Merge pull request #8343 from sschuur/Infoblox-3.0.0

Infoblox 3.0.0
Azure · Aug 24, 2023 · 0527617 · 0527617
2 parents aaac293 + 8b69371
commit 0527617
Show file tree

Hide file tree

Showing 38 changed files with 15,346 additions and 1,631 deletions.
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/InfobloxCDC.json b/.script/tests/KqlvalidationsTests/CustomTables/InfobloxCDC.json
@@ -40,6 +40,62 @@
         {
             "Name": "DestinationDnsDomain",
             "Type": "String"
+        },
+        {
+            "Name": "ThreatLevel",
+            "Type": "String"
+        },
+        {
+            "Name": "ThreatConfidence",
+            "Type": "Int"
+        },
+        {
+            "Name": "InfobloxThreatConfidence",
+            "Type": "Int"
+        },
+        {
+            "Name": "InfobloxB1FeedName",
+            "Type": "String"
+        },
+        {
+            "Name": "ThreatClass",
+            "Type": "String"
+        },
+        {
+            "Name": "ThreatProperty",
+            "Type": "String"
+        },
+        {
+            "Name": "DeviceAction",
+            "Type": "String"
+        },
+        {
+            "Name": "InfobloxB1PolicyName",
+            "Type": "String"
+        },
+        {
+            "Name": "SourceMACAddress",
+            "Type": "String"
+        },
+        {
+            "Name": "SourceUserName",
+            "Type": "String"
+        },
+        {
+            "Name": "InfobloxB1SrcOSVersion",
+            "Type": "String"
+        },
+        {
+            "Name": "InfobloxB1ConnectionType",
+            "Type": "String"
+        },
+        {
+            "Name": "InfobloxB1Network",
+            "Type": "String"
+        },
+        {
+            "Name": "AdditionalExtensionsParsedNested",
+            "Type": "Dynamic"
         }
     ]
-}
+}
diff --git a/Logos/infoblox_logo.svg b/Logos/infoblox_logo.svg
diff --git a/Sample Data/CEF/InfobloxCloudDataConnector-sampledata.csv b/Sample Data/CEF/InfobloxCloudDataConnector-sampledata.csv
diff --git a/Sample Data/Custom/InfobloxSampleTIMatch.csv b/Sample Data/Custom/InfobloxSampleTIMatch.csv
diff --git a/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-DataExfiltrationAttack.yaml b/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-DataExfiltrationAttack.yaml
@@ -0,0 +1,66 @@
+id: 8db2b374-0337-49bd-94c9-cfbf8e5d83ad
+name: Infoblox - Data Exfiltration Attack
+description: |
+  'Data exfiltration attack detected by Infoblox Threat Insight. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).'
+severity: Medium
+status: Available
+requiredDataConnectors:
+  - connectorId: InfobloxCloudDataConnector
+    dataTypes: 
+      - CommonSecurityLog (InfobloxCDC)
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Impact
+relevantTechniques:
+  - T1498
+  - T1565
+query: |
+  let threshold = 1;
+  InfobloxCDC
+  | where DeviceEventClassID has_cs "RPZ"
+  | where InfobloxB1FeedName == "Threat Insight - Data Exfiltration"
+  | summarize count() by SourceIP
+  | where count_ > threshold
+  | join kind=innerunique (InfobloxCDC
+    | where DeviceEventClassID has_cs "RPZ"
+    | where InfobloxB1FeedName == "Threat Insight - Data Exfiltration"
+    ) on SourceIP
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIP
+  - entityType: Host
+    fieldMappings:
+      - identifier: HostName
+        columnName: DeviceName
+      - identifier: OSVersion
+        columnName: InfobloxB1SrcOSVersion
+      - identifier: FullName
+        columnName: SourceUserName
+  - entityType: Malware
+    fieldMappings:
+      - identifier: Name
+        columnName: InfobloxB1FeedName
+      - identifier: Category
+        columnName: InfobloxB1FeedName
+customDetails:
+  SourceMACAddress: SourceMACAddress
+  InfobloxB1FeedName: InfobloxB1FeedName
+  InfobloxB1Network: InfobloxB1Network
+  InfobloxB1Action: InfobloxB1PolicyAction
+  InfobloxB1PolicyName: InfobloxB1PolicyName
+eventGroupingSettings:
+  aggregationKind: SingleAlert
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: true
+    reopenClosedIncident: true
+    lookbackDuration: 7d
+    matchingMethod: AllEntities
+version: 1.0.0
+kind: Scheduled
diff --git a/...ud Data Connector/Analytic Rules/Infoblox-HighNumberOfHighThreatLevelQueriesDetected.yaml b/...ud Data Connector/Analytic Rules/Infoblox-HighNumberOfHighThreatLevelQueriesDetected.yaml
