From 0aefed6a61a6e26bbf0c2d0c181e26eb686915f7 Mon Sep 17 00:00:00 2001 From: v-dvedak Date: Thu, 31 Aug 2023 16:06:03 +0530 Subject: [PATCH] Remove the text parser files --- .../Parsers/AIShield.txt | 27 - .../Alsid For AD/Parsers/afad_parser.kql.txt | 124 ---- .../Parsers/CiscoSDWANNetflow.txt | 241 ------- .../Parsers/CiscoSyslogFW6LogSummary.txt | 45 -- .../Cisco SD-WAN/Parsers/CiscoSyslogUTD.txt | 49 -- .../Parsers/MapNetflowUsername.txt | 16 - Solutions/Cloudflare/Parsers/Cloudflare.txt | 216 ------ Solutions/Corelight/Parsers/Corelight.txt | 645 ------------------ Solutions/CyberArkEPM/Parsers/CyberArkEPM.txt | 92 --- .../Parsers/LookoutCSActivities.txt | 23 - .../Parsers/LookoutCSAnomalies.txt | 31 - .../Parsers/LookoutCSViolations.txt | 34 - Solutions/Lookout/Parsers/LookoutEvents.txt | 84 --- Solutions/Morphisec/Parsers/Morphisec | 23 - .../Parsers/NXLog_parsed_AIX_Audit_view.txt | 33 - .../Parsers/ASimDnsMicrosoftNXLog.txt | 236 ------- .../Parsers/OnapsisLookup.txt | 128 ---- .../Parsers/dsp_parser.txt | 53 -- .../TenableIO/Parsers/TenableIOAssets.txt | 125 ---- .../Parsers/TenableIOVulnerabilities.txt | 215 ------ .../Parsers/TrendMicroDeepSecurity | 34 - .../Parsers/VectraStream_function.kql | 462 ------------- Solutions/Vectra XDR/Parsers/VectraAudits.txt | 46 -- .../Vectra XDR/Parsers/VectraDetections.txt | 61 -- .../Parsers/VectraEntityScoring.txt | 57 -- Solutions/Vectra XDR/Parsers/VectraHealth.txt | 44 -- .../Vectra XDR/Parsers/VectraLockdown.txt | 34 - Solutions/iboss/Parsers/ibossUrlEvent.txt | 37 - 28 files changed, 3215 deletions(-) delete mode 100644 Solutions/AIShield AI Security Monitoring/Parsers/AIShield.txt delete mode 100644 Solutions/Alsid For AD/Parsers/afad_parser.kql.txt delete mode 100644 Solutions/Cisco SD-WAN/Parsers/CiscoSDWANNetflow.txt delete mode 100644 Solutions/Cisco SD-WAN/Parsers/CiscoSyslogFW6LogSummary.txt delete mode 100644 Solutions/Cisco SD-WAN/Parsers/CiscoSyslogUTD.txt delete mode 100644 Solutions/Cisco SD-WAN/Parsers/MapNetflowUsername.txt delete mode 100644 Solutions/Cloudflare/Parsers/Cloudflare.txt delete mode 100644 Solutions/Corelight/Parsers/Corelight.txt delete mode 100644 Solutions/CyberArkEPM/Parsers/CyberArkEPM.txt delete mode 100644 Solutions/Lookout Cloud Security Platform for Microsoft Sentinel/Parsers/LookoutCSActivities.txt delete mode 100644 Solutions/Lookout Cloud Security Platform for Microsoft Sentinel/Parsers/LookoutCSAnomalies.txt delete mode 100644 Solutions/Lookout Cloud Security Platform for Microsoft Sentinel/Parsers/LookoutCSViolations.txt delete mode 100644 Solutions/Lookout/Parsers/LookoutEvents.txt delete mode 100644 Solutions/Morphisec/Parsers/Morphisec delete mode 100644 Solutions/NXLogAixAudit/Parsers/NXLog_parsed_AIX_Audit_view.txt delete mode 100644 Solutions/NXLogDnsLogs/Parsers/ASimDnsMicrosoftNXLog.txt delete mode 100644 Solutions/Onapsis Platform/Parsers/OnapsisLookup.txt delete mode 100644 Solutions/Semperis Directory Services Protector/Parsers/dsp_parser.txt delete mode 100644 Solutions/TenableIO/Parsers/TenableIOAssets.txt delete mode 100644 Solutions/TenableIO/Parsers/TenableIOVulnerabilities.txt delete mode 100644 Solutions/Trend Micro Deep Security/Parsers/TrendMicroDeepSecurity delete mode 100644 Solutions/Vectra AI Stream/Parsers/VectraStream_function.kql delete mode 100644 Solutions/Vectra XDR/Parsers/VectraAudits.txt delete mode 100644 Solutions/Vectra XDR/Parsers/VectraDetections.txt delete mode 100644 Solutions/Vectra XDR/Parsers/VectraEntityScoring.txt delete mode 100644 Solutions/Vectra XDR/Parsers/VectraHealth.txt delete mode 100644 Solutions/Vectra XDR/Parsers/VectraLockdown.txt delete mode 100644 Solutions/iboss/Parsers/ibossUrlEvent.txt diff --git a/Solutions/AIShield AI Security Monitoring/Parsers/AIShield.txt b/Solutions/AIShield AI Security Monitoring/Parsers/AIShield.txt deleted file mode 100644 index 95d9bcb2796..00000000000 --- a/Solutions/AIShield AI Security Monitoring/Parsers/AIShield.txt +++ /dev/null @@ -1,27 +0,0 @@ -// Title: AIShield Parser -// Author: AIShield -// Version: 1.0 -// Last Updated: 17/12/2021 -// Comment: Inital Release -// -// DESCRIPTION: -// This parser takes raw logs form AIShield and parses the data into a normalized schema. -// -// Usage Instruction : -// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias as AIShield. -// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. AIShield | take 10). -// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions - -AIShield_CL -| extend EventVendor = 'Bosch' -| extend EventProduct = 'AIShield' -| extend Severity = iff(probability_d between (0.85..1.0),"High",iff(probability_d between - (0.7..0.84), "Medium", iff(probability_d < (0.7),"Low","Unknown"))) -| project-rename - AttackName = attack_name_s, - Message = RawMessage_s, - ServiceName = service_name_s, - AssetId = asset_id_s, - EventTimestamp = timestamp_t, - SourceName = source_name_s -| project-away probability_d diff --git a/Solutions/Alsid For AD/Parsers/afad_parser.kql.txt b/Solutions/Alsid For AD/Parsers/afad_parser.kql.txt deleted file mode 100644 index f7b934cab81..00000000000 --- a/Solutions/Alsid For AD/Parsers/afad_parser.kql.txt +++ /dev/null @@ -1,124 +0,0 @@ -// Title: Alsid for Active Directory Data Parser -// Author: Alsid -// Version: 1.1 -// Last Updated: 03/23/2021 -// Comment: Add the Codename table mapping for IOAs -// -// DESCRIPTION: -// This parser takes raw Alsid for AD logs from the relevant connector's data stream and parses the data into a normalized schema -// -// USAGE: -// 1. Open Log Analytics/Azure Sentinel Logs blade. Copy the query below and paste into the Logs query window. -// 2. Click the Save button above the query. A pane will appear on the right, select "as Function" from the drop down. Enter a Function Name. -// In order for the Alsid for AD logs to work with pre-built queries and workbooks the Function Alias must be set to - afad_parser -// 3. Function App usually take 10-15 minutes to activate. You can then use Function Alias for other queries -// -// -// REFERENCE: -// Using functions in Azure monitor log queries: https://docs.microsoft.com/azure/azure-monitor/log-query/functions -// -// -let CodenameTable=datatable(Codename: string, Explanation: string) [ -"test-checker-codename", "This is a test checker", -"", "Not an alert", -"C-ADM-ACC-USAGE", "Recent use of the default administrator account", -"C-UNCONST-DELEG", "Dangerous delegation", -"C-PASSWORD-DONT-EXPIRE", "Accounts with never expiring passwords", -"C-USERS-CAN-JOIN-COMPUTERS", "Users allowed to join computers to the domain", -"C-CLEARTEXT-PASSWORD", "Potential clear-text password", -"C-PROTECTED-USERS-GROUP-UNUSED", "Protected Users group not used", -"C-PASSWORD-POLICY", "Weak password policies are applied on users", -"C-GPO-HARDENING", "Domain without computer-hardening GPOs", -"C-LAPS-UNSECURE-CONFIG", "Local administrative account management", -"C-AAD-CONNECT", "Verify permissions related to AAD Connect accounts", -"C-AAD-SSO-PASSWORD", "Verify AAD SSO account password last change", -"C-GPO-SD-CONSISTENCY", "Verify sensitive GPO objects and files permissions", -"C-DSHEURISTICS", "Domain using a dangerous backward-compatibility configuration", -"C-DOMAIN-FUNCTIONAL-LEVEL", "Domains have an outdated functional level", -"C-DISABLED-ACCOUNTS-PRIV-GROUPS", "Disabled accounts in privileged groups", -"C-DCSHADOW", "Rogue domain controllers", -"C-DC-ACCESS-CONSISTENCY", "Domain controllers managed by illegitimate users", -"C-DANGEROUS-TRUST-RELATIONSHIP", "Dangerous trust relationship", -"C-DANGEROUS-SENSITIVE-PRIVILEGES", "Dangerous sensitive privileges", -"C-DANG-PRIMGROUPID", "User Primary Group ID", -"C-BAD-PASSWORD-COUNT", "Brute-force attack detection", -"C-ADMINCOUNT-ACCOUNT-PROPS", "AdminCount attribute set on standard users", -"C-ACCOUNTS-DANG-SID-HISTORY", "Accounts having a dangerous SID History attribute", -"C-ABNORMAL-ENTRIES-IN-SCHEMA", "Dangerous rights in AD's schema", -"C-GPOLICY-DISABLED-UNLINKED", "Unlinked, disabled or orphan GPO", -"C-KERBEROS-CONFIG-ACCOUNT", "Kerberos configuration on user account", -"C-KRBTGT-PASSWORD", "KDC password last change", -"C-LAPS-UNSECURE-CONFIG", "Local administrative account management", -"C-NATIVE-ADM-GROUP-MEMBERS", "Native administrative group members", -"C-NETLOGON-SECURITY", "Unsecured configuration of Netlogon protocol", -"C-OBSOLETE-SYSTEMS", "Computers running an obsolete OS", -"C-PASSWORD-NOT-REQUIRED", "Account that might have an empty password", -"C-PKI-WEAK-CRYPTO", "Use of weak cryptography algorithms into Active Directory PKI", -"C-PRE-WIN2000-ACCESS-MEMBERS", "Accounts using a pre-Windows 2000 compatible access control", -"C-PRIV-ACCOUNTS-SPN", "Privileged accounts running Kerberos services", -"C-REVER-PWD-GPO", "Reversible passwords in GPO", -"C-ROOTOBJECTS-SD-CONSISTENCY", "Root