeviceNetworkEvents_) on $left.Url == $right.RemoteUrl\n| where 
DeviceNetworkEvents_TimeGenerated < ExpirationDateTime\n| summarize DeviceNetworkEvents_TimeGenerated = arg_max(DeviceNetworkEvents_TimeGenerated, *) by IndicatorId, Url\n| project DeviceNetworkEvents_TimeGenerated, IndicatorId, Url, ConfidenceScore, Description, ThreatType, Tags, TrafficLightProtocolLevel, ActionType, DeviceId, DeviceName, InitiatingProcessAccountUpn, InitiatingProcessCommandLine, RemoteIP, RemotePort\n| extend Name = tostring(split(InitiatingProcessAccountUpn, '@', 0)[0]), UPNSuffix = tostring(split(InitiatingProcessAccountUpn, '@', 1)[0])\n| extend timestamp = DeviceNetworkEvents_TimeGenerated, UserPrincipalName = InitiatingProcessAccountUpn\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -5278,28 +6549,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ] + "DeviceNetworkEvents" + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "AzureMonitor(VMInsights)", "dataTypes": [ - "VMConnection" - ] + "ThreatIntelligenceIndicator" + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ 
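Review bot: The DeviceNetworkEvents rule's `"displayName": "TI Map URL Entity to AuditLogs"` does not match its description ("searching for matches in DeviceNetworkEvents") or its template name `URLEntity_DeviceNetworkEvents_AnalyticalRules`, so two rules in this solution will show the same title in the analytics gallery; it should read `"displayName": "TI Map URL Entity to DeviceNetworkEvents"`. The same wrong title is repeated for rule 36 in the contentTemplates metadata of the hunk starting at `@@ -5374,41 +6654,41 @@`, which begins on the last line of this view and continues past it, and should be corrected there too.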
@@ -5307,24 +6578,24 @@ ], "entityMappings": [ { - "entityType": "Host", + "entityType": "Account", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" + "identifier": "Name", + "columnName": "Name" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ] }, { - "entityType": "IP", + "entityType": "Host", "fieldMappings": [ { - "identifier": "Address", - "columnName": "RemoteIp" + "identifier": "FullName", + "columnName": "DeviceName" } ] }, @@ -5336,6 +6607,15 @@ "columnName": "Url" } ] + }, + { + "entityType": "Process", + "fieldMappings": [ + { + "identifier": "CommandLine", + "columnName": "InitiatingProcessCommandLine" + } + ] } ] } @@ -5343,13 +6623,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId27'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject36').analyticRuleId36,'/'))))]", "properties": { - "description": "Threat Intelligence Analytics Rule 27", - "parentId": "[variables('analyticRuleId27')]", - "contentId": "[variables('_analyticRulecontentId27')]", + "description": "Threat Intelligence Analytics Rule 36", + "parentId": "[variables('analyticRuleObject36').analyticRuleId36]", + "contentId": "[variables('analyticRuleObject36')._analyticRulecontentId36]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion27')]", + "version": "[variables('analyticRuleObject36').analyticRuleVersion36]", "source": { "kind": "Solution", "name": "Threat Intelligence", 
@@ -5374,41 +6654,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId27')]", + "contentId": "[variables('analyticRuleObject36')._analyticRulecontentId36]", "contentKind": "AnalyticsRule", - "displayName": "TI Map IP Entity to VMConnection", - "contentProductId": "[variables('_analyticRulecontentProductId27')]", - "id": "[variables('_analyticRulecontentProductId27')]", - "version": "[variables('analyticRuleVersion27')]" + "displayName": "TI Map URL Entity to AuditLogs", + "contentProductId": "[variables('analyticRuleObject36')._analyticRulecontentProductId36]", + "id": "[variables('analyticRuleObject36')._analyticRulecontentProductId36]", + "version": "[variables('analyticRuleObject36').analyticRuleVersion36]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName28')]", + "name": "[variables('analyticRuleObject37').analyticRuleTemplateSpecName37]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_W3CIISLog_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "URLEntity_EmailUrlInfo_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion28')]", + "contentVersion": "[variables('analyticRuleObject37').analyticRuleVersion37]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId28')]", + "name": 
"[variables('analyticRuleObject37')._analyticRulecontentId37]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in W3CIISLog.", - "displayName": "TI Map IP Entity to W3CIISLog", + "description": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in EmailUrlInfo.", + "displayName": "TI Map URL Entity to EmailUrlInfo", "enabled": false, - "query": "let dt_lookBack = 1h; // Look back 1 hour for W3CIISLog events\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\";\n// Perform a join between IP indicators and W3CIISLog events\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n W3CIISLog\n | where TimeGenerated >= ago(dt_lookBack)\n | where 
isnotempty(cIP)\n | where ipv4_is_private(cIP) == false and cIP !startswith \"fe80\" and cIP !startswith \"::\" and cIP !startswith \"127.\"\n | extend W3CIISLog_TimeGenerated = TimeGenerated\n )\n on $left.TI_ipEntity == $right.cIP\n // Filter out W3CIISLog events that occurred after the expiration of the corresponding indicator\n | where W3CIISLog_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and keep the W3CIISLog event with the latest timestamp\n | summarize W3CIISLog_TimeGenerated = arg_max(W3CIISLog_TimeGenerated, *) by IndicatorId, cIP\n // Select the desired output fields\n | project timestamp = W3CIISLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status,\n NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n", + "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet EmailUrlInfo_ = materialize(EmailUrlInfo\n | where isnotempty(Url)\n | where TimeGenerated >= ago(dt_lookBack)\n | extend Url = tolower(Url)\n | extend EmailUrlInfo_TimeGenerated = TimeGenerated);\nlet EmailUrls = EmailUrlInfo_ | distinct Url | summarize make_list(Url);\nlet EmailUrlDomains = EmailUrlInfo_ | distinct UrlDomain | summarize make_list(UrlDomain);\nlet EmailEvents_ = materialize(EmailEvents\n | where TimeGenerated >= ago(dt_lookBack));\nlet TI = materialize(ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | where (isnotempty(Url) or isnotempty(DomainName)) \n | where tolower(Url) in (EmailUrls) or tolower(DomainName) in (EmailUrlDomains)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now());\n(union\n (TI | join kind=innerunique (EmailUrlInfo_) on Url),\n (TI | join kind=innerunique (EmailUrlInfo_) on $left.DomainName == $right.UrlDomain))\n| 
where EmailUrlInfo_TimeGenerated < ExpirationDateTime\n| summarize EmailUrlInfo_TimeGenerated = arg_max(EmailUrlInfo_TimeGenerated, *) by IndicatorId, Url\n| project EmailUrlInfo_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, UrlDomain, UrlLocation, NetworkMessageId\n| extend timestamp = EmailUrlInfo_TimeGenerated\n| join kind=inner (EmailEvents_) on NetworkMessageId\n| where DeliveryAction !has \"Blocked\"\n| extend Name = tostring(split(RecipientEmailAddress, '@', 0)[0]), UPNSuffix = tostring(split(RecipientEmailAddress, '@', 1)[0])\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -5419,28 +6699,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ - "ThreatIntelligenceIndicator" - ] + "EmailUrlInfo" + ], + "connectorId": "AzureActiveDirectory" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "AzureMonitor(IIS)", "dataTypes": [ - "W3CIISLog" - ] + "ThreatIntelligenceIndicator" + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -5452,25 +6732,11 @@ "fieldMappings": [ { "identifier": "Name", - "columnName": "csUserName" - } - ] - }, - { - "entityType": "Host", - "fieldMappings": [ - { - "identifier": "HostName", - "columnName": "Computer" - } - ] - }, - { - "entityType": "IP", - "fieldMappings": [ + "columnName": "Name" + }, { - "identifier": "Address", - "columnName": "cIP" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ] }, 
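Review bot: The new EmailUrlInfo query in this hunk pre-filters the TI side with `tolower(Url) in (EmailUrls)` and `tolower(DomainName) in (EmailUrlDomains)` but then joins on the un-normalized `Url` and `DomainName` against an EmailUrlInfo side that was already lowercased, so an indicator with any upper-case character in its URL or domain passes the filter and is silently lost at the case-sensitive join. The DeviceNetworkEvents rule earlier on the page lowercases before joining; adding `| extend Url = tolower(Url), DomainName = tolower(DomainName)` inside the `TI` materialize makes this rule consistent with it. Separately, the rule 36 metadata at the top of this hunk now says `"displayName": "TI Map URL Entity to AuditLogs"`, while the query in that rule's template (earlier on the page) reads only DeviceNetworkEvents; the template's own displayName is outside this view, so if the two disagree the name should follow the data source actually queried. If this mainTemplate is regenerated from the rule YAML by the packaging tool, both corrections belong in the source rule rather than here.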
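Review bot: The first `requiredDataConnectors` entry in this hunk declares `"EmailUrlInfo"` under `"connectorId": "AzureActiveDirectory"`, but EmailUrlInfo is a Defender XDR email table that the Azure AD connector does not provide, so the connector-health check in the portal would point operators at the wrong connector. The DeviceNetworkEvents rule earlier on this page maps its Defender table to `MicrosoftThreatProtection`; this entry should use the same, `"connectorId": "MicrosoftThreatProtection"`. The query also joins `EmailEvents`, which is absent from every `dataTypes` list here; listing `"EmailEvents"` next to `"EmailUrlInfo"` keeps the declared dependencies complete.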
@@ -5489,13 +6755,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId28'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject37').analyticRuleId37,'/'))))]", "properties": { - "description": "Threat Intelligence Analytics Rule 28", - "parentId": "[variables('analyticRuleId28')]", - "contentId": "[variables('_analyticRulecontentId28')]", + "description": "Threat Intelligence Analytics Rule 37", + "parentId": "[variables('analyticRuleObject37').analyticRuleId37]", + "contentId": "[variables('analyticRuleObject37')._analyticRulecontentId37]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion28')]", + "version": "[variables('analyticRuleObject37').analyticRuleVersion37]", "source": { "kind": "Solution", "name": "Threat Intelligence", 
@@ -5520,41 +6786,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId28')]", + "contentId": "[variables('analyticRuleObject37')._analyticRulecontentId37]", "contentKind": "AnalyticsRule", - "displayName": "TI Map IP Entity to W3CIISLog", - "contentProductId": "[variables('_analyticRulecontentProductId28')]", - "id": "[variables('_analyticRulecontentProductId28')]", - "version": "[variables('analyticRuleVersion28')]" + "displayName": "TI Map URL Entity to EmailUrlInfo", + "contentProductId": "[variables('analyticRuleObject37')._analyticRulecontentProductId37]", + "id": "[variables('analyticRuleObject37')._analyticRulecontentProductId37]", + "version": "[variables('analyticRuleObject37').analyticRuleVersion37]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName29')]", + "name": "[variables('analyticRuleObject38').analyticRuleTemplateSpecName38]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_AuditLogs_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "URLEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion29')]", + "contentVersion": "[variables('analyticRuleObject38').analyticRuleVersion38]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId29')]", + "name": 
"[variables('analyticRuleObject38')._analyticRulecontentId38]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in AuditLogs.", - "displayName": "TI Map URL Entity to AuditLogs", + "description": "This query is Deprecated as its filter conditions will never yield results. This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in OfficeActivity data.", + "displayName": "TI Map URL Entity to OfficeActivity Data [Deprecated]", "enabled": false, - "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(Url)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AuditLogs\n | where TimeGenerated >= ago(dt_lookBack)\n // Extract the URL that is contained within the JSON data\n | extend Url = extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\", 1,tostring(TargetResources))\n | where isnotempty(Url)\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)\n | extend Audit_TimeGenerated = TimeGenerated\n) on Url\n| where Audit_TimeGenerated < ExpirationDateTime\n| summarize Audit_TimeGenerated = arg_max(Audit_TimeGenerated, *) by IndicatorId, Url\n| project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, 
ExpirationDateTime, ConfidenceScore,\nOperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url\n| extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url\n", + "query": "let dt_lookBack = 1h;\n// let ioc_lookBack = 14d;\n// ThreatIntelligenceIndicator\n// // Picking up only IOC's that contain the entities we want\n// | where isnotempty(Url)\n// | where TimeGenerated >= ago(ioc_lookBack)\n// | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n// | where Active == true and ExpirationDateTime > now()\n// // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n// | join kind=innerunique (\n// OfficeActivity\n// | where TimeGenerated >= ago(dt_lookBack)\n// //Extract the Url from a number of potential fields\n// | extend Url = iif(OfficeWorkload == \"AzureActiveDirectory\",extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\n// | where isnotempty(Url)\n// // Ensure we get a clean URL\n// | extend Url = tostring(split(Url, ';')[0])\n// | extend OfficeActivity_TimeGenerated = TimeGenerated\n// // Project a single user identity that we can use for entity mapping\n// | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Value)))\n// ) on Url\n// | where OfficeActivity_TimeGenerated < ExpirationDateTime\n// | summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, Url\n// | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation,\n// UserType, OfficeWorkload, Parameters, Url, User\n// | extend timestamp = 
OfficeActivity_TimeGenerated, Name = tostring(split(User, '@', 0)[0]), UPNSuffix = tostring(split(User, '@', 1)[0])\ndatatable() []\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -5565,28 +6831,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ - "AuditLogs" - ] + "OfficeActivity" + ], + "connectorId": "Office365" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" } ], "tactics": [ @@ -5597,17 +6863,12 @@ "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "AccountCustomEntity" - } - ] - }, - { - "entityType": "Host", - "fieldMappings": [ + "identifier": "Name", + "columnName": "Name" + }, { - "identifier": "FullName", - "columnName": "HostCustomEntity" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ] }, @@ -5616,7 +6877,7 @@ "fieldMappings": [ { "identifier": "Url", - "columnName": "URLCustomEntity" + "columnName": "Url" } ] } 
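Review bot: The deprecated OfficeActivity rule's replacement query ends in `datatable() []`, which declares no columns, yet the entity mappings later in this section (hunks @@ -5597 and @@ -5616) still bind `Name`, `UPNSuffix` and `Url`. Whether rule creation from this template tolerates mappings to columns the query never emits is not visible here; either drop the mappings or declare the columns, e.g. `datatable(Name:string, UPNSuffix:string, Url:string) []`. The template also keeps `"status": "Available"` and the Office365 connector requirement, so the only deprecation signal a user sees is the `[Deprecated]` suffix and the description; if the content hub supports a deprecated status for analytic rules, setting it would surface the deprecation better than the name alone.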
@@ -5626,13 +6887,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId29'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject38').analyticRuleId38,'/'))))]", "properties": { - "description": "Threat Intelligence Analytics Rule 29", - "parentId": "[variables('analyticRuleId29')]", - "contentId": "[variables('_analyticRulecontentId29')]", + "description": "Threat Intelligence Analytics Rule 38", + "parentId": "[variables('analyticRuleObject38').analyticRuleId38]", + "contentId": "[variables('analyticRuleObject38')._analyticRulecontentId38]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion29')]", + "version": "[variables('analyticRuleObject38').analyticRuleVersion38]", "source": { "kind": "Solution", "name": "Threat Intelligence", 
@@ -5657,41 +6918,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId29')]", + "contentId": "[variables('analyticRuleObject38')._analyticRulecontentId38]", "contentKind": "AnalyticsRule", - "displayName": "TI Map URL Entity to AuditLogs", - "contentProductId": "[variables('_analyticRulecontentProductId29')]", - "id": "[variables('_analyticRulecontentProductId29')]", - "version": "[variables('analyticRuleVersion29')]" + "displayName": "TI Map URL Entity to OfficeActivity Data [Deprecated]", + "contentProductId": "[variables('analyticRuleObject38')._analyticRulecontentProductId38]", + "id": "[variables('analyticRuleObject38')._analyticRulecontentProductId38]", + "version": "[variables('analyticRuleObject38').analyticRuleVersion38]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName30')]", + "name": "[variables('analyticRuleObject39').analyticRuleTemplateSpecName39]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "URLEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion30')]", + "contentVersion": "[variables('analyticRuleObject39').analyticRuleVersion39]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": 
"[variables('analyticRulecontentId30')]", + "name": "[variables('analyticRuleObject39')._analyticRulecontentId39]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in OfficeActivity data.", - "displayName": "TI Map URL Entity to OfficeActivity Data", + "description": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in PaloAlto Data.", + "displayName": "TI Map URL Entity to PaloAlto Data", "enabled": false, - "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(Url)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n OfficeActivity\n | where TimeGenerated >= ago(dt_lookBack)\n //Extract the Url from a number of potential fields\n | extend Url = iif(OfficeWorkload == \"AzureActiveDirectory\",extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\n | where isnotempty(Url)\n // Ensure we get a clean URL\n | extend Url = tostring(split(Url, ';')[0])\n | extend OfficeActivity_TimeGenerated = TimeGenerated\n // Project a single user identity that we can use for entity mapping\n | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Value)))\n) on Url\n| where 
OfficeActivity_TimeGenerated < ExpirationDateTime\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, Url\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation,\nUserType, OfficeWorkload, Parameters, Url, User\n| extend timestamp = OfficeActivity_TimeGenerated, Name = tostring(split(User, '@', 0)[0]), UPNSuffix = tostring(split(User, '@', 1)[0])\n", + "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(Url)\n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n CommonSecurityLog\n | extend IngestionTime = ingestion_time()\n | where IngestionTime > ago(dt_lookBack)\n // Select on Palo Alto logs\n | where DeviceVendor =~ \"Palo Alto Networks\"\n | where DeviceEventClassID =~ 'url'\n //Uncomment the line below to only alert on allowed connections\n //| where DeviceAction !~ \"block-url\"\n //Select logs where URL data is populated\n | extend PA_Url = column_ifexists(\"RequestURL\", \"None\")\n | extend PA_Url = iif(isempty(PA_Url), extract(\"([^\\\"]+)\", 1, tolower(AdditionalExtensions)), trim('\"', PA_Url))\n | extend PA_Url = iif(PA_Url !startswith \"http://\" and ApplicationProtocol !~ \"ssl\", strcat('http://', PA_Url), iif(PA_Url !startswith \"https://\" and ApplicationProtocol =~ \"ssl\", strcat('https://', PA_Url), PA_Url))\n | where isnotempty(PA_Url)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n) on $left.Url == $right.PA_Url\n| where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| 
summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, PA_Url\n| project timestamp = CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, PA_Url, DeviceName\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -5702,22 +6963,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Office365", "dataTypes": [ - "OfficeActivity" - ] + "CommonSecurityLog" + ], + "connectorId": "PaloAltoNetworks" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" + }, + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -5725,15 +6992,20 @@ ], "entityMappings": [ { - "entityType": "Account", + "entityType": "Host", "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" - }, + "identifier": "HostName", + "columnName": "DeviceName" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "identifier": "Address", + "columnName": "SourceIP" } ] }, @@ -5742,7 +7014,7 @@ "fieldMappings": [ { "identifier": "Url", - "columnName": "Url" + "columnName": "PA_Url" } ] } 
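Review bot: In the PaloAlto query carried into this hunk unchanged, `column_ifexists("RequestURL", "None")` substitutes the literal string `None` when the column is missing; `isempty(PA_Url)` is then false, so the `AdditionalExtensions` fallback never runs, and the value survives `isnotempty(PA_Url)` after being prefixed with `http://`. Using an empty default, `column_ifexists("RequestURL", "")`, lets the fallback path and the emptiness filter work as the comments above them describe. Unlike the URL rules for DeviceNetworkEvents, EmailUrlInfo and SecurityAlert on this page, this TI side is neither lowercased nor pre-filtered with a `make_list` of observed URLs, so its match behaviour differs from its siblings; worth aligning if the content is being revised anyway.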
@@ -5752,13 +7024,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId30'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject39').analyticRuleId39,'/'))))]", "properties": { - "description": "Threat Intelligence Analytics Rule 30", - "parentId": "[variables('analyticRuleId30')]", - "contentId": "[variables('_analyticRulecontentId30')]", + "description": "Threat Intelligence Analytics Rule 39", + "parentId": "[variables('analyticRuleObject39').analyticRuleId39]", + "contentId": "[variables('analyticRuleObject39')._analyticRulecontentId39]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion30')]", + "version": "[variables('analyticRuleObject39').analyticRuleVersion39]", "source": { "kind": "Solution", "name": "Threat Intelligence", 
@@ -5783,41 +7055,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId30')]", + "contentId": "[variables('analyticRuleObject39')._analyticRulecontentId39]", "contentKind": "AnalyticsRule", - "displayName": "TI Map URL Entity to OfficeActivity Data", - "contentProductId": "[variables('_analyticRulecontentProductId30')]", - "id": "[variables('_analyticRulecontentProductId30')]", - "version": "[variables('analyticRuleVersion30')]" + "displayName": "TI Map URL Entity to PaloAlto Data", + "contentProductId": "[variables('analyticRuleObject39')._analyticRulecontentProductId39]", + "id": "[variables('analyticRuleObject39')._analyticRulecontentProductId39]", + "version": "[variables('analyticRuleObject39').analyticRuleVersion39]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName31')]", + "name": "[variables('analyticRuleObject40').analyticRuleTemplateSpecName40]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "URLEntity_SecurityAlerts_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion31')]", + "contentVersion": "[variables('analyticRuleObject40').analyticRuleVersion40]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId31')]", + 
"name": "[variables('analyticRuleObject40')._analyticRulecontentId40]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in PaloAlto Data.", - "displayName": "TI Map URL Entity to PaloAlto Data", + "description": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in SecurityAlert data.", + "displayName": "TI Map URL Entity to SecurityAlert Data", "enabled": false, - "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(Url)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n CommonSecurityLog\n | extend IngestionTime = ingestion_time()\n | where IngestionTime > ago(dt_lookBack)\n // Select on Palo Alto logs\n | where DeviceVendor =~ \"Palo Alto Networks\"\n | where DeviceEventClassID =~ 'url'\n //Uncomment the line below to only alert on allowed connections\n //| where DeviceAction !~ \"block-url\"\n //Select logs where URL data is populated\n | extend PA_Url = column_ifexists(\"RequestURL\", \"None\")\n | extend PA_Url = iif(isempty(PA_Url), extract(\"([^\\\"]+)\", 1, tolower(AdditionalExtensions)), trim('\"', PA_Url))\n | extend PA_Url = iif(PA_Url !startswith \"http://\" and ApplicationProtocol !~ \"ssl\", strcat('http://', PA_Url), iif(PA_Url !startswith \"https://\" and ApplicationProtocol =~ \"ssl\", strcat('https://', PA_Url), PA_Url))\n | where isnotempty(PA_Url)\n | extend 
CommonSecurityLog_TimeGenerated = TimeGenerated\n) on $left.Url == $right.PA_Url\n| where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, PA_Url\n| project timestamp = CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, PA_Url, DeviceName\n", + "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet URLRegex = \"((https?|ftp|ldap|wss?|file):\\\\/\\\\/(([\\\\:\\\\%\\\\w\\\\_\\\\-]+(\\\\.|@))*((xn--)?[a-zA-Z0-9\\\\-]+\\\\.)+(xn--[a-z0-9]+|[A-Za-z]+)|\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{0,3})[.,:\\\\w@?^=%&\\\\/~+#-]*[\\\\w@?^=%&\\\\/~+#-])\";\nlet SecurityEvents = materialize(SecurityAlert\n | where TimeGenerated >= ago(dt_lookBack)\n | extend MSTI = case(AlertName has \"TI map\" and VendorName == \"Microsoft\" and ProductName == 'Azure Sentinel', true, false)\n | where MSTI == false\n // Extract URL from JSON data\n | mv-expand parse_json(Entities)\n | where isnotempty(Entities.Url) or isnotempty(Entities.Urls)\n | extend Url = coalesce(Entities.Url, Entities.Urls)\n | mv-expand Url\n | extend Url = tolower(Url)\n // Extract hostname from JSON data for entity mapping\n | extend Compromised_Host = tostring(parse_json(ExtendedProperties).[\"Compromised Host\"])\n | extend Alert_TimeGenerated = TimeGenerated);\nlet EventUrls = materialize(SecurityEvents | distinct Url | summarize make_list(Url));\nThreatIntelligenceIndicator\n| where isnotempty(Url)\n| where TimeGenerated >= ago(ioc_lookBack)\n| extend Url = tolower(Url)\n| where tolower(Url) in (EventUrls)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| where Description !contains_cs \"State: inactive;\" and Description !contains_cs \"State: falsepos;\" \n// using innerunique to keep perf fast and result 
set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (SecurityEvents) on Url\n| where Alert_TimeGenerated < ExpirationDateTime\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\n| project timestamp = Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -5828,28 +7100,34 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "PaloAltoNetworks", "dataTypes": [ - "CommonSecurityLog" - ] + "SecurityAlert" + ], + "connectorId": "MicrosoftCloudAppSecurity" + }, + { + "dataTypes": [ + "SecurityAlert" + ], + "connectorId": "AzureSecurityCenter" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -5861,16 +7139,7 @@ "fieldMappings": [ { "identifier": "HostName", - "columnName": "DeviceName" - } - ] - }, - { - "entityType": "IP", - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "SourceIP" + "columnName": "Compromised_Host" } ] }, @@ -5879,7 +7148,7 @@ "fieldMappings": [ { "identifier": "Url", - "columnName": "PA_Url" + "columnName": "Url" } ] } 
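Review bot: `let URLRegex = ...` at the top of the new SecurityAlert query is never referenced — the URL values come from `Entities.Url` / `Entities.Urls` — so the long escaped pattern is dead code in the template and should be removed, or applied if it was meant to validate the expanded values. The `MSTI` exclusion (`AlertName has "TI map" and VendorName == "Microsoft" and ProductName == 'Azure Sentinel'`) appears to be the only thing preventing this rule from matching on alerts raised by the TI map rules themselves; a comment such as `// Skip alerts produced by Sentinel's own TI map rules to avoid self-matching` would keep that intent from being lost in a future edit. `Url = tolower(Url)` is applied to a dynamic value after `mv-expand`; writing it as `tolower(tostring(Url))` makes the string type explicit before it is compared with the TI `Url` column.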
@@ -5889,13 +7158,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId31'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject40').analyticRuleId40,'/'))))]", "properties": { - "description": "Threat Intelligence Analytics Rule 31", - "parentId": "[variables('analyticRuleId31')]", - "contentId": "[variables('_analyticRulecontentId31')]", + "description": "Threat Intelligence Analytics Rule 40", + "parentId": "[variables('analyticRuleObject40').analyticRuleId40]", + "contentId": "[variables('analyticRuleObject40')._analyticRulecontentId40]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion31')]", + "version": "[variables('analyticRuleObject40').analyticRuleVersion40]", "source": { "kind": "Solution", "name": "Threat Intelligence", 
@@ -5920,41 +7189,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId31')]", + "contentId": "[variables('analyticRuleObject40')._analyticRulecontentId40]", "contentKind": "AnalyticsRule", - "displayName": "TI Map URL Entity to PaloAlto Data", - "contentProductId": "[variables('_analyticRulecontentProductId31')]", - "id": "[variables('_analyticRulecontentProductId31')]", - "version": "[variables('analyticRuleVersion31')]" + "displayName": "TI Map URL Entity to SecurityAlert Data", + "contentProductId": "[variables('analyticRuleObject40')._analyticRulecontentProductId40]", + "id": "[variables('analyticRuleObject40')._analyticRulecontentProductId40]", + "version": "[variables('analyticRuleObject40').analyticRuleVersion40]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName32')]", + "name": "[variables('analyticRuleObject41').analyticRuleTemplateSpecName41]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_SecurityAlerts_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "URLEntity_Syslog_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion32')]", + "contentVersion": "[variables('analyticRuleObject41').analyticRuleVersion41]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId32')]", + 
"name": "[variables('analyticRuleObject41')._analyticRulecontentId41]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in SecurityAlert data.", - "displayName": "TI Map URL Entity to SecurityAlert Data", + "description": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in Syslog data.", + "displayName": "TI Map URL Entity to Syslog Data", "enabled": false, - "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet URLRegex = \"((https?|ftp|ldap|wss?|file):\\\\/\\\\/(([\\\\:\\\\%\\\\w\\\\_\\\\-]+(\\\\.|@))*((xn--)?[a-zA-Z0-9\\\\-]+\\\\.)+(xn--[a-z0-9]+|[A-Za-z]+)|\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{0,3})[.,:\\\\w@?^=%&\\\\/~+#-]*[\\\\w@?^=%&\\\\/~+#-])\";\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(Url)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\nSecurityAlert\n| where TimeGenerated >= ago(dt_lookBack)\n| extend MSTI = case(AlertName has \"TI map\" and VendorName == \"Microsoft\" and ProductName == 'Azure Sentinel', true, false)\n| where MSTI == false\n// Extract URL from JSON data\n| extend Url = todynamic(dynamic_to_json(extract_all(URLRegex, dynamic([1]), Entities))) \n| mv-expand Url\n| extend Url = tostring(Url[0])\n// We only want alerts that actually contain URL data\n| where isnotempty(Url)\n// Extract hostname from JSON data for entity mapping\n| extend Compromised_Host = 
tostring(parse_json(ExtendedProperties).[\"Compromised Host\"])\n| extend Alert_TimeGenerated = TimeGenerated\n) on Url\n| where Alert_TimeGenerated < ExpirationDateTime\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\n| project timestamp = Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host\n", + "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(Url)\n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n Syslog\n | where TimeGenerated >= ago(dt_lookBack)\n // Extract URL from the Syslog message but only take messages that include URLs\n | extend Url = extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\", 1,SyslogMessage)\n | where isnotempty(Url)\n | extend Syslog_TimeGenerated = TimeGenerated\n) on Url\n| where Syslog_TimeGenerated < ExpirationDateTime\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, Url\n| project timestamp = Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, Url, HostIP\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", 
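Review bot: The URL regex in the Syslog query on the new side, `[$-_@.&+]`, is a character range from `$` (0x24) to `_` (0x5F) rather than the literal set `$`, `-`, `_`, so it also matches `'`, `;`, `<`, `>`, `=`, `?` and others, and the greedy `+` then carries trailing delimiters such as `>` or `;` into `Url`; because the join is an exact equality on `Url`, such events can never match an indicator. Move the dash to the end or escape it, e.g. `[$_@.&+-]`, or reuse the `URLRegex` definition the neighbouring SecurityAlert rule in this template already carries. This predates the renumbering the commit performs, and if mainTemplate.json is produced by the packaging tooling the fix belongs in the source analytic-rule YAML rather than here.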
@@ -5965,34 +7234,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftCloudAppSecurity", - "dataTypes": [ - "SecurityAlert" - ] - }, - { - "connectorId": "AzureSecurityCenter", "dataTypes": [ - "SecurityAlert" - ] + "Syslog" + ], + "connectorId": "Syslog" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -6004,7 +7267,16 @@ "fieldMappings": [ { "identifier": "HostName", - "columnName": "Compromised_Host" + "columnName": "Computer" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "HostIP" } ] }, 
@@ -6023,13 +7295,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId32'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject41').analyticRuleId41,'/'))))]", "properties": { - "description": "Threat Intelligence Analytics Rule 32", - "parentId": "[variables('analyticRuleId32')]", - "contentId": "[variables('_analyticRulecontentId32')]", + "description": "Threat Intelligence Analytics Rule 41", + "parentId": "[variables('analyticRuleObject41').analyticRuleId41]", + "contentId": "[variables('analyticRuleObject41')._analyticRulecontentId41]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion32')]", + "version": "[variables('analyticRuleObject41').analyticRuleVersion41]", "source": { "kind": "Solution", "name": "Threat Intelligence", 
@@ -6054,41 +7326,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId32')]", + "contentId": "[variables('analyticRuleObject41')._analyticRulecontentId41]", "contentKind": "AnalyticsRule", - "displayName": "TI Map URL Entity to SecurityAlert Data", - "contentProductId": "[variables('_analyticRulecontentProductId32')]", - "id": "[variables('_analyticRulecontentProductId32')]", - "version": "[variables('analyticRuleVersion32')]" + "displayName": "TI Map URL Entity to Syslog Data", + "contentProductId": "[variables('analyticRuleObject41')._analyticRulecontentProductId41]", + "id": "[variables('analyticRuleObject41')._analyticRulecontentProductId41]", + "version": "[variables('analyticRuleObject41').analyticRuleVersion41]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName33')]", + "name": "[variables('analyticRuleObject42').analyticRuleTemplateSpecName42]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_Syslog_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "URLEntity_UrlClickEvents_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion33')]", + "contentVersion": "[variables('analyticRuleObject42').analyticRuleVersion42]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId33')]", + 
"name": "[variables('analyticRuleObject42')._analyticRulecontentId42]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in Syslog data.", - "displayName": "TI Map URL Entity to Syslog Data", + "description": "This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in UrlClickEvents.", + "displayName": "TI Map URL Entity to UrlClickEvents", "enabled": false, - "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(Url)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n Syslog\n | where TimeGenerated >= ago(dt_lookBack)\n // Extract URL from the Syslog message but only take messages that include URLs\n | extend Url = extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\", 1,SyslogMessage)\n | where isnotempty(Url)\n | extend Syslog_TimeGenerated = TimeGenerated\n) on Url\n| where Syslog_TimeGenerated < ExpirationDateTime\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, Url\n| project timestamp = Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, Url, HostIP\n", + "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet UrlClickEvents_ = materialize(UrlClickEvents\n | where TimeGenerated >= 
ago(dt_lookBack)\n | extend UrlClickEvents_TimeGenerated = TimeGenerated);\nlet ChainReportID = UrlClickEvents_\n | mv-expand todynamic(UrlChain)\n | extend UrlChain = tolower(UrlChain)\n | project ReportId, Url, UrlChain;\n// Url is not always in UrlChain, so we need to check both\nlet ClickedUrls = \n (union isfuzzy=false (ChainReportID), (ChainReportID | project Url = UrlChain))\n | distinct Url\n | summarize make_list(Url);\nlet TI = materialize(ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | where isnotempty(Url) and tolower(Url) in (ClickedUrls)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | project-rename TI_Url = Url, TI_Type = Type\n );\n(union isfuzzy=false (TI | join kind=innerunique (ChainReportID) on $left.TI_Url == $right.UrlChain),\n (TI | join kind=innerunique (ChainReportID) on $left.TI_Url == $right.Url))\n| project-away UrlChain\n| join kind=innerunique (UrlClickEvents_) on ReportId\n| where UrlClickEvents_TimeGenerated < ExpirationDateTime\n| summarize UrlClickEvents_TimeGenerated = arg_max(UrlClickEvents_TimeGenerated, *) by IndicatorId\n| project UrlClickEvents_TimeGenerated, AccountUpn, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, NetworkMessageId\n| extend timestamp = UrlClickEvents_TimeGenerated\n| extend timestamp = UrlClickEvents_TimeGenerated, Name = tostring(split(AccountUpn, '@', 0)[0]), UPNSuffix = tostring(split(AccountUpn, '@', 1)[0])\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", 
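Review bot: Case handling in the new UrlClickEvents query is inconsistent, so indicator matching silently depends on letter case: `ChainReportID` lowercases `UrlChain` but leaves `Url` as-is, the pre-filter compares `tolower(Url)` from the TI side against that mixed list, and the two joins then compare `TI_Url` (original case, it is only renamed by `project-rename`) against the lowercased `UrlChain` and the raw `Url`. An indicator containing any uppercase character can pass the pre-filter yet never match on the chain join. Normalise once on both sides, e.g. `| extend Url = tolower(Url), UrlChain = tolower(UrlChain)` in `ChainReportID` and `| extend Url = tolower(Url)` in the TI branch before the rename. Separately, the trailing `| extend timestamp = UrlClickEvents_TimeGenerated, Name = ..., UPNSuffix = ...` makes the preceding `| extend timestamp = UrlClickEvents_TimeGenerated` redundant and it can be dropped. If this template is generated, these edits belong in the source rule YAML.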
@@ -6099,28 +7371,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Syslog", "dataTypes": [ - "Syslog" - ] + "UrlClickEvents" + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -6128,20 +7400,15 @@ ], "entityMappings": [ { - "entityType": "Host", + "entityType": "Account", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "Computer" - } - ] - }, - { - "entityType": "IP", - "fieldMappings": [ + "identifier": "Name", + "columnName": "Name" + }, { - "identifier": "Address", - "columnName": "HostIP" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ] }, 
@@ -6160,13 +7427,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId33'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject42').analyticRuleId42,'/'))))]", "properties": { - "description": "Threat Intelligence Analytics Rule 33", - "parentId": "[variables('analyticRuleId33')]", - "contentId": "[variables('_analyticRulecontentId33')]", + "description": "Threat Intelligence Analytics Rule 42", + "parentId": "[variables('analyticRuleObject42').analyticRuleId42]", + "contentId": "[variables('analyticRuleObject42')._analyticRulecontentId42]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion33')]", + "version": "[variables('analyticRuleObject42').analyticRuleVersion42]", "source": { "kind": "Solution", "name": "Threat Intelligence", 
@@ -6191,33 +7458,33 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId33')]", + "contentId": "[variables('analyticRuleObject42')._analyticRulecontentId42]", "contentKind": "AnalyticsRule", - "displayName": "TI Map URL Entity to Syslog Data", - "contentProductId": "[variables('_analyticRulecontentProductId33')]", - "id": "[variables('_analyticRulecontentProductId33')]", - "version": "[variables('analyticRuleVersion33')]" + "displayName": "TI Map URL Entity to UrlClickEvents", + "contentProductId": "[variables('analyticRuleObject42')._analyticRulecontentProductId42]", + "id": "[variables('analyticRuleObject42')._analyticRulecontentProductId42]", + "version": "[variables('analyticRuleObject42').analyticRuleVersion42]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName34')]", + "name": "[variables('analyticRuleObject43').analyticRuleTemplateSpecName43]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_DuoSecurity_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "IPEntity_DuoSecurity_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion34')]", + "contentVersion": "[variables('analyticRuleObject43').analyticRuleVersion43]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId34')]", + "name": 
"[variables('analyticRuleObject43')._analyticRulecontentId43]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", 
@@ -6225,7 +7492,7 @@ "description": "This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in DuoSecurity.", "displayName": "TI Map IP Entity to Duo Security", "enabled": false, - "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n| join (\n DuoSecurityAuthentication_CL\n | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(access_device_ip_s)\n // renaming time column so it is clear the log this came from\n | extend Duo_TimeGenerated = isotimestamp_t\n)\non $left.TI_ipEntity == $right.access_device_ip_s\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated,\nTI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s\n| extend timestamp = Duo_TimeGenerated, Name = 
tostring(split(user_name_s, '@', 0)[0]), UPNSuffix = tostring(split(user_name_s, '@', 1)[0])\n", + "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n| where TimeGenerated >= ago(ioc_lookBack)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| join (\n DuoSecurityAuthentication_CL\n | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(access_device_ip_s)\n // renaming time column so it is clear the log this came from\n | extend Duo_TimeGenerated = isotimestamp_t\n)\non $left.TI_ipEntity == $right.access_device_ip_s\n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated,\nTI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s\n| extend timestamp = Duo_TimeGenerated, Name = tostring(split(user_name_s, '@', 0)[0]), 
UPNSuffix = tostring(split(user_name_s, '@', 1)[0])\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -6236,28 +7503,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "CiscoDuoSecurity", "dataTypes": [ "CiscoDuo" - ] + ], + "connectorId": "CiscoDuoSecurity" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ @@ -6292,13 +7559,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId34'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject43').analyticRuleId43,'/'))))]", "properties": { - "description": "Threat Intelligence Analytics Rule 34", - "parentId": "[variables('analyticRuleId34')]", - "contentId": "[variables('_analyticRulecontentId34')]", + "description": "Threat Intelligence Analytics Rule 43", + "parentId": "[variables('analyticRuleObject43').analyticRuleId43]", + "contentId": "[variables('analyticRuleObject43')._analyticRulecontentId43]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion34')]", + "version": "[variables('analyticRuleObject43').analyticRuleVersion43]", "source": { "kind": "Solution", "name": "Threat Intelligence", 
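Review bot: The new Duo query repeats its indicator filtering after the join: `| where TimeGenerated >= ago(ioc_lookBack)`, `| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId` and `| where Active == true and ExpirationDateTime > now()` all appear once before `| join (` and again after `on $left.TI_ipEntity == $right.access_device_ip_s`, and since `TimeGenerated` after the join still refers to the indicator-side column the second copy is dead work rather than a guard on the Duo rows. Drop the three repeated lines after the join. What the query does lack, unlike the URL rules elsewhere in this template, is a check that the authentication happened before the indicator expired; add `| where Duo_TimeGenerated < ExpirationDateTime` after the join. If mainTemplate.json is regenerated by the packaging tooling, make these changes in the source analytic-rule YAML.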
@@ -6323,33 +7590,33 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId34')]", + "contentId": "[variables('analyticRuleObject43')._analyticRulecontentId43]", "contentKind": "AnalyticsRule", "displayName": "TI Map IP Entity to Duo Security", - "contentProductId": "[variables('_analyticRulecontentProductId34')]", - "id": "[variables('_analyticRulecontentProductId34')]", - "version": "[variables('analyticRuleVersion34')]" + "contentProductId": "[variables('analyticRuleObject43')._analyticRulecontentProductId43]", + "id": "[variables('analyticRuleObject43')._analyticRulecontentProductId43]", + "version": "[variables('analyticRuleObject43').analyticRuleVersion43]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName35')]", + "name": "[variables('analyticRuleObject44').analyticRuleTemplateSpecName44]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "imDns_DomainEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "imDns_DomainEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion35')]", + "contentVersion": "[variables('analyticRuleObject44').analyticRuleVersion44]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId35')]", + "name": 
"[variables('analyticRuleObject44')._analyticRulecontentId44]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", 
@@ -6357,7 +7624,7 @@ "description": "Identifies a match in DNS events from any Domain IOC from TI\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema'", "displayName": "TI map Domain entity to Dns Events (ASIM DNS Schema)", "enabled": false, - "query": "let HAS_ANY_MAX = 10000;\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet DomainTIs= ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n // Picking up only IOC's that contain the entities we want\n | where isnotempty(DomainName)\n | where Active == true\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId;\nlet Domains = DomainTIs | where isnotempty(DomainName) |summarize NDomains=dcount(DomainName), DomainsList=make_set(DomainName) \n | project DomainList = iff(NDomains > HAS_ANY_MAX, dynamic([]), DomainsList) ;\nDomainTIs\n | join (\n _Im_Dns(starttime=ago(dt_lookBack), domain_has_any=toscalar(Domains))\n | extend DNS_TimeGenerated = TimeGenerated\n) on $left.DomainName==$right.DnsQuery\n| where DNS_TimeGenerated < ExpirationDateTime\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url\n", + "query": "let HAS_ANY_MAX = 10000;\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet DomainTIs= ThreatIntelligenceIndicator\n // Picking up only IOC's that contain the entities we want\n | where isnotempty(DomainName)\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now();\nlet Domains = DomainTIs | where isnotempty(DomainName) |summarize NDomains=dcount(DomainName), 
DomainsList=make_set(DomainName) \n | project DomainList = iff(NDomains > HAS_ANY_MAX, dynamic([]), DomainsList) ;\nDomainTIs\n | join (\n _Im_Dns(starttime=ago(dt_lookBack), domain_has_any=toscalar(Domains))\n | extend DNS_TimeGenerated = TimeGenerated\n) on $left.DomainName==$right.DnsQuery\n| where DNS_TimeGenerated < ExpirationDateTime\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", 
@@ -6368,70 +7635,70 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "DNS", "dataTypes": [ "DnsEvents" - ] + ], + "connectorId": "DNS" }, { - "connectorId": "AzureFirewall", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureFirewall" }, { - "connectorId": "Zscaler", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Zscaler" }, { - "connectorId": "InfobloxNIOS", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "InfobloxNIOS" }, { - "connectorId": "GCPDNSDataConnector", "dataTypes": [ "GCP_DNS_CL" - ] + ], + "connectorId": "GCPDNSDataConnector" }, { - "connectorId": "NXLogDnsLogs", "dataTypes": [ "NXLog_DNS_Server_CL" - ] + ], + "connectorId": "NXLogDnsLogs" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" }, { - "connectorId": "CiscoUmbrellaDataConnector", "dataTypes": [ "Cisco_Umbrella_dns_CL" - ] + ], + "connectorId": "CiscoUmbrellaDataConnector" }, { - "connectorId": "Corelight", "dataTypes": [ "Corelight_CL" - ] + ], + "connectorId": "Corelight" } ], "tactics": [ 
@@ -6467,30 +7734,30 @@ } ], "customDetails": { - "DnsQuery": "DnsQuery", "IndicatorId": "IndicatorId", + "ConfidenceScore": "ConfidenceScore", + "QueryType": "DnsQueryType", "Description": "Description", - "ThreatType": "ThreatType", "ActivityGroupNames": "ActivityGroupNames", + "ThreatType": "ThreatType", + "DnsQuery": "DnsQuery", "DNSRequestTime": "DNS_TimeGenerated", - "QueryType": "DnsQueryType", + "ExpirationDateTime": "ExpirationDateTime", "SourceIPAddress": "SrcIpAddr", - "ConfidenceScore": "ConfidenceScore", - "LatestIndicatorTime": "LatestIndicatorTime", - "ExpirationDateTime": "ExpirationDateTime" + "LatestIndicatorTime": "LatestIndicatorTime" } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId35'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject44').analyticRuleId44,'/'))))]", "properties": { - "description": "Threat Intelligence Analytics Rule 35", - "parentId": "[variables('analyticRuleId35')]", - "contentId": "[variables('_analyticRulecontentId35')]", + "description": "Threat Intelligence Analytics Rule 44", + "parentId": "[variables('analyticRuleObject44').analyticRuleId44]", + "contentId": "[variables('analyticRuleObject44')._analyticRulecontentId44]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion35')]", + "version": "[variables('analyticRuleObject44').analyticRuleVersion44]", "source": { "kind": "Solution", "name": "Threat Intelligence", 
@@ -6515,41 +7782,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId35')]", + "contentId": "[variables('analyticRuleObject44')._analyticRulecontentId44]", "contentKind": "AnalyticsRule", "displayName": "TI map Domain entity to Dns Events (ASIM DNS Schema)", - "contentProductId": "[variables('_analyticRulecontentProductId35')]", - "id": "[variables('_analyticRulecontentProductId35')]", - "version": "[variables('analyticRuleVersion35')]" + "contentProductId": "[variables('analyticRuleObject44')._analyticRulecontentProductId44]", + "id": "[variables('analyticRuleObject44')._analyticRulecontentProductId44]", + "version": "[variables('analyticRuleObject44').analyticRuleVersion44]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName36')]", + "name": "[variables('analyticRuleObject45').analyticRuleTemplateSpecName45]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "imDns_IPEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "imDns_IPEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion36')]", + "contentVersion": "[variables('analyticRuleObject45').analyticRuleVersion45]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId36')]", + "name": 
"[variables('analyticRuleObject45')._analyticRulecontentId45]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This rule identifies DNS requests for which response IP address is a known IoC.

\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema.", + "description": "This rule identifies DNS requests for which response IP address is a known IoC. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema.", "displayName": "TI map IP entity to DNS Events (ASIM DNS schema)", "enabled": false, - "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet IP_TI = \nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n| extend IoC = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\"NO_IP\")\n| where IoC != \"NO_IP\"\n;\nIP_TI\n| join kind=innerunique // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n(\n_Im_Dns(starttime=ago(dt_lookBack))\n| where isnotempty(DnsResponseName)\n| summarize imDns_mintime=min(TimeGenerated), imDns_maxtime=max(TimeGenerated) by SrcIpAddr, DnsQuery, DnsResponseName, Dvc, EventProduct, EventVendor\n| extend addresses = extract_all (@'(\\d+\\.\\d+\\.\\d+\\.\\d+)', DnsResponseName)\n| mv-expand IoC = addresses to typeof(string)\n)\non IoC\n| where imDns_mintime < ExpirationDateTime\n| project imDns_mintime, imDns_maxtime, Description, ActivityGroupNames, IndicatorId, ThreatType, LatestIndicatorTime, ExpirationDateTime, ConfidenceScore, SrcIpAddr, IoC, Dvc, EventVendor, EventProduct, DnsQuery, DnsResponseName\n", + "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet IP_TI = \nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack)\n| extend IoC = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\"NO_IP\")\n| where IoC != \"NO_IP\"\n| summarize 
LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now();\nIP_TI\n| join kind=innerunique // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n(\n_Im_Dns(starttime=ago(dt_lookBack))\n| where isnotempty(DnsResponseName)\n| summarize imDns_mintime=min(TimeGenerated), imDns_maxtime=max(TimeGenerated) by SrcIpAddr, DnsQuery, DnsResponseName, Dvc, EventProduct, EventVendor\n| extend addresses = extract_all (@'(\\d+\\.\\d+\\.\\d+\\.\\d+)', DnsResponseName)\n| mv-expand IoC = addresses to typeof(string)\n)\non IoC\n| where imDns_mintime < ExpirationDateTime\n| project imDns_mintime, imDns_maxtime, Description, ActivityGroupNames, IndicatorId, ThreatType, LatestIndicatorTime, ExpirationDateTime, ConfidenceScore, SrcIpAddr, IoC, Dvc, EventVendor, EventProduct, DnsQuery, DnsResponseName\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", 
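Review bot: The address extraction on the DNS side of the new query, `extract_all (@'(\d+\.\d+\.\d+\.\d+)', DnsResponseName)`, only yields IPv4 literals, so an IPv6 value in `NetworkIP`/`NetworkDestinationIP`/`NetworkSourceIP` can never match, and the unbounded `\d+` groups also accept non-address digit runs such as `999.1.1.1`. This predates the commit, but the reordered `IP_TI` pipeline is now where a reader looks for the match contract, so if IPv6 coverage is out of scope a comment on that line such as `// IPv4 literals only; IPv6 answers are not matched` would make the gap explicit. Applying `Active == true and ExpirationDateTime > now()` after the per-`IndicatorId` `arg_max` is the right order, since it evaluates the latest revision of each indicator rather than an older revision that happened to be unexpired. The rule's `properties` object continues past the end of this hunk.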
@@ -6560,70 +7827,70 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "DNS", "dataTypes": [ "DnsEvents" - ] + ], + "connectorId": "DNS" }, { - "connectorId": "AzureFirewall", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureFirewall" }, { - "connectorId": "Zscaler", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Zscaler" }, { - "connectorId": "InfobloxNIOS", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "InfobloxNIOS" }, { - "connectorId": "GCPDNSDataConnector", "dataTypes": [ "GCP_DNS_CL" - ] + ], + "connectorId": "GCPDNSDataConnector" }, { - "connectorId": "NXLogDnsLogs", "dataTypes": [ "NXLog_DNS_Server_CL" - ] + ], + "connectorId": "NXLogDnsLogs" }, { - "connectorId": "CiscoUmbrellaDataConnector", "dataTypes": [ "Cisco_Umbrella_dns_CL" - ] + ], + "connectorId": "CiscoUmbrellaDataConnector" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" }, { - "connectorId": "Corelight", "dataTypes": [ "Corelight_CL" - ] + ], + "connectorId": "Corelight" } ], "tactics": [ 
@@ -6659,33 +7926,33 @@ } ], "customDetails": { - "DnsQuery": "DnsQuery", "IndicatorId": "IndicatorId", + "ConfidenceScore": "ConfidenceScore", "Description": "Description", - "ThreatType": "ThreatType", "ActivityGroupNames": "ActivityGroupNames", + "ThreatType": "ThreatType", + "DnsQuery": "DnsQuery", "DNSRequestTime": "imDns_mintime", + "ExpirationDateTime": "ExpirationDateTime", "SourceIPAddress": "SrcIpAddr", - "ConfidenceScore": "ConfidenceScore", - "LatestIndicatorTime": "LatestIndicatorTime", - "ExpirationDateTime": "ExpirationDateTime" + "LatestIndicatorTime": "LatestIndicatorTime" }, "alertDetailsOverride": { - "alertDisplayNameFormat": "The response {{IoC}} to DNS query matched an IoC", - "alertDescriptionFormat": "The response address {{IoC}} to a DNS query matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator." + "alertDescriptionFormat": "The response address {{IoC}} to a DNS query matched a known indicator of compromise of {{ThreatType}}. 
Consult the threat intelligence blade for more information on the indicator.", + "alertDisplayNameFormat": "The response {{IoC}} to DNS query matched an IoC" } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId36'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject45').analyticRuleId45,'/'))))]", "properties": { - "description": "Threat Intelligence Analytics Rule 36", - "parentId": "[variables('analyticRuleId36')]", - "contentId": "[variables('_analyticRulecontentId36')]", + "description": "Threat Intelligence Analytics Rule 45", + "parentId": "[variables('analyticRuleObject45').analyticRuleId45]", + "contentId": "[variables('analyticRuleObject45')._analyticRulecontentId45]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion36')]", + "version": "[variables('analyticRuleObject45').analyticRuleVersion45]", "source": { "kind": "Solution", "name": "Threat Intelligence", 
@@ -6710,41 +7977,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId36')]", + "contentId": "[variables('analyticRuleObject45')._analyticRulecontentId45]", "contentKind": "AnalyticsRule", "displayName": "TI map IP entity to DNS Events (ASIM DNS schema)", - "contentProductId": "[variables('_analyticRulecontentProductId36')]", - "id": "[variables('_analyticRulecontentProductId36')]", - "version": "[variables('analyticRuleVersion36')]" + "contentProductId": "[variables('analyticRuleObject45')._analyticRulecontentProductId45]", + "id": "[variables('analyticRuleObject45')._analyticRulecontentProductId45]", + "version": "[variables('analyticRuleObject45').analyticRuleVersion45]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName37')]", + "name": "[variables('analyticRuleObject46').analyticRuleTemplateSpecName46]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_imNetworkSession_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "IPEntity_imNetworkSession_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion37')]", + "contentVersion": "[variables('analyticRuleObject46').analyticRuleVersion46]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId37')]", + "name": 
"[variables('analyticRuleObject46')._analyticRulecontentId46]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This rule identifies a match Network Sessions for which the source or destination IP address is a known IoC.

\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema", + "description": "This rule identifies a match Network Sessions for which the source or destination IP address is a known IoC. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema", "displayName": "TI map IP entity to Network Session Events (ASIM Network Session schema)", "enabled": false, - "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet IP_TI = materialize (\n ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true\n | extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\"NO_IP\")\n | where TI_ipEntity != \"NO_IP\"\n);\nIP_TI\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique \n(\n _Im_NetworkSession (starttime=ago(dt_lookBack))\n | where isnotempty(SrcIpAddr)\n | summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated) by SrcIpAddr, DstIpAddr, Dvc, EventProduct, EventVendor \n | lookup (IP_TI | project TI_ipEntity, Active) on $left.SrcIpAddr == $right.TI_ipEntity\n | project-rename SrcMatch = Active\n | lookup (IP_TI | project TI_ipEntity, Active) on $left.DstIpAddr == $right.TI_ipEntity\n | project-rename DstMatch = Active\n | where SrcMatch or DstMatch\n | extend \n IoCIP = iff(SrcMatch, SrcIpAddr, DstIpAddr),\n IoCDirection = iff(SrcMatch, \"Source\", \"Destination\")\n)on $left.TI_ipEntity == $right.IoCIP\n| where imNWS_mintime < ExpirationDateTime\n| project imNWS_mintime, imNWS_maxtime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, 
ConfidenceScore, SrcIpAddr, DstIpAddr, IoCDirection, IoCIP, Dvc, EventVendor, EventProduct\n", + "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet IP_TI = materialize (\n ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\"NO_IP\")\n | where TI_ipEntity != \"NO_IP\"\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n);\nIP_TI\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique \n(\n _Im_NetworkSession (starttime=ago(dt_lookBack))\n | where isnotempty(SrcIpAddr)\n | summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated) by SrcIpAddr, DstIpAddr, Dvc, EventProduct, EventVendor \n | lookup (IP_TI | project TI_ipEntity, Active) on $left.SrcIpAddr == $right.TI_ipEntity\n | project-rename SrcMatch = Active\n | lookup (IP_TI | project TI_ipEntity, Active) on $left.DstIpAddr == $right.TI_ipEntity\n | project-rename DstMatch = Active\n | where SrcMatch or DstMatch\n | extend \n IoCIP = iff(SrcMatch, SrcIpAddr, DstIpAddr),\n IoCDirection = iff(SrcMatch, \"Source\", \"Destination\")\n)on $left.TI_ipEntity == $right.IoCIP\n| where imNWS_mintime < ExpirationDateTime\n| project imNWS_mintime, imNWS_maxtime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SrcIpAddr, DstIpAddr, IoCDirection, IoCIP, Dvc, EventVendor, EventProduct\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", 
@@ -6755,107 +8022,113 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AWSS3", "dataTypes": [ "AWSVPCFlow" - ] + ], + "connectorId": "AWSS3" }, { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceNetworkEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsForwardedEvents", "dataTypes": [ "WindowsEvent" - ] + ], + "connectorId": "WindowsForwardedEvents" }, { - "connectorId": "Zscaler", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Zscaler" }, { - "connectorId": "MicrosoftSysmonForLinux", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "MicrosoftSysmonForLinux" }, { - "connectorId": "PaloAltoNetworks", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "PaloAltoNetworks" }, { - "connectorId": "AzureMonitor(VMInsights)", "dataTypes": [ "VMConnection" - ] + ], + "connectorId": "AzureMonitor(VMInsights)" }, { - "connectorId": "AzureFirewall", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureFirewall" }, { - "connectorId": "AzureNSG", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureNSG" }, { - "connectorId": "CiscoASA", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CiscoASA" }, { - "connectorId": "Corelight", "dataTypes": [ "Corelight_CL" - ] + ], + "connectorId": "Corelight" }, { - "connectorId": "AIVectraStream", "dataTypes": [ "VectraStream" - ] + ], + "connectorId": "AIVectraStream" }, { - "connectorId": "CheckPoint", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CheckPoint" }, { - "connectorId": "Fortinet", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Fortinet" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" }, { - "connectorId": 
"CiscoMeraki", "dataTypes": [ "Syslog", "CiscoMerakiNativePoller" - ] + ], + "connectorId": "CiscoMeraki" + }, + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligenceTaxii" } ], "tactics": [ 
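Review bot: The added `requiredDataConnectors` entry brings in `ThreatIntelligenceTaxii` alongside the existing `MicrosoftDefenderThreatIntelligence`, but this rule still lists no `ThreatIntelligence` connector, whereas every other rule in this diff that queries `ThreatIntelligenceIndicator` lists all three. If that omission is not deliberate, add a third entry `{ "dataTypes": [ "ThreatIntelligenceIndicator" ], "connectorId": "ThreatIntelligence" }` so the rule is surfaced for workspaces fed only by the platform TI connector. The `requiredDataConnectors` array opens at the top of this hunk, but the enclosing rule template continues outside it.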
@@ -6874,31 +8147,31 @@ ], "customDetails": { "IndicatorId": "IndicatorId", - "IoCConfidenceScore": "ConfidenceScore", - "IoCDescription": "Description", + "IoCIPDirection": "IoCDirection", "IoCExpirationTime": "ExpirationDateTime", - "EventEndTime": "imNWS_maxtime", + "IoCDescription": "Description", "ActivityGroupNames": "ActivityGroupNames", "ThreatType": "ThreatType", - "IoCIPDirection": "IoCDirection", - "EventStartTime": "imNWS_mintime" + "EventStartTime": "imNWS_mintime", + "IoCConfidenceScore": "ConfidenceScore", + "EventEndTime": "imNWS_maxtime" }, "alertDetailsOverride": { - "alertDisplayNameFormat": "A network session {{IoCDirection}} address {{IoCIP}} matched an IoC.", - "alertDescriptionFormat": "The {{IoCDirection}} address {{IoCIP}} of a network session matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator." + "alertDescriptionFormat": "The {{IoCDirection}} address {{IoCIP}} of a network session matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.", + "alertDisplayNameFormat": "A network session {{IoCDirection}} address {{IoCIP}} matched an IoC." 
} } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId37'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject46').analyticRuleId46,'/'))))]", "properties": { - "description": "Threat Intelligence Analytics Rule 37", - "parentId": "[variables('analyticRuleId37')]", - "contentId": "[variables('_analyticRulecontentId37')]", + "description": "Threat Intelligence Analytics Rule 46", + "parentId": "[variables('analyticRuleObject46').analyticRuleId46]", + "contentId": "[variables('analyticRuleObject46')._analyticRulecontentId46]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion37')]", + "version": "[variables('analyticRuleObject46').analyticRuleVersion46]", "source": { "kind": "Solution", "name": "Threat Intelligence", 
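Review bot: `alertDescriptionFormat` on the new side still reads `Consult the threat intelligence blead for more information on the indicator.`; `blead` should be `blade`, matching the wording of the DNS rule earlier in this diff. Because this string is rendered into every incident the rule raises, it is worth correcting in the source analytic rule YAML rather than only in this packaged template. The hunk only reorders the two `alertDetailsOverride` keys, so the typo is carried over from the old side rather than introduced here.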
@@ -6923,33 +8196,33 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId37')]", + "contentId": "[variables('analyticRuleObject46')._analyticRulecontentId46]", "contentKind": "AnalyticsRule", "displayName": "TI map IP entity to Network Session Events (ASIM Network Session schema)", - "contentProductId": "[variables('_analyticRulecontentProductId37')]", - "id": "[variables('_analyticRulecontentProductId37')]", - "version": "[variables('analyticRuleVersion37')]" + "contentProductId": "[variables('analyticRuleObject46')._analyticRulecontentProductId46]", + "id": "[variables('analyticRuleObject46')._analyticRulecontentProductId46]", + "version": "[variables('analyticRuleObject46').analyticRuleVersion46]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName38')]", + "name": "[variables('analyticRuleObject47').analyticRuleTemplateSpecName47]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Threat Intel Matches to GitHub Audit Logs_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "Threat Intel Matches to GitHub Audit Logs_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion38')]", + "contentVersion": "[variables('analyticRuleObject47').analyticRuleVersion47]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": 
"[variables('analyticRulecontentId38')]", + "name": "[variables('analyticRuleObject47')._analyticRulecontentId47]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", 
@@ -6957,9 +8230,9 @@ "description": "Identifies a match in GitHub_CL table from any IP IOC from TI", "displayName": "TI map IP entity to GitHub_CL", "enabled": false, - "query": "ThreatIntelligenceIndicator\n| where Action == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n| join (\n GitHubAudit\n | extend GitHubAudit_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.IPaddress\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor\n", + "query": "let dt_lookBack = 1h; // Look back 1 hour for VMConnection events\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\nThreatIntelligenceIndicator\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n| where Action == true\n| where TimeGenerated >= ago(ioc_lookBack)\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = 
iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| join (\n GitHubAudit\n | where TimeGenerated >= ago(dt_lookBack)\n | extend GitHubAudit_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.IPaddress\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor\n", "queryFrequency": "PT1H", - "queryPeriod": "P1D", + "queryPeriod": "P14D", "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, @@ -6968,22 +8241,22 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligence" }, { - "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "ThreatIntelligenceTaxii" }, { - "connectorId": "MicrosoftDefenderThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" - ] + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" } ], "tactics": [ 
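Review bot: The new query's opening comment, `let dt_lookBack = 1h; // Look back 1 hour for VMConnection events`, names the wrong table; this rule joins `GitHubAudit`, so it should read `// Look back 1 hour for GitHubAudit events`. The query also keeps `| where Action == true` on `ThreatIntelligenceIndicator` ahead of the newly added `| where Active == true and ExpirationDateTime > now()`; the sibling rules in this diff filter only on `Active`, and `Action` appears to be a distinct column from `Active` (and presumably collides with the `Action` column of `GitHubAudit` that the final `project` carries), so confirm the `Action` predicate is intended rather than a leftover. Widening `queryPeriod` to `P14D` is consistent with the new `ioc_lookBack = 14d`.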
@@ -7014,13 +8287,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId38'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject47').analyticRuleId47,'/'))))]", "properties": { - "description": "Threat Intelligence Analytics Rule 38", - "parentId": "[variables('analyticRuleId38')]", - "contentId": "[variables('_analyticRulecontentId38')]", + "description": "Threat Intelligence Analytics Rule 47", + "parentId": "[variables('analyticRuleObject47').analyticRuleId47]", + "contentId": "[variables('analyticRuleObject47')._analyticRulecontentId47]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion38')]", + "version": "[variables('analyticRuleObject47').analyticRuleVersion47]", "source": { "kind": "Solution", "name": "Threat Intelligence", @@ -7045,12 +8318,12 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId38')]", + "contentId": "[variables('analyticRuleObject47')._analyticRulecontentId47]", "contentKind": "AnalyticsRule", "displayName": "TI map IP entity to GitHub_CL", - "contentProductId": "[variables('_analyticRulecontentProductId38')]", - "id": "[variables('_analyticRulecontentProductId38')]", - "version": "[variables('analyticRuleVersion38')]" + "contentProductId": "[variables('analyticRuleObject47')._analyticRulecontentProductId47]", + "id": "[variables('analyticRuleObject47')._analyticRulecontentProductId47]", + "version": "[variables('analyticRuleObject47').analyticRuleVersion47]" } }, { 
@@ -7058,12 +8331,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.1", + "version": "3.0.2", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Threat Intelligence", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Threat Intelligence solution contains data connectors for import of threat indicators into Microsoft Sentinel, analytic rules for matching TI data with event data, workbook, and hunting queries. Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc.

\n

Data Connectors: 4, Workbooks: 1, Analytic Rules: 38, Hunting Queries: 5

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Threat Intelligence solution contains data connectors for import of threat indicators into Microsoft Sentinel, analytic rules for matching TI data with event data, workbook, and hunting queries. Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc.

\n

Data Connectors: 4, Workbooks: 1, Analytic Rules: 47, Hunting Queries: 5

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", 
@@ -7115,218 +8388,263 @@ }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId1')]", - "version": "[variables('huntingQueryVersion1')]" + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", + "version": "[variables('huntingQueryObject1').huntingQueryVersion1]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId2')]", - "version": "[variables('huntingQueryVersion2')]" + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", + "version": "[variables('huntingQueryObject2').huntingQueryVersion2]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId3')]", - "version": "[variables('huntingQueryVersion3')]" + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", + "version": "[variables('huntingQueryObject3').huntingQueryVersion3]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId4')]", - "version": "[variables('huntingQueryVersion4')]" + "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", + "version": "[variables('huntingQueryObject4').huntingQueryVersion4]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId5')]", - "version": "[variables('huntingQueryVersion5')]" + "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", + "version": "[variables('huntingQueryObject5').huntingQueryVersion5]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "version": 
"[variables('analyticRuleObject3').analyticRuleVersion3]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId1')]", - "version": "[variables('analyticRuleVersion1')]" + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId2')]", - "version": "[variables('analyticRuleVersion2')]" + "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]", + "version": "[variables('analyticRuleObject11').analyticRuleVersion11]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId3')]", - "version": "[variables('analyticRuleVersion3')]" + "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]", + "version": 
"[variables('analyticRuleObject12').analyticRuleVersion12]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId4')]", - "version": "[variables('analyticRuleVersion4')]" + "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]", + "version": "[variables('analyticRuleObject13').analyticRuleVersion13]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId5')]", - "version": "[variables('analyticRuleVersion5')]" + "contentId": "[variables('analyticRuleObject14')._analyticRulecontentId14]", + "version": "[variables('analyticRuleObject14').analyticRuleVersion14]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId6')]", - "version": "[variables('analyticRuleVersion6')]" + "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]", + "version": "[variables('analyticRuleObject15').analyticRuleVersion15]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId7')]", - "version": "[variables('analyticRuleVersion7')]" + "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]", + "version": "[variables('analyticRuleObject16').analyticRuleVersion16]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId8')]", - "version": "[variables('analyticRuleVersion8')]" + "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]", + "version": "[variables('analyticRuleObject17').analyticRuleVersion17]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId9')]", - "version": "[variables('analyticRuleVersion9')]" + "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]", + "version": "[variables('analyticRuleObject18').analyticRuleVersion18]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId10')]", - "version": "[variables('analyticRuleVersion10')]" + "contentId": 
"[variables('analyticRuleObject19')._analyticRulecontentId19]", + "version": "[variables('analyticRuleObject19').analyticRuleVersion19]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId11')]", - "version": "[variables('analyticRuleVersion11')]" + "contentId": "[variables('analyticRuleObject20')._analyticRulecontentId20]", + "version": "[variables('analyticRuleObject20').analyticRuleVersion20]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId12')]", - "version": "[variables('analyticRuleVersion12')]" + "contentId": "[variables('analyticRuleObject21')._analyticRulecontentId21]", + "version": "[variables('analyticRuleObject21').analyticRuleVersion21]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId13')]", - "version": "[variables('analyticRuleVersion13')]" + "contentId": "[variables('analyticRuleObject22')._analyticRulecontentId22]", + "version": "[variables('analyticRuleObject22').analyticRuleVersion22]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId14')]", - "version": "[variables('analyticRuleVersion14')]" + "contentId": "[variables('analyticRuleObject23')._analyticRulecontentId23]", + "version": "[variables('analyticRuleObject23').analyticRuleVersion23]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId15')]", - "version": "[variables('analyticRuleVersion15')]" + "contentId": "[variables('analyticRuleObject24')._analyticRulecontentId24]", + "version": "[variables('analyticRuleObject24').analyticRuleVersion24]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId16')]", - "version": "[variables('analyticRuleVersion16')]" + "contentId": "[variables('analyticRuleObject25')._analyticRulecontentId25]", + "version": "[variables('analyticRuleObject25').analyticRuleVersion25]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId17')]", - "version": 
"[variables('analyticRuleVersion17')]" + "contentId": "[variables('analyticRuleObject26')._analyticRulecontentId26]", + "version": "[variables('analyticRuleObject26').analyticRuleVersion26]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId18')]", - "version": "[variables('analyticRuleVersion18')]" + "contentId": "[variables('analyticRuleObject27')._analyticRulecontentId27]", + "version": "[variables('analyticRuleObject27').analyticRuleVersion27]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId19')]", - "version": "[variables('analyticRuleVersion19')]" + "contentId": "[variables('analyticRuleObject28')._analyticRulecontentId28]", + "version": "[variables('analyticRuleObject28').analyticRuleVersion28]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId20')]", - "version": "[variables('analyticRuleVersion20')]" + "contentId": "[variables('analyticRuleObject29')._analyticRulecontentId29]", + "version": "[variables('analyticRuleObject29').analyticRuleVersion29]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId21')]", - "version": "[variables('analyticRuleVersion21')]" + "contentId": "[variables('analyticRuleObject30')._analyticRulecontentId30]", + "version": "[variables('analyticRuleObject30').analyticRuleVersion30]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId22')]", - "version": "[variables('analyticRuleVersion22')]" + "contentId": "[variables('analyticRuleObject31')._analyticRulecontentId31]", + "version": "[variables('analyticRuleObject31').analyticRuleVersion31]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId23')]", - "version": "[variables('analyticRuleVersion23')]" + "contentId": "[variables('analyticRuleObject32')._analyticRulecontentId32]", + "version": "[variables('analyticRuleObject32').analyticRuleVersion32]" }, { "kind": "AnalyticsRule", - "contentId": 
"[variables('analyticRulecontentId24')]", - "version": "[variables('analyticRuleVersion24')]" + "contentId": "[variables('analyticRuleObject33')._analyticRulecontentId33]", + "version": "[variables('analyticRuleObject33').analyticRuleVersion33]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId25')]", - "version": "[variables('analyticRuleVersion25')]" + "contentId": "[variables('analyticRuleObject34')._analyticRulecontentId34]", + "version": "[variables('analyticRuleObject34').analyticRuleVersion34]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId26')]", - "version": "[variables('analyticRuleVersion26')]" + "contentId": "[variables('analyticRuleObject35')._analyticRulecontentId35]", + "version": "[variables('analyticRuleObject35').analyticRuleVersion35]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId27')]", - "version": "[variables('analyticRuleVersion27')]" + "contentId": "[variables('analyticRuleObject36')._analyticRulecontentId36]", + "version": "[variables('analyticRuleObject36').analyticRuleVersion36]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId28')]", - "version": "[variables('analyticRuleVersion28')]" + "contentId": "[variables('analyticRuleObject37')._analyticRulecontentId37]", + "version": "[variables('analyticRuleObject37').analyticRuleVersion37]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId29')]", - "version": "[variables('analyticRuleVersion29')]" + "contentId": "[variables('analyticRuleObject38')._analyticRulecontentId38]", + "version": "[variables('analyticRuleObject38').analyticRuleVersion38]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId30')]", - "version": "[variables('analyticRuleVersion30')]" + "contentId": "[variables('analyticRuleObject39')._analyticRulecontentId39]", + "version": "[variables('analyticRuleObject39').analyticRuleVersion39]" }, { 
"kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId31')]", - "version": "[variables('analyticRuleVersion31')]" + "contentId": "[variables('analyticRuleObject40')._analyticRulecontentId40]", + "version": "[variables('analyticRuleObject40').analyticRuleVersion40]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId32')]", - "version": "[variables('analyticRuleVersion32')]" + "contentId": "[variables('analyticRuleObject41')._analyticRulecontentId41]", + "version": "[variables('analyticRuleObject41').analyticRuleVersion41]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId33')]", - "version": "[variables('analyticRuleVersion33')]" + "contentId": "[variables('analyticRuleObject42')._analyticRulecontentId42]", + "version": "[variables('analyticRuleObject42').analyticRuleVersion42]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId34')]", - "version": "[variables('analyticRuleVersion34')]" + "contentId": "[variables('analyticRuleObject43')._analyticRulecontentId43]", + "version": "[variables('analyticRuleObject43').analyticRuleVersion43]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId35')]", - "version": "[variables('analyticRuleVersion35')]" + "contentId": "[variables('analyticRuleObject44')._analyticRulecontentId44]", + "version": "[variables('analyticRuleObject44').analyticRuleVersion44]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId36')]", - "version": "[variables('analyticRuleVersion36')]" + "contentId": "[variables('analyticRuleObject45')._analyticRulecontentId45]", + "version": "[variables('analyticRuleObject45').analyticRuleVersion45]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId37')]", - "version": "[variables('analyticRuleVersion37')]" + "contentId": "[variables('analyticRuleObject46')._analyticRulecontentId46]", + "version": 
"[variables('analyticRuleObject46').analyticRuleVersion46]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId38')]", - "version": "[variables('analyticRuleVersion38')]" + "contentId": "[variables('analyticRuleObject47')._analyticRulecontentId47]", + "version": "[variables('analyticRuleObject47').analyticRuleVersion47]" } ] }, diff --git a/Solutions/Threat Intelligence/ReleaseNotes.md b/Solutions/Threat Intelligence/ReleaseNotes.md index 1f5d9220ca..ebeba0c112 100644 --- a/Solutions/Threat Intelligence/ReleaseNotes.md +++ b/Solutions/Threat Intelligence/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| -| 3.0.1 | 22-08-2023 | Removed (Preview) from Name field in **Analytic Rules** | +| 3.0.2 | 23-10-2023 | Updated KQL of analytic rules to improve performance in large datasets | +| 3.0.1 | 22-08-2023 | Removed (Preview) from Name field in **Analytical Rules** | | 3.0.0 | 14-08-2023 | Modified **Analytical Rule** (TI map Domain entity to SecurityAlert). Updated dynamic([1]) to dynamic([1,1]) so as to make result array of array consistent. | | | | Updated **Hunting Queries** to have descriptions that meet the 255 characters limit. | diff --git a/Solutions/Threat Intelligence/Workbooks/ThreatIntelligence.json b/Solutions/Threat Intelligence/Workbooks/ThreatIntelligence.json index 4c067fefee..de23a683ac 100644 --- a/Solutions/Threat Intelligence/Workbooks/ThreatIntelligence.json +++ b/Solutions/Threat Intelligence/Workbooks/ThreatIntelligence.json 
@@ -125,7 +125,7 @@ { "type": 1, "content": { - "json": "# [Threat Intelligence](https://docs.microsoft.com/azure/sentinel/understand-threat-intelligence)\n---\n\nWithin a Security Information and Event Management (SIEM) solution like Microsoft Sentinel, the most commonly used form of CTI is threat indicators, also known as Indicators of Compromise or IoCs. Threat indicators are data that associate observed artifacts such as URLs, file hashes, or IP addresses with known threat activity such as phishing, botnets, or malware. This form of threat intelligence is often called tactical threat intelligence because it can be applied to security products and automation in large scale to detect potential threats to an organization and protect against them. In Microsoft Sentinel, you can use threat indicators to help detect malicious activity observed in your environment and provide context to security investigators to help inform response decisions. [Video Demo](https://youtu.be/4Bet2oVODow)
\n" + "json": "# [Threat Intelligence](https://docs.microsoft.com/azure/sentinel/understand-threat-intelligence)\n---\n\nWithin a Security Information and Event Management (SIEM) solution like Microsoft Sentinel, the most commonly used form of CTI is threat indicators, also known as Indicators of Compromise or IoCs. Threat indicators are data that associate observed artifacts such as URLs, file hashes, or IP addresses with known threat activity such as phishing, botnets, or malware. This form of threat intelligence is often called tactical threat intelligence because it can be applied to security products and automation in large scale to detect potential threats to an organization and protect against them. In Microsoft Sentinel, you can use threat indicators to help detect malicious activity observed in your environment and provide context to security investigators to help inform response decisions. [Video Demo](https://youtu.be/4Bet2oVODow)\n" }, "conditionalVisibility": { "parameterName": "Help", diff --git a/Solutions/Windows Security Events/Analytic Rules/password_not_set.yaml b/Solutions/Windows Security Events/Analytic Rules/password_not_set.yaml index 986f04264a..66f70838cf 100644 --- a/Solutions/Windows Security Events/Analytic Rules/password_not_set.yaml +++ b/Solutions/Windows Security Events/Analytic Rules/password_not_set.yaml 
@@ -43,18 +43,25 @@ query: | | project-away TargetAccount1, TargetSid1 | extend Reason = @"User either has not yet attempted to set the initial password after account was enabled or it occurred after 48 hours" | order by Time_Event4722 asc - | extend timestamp = Time_Event4722, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer_4722 | project-reorder Time_Event4722, Time_Event4723, PasswordSetAttemptDelta_Min, TargetAccount, TargetSid + | extend HostName = tostring(split(Computer_4722, ".")[0]), DomainIndex = toint(indexof(Computer_4722, '.')) + | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer_4722, DomainIndex + 1), Computer_4722) + | extend AccountName = tostring(split(TargetAccount, "\\")[1]), AccountNTDomain = tostring(split(TargetAccount, "\\")[0]) + | project-away DomainIndex entityMappings: - entityType: Account fieldMappings: - - identifier: FullName - columnName: AccountCustomEntity + - identifier: Name + columnName: AccountName + - identifier: NTDomain + columnName: AccountNTDomain - identifier: Sid columnName: TargetSid - entityType: Host fieldMappings: - - identifier: FullName - columnName: HostCustomEntity -version: 1.0.1 + - identifier: HostName + columnName: HostName + - identifier: DnsDomain + columnName: HostNameDomain +version: 1.0.2 kind: Scheduled \ No newline at end of file diff --git a/Tools/Create-Azure-Sentinel-Solution/pipeline/createSolutionV4.ps1 b/Tools/Create-Azure-Sentinel-Solution/pipeline/createSolutionV4.ps1 index 5f9d14f6fb..1e5b388c6e 100644 --- a/Tools/Create-Azure-Sentinel-Solution/pipeline/createSolutionV4.ps1 +++ b/Tools/Create-Azure-Sentinel-Solution/pipeline/createSolutionV4.ps1 @@ -261,6 +261,7 @@ try Write-Host "Package Generated Successfully!!" # check if mainTemplate and createUiDefinition json files are valid or not + $solutionFolderBasePath = ($pipelineBasePath + "/" + "Solutions/" + $pipelineSolutionName).Replace("//", "/") CheckJsonIsValid($solutionFolderBasePath) } } 
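Review bot: The new `AccountName`/`AccountNTDomain` split assumes `TargetAccount` always contains a backslash; when it is a bare account name, `split(TargetAccount, "\\")[1]` is empty, so the Account entity's `Name` maps to an empty column and the whole account lands in `NTDomain`. The enclosing `query:` block starts outside the hunk, so I cannot see how `TargetAccount` is built; if a `DOMAIN\user` form is not guaranteed, guard it: `| extend AccountName = iff(TargetAccount contains "\\", tostring(split(TargetAccount, "\\")[1]), TargetAccount), AccountNTDomain = iff(TargetAccount contains "\\", tostring(split(TargetAccount, "\\")[0]), "")`. A related issue is `HostNameDomain`, which falls back to the full `Computer_4722` when there is no dot, so a flat host name is emitted as its own `DnsDomain` (identical to `HostName`); `""` as the fallback in the `iff` would be more accurate for the Host entity mapping.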
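Review bot: `$solutionFolderBasePath` is assembled by string concatenation followed by `.Replace("//", "/")`, which is a fragile way to normalise a path: it only repairs a doubled separator at the join and would also collapse any `//` that happens to appear elsewhere in `$pipelineBasePath`. `Join-Path -Path $pipelineBasePath -ChildPath "Solutions/$pipelineSolutionName"` builds the same path with the platform separator and no string surgery. The `try` block enclosing this line starts outside the hunk, so I cannot see where `$pipelineBasePath` and `$pipelineSolutionName` are assigned or whether they are validated before being passed to `CheckJsonIsValid`.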
diff --git a/Workbooks/Images/Preview/UserEntityBehaviorAnalyticsBlack2.png b/Workbooks/Images/Preview/UserEntityBehaviorAnalyticsBlack2.png new file mode 100644 index 0000000000..4ccaef8d58 Binary files /dev/null and b/Workbooks/Images/Preview/UserEntityBehaviorAnalyticsBlack2.png differ diff --git a/Workbooks/Images/Preview/UserEntityBehaviorAnalyticsWhite2.png b/Workbooks/Images/Preview/UserEntityBehaviorAnalyticsWhite2.png new file mode 100644 index 0000000000..0faa722fd0 Binary files /dev/null and b/Workbooks/Images/Preview/UserEntityBehaviorAnalyticsWhite2.png differ diff --git a/Workbooks/UserEntityBehaviorAnalytics.json b/Workbooks/UserEntityBehaviorAnalytics.json index 54e46f63ee..a60d21ca73 100644 --- a/Workbooks/UserEntityBehaviorAnalytics.json +++ b/Workbooks/UserEntityBehaviorAnalytics.json 
@@ -1,761 +1,3109 @@ { - "styleSettings": {}, - "fromTemplateId": "sentinel-UserAndEntityBehaviorAnalytics", - "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json", - "version": "Notebook/1.0", - "items": [ - { - "type": 1, - "content": { - "json": "# User and Entity Behavior Analytics\n---\n\nWelcome to the User and Entity Behavior Analytics workbook. The workbook provides a guided investigation\nfor entities based on open incidents, alerts and anomalies identified by the UEBA engine. " + "version": "Notebook/1.0", + "items": [ + { + "type": 1, + "content": { + "json": "# User and Entity Behavior Analytics\n---\n\nWelcome to the User and Entity Behavior Analytics workbook. The workbook provides a guided investigation\nfor entities based on open incidents, alerts and anomalies identified by the UEBA engine." + }, + "name": "Title Text" }, - "name": "text - 2" - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "parameters": [ - { - "id": "36cdaf52-4303-405d-ac9c-de2037db99c3", - "version": "KqlParameterItem/1.0", - "name": "TimeRange", - "label": "Time Range", - "type": 4, - "value": { - "durationMs": 2419200000 - }, - "typeSettings": { - "selectableValues": [ - { - "durationMs": 1800000 - }, - { - "durationMs": 3600000 - }, - { - "durationMs": 14400000 - }, - { - "durationMs": 43200000 - }, - { - "durationMs": 86400000 - }, - { - "durationMs": 172800000 - }, - { - "durationMs": 259200000 - }, - { - "durationMs": 604800000 - }, - { - "durationMs": 1209600000 - }, - { - "durationMs": 2419200000 - }, - { - "durationMs": 2592000000 - }, - { - "durationMs": 5184000000 - }, - { - "durationMs": 7776000000 - } - ] + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "36cdaf52-4303-405d-ac9c-de2037db99c3", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "label": "Time Range", + "type": 4, + "isRequired": true, + "typeSettings": { + 
"selectableValues": [ + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2592000000 + } + ], + "allowCustom": true + }, + "timeContext": { + "durationMs": 86400000 + }, + "value": { + "durationMs": 1209600000 + } }, - "timeContext": { - "durationMs": 86400000 + { + "id": "c4470c37-5a8a-4ecd-8ece-5e98db8e8a92", + "version": "KqlParameterItem/1.0", + "name": "Help", + "label": "Show Help", + "type": 10, + "description": "This will show some help information to help you understand the page you are on", + "isRequired": true, + "value": "Yes", + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[{ \"value\": \"Yes\", \"label\": \"Yes\"},\r\n {\"value\": \"No\", \"label\": \"No\", \"selected\":true }]" } - } - ], - "style": "pills", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "name": "parameters - 2" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "SecurityIncident\r\n| where TimeGenerated {TimeRange:query}\r\n| summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\r\n| where Status == \"New\" or Status == \"Active\"\r\n| summarize IncidentCount=count() \r\n| project \"Open Incidents\", IncidentCount", - "size": 4, - "timeContext": { - "durationMs": 2419200000 + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "tiles", - "tileSettings": { - "titleContent": { - "columnMatch": "Column1" - }, - "leftContent": { - "columnMatch": "IncidentCount", - "formatter": 12, - "formatOptions": { - "palette": "auto" - }, - "numberFormat": { - "unit": 0, - "options": { - "style": "decimal" - } - } - }, - "showBorder": false, - "size": "auto" - } 
+ "name": "TimeRangeParameterDefinition" }, - "customWidth": "10", - "name": "query - 16" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "let TotalAlertsCount = SecurityIncident\r\n| where TimeGenerated {TimeRange:query}\r\n| summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\r\n| where Status == \"New\" or Status == \"Active\"\r\n| mv-expand AlertIds\r\n| extend AlertId = tostring(AlertIds)\r\n| join kind= innerunique ( \r\nSecurityAlert | where TimeGenerated {TimeRange:query}) on $left.AlertId == $right.SystemAlertId\r\n| summarize hint.strategy = shuffle arg_max(TimeGenerated,*), NumberOfUpdates = count() by SystemAlertId\r\n| summarize AlertCount=count()\r\n| project \"Alert Count\",AlertCount;\r\nTotalAlertsCount\r\n", - "size": 4, - "timeContext": { - "durationMs": 2419200000 + { + "type": 1, + "content": { + "json": "See below how many incidents and alerts were created during the time range selected in the time range picker above. Likewise, you will see the number of Anomalies that were triggered. 
To learn more about Anomalies, please click [here](https://learn.microsoft.com/en-us/azure/sentinel/work-with-anomaly-rules).", + "style": "info" }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "tiles", - "tileSettings": { - "titleContent": { - "columnMatch": "Column1", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "AlertCount", - "formatter": 12, - "formatOptions": { - "palette": "auto" - } - }, - "showBorder": false, - "size": "auto" - } - }, - "customWidth": "10", - "name": "query - 18" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "let AnomalousSigninActivity = BehaviorAnalytics\r\n| where TimeGenerated {TimeRange:query}\r\n| where ActionType == \"Sign-in\"\r\n| where (UsersInsights.NewAccount == True or UsersInsights.DormantAccount == True) and (\r\n ActivityInsights.FirstTimeUserAccessedResource == True and ActivityInsights.ResourceUncommonlyAccessedAmongPeers == True\r\nor ActivityInsights.FirstTimeUserUsedApp == True and ActivityInsights.AppUncommonlyUsedAmongPeers == False)\r\n| join (\r\nSigninLogs | where TimeGenerated {TimeRange:query} | where Status.errorCode == 0 or Status.errorCode == 0 and RiskDetail != \"none\"\r\n) on $left.SourceRecordId == $right._ItemId\r\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\r\n| extend AnomalyName = \"Anomalous Successful Logon\",\r\n Tactic = \"Persistence\",\r\n Technique = \"Valid Accounts\",\r\n SubTechnique = \"\",\r\n Description = \"Successful Sign-in with one or more of the following indications: sign by new or recently dormant accounts and sign in with resource for the first time (while none of their peers did) or to an app for the first time 
(while none of their peers did) or performed by a user with Risk indicaiton from AAD\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights, ResourceDisplayName,AppDisplayName,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \r\nlet critical = dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3','c4e39bd9-1100-46d3-8c65-fb160da0071f','158c047a-c907-4556-b7ef-446551a6b5f7','62e90394-69f5-4237-9190-012177145e10','d29b2b05-8046-44ba-8758-1e26182fcf32','729827e3-9c14-49f7-bb1b-9608f156bbb8','966707d0-3269-4727-9be2-8c3a10f19b9d','194ae4cb-b126-40b2-bd5b-6091b380977d','fe930be7-5e62-47db-91af-98c3a49a38b1']);\r\nlet high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c','7495fdc4-34c4-4d15-a289-98788ce399fd','aaf43236-0c0d-4d5f-883a-6955382ac081','3edaf663-341e-4475-9f94-5c398ef6c070','7698a772-787b-4ac8-901f-60d6b08affd2','b1be1c3e-b65d-4f19-8427-f6fa0d97feb9','9f06204d-73c1-4d4c-880a-6edb90606fd8','29232cdf-9323-42fd-ade2-1d097af3e4de','be2f45a1-457d-42af-a067-6ec1fa63bc45','7be44c8a-adaf-4e2a-84d6-ab2649e08a13','e8611ab8-c189-46e8-94e1-60213ab1f814']);\r\nlet AnomalousRoleAssignment = AuditLogs\r\n| where TimeGenerated {TimeRange:query}\r\n| where OperationName == \"Add member to role\"\r\n| mv-expand TargetResources\r\n| extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\r\n| where isnotempty(RoleId) and RoleId in (critical,high)\r\n| extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\r\n| where isnotempty(RoleName)\r\n| extend TargetId = tostring(TargetResources.id)\r\n| extend Target = tostring(TargetResources.userPrincipalName)\r\n| join kind=inner ( BehaviorAnalytics\r\n | where TimeGenerated {TimeRange:query}\r\n | where ActionType == \"Add member to role\"\r\n | where UsersInsights.BlasrRadius == \"High\" or 
ActivityInsights.FirstTimeUserPerformedAction == true\r\n) on $left._ItemId == $right.SourceRecordId\r\n| extend AnomalyName = \"Anomalous Role Assignemt\",\r\n Tactic = \"Persistence\",\r\n Technique = \"Account Manipulation\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privilleged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing Add member to priveleged role, or ones that add users for the first time.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,RoleName,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority;let LogOns=materialize(\r\nBehaviorAnalytics\r\n| where TimeGenerated {TimeRange:query}\r\n| where ActivityType == \"LogOn\");\r\nlet AnomalousResourceAccess = LogOns\r\n| where ActionType == \"ResourceAccess\"\r\n| where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\r\n| extend AnomalyName = \"Anomalous Resource Access\",\r\n Tactic = \"Lateral Movement\",\r\n Technique = \"\",\r\n SubTechnique = \"\",\r\n Description = \"Adversary may be trying to move through the environment. APT29 and APT32, for example, has used PtH & PtT techniques to lateral move around the network. 
The query below generates an output of all users performing an resource access (4624:3) to devices for the first time.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousRDPActivity = LogOns\r\n| where ActionType == \"RemoteInteractiveLogon\"\r\n| where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\r\n| extend AnomalyName = \"Anomalous RDP Activity\",\r\n Tactic = \"Lateral Movement\",\r\n Technique = \"\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. FIN10, for example, has used RDP to move laterally to systems in the victim environment. The query below generates an output of all users performing a remote interactive logon (4624:10) to a device for the first time.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousLogintoDevices = LogOns\r\n| where ActionType == \"InteractiveLogon\"\r\n| where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\r\n| where UsersInsights.DormantAccount == true or DevicesInsights.LocalAdmin == true\r\n| extend AnomalyName = \"Anomalous Login To Devices\",\r\n Tactic = \"Privilege Escalation\",\r\n Technique = \"Valid Accounts\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process 
through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access and privilege escalation. The query below generates an output of all administator users performing an interactive logon (4624:2) to a device for the first time.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousPasswordReset = BehaviorAnalytics\r\n| where TimeGenerated {TimeRange:query}\r\n| where ActionType == \"Reset user password\"\r\n| where ActivityInsights.FirstTimeUserPerformedAction == \"True\"\r\n| join (\r\nAuditLogs\r\n | where TimeGenerated {TimeRange:query}\r\n | where OperationName == \"Reset user password\"\r\n) on $left.SourceRecordId == $right._ItemId\r\n| mv-expand TargetResources\r\n| extend Target = iff(tostring(TargetResources.userPrincipalName) contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(TargetResources.userPrincipalName, \"#\")[0])),TargetResources.userPrincipalName),tostring(TargetResources.userPrincipalName)\r\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\r\n| extend AnomalyName = \"Anomalous Password Reset\",\r\n Tactic = \"Impact\",\r\n Technique = \"Account Access Removal\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. 
LockerGoga, for example, has been observed changing account passwords and logging off current users. The query below generates an output of all users performing Reset user password for the first time.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority\r\n| sort by TimeGenerated desc;\r\nlet AnomalousGeoLocationLogon = BehaviorAnalytics\r\n| where TimeGenerated {TimeRange:query}\r\n| where ActionType == \"Sign-in\"\r\n| where ActivityInsights.FirstTimeUserConnectedFromCountry == True and (ActivityInsights.FirstTimeConnectionFromCountryObservedInTenant == True or ActivityInsights.CountryUncommonlyConnectedFromAmongPeers == True)\r\n| join (\r\nSigninLogs\r\n | where TimeGenerated {TimeRange:query}\r\n) on $left.SourceRecordId == $right._ItemId\r\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\r\n| extend AnomalyName = \"Anomalous Successful Logon\",\r\n Tactic = \"Initial Access\",\r\n Technique = \"Valid Accounts\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access. 
The query below generates an output of successful Sign-in performed by a user from a new geo location he has never connected from before, and none of his peers as well.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights, ResourceDisplayName,AppDisplayName ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousFailedLogon = BehaviorAnalytics\r\n| where TimeGenerated {TimeRange:query}\r\n| where ActivityType == \"LogOn\"\r\n| where UsersInsights.BlastRadius == \"High\"\r\n| join (\r\n SigninLogs \r\n | where TimeGenerated {TimeRange:query}\r\n | where Status.errorCode == 50126\r\n) on $left.SourceRecordId == $right._ItemId\r\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\r\n| extend AnomalyName = \"Anomalous Failed Logon\",\r\n Tactic = \"Credential Access\",\r\n Technique = \"Brute Force\",\r\n SubTechnique = \"Password Guessing\",\r\n Description = \"Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Emotet, for example, has been observed using a hard coded list of passwords to brute force user accounts. 
The query below generates an output of all users with 'High' BlastRadius that perform failed Sign-in:Invalid username or password.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights, ResourceDisplayName,AppDisplayName ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousAADAccountManipulation = AuditLogs\r\n| where TimeGenerated {TimeRange:query}\r\n| where OperationName == \"Update user\"\r\n| mv-expand AdditionalDetails\r\n| where AdditionalDetails.key == \"UserPrincipalName\"\r\n| mv-expand TargetResources\r\n| extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\r\n| where isnotempty(RoleId) and RoleId in (critical,high)\r\n| extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\r\n| where isnotempty(RoleName)\r\n| extend TargetId = tostring(TargetResources.id)\r\n| extend Target = iff(tostring(TargetResources.userPrincipalName) contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(TargetResources.userPrincipalName, \"#\")[0])),TargetResources.userPrincipalName),tostring(TargetResources.userPrincipalName)\r\n| join kind=inner ( \r\n BehaviorAnalytics\r\n | where TimeGenerated {TimeRange:query}\r\n | where ActionType == \"Update user\"\r\n | where UsersInsights.BlasrRadius == \"High\" or ActivityInsights.FirstTimeUserPerformedAction == true\r\n) on $left._ItemId == $right.SourceRecordId\r\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName) \r\n| extend AnomalyName = \"Anomalous Account Manipulation\",\r\n Tactic = \"Persistence\",\r\n Technique = \"Account Manipulation\",\r\n SubTechnique = 
\"\",\r\n Description = \"Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privilleged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing 'Update user' (name change) to priveleged role, or ones that changed users for the first time.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,RoleName,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; let AnomalousAADAccountCreation = BehaviorAnalytics\r\n| where TimeGenerated {TimeRange:query}\r\n| where ActionType == \"Add user\"\r\n| where ActivityInsights.FirstTimeUserPerformedAction == True or ActivityInsights.FirstTimeActionPerformedInTenant == True or ActivityInsights.ActionUncommonlyPerformedAmongPeers == true\r\n| join(\r\nAuditLogs\r\n | where TimeGenerated {TimeRange:query} \r\n | where OperationName == \"Add user\"\r\n) on $left.SourceRecordId == $right._ItemId\r\n| mv-expand TargetResources\r\n| extend Target = iff(tostring(TargetResources.userPrincipalName) contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(TargetResources.userPrincipalName, \"#\")[0])),TargetResources.userPrincipalName),tostring(TargetResources.userPrincipalName)\r\n| extend DisplayName = tostring(UsersInsights.AccountDisplayName),\r\nUserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\r\n| extend AnomalyName = \"Anomalous Account Creation\",\r\n Tactic = \"Persistence\",\r\n Technique = 
\"Create Account\",\r\n SubTechnique = \"Cloud Account\",\r\n Description = \"Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system. The query below generates an output of all the users performing user creation for the first time and the target users that were created.\"\t\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority\r\n| sort by TimeGenerated desc;\r\nlet AnomalyTable = union kind=outer AnomalousSigninActivity, AnomalousRoleAssignment, AnomalousResourceAccess, AnomalousRDPActivity, AnomalousPasswordReset, AnomalousLogintoDevices, AnomalousGeoLocationLogon, AnomalousAADAccountManipulation, AnomalousAADAccountCreation, AnomalousFailedLogon;\r\nAnomalyTable\r\n| summarize AnomaliesCount=count()\r\n| project \"Anomalies Count\", AnomaliesCount", - "size": 4, - "timeContext": { - "durationMs": 2419200000 + "conditionalVisibility": { + "parameterName": "Help", + "comparison": "isEqualTo", + "value": "Yes" }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "tiles", - "tileSettings": { - "titleContent": { - "columnMatch": "Column1", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "AnomaliesCount", - "formatter": 12, - "formatOptions": { - "palette": "auto" - }, - "numberFormat": { - "unit": 17, - "options": { - "maximumSignificantDigits": 3, - "maximumFractionDigits": 2 - } - } - }, - "showBorder": false, - "size": "auto" - } + "name": "General info help message" }, - "customWidth": "10", - 
"name": "query - 17", - "styleSettings": { - "margin": "12" - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "let AnomalousSigninActivity = BehaviorAnalytics\r\n| where TimeGenerated {TimeRange:query}\r\n| where ActionType == \"Sign-in\"\r\n| where (UsersInsights.NewAccount == True or UsersInsights.DormantAccount == True) and (\r\n ActivityInsights.FirstTimeUserAccessedResource == True and ActivityInsights.ResourceUncommonlyAccessedAmongPeers == True\r\nor ActivityInsights.FirstTimeUserUsedApp == True and ActivityInsights.AppUncommonlyUsedAmongPeers == False)\r\n| join (\r\nSigninLogs | where TimeGenerated {TimeRange:query} | where Status.errorCode == 0 or Status.errorCode == 0 and RiskDetail != \"none\"\r\n) on $left.SourceRecordId == $right._ItemId\r\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\r\n| extend AnomalyName = \"Anomalous Successful Logon\",\r\n Tactic = \"Persistence\",\r\n Technique = \"Valid Accounts\",\r\n SubTechnique = \"\",\r\n Description = \"Successful Sign-in with one or more of the following indications: sign by new or recently dormant accounts and sign in with resource for the first time (while none of their peers did) or to an app for the first time (while none of their peers did) or performed by a user with Risk indicaiton from AAD\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights, ResourceDisplayName,AppDisplayName,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \r\nlet critical = 
dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3','c4e39bd9-1100-46d3-8c65-fb160da0071f','158c047a-c907-4556-b7ef-446551a6b5f7','62e90394-69f5-4237-9190-012177145e10','d29b2b05-8046-44ba-8758-1e26182fcf32','729827e3-9c14-49f7-bb1b-9608f156bbb8','966707d0-3269-4727-9be2-8c3a10f19b9d','194ae4cb-b126-40b2-bd5b-6091b380977d','fe930be7-5e62-47db-91af-98c3a49a38b1']);\r\nlet high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c','7495fdc4-34c4-4d15-a289-98788ce399fd','aaf43236-0c0d-4d5f-883a-6955382ac081','3edaf663-341e-4475-9f94-5c398ef6c070','7698a772-787b-4ac8-901f-60d6b08affd2','b1be1c3e-b65d-4f19-8427-f6fa0d97feb9','9f06204d-73c1-4d4c-880a-6edb90606fd8','29232cdf-9323-42fd-ade2-1d097af3e4de','be2f45a1-457d-42af-a067-6ec1fa63bc45','7be44c8a-adaf-4e2a-84d6-ab2649e08a13','e8611ab8-c189-46e8-94e1-60213ab1f814']);\r\nlet AnomalousRoleAssignment = AuditLogs\r\n| where TimeGenerated {TimeRange:query}\r\n| where OperationName == \"Add member to role\"\r\n| mv-expand TargetResources\r\n| extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\r\n| where isnotempty(RoleId) and RoleId in (critical,high)\r\n| extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\r\n| where isnotempty(RoleName)\r\n| extend TargetId = tostring(TargetResources.id)\r\n| extend Target = tostring(TargetResources.userPrincipalName)\r\n| join kind=inner ( BehaviorAnalytics\r\n | where TimeGenerated {TimeRange:query}\r\n | where ActionType == \"Add member to role\"\r\n | where UsersInsights.BlasrRadius == \"High\" or ActivityInsights.FirstTimeUserPerformedAction == true\r\n) on $left._ItemId == $right.SourceRecordId\r\n| extend AnomalyName = \"Anomalous Role Assignemt\",\r\n Tactic = \"Persistence\",\r\n Technique = \"Account Manipulation\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privilleged groups. 
Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing Add member to priveleged role, or ones that add users for the first time.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,RoleName,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority;let LogOns=materialize(\r\nBehaviorAnalytics\r\n| where TimeGenerated {TimeRange:query}\r\n| where ActivityType == \"LogOn\");\r\nlet AnomalousResourceAccess = LogOns\r\n| where ActionType == \"ResourceAccess\"\r\n| where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\r\n| extend AnomalyName = \"Anomalous Resource Access\",\r\n Tactic = \"Lateral Movement\",\r\n Technique = \"\",\r\n SubTechnique = \"\",\r\n Description = \"Adversary may be trying to move through the environment. APT29 and APT32, for example, has used PtH & PtT techniques to lateral move around the network. 
The query below generates an output of all users performing an resource access (4624:3) to devices for the first time.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousRDPActivity = LogOns\r\n| where ActionType == \"RemoteInteractiveLogon\"\r\n| where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\r\n| extend AnomalyName = \"Anomalous RDP Activity\",\r\n Tactic = \"Lateral Movement\",\r\n Technique = \"\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. FIN10, for example, has used RDP to move laterally to systems in the victim environment. The query below generates an output of all users performing a remote interactive logon (4624:10) to a device for the first time.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousLogintoDevices = LogOns\r\n| where ActionType == \"InteractiveLogon\"\r\n| where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\r\n| where UsersInsights.DormantAccount == true or DevicesInsights.LocalAdmin == true\r\n| extend AnomalyName = \"Anomalous Login To Devices\",\r\n Tactic = \"Privilege Escalation\",\r\n Technique = \"Valid Accounts\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process 
through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access and privilege escalation. The query below generates an output of all administator users performing an interactive logon (4624:2) to a device for the first time.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousPasswordReset = BehaviorAnalytics\r\n| where TimeGenerated {TimeRange:query}\r\n| where ActionType == \"Reset user password\"\r\n| where ActivityInsights.FirstTimeUserPerformedAction == \"True\"\r\n| join (\r\nAuditLogs\r\n | where TimeGenerated {TimeRange:query}\r\n | where OperationName == \"Reset user password\"\r\n) on $left.SourceRecordId == $right._ItemId\r\n| mv-expand TargetResources\r\n| extend Target = iff(tostring(TargetResources.userPrincipalName) contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(TargetResources.userPrincipalName, \"#\")[0])),TargetResources.userPrincipalName),tostring(TargetResources.userPrincipalName)\r\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\r\n| extend AnomalyName = \"Anomalous Password Reset\",\r\n Tactic = \"Impact\",\r\n Technique = \"Account Access Removal\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. 
LockerGoga, for example, has been observed changing account passwords and logging off current users. The query below generates an output of all users performing Reset user password for the first time.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority\r\n| sort by TimeGenerated desc;\r\nlet AnomalousGeoLocationLogon = BehaviorAnalytics\r\n| where TimeGenerated {TimeRange:query}\r\n| where ActionType == \"Sign-in\"\r\n| where ActivityInsights.FirstTimeUserConnectedFromCountry == True and (ActivityInsights.FirstTimeConnectionFromCountryObservedInTenant == True or ActivityInsights.CountryUncommonlyConnectedFromAmongPeers == True)\r\n| join (\r\nSigninLogs\r\n | where TimeGenerated {TimeRange:query}\r\n) on $left.SourceRecordId == $right._ItemId\r\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\r\n| extend AnomalyName = \"Anomalous Successful Logon\",\r\n Tactic = \"Initial Access\",\r\n Technique = \"Valid Accounts\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access. 
The query below generates an output of successful Sign-in performed by a user from a new geo location he has never connected from before, and none of his peers as well.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights, ResourceDisplayName,AppDisplayName ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousFailedLogon = BehaviorAnalytics\r\n| where TimeGenerated {TimeRange:query}\r\n| where ActivityType == \"LogOn\"\r\n| where UsersInsights.BlastRadius == \"High\"\r\n| join (\r\n SigninLogs \r\n | where TimeGenerated {TimeRange:query}\r\n | where Status.errorCode == 50126\r\n) on $left.SourceRecordId == $right._ItemId\r\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\r\n| extend AnomalyName = \"Anomalous Failed Logon\",\r\n Tactic = \"Credential Access\",\r\n Technique = \"Brute Force\",\r\n SubTechnique = \"Password Guessing\",\r\n Description = \"Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Emotet, for example, has been observed using a hard coded list of passwords to brute force user accounts. 
The query below generates an output of all users with 'High' BlastRadius that perform failed Sign-in:Invalid username or password.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights, ResourceDisplayName,AppDisplayName ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousAADAccountManipulation = AuditLogs\r\n| where TimeGenerated {TimeRange:query}\r\n| where OperationName == \"Update user\"\r\n| mv-expand AdditionalDetails\r\n| where AdditionalDetails.key == \"UserPrincipalName\"\r\n| mv-expand TargetResources\r\n| extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\r\n| where isnotempty(RoleId) and RoleId in (critical,high)\r\n| extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\r\n| where isnotempty(RoleName)\r\n| extend TargetId = tostring(TargetResources.id)\r\n| extend Target = iff(tostring(TargetResources.userPrincipalName) contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(TargetResources.userPrincipalName, \"#\")[0])),TargetResources.userPrincipalName),tostring(TargetResources.userPrincipalName)\r\n| join kind=inner ( \r\n BehaviorAnalytics\r\n | where TimeGenerated {TimeRange:query}\r\n | where ActionType == \"Update user\"\r\n | where UsersInsights.BlasrRadius == \"High\" or ActivityInsights.FirstTimeUserPerformedAction == true\r\n) on $left._ItemId == $right.SourceRecordId\r\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName) \r\n| extend AnomalyName = \"Anomalous Account Manipulation\",\r\n Tactic = \"Persistence\",\r\n Technique = \"Account Manipulation\",\r\n SubTechnique = 
\"\",\r\n Description = \"Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privilleged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing 'Update user' (name change) to priveleged role, or ones that changed users for the first time.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,RoleName,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; let AnomalousAADAccountCreation = BehaviorAnalytics\r\n| where TimeGenerated {TimeRange:query}\r\n| where ActionType == \"Add user\"\r\n| where ActivityInsights.FirstTimeUserPerformedAction == True or ActivityInsights.FirstTimeActionPerformedInTenant == True or ActivityInsights.ActionUncommonlyPerformedAmongPeers == true\r\n| join(\r\nAuditLogs\r\n | where TimeGenerated {TimeRange:query} \r\n | where OperationName == \"Add user\"\r\n) on $left.SourceRecordId == $right._ItemId\r\n| mv-expand TargetResources\r\n| extend Target = iff(tostring(TargetResources.userPrincipalName) contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(TargetResources.userPrincipalName, \"#\")[0])),TargetResources.userPrincipalName),tostring(TargetResources.userPrincipalName)\r\n| extend DisplayName = tostring(UsersInsights.AccountDisplayName),\r\nUserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\r\n| extend AnomalyName = \"Anomalous Account Creation\",\r\n Tactic = \"Persistence\",\r\n Technique = 
\"Create Account\",\r\n SubTechnique = \"Cloud Account\",\r\n Description = \"Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system. The query below generates an output of all the users performing user creation for the first time and the target users that were created.\"\t\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority\r\n| sort by TimeGenerated desc;\r\nlet AnomalyTable = union kind=outer AnomalousSigninActivity, AnomalousRoleAssignment, AnomalousResourceAccess, AnomalousRDPActivity, AnomalousPasswordReset, AnomalousLogintoDevices, AnomalousGeoLocationLogon, AnomalousAADAccountManipulation, AnomalousAADAccountCreation, AnomalousFailedLogon;\r\n\r\n\r\nlet TotalAnomaliesCount = AnomalyTable\r\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d\r\n| extend series = \"Anomalies Trend\"\r\n| project series, count_, TimeGenerated ;\r\nlet TotalAlertsCount = SecurityIncident\r\n| where TimeGenerated {TimeRange:query}\r\n| summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\r\n| where Status == \"New\" or Status == \"Active\"\r\n| mv-expand AlertIds\r\n| extend AlertId = tostring(AlertIds)\r\n| join kind= innerunique ( \r\nSecurityAlert | where TimeGenerated {TimeRange:query}\r\n) on $left.AlertId == $right.SystemAlertId\r\n| summarize hint.strategy = shuffle arg_max(TimeGenerated,*), NumberOfUpdates = count() by SystemAlertId\r\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 
1d\r\n| extend series = \"Alerts Trend\"\r\n| project series, count_, TimeGenerated ;\r\nlet TotalIncidentsCount=SecurityIncident\r\n| summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\r\n| where Status == \"New\" or Status == \"Active\"\r\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d \r\n| extend series = \"Incidents Trend\"\r\n| project series, count_, TimeGenerated;\r\nTotalIncidentsCount | union TotalAlertsCount, TotalAnomaliesCount\r\n\r\n\r\n", - "size": 1, - "timeContext": { - "durationMs": 2419200000 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "linechart", - "chartSettings": { - "seriesLabelSettings": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "General Info", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "General Incident Summary", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityIncident\r\n| where TimeGenerated {TimeRange:query}\r\n| summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\r\n| where Status == \"New\" or Status == \"Active\"\r\n| summarize IncidentCount=count() \r\n| project \"New or active incidents\", IncidentCount", + "size": 4, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "columnMatch": "Column1" + }, + "leftContent": { + "columnMatch": "IncidentCount", + "formatter": 12, + "formatOptions": { + "min": 0, + "palette": "redDark" + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + "showBorder": false, + "size": "auto" + } + }, + "customWidth": "12", + "name": "GeneralInfo 
- Open Incidents", + "styleSettings": { + "maxWidth": "12" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let TotalAlertsCount = SecurityIncident\r\n| where TimeGenerated {TimeRange:query}\r\n| summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\r\n| where Status == \"New\" or Status == \"Active\"\r\n| mv-expand AlertIds\r\n| extend AlertId = tostring(AlertIds)\r\n| join kind= innerunique ( \r\nSecurityAlert | where TimeGenerated {TimeRange:query}) on $left.AlertId == $right.SystemAlertId\r\n| where Status != \"Resolved\" or Status != \"Dismissed\" \r\n| summarize hint.strategy = shuffle arg_max(TimeGenerated,*), NumberOfUpdates = count() by SystemAlertId\r\n| summarize AlertCount=count()\r\n| project \"New or active alerts\",AlertCount;\r\nTotalAlertsCount\r\n", + "size": 4, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "columnMatch": "Column1", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "AlertCount", + "formatter": 12, + "formatOptions": { + "palette": "redDark" + } + }, + "showBorder": false, + "size": "auto" + } + }, + "customWidth": "12", + "name": "GeneralInfo - Alert Count", + "styleSettings": { + "maxWidth": "12" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "Anomalies\r\n| where TimeGenerated {TimeRange:query}\r\n| summarize AnomalyCount=count()\r\n| project \"Anomaly Count\", AnomalyCount", + "size": 4, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "columnMatch": "Column1", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "AnomalyCount", + "formatter": 12, + "formatOptions": { + "palette": "redDark" + } + }, + "showBorder": false, + "size": "auto" 
+ } + }, + "customWidth": "12", + "name": "GeneralInfo - Alert Count", + "styleSettings": { + "maxWidth": "12" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let TotalAnomaliesCount = Anomalies\r\n| summarize by TenantId, TimeGenerated\r\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d\r\n| extend series = \"Anomalies Trend\"\r\n| project series, count_, TimeGenerated ;\r\nlet TotalAlertsCount = SecurityIncident\r\n| where TimeGenerated {TimeRange:query}\r\n| summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\r\n| where Status == \"New\" or Status == \"Active\"\r\n| mv-expand AlertIds\r\n| extend AlertId = tostring(AlertIds)\r\n| join kind= innerunique ( \r\nSecurityAlert | where TimeGenerated {TimeRange:query}\r\n) on $left.AlertId == $right.SystemAlertId\r\n| summarize hint.strategy = shuffle arg_max(TimeGenerated,*), NumberOfUpdates = count() by SystemAlertId\r\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d\r\n| extend series = \"Alerts Trend\"\r\n| project series, count_, TimeGenerated ;\r\nlet TotalIncidentsCount=SecurityIncident\r\n| summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\r\n| where Status == \"New\" or Status == \"Active\"\r\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d \r\n| extend series = \"Incidents Trend\"\r\n| project series, count_, TimeGenerated;\r\nTotalIncidentsCount | union TotalAlertsCount, TotalAnomaliesCount\r\n\r\n\r\n", + "size": 1, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "linechart", + "chartSettings": { + "seriesLabelSettings": [ + { + "seriesName": "Incidents Trend", + "label": "Incidents", + "color": "red" + }, + { + "seriesName": "Alerts Trend", + "label": "Alerts", + "color": 
"orange" + }, + { + "seriesName": "Anomalies Trend", + "label": "Anomalies", + "color": "blueDark" + } + ] + } + }, + "customWidth": "60", + "name": "GeneralInfo - TimeSeries", + "styleSettings": { + "maxWidth": "60" + } + } + ] + }, + "customWidth": "100", + "name": "General Incident Summary", + "styleSettings": { + "maxWidth": "100" + } + }, { - "seriesName": "Incidents Trend", - "label": "Incidents Counts", - "color": "blue" + "type": 1, + "content": { + "json": "Below you will find the total number of anomalies, plus how many of those have an account or an IP entity. Note that we are also counting anomalies that involve known hosts, but as are currently not mapped as entities. The query for \"Anomalies with hosts\" counts the hosts that were parsed out of the following entity enrichments: \"DeviceUncommonlyUsedByUser\", \"DeviceUncommonlyUsedAmongPeers\", \"DeviceUncommonlyUsedInTenant\". See more about these [here](https://learn.microsoft.com/en-us/azure/sentinel/ueba-reference#device-used-to-connect).\r\n", + "style": "info" + }, + "conditionalVisibility": { + "parameterName": "Help", + "comparison": "isEqualTo", + "value": "Yes" + }, + "name": "Anomalies help" }, { - "seriesName": "Alerts Trend", - "label": "Alerts Counts", - "color": "redBright" + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Anomaly Summary", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "Anomalies\r\n| where TimeGenerated {TimeRange:query}\r\n| count", + "size": 4, + "title": "Total anomalies", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + } + }, + "showBorder": false + } + }, + "customWidth": "20", + "name": "AnomalyInfo - 
Anomalies" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "Anomalies\r\n| where TimeGenerated {TimeRange:query}\r\n| where tostring(Entities) contains '\"Type\":\"account\"'\r\n| count", + "size": 4, + "title": "Anomalies with account entity", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + } + }, + "showBorder": false + } + }, + "customWidth": "20", + "name": "AnomalyInfo - Account Anomaly" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "Anomalies\r\n| where TimeGenerated {TimeRange:query}\r\n| where tostring(Entities) contains '\"Type\":\"ip\"'\r\n| count", + "size": 4, + "title": "Anomalies with IP entity", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + } + }, + "showBorder": false + } + }, + "customWidth": "20", + "name": "AnomalyInfo - IP Anomaly" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Currently there is no mapping with hosts\r\n//We know that in the following anomalies there is a host present: \"FirstTimeUserConnectedFromDevice\", \"DeviceUncommonlyUsedByUser\", \"DeviceUncommonlyUsedAmongPeers\", \"FirstTimeDeviceObservedInTenant\", \"DeviceUncommonlyUsedInTenant\"\r\n//We only look for \"DeviceUncommonlyUsedByUser\", \"DeviceUncommonlyUsedAmongPeers\", \"DeviceUncommonlyUsedInTenant\" though since the other two only state PII instead of the host itself\r\nlet Name = dynamic([\"DeviceUncommonlyUsedByUser\", \"DeviceUncommonlyUsedAmongPeers\", 
\"DeviceUncommonlyUsedInTenant\"]) ;\r\nAnomalies\r\n| where TimeGenerated {TimeRange:query}\r\n| mv-expand AnomalyReasons\r\n| where tostring(AnomalyReasons.Name) in (Name)\r\n| count", + "size": 4, + "title": "Anomalies with a host", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "blue" + } + }, + "showBorder": false + } + }, + "customWidth": "20", + "name": "AnomalyInfo - Host Anomaly" + } + ] + }, + "name": "Anomaly Summary" } ] - } - }, - "customWidth": "70", - "name": "query - 19" - }, - { - "type": 1, - "content": { - "json": "## Top users to investigate - by Incidents, alerts & anomalies\r\n---\r\n" - }, - "name": "text - 3" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "let AnomalousSigninActivity = BehaviorAnalytics\n| where TimeGenerated {TimeRange:query}\n| where ActionType == \"Sign-in\"\n| where (UsersInsights.NewAccount == True or UsersInsights.DormantAccount == True) and (\n ActivityInsights.FirstTimeUserAccessedResource == True and ActivityInsights.ResourceUncommonlyAccessedAmongPeers == True\nor ActivityInsights.FirstTimeUserUsedApp == True and ActivityInsights.AppUncommonlyUsedAmongPeers == False)\n| join (\nSigninLogs | where TimeGenerated {TimeRange:query} | where Status.errorCode == 0 or Status.errorCode == 0 and RiskDetail != \"none\"\n) on $left.SourceRecordId == $right._ItemId\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\n| extend AnomalyName = \"Anomalous Successful Logon\",\n Tactic = \"Persistence\",\n Technique = \"Valid Accounts\",\n 
SubTechnique = \"\",\n Description = \"Successful Sign-in with one or more of the following indications: sign by new or recently dormant accounts and sign in with resource for the first time (while none of their peers did) or to an app for the first time (while none of their peers did) or performed by a user with Risk indicaiton from AAD\"\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights, ResourceDisplayName,AppDisplayName,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \nlet critical = dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3','c4e39bd9-1100-46d3-8c65-fb160da0071f','158c047a-c907-4556-b7ef-446551a6b5f7','62e90394-69f5-4237-9190-012177145e10','d29b2b05-8046-44ba-8758-1e26182fcf32','729827e3-9c14-49f7-bb1b-9608f156bbb8','966707d0-3269-4727-9be2-8c3a10f19b9d','194ae4cb-b126-40b2-bd5b-6091b380977d','fe930be7-5e62-47db-91af-98c3a49a38b1']);\nlet high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c','7495fdc4-34c4-4d15-a289-98788ce399fd','aaf43236-0c0d-4d5f-883a-6955382ac081','3edaf663-341e-4475-9f94-5c398ef6c070','7698a772-787b-4ac8-901f-60d6b08affd2','b1be1c3e-b65d-4f19-8427-f6fa0d97feb9','9f06204d-73c1-4d4c-880a-6edb90606fd8','29232cdf-9323-42fd-ade2-1d097af3e4de','be2f45a1-457d-42af-a067-6ec1fa63bc45','7be44c8a-adaf-4e2a-84d6-ab2649e08a13','e8611ab8-c189-46e8-94e1-60213ab1f814']);\nlet AnomalousRoleAssignment = AuditLogs\n| where TimeGenerated {TimeRange:query}\n| where OperationName == \"Add member to role\"\n| mv-expand TargetResources\n| extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\n| where isnotempty(RoleId) and RoleId in (critical,high)\n| extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\n| where isnotempty(RoleName)\n| extend TargetId = tostring(TargetResources.id)\n| extend Target = 
tostring(TargetResources.userPrincipalName)\n| join kind=inner ( BehaviorAnalytics\n | where TimeGenerated {TimeRange:query}\n | where ActionType == \"Add member to role\"\n | where UsersInsights.BlasrRadius == \"High\" or ActivityInsights.FirstTimeUserPerformedAction == true\n) on $left._ItemId == $right.SourceRecordId\n| extend AnomalyName = \"Anomalous Role Assignemt\",\n Tactic = \"Persistence\",\n Technique = \"Account Manipulation\",\n SubTechnique = \"\",\n Description = \"Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privilleged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing Add member to priveleged role, or ones that add users for the first time.\"\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,RoleName,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority;let LogOns=materialize(\nBehaviorAnalytics\n| where TimeGenerated {TimeRange:query}\n| where ActivityType == \"LogOn\");\nlet AnomalousResourceAccess = LogOns\n| where ActionType == \"ResourceAccess\"\n| where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\n| extend AnomalyName = \"Anomalous Resource Access\",\n Tactic = \"Lateral Movement\",\n Technique = \"\",\n SubTechnique = \"\",\n Description = \"Adversary may be trying to move through the environment. APT29 and APT32, for example, has used PtH & PtT techniques to lateral move around the network. 
The query below generates an output of all users performing an resource access (4624:3) to devices for the first time.\"\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \nlet AnomalousRDPActivity = LogOns\n| where ActionType == \"RemoteInteractiveLogon\"\n| where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\n| extend AnomalyName = \"Anomalous RDP Activity\",\n Tactic = \"Lateral Movement\",\n Technique = \"\",\n SubTechnique = \"\",\n Description = \"Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. FIN10, for example, has used RDP to move laterally to systems in the victim environment. The query below generates an output of all users performing a remote interactive logon (4624:10) to a device for the first time.\"\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \nlet AnomalousLogintoDevices = LogOns\n| where ActionType == \"InteractiveLogon\"\n| where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\n| where UsersInsights.DormantAccount == true or DevicesInsights.LocalAdmin == true\n| extend AnomalyName = \"Anomalous Login To Devices\",\n Tactic = \"Privilege Escalation\",\n Technique = \"Valid Accounts\",\n SubTechnique = \"\",\n Description = \"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of 
gaining Initial Access. APT33, for example, has used valid accounts for initial access and privilege escalation. The query below generates an output of all administator users performing an interactive logon (4624:2) to a device for the first time.\"\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \nlet AnomalousPasswordReset = BehaviorAnalytics\n| where TimeGenerated {TimeRange:query}\n| where ActionType == \"Reset user password\"\n| where ActivityInsights.FirstTimeUserPerformedAction == \"True\"\n| join (\nAuditLogs\n | where TimeGenerated {TimeRange:query}\n | where OperationName == \"Reset user password\"\n) on $left.SourceRecordId == $right._ItemId\n| mv-expand TargetResources\n| extend Target = iff(tostring(TargetResources.userPrincipalName) contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(TargetResources.userPrincipalName, \"#\")[0])),TargetResources.userPrincipalName),tostring(TargetResources.userPrincipalName)\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\n| extend AnomalyName = \"Anomalous Password Reset\",\n Tactic = \"Impact\",\n Technique = \"Account Access Removal\",\n SubTechnique = \"\",\n Description = \"Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. LockerGoga, for example, has been observed changing account passwords and logging off current users. 
The query below generates an output of all users performing Reset user password for the first time.\"\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority\n| sort by TimeGenerated desc;\nlet AnomalousGeoLocationLogon = BehaviorAnalytics\n| where TimeGenerated {TimeRange:query}\n| where ActionType == \"Sign-in\"\n| where ActivityInsights.FirstTimeUserConnectedFromCountry == True and (ActivityInsights.FirstTimeConnectionFromCountryObservedInTenant == True or ActivityInsights.CountryUncommonlyConnectedFromAmongPeers == True)\n| join (\nSigninLogs\n | where TimeGenerated {TimeRange:query}\n) on $left.SourceRecordId == $right._ItemId\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\n| extend AnomalyName = \"Anomalous Successful Logon\",\n Tactic = \"Initial Access\",\n Technique = \"Valid Accounts\",\n SubTechnique = \"\",\n Description = \"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access. 
The query below generates an output of successful Sign-in performed by a user from a new geo location he has never connected from before, and none of his peers as well.\"\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights, ResourceDisplayName,AppDisplayName ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \nlet AnomalousFailedLogon = BehaviorAnalytics\n| where TimeGenerated {TimeRange:query}\n| where ActivityType == \"LogOn\"\n| where UsersInsights.BlastRadius == \"High\"\n| join (\n SigninLogs \n | where TimeGenerated {TimeRange:query}\n | where Status.errorCode == 50126\n) on $left.SourceRecordId == $right._ItemId\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\n| extend AnomalyName = \"Anomalous Failed Logon\",\n Tactic = \"Credential Access\",\n Technique = \"Brute Force\",\n SubTechnique = \"Password Guessing\",\n Description = \"Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Emotet, for example, has been observed using a hard coded list of passwords to brute force user accounts. 
The query below generates an output of all users with 'High' BlastRadius that perform failed Sign-in:Invalid username or password.\"\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights, ResourceDisplayName,AppDisplayName ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \nlet AnomalousAADAccountManipulation = AuditLogs\n| where TimeGenerated {TimeRange:query}\n| where OperationName == \"Update user\"\n| mv-expand AdditionalDetails\n| where AdditionalDetails.key == \"UserPrincipalName\"\n| mv-expand TargetResources\n| extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\n| where isnotempty(RoleId) and RoleId in (critical,high)\n| extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\n| where isnotempty(RoleName)\n| extend TargetId = tostring(TargetResources.id)\n| extend Target = iff(tostring(TargetResources.userPrincipalName) contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(TargetResources.userPrincipalName, \"#\")[0])),TargetResources.userPrincipalName),tostring(TargetResources.userPrincipalName)\n| join kind=inner ( \n BehaviorAnalytics\n | where TimeGenerated {TimeRange:query}\n | where ActionType == \"Update user\"\n | where UsersInsights.BlasrRadius == \"High\" or ActivityInsights.FirstTimeUserPerformedAction == true\n) on $left._ItemId == $right.SourceRecordId\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName) \n| extend AnomalyName = \"Anomalous Account Manipulation\",\n Tactic = \"Persistence\",\n Technique = \"Account Manipulation\",\n SubTechnique = \"\",\n Description = \"Adversaries may manipulate 
accounts to maintain access to victim systems. These actions include adding new accounts to high privilleged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing 'Update user' (name change) to priveleged role, or ones that changed users for the first time.\"\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,RoleName,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; let AnomalousAADAccountCreation = BehaviorAnalytics\n| where TimeGenerated {TimeRange:query}\n| where ActionType == \"Add user\"\n| where ActivityInsights.FirstTimeUserPerformedAction == True or ActivityInsights.FirstTimeActionPerformedInTenant == True or ActivityInsights.ActionUncommonlyPerformedAmongPeers == true\n| join(\nAuditLogs\n | where TimeGenerated {TimeRange:query} \n | where OperationName == \"Add user\"\n) on $left.SourceRecordId == $right._ItemId\n| mv-expand TargetResources\n| extend Target = iff(tostring(TargetResources.userPrincipalName) contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(TargetResources.userPrincipalName, \"#\")[0])),TargetResources.userPrincipalName),tostring(TargetResources.userPrincipalName)\n| extend DisplayName = tostring(UsersInsights.AccountDisplayName),\nUserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\n| extend AnomalyName = \"Anomalous Account Creation\",\n Tactic = \"Persistence\",\n Technique = \"Create Account\",\n SubTechnique = \"Cloud Account\",\n Description = \"Adversaries may 
create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system. The query below generates an output of all the users performing user creation for the first time and the target users that were created.\"\t\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority\n| sort by TimeGenerated desc;\nlet AnomalyTable = union kind=outer AnomalousSigninActivity, AnomalousRoleAssignment, AnomalousResourceAccess, AnomalousRDPActivity, AnomalousPasswordReset, AnomalousLogintoDevices, AnomalousGeoLocationLogon, AnomalousAADAccountManipulation, AnomalousAADAccountCreation, AnomalousFailedLogon;\nlet TopUsersByAnomalies = AnomalyTable\n| summarize hint.strategy = shuffle AnomalyCount=count() by UserName, UserPrincipalName, tostring(UsersInsights.OnPremSid), tostring(UsersInsights.AccountObjectId)\n| project Name=tolower(UserName),UPN=tolower(UserPrincipalName), AadUserId=UsersInsights_AccountObjectId, Sid=UsersInsights_OnPremSid, AnomalyCount\n| sort by AnomalyCount desc;\nlet TopUsersByIncidents = SecurityIncident\n| where TimeGenerated {TimeRange:query} \n| summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\n| where Status == \"New\" or Status == \"Active\"\n| mv-expand AlertIds\n| extend AlertId = tostring(AlertIds)\n| join kind= innerunique ( \nSecurityAlert | where TimeGenerated {TimeRange:query} \n) on $left.AlertId == $right.SystemAlertId\n| summarize hint.strategy = shuffle arg_max(TimeGenerated,*), NumberOfUpdates = count() by SystemAlertId\n| mv-expand todynamic(Entities)\n| where Entities[\"Type\"] =~ 
\"account\"\n| extend Name = tostring(tolower(Entities[\"Name\"])), NTDomain = tostring(Entities[\"NTDomain\"]), UPNSuffix = tostring(Entities[\"UPNSuffix\"]), AadUserId = tostring(Entities[\"AadUserId\"]), AadTenantId = tostring(Entities[\"AadTenantId\"]), \n Sid = tostring(Entities[\"Sid\"]), IsDomainJoined = tobool(Entities[\"IsDomainJoined\"]) , Host = tostring(Entities[\"Host\"])\n| extend UPN = iff(Name != \"\" and UPNSuffix != \"\", strcat(Name, \"@\", UPNSuffix), \"\")\n| union TopUsersByAnomalies\n| extend \n AadPivot = iff(isempty(AadUserId),iff(isempty(Sid),Name,Sid),AadUserId),\n SidPivot = iff(isempty(Sid),iff(isempty(AadUserId),Name,AadUserId),Sid),\n UPNExists = iff(isempty(UPN), false,true),\n NameExists = iff(isempty(Name), false,true),\n SidExists = iff(isempty(Sid), false,true),\n AADExists = iff(isempty(AadUserId), false,true)\n| summarize hint.strategy = shuffle IncidentCount=dcount(IncidentNumber,4),AlertCount=dcountif(AlertId,isnotempty(AlertId),4),AnomalyCount=sum(AnomalyCount),any(Title, Severity, Status, StartTime, IncidentNumber, IncidentUrl, Owner), UPNAnchor=anyif(UPN, UPNExists == true),NameAnchor=anyif(Name, NameExists == true),AadAnchor=anyif(AadUserId, AADExists == true), SidAnchor=anyif(Sid, SidExists == true) , any(SidPivot) by AadPivot\n| summarize hint.strategy = shuffle IncidentCount=sum(IncidentCount),AlertCount=sum(AlertCount),AnomalyCount=sum(AnomalyCount), UPNAnchor=anyif(UPNAnchor, isempty(UPNAnchor) == false),NameAnchor=anyif(NameAnchor, isempty(NameAnchor) == false),AadAnchor=anyif(AadAnchor, isempty(AadAnchor) == false), SidAnchor=anyif(SidAnchor, isempty(SidAnchor) == false), any(any_Title,any_Severity,any_StartTime, any_IncidentNumber, any_IncidentUrl) by any_SidPivot\n| summarize hint.strategy = shuffle IncidentCount=sum(IncidentCount), AlertCount=sum(AlertCount),AnomalyCount=sum(AnomalyCount), UPNAnchor=anyif(UPNAnchor, isempty(UPNAnchor) == false),AadAnchor=anyif(AadAnchor, isempty(AadAnchor) == false), 
SidAnchor=anyif(SidAnchor, isempty(SidAnchor) == false), any(any_any_Title, any_any_Severity,any_any_StartTime, any_any_IncidentNumber, any_any_IncidentUrl) by NameAnchor\n| project [\"UserName\"]=NameAnchor,IncidentCount, AlertCount,AnomalyCount, [\"AadUserId\"]=AadAnchor,[\"OnPremSid\"]=SidAnchor , [\"UserPrincipalName\"]=UPNAnchor;\nTopUsersByIncidents\n| sort by IncidentCount, AlertCount, AnomalyCount desc\n", - "size": 1, - "showAnalytics": true, - "timeContext": { - "durationMs": 2419200000 }, - "timeContextFromParameter": "TimeRange", - "exportedParameters": [ - { - "fieldName": "UserPrincipalName", - "parameterName": "SelectedUser", - "parameterType": 1 - }, - { - "fieldName": "UserName", - "parameterName": "UserName", - "parameterType": 1, - "defaultValue": "None" - }, - { - "fieldName": "AadUserId", - "parameterName": "UserObjectId", - "parameterType": 1 - }, - { - "fieldName": "OnPremSid", - "parameterName": "UserSid", - "parameterType": 1 - }, - { - "fieldName": "AnomalyCount", - "parameterName": "AnomalyCount", - "parameterType": 1, - "defaultValue": "0" - } - ], - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table", - "gridSettings": { - "formatters": [ - { - "columnMatch": "IncidentCount", - "formatter": 8, - "formatOptions": { - "palette": "redDark" + "name": "General Info" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "Below you will find incidents that have entities involved in anomalies created up to 3 days prior to the incident creation.
Expand each entity to find the anomalies. When you click on the anomalies, you will visualize them on the right-hand side.
Finally, click on each of the anomalies to see anomaly reasons and device insights. Note that device insights are empty when there is no relevant information to show.", + "style": "info" + }, + "conditionalVisibility": { + "parameterName": "Help", + "comparison": "isEqualTo", + "value": "Yes" + }, + "name": "Help text for incidents with entities" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let TopUsersByAnomalies = Anomalies\r\n | mv-expand Entities\r\n | where tostring(Entities) contains '\"Type\":\"account\"'\r\n | project\r\n TimeGenerated,\r\n AnomalyID = Id,\r\n AadUserId=tostring(Entities.AadUserId),\r\n DisplayName=tostring(Entities.DisplayName),\r\n OriginalName=tostring(Entities.Name),\r\n AnomalyUPNSuffix=tostring(Entities.AnomalyUPNSuffix),\r\n OriginalUPNSuffix=tostring(Entities.UPNSuffix)\r\n | extend\r\n Name = iff(OriginalName contains '@', extract('(.*)@', 1, OriginalName), OriginalName),\r\n UPNSuffix = iff(OriginalUPNSuffix != \"\", OriginalUPNSuffix, extract('(.*)@(.*)', 2, OriginalName))\r\n | project-away OriginalName; \r\nlet TopIPsByAnomalies= Anomalies\r\n | mv-expand Entities\r\n | where tostring(Entities) contains '\"Type\":\"ip\"'\r\n | project TimeGenerated, IPentity=tostring(Entities.Address), AnomalyID = Id;\r\nlet DeviceAnomalyName = dynamic([\"DeviceUncommonlyUsedByUser\", \"DeviceUncommonlyUsedAmongPeers\", \"DeviceUncommonlyUsedInTenant\"]);\r\nlet TopHostsByAnomalies =Anomalies\r\n | mv-expand AnomalyReasons\r\n | where tostring(AnomalyReasons.Name) in (DeviceAnomalyName)\r\n | extend DeviceRegex = tostring(extract(\"with ([A-Z0-9-]+) device\", 1, Description))\r\n | extend DeviceName = tolower(DeviceRegex)\r\n | project-rename AnomalyID = Id;\r\nlet IncidentsWithEntities = SecurityIncident\r\n | summarize TimeGenerated=max(TimeGenerated), AlertIds=make_set(AlertIds) by IncidentNumber, IncidentUrl, Title\r\n | mv-expand AlertIds\r\n | project IncidentNumber, AlertId = tostring(AlertIds), 
TimeGenerated, IncidentUrl, Title \r\n | join kind = inner ( \r\n SecurityAlert\r\n | distinct SystemAlertId, Entities\r\n | mv-expand todynamic(Entities)\r\n | where Entities[\"Type\"] =~ \"account\"\r\n or Entities[\"Type\"] =~ \"ip\"\r\n or Entities[\"Type\"] =~ \"host\"\r\n | project\r\n SystemAlertId,\r\n IPentity = tostring(tolower(Entities.Address)),\r\n DeviceName = tostring(tolower(Entities.HostName)),\r\n OriginalName = tostring(tolower(Entities.Name)),\r\n OriginalUPNSuffix = tostring(Entities.UPNSuffix),\r\n AadUserId = tostring(Entities.AadUserId)\r\n | extend\r\n Name = iff(OriginalName contains '@', extract('(.*)@', 1, OriginalName), OriginalName),\r\n UPNSuffix = iff(OriginalUPNSuffix != \"\", OriginalUPNSuffix, extract('(.*)@(.*)', 2, OriginalName))\r\n | project-away OriginalName, OriginalUPNSuffix\r\n )\r\n on $left.AlertId == $right.SystemAlertId\r\n | distinct\r\n TimeGenerated,\r\n IncidentNumber,\r\n IPentity,\r\n Name,\r\n AadUserId,\r\n DeviceName,\r\n UPNSuffix,\r\n IncidentUrl,\r\n Title\r\n;\r\nlet TopUserIncidents = IncidentsWithEntities\r\n | join kind= inner (TopUsersByAnomalies) on $left.Name == $right.Name\r\n | where datetime_diff('day', TimeGenerated, TimeGenerated1) < 3 and datetime_diff('day', TimeGenerated, TimeGenerated1) > 0\r\n | summarize listOfAnomalyID = makelist(AnomalyID)\r\n by\r\n AadUserId= coalesce(Name, Name1),\r\n DisplayName,\r\n Name= coalesce(Name, Name1),\r\n AnomalyUPNSuffix,\r\n UPNSuffix = coalesce(UPNSuffix, UPNSuffix1),\r\n TimeGenerated,\r\n IncidentNumber,\r\n Title,\r\n IncidentUrl;\r\nlet TopIPIncidents = IncidentsWithEntities\r\n | join kind= inner (TopIPsByAnomalies) on $left.IPentity == $right.IPentity\r\n | where datetime_diff('day', TimeGenerated, TimeGenerated1) < 3 and datetime_diff('day', TimeGenerated, TimeGenerated1) > 0\r\n | summarize listOfAnomalyID = makelist(AnomalyID)\r\n by\r\n IPentity = coalesce(IPentity, IPentity1),\r\n TimeGenerated,\r\n IncidentNumber,\r\n Title,\r\n 
IncidentUrl;\r\nlet TopHostsIncidents = IncidentsWithEntities\r\n | join kind= inner (TopHostsByAnomalies) on $left.DeviceName == $right.DeviceName\r\n | where datetime_diff('day', TimeGenerated, TimeGenerated1) < 3 and datetime_diff('day', TimeGenerated, TimeGenerated1) > 0\r\n | summarize listOfAnomalyID = makelist(AnomalyID)\r\n by\r\n DeviceName = coalesce(DeviceName, DeviceName1),\r\n TimeGenerated,\r\n IncidentNumber,\r\n Title,\r\n IncidentUrl;\r\nTopUserIncidents\r\n| union TopIPIncidents, TopHostsIncidents\r\n| extend Entity1 = coalesce(Name, AadUserId, IPentity, DeviceName)\r\n| project\r\n TimeGenerated,\r\n IncidentNumber1 = strcat('📝', IncidentNumber),\r\n Title,\r\n IncidentUrl,\r\n IPentity,\r\n DeviceName,\r\n AadUserId,\r\n Name, \r\n UPNSuffix,\r\n DisplayName,\r\n Entity = strcat('Entity 🔎', Entity1),\r\n listOfAnomalyID\r\n| sort by TimeGenerated desc", + "size": 0, + "title": "Incidents with entities present in anomalies created in the 3 preceding days", + "timeContextFromParameter": "TimeRange", + "exportFieldName": "listOfAnomalyID", + "exportParameterName": "listOfAnomalyID", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "TimeGenerated", + "formatter": 5 + }, + { + "columnMatch": "IncidentNumber", + "formatter": 5, + "formatOptions": { + "linkTarget": "Url" + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "IncidentUrl", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url" + } + }, + { + "columnMatch": "IPentity", + "formatter": 5, + "formatOptions": { + "linkTarget": "GenericDetails", + "linkIsContextBlade": true + } + }, + { + "columnMatch": "DeviceName", + "formatter": 5 + }, + { + "columnMatch": "AadUserId", + "formatter": 5 + }, + { + "columnMatch": "Name", + "formatter": 5, + "formatOptions": { + "linkTarget": "GenericDetails", + "linkIsContextBlade": 
true + } + }, + { + "columnMatch": "UPNSuffix", + "formatter": 5 + }, + { + "columnMatch": "DisplayName", + "formatter": 5 + }, + { + "columnMatch": "Entity", + "formatter": 5 + }, + { + "columnMatch": "listOfAnomalyID", + "formatter": 7, + "formatOptions": { + "linkTarget": "CellDetails", + "linkIsContextBlade": true + } + }, + { + "columnMatch": "Entity1", + "formatter": 1 + }, + { + "columnMatch": "AnomalyCount", + "formatter": 5, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + } + ], + "rowLimit": 500, + "hierarchySettings": { + "treeType": 1, + "groupBy": [ + "IncidentNumber1", + "Entity" + ], + "expandTopLevel": true, + "finalBy": "TimeGenerated" + }, + "labelSettings": [ + { + "columnId": "TimeGenerated", + "label": "Time Generated" + }, + { + "columnId": "IncidentNumber1", + "label": "Incident number" + }, + { + "columnId": "Title", + "label": "Incident name" + }, + { + "columnId": "IncidentUrl", + "label": "Link to incident" + }, + { + "columnId": "IPentity", + "label": "IPentity" + }, + { + "columnId": "DeviceName", + "label": "DeviceName" + }, + { + "columnId": "AadUserId", + "label": "AadUserId" + }, + { + "columnId": "Name", + "label": "Name" + }, + { + "columnId": "UPNSuffix", + "label": "UPNSuffix" + }, + { + "columnId": "DisplayName", + "label": "DisplayName" + }, + { + "columnId": "Entity", + "label": "Matching entity" + }, + { + "columnId": "listOfAnomalyID", + "label": "List of Anomaly IDs" + } + ] + }, + "sortBy": [] + }, + "customWidth": "40", + "name": "Incidents with entities present in anomalies", + "styleSettings": { + "maxWidth": "40" } - } - ], - "filter": true, - "sortBy": [ + }, { - "itemKey": "AnomalyCount", - "sortOrder": 2 + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "Anomalies\r\n| where '{listOfAnomalyID}' contains Id\r\n| project Description, AnomalyTemplateName, 
RuleStatus, RuleName, Score, AnomalyReasons, DeviceInsights", + "size": 1, + "title": "Anomalies of selected incident", + "timeContextFromParameter": "TimeRange", + "exportedParameters": [ + { + "fieldName": "AnomalyReasons", + "parameterName": "AnomalyReasonsP", + "parameterType": 1 + }, + { + "fieldName": "DeviceInsights", + "parameterName": "DeviceInsightsP", + "parameterType": 1 + } + ], + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Description", + "formatter": 7, + "formatOptions": { + "linkTarget": "GenericDetails", + "linkIsContextBlade": true, + "customColumnWidthSetting": "90%" + } + }, + { + "columnMatch": "AnomalyTemplateName", + "formatter": 5, + "formatOptions": { + "linkTarget": "GenericDetails", + "linkIsContextBlade": true + } + }, + { + "columnMatch": "RuleStatus", + "formatter": 5 + }, + { + "columnMatch": "RuleName", + "formatter": 5 + }, + { + "columnMatch": "Score", + "formatter": 5 + }, + { + "columnMatch": "AnomalyReasons", + "formatter": 5 + }, + { + "columnMatch": "DeviceInsights", + "formatter": 5 + } + ] + }, + "sortBy": [] + }, + "customWidth": "100", + "name": "Anomalies of selected incident", + "styleSettings": { + "maxWidth": "60" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "{\"version\":\"1.0.0\",\"content\":\"{AnomalyReasonsP}\",\"transformers\":null}", + "size": 4, + "title": "Anomaly Reasons", + "queryType": 8, + "gridSettings": { + "formatters": [ + { + "columnMatch": "Value", + "formatter": 1 + }, + { + "columnMatch": "Type", + "formatter": 5 + }, + { + "columnMatch": "IsAnomalous", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "True", + "representation": "3", + "text": "Yes" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "No" + } + ] + }, + "numberFormat": 
{ + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "TypicalObservations", + "formatter": 5 + }, + { + "columnMatch": "Anomalous?", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "True", + "representation": "3", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + } + ], + "sortBy": [ + { + "itemKey": "Name", + "sortOrder": 1 + } + ] + }, + "sortBy": [ + { + "itemKey": "Name", + "sortOrder": 1 + } + ] + }, + "customWidth": "50", + "name": "User Anomalies - AnomalyReasons" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "{\"version\":\"1.0.0\",\"content\":\"{DeviceInsights}\",\"transformers\":null}", + "size": 4, + "title": "DeviceInsights", + "noDataMessage": "None available", + "queryType": 8 + }, + "customWidth": "50", + "name": "DeviceInsights" + } + ] + }, + "customWidth": "60", + "name": "InsideGroupForSelectedEntity", + "styleSettings": { + "maxWidth": "60" + } } ] }, - "sortBy": [ - { - "itemKey": "AnomalyCount", - "sortOrder": 2 - } - ] - }, - "name": "query - 2" - }, - { - "type": 1, - "content": { - "json": "Select a user to view Incidents & Alerts & Anomalies breakdown", - "style": "upsell" - }, - "conditionalVisibility": { - "parameterName": "UserName", - "comparison": "isEqualTo", - "value": "None" + "name": "Incidents with anomalies" }, - "name": "text - 6" - }, - { - "type": 1, - "content": { - "json": "## Incidents Breakdown: [{SelectedUser}]()\r\n---\r\n" - }, - "conditionalVisibility": { - "parameterName": "UserName", - "comparison": "isNotEqualTo", - "value": "None" + { + "type": 1, + "content": { + "json": "#### Use the tabs below to see users, IPs and hosts involved in incidents, alerts and anomalies. 
By selecting one user, IP or host from the list, you will visualize incidents and anomaly details from each one.", + "style": "info" + }, + "conditionalVisibility": { + "parameterName": "Help", + "comparison": "isEqualTo", + "value": "Yes" + }, + "name": "Tabs help" }, - "name": "text - 4" - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "parameters": [ - { - "id": "f3097a1b-3aad-4a82-8a8a-19e2725b4ecb", - "version": "KqlParameterItem/1.0", - "name": "Severity", - "type": 2, - "multiSelect": true, - "quote": "'", - "delimiter": ",", - "value": [ - "value::all" - ], - "typeSettings": { - "additionalResourceOptions": [ - "value::all" - ], - "selectAllValue": "All" + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "tabs", + "links": [ + { + "id": "3242e20b-3930-4c10-9c08-864eee8921b9", + "cellValue": "rankingTab", + "linkTarget": "parameter", + "linkLabel": "Users", + "subTarget": "Users", + "style": "link" }, - "jsonData": "[\"Low\",\"Medium\",\"High\"]", - "timeContext": { - "durationMs": 86400000 - } - }, - { - "id": "994e7321-0462-4367-aae3-a69c6d61bf26", - "version": "KqlParameterItem/1.0", - "name": "Status", - "type": 2, - "multiSelect": true, - "quote": "'", - "delimiter": ",", - "value": [ - "value::all" - ], - "typeSettings": { - "additionalResourceOptions": [ - "value::all" - ], - "selectAllValue": "All" + { + "id": "07d94953-ab1a-4d94-a1ac-a49c56370cc7", + "cellValue": "rankingTab", + "linkTarget": "parameter", + "linkLabel": "IPs", + "subTarget": "IPs", + "style": "link" }, - "jsonData": "[\"New\",\"Active\"]", - "timeContext": { - "durationMs": 86400000 + { + "id": "910b02fc-54d3-462a-a27b-dc5bdf2c3302", + "cellValue": "rankingTab", + "linkTarget": "parameter", + "linkLabel": "Hosts", + "subTarget": "Hosts", + "style": "link" } - }, - { - "id": "774bfc35-07c1-4680-b305-a65606439a53", - "version": "KqlParameterItem/1.0", - "name": "Owner", - "type": 2, - "multiSelect": true, - "quote": "'", - "delimiter": 
",", - "query": "SecurityIncident\r\n| summarize arg_max(LastModifiedTime, *) by IncidentNumber\r\n| where Status == \"New\" or Status == \"Active\"\r\n| where isnotempty(Owner.assignedTo) \r\n| distinct tostring(Owner.assignedTo)\r\n", - "value": [ - "value::all" - ], - "typeSettings": { - "additionalResourceOptions": [ - "value::all" - ], - "selectAllValue": "All" - }, - "timeContext": { - "durationMs": 5184000000 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - } - ], - "style": "pills", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "conditionalVisibility": { - "parameterName": "UserName", - "comparison": "isNotEqualTo", - "value": "None" - }, - "name": "parameters - 14" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "let GetUserAlert = SecurityAlert\r\n| where TimeGenerated {TimeRange:query}\r\n| summarize arg_max(TimeGenerated,*) by SystemAlertId\r\n| where Entities contains \"account\"\r\n| extend SelectedAccountUPN = tolower(tostring('{SelectedUser}')),\r\n SelectedName = tolower(tostring('{UserName}')),\r\n SelectAAD = tolower(tostring('{UserObjectId}')),\r\n SelectSID = tolower(tostring('{UserSid}'))\r\n| mv-expand todynamic(Entities)\r\n| where Entities[\"Type\"] =~ \"account\"\r\n| extend Name = tostring(tolower(Entities[\"Name\"])), NTDomain = tostring(Entities[\"NTDomain\"]), UPNSuffix = tostring(Entities[\"UPNSuffix\"]), AadUserId = tostring(Entities[\"AadUserId\"]), AadTenantId = tostring(Entities[\"AadTenantId\"]), \r\n Sid = tostring(Entities[\"Sid\"]), IsDomainJoined = tobool(Entities[\"IsDomainJoined\"]) , Host = tostring(Entities[\"Host\"])\r\n| extend UPN = iff(Name != \"\" and UPNSuffix != \"\", strcat(Name, \"@\", UPNSuffix), \"\")\r\n| where (Name == SelectedName and SelectedName != \"\" ) or (UPN == SelectedAccountUPN and SelectedAccountUPN != \"\") or (AadUserId == SelectAAD and SelectAAD != 
\"\") or (Sid == SelectSID and SelectSID != \"\")\r\n| serialize Id = tostring(row_number())\r\n| project TimeGenerated, Title=DisplayName, Sid,Severity=AlertSeverity, Description, ProviderName, ProductName, SystemAlertId, Id;\r\nlet MapAlertsToIncidents = SecurityIncident\r\n| where TimeGenerated {TimeRange:query}\r\n| summarize arg_max(LastModifiedTime, *) by IncidentNumber\r\n| where Status == \"New\" or Status == \"Active\"\r\n| serialize Id = tostring(IncidentNumber)\r\n| mv-expand AlertIds\r\n| extend AlertId = tostring(AlertIds)\r\n| join kind=innerunique (GetUserAlert) on $left.AlertId == $right.SystemAlertId\r\n| project TimeGenerated=TimeGenerated1, Title=Title1, Severity=Severity1,Description=Description1, ProviderName, ProductName, SystemAlertId,Id=Id1,ParentId=Id, IncidentNumber;\r\nlet IncidentAlertsCount = MapAlertsToIncidents\r\n| summarize AlertCount=count() by IncidentNumber\r\n| join kind=innerunique (SecurityIncident \r\n| where TimeGenerated {TimeRange:query}\r\n| summarize arg_max(LastModifiedTime, *) by IncidentNumber\r\n) on $left.IncidentNumber == $right.IncidentNumber\r\n| extend SecOpsOwner = Owner.assignedTo\r\n| project TimeGenerated, Title,Severity,Description,AlertCount,Status,Owner=SecOpsOwner,BookmarkIds,Comments,Labels,IncidentUrl,Id=tostring(IncidentNumber),ParentId=\"root\";\r\nlet IncidentsAndAlertsForUser = MapAlertsToIncidents \r\n| union IncidentAlertsCount;\r\nIncidentsAndAlertsForUser\r\n| where (Severity == {Severity:value} or {Severity:value} == 'All') and (Status == {Status:value} or {Status:value} == 'All') and (Owner == {Owner:value} or {Owner:value} == 'All')\r\n| sort by AlertCount desc\r\n| project TimeGenerated, Title, AlertCount, Description, Severity, Status, Owner, BookmarkIds, Comments, Labels, IncidentUrl, Id, ParentId\r\n\r\n\r\n\r\n", - "size": 1, - "showAnalytics": true, - "noDataMessage": "No incidents associated with this user", - "noDataMessageStyle": 3, - "timeContext": { - "durationMs": 2419200000 + ] 
}, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table", - "gridSettings": { - "formatters": [ - { - "columnMatch": "AlertCount", - "formatter": 8, - "formatOptions": { - "palette": "grayBlue" - } + "name": "RankingTabParameterDefinition" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Top users to investigate - by Incidents, alerts & anomalies" + }, + "conditionalVisibility": { + "parameterName": "rankingTab", + "comparison": "isEqualTo", + "value": "Users" + }, + "name": "UserGroupTopIncidents - Title Text" }, { - "columnMatch": "Severity", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ + "type": 1, + "content": { + "json": "Click on a user from the list below to view incidents and anomalies where the user is present", + "style": "info" + }, + "conditionalVisibilities": [ + { + "parameterName": "rankingTab", + "comparison": "isEqualTo", + "value": "Users" + }, + { + "parameterName": "Help", + "comparison": "isEqualTo", + "value": "Yes" + } + ], + "name": "UserGroupTopIncidents - Intro Text " + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let TopUsersByAnomalies = Anomalies\r\n| mv-expand Entities\r\n| where tostring(Entities) contains '\"Type\":\"account\"'\r\n| project AadUserId=tostring(Entities.AadUserId), DisplayName=tostring(Entities.DisplayName), OriginalName=tostring(Entities.Name), AnomalyUPNSuffix=tostring(Entities.AnomalyUPNSuffix), OriginalUPNSuffix=tostring(Entities.UPNSuffix)\r\n| extend Name = iff(OriginalName contains '@', extract('(.*)@', 1, OriginalName), OriginalName), UPNSuffix = iff(OriginalUPNSuffix != \"\", OriginalUPNSuffix, extract('(.*)@(.*)', 2, OriginalName))\r\n| summarize hint.strategy = shuffle AnomalyCount=count() by AadUserId, DisplayName, Name, 
AnomalyUPNSuffix, UPNSuffix;\r\nlet TopUsers = SecurityIncident\r\n| summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\r\n| mv-expand AlertIds\r\n| project IncidentNumber, AlertId = tostring(AlertIds), TimeGenerated\r\n| join kind= innerunique ( \r\nSecurityAlert\r\n| mv-expand todynamic(Entities)\r\n| where Entities[\"Type\"] =~ \"account\"\r\n| project SystemAlertId, OriginalName = tostring(tolower(Entities.Name)), OriginalUPNSuffix = tostring(Entities.UPNSuffix), AadUserId = tostring(Entities.AadUserId)\r\n | extend Name = iff(OriginalName contains '@', extract('(.*)@', 1, OriginalName), OriginalName), UPNSuffix = iff(OriginalUPNSuffix != \"\", OriginalUPNSuffix, extract('(.*)@(.*)', 2, OriginalName))\r\n | project-away OriginalName, OriginalUPNSuffix\r\n) on $left.AlertId == $right.SystemAlertId\r\n| union TopUsersByAnomalies\r\n| summarize hint.strategy = shuffle IncidentCount=dcount(IncidentNumber), AlertCount=dcount(AlertId), AnomalyCount=sum(AnomalyCount), AadUserId = make_set_if(AadUserId, AadUserId != \"\") by Name, UPNSuffix;\r\nTopUsers\r\n| sort by IncidentCount, AlertCount, AnomalyCount desc", + "size": 0, + "title": "Top users by incidents, alerts and anomalies", + "timeContextFromParameter": "TimeRange", + "exportedParameters": [ { - "operator": "==", - "thresholdValue": "Low", - "representation": "yellow", - "text": "{0}{1}" + "fieldName": "Name", + "parameterName": "UserName", + "parameterType": 1 }, { - "operator": "==", - "thresholdValue": "Medium", - "representation": "orange", - "text": "{0}{1}" + "fieldName": "AadUserId", + "parameterName": "UserObjectId", + "parameterType": 1 }, { - "operator": "==", - "thresholdValue": "High", - "representation": "redBright", - "text": "{0}{1}" + "fieldName": "UPNSuffix", + "parameterName": "UserUPN", + "parameterType": 1 + } + ], + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": 
"IncidentCount", + "formatter": 8, + "formatOptions": { + "min": 1, + "palette": "redDark" + } + }, + { + "columnMatch": "AlertCount", + "formatter": 8, + "formatOptions": { + "palette": "redDark" + } + }, + { + "columnMatch": "AnomalyCount", + "formatter": 8, + "formatOptions": { + "palette": "redDark" + } + }, + { + "columnMatch": "AadUserId", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + }, + "emptyValCustomText": "None available" + } + } + ], + "rowLimit": 1000, + "filter": true, + "sortBy": [ + { + "itemKey": "$gen_heatmap_AnomalyCount_4", + "sortOrder": 2 + } + ] + }, + "sortBy": [ + { + "itemKey": "$gen_heatmap_AnomalyCount_4", + "sortOrder": 2 + } + ] + }, + "conditionalVisibility": { + "parameterName": "rankingTab", + "comparison": "isEqualTo", + "value": "Users" + }, + "name": "UserGroupTopIncidents - Overview Query" + }, + { + "type": 1, + "content": { + "json": "Select a user to view Incidents & Alerts & Anomalies breakdown", + "style": "upsell" + }, + "conditionalVisibility": { + "parameterName": "UserName", + "comparison": "isEqualTo", + "value": "None" + }, + "name": "UserGroupTopIncidents - Select user text" + }, + { + "type": 1, + "content": { + "json": "## Incidents Breakdown: {UserName}\r\n---\r\n" + }, + "conditionalVisibility": { + "parameterName": "UserName", + "comparison": "isNotEqualTo", + "value": "None" + }, + "name": "UserGroupTopIncidents - Selected User Text Incident" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "f3097a1b-3aad-4a82-8a8a-19e2725b4ecb", + "version": "KqlParameterItem/1.0", + "name": "Severity", + "type": 2, + "isRequired": true, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\"Low\",\"Medium\",\"High\", \"All\"]", + "timeContext": { + "durationMs": 86400000 + }, + "value": "All" }, { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - 
"text": "{0}{1}" + "id": "994e7321-0462-4367-aae3-a69c6d61bf26", + "version": "KqlParameterItem/1.0", + "name": "Status", + "type": 2, + "isRequired": true, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\"New\",\"Active\", \"All\"]", + "timeContext": { + "durationMs": 86400000 + }, + "value": "All" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": "UserName", + "comparison": "isNotEqualTo", + "value": "None" + }, + "name": "UserGroupTopIncidents - Parameter Incident Selection" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let IncidentUser = SecurityIncident\r\n| summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\r\n| mv-expand AlertIds\r\n| extend AlertId = tostring(AlertIds), SecOpsOwner=tostring(Owner.assignedTo)\r\n| join kind= innerunique ( \r\nSecurityAlert\r\n| mv-expand todynamic(Entities)\r\n| where Entities[\"Type\"] =~ \"account\"\r\n| project SystemAlertId, OriginalName = tostring(tolower(Entities.Name)), OriginalUPNSuffix = tostring(Entities.UPNSuffix), AadUserId = tostring(Entities.AadUserId)\r\n| extend Name = iff(OriginalName contains '@', extract('(.*)@', 1, OriginalName), OriginalName), UPNSuffix = iff(OriginalUPNSuffix != \"\", OriginalUPNSuffix, extract('(.*)@(.*)', 2, OriginalName))\r\n| project-away OriginalName, OriginalUPNSuffix\r\n) on $left.AlertId == $right.SystemAlertId\r\n| where (Name == '{UserName}' and Name != \"\" and UPNSuffix == '{UserUPN}') or (AadUserId == '{UserObjectId}')\r\n| where (Severity == '{Severity:value}' or '{Severity:value}' == \"All\") and (Status == '{Status:value}' or '{Status:value}' == \"All\");\r\nIncidentUser\r\n| summarize AlertCount=count(SystemAlertId) by TimeGenerated, Title, Description, Severity, Status, SecOpsOwner, IncidentUrl, IncidentNumber", + "size": 0, + 
"timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "Low", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "High", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Informational", + "representation": "gray", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Status", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "New", + "representation": "2", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Active", + "representation": "pending", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Closed", + "representation": "stopped", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Owner", + "formatter": 5 + }, + { + "columnMatch": "IncidentUrl", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkIsContextBlade": false + } + }, + { + "columnMatch": "AlertCount", + "formatter": 8, + "formatOptions": { + "min": 1, + "palette": "orangeDark" + } + }, + { + "columnMatch": "Comments", + "formatter": 7, + "formatOptions": { + "linkIsContextBlade": true + } + }, + { + "columnMatch": "Labels", + "formatter": 7, + "formatOptions": { + "linkIsContextBlade": true + } + } + ], + "sortBy": [ + { + "itemKey": "TimeGenerated", + "sortOrder": 
1 + } + ] + }, + "sortBy": [ + { + "itemKey": "TimeGenerated", + "sortOrder": 1 } ] - } + }, + "conditionalVisibility": { + "parameterName": "UserName", + "comparison": "isNotEqualTo", + "value": "None" + }, + "name": "UserGroupTopIncidents - User Incident Close Up" }, { - "columnMatch": "Id", - "formatter": 5 + "type": 1, + "content": { + "json": "## Anomalies Breakdown: {UserName}\r\n---\r\n" + }, + "conditionalVisibility": { + "parameterName": "UserName", + "comparison": "isNotEqualTo", + "value": "None" + }, + "name": "UserGroupTopIncidents - Selected User Text Anomaly" }, { - "columnMatch": "Comments", - "formatter": 7, - "formatOptions": { - "linkTarget": "CellDetails", - "linkIsContextBlade": true - } + "type": 1, + "content": { + "json": "Select an anomaly to view all the related details below", + "style": "info" + }, + "conditionalVisibilities": [ + { + "parameterName": "Help", + "comparison": "isEqualTo", + "value": "Yes" + }, + { + "parameterName": "rankingTab", + "comparison": "isEqualTo", + "value": "Users" + } + ], + "name": "Anomalies help" }, { - "columnMatch": "Labels", - "formatter": 7, - "formatOptions": { - "linkTarget": "CellDetails", - "linkIsContextBlade": true - } + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "Anomalies\r\n| mv-expand Entities\r\n| where tostring(Entities) contains '\"Type\":\"account\"'\r\n| extend AadUserId=tostring(Entities.AadUserId), DisplayName=tostring(Entities.DisplayName), OriginalName=tostring(Entities.Name), AnomalyUPNSuffix=tostring(Entities.AnomalyUPNSuffix), OriginalUPNSuffix=tostring(Entities.UPNSuffix)\r\n| extend Name = iff(OriginalName contains '@', extract('(.*)@', 1, OriginalName), OriginalName), UPNSuffix = iff(OriginalUPNSuffix != \"\", OriginalUPNSuffix, extract('(.*)@(.*)', 2, OriginalName))\r\n| where (Name == '{UserName}' and Name != \"\" and UPNSuffix == '{UserUPN}') or (AadUserId == '{UserObjectId}')\r\n| project TimeGenerated, AnomalyRule=AnomalyTemplateName, Description, 
Score, RuleStatus, Tactics, Techniques, Entities, AnomalyReasons, AnomalyDetails, ExtendedProperties, ActivityInsights, DeviceInsights, UserInsights, ExtendedLinks\r\n", + "size": 1, + "noDataMessage": "No anomalies associated with this user", + "timeContextFromParameter": "TimeRange", + "exportedParameters": [ + { + "fieldName": "AnomalyReasons", + "parameterName": "AnomalyReasons", + "parameterType": 1 + }, + { + "fieldName": "AnomalyDetails", + "parameterName": "AnomalyDetails", + "parameterType": 1 + }, + { + "fieldName": "ActivityInsights", + "parameterName": "ActivityInsights", + "parameterType": 1 + }, + { + "fieldName": "ExtendedProperties", + "parameterName": "ExtendedProperties", + "parameterType": 1 + }, + { + "fieldName": "DeviceInsights", + "parameterName": "DeviceInsights", + "parameterType": 1 + }, + { + "fieldName": "UserInsights", + "parameterName": "UserInsights", + "parameterType": 1 + }, + { + "fieldName": "ExtendedLinks", + "parameterName": "ExtendedLinks", + "parameterType": 1 + } + ], + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Description", + "formatter": 7, + "formatOptions": { + "linkTarget": "CellDetails", + "linkIsContextBlade": true + } + }, + { + "columnMatch": "Score", + "formatter": 8, + "formatOptions": { + "min": 0, + "max": 1, + "palette": "purpleDark" + } + }, + { + "columnMatch": "RuleStatus", + "formatter": 1, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "Techniques", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "AnomalyDetails", + "formatter": 7, + "formatOptions": { + "linkTarget": "CellDetails", + "linkIsContextBlade": true + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + }, + "emptyValCustomText": "None available" + }, + "tooltipFormat": { + 
"tooltip": "JSON object containing general information about the rule and algorithm that generated the anomaly as well as explanations for the anomaly." + } + }, + { + "columnMatch": "AnomalyReasons", + "formatter": 7, + "formatOptions": { + "linkTarget": "CellDetails", + "linkIsContextBlade": true + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + }, + "emptyValCustomText": "None available" + }, + "tooltipFormat": { + "tooltip": "The detailed explanation of the generated anomaly as JSON." + } + }, + { + "columnMatch": "ExtendedProperties", + "formatter": 7, + "formatOptions": { + "linkTarget": "CellDetails", + "linkIsContextBlade": true + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + }, + "emptyValCustomText": "None available" + }, + "tooltipFormat": { + "tooltip": "JSON object with additional data on the anomaly as key-value pairs." + } + }, + { + "columnMatch": "ActivityInsights", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + }, + "emptyValCustomText": "None available" + }, + "tooltipFormat": { + "tooltip": "Insights about the activites corresponding to the generated anomaly as JSON." + } + }, + { + "columnMatch": "DeviceInsights", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + }, + "emptyValCustomText": "None available" + }, + "tooltipFormat": { + "tooltip": "Insights about the devices corresponding to the generated anomaly as JSON." + } + }, + { + "columnMatch": "UserInsights", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + }, + "emptyValCustomText": "None available" + }, + "tooltipFormat": { + "tooltip": "Insights about the users corresponding to the generated anomaly as JSON." 
+ } + }, + { + "columnMatch": "ExtendedLinks", + "formatter": 7, + "formatOptions": { + "linkTarget": "CellDetails", + "linkIsContextBlade": true + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + }, + "emptyValCustomText": "None available" + }, + "tooltipFormat": { + "tooltip": "List of links pointing to the data that generated the anomaly." + } + }, + { + "columnMatch": "TenantId", + "formatter": 5 + }, + { + "columnMatch": "Id", + "formatter": 5 + }, + { + "columnMatch": "WorkspaceId", + "formatter": 5 + }, + { + "columnMatch": "VendorName", + "formatter": 5 + }, + { + "columnMatch": "AnomalyTemplateId", + "formatter": 5 + }, + { + "columnMatch": "AnomalyTemplateVersion", + "formatter": 5 + }, + { + "columnMatch": "RuleId", + "formatter": 5 + }, + { + "columnMatch": "RuleName", + "formatter": 5 + }, + { + "columnMatch": "RuleConfigVersion", + "formatter": 5 + }, + { + "columnMatch": "StartTime", + "formatter": 5 + }, + { + "columnMatch": "EndTime", + "formatter": 5 + }, + { + "columnMatch": "UserPrincipalName", + "formatter": 5 + }, + { + "columnMatch": "SourceIpAddress", + "formatter": 5 + }, + { + "columnMatch": "SourceLocation", + "formatter": 5 + }, + { + "columnMatch": "SourceDevice", + "formatter": 5 + }, + { + "columnMatch": "DestinationIpAddress", + "formatter": 5 + }, + { + "columnMatch": "DestinationLocation", + "formatter": 5 + }, + { + "columnMatch": "DestinationDevice", + "formatter": 5 + }, + { + "columnMatch": "Type", + "formatter": 5 + }, + { + "columnMatch": "DisplayName", + "formatter": 1 + }, + { + "columnMatch": "OriginalName", + "formatter": 5 + }, + { + "columnMatch": "AnomalyUPNSuffix", + "formatter": 5 + }, + { + "columnMatch": "OriginalUPNSuffix", + "formatter": 5 + }, + { + "columnMatch": "Name", + "formatter": 5 + }, + { + "columnMatch": "UPNSuffix", + "formatter": 5 + } + ] + } + }, + "conditionalVisibility": { + "parameterName": "UserName", + "comparison": "isNotEqualTo", + "value": "None" + }, + "name": 
"UserGroupTopIncidents - User Anomaly Close Up " }, { - "columnMatch": "IncidentUrl", - "formatter": 7, - "formatOptions": { - "linkTarget": "Url" - } + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "{\"version\":\"1.0.0\",\"content\":\"{AnomalyReasons}\",\"transformers\":null}", + "size": 4, + "title": "User Anomalies - AnomalyReasons", + "queryType": 8, + "gridSettings": { + "formatters": [ + { + "columnMatch": "Value", + "formatter": 1 + }, + { + "columnMatch": "Type", + "formatter": 5 + }, + { + "columnMatch": "IsAnomalous", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "True", + "representation": "3", + "text": "Yes" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "No" + } + ] + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "TypicalObservations", + "formatter": 5 + }, + { + "columnMatch": "Anomalous?", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "True", + "representation": "3", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + } + ], + "sortBy": [ + { + "itemKey": "Name", + "sortOrder": 1 + } + ] + }, + "sortBy": [ + { + "itemKey": "Name", + "sortOrder": 1 + } + ] + }, + "customWidth": "50", + "conditionalVisibility": { + "parameterName": "rankingTab", + "comparison": "isEqualTo", + "value": "Users" + }, + "name": "User Anomalies - AnomalyReasons" }, { - "columnMatch": "ParentId", - "formatter": 5 + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "{\"version\":\"1.0.0\",\"content\":\"{DeviceInsights}\",\"transformers\":null}", + "size": 4, + "title": "User 
anomalies - DeviceInsights", + "noDataMessage": "None available", + "queryType": 8 + }, + "customWidth": "50", + "name": "User anomalies - DeviceInsights" } - ], - "rowLimit": 500, - "filter": true, - "hierarchySettings": { - "idColumn": "Id", - "parentColumn": "ParentId", - "treeType": 0, - "expanderColumn": "Title" - } + ] }, - "sortBy": [] - }, - "conditionalVisibility": { - "parameterName": "UserName", - "comparison": "isNotEqualTo", - "value": "None" - }, - "name": "query - 6 - Copy" - }, - { - "type": 1, - "content": { - "json": "## Anomalies Breakdown: [{SelectedUser}]()\r\n---\r\n" - }, - "conditionalVisibility": { - "parameterName": "UserName", - "comparison": "isNotEqualTo", - "value": "None" + "conditionalVisibility": { + "parameterName": "rankingTab", + "comparison": "isEqualTo", + "value": "Users" + }, + "name": "UserGroupTopIncidents" }, - "name": "text - 4 - Copy" - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "parameters": [ - { - "id": "98f0e009-27e3-451d-a105-5c40bc269c52", - "version": "KqlParameterItem/1.0", - "name": "AnomalyName", - "label": " Anoamly Name", - "type": 2, - "isRequired": true, - "multiSelect": true, - "quote": "'", - "delimiter": ",", - "value": [ - "value::all" - ], - "typeSettings": { - "additionalResourceOptions": [ - "value::all" - ], - "selectAllValue": "All" - }, - "jsonData": "[\"Anomalous Account Creation\",\r\n\"Anomalous Account Manipulation\",\r\n\"Anomalous Failed Logon\",\r\n\"Anomalous Geo Location Logon\",\r\n\"Anomalous Login to Devices\",\r\n\"Anomalous Password Reset\",\r\n\"Anomalous RDP Activity\",\r\n\"Anomalous Resource Access\",\r\n\"Anomalous Role Assignment\",\r\n\"Anomalous Sign-in Activity\"\r\n]", - "timeContext": { - "durationMs": 1209600000 - }, - "timeContextFromParameter": "TimeRange" - }, - { - "id": "d3c089ab-a356-40e6-af42-d33759981503", - "version": "KqlParameterItem/1.0", - "name": "Tactic", - "type": 2, - "isRequired": true, - "multiSelect": true, - "quote": 
"'", - "delimiter": ",", - "value": [ - "value::all" - ], - "typeSettings": { - "additionalResourceOptions": [ - "value::all" + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Top hosts to investigate - by Incidents, alerts & anomalies\r\n---\r\n" + }, + "conditionalVisibility": { + "parameterName": "rankingTab", + "comparison": "isEqualTo", + "value": "Hosts" + }, + "name": "UserGroupTopIncidents - Title Text" + }, + { + "type": 1, + "content": { + "json": "Clicking on an entity should load anomalies and incidents where the entity is present", + "style": "info" + }, + "conditionalVisibilities": [ + { + "parameterName": "rankingTab", + "comparison": "isEqualTo", + "value": "Hosts" + }, + { + "parameterName": "help", + "comparison": "isEqualTo", + "value": "yes" + } ], - "selectAllValue": "All" - }, - "jsonData": "[\"Initial Access\",\"Execution\",\"Persistence\",\"Privilege Escalation\",\"Defense Evasion\",\"Credential Access\",\"Discovery\",\"Lateral Movement\",\"Collection\", \"Command and Control\", \"Exfiltration\",\"Impact\"]\r\n\r\n\r\n", - "timeContext": { - "durationMs": 1209600000 - }, - "timeContextFromParameter": "TimeRange" - }, - { - "id": "f84c4293-3f2b-44aa-9b0e-402d449e8b6c", - "version": "KqlParameterItem/1.0", - "name": "AnomalyScore", - "label": "Anomaly Score", - "type": 2, - "isRequired": true, - "multiSelect": true, - "quote": "'", - "delimiter": ",", - "value": [ - "value::all" - ], - "typeSettings": { - "additionalResourceOptions": [ - "value::all" + "name": "UserGroupTopIncidents - Intro Text" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Currently there is no mapping for hosts\r\n//We know that in the following anomalies there is a host present: \"FirstTimeUserConnectedFromDevice\", \"DeviceUncommonlyUsedByUser\", \"DeviceUncommonlyUsedAmongPeers\", \"FirstTimeDeviceObservedInTenant\", 
\"DeviceUncommonlyUsedInTenant\"\r\n//We only look for \"DeviceUncommonlyUsedByUser\", \"DeviceUncommonlyUsedAmongPeers\", \"DeviceUncommonlyUsedInTenant\" though since the other two only state PII instead of the host itself\r\nlet Name = dynamic([\"DeviceUncommonlyUsedByUser\", \"DeviceUncommonlyUsedAmongPeers\", \"DeviceUncommonlyUsedInTenant\"]) ;\r\nlet TopHostsByAnomalies =\r\nAnomalies\r\n| mv-expand AnomalyReasons\r\n| where tostring(AnomalyReasons.Name) in (Name)\r\n| extend DeviceRegex = tostring(extract(\"with ([A-Z0-9-]+) device\", 1, Description))\r\n| extend DeviceName = tolower(DeviceRegex)\r\n| summarize hint.strategy = shuffle AnomalyCount=count() by DeviceName;\r\nlet TopHostsIncidents = SecurityIncident\r\n| summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\r\n| mv-expand AlertIds\r\n| project IncidentNumber, AlertId = tostring(AlertIds), TimeGenerated\r\n| join kind= innerunique ( \r\nSecurityAlert\r\n| mv-expand todynamic(Entities)\r\n| where Entities[\"Type\"] =~ \"host\"\r\n| project SystemAlertId, DeviceName = tostring(tolower(Entities.HostName))\r\n) on $left.AlertId == $right.SystemAlertId\r\n| union TopHostsByAnomalies\r\n| summarize IncidentCount=dcount(IncidentNumber), AlertCount=dcount(AlertId), AnomalyCount=sum(AnomalyCount) by DeviceName;\r\nTopHostsIncidents\r\n| where isnotempty(DeviceName)\r\n| sort by IncidentCount, AlertCount, AnomalyCount, DeviceName desc", + "size": 0, + "title": "Top hosts by incidents, alerts and anomalies", + "timeContextFromParameter": "TimeRange", + "exportFieldName": "DeviceName", + "exportParameterName": "Host", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "IncidentCount", + "formatter": 8, + "formatOptions": { + "min": 1, + "palette": "redDark" + } + }, + { + "columnMatch": "AlertCount", + "formatter": 8, + "formatOptions": { + "palette": "redDark" + } + }, + { + "columnMatch": 
"AnomalyCount", + "formatter": 8, + "formatOptions": { + "palette": "redDark" + } + }, + { + "columnMatch": "AadUserId", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + }, + "emptyValCustomText": "None available" + } + } + ], + "filter": true, + "sortBy": [ + { + "itemKey": "$gen_heatmap_AnomalyCount_3", + "sortOrder": 2 + } + ] + }, + "sortBy": [ + { + "itemKey": "$gen_heatmap_AnomalyCount_3", + "sortOrder": 2 + } + ] + }, + "conditionalVisibility": { + "parameterName": "rankingTab", + "comparison": "isEqualTo", + "value": "Hosts" + }, + "name": "HostsGroupTopIncidents - Overview Query" + }, + { + "type": 1, + "content": { + "json": "Select a host to view Incidents & Alerts & Anomalies breakdown", + "style": "upsell" + }, + "conditionalVisibility": { + "parameterName": "Host", + "comparison": "isEqualTo", + "value": "None" + }, + "name": "UserGroupTopIncidents - Select user text" + }, + { + "type": 1, + "content": { + "json": "## Incidents Breakdown: {UserName}\r\n---\r\n" + }, + "conditionalVisibility": { + "parameterName": "UserName", + "comparison": "isNotEqualTo", + "value": "None" + }, + "name": "UserGroupTopIncidents - Selected User Text Incident" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "f3097a1b-3aad-4a82-8a8a-19e2725b4ecb", + "version": "KqlParameterItem/1.0", + "name": "Severity", + "type": 2, + "isRequired": true, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\"Low\",\"Medium\",\"High\", \"All\"]", + "timeContext": { + "durationMs": 86400000 + }, + "value": "All" + }, + { + "id": "994e7321-0462-4367-aae3-a69c6d61bf26", + "version": "KqlParameterItem/1.0", + "name": "Status", + "type": 2, + "isRequired": true, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\"New\",\"Active\", \"All\"]", + "timeContext": { + "durationMs": 86400000 + }, + "value": 
"All" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": "UserName", + "comparison": "isNotEqualTo", + "value": "None" + }, + "name": "UserGroupTopIncidents - Parameter Incident Selection" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let IncidentswithHosts = SecurityIncident\r\n| summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\r\n| mv-expand AlertIds\r\n| extend AlertId = tostring(AlertIds), SecOpsOwner=tostring(Owner.assignedTo)\r\n| join kind= innerunique ( \r\nSecurityAlert\r\n| mv-expand todynamic(Entities)\r\n| where Entities[\"Type\"] =~ \"host\"\r\n| project SystemAlertId, HostEntity = tostring(tolower(Entities.HostName))\r\n) on $left.AlertId == $right.SystemAlertId\r\n| where (HostEntity == '{Host}' and HostEntity != \"\")\r\n| where (Severity == '{Severity:value}' or '{Severity:value}' == \"All\") and (Status == '{Status:value}' or '{Status:value}' == \"All\");\r\nIncidentswithHosts\r\n| summarize AlertCount=count(SystemAlertId) by TimeGenerated, Title, Description, Severity, Status, SecOpsOwner, IncidentUrl, IncidentNumber", + "size": 0, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "Low", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "High", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Informational", + "representation": "gray", + "text": "{0}{1}" + }, + { + "operator": "Default", + 
"thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Status", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "New", + "representation": "2", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Active", + "representation": "pending", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Closed", + "representation": "stopped", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Owner", + "formatter": 5 + }, + { + "columnMatch": "IncidentUrl", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkIsContextBlade": false + } + }, + { + "columnMatch": "AlertCount", + "formatter": 8, + "formatOptions": { + "min": 1, + "palette": "orangeDark" + } + }, + { + "columnMatch": "Comments", + "formatter": 7, + "formatOptions": { + "linkIsContextBlade": true + } + }, + { + "columnMatch": "Labels", + "formatter": 7, + "formatOptions": { + "linkIsContextBlade": true + } + } + ], + "sortBy": [ + { + "itemKey": "$gen_heatmap_AlertCount_8", + "sortOrder": 2 + } + ] + }, + "sortBy": [ + { + "itemKey": "$gen_heatmap_AlertCount_8", + "sortOrder": 2 + } + ] + }, + "conditionalVisibility": { + "parameterName": "Host", + "comparison": "isNotEqualTo", + "value": "None" + }, + "name": "HostTopIncidents - Host Incident Close Up" + }, + { + "type": 1, + "content": { + "json": "## Anomalies Breakdown: {UserName}\r\n---\r\n" + }, + "conditionalVisibility": { + "parameterName": "UserName", + "comparison": "isNotEqualTo", + "value": "None" + }, + "name": "UserGroupTopIncidents - Selected User Text Anomaly" + }, + { + "type": 1, + "content": { + "json": "Currently, hosts are not mapped as entities in anomalies. 
In this workbook, they are being extracted from the Anomaly description.", + "style": "warning" + }, + "conditionalVisibility": { + "parameterName": "rankingTab", + "comparison": "isEqualTo", + "value": "Hosts" + }, + "name": "Host anomalies warning" + }, + { + "type": 1, + "content": { + "json": "Hover over each field on the anomalies below to see what it means", + "style": "info" + }, + "conditionalVisibilities": [ + { + "parameterName": "Help", + "comparison": "isEqualTo", + "value": "Yes" + }, + { + "parameterName": "rankingTab", + "comparison": "isEqualTo", + "value": "Hosts" + } ], - "selectAllValue": "All" - }, - "jsonData": "[\"0\",\"1\",\"2\",\"3\",\"4\",\"5\",\"6\",\"7\",\"8\",\"9\",\"10\"]", - "timeContext": { - "durationMs": 7776000000 - }, - "timeContextFromParameter": "TimeRange" - } - ], - "style": "pills", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "conditionalVisibility": { - "parameterName": "UserName", - "comparison": "isNotEqualTo", - "value": "None" - }, - "name": "parameters - 15" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "let AnomalousSigninActivity = BehaviorAnalytics\r\n| where TimeGenerated {TimeRange:query}\r\n| where ActionType == \"Sign-in\"\r\n| where (UsersInsights.NewAccount == True or UsersInsights.DormantAccount == True) and (\r\n ActivityInsights.FirstTimeUserAccessedResource == True and ActivityInsights.ResourceUncommonlyAccessedAmongPeers == True\r\nor ActivityInsights.FirstTimeUserUsedApp == True and ActivityInsights.AppUncommonlyUsedAmongPeers == False)\r\n| join (\r\nSigninLogs | where TimeGenerated {TimeRange:query} | where Status.errorCode == 0 or Status.errorCode == 0 and RiskDetail != \"none\"\r\n) on $left.SourceRecordId == $right._ItemId\r\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName contains 
\"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\r\n| extend AnomalyName = \"Anomalous Successful Logon\",\r\n Tactic = \"Persistence\",\r\n Technique = \"Valid Accounts\",\r\n SubTechnique = \"\",\r\n Description = \"Successful Sign-in with one or more of the following indications: sign by new or recently dormant accounts and sign in with resource for the first time (while none of their peers did) or to an app for the first time (while none of their peers did) or performed by a user with Risk indicaiton from AAD\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights, ResourceDisplayName,AppDisplayName,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \r\nlet critical = dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3','c4e39bd9-1100-46d3-8c65-fb160da0071f','158c047a-c907-4556-b7ef-446551a6b5f7','62e90394-69f5-4237-9190-012177145e10','d29b2b05-8046-44ba-8758-1e26182fcf32','729827e3-9c14-49f7-bb1b-9608f156bbb8','966707d0-3269-4727-9be2-8c3a10f19b9d','194ae4cb-b126-40b2-bd5b-6091b380977d','fe930be7-5e62-47db-91af-98c3a49a38b1']);\r\nlet high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c','7495fdc4-34c4-4d15-a289-98788ce399fd','aaf43236-0c0d-4d5f-883a-6955382ac081','3edaf663-341e-4475-9f94-5c398ef6c070','7698a772-787b-4ac8-901f-60d6b08affd2','b1be1c3e-b65d-4f19-8427-f6fa0d97feb9','9f06204d-73c1-4d4c-880a-6edb90606fd8','29232cdf-9323-42fd-ade2-1d097af3e4de','be2f45a1-457d-42af-a067-6ec1fa63bc45','7be44c8a-adaf-4e2a-84d6-ab2649e08a13','e8611ab8-c189-46e8-94e1-60213ab1f814']);\r\nlet AnomalousRoleAssignment = AuditLogs\r\n| where TimeGenerated {TimeRange:query}\r\n| where OperationName == \"Add member to role\"\r\n| mv-expand TargetResources\r\n| extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\r\n| where isnotempty(RoleId) 
and RoleId in (critical,high)\r\n| extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\r\n| where isnotempty(RoleName)\r\n| extend TargetId = tostring(TargetResources.id)\r\n| extend Target = tostring(TargetResources.userPrincipalName)\r\n| join kind=inner ( BehaviorAnalytics\r\n | where TimeGenerated {TimeRange:query}\r\n | where ActionType == \"Add member to role\"\r\n | where UsersInsights.BlasrRadius == \"High\" or ActivityInsights.FirstTimeUserPerformedAction == true\r\n) on $left._ItemId == $right.SourceRecordId\r\n| extend AnomalyName = \"Anomalous Role Assignemt\",\r\n Tactic = \"Persistence\",\r\n Technique = \"Account Manipulation\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privilleged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing Add member to priveleged role, or ones that add users for the first time.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,RoleName,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority;let LogOns=materialize(\r\nBehaviorAnalytics\r\n| where TimeGenerated {TimeRange:query}\r\n| where ActivityType == \"LogOn\");\r\nlet AnomalousResourceAccess = LogOns\r\n| where ActionType == \"ResourceAccess\"\r\n| where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\r\n| extend AnomalyName = \"Anomalous Resource Access\",\r\n Tactic = \"Lateral Movement\",\r\n Technique = \"\",\r\n SubTechnique = \"\",\r\n Description = \"Adversary may be trying to move through the environment. 
APT29 and APT32, for example, has used PtH & PtT techniques to lateral move around the network. The query below generates an output of all users performing an resource access (4624:3) to devices for the first time.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousRDPActivity = LogOns\r\n| where ActionType == \"RemoteInteractiveLogon\"\r\n| where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\r\n| extend AnomalyName = \"Anomalous RDP Activity\",\r\n Tactic = \"Lateral Movement\",\r\n Technique = \"\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. FIN10, for example, has used RDP to move laterally to systems in the victim environment. 
The query below generates an output of all users performing a remote interactive logon (4624:10) to a device for the first time.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousLogintoDevices = LogOns\r\n| where ActionType == \"InteractiveLogon\"\r\n| where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\r\n| where UsersInsights.DormantAccount == true or DevicesInsights.LocalAdmin == true\r\n| extend AnomalyName = \"Anomalous Login To Devices\",\r\n Tactic = \"Privilege Escalation\",\r\n Technique = \"Valid Accounts\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access and privilege escalation. 
The query below generates an output of all administator users performing an interactive logon (4624:2) to a device for the first time.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousPasswordReset = BehaviorAnalytics\r\n| where TimeGenerated {TimeRange:query}\r\n| where ActionType == \"Reset user password\"\r\n| where ActivityInsights.FirstTimeUserPerformedAction == \"True\"\r\n| join (\r\nAuditLogs\r\n | where TimeGenerated {TimeRange:query}\r\n | where OperationName == \"Reset user password\"\r\n) on $left.SourceRecordId == $right._ItemId\r\n| mv-expand TargetResources\r\n| extend Target = iff(tostring(TargetResources.userPrincipalName) contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(TargetResources.userPrincipalName, \"#\")[0])),TargetResources.userPrincipalName),tostring(TargetResources.userPrincipalName)\r\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\r\n| extend AnomalyName = \"Anomalous Password Reset\",\r\n Tactic = \"Impact\",\r\n Technique = \"Account Access Removal\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. LockerGoga, for example, has been observed changing account passwords and logging off current users. 
The query below generates an output of all users performing Reset user password for the first time.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority\r\n| sort by TimeGenerated desc;\r\nlet AnomalousGeoLocationLogon = BehaviorAnalytics\r\n| where TimeGenerated {TimeRange:query}\r\n| where ActionType == \"Sign-in\"\r\n| where ActivityInsights.FirstTimeUserConnectedFromCountry == True and (ActivityInsights.FirstTimeConnectionFromCountryObservedInTenant == True or ActivityInsights.CountryUncommonlyConnectedFromAmongPeers == True)\r\n| join (\r\nSigninLogs\r\n | where TimeGenerated {TimeRange:query}\r\n) on $left.SourceRecordId == $right._ItemId\r\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\r\n| extend AnomalyName = \"Anomalous Successful Logon\",\r\n Tactic = \"Initial Access\",\r\n Technique = \"Valid Accounts\",\r\n SubTechnique = \"\",\r\n Description = \"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access. 
The query below generates an output of successful Sign-in performed by a user from a new geo location he has never connected from before, and none of his peers as well.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights, ResourceDisplayName,AppDisplayName ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousFailedLogon = BehaviorAnalytics\r\n| where TimeGenerated {TimeRange:query}\r\n| where ActivityType == \"LogOn\"\r\n| where UsersInsights.BlastRadius == \"High\"\r\n| join (\r\n SigninLogs \r\n | where TimeGenerated {TimeRange:query}\r\n | where Status.errorCode == 50126\r\n) on $left.SourceRecordId == $right._ItemId\r\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\r\n| extend AnomalyName = \"Anomalous Failed Logon\",\r\n Tactic = \"Credential Access\",\r\n Technique = \"Brute Force\",\r\n SubTechnique = \"Password Guessing\",\r\n Description = \"Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Emotet, for example, has been observed using a hard coded list of passwords to brute force user accounts. 
The query below generates an output of all users with 'High' BlastRadius that perform failed Sign-in:Invalid username or password.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType,[\"Evidence\"]=ActivityInsights, ResourceDisplayName,AppDisplayName ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; \r\nlet AnomalousAADAccountManipulation = AuditLogs\r\n| where TimeGenerated {TimeRange:query}\r\n| where OperationName == \"Update user\"\r\n| mv-expand AdditionalDetails\r\n| where AdditionalDetails.key == \"UserPrincipalName\"\r\n| mv-expand TargetResources\r\n| extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\r\n| where isnotempty(RoleId) and RoleId in (critical,high)\r\n| extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\r\n| where isnotempty(RoleName)\r\n| extend TargetId = tostring(TargetResources.id)\r\n| extend Target = iff(tostring(TargetResources.userPrincipalName) contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(TargetResources.userPrincipalName, \"#\")[0])),TargetResources.userPrincipalName),tostring(TargetResources.userPrincipalName)\r\n| join kind=inner ( \r\n BehaviorAnalytics\r\n | where TimeGenerated {TimeRange:query}\r\n | where ActionType == \"Update user\"\r\n | where UsersInsights.BlasrRadius == \"High\" or ActivityInsights.FirstTimeUserPerformedAction == true\r\n) on $left._ItemId == $right.SourceRecordId\r\n| extend UserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName) \r\n| extend AnomalyName = \"Anomalous Account Manipulation\",\r\n Tactic = \"Persistence\",\r\n Technique = \"Account Manipulation\",\r\n SubTechnique = 
\"\",\r\n Description = \"Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privilleged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing 'Update user' (name change) to priveleged role, or ones that changed users for the first time.\"\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,RoleName,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority; let AnomalousAADAccountCreation = BehaviorAnalytics\r\n| where TimeGenerated {TimeRange:query}\r\n| where ActionType == \"Add user\"\r\n| where ActivityInsights.FirstTimeUserPerformedAction == True or ActivityInsights.FirstTimeActionPerformedInTenant == True or ActivityInsights.ActionUncommonlyPerformedAmongPeers == true\r\n| join(\r\nAuditLogs\r\n | where TimeGenerated {TimeRange:query} \r\n | where OperationName == \"Add user\"\r\n) on $left.SourceRecordId == $right._ItemId\r\n| mv-expand TargetResources\r\n| extend Target = iff(tostring(TargetResources.userPrincipalName) contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(TargetResources.userPrincipalName, \"#\")[0])),TargetResources.userPrincipalName),tostring(TargetResources.userPrincipalName)\r\n| extend DisplayName = tostring(UsersInsights.AccountDisplayName),\r\nUserPrincipalName = iff(UserPrincipalName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserPrincipalName),\r\nUserName = iff(UserName contains \"#EXT#\",replace(\"_\",\"@\",tostring(split(UserPrincipalName, \"#\")[0])),UserName)\r\n| extend AnomalyName = \"Anomalous Account Creation\",\r\n Tactic = \"Persistence\",\r\n Technique = 
\"Create Account\",\r\n SubTechnique = \"Cloud Account\",\r\n Description = \"Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system. The query below generates an output of all the users performing user creation for the first time and the target users that were created.\"\t\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\"TargetUser\"]=Target,[\"Evidence\"]=ActivityInsights ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights,[\"Anomaly Score\"]=InvestigationPriority\r\n| sort by TimeGenerated desc;\r\nlet AnomalyTable = union kind=outer AnomalousSigninActivity, AnomalousRoleAssignment, AnomalousResourceAccess, AnomalousRDPActivity, AnomalousPasswordReset, AnomalousLogintoDevices, AnomalousGeoLocationLogon, AnomalousAADAccountManipulation, AnomalousAADAccountCreation, AnomalousFailedLogon;\r\n\r\n\r\nlet GetUserAnomalies = AnomalyTable\r\n| extend SelectedAccountUPN = tolower(tostring('{SelectedUser}')),\r\n SelectedName = tolower(tostring('{UserName}')),\r\n SelectAAD = tolower(tostring('{UserObjectId}')),\r\n SelectSID = tolower(tostring('{UserSid}'))\r\n| where (tolower(UserName) == tolower(SelectedName) and SelectedName != \"\" ) or (tolower(UserPrincipalName) == tolower(SelectedAccountUPN) and SelectedAccountUPN != \"\") or (UsersInsights.AccountObjectId == SelectAAD and SelectAAD != \"\") or (UsersInsights.OnPremSid == SelectSID and SelectSID != \"\")\r\n| project TimeGenerated, AnomalyName,Tactic,Technique,SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, TargetUser,Evidence ,SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\"Anomaly Score\"], 
AccountObjectId=UsersInsights.AccountObjectId;\r\nGetUserAnomalies\r\n| where \"{AnomalyName:label}\" == 'All' or AnomalyName in ({AnomalyName})\r\n| where \"{Tactic:label}\" == 'All' or Tactic in ({Tactic})\r\n| where \"{AnomalyScore:label}\" == 'All' or [\"Anomaly Score\"] in ({AnomalyScore})\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n", - "size": 1, - "showAnalytics": true, - "noDataMessage": "No anomalies associated with this user", - "noDataMessageStyle": 3, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "exportFieldName": "Tactic", - "exportParameterName": "TacticM", - "exportDefaultValue": "None", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table", - "gridSettings": { - "formatters": [ - { - "columnMatch": "Description", - "formatter": 7, - "formatOptions": { - "linkTarget": "CellDetails", - "linkIsContextBlade": true - } + "name": "Host anomalies help" }, { - "columnMatch": "Id", - "formatter": 5 + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Currently there is no mapping for hosts\r\n//We know that in the following anomalies there is a host present: \"FirstTimeUserConnectedFromDevice\", \"DeviceUncommonlyUsedByUser\", \"DeviceUncommonlyUsedAmongPeers\", \"FirstTimeDeviceObservedInTenant\", \"DeviceUncommonlyUsedInTenant\"\r\n//We only look for \"DeviceUncommonlyUsedByUser\", \"DeviceUncommonlyUsedAmongPeers\", \"DeviceUncommonlyUsedInTenant\" though since the other two only state PII instead of the host itself\r\nlet Name = dynamic([\"DeviceUncommonlyUsedByUser\", \"DeviceUncommonlyUsedAmongPeers\", \"DeviceUncommonlyUsedInTenant\"]) ;\r\nAnomalies\r\n| mv-expand AnomalyReasons\r\n| where tostring(AnomalyReasons.Name) in (Name)\r\n| extend DeviceName = tostring(extract(\"with ([A-Z0-9-]+) device\", 1, Description))\r\n| project TimeGenerated, Anomaly=Description, Score, RuleStatus, Tactics, Techniques, Entities, AnomalyDetails, AnomalyReasons, 
ExtendedProperties, ActivityInsights, DeviceInsights, UserInsights, ExtendedLinks\r\n", + "size": 1, + "noDataMessage": "No anomalies associated with this host", + "timeContextFromParameter": "TimeRange", + "exportedParameters": [ + { + "fieldName": "AnomalyReasons", + "parameterName": "AnomalyReasons", + "parameterType": 1 + }, + { + "fieldName": "DeviceInsights", + "parameterName": "DeviceInsights", + "parameterType": 1 + } + ], + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Score", + "formatter": 8, + "formatOptions": { + "min": 0, + "max": 1, + "palette": "purpleDark" + } + }, + { + "columnMatch": "Techniques", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "AnomalyDetails", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + }, + "emptyValCustomText": "None available" + }, + "tooltipFormat": { + "tooltip": "JSON object containing general information about the rule and algorithm that generated the anomaly as well as explanations for the anomaly." + } + }, + { + "columnMatch": "AnomalyReasons", + "formatter": 7, + "formatOptions": { + "linkTarget": "CellDetails", + "linkIsContextBlade": true + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + }, + "emptyValCustomText": "None available" + }, + "tooltipFormat": { + "tooltip": "The detailed explanation of the generated anomaly as JSON." + } + }, + { + "columnMatch": "ExtendedProperties", + "formatter": 7, + "formatOptions": { + "linkTarget": "CellDetails", + "linkIsContextBlade": true + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + }, + "emptyValCustomText": "None available" + }, + "tooltipFormat": { + "tooltip": "JSON object with additional data on the anomaly as key-value pairs." 
+ } + }, + { + "columnMatch": "ExtendedLinks", + "formatter": 7, + "formatOptions": { + "linkTarget": "CellDetails", + "linkIsContextBlade": true + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + }, + "emptyValCustomText": "None available" + }, + "tooltipFormat": { + "tooltip": "List of links pointing to the data that generated the anomaly." + } + }, + { + "columnMatch": "ActivityInsights", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + }, + "emptyValCustomText": "None available" + }, + "tooltipFormat": { + "tooltip": "Insights about the activites corresponding to the generated anomaly as JSON." + } + }, + { + "columnMatch": "DeviceInsights", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + }, + "emptyValCustomText": "None available" + }, + "tooltipFormat": { + "tooltip": "Insights about the devices corresponding to the generated anomaly as JSON." + } + }, + { + "columnMatch": "UserInsights", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + }, + "emptyValCustomText": "None available" + }, + "tooltipFormat": { + "tooltip": "Insights about the users corresponding to the generated anomaly as JSON." 
+ } + }, + { + "columnMatch": "TenantId", + "formatter": 5 + }, + { + "columnMatch": "Id", + "formatter": 5 + }, + { + "columnMatch": "WorkspaceId", + "formatter": 5 + }, + { + "columnMatch": "VendorName", + "formatter": 5 + }, + { + "columnMatch": "AnomalyTemplateId", + "formatter": 5 + }, + { + "columnMatch": "AnomalyTemplateVersion", + "formatter": 5 + }, + { + "columnMatch": "RuleId", + "formatter": 5 + }, + { + "columnMatch": "RuleName", + "formatter": 5 + }, + { + "columnMatch": "RuleConfigVersion", + "formatter": 5 + }, + { + "columnMatch": "Description", + "formatter": 7, + "formatOptions": { + "linkTarget": "CellDetails", + "linkIsContextBlade": true + } + }, + { + "columnMatch": "StartTime", + "formatter": 5 + }, + { + "columnMatch": "EndTime", + "formatter": 5 + }, + { + "columnMatch": "UserPrincipalName", + "formatter": 5 + }, + { + "columnMatch": "SourceIpAddress", + "formatter": 5 + }, + { + "columnMatch": "SourceLocation", + "formatter": 5 + }, + { + "columnMatch": "SourceDevice", + "formatter": 5 + }, + { + "columnMatch": "DestinationIpAddress", + "formatter": 5 + }, + { + "columnMatch": "DestinationLocation", + "formatter": 5 + }, + { + "columnMatch": "DestinationDevice", + "formatter": 5 + }, + { + "columnMatch": "Type", + "formatter": 5 + }, + { + "columnMatch": "DisplayName", + "formatter": 5 + }, + { + "columnMatch": "OriginalName", + "formatter": 5 + }, + { + "columnMatch": "AnomalyUPNSuffix", + "formatter": 5 + }, + { + "columnMatch": "OriginalUPNSuffix", + "formatter": 5 + }, + { + "columnMatch": "Name", + "formatter": 5 + }, + { + "columnMatch": "UPNSuffix", + "formatter": 5 + } + ] + } + }, + "conditionalVisibility": { + "parameterName": "UserName", + "comparison": "isNotEqualTo", + "value": "None" + }, + "name": "UserGroupTopIncidents - User Anomaly Close Up " }, { - "columnMatch": "IncidentUrl", - "formatter": 7, - "formatOptions": { - "linkTarget": "Url" - } + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": 
"{\"version\":\"1.0.0\",\"content\":\"{AnomalyReasons}\",\"transformers\":null}", + "size": 4, + "title": "Host Anomalies - AnomalyReasons", + "queryType": 8, + "gridSettings": { + "formatters": [ + { + "columnMatch": "Value", + "formatter": 1 + }, + { + "columnMatch": "Type", + "formatter": 5 + }, + { + "columnMatch": "IsAnomalous", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "True", + "representation": "3", + "text": "Yes" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "No" + } + ] + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "TypicalObservations", + "formatter": 5 + }, + { + "columnMatch": "Anomalous?", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "True", + "representation": "3", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + } + ], + "sortBy": [ + { + "itemKey": "Name", + "sortOrder": 1 + } + ] + }, + "sortBy": [ + { + "itemKey": "Name", + "sortOrder": 1 + } + ] + }, + "customWidth": "50", + "conditionalVisibility": { + "parameterName": "rankingTab", + "comparison": "isEqualTo", + "value": "Hosts" + }, + "name": "Host Anomalies - AnomalyReasons" }, { - "columnMatch": "ParentId", - "formatter": 5 + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "{\"version\":\"1.0.0\",\"content\":\"{DeviceInsights}\",\"transformers\":null}", + "size": 4, + "title": "Host anomalies - DeviceInsights", + "noDataMessage": "None available", + "queryType": 8 + }, + "customWidth": "50", + "name": "Host anomalies - DeviceInsights" } - ], - "filter": true + ] }, - "sortBy": [] - }, - 
"conditionalVisibility": { - "parameterName": "UserName", - "comparison": "isNotEqualTo", - "value": "None" - }, - "customWidth": "70", - "name": "query - 6 - Copy - Copy" - }, - { - "type": 1, - "content": { - "json": "### Lateral Movement\r\n\r\nThe adversary is trying to move through your environment.\r\n\r\nLateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier.\r\n\r\n[Learn More Here](https://attack.mitre.org/tactics/TA0008/)" - }, - "conditionalVisibility": { - "parameterName": "TacticM", - "comparison": "isEqualTo", - "value": "Lateral Movement" - }, - "customWidth": "30", - "name": "text - 13 - Copy" - }, - { - "type": 1, - "content": { - "json": "### Mitre Tactic Information\r\nClick on one of the anomalies to presents an overview of ATT&CK\r\n" - }, - "conditionalVisibility": { - "parameterName": "TacticM", - "comparison": "isEqualTo", - "value": "None" - }, - "customWidth": "30", - "name": "text - 13 - Copy - Copy" - }, - { - "type": 1, - "content": { - "json": "### Initial Access\r\n\r\nThe adversary is trying to get into your network.\r\n\r\nInitial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses on public-facing web servers. 
Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords.\r\n\r\n[Learn More Here](https://attack.mitre.org/tactics/TA0001/)" - }, - "conditionalVisibility": { - "parameterName": "TacticM", - "comparison": "isEqualTo", - "value": "Initial Access" - }, - "customWidth": "30", - "name": "text - 13" - }, - { - "type": 1, - "content": { - "json": "### Persistence\r\n\r\nThe adversary is trying to maintain their foothold.\r\n\r\nPersistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.\r\n\r\n[Learn More Here](https://attack.mitre.org/tactics/TA0003/)" - }, - "conditionalVisibility": { - "parameterName": "TacticM", - "comparison": "isEqualTo", - "value": "Persistence" - }, - "customWidth": "30", - "name": "text - 13 - Copy" - }, - { - "type": 1, - "content": { - "json": "### Discovery\r\n\r\nThe adversary is trying to figure out your environment.\r\n\r\nDiscovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. 
Native operating system tools are often used toward this post-compromise information-gathering objective.\r\n\r\n[Learn More Here](https://attack.mitre.org/tactics/TA0007/)" - }, - "conditionalVisibility": { - "parameterName": "TacticM", - "comparison": "isEqualTo", - "value": "Discovery" - }, - "customWidth": "30", - "name": "text - 13 - Copy - Copy - Copy - Copy" - }, - { - "type": 1, - "content": { - "json": "### Collection\r\n\r\nThe adversary is trying to gather data of interest to their goal.\r\n\r\nCollection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary's objectives. Frequently, the next goal after collecting data is to steal (exfiltrate) the data. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input.\r\n\r\n[Learn More Here](https://attack.mitre.org/tactics/TA0009/)" - }, - "conditionalVisibility": { - "parameterName": "TacticM", - "comparison": "isEqualTo", - "value": "Collection" + "conditionalVisibility": { + "parameterName": "rankingTab", + "comparison": "isEqualTo", + "value": "Hosts" + }, + "name": "HostsGroupTopIncidents" }, - "customWidth": "30", - "name": "text - 13 - Copy - Copy" - } - ], - "fromTemplateId": "sentinel-UserAndEntityBehaviorAnalytics", - "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" -} + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Top IPs to investigate - by Incidents, alerts & anomalies\r\n---\r\n" + }, + "conditionalVisibility": { + "parameterName": "rankingTab", + "comparison": "isEqualTo", + "value": "IPs" + }, + "name": "IPGroupTopIncidents - Title Text" + }, + { + "type": 1, + "content": { + "json": "Clicking on an entity should load 
anomalies and incidents where the entity is present", + "style": "info" + }, + "conditionalVisibilities": [ + { + "parameterName": "rankingTab", + "comparison": "isEqualTo", + "value": "IPs" + }, + { + "parameterName": "Help", + "comparison": "isEqualTo", + "value": "Yes" + } + ], + "name": "IPGroupTopIncidents - Intro Text" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let TopIPsByAnomalies= Anomalies\r\n| mv-expand Entities\r\n| where tostring(Entities) contains '\"Type\":\"ip\"'\r\n| project IPentity=tostring(Entities.Address)\r\n| summarize hint.strategy = shuffle AnomalyCount=count() by IPentity;\r\nlet TopIPs = SecurityIncident\r\n| summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\r\n| mv-expand AlertIds\r\n| project IncidentNumber, AlertId = tostring(AlertIds), TimeGenerated\r\n| join kind = innerunique ( \r\nSecurityAlert\r\n| mv-expand todynamic(Entities)\r\n| where Entities[\"Type\"] =~ \"ip\"\r\n| project SystemAlertId, IPentity = tostring(tolower(Entities.Address))\r\n) on $left.AlertId == $right.SystemAlertId\r\n| union TopIPsByAnomalies\r\n| summarize IncidentCount=dcount(IncidentNumber), AlertCount=dcount(AlertId), AnomalyCount=sum(AnomalyCount) by IPentity;\r\nTopIPs\r\n| sort by IncidentCount, AlertCount, AnomalyCount, IPentity desc", + "size": 0, + "title": "Top IPs by incidents, alerts and anomalies", + "timeContextFromParameter": "TimeRange", + "exportFieldName": "IPentity", + "exportParameterName": "IP", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "IncidentCount", + "formatter": 8, + "formatOptions": { + "min": 0, + "palette": "redDark" + } + }, + { + "columnMatch": "AlertCount", + "formatter": 8, + "formatOptions": { + "min": 0, + "palette": "redDark" + } + }, + { + "columnMatch": "AnomalyCount", + "formatter": 8, + "formatOptions": { + "min": 0, + "palette": "redDark" + } + }, + { + 
"columnMatch": "AadUserId", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + }, + "emptyValCustomText": "None available" + } + } + ], + "rowLimit": 1000, + "filter": true + }, + "sortBy": [] + }, + "conditionalVisibility": { + "parameterName": "rankingTab", + "comparison": "isEqualTo", + "value": "IPs" + }, + "name": "IPGroupTopIncidents - Overview Query" + }, + { + "type": 1, + "content": { + "json": "Select an IP to view Incidents & Alerts & Anomalies breakdown", + "style": "upsell" + }, + "conditionalVisibility": { + "parameterName": "IP", + "comparison": "isEqualTo", + "value": "None" + }, + "name": "IPGroupTopIncidents - Select IP text" + }, + { + "type": 1, + "content": { + "json": "## Incidents Breakdown: {UserName}\r\n---\r\n" + }, + "conditionalVisibility": { + "parameterName": "UserName", + "comparison": "isNotEqualTo", + "value": "None" + }, + "name": "UserGroupTopIncidents - Selected User Text Incident" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "f3097a1b-3aad-4a82-8a8a-19e2725b4ecb", + "version": "KqlParameterItem/1.0", + "name": "Severity", + "type": 2, + "isRequired": true, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\"Low\",\"Medium\",\"High\", \"All\"]", + "timeContext": { + "durationMs": 86400000 + }, + "value": "All" + }, + { + "id": "994e7321-0462-4367-aae3-a69c6d61bf26", + "version": "KqlParameterItem/1.0", + "name": "Status", + "type": 2, + "isRequired": true, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\"New\",\"Active\", \"All\"]", + "timeContext": { + "durationMs": 86400000 + }, + "value": "All" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": "UserName", + "comparison": "isNotEqualTo", + "value": "None" + }, + "name": 
"UserGroupTopIncidents - Parameter Incident Selection" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let IncidentIP = SecurityIncident\r\n| summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\r\n| mv-expand AlertIds\r\n| extend AlertId = tostring(AlertIds), SecOpsOwner=tostring(Owner.assignedTo)\r\n| join kind= innerunique ( \r\nSecurityAlert\r\n| mv-expand todynamic(Entities)\r\n| where Entities[\"Type\"] =~ \"ip\"\r\n| project SystemAlertId, IPEntity = tostring(tolower(Entities.Address))\r\n) on $left.AlertId == $right.SystemAlertId\r\n| where (IPEntity == '{IP}' and IPEntity != \"\")\r\n| where (Severity == '{Severity:value}' or '{Severity:value}' == \"All\") and (Status == '{Status:value}' or '{Status:value}' == \"All\");\r\nIncidentIP\r\n| summarize AlertCount=count(SystemAlertId) by TimeGenerated, Title, Description, Severity, Status, SecOpsOwner, IncidentUrl, IncidentNumber", + "size": 0, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "Low", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "High", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Informational", + "representation": "gray", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Status", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "New", + 
"representation": "2", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Active", + "representation": "pending", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Closed", + "representation": "stopped", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Owner", + "formatter": 5 + }, + { + "columnMatch": "IncidentUrl", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkIsContextBlade": false + } + }, + { + "columnMatch": "AlertCount", + "formatter": 8, + "formatOptions": { + "min": 1, + "palette": "orangeDark" + } + }, + { + "columnMatch": "Comments", + "formatter": 7, + "formatOptions": { + "linkIsContextBlade": true + } + }, + { + "columnMatch": "Labels", + "formatter": 7, + "formatOptions": { + "linkIsContextBlade": true + } + } + ], + "sortBy": [ + { + "itemKey": "$gen_heatmap_AlertCount_8", + "sortOrder": 2 + } + ] + }, + "sortBy": [ + { + "itemKey": "$gen_heatmap_AlertCount_8", + "sortOrder": 2 + } + ] + }, + "conditionalVisibility": { + "parameterName": "UserName", + "comparison": "isNotEqualTo", + "value": "None" + }, + "name": "UserGroupTopIncidents - User Incident Close Up" + }, + { + "type": 1, + "content": { + "json": "## Anomalies Breakdown: {UserName}\r\n---\r\n" + }, + "conditionalVisibility": { + "parameterName": "UserName", + "comparison": "isNotEqualTo", + "value": "None" + }, + "name": "UserGroupTopIncidents - Selected User Text Anomaly" + }, + { + "type": 1, + "content": { + "json": "Hover over each field on the anomalies below to see what it means", + "style": "info" + }, + "conditionalVisibilities": [ + { + "parameterName": "Help", + "comparison": "isEqualTo", + "value": "Yes" + }, + { + "parameterName": "rankingTab", + "comparison": "isEqualTo", + "value": "IPs" + } + ], + "name": "IP anomalies help" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + 
"query": "Anomalies\r\n| mv-expand Entities\r\n| where tostring(Entities) contains '\"Type\":\"ip\"'\r\n| extend IPentity=tostring(Entities.Address)\r\n| where (IPentity == '{IP}' and IPentity != \"\" )\r\n| project TimeGenerated, AnomalyRule=AnomalyTemplateName, Description, Score, RuleStatus, Tactics, Techniques, Entities, AnomalyDetails, AnomalyReasons, ExtendedProperties, ActivityInsights, DeviceInsights, UserInsights, ExtendedLinks\r\n", + "size": 1, + "noDataMessage": "No anomalies associated with this IP", + "timeContextFromParameter": "TimeRange", + "exportedParameters": [ + { + "fieldName": "AnomalyReasons", + "parameterName": "AnomalyReasons", + "parameterType": 1 + }, + { + "fieldName": "DeviceInsights", + "parameterName": "DeviceInsights", + "parameterType": 1 + } + ], + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Score", + "formatter": 8, + "formatOptions": { + "min": 0, + "max": 1, + "palette": "purpleDark" + } + }, + { + "columnMatch": "Techniques", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "AnomalyDetails", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + }, + "emptyValCustomText": "None available" + }, + "tooltipFormat": { + "tooltip": "JSON object containing general information about the rule and algorithm that generated the anomaly as well as explanations for the anomaly." + } + }, + { + "columnMatch": "AnomalyReasons", + "formatter": 7, + "formatOptions": { + "linkTarget": "CellDetails", + "linkIsContextBlade": true + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + }, + "emptyValCustomText": "None available" + }, + "tooltipFormat": { + "tooltip": "The detailed explanation of the generated anomaly as JSON." 
+ } + }, + { + "columnMatch": "ExtendedProperties", + "formatter": 7, + "formatOptions": { + "linkTarget": "CellDetails", + "linkIsContextBlade": true + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + }, + "emptyValCustomText": "None available" + }, + "tooltipFormat": { + "tooltip": "JSON object with additional data on the anomaly as key-value pairs." + } + }, + { + "columnMatch": "ExtendedLinks", + "formatter": 7, + "formatOptions": { + "linkTarget": "CellDetails", + "linkIsContextBlade": true + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + }, + "emptyValCustomText": "None available" + }, + "tooltipFormat": { + "tooltip": "List of links pointing to the data that generated the anomaly." + } + }, + { + "columnMatch": "ActivityInsights", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + }, + "emptyValCustomText": "None available" + }, + "tooltipFormat": { + "tooltip": "Insights about the activites corresponding to the generated anomaly as JSON." + } + }, + { + "columnMatch": "DeviceInsights", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + }, + "emptyValCustomText": "None available" + }, + "tooltipFormat": { + "tooltip": "Insights about the devices corresponding to the generated anomaly as JSON." + } + }, + { + "columnMatch": "UserInsights", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + }, + "emptyValCustomText": "None available" + }, + "tooltipFormat": { + "tooltip": "Insights about the users corresponding to the generated anomaly as JSON." 
+ } + }, + { + "columnMatch": "TenantId", + "formatter": 5 + }, + { + "columnMatch": "Id", + "formatter": 5 + }, + { + "columnMatch": "WorkspaceId", + "formatter": 5 + }, + { + "columnMatch": "VendorName", + "formatter": 5 + }, + { + "columnMatch": "AnomalyTemplateId", + "formatter": 5 + }, + { + "columnMatch": "AnomalyTemplateVersion", + "formatter": 5 + }, + { + "columnMatch": "RuleId", + "formatter": 5 + }, + { + "columnMatch": "RuleName", + "formatter": 5 + }, + { + "columnMatch": "RuleConfigVersion", + "formatter": 5 + }, + { + "columnMatch": "Description", + "formatter": 7, + "formatOptions": { + "linkTarget": "CellDetails", + "linkIsContextBlade": true + } + }, + { + "columnMatch": "StartTime", + "formatter": 5 + }, + { + "columnMatch": "EndTime", + "formatter": 5 + }, + { + "columnMatch": "UserPrincipalName", + "formatter": 5 + }, + { + "columnMatch": "SourceIpAddress", + "formatter": 5 + }, + { + "columnMatch": "SourceLocation", + "formatter": 5 + }, + { + "columnMatch": "SourceDevice", + "formatter": 5 + }, + { + "columnMatch": "DestinationIpAddress", + "formatter": 5 + }, + { + "columnMatch": "DestinationLocation", + "formatter": 5 + }, + { + "columnMatch": "DestinationDevice", + "formatter": 5 + }, + { + "columnMatch": "Type", + "formatter": 5 + }, + { + "columnMatch": "DisplayName", + "formatter": 5 + }, + { + "columnMatch": "OriginalName", + "formatter": 5 + }, + { + "columnMatch": "AnomalyUPNSuffix", + "formatter": 5 + }, + { + "columnMatch": "OriginalUPNSuffix", + "formatter": 5 + }, + { + "columnMatch": "Name", + "formatter": 5 + }, + { + "columnMatch": "UPNSuffix", + "formatter": 5 + } + ] + } + }, + "conditionalVisibility": { + "parameterName": "IP", + "comparison": "isNotEqualTo", + "value": "None" + }, + "name": "UserGroupTopIncidents - User Anomaly Close Up " + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "{\"version\":\"1.0.0\",\"content\":\"{AnomalyReasons}\",\"transformers\":null}", + "size": 4, + "title": "IP 
Anomalies - AnomalyReasons", + "queryType": 8, + "gridSettings": { + "formatters": [ + { + "columnMatch": "Value", + "formatter": 1 + }, + { + "columnMatch": "Type", + "formatter": 5 + }, + { + "columnMatch": "IsAnomalous", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "True", + "representation": "3", + "text": "Yes" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "No" + } + ] + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "TypicalObservations", + "formatter": 5 + }, + { + "columnMatch": "Anomalous?", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "True", + "representation": "3", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + } + ], + "sortBy": [ + { + "itemKey": "Name", + "sortOrder": 1 + } + ] + }, + "sortBy": [ + { + "itemKey": "Name", + "sortOrder": 1 + } + ] + }, + "customWidth": "50", + "conditionalVisibility": { + "parameterName": "rankingTab", + "comparison": "isEqualTo", + "value": "IPs" + }, + "name": "User Anomalies - AnomalyReasons" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "{\"version\":\"1.0.0\",\"content\":\"{DeviceInsights}\",\"transformers\":null}", + "size": 4, + "title": "User anomalies - DeviceInsights", + "noDataMessage": "None available", + "queryType": 8 + }, + "customWidth": "50", + "name": "IP anomalies - DeviceInsights" + } + ] + }, + "conditionalVisibility": { + "parameterName": "rankingTab", + "comparison": "isEqualTo", + "value": "IPs" + }, + "name": "UserGroupTopIncidentsIP " + } + ], + "fromTemplateId": 
"https://sentinelus.hosting.portal.azure.net/sentinelus/Content/1.0.02484.3403-231021-003920/Scenarios/Ecosystem/Content/Workbooks/CustomWorkbook.json",
+ "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
+ }
diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json
index b3554ad9ce..27737909a3 100644
--- a/Workbooks/WorkbooksMetadata.json
+++ b/Workbooks/WorkbooksMetadata.json
@@ -1810,14 +1810,14 @@
 "logoFileName": "Azure_Sentinel.svg",
 "description": "Identify compromised users and insider threats using User and Entity Behavior Analytics. Gain insights into anomalous user behavior from baselines learned from behavior patterns",
 "dataTypesDependencies": [
- "BehaviorAnalytics"
+ "Anomalies"
 ],
 "dataConnectorsDependencies": [],
 "previewImagesFileNames": [
- "UserEntityBehaviorAnalyticsBlack1.png",
- "UserEntityBehaviorAnalyticsWhite1.png"
+ "UserEntityBehaviorAnalyticsBlack2.png",
+ "UserEntityBehaviorAnalyticsWhite2.png"
 ],
- "version": "1.2.0",
+ "version": "2.0",
 "title": "User And Entity Behavior Analytics",
 "templateRelativePath": "UserEntityBehaviorAnalytics.json",
 "subtitle": "",
@@ -2283,7 +2283,7 @@
 ],
 "version": "1.0.0",
 "title": "Forcepoint Cloud Security Gateway Workbook",
- "templateRelativePath": "ForcepointCloudSecuirtyGatewayworkbook.json",
+ "templateRelativePath": "ForcepointCloudSecuirtyGateway.json",
 "subtitle": "",
 "provider": "Forcepoint"
 },
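Review bot: `"dataTypesDependencies"` now lists only `"Anomalies"`, but the rewritten workbook queries earlier in this diff (the "Top IPs" and IncidentIP items, for example) also read `SecurityIncident` and `SecurityAlert`; if the gallery uses this list to gate availability or warn about missing tables, those two should be declared as well, e.g. `"dataTypesDependencies": [ "Anomalies", "SecurityIncident", "SecurityAlert" ],`. The new `"version": "2.0"` also drops the three-component form the neighbouring entries visible here use (`"1.2.0"`, `"1.0.0"`); `"version": "2.0.0",` keeps the field consistent for anything that parses major.minor.patch. In the second hunk the corrected `templateRelativePath` points at `ForcepointCloudSecuirtyGateway.json`, a file that is not part of this diff, so confirm it exists under Workbooks/ before merging.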