diff --git a/...loud Data Connector/Analytic Rules/Infoblox-HighNumberOfNXDOMAINDNSResponsesDetected.yaml b/...loud Data Connector/Analytic Rules/Infoblox-HighNumberOfNXDOMAINDNSResponsesDetected.yaml
diff --git a/... Cloud Data Connector/Analytic Rules/Infoblox-HighThreatLevelQueryNotBlockedDetected.yaml b/... Cloud Data Connector/Analytic Rules/Infoblox-HighThreatLevelQueryNotBlockedDetected.yaml
@@ -1,12 +1,12 @@
 id: dc7af829-d716-4774-9d6f-03d9aa7c27a4
 name: Infoblox - High Threat Level Query Not Blocked Detected
 description: |
-  'This creates an incident in the event a single host generates at least 1 high threat level query (Threat Defense security hit) that is not blocked or redirected in 1 hour. Query count threshold and scheduling is customizable. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).'
+  'At least 1 high threat level query generated by single host in 1 hour that is not blocked or redirected. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Infoblox%20Cloud%20Data%20Connector/Parsers/InfobloxCDC.txt).'
 severity: Medium
 status: Available
 requiredDataConnectors:
   - connectorId: InfobloxCloudDataConnector
-    dataTypes:
+    dataTypes: 
       - CommonSecurityLog (InfobloxCDC)
 queryFrequency: 1h
 queryPeriod: 1h
@@ -26,19 +26,42 @@ query: |
   | summarize count() by SourceIP
   | where count_ > threshold
   | join kind=inner (InfobloxCDC
-      | where DeviceEventClassID has_cs "RPZ"
-      | where ThreatLevel_Score >=80
-      | where InfobloxB1PolicyAction == "Log" or SimplifiedDeviceAction == "PASSTHRU"
-      ) on SourceIP
-  | extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName
+    | where DeviceEventClassID has_cs "RPZ"
+    | where ThreatLevel_Score >=80
+    | where InfobloxB1PolicyAction == "Log" or SimplifiedDeviceAction == "PASSTHRU"
+    ) on SourceIP
 entityMappings:
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
+        columnName: SourceIP
   - entityType: Host
     fieldMappings:
       - identifier: HostName
-        columnName: HostCustomEntity
-version: 1.0.1
+        columnName: DeviceName
+      - identifier: OSVersion
+        columnName: InfobloxB1SrcOSVersion
+      - identifier: FullName
+        columnName: SourceUserName
+  - entityType: DNS
+    fieldMappings:
+      - identifier: DomainName
+        columnName: DestinationDnsDomain
+  - entityType: Malware
+    fieldMappings:
+      - identifier: Name
+        columnName: ThreatProperty
+      - identifier: Category
+        columnName: ThreatClass
+customDetails:
+  SourceMACAddress: SourceMACAddress
+  InfobloxB1FeedName: InfobloxB1FeedName
+  InfobloxB1Network: InfobloxB1Network
+  InfobloxB1Action: InfobloxB1PolicyAction
+  InfobloxB1PolicyName: InfobloxB1PolicyName
+eventGroupingSettings:
+  aggregationKind: SingleAlert
+incidentConfiguration:
+  createIncident: true
+version: 1.0.0
 kind: Scheduled
diff --git a/...a Connector/Analytic Rules/Infoblox-ManyHighThreatLevelQueriesFromSingleHostDetected.yaml b/...a Connector/Analytic Rules/Infoblox-ManyHighThreatLevelQueriesFromSingleHostDetected.yaml
@@ -0,0 +1,51 @@
+id: 3822b794-fa89-4420-aad6-0e1a2307f419
+name: Infoblox - Many High Threat Level Queries From Single Host Detected
+description: |
+  'At least 200 high threat level queries generated by single host in 1 hour. Queries do not need to be the same. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).'
+severity: Medium
+status: Available
+requiredDataConnectors:
+  - connectorId: InfobloxCloudDataConnector
+    dataTypes: 
+      - CommonSecurityLog (InfobloxCDC)
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Impact
+relevantTechniques:
+  - T1498
+  - T1565
+query: |
+  let threshold = 200;
+  InfobloxCDC
+  | where DeviceEventClassID has_cs "RPZ"
+  | where ThreatLevel_Score >= 80
+  | summarize count() by SourceIP
+  | where count_ > threshold
+  | join kind=inner (InfobloxCDC
+    | where DeviceEventClassID has_cs "RPZ"
+    | where ThreatLevel_Score >= 80
+    ) on SourceIP
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIP
+  - entityType: Host
+    fieldMappings:
+      - identifier: HostName
+        columnName: DeviceName
+      - identifier: OSVersion
+        columnName: InfobloxB1SrcOSVersion
+      - identifier: FullName
+        columnName: SourceUserName
+customDetails:
+  SourceMACAddress: SourceMACAddress
+eventGroupingSettings:
+  aggregationKind: SingleAlert
+incidentConfiguration:
+  createIncident: true
+version: 1.0.0
+kind: Scheduled