objects permissions allowing DCSync-like attacks", -"C-SDPROP-CONSISTENCY", "Ensure SDProp consistency", -"C-SENSITIVE-CERTIFICATES-ON-USER", "Ensure SDProp consistency", -"C-SLEEPING-ACCOUNTS", "Sleeping accounts", -"C-USER-PASSWORD", "User account using old password", -"C-USERS-REVER-PWDS", "Reversible passwords", -// IOAs -"DCSync","The DCSync command in Mimikatz allows an attacker to pretend to be a domain controller and retrieve password hashes and encryption keys from other domain controllers, without executing any code on the target.", -"I-DCSync","The DCSync command in Mimikatz allows an attacker to pretend to be a domain controller and retrieve password hashes and encryption keys from other domain controllers, without executing any code on the target.", -"Golden Ticket","A Golden Ticket attack is a type of attack in which an adversary gains control over an Active Directory Key Distribution Service Account (KRBTGT), and uses that account to create valid Kerberos Ticket Granting Tickets (TGTs).", -"I-GoldenTicket","A Golden Ticket attack is a type of attack in which an adversary gains control over an Active Directory Key Distribution Service Account (KRBTGT), and uses that account to create valid Kerberos Ticket Granting Tickets (TGTs).", -"Password Guessing","A brute force password guessing attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.", -"I-Bruteforce","A brute force password guessing attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.", -"Password Spraying","Password spraying is an attack that attempts to access a large number of accounts (usernames) with a few commonly used passwords - also known as the \"low-and-slow\" method.", -"I-PasswordSpraying","Password spraying is an attack that attempts to access a large number of accounts (usernames) with a few commonly used passwords - also known as the \"low-and-slow\" method.", -"DCShadow","DCShadow is another late-stage kill chain attack that allows an attacker with privileged credentials to register a rogue domain controller in order to push changes to a domain via domain replication.", -"I-DCShadow","DCShadow is another late-stage kill chain attack that allows an attacker with privileged credentials to register a rogue domain controller in order to push changes to a domain via domain replication.", -"OS Credential Dumping: LSASS Memory","After a user logs on, attackers may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).", -"I-ProcessInjectionLsass","After a user logs on, attackers may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).", -"Suspicious process","Attackers can use well-known tools to exploit a vulnerability.", -"I-ProcessExec","Attackers can use well-known tools to exploit a vulnerability.", -"Suspicious service","Before or after an exploit, malicious tools might require to create a service to gain privileges or to be executed in another context.", -"I-ServiceInstall","Before or after an exploit, malicious tools might require to create a service to gain privileges or to be executed in another context." -]; -let Common = AlsidForADLog_CL -| parse RawData with - Time:datetime " " - Host:string " " - Product:string "[" - PID:int "]: \"" - MessageType:int "\" \"" - AlertID:int "\" \"" - Forest:string "\" \"" - Domain:string "\" " - DistinctPart:string; -let Deviances = Common -| where MessageType == 0 | parse DistinctPart with "\"" - Codename:string "\" \"" - Severity:string "\" \"" - ADObject:string "\" \"" - DevianceID:string "\" \"" - ProfileID:string "\" \"" - ReasonCodename:string "\" \"" - EventID:string "\"" - Attributes:string; -let Changes = Common -| where MessageType == 1 -| parse kind=regex DistinctPart with "\"" - ADObject:string "\" \"" - EventID:string "\" \"" - EventType:string "\" " - Attributes:string; -let Attacks = Common -| where MessageType == 2 -| parse DistinctPart with "\"" - Codename:string "\" \"" - Severity:string "\" \"" - SourceHostname:string "\" \"" - SourceIP:string "\" \"" - DestinationHostname:string "\" \"" - DestinationIP:string "\" \"" - Attributes:string; -union Changes, Deviances, Attacks -| project-away DistinctPart, Product, _ResourceId, _SubscriptionId -| lookup kind=leftouter CodenameTable on Codename; diff --git a/Solutions/Cisco SD-WAN/Parsers/CiscoSDWANNetflow.txt b/Solutions/Cisco SD-WAN/Parsers/CiscoSDWANNetflow.txt deleted file mode 100644 index 14674f9a589..00000000000 --- a/Solutions/Cisco SD-WAN/Parsers/CiscoSDWANNetflow.txt +++ /dev/null @@ -1,241 +0,0 @@ -// Usage Instruction : -// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias (e.g. CiscoSDWANNetflow). -// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. CiscoSDWANNetflow | take 10). -// References : -// Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions -// Tech Community Blog on KQL Functions : https://techcommunity.microsoft.com/t5/Azure-Sentinel/Using-KQL-functions-to-speed-up-analysis-in-Azure-Sentinel/ba-p/712381 -// -let ConvertNetflowApplicationTag = (ApplicationTag: string) { - let raw_application_tag = todynamic(ApplicationTag); - let application_tag_number_0 = toint((raw_application_tag)[0]); - let application_tag_number_1 = toint((raw_application_tag)[1]); - let application_tag_number_2 = toint((raw_application_tag)[2]); - let application_tag_number_3 = toint((raw_application_tag)[3]); - let hex_application_tag = strcat(tohex(application_tag_number_1, 2), tohex(application_tag_number_2, 2), tohex(application_tag_number_3, 2)); - case(application_tag_number_0 == 0, strcat("Invalid", " : ", hex_application_tag), - application_tag_number_0 == 1, strcat("IANA-L3", " : ", hex_application_tag), - application_tag_number_0 == 2, strcat("PANA-L3", " : ", hex_application_tag), - application_tag_number_0 == 3, strcat("IANA-L4", " : ", hex_application_tag), - application_tag_number_0 == 4, strcat("PANA-L4", " : ", hex_application_tag), - application_tag_number_0 == 5, strcat("Reserved", " : ", hex_application_tag), - application_tag_number_0 == 6, strcat("USER-Defined", " : ", hex_application_tag), - application_tag_number_0 == 7, strcat("Reserved", " : ", hex_application_tag), - application_tag_number_0 == 8, strcat("Reserved", " : ", hex_application_tag), - application_tag_number_0 == 9, strcat("Reserved", " : ", hex_application_tag), - application_tag_number_0 == 10, strcat("Reserved", " : ", hex_application_tag), - application_tag_number_0 == 11, strcat("Reserved", " : ", hex_application_tag), - application_tag_number_0 == 12, strcat("PANA-L2", " : ", hex_application_tag), - application_tag_number_0 == 13, strcat("PANA-L7", " : ", hex_application_tag), - application_tag_number_0 == 14, strcat("Reserved", " : ", hex_application_tag), - application_tag_number_0 == 15, strcat("Reserved", " : ", hex_application_tag), - application_tag_number_0 == 16, strcat("Reserved", " : ", hex_application_tag), - application_tag_number_0 == 17, strcat("Reserved", " : ", hex_application_tag), - application_tag_number_0 == 18, strcat("ETHERTYPE", " : ", hex_application_tag), - application_tag_number_0 == 19, strcat("LLC", " : ", hex_application_tag), - application_tag_number_0 == 20, strcat("PANA-L7-PEN", " : ", hex_application_tag), "unclassified"); -}; -let CiscoSDWANNetflow_view = view() { - CiscoSDWANNetflow_CL - | extend - EventVendor="CiscoSD-WAN", - EventProduct="Netflow", - ApplicationTag = coalesce(column_ifexists('netflow_application_tag_s', ''), column_ifexists('netflow_options_application_tag_s', ''), column_ifexists('netflow_scope_application_tag_s', '')), - NetflowBytesIn = column_ifexists('netflow_bytes_in_d', ''), - NetflowElement_9_2239 = coalesce(toint(column_ifexists('netflow_element_9_2239_d', '')), toint(column_ifexists('netflow_scope_element_9_2239_d', ''))), - NetflowEgressVRFID = column_ifexists('netflow_egress_vrf_id_d', '' ), - NetflowIngressVRFID = column_ifexists('netflow_ingress_vrf_id_d', ''), - NetflowExporterAddress = column_ifexists('netflow_exporter_address_s', ''), - NetflowExporterSourceID = column_ifexists('netflow_exporter_source_id_d', ''), - NetflowExporterTimestamp = column_ifexists('netflow_exporter_timestamp_t', ''), - NetflowExporterUptimeMillis = column_ifexists('netflow_exporter_uptime_millis_d', ''), - NetflowExporterVersion = column_ifexists('netflow_exporter_version_d', ''), - NetflowFirewallEvent = column_ifexists('netflow_firewall_event_d', ''), - NetflowFlowFieldDestDSAID = column_ifexists('netflow_flow_field_dst_dsa_id_d', ''), - NetflowFlowFieldSGT = column_ifexists('netflow_flow_field_sgt_d', ''), - NetflowFlowFieldSrcDSAID = column_ifexists('netflow_flow_field_src_dsa_id_d', ''), - NetflowFlowEndMilliseconds = column_ifexists('netflow_flow_end_milliseconds_t', ''), - NetflowFlowEndReason = column_ifexists('netflow_flow_end_reason_d', ''), - NetflowFlowStartMilliseconds = column_ifexists('netflow_flow_start_milliseconds_t', ''), - NetflowFwAction = coalesce(toint(column_ifexists('netflow_fw_action_d', '')), toint(column_ifexists('netflow_scope_fw_action_d', ''))), - NetflowFwDestAddrIpv4 = column_ifexists('netflow_fw_dest_addr_ipv4_s', ''), - NetflowFwDestPort = column_ifexists('netflow_fw_dest_port_d', ''), - NetflowFwEventTimeMsec = column_ifexists('netflow_fw_event_time_msec_d', ''), - NetflowFwICMPCode = column_ifexists('netflow_fw_icmp_code_d', ''), - NetflowFwICMPType = column_ifexists('netflow_fw_icmp_type_d', ''), - NetflowFwInitiatorOctets = column_ifexists('netflow_fw_initiator_octets_d', ''), - NetflowFwIpv4Ident = column_ifexists('netflow_fw_ipv4_ident_d', ''), - NetflowFwPolicy = coalesce(toint(column_ifexists('netflow_fw_policy_d', '')), toint(column_ifexists('netflow_options_fw_policy_d', '')), toint(column_ifexists('netflow_scope_fw_policy_d', ''))), - NetflowFwProtocol = column_ifexists('netflow_fw_protocol_d', ''), - NetflowFwResponderOctets = column_ifexists('netflow_fw_responder_octets_d', ''), - NetflowFwSrcAddrIpv4 = column_ifexists('netflow_fw_src_addr_ipv4_s', ''), - NetflowFwSrcPort = column_ifexists('netflow_fw_src_port_d', ''), - NetflowFwSummaryPktCnt = column_ifexists('netflow_fw_summary_pkt_cnt_d', ''), - NetflowFwTCPAck = column_ifexists('netflow_fw_tcp_ack_d', ''), - NetflowFwTCPFlags = column_ifexists('netflow_fw_tcp_flags_d', ''), - NetflowFwTCPSeq = column_ifexists('netflow_fw_tcp_seq_d', ''), - NetflowFwXlateDestAddrIpv4 = column_ifexists('netflow_fw_xlate_dst_addr_ipv4_s', ''), - NetflowFwXlateDestPort = column_ifexists('netflow_fw_xlate_dst_port_d', ''), - NetflowFwXlateSrcAddrIpv4 = column_ifexists('netflow_fw_xlate_src_addr_ipv4_s', ''), - NetflowFwXlateSrcPort = column_ifexists('netflow_fw_xlate_src_port_d', ''), - NetflowInputSNMPIDX = column_ifexists('netflow_input_snmpidx_d', ''), - NetflowOutputSNMPIDX = column_ifexists('netflow_output_snmpidx_d', ''), - NetflowIpDiffServCodePoint = column_ifexists('netflow_ip_diff_serv_code_point_d', ''), - NetflowApplicationDescription = column_ifexists('netflow_options_application_description_s', ''), - NetflowApplicationName = column_ifexists('netflow_options_application_name_s', ''), - NetflowEncryptedTechnology = column_ifexists('netflow_options_encrypted_technology_s', ''), - NetflowFwActionRule = column_ifexists('netflow_options_fw_action_rule_s', ''), - NetflowFwExtEvent = coalesce(toint(column_ifexists('netflow_fw_ext_event_d', '')), toint(column_ifexists('netflow_options_fw_ext_event_d', ''))), - NetflowFwExtEventDesc = column_ifexists('netflow_options_fw_ext_event_desc_s', ''), - NetflowFwPolicyRule = column_ifexists('netflow_options_fw_policy_rule_s', ''), - NetflowFwPolicyType = column_ifexists('netflow_options_fw_policy_type_s', ''), - NetflowFwZonepairID = coalesce(toint(column_ifexists('netflow_fw_zonepair_id_d', '')),toint(column_ifexists('netflow_options_fw_zonepair_id_d', ''))), - NetflowFwZonepairName = column_ifexists('netflow_options_fw_zonepair_name_s', ''), - NetflowInterfaceDescription = column_ifexists('netflow_options_interface_description_s', ''), - NetflowInterfaceName = column_ifexists('netflow_options_interface_name_s', ''), - NetflowP2pTechnology = column_ifexists('netflow_options_p2p_technology_s', ''), - NetflowTunnelTechnology = column_ifexists('netflow_options_tunnel_technology_s', ''), - NetflowPacketsIn = column_ifexists('netflow_packets_in_d', ''), - NetflowPostIpDiffServCodePoint = column_ifexists('netflow_post_ip_diff_serv_code_point_d', ''), - NetflowSrcTOS = column_ifexists('netflow_src_tos_d', ''), - NetflowType = column_ifexists('netflow_type_s', ''), - NetflowUsername = column_ifexists('netflow_username_s', ''), - NetworkCommunityID = column_ifexists('network_community_id_s', ''), - NetworkDirection = column_ifexists('network_direction_s', ''), - ObserverIp = column_ifexists('observer_ip_s', ''), - HostArchitecture = column_ifexists('host_architecture_s', ''), - HostContainerized = column_ifexists('host_containerized_b', ''), - NetflowHostname = coalesce(column_ifexists('host_hostname_s', ''), column_ifexists('host_name_s', '')), - HostID = column_ifexists('host_id_g', ''), - HostIp = column_ifexists('host_ip_s', ''), - HostMac = column_ifexists('host_mac_s', ''), - Hostname = column_ifexists('host_name_s', ''), - HostOSCodename = column_ifexists('host_os_codename_s', ''), - HostOSFamily = column_ifexists('host_os_family_s', ''), - HostOSKernel = column_ifexists('host_os_kernel_s', ''), - HostOSName = column_ifexists('host_os_name_s', ''), - HostOSPlatform = column_ifexists('host_os_platform_s', ''), - HostOSType = column_ifexists('host_os_type_s', ''), - HostOSVersion = column_ifexists('host_os_version_s', ''), - InputType = column_ifexists('input_type_s', ''), - Tags = column_ifexists('tags_s', ''), - TimeStamp = column_ifexists('_timestamp_t', ''), - Version = column_ifexists('_version_s', ''), - AgentEphemeralID = column_ifexists('agent_ephemeral_id_g', ''), - AgentID = column_ifexists('agent_id_g', ''), - AgentName = column_ifexists('agent_name_s', ''), - AgentType = column_ifexists('agent_type_s', ''), - AgentVersion = column_ifexists('agent_version_s', ''), - ECSVersion = column_ifexists('ecs_version_s', ''), - EventAction = column_ifexists('event_action_s', ''), - EventCategory = column_ifexists('event_category_s', ''), - EventCreated = column_ifexists('event_created_t', ''), - EventKind = column_ifexists('event_kind_s', ''), - EventType = column_ifexists('event_type_s', ''), - FlowID = column_ifexists('flow_id_s', ''), - FlowLocality = column_ifexists('flow_locality_s', '') - | extend NetflowApplicationTag = iff(isnotempty(ApplicationTag),ConvertNetflowApplicationTag(ApplicationTag), ApplicationTag) - | project - EventVendor, - EventProduct, - TimeStamp, - TimeGenerated = TimeStamp, - NetflowApplicationTag, - NetflowApplicationName, - NetflowApplicationDescription, - NetflowBytesIn, - NetflowElement_9_2239, - NetflowEgressVRFID, - NetflowIngressVRFID, - NetflowExporterAddress, - NetflowExporterSourceID, - NetflowExporterTimestamp, - NetflowExporterUptimeMillis, - NetflowExporterVersion, - NetflowFirewallEvent, - NetflowFlowFieldDestDSAID, - NetflowFlowFieldSGT, - NetflowFlowFieldSrcDSAID, - NetflowFlowEndMilliseconds, - NetflowFlowEndReason, - NetflowFlowStartMilliseconds, - NetflowFwAction, - NetflowFwDestAddrIpv4, - NetflowFwDestPort, - NetflowFwEventTimeMsec, - NetflowFwICMPCode, - NetflowFwICMPType, - NetflowFwInitiatorOctets, - NetflowFwResponderOctets, - NetflowFwIpv4Ident, - NetflowFwPolicy, - NetflowFwProtocol, - NetflowFwSrcAddrIpv4, - NetflowFwSrcPort, - NetflowFwSummaryPktCnt, - NetflowFwTCPAck, - NetflowFwTCPFlags, - NetflowFwTCPSeq, - NetflowFwXlateDestAddrIpv4, - NetflowFwXlateDestPort, - NetflowFwXlateSrcAddrIpv4, - NetflowFwXlateSrcPort, - NetflowInputSNMPIDX, - NetflowOutputSNMPIDX, - NetflowIpDiffServCodePoint, - NetflowEncryptedTechnology, - NetflowFwActionRule, - NetflowFwExtEvent, - NetflowFwExtEventDesc, - NetflowFwPolicyRule, - NetflowFwPolicyType, - NetflowFwZonepairID, - NetflowFwZonepairName, - NetflowInterfaceDescription, - NetflowInterfaceName, - NetflowP2pTechnology, - NetflowTunnelTechnology, - NetflowPacketsIn, - NetflowPostIpDiffServCodePoint, - NetflowSrcTOS, - NetflowType, - NetflowUsername, - NetworkCommunityID, - NetworkDirection, - ObserverIp, - HostArchitecture, - HostContainerized, - NetflowHostname, - HostID, - HostIp, - HostMac, - Hostname, - HostOSCodename, - HostOSFamily, - HostOSKernel, - HostOSName, - HostOSPlatform, - HostOSType, - HostOSVersion, - InputType, - Tags, - Version, - AgentEphemeralID, - AgentID, - AgentName, - AgentType, - AgentVersion, - Computer, - ECSVersion, - EventAction, - EventCategory, - EventCreated, - EventKind, - EventType, - FlowID, - FlowLocality, - RawData, - Type, - _ResourceId, - _SubscriptionId -}; -CiscoSDWANNetflow_view \ No newline at end of file diff --git a/Solutions/Cisco SD-WAN/Parsers/CiscoSyslogFW6LogSummary.txt b/Solutions/Cisco SD-WAN/Parsers/CiscoSyslogFW6LogSummary.txt deleted file mode 100644 index 31e4e53ac2a..00000000000 --- a/Solutions/Cisco SD-WAN/Parsers/CiscoSyslogFW6LogSummary.txt +++ /dev/null @@ -1,45 +0,0 @@ -// Usage Instruction : -// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias (e.g. CiscoSyslogFW6LogSummary). -// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. CiscoSyslogFW6LogSummary | take 10). -// References : -// Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions -// Tech Community Blog on KQL Functions : https://techcommunity.microsoft.com/t5/Azure-Sentinel/Using-KQL-functions-to-speed-up-analysis-in-Azure-Sentinel/ba-p/712381 -// -let CiscoSyslogFW6LogSummary_view = view() { - Syslog - | where SyslogMessage has "%FW-6-LOG_SUMMARY:" - | extend FieldList = extract_all(@"\S{3}\s+\d{1,2}\s[^\s]+\s%(?P[^:\s]+).*TS:\d+\s%(?P[^:\s]+)[^\d]+(?P\d+)\s(?P\w+).*\s(?P\w+)\sfrom\s[^\s]+\s(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(?P\d{1,5})[^\d]+(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(?P\d{1,5}).*\(target:class\)-\((?P[^\s\)\(:]+)\:(?P[^\s\:\)]+)", dynamic(['type', 'sub_type', 'packets', 'protocol', 'action', 'src_ip', 'src_port', 'dest_ip', 'dest_port', 'target', 'class']), SyslogMessage) - | extend - SyslogType = tostring(FieldList[0][0]), - SyslogSubType = tostring(FieldList[0][1]), - Packets = tostring(FieldList[0][2]), - Protocol = tostring(FieldList[0][3]), - Action = tostring(FieldList[0][4]), - SourceIP = tostring(FieldList[0][5]), - SourcePort = tostring(FieldList[0][6]), - DestinationIP = tostring(FieldList[0][7]), - DestinationPort = tostring(FieldList[0][8]), - SyslogTarget = tostring(FieldList[0][9]), - SyslogClass = tostring(FieldList[0][10]) - | extend - EventVendor="CiscoSD-WAN", - EventProduct="Syslog_FW-6-LOG_SUMMARY" - | project - EventVendor, - EventProduct, - Host = HostName, - TimeGenerated=EventTime, - SyslogType, - SyslogSubType, - Packets, - Protocol, - Action, - SourceIP, - SourcePort, - DestinationIP, - DestinationPort, - SyslogTarget, - SyslogClass, - SyslogMessage -}; -CiscoSyslogFW6LogSummary_view \ No newline at end of file diff --git a/Solutions/Cisco SD-WAN/Parsers/CiscoSyslogUTD.txt b/Solutions/Cisco SD-WAN/Parsers/CiscoSyslogUTD.txt deleted file mode 100644 index 4606a55fbcf..00000000000 --- a/Solutions/Cisco SD-WAN/Parsers/CiscoSyslogUTD.txt +++ /dev/null @@ -1,49 +0,0 @@ -// Usage Instruction : -// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias (e.g. CiscoSyslogUTD). -// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. CiscoSyslogUTD | take 10). -// References : -// Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions -// Tech Community Blog on KQL Functions : https://techcommunity.microsoft.com/t5/Azure-Sentinel/Using-KQL-functions-to-speed-up-analysis-in-Azure-Sentinel/ba-p/712381 -// -let CiscoSyslogUTD_view = view() { - Syslog - | where SyslogMessage matches regex @"\[\*\*\].*\[\*\*\].*\[\*\*\][^-]*.*->" - | extend FieldList = extract_all(@"]\s(?P[^\s[]*)\s\[\S*\s[^{]*{(?P[^\s}]*)}\s(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(?P\d{1,5})\s->\s(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(?P\d{1,5})", dynamic(['action', 'protocol', 'src_ip', 'src_port', 'dest_ip', 'dest_port']), SyslogMessage) - | extend - Action = tostring(FieldList[0][0]), - Protocol = tostring(FieldList[0][1]), - SourceIP = tostring(FieldList[0][2]), - SourcePort = tostring(FieldList[0][3]), - DestinationIP = tostring(FieldList[0][4]), - DestinationPort = tostring(FieldList[0][5]) - | extend UTDWebfilter = extract(@"\sUTD\sWebFilter\s(?P[^\s]*)", 1, SyslogMessage) - | extend SignatureId = replace_string(extract(@"\[(?P\d+\:\d+)\:\d+\]",1,SyslogMessage),':','-') - | extend FileInspectionLogs = extract(@"UTD\sAMP\sDISPOSITION\s(?P[^\s]*)\s", 1, SyslogMessage) - | extend BracketData = SyslogMessage - | extend NonBracketData = SyslogMessage - | extend - EventVendor="CiscoSD-WAN", - EventProduct="Syslog_UTD" - | project - EventVendor, - EventProduct, - Host = HostName, - TimeGenerated = EventTime, - Action, - Protocol, - SourceIP, - SourcePort, - DestinationIP, - DestinationPort, - UTDWebfilter, - FileInspectionLogs, - BracketData, - NonBracketData, - SignatureId, - SyslogMessage - | parse-kv BracketData as (['Hostname'] : string, ['System_IP']: string, ['Instance_ID']: string, ['Classification']: string, ['Priority']: string, ['POLICY']: string, ['URL']: string, ['Category']: string, ['Reputation']: string) with (regex=@"\s\[([^\[\]:]*):\s([^\]]*)\]") - | project-away BracketData - | parse-kv NonBracketData as (['SHA']: string, ['Malware']: string, ['Filename']: string, ['Filetype']: string) with (regex=@"[\s|\{]([\w.:\/]+):\s([\w.]*)") - | project-away NonBracketData -}; -CiscoSyslogUTD_view \ No newline at end of file diff --git a/Solutions/Cisco SD-WAN/Parsers/MapNetflowUsername.txt b/Solutions/Cisco SD-WAN/Parsers/MapNetflowUsername.txt deleted file mode 100644 index b82446aa260..00000000000 --- a/Solutions/Cisco SD-WAN/Parsers/MapNetflowUsername.txt +++ /dev/null @@ -1,16 +0,0 @@ -// Usage Instruction : -// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias (e.g. MapNetflowUsername). -// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. MapNetflowUsername | take 10). -// References : -// Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions -// Tech Community Blog on KQL Functions : https://techcommunity.microsoft.com/t5/Azure-Sentinel/Using-KQL-functions-to-speed-up-analysis-in-Azure-Sentinel/ba-p/712381 -// -CiscoSyslogUTD -| join ( -CiscoSDWANNetflow -| where isnotempty(NetflowUsername) -| summarize arg_max(TimeStamp, NetflowUsername) by NetflowFwSrcAddrIpv4 -| distinct - ["Username"] = NetflowUsername, - ["SourceIP"] = NetflowFwSrcAddrIpv4) on SourceIP - | distinct SourceIP, Username \ No newline at end of file diff --git a/Solutions/Cloudflare/Parsers/Cloudflare.txt b/Solutions/Cloudflare/Parsers/Cloudflare.txt deleted file mode 100644 index addca822e3b..00000000000 --- a/Solutions/Cloudflare/Parsers/Cloudflare.txt +++ /dev/null @@ -1,216 +0,0 @@ -// Usage Instruction : -// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias as Cloudflare. -// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. Cloudflare | take 10). -// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions -Cloudflare_CL -| extend - BotScore_d=column_ifexists('BotScore_d', ''), - BotScoreSrc_s=column_ifexists('BotScoreSrc_s', ''), - CacheCacheStatus_s=column_ifexists('CacheCacheStatus_s', ''), - CacheResponseBytes_d=column_ifexists('CacheResponseBytes_d', ''), - CacheResponseStatus_d=column_ifexists('CacheResponseStatus_d', ''), - CacheTieredFill_b=column_ifexists('CacheTieredFill_b', ''), - ClientASN_d=column_ifexists('ClientASN_d', ''), - ClientCountry_s=column_ifexists('ClientCountry_s', ''), - ClientDeviceType_s=column_ifexists('ClientDeviceType_s', ''), - ClientIP_s=column_ifexists('ClientIP_s', ''), - ClientIPClass_s=column_ifexists('ClientIPClass_s', ''), - ClientRequestHost_s=column_ifexists('ClientRequestHost_s', ''), - ClientRequestMethod_s=column_ifexists('ClientRequestMethod_s', ''), - ClientRequestPath_s=column_ifexists('ClientRequestPath_s', ''), - ClientRequestProtocol_s=column_ifexists('ClientRequestProtocol_s', ''), - ClientRequestReferer_s=column_ifexists('ClientRequestReferer_s', ''), - ClientRequestURI_s=column_ifexists('ClientRequestURI_s', ''), - ClientRequestUserAgent_s=column_ifexists('ClientRequestUserAgent_s', ''), - ClientSSLCipher_s=column_ifexists('ClientSSLCipher_s', ''), - ClientSSLProtocol_s=column_ifexists('ClientSSLProtocol_s', ''), - ClientXRequestedWith_s=column_ifexists('ClientXRequestedWith_s', ''), - EdgeColoCode_s=column_ifexists('EdgeColoCode_s', ''), - EdgeColoID_d=column_ifexists('EdgeColoID_d', ''), - EdgeEndTimestamp_t=column_ifexists('EdgeEndTimestamp_t', ''), - EdgePathingOp_s=column_ifexists('EdgePathingOp_s', ''), - EdgePathingSrc_s=column_ifexists('EdgePathingSrc_s', ''), - EdgePathingStatus_s=column_ifexists('EdgePathingStatus_s', ''), - EdgeRateLimitAction_s=column_ifexists('EdgeRateLimitAction_s', ''), - EdgeRateLimitID_d=column_ifexists('EdgeRateLimitID_d', ''), - EdgeRequestHost_s=column_ifexists('EdgeRequestHost_s', ''), - EdgeResponseBytes_d=column_ifexists('EdgeResponseBytes_d', ''), - EdgeResponseCompressionRatio_d=column_ifexists('EdgeResponseCompressionRatio_d', ''), - EdgeResponseContentType_s=column_ifexists('EdgeResponseContentType_s', ''), - EdgeResponseStatus_d=column_ifexists('EdgeResponseStatus_d', ''), - EdgeServerIP_s=column_ifexists('EdgeServerIP_s', ''), - EdgeStartTimestamp_t=column_ifexists('EdgeStartTimestamp_t', ''), - FirewallMatchesActions_s=column_ifexists('FirewallMatchesActions_s', ''), - FirewallMatchesRuleIDs_s=column_ifexists('FirewallMatchesRuleIDs_s', ''), - FirewallMatchesSources_s=column_ifexists('FirewallMatchesSources_s', ''), - OriginIP_s=column_ifexists('OriginIP_s', ''), - OriginResponseBytes_d=column_ifexists('OriginResponseBytes_d', ''), - OriginResponseHTTPExpires_s=column_ifexists('OriginResponseHTTPExpires_s', ''), - OriginResponseHTTPLastModified_s=column_ifexists('OriginResponseHTTPLastModified_s', ''), - OriginResponseStatus_d=column_ifexists('OriginResponseStatus_d', ''), - OriginResponseTime_d=column_ifexists('OriginResponseTime_d', ''), - OriginSSLProtocol_s=column_ifexists('OriginSSLProtocol_s', ''), - ParentRayID_s=column_ifexists('ParentRayID_s', ''), - RayID_s=column_ifexists('RayID_s', ''), - SecurityLevel_s=column_ifexists('SecurityLevel_s', ''), - WAFAction_s=column_ifexists('WAFAction_s', ''), - WAFFlags_s=column_ifexists('WAFFlags_s', ''), - WAFMatchedVar_s=column_ifexists('WAFMatchedVar_s', ''), - WAFProfile_s=column_ifexists('WAFProfile_s', ''), - WAFRuleID_s=column_ifexists('WAFRuleID_s', ''), - WAFRuleMessage_s=column_ifexists('WAFRuleMessage_s', ''), - WorkerCPUTime_d=column_ifexists('WorkerCPUTime_d', ''), - WorkerStatus_s=column_ifexists('WorkerStatus_s', ''), - WorkerSubrequest_b=column_ifexists('WorkerSubrequest_b', ''), - WorkerSubrequestCount_d=column_ifexists('WorkerSubrequestCount_d', ''), - ZoneID_d=column_ifexists('ZoneID_d', ''), - Application_s=column_ifexists('Application_s', ''), - ClientMatchedIpFirewall_s=column_ifexists('ClientMatchedIpFirewall_s', ''), - ClientProto_s=column_ifexists('ClientProto_s', ''), - ClientTcpRtt_d=column_ifexists('ClientTcpRtt_d', ''), - ClientTlsCipher_s=column_ifexists('ClientTlsCipher_s', ''), - ClientTlsClientHelloServerName_s=column_ifexists('ClientTlsClientHelloServerName_s', ''), - ClientTlsProtocol_s=column_ifexists('ClientTlsProtocol_s', ''), - ClientTlsStatus_s=column_ifexists('ClientTlsStatus_s', ''), - ColoCode_s=column_ifexists('ColoCode_s', ''), - ConnectTimestamp_t=column_ifexists('ConnectTimestamp_t', ''), - DisconnectTimestamp_t=column_ifexists('DisconnectTimestamp_t', ''), - Event_s=column_ifexists('Event_s', ''), - IpFirewall_b=column_ifexists('IpFirewall_b', ''), - OriginBytes_d=column_ifexists('OriginBytes_d', ''), - OriginPort_d=column_ifexists('OriginPort_d', ''), - OriginProto_s=column_ifexists('OriginProto_s', ''), - OriginTcpRtt_d=column_ifexists('OriginTcpRtt_d', ''), - OriginTlsCipher_s=column_ifexists('OriginTlsCipher_s', ''), - OriginTlsFingerprint_s=column_ifexists('OriginTlsFingerprint_s', ''), - OriginTlsMode_s=column_ifexists('OriginTlsMode_s', ''), - OriginTlsProtocol_s=column_ifexists('OriginTlsProtocol_s', ''), - OriginTlsStatus_s=column_ifexists('OriginTlsStatus_s', ''), - ProxyProtocol_s=column_ifexists('ProxyProtocol_s', ''), - Status_d=column_ifexists('Status_d', ''), - Timestamp_t=column_ifexists('Timestamp_t', ''), - Action_s=column_ifexists('Action_s', ''), - ClientASNDescription_s=column_ifexists('ClientASNDescription_s', ''), - ClientRefererHost_s=column_ifexists('ClientRefererHost_s', ''), - ClientRefererPath_s=column_ifexists('ClientRefererPath_s', ''), - ClientRefererQuery_s=column_ifexists('ClientRefererQuery_s', ''), - ClientRefererScheme_s=column_ifexists('ClientRefererScheme_s', ''), - ClientRequestQuery_s=column_ifexists('ClientRequestQuery_s', ''), - ClientRequestScheme_s=column_ifexists('ClientRequestScheme_s', ''), - Datetime_t=column_ifexists('Datetime_t', ''), - Kind_s=column_ifexists('Kind_s', ''), - MatchIndex_d=column_ifexists('MatchIndex_d', ''), - OriginatorRayID_s=column_ifexists('OriginatorRayID_s', ''), - RuleID_s=column_ifexists('RuleID_s', ''), - Source_s=column_ifexists('Source_s', '') -| extend - SrcDvcType=iff(isempty(ClientDeviceType_s), iff(isempty(Source_s), '', Source_s), ClientDeviceType_s), - TlsCipher=iff(isempty(ClientSSLCipher_s), iff(isempty(ClientTlsCipher_s), '', ClientTlsCipher_s), ClientSSLCipher_s), - TlsVersion=iff(isempty(ClientSSLProtocol_s), iff(isempty(ClientTlsProtocol_s), '', ClientTlsProtocol_s), ClientSSLProtocol_s), - DvcAction=iff(isempty(FirewallMatchesActions_s), iff(isempty(Event_s), iff(isempty(Action_s), '', Action_s), Event_s), FirewallMatchesActions_s), - NetworkRuleName=iff(isempty(FirewallMatchesRuleIDs_s), iff(isempty(RuleID_s), '', RuleID_s), FirewallMatchesRuleIDs_s), - ClientRequestBytes_d=column_ifexists('ClientRequestBytes_d', column_ifexists('ClientBytes_d', '')), - ClientSrcPort_d=column_ifexists('ClientSrcPort_d', column_ifexists('ClientPort_d', '')), - EdgeResponseBytes_d=column_ifexists('EdgeResponseBytes_d', column_ifexists('OriginBytes_d', '')) -| project-rename - SrcBytes=ClientRequestBytes_d, - SrcPortNumber=ClientSrcPort_d, - DstBytes=EdgeResponseBytes_d, - BotScore=BotScore_d, - BotScoreSrc=BotScoreSrc_s, - CacheCacheStatus=CacheCacheStatus_s, - CacheResponseBytes=CacheResponseBytes_d, - CacheResponseStatus=CacheResponseStatus_d, - CacheTieredFill=CacheTieredFill_b, - ClientASN=ClientASN_d, - SrcGeoCountry=ClientCountry_s, - SrcIpAddr=ClientIP_s, - ClientIPClass=ClientIPClass_s, - HttpRequestHeaderHost=ClientRequestHost_s, - HttpRequestMethod=ClientRequestMethod_s, - ClientRequestPath=ClientRequestPath_s, - ClientRequestProtocol=ClientRequestProtocol_s, - HttpReferrerOriginal=ClientRequestReferer_s, - ClientRequestURI=ClientRequestURI_s, - HttpUserAgentOriginal=ClientRequestUserAgent_s, - ClientXRequestedWith=ClientXRequestedWith_s, - EdgeColoCode=EdgeColoCode_s, - EdgeColoID=EdgeColoID_d, - EdgeEndTimestamp=EdgeEndTimestamp_t, - EdgePathingOp=EdgePathingOp_s, - EdgePathingSrc=EdgePathingSrc_s, - EdgePathingStatus=EdgePathingStatus_s, - EdgeRateLimitAction=EdgeRateLimitAction_s, - EdgeRateLimitID=EdgeRateLimitID_d, - EdgeRequestHost=EdgeRequestHost_s, - EdgeResponseCompressionRatio=EdgeResponseCompressionRatio_d, - HttpContentType=EdgeResponseContentType_s, - EdgeResponseStatus=EdgeResponseStatus_d, - EdgeServerIP=EdgeServerIP_s, - EdgeStartTimestamp=EdgeStartTimestamp_t, - FirewallMatchesSources=FirewallMatchesSources_s, - DstIpAddr=OriginIP_s, - OriginResponseBytes=OriginResponseBytes_d, - OriginResponseHTTPExpires=OriginResponseHTTPExpires_s, - OriginResponseHTTPLastModified=OriginResponseHTTPLastModified_s, - HttpStatusCode=OriginResponseStatus_d, - OriginResponseTime=OriginResponseTime_d, - OriginSSLProtocol=OriginSSLProtocol_s, - ParentRayID=ParentRayID_s, - RayID=RayID_s, - SecurityLevel=SecurityLevel_s, - WAFAction=WAFAction_s, - WAFFlags=WAFFlags_s, - WAFMatchedVar=WAFMatchedVar_s, - WAFProfile=WAFProfile_s, - WAFRuleID=WAFRuleID_s, - WAFRuleMessage=WAFRuleMessage_s, - WorkerCPUTime=WorkerCPUTime_d, - WorkerStatus=WorkerStatus_s, - WorkerSubrequest=WorkerSubrequest_b, - WorkerSubrequestCount=WorkerSubrequestCount_d, - ZoneID=ZoneID_d, - Application=Application_s, - ClientMatchedIpFirewall=ClientMatchedIpFirewall_s, - NetworkProtocol=ClientProto_s, - ClientTcpRtt=ClientTcpRtt_d, - ClientTlsClientHelloServerName=ClientTlsClientHelloServerName_s, - ClientTlsStatus=ClientTlsStatus_s, - ColoCode=ColoCode_s, - ConnectTimestamp=ConnectTimestamp_t, - DisconnectTimestamp=DisconnectTimestamp_t, - IpFirewall=IpFirewall_b, - DstPortNumber=OriginPort_d, - OriginProto=OriginProto_s, - OriginTcpRtt=OriginTcpRtt_d, - OriginTlsCipher=OriginTlsCipher_s, - OriginTlsFingerprint=OriginTlsFingerprint_s, - OriginTlsMode=OriginTlsMode_s, - OriginTlsProtocol=OriginTlsProtocol_s, - OriginTlsStatus=OriginTlsStatus_s, - ProxyProtocol=ProxyProtocol_s, - EventResult=Status_d, - Timestamp=Timestamp_t, - ClientASNDescription=ClientASNDescription_s, - ClientRefererHost=ClientRefererHost_s, - ClientRefererPath=ClientRefererPath_s, - ClientRefererQuery=ClientRefererQuery_s, - ClientRefererScheme=ClientRefererScheme_s, - ClientRequestQuery=ClientRequestQuery_s, - ClientRequestScheme=ClientRequestScheme_s, - Datetime=Datetime_t, - EventSubType=Kind_s, - MatchIndex=MatchIndex_d, - OriginatorRayID=OriginatorRayID_s -| project-away - ClientDeviceType_s, - Source_s, - ClientSSLCipher_s, - ClientTlsCipher_s, - ClientSSLProtocol_s, - ClientTlsProtocol_s, - FirewallMatchesActions_s, - Event_s, - Action_s, - FirewallMatchesRuleIDs_s, - RuleID_s \ No newline at end of file diff --git a/Solutions/Corelight/Parsers/Corelight.txt b/Solutions/Corelight/Parsers/Corelight.txt deleted file mode 100644 index 01a832f02b4..00000000000 --- a/Solutions/Corelight/Parsers/Corelight.txt +++ /dev/null @@ -1,645 +0,0 @@ -// Usage Instruction : -// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias as Corelight. -// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. Corelight | take 10). -// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions -let Corelight_view = view () { - Corelight_CL | where isnotempty(Message) -| extend tmp = parse_json(Message) -| evaluate bag_unpack(tmp) - | extend - EventVendor="Corelight", - EventProduct="Corelight Sensor", - EventType=column_ifexists('_path',''), - DvcHostname=column_ifexists('_system_name', ''), - SrcDvcHostname=column_ifexists('hostname_s', ''), - EventEndTime=column_ifexists('ts', '') -}; -let Corelight_main_view = view () { - Corelight_view - | extend - Action=column_ifexists('action', ''), - Actions=column_ifexists('actions', ''), - AgentRemoteId=column_ifexists('agent_remote_id', ''), - AlertCategory=column_ifexists('alert.category', ''), - AlertGroupId=column_ifexists('alert.gid', ''), - AlertMetadata=column_ifexists('alert.metadata', ''), - AlertRevision=column_ifexists('alert.rev', ''), - AlertSeverity=column_ifexists('alert.severity', ''), - AlertSignature=column_ifexists('alert.signature', ''), - AlertSignatureId=column_ifexists('alert.signature_id', ''), - Analyzer=column_ifexists('analyzer', ''), - AuthAttempts=column_ifexists('auth_attempts', ''), - AuthSuccess=column_ifexists('auth_success', ''), - BasicConstraintsCa=column_ifexists('basic_constraints.ca', ''), - BasicConstraintsPathLen=column_ifexists('basic_constraints.path_len', ''), - Cc=column_ifexists('cc', ''), - CertificateCn=column_ifexists('certificate.cn', ''), - CertificateCurve=column_ifexists('certificate.curve', ''), - CertificateExponent=column_ifexists('certificate.exponent', ''), - CertificateHashSha1=column_ifexists('orig_certificate_sha1', ''), - CertificateIssuer=column_ifexists('certificate.issuer', column_ifexists('client_issuer', '')), - CertificateKeyAlg=column_ifexists('certificate.key_alg', ''), - CertificateKeyLength=column_ifexists('certificate.key_length', ''), - CertificateKeyType=column_ifexists('certificate.key_type', ''), - CertificateNotValidAfter=column_ifexists('certificate.not_valid_after', ''), - CertificateNotValidBefore=column_ifexists('certificate.not_valid_before', ''), - CertificateSerial=column_ifexists('certificate.serial', ''), - CertificateSigAlg=column_ifexists('certificate.sig_alg', ''), - CertificateSubject=column_ifexists('certificate.subject', column_ifexists('client_subject', '')), - CertificateVersion=column_ifexists('certificate.version', ''), - CipherAlg=column_ifexists('cipher_alg', ''), - Client=column_ifexists('client', ''), - ClientMessage=column_ifexists('client_message', ''), - ClientSoftware=column_ifexists('client_software', ''), - CompileTs=column_ifexists('compile_ts', ''), - CompressionAlg=column_ifexists('compression_alg', ''), - Cshka=column_ifexists('cshka', ''), - DataChannelOrigH=column_ifexists('data_channel.orig_h', ''), - DataChannelPassive=column_ifexists('data_channel.passive', ''), - DataChannelRespH=column_ifexists('data_channel.resp_h', ''), - DataChannelRespP=column_ifexists('data_channel.resp_p', ''), - Date=column_ifexists('date', ''), - Depth=column_ifexists('depth', ''), - DhcpAssignedIpAddr=column_ifexists('assigned_addr', ''), - DhcpCircuitId=column_ifexists('circuit_id', ''), - DhcpLeaseTime=column_ifexists('lease_time', ''), - DhcpRequestedIpAddr=column_ifexists('requested_addr', ''), - DhcpSubscriberId=column_ifexists('subscriber_id', ''), - Direction=column_ifexists('direction', ''), - Dnp3FunctionReply=column_ifexists('fc_reply', ''), - Dnp3FunctionRequest=column_ifexists('fc_request', ''), - Dnp3Iin=column_ifexists('iin', ''), - DnsAdditionalAuthoritativeName=column_ifexists('auth', ''), - DnsAdditionalName=column_ifexists('addl', ''), - DnsFlagsAuthoritative=column_ifexists('AA', ''), - DnsFlagsRecursionAvailable=column_ifexists('RA', ''), - DnsFlagsRecursionDesired=column_ifexists('RD', ''), - DnsFlagsTruncated=column_ifexists('TC', ''), - DnsFlagsZ=column_ifexists('Z', ''), - DnsQueryClass=column_ifexists('qclass', ''), - DnsQueryClassName=column_ifexists('qclass_name', ''), - DnsQueryName=column_ifexists('query', ''), - DnsQueryType=column_ifexists('qtype', ''), - DnsQueryTypeName=column_ifexists('qtype_name', ''), - DnsRejected=column_ifexists('rejected', ''), - DnsResponseCode=column_ifexists('rcode', ''), - DnsResponseCodeName=column_ifexists('rcode_name', ''), - DnsResponseName=column_ifexists('answers', ''), - DnsResponseTtl=column_ifexists('TTLs', ''), - DnsRtt=column_ifexists('rtt', ''), - DnsTransactionId=column_ifexists('trans_id', ''), - Domainname=column_ifexists('domainname', ''), - Dropped=column_ifexists('dropped', ''), - Dst=column_ifexists('dst', ''), - DstBytes=column_ifexists('resp_bytes', ''), - DstCertificateIssuerName=column_ifexists('issuer', ''), - DstCertificateSha1=column_ifexists('resp_certificate_sha1', ''), - DstCertificateSubjectName=column_ifexists('subject', ''), - DstHostName=column_ifexists('http_header_host', column_ifexists('tls_server_name', '')), - DstIpAddr=column_ifexists('id.resp_h', column_ifexists('server_addr', column_ifexists('tx_hosts', ''))), - DstIpBytes=column_ifexists('resp_ip_bytes', ''), - DstMac=column_ifexists('resp_l2_addr', ''), - DstPackets=column_ifexists('resp_pkts', ''), - DstPort=column_ifexists('id.resp_p', ''), - Duration=column_ifexists('duration', ''), - EmailBodySections=column_ifexists('email_body_sections', ''), - EventDuration=column_ifexists('duration', ''), - EventUid=column_ifexists('z_Enrichment', column_ifexists('zeek_id_uids', column_ifexists('uid', ''))), - FailureReason=column_ifexists('failure_reason', ''), - FileAccessedTime=column_ifexists('times_accessed', ''), - FileChangedTime=column_ifexists('times_changed', ''), - FileCreationTime=column_ifexists('times_created', ''), - FileDesc=column_ifexists('file_desc', ''), - FileDirectory=column_ifexists('cwd', ''), - FileMimeType=column_ifexists('file_mime_type', column_ifexists('mime_type', column_ifexists('resp_mime_types', ''))), - FileModifiedTime=column_ifexists('times_modified', ''), - FileName=column_ifexists('filename', column_ifexists('resp_filenames', '')), - FilePath=column_ifexists('file_name', ''), - FilePreviousName=column_ifexists('prev_name', ''), - FileSize=column_ifexists('file_size', column_ifexists('total_bytes', column_ifexists('size', ''))), - FileSystemType=column_ifexists('native_file_system', ''), - FingerprintNetworkCommunityId=column_ifexists('community_id', ''), - FirstReceived=column_ifexists('first_received', ''), - FlowId=column_ifexists('flow_id', ''), - From=column_ifexists('from', ''), - FtpCommandLine=column_ifexists('arg', ''), - FtpPassive=column_ifexists('ftp_passive', ''), - FtpProcessName=column_ifexists('command', ''), - Fuid=column_ifexists('fuid', ''), - Fuids=column_ifexists('fuids', ''), - HasCertTable=column_ifexists('has_cert_table', ''), - HasDebugData=column_ifexists('has_debug_data', ''), - HasExportTable=column_ifexists('has_export_table', ''), - HasImportTable=column_ifexists('has_import_table', ''), - HashJa3=column_ifexists('ja3', ''), - HashJa3s=column_ifexists('ja3s', ''), - HashMd5=column_ifexists('md5', ''), - HashSha1=column_ifexists('sha1', ''), - HashSha256=column_ifexists('sha256', ''), - Hassh=column_ifexists('hassh', ''), - Hasshalgorithms=column_ifexists('hasshAlgorithms', ''), - Hasshserver=column_ifexists('hasshServer', ''), - Hasshserveralgorithms=column_ifexists('hasshServerAlgorithms', ''), - Hasshversion=column_ifexists('hasshVersion', ''), - Helo=column_ifexists('helo', ''), - Host=column_ifexists('host', ''), - HostKey=column_ifexists('host_key', ''), - HostKeyAlg=column_ifexists('host_key_alg', ''), - HostP=column_ifexists('host_p', ''), - Hostname=column_ifexists('hostname', ''), - HttpCookieVariables=column_ifexists('cookie_vars', ''), - HttpInformationalCode=column_ifexists('info_code', ''), - HttpInformationalMessage=column_ifexists('info_msg', ''), - HttpProxiedHeaders=column_ifexists('proxied', ''), - HttpReferrerOriginal=column_ifexists('referrer', ''), - HttpRequestBodyBytes=column_ifexists('request_body_len', ''), - HttpRequestHeaderHost=column_ifexists('host', ''), - HttpRequestHeaderNames=column_ifexists('client_header_names', ''), - HttpRequestHeaderOrigin=column_ifexists('origin', ''), - HttpRequestMethod=column_ifexists('method', ''), - HttpResponseBodyBytes=column_ifexists('response_body_len', ''), - HttpResponseBodyOriginal=column_ifexists('post_body', ''), - HttpResponseHeaderNames=column_ifexists('server_header_names', ''), - HttpStatusCode=column_ifexists('status_code', ''), - HttpStatusMessage=column_ifexists('status_msg', ''), - HttpVersion=column_ifexists('version', ''), - Id=column_ifexists('id', ''), - InReplyTo=column_ifexists('in_reply_to', ''), - Is64bit=column_ifexists('is_64bit', ''), - IsExe=column_ifexists('is_exe', ''), - IsOrig=column_ifexists('is_orig', ''), - IsWebmail=column_ifexists('is_webmail', ''), - KexAlg=column_ifexists('kex_alg', ''), - LastReply=column_ifexists('last_reply', ''), - LocalOrig=column_ifexists('local_orig', ''), - Logcert=column_ifexists('logcert', ''), - MacAlg=column_ifexists('mac_alg', ''), - Machine=column_ifexists('machine', ''), - Mailfrom=column_ifexists('mailfrom', ''), - Matched=column_ifexists('matched', ''), - MimeType=column_ifexists('mime_type', ''), - Msg=column_ifexists('msg', ''), - MsgId=column_ifexists('msg_id', ''), - MsgOrig=column_ifexists('msg_orig', ''), - MsgTypes=column_ifexists('msg_types', ''), - N=column_ifexists('n', ''), - Name=column_ifexists('name', ''), - NetworkApplication=column_ifexists('service', ''), - NetworkConnectionHistory=column_ifexists('history', ''), - NetworkConnectionState=column_ifexists('conn_state', ''), - NetworkInnerVlanId=column_ifexists('inner_vlan', ''), - NetworkMissedBytes=column_ifexists('missed_bytes', ''), - NetworkOuterVlanId=column_ifexists('vlan', ''), - NetworkProtocol=case(EventType == "smb_files" or EventType == "smb_mapping" or EventType == "ssl" or EventType == "ssl_red" or EventType == "http" or EventType == "http_red", "tcp",EventType == "dhcp", "udp",column_ifexists('proto','')), - Node=column_ifexists('node', ''), - Note=column_ifexists('note', ''), - Notice=column_ifexists('notice', ''), - Os=column_ifexists('os', ''), - OscpValidationStatus=column_ifexists('ocsp_status', ''), - P=column_ifexists('p', ''), - PacketSegment=column_ifexists('packet_segment', ''), - Path=column_ifexists('path', ''), - PcapCount=column_ifexists('pcap_cnt', ''), - Peer=column_ifexists('peer', ''), - PeerDescr=column_ifexists('peer_descr', ''), - Rcptto=column_ifexists('rcptto', ''), - RemoteLocationCity=column_ifexists('remote_location.city', ''), - RemoteLocationCountryCode=column_ifexists('remote_location.country_code', ''), - RemoteLocationLatitude=column_ifexists('remote_location.latitude', ''), - RemoteLocationLongitude=column_ifexists('remote_location.longitude', ''), - RemoteLocationRegion=column_ifexists('remote_location.region', ''), - ReplyCode=column_ifexists('reply_code', ''), - ReplyMsg=column_ifexists('reply_msg', ''), - ReplyTo=column_ifexists('reply_to', ''), - SanDns=column_ifexists('san.dns', ''), - SanEmail=column_ifexists('san.email', ''), - SanIp=column_ifexists('san.ip', ''), - SanUri=column_ifexists('san.uri', '') , - SecondReceived=column_ifexists('second_received', ''), - SectionNames=column_ifexists('section_names', ''), - SeenIndicator=column_ifexists('seen.indicator', ''), - SeenIndicatorType=column_ifexists('seen.indicator_type', ''), - SeenWhere=column_ifexists('seen.where', ''), - Server=column_ifexists('server', ''), - ServerDnsComputerName=column_ifexists('server_dns_computer_name', ''), - ServerMessage=column_ifexists('server_message', ''), - ServerNbComputerName=column_ifexists('server_nb_computer_name', ''), - ServerSoftware=column_ifexists('server_software', ''), - ServerTreeName=column_ifexists('server_tree_name', ''), - Service=column_ifexists('service', ''), - ShareName=column_ifexists('path', ''), - ShareRelativeTargetName=column_ifexists('name', ''), - ShareType=column_ifexists('share_type', ''), - SmbAction=column_ifexists('action', ''), - SoftwareFlashVersionOriginal=column_ifexists('flash_version', ''), - SoftwareType=column_ifexists('software_type', ''), - Source=column_ifexists('source', ''), - Sources=column_ifexists('sources', ''), - Src=column_ifexists('src', ''), - SrcBytes=column_ifexists('orig_bytes', ''), - SrcDomain=column_ifexists('domain', ''), - SrcFileName=column_ifexists('orig_filenames', ''), - SrcFilePath=column_ifexists('src_file_name', ''), - SrcFqdn=column_ifexists('client_fqdn', ''), - SrcHostName=column_ifexists('host_name', ''), - SrcIpAddr=column_ifexists('id.orig_h', column_ifexists('rx_hosts', column_ifexists('client_addr', ''))), - SrcIpBytes=column_ifexists('orig_ip_bytes', ''), - SrcMac=column_ifexists('mac', column_ifexists('orig_l2_addr', '')), - SrcMimeType=column_ifexists('orig_mime_types', ''), - SrcPackets=column_ifexists('orig_pkts', ''), - SrcPort=column_ifexists('id.orig_p', ''), - Sub=column_ifexists('sub', ''), - Subject=column_ifexists('subject', ''), - SubpressFor=column_ifexists('subpress_for', ''), - Subsystem=column_ifexists('subsystem', ''), - Success=column_ifexists('success', ''), - SuricataId=column_ifexists('suri_id', ''), - SuricataIds=column_ifexists('suri_ids', ''), - Tls=column_ifexists('tls', ''), - TlsCertificateValidationStatus=column_ifexists('validation_status', ''), - TlsCipher=column_ifexists('cipher', ''), - TlsCurve=column_ifexists('curve', ''), - TlsEstablished=column_ifexists('established', ''), - TlsLastAlert=column_ifexists('last_alert', ''), - TlsNextProtocol=column_ifexists('next_protocol', ''), - TlsNotaryResponse=column_ifexists('notary', ''), - TlsResumed=column_ifexists('resumed', ''), - TlsServerName=column_ifexists('server_name', ''), - TlsVersion=column_ifexists('version', ''), - TlsVersionNumber=column_ifexists('version_num', ''), - To=column_ifexists('to', ''), - TransactionId=column_ifexists('tx_id', ''), - TransDepth=column_ifexists('trans_depth', ''), - TunnelType=column_ifexists('tunnel_type', ''), - UnparsedVersion=column_ifexists('unparsed_version', ''), - Url=column_ifexists('url', ''), - UrlOriginal=column_ifexists('uri', ''), - UrlQueryValues=column_ifexists('uri_vars', ''), - UserAgent=column_ifexists('user_agent', ''), - UserAgentOriginal=column_ifexists('user_agent', ''), - UserName=column_ifexists('user', column_ifexists('username', '')), - UserPassword=column_ifexists('password', ''), - Username=column_ifexists('username', ''), - UsesAslr=column_ifexists('uses_aslr', ''), - UsesCodeIntegrity=column_ifexists('uses_code_integrity', ''), - UsesDep=column_ifexists('uses_dep', ''), - UsesSeh=column_ifexists('uses_seh', ''), - ValidCtLogs=column_ifexists('valid_ct_logs', ''), - ValidCtOperators=column_ifexists('valid_ct_operators', ''), - ValidCtOperatorsList=column_ifexists('valid_ct_operators_list', ''), - Version=column_ifexists('version', ''), - VersionAddl=column_ifexists('version.addl', ''), - VersionMajor=column_ifexists('version.major', ''), - VersionMinor2=column_ifexists('version.minor2', ''), - VersionMinor3=column_ifexists('version.minor3', ''), - VersionMinor=column_ifexists('version.minor', ''), - X509=column_ifexists('x509', ''), - XOriginatingIp=column_ifexists('x_originating_ip', ''), - ZeekConnLocalDst=column_ifexists('local_resp', ''), - ZeekConnLocalSrc=column_ifexists('local_orig', ''), - ZeekFilesAnalyzers=column_ifexists('analyzers', ''), - ZeekFilesEntropy=column_ifexists('entropy', ''), - ZeekFilesExtracted=column_ifexists('extracted', ''), - ZeekFilesExtractedCutoff=column_ifexists('extracted_cutoff', ''), - ZeekFilesExtractedSize=column_ifexists('extracted_size', ''), - ZeekFilesMissingBytes=column_ifexists('missing_bytes', ''), - ZeekFilesOverflowBytes=column_ifexists('overflow_bytes', ''), - ZeekFilesSeenBytes=column_ifexists('seen_bytes', ''), - ZeekFilesTimedout=column_ifexists('timedout', ''), - ZeekHttpOmniture=column_ifexists('omniture', ''), - ZeekHttpTags=column_ifexists('tags', ''), - ZeekHttpTransDepth=column_ifexists('trans_depth', ''), - ZeekIdCertChainFuids=column_ifexists('cert_chain_fuids', ''), - ZeekIdClientCertChainFuids=column_ifexists('client_cert_chain_fuids', ''), - ZeekIdConnUids=column_ifexists('conn_uids', ''), - ZeekIdFuid=column_ifexists('fuid', ''), - ZeekIdOrigFuids=column_ifexists('orig_fuids', ''), - ZeekIdParentFuid=column_ifexists('parent_fuid', ''), - ZeekIdRespFuids=column_ifexists('resp_fuids', ''), - ZeekIdTunnelParents=column_ifexists('tunnel_parents', ''), - ZeekIdUids=column_ifexists('uids', ''), - ZeekMetaDstIpAddrHostName=column_ifexists('id.resp_h_name.vals', ''), - ZeekMetaDstIpAddrSource=column_ifexists('id.resp_h_name.src', ''), - ZeekMetaSrcIpAddrHostName=column_ifexists('id.orig_h_name.vals', ''), - ZeekMetaSrcIpAddrSource=column_ifexists('id.orig_h_name.src', ''), - ZeekOrigCc=column_ifexists('orig_cc', ''), - ZeekRespCc=column_ifexists('resp_cc', '') - | project - DvcHostname, - SrcDvcHostname, - EventEndTime, - Message, - TimeGenerated, - EventType, - EventVendor, - EventProduct, - Action, - Actions, - AgentRemoteId, - AlertCategory, - AlertGroupId, - AlertMetadata, - AlertRevision, - AlertSeverity, - AlertSignature, - AlertSignatureId, - Analyzer, - AuthAttempts, - AuthSuccess, - BasicConstraintsCa, - BasicConstraintsPathLen, - Cc, - CertificateCn, - CertificateCurve, - CertificateExponent, - CertificateHashSha1, - CertificateIssuer, - CertificateKeyAlg, - CertificateKeyLength, - CertificateKeyType, - CertificateNotValidAfter, - CertificateNotValidBefore, - CertificateSerial, - CertificateSigAlg, - CertificateSubject, - CertificateVersion, - CipherAlg, - Client, - ClientMessage, - ClientSoftware, - CompileTs, - CompressionAlg, - Cshka, - DataChannelOrigH, - DataChannelPassive, - DataChannelRespH, - DataChannelRespP, - Date, - Depth, - DhcpAssignedIpAddr, - DhcpCircuitId, - DhcpLeaseTime, - DhcpRequestedIpAddr, - DhcpSubscriberId, - Direction, - Dnp3FunctionReply, - Dnp3FunctionRequest, - Dnp3Iin, - DnsAdditionalAuthoritativeName, - DnsAdditionalName, - DnsFlagsAuthoritative, - DnsFlagsRecursionAvailable, - DnsFlagsRecursionDesired, - DnsFlagsTruncated, - DnsFlagsZ, - DnsQueryClass, - DnsQueryClassName, - DnsQueryName, - DnsQueryType, - DnsQueryTypeName, - DnsRejected, - DnsResponseCode, - DnsResponseCodeName, - DnsResponseName, - DnsResponseTtl, - DnsRtt, - DnsTransactionId, - Domainname, - Dropped, - Dst, - DstBytes, - DstCertificateIssuerName, - DstCertificateSha1, - DstCertificateSubjectName, - DstHostName, - DstIpAddr, - DstIpBytes, - DstMac, - DstPackets, - DstPort, - Duration, - EmailBodySections, - EventDuration, - EventUid, - FailureReason, - FileAccessedTime, - FileChangedTime, - FileCreationTime, - FileDesc, - FileDirectory, - FileMimeType, - FileModifiedTime, - FileName, - FilePath, - FilePreviousName, - FileSize, - FileSystemType, - FingerprintNetworkCommunityId, - FirstReceived, - FlowId, - From, - FtpCommandLine, - FtpPassive, - FtpProcessName, - Fuid, - Fuids, - HasCertTable, - HasDebugData, - HasExportTable, - HasImportTable, - HashJa3, - HashJa3s, - HashMd5, - HashSha1, - HashSha256, - Hassh, - Hasshalgorithms, - Hasshserver, - Hasshserveralgorithms, - Hasshversion, - Helo, - Host, - HostKey, - HostKeyAlg, - HostP, - Hostname, - HttpCookieVariables, - HttpInformationalCode, - HttpInformationalMessage, - HttpProxiedHeaders, - HttpReferrerOriginal, - HttpRequestBodyBytes, - HttpRequestHeaderHost, - HttpRequestHeaderNames, - HttpRequestHeaderOrigin, - HttpRequestMethod, - HttpResponseBodyBytes, - HttpResponseBodyOriginal, - HttpResponseHeaderNames, - HttpStatusCode, - HttpStatusMessage, - HttpVersion, - Id, - InReplyTo, - Is64bit, - IsExe, - IsOrig, - IsWebmail, - KexAlg, - LastReply, - LocalOrig, - Logcert, - MacAlg, - Machine, - Mailfrom, - Matched, - MimeType, - Msg, - MsgId, - MsgOrig, - MsgTypes, - N, - Name, - NetworkApplication, - NetworkConnectionHistory, - NetworkConnectionState, - NetworkInnerVlanId, - NetworkMissedBytes, - NetworkOuterVlanId, - NetworkProtocol, - Node, - Note, - Notice, - Os, - OscpValidationStatus, - P, - PacketSegment, - Path, - PcapCount, - Peer, - PeerDescr, - Rcptto, - RemoteLocationCity, - RemoteLocationCountryCode, - RemoteLocationLatitude, - RemoteLocationLongitude, - RemoteLocationRegion, - ReplyCode, - ReplyMsg, - ReplyTo, - SanDns, - SanEmail, - SanIp, - SanUri, - SecondReceived, - SectionNames, - SeenIndicator, - SeenIndicatorType, - SeenWhere, - Server, - ServerDnsComputerName, - ServerMessage, - ServerNbComputerName, - ServerSoftware, - ServerTreeName, - Service, - ShareName, - ShareRelativeTargetName, - ShareType, - SmbAction, - SoftwareFlashVersionOriginal, - SoftwareType, - Source, - Sources, - Src, - SrcBytes, - SrcDomain, - SrcFileName, - SrcFilePath, - SrcFqdn, - SrcHostName, - SrcIpAddr, - SrcIpBytes, - SrcMac, - SrcMimeType, - SrcPackets, - SrcPort, - Sub, - Subject, - SubpressFor, - Subsystem, - Success, - SuricataId, - SuricataIds, - Tls, - TlsCertificateValidationStatus, - TlsCipher, - TlsCurve, - TlsEstablished, - TlsLastAlert, - TlsNextProtocol, - TlsNotaryResponse, - TlsResumed, - TlsServerName, - TlsVersion, - TlsVersionNumber, - To, - TransactionId, - TransDepth, - TunnelType, - UnparsedVersion, - Url, - UrlOriginal, - UrlQueryValues, - UserAgent, - UserAgentOriginal, - UserName, - UserPassword, - Username, - UsesAslr, - UsesCodeIntegrity, - UsesDep, - UsesSeh, - ValidCtLogs, - ValidCtOperators, - ValidCtOperatorsList, - Version, - VersionAddl, - VersionMajor, - VersionMinor2, - VersionMinor3, - VersionMinor, - X509, - XOriginatingIp, - ZeekConnLocalDst, - ZeekConnLocalSrc, - ZeekFilesAnalyzers, - ZeekFilesEntropy, - ZeekFilesExtracted, - ZeekFilesExtractedCutoff, - ZeekFilesExtractedSize, - ZeekFilesMissingBytes, - ZeekFilesOverflowBytes, - ZeekFilesSeenBytes, - ZeekFilesTimedout, - ZeekHttpOmniture, - ZeekHttpTags, - ZeekHttpTransDepth, - ZeekIdCertChainFuids, - ZeekIdClientCertChainFuids, - ZeekIdConnUids, - ZeekIdFuid, - ZeekIdOrigFuids, - ZeekIdParentFuid, - ZeekIdRespFuids, - ZeekIdTunnelParents, - ZeekIdUids, - ZeekMetaDstIpAddrHostName, - ZeekMetaDstIpAddrSource, - ZeekMetaSrcIpAddrHostName, - ZeekMetaSrcIpAddrSource, - ZeekOrigCc, - ZeekRespCc -}; -Corelight_main_view - diff --git a/Solutions/CyberArkEPM/Parsers/CyberArkEPM.txt b/Solutions/CyberArkEPM/Parsers/CyberArkEPM.txt deleted file mode 100644 index 32bffc9faa9..00000000000 --- a/Solutions/CyberArkEPM/Parsers/CyberArkEPM.txt +++ /dev/null @@ -1,92 +0,0 @@ -// Usage Instructions: -// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name as CyberArkEPM and specifying Legacy Category. -// This function maps CyberArk EPM events to Azure Sentinel Information Model (ASIM) (https://docs.microsoft.com/azure/sentinel/normalization). -// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. CyberArkEPM | take 10). -// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions -CyberArkEPM_CL -| extend EventVendor = 'CyberArk', - EventProduct = 'Endpoint Privilege Manager', - EventSchemaVersion = '0.1', - EventCount=case(event_type_s == 'raw_event', agentEventCount_d, totalEvents_d), - EventMessage=case(event_type_s == 'raw_event', displayName_s, lastEventDisplayName_s), - ActingProcessFileInternalName=case(event_type_s == 'raw_event', fileName_s, lastEventFileName_s), - Justification=case(event_type_s == 'raw_event', justification_s, lastEventJustification_s), - EventSourceName=case(event_type_s == 'raw_event', sourceName_s, lastEventSourceName_s), - EventSourceType=case(event_type_s == 'raw_event', sourceType_s, lastEventSourceType_s), - ActorUsername=case(event_type_s == 'raw_event', userName_s, pack_array(firstEventUserName_s, lastEventUserName_s)) -| project-rename AccessAction=accessAction_s, - AccessTargetName=accessTargetName_s, - AccessTargetType=accessTargetType_s, - AffectedComputers=affectedComputers_d, - AffectedUsers=affectedUsers_d, - AdminTaskId=adminTaskId_s, - BundleId=bundleId_s, - BundleName=bundleName_s, - BundleVersion=bundleVersion_s, - DvcId=agentId_g, - AggregatedBy=aggregatedBy_s, - AppType=applicationType_s, - ApplicationSubType=applicationSubType_s, - AppPackageDisplayName=appPackageDisplayName_s, - CLSID=CLSID_s, - ActingProcessFileCompany=company_s, - DeceptionType=deceptionType_d, - DefenceActionId=defenceActionId_d, - EventType=event_type_s, - EventSubType=eventType_s, - Evidences=evidences_s, - FileAccessPermission=fileAccessPermission_s, - ActingProcessFileDescription=fileDescription_s, - FileLocation=fileLocation_s, - ActingProcessName=filePath_s, - FileQualifier=fileQualifier_s, - ActingProcessFileSize=fileSize_d, - ActingProcessFileVersion=fileVersion_s, - EventStartTime=firstEventDate_t, - Hash=hash_s, - JustificationEmail=justificationEmail_s, - LastAgentId=lastAgentId_g, - EventEndTime=lastEventDate_t, - LogonAttemptTypeId=logonAttemptTypeId_d, - LogonStatusId=logonStatusId_d, - SrcFileMimeType=mimeType_s, - ModificationTime=modificationTime_t, - ActingProcessFileOriginalName=originalFileName_s, - Owner=owner_s, - PackageName=packageName_s, - PolicyId=policyId_d, - PolicyName=policyName_s, - ActingProcessGuid=processCommandLine_g, - ActingProcessCommandLine=processCommandLine_s, - ActingProcessFileProduct=productName_s, - ProductVersion=productVersion_s, - Publisher=publisher_s, - SetName=set_name_s, - Skipped=skipped_b, - SkippedCount=skippedCount_d, - SrcProcessCommandLine=sourceProcessCommandLine_s, - SrcProcessHash=sourceProcessHash_s, - SrcProcessPublisher=sourceProcessPublisher_s, - SrcProcessSigner=sourceProcessSigner_s, - SrcProcessUsername=sourceProcessUsername_s, - ThreatDetectionAction=threatDetectionAction_s, - ThreatProtectionAction=threatProtectionAction_s, - UrlOriginal=url_s, - UserIsAdmin=userIsAdmin_b, - WinEventRecordId=winEventRecordId_d, - WinEventType=winEventType_d -| project-away agentEventCount_d, - totalEvents_d, - displayName_s, - lastEventDisplayName_s, - fileName_s, - lastEventFileName_s, - justification_s, - lastEventJustification_s, - sourceName_s, - lastEventSourceName_s, - sourceType_s, - lastEventSourceType_s, - userName_s, - firstEventUserName_s, - lastEventUserName_s \ No newline at end of file diff --git a/Solutions/Lookout Cloud Security Platform for Microsoft Sentinel/Parsers/LookoutCSActivities.txt b/Solutions/Lookout Cloud Security Platform for Microsoft Sentinel/Parsers/LookoutCSActivities.txt deleted file mode 100644 index 572d20c2ace..00000000000 --- a/Solutions/Lookout Cloud Security Platform for Microsoft Sentinel/Parsers/LookoutCSActivities.txt +++ /dev/null @@ -1,23 +0,0 @@ -// Usage Instruction : -// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias as LookoutCSActivities. -// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. LookoutCSActivities | take 10). -// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions -LookoutCloudSecurity_CL -| extend timeStamp = timeStamp_t -| extend eventType = eventType_s -| extend actionType = actionType_s -| extend activityType = activityType_s -| extend appName = appName_s -| extend contentName = column_ifexists('contentName_s','') -| extend contentUrl = column_ifexists('contentUrl_s', '') -| extend eventId = eventId_g -| where eventType == 'Activity' -| project - timeStamp, - eventType, - actionType, - activityType, - appName, - contentName, - contentUrl, - eventId diff --git a/Solutions/Lookout Cloud Security Platform for Microsoft Sentinel/Parsers/LookoutCSAnomalies.txt b/Solutions/Lookout Cloud Security Platform for Microsoft Sentinel/Parsers/LookoutCSAnomalies.txt deleted file mode 100644 index 994e26ab864..00000000000 --- a/Solutions/Lookout Cloud Security Platform for Microsoft Sentinel/Parsers/LookoutCSAnomalies.txt +++ /dev/null @@ -1,31 +0,0 @@ -// Usage Instruction : -// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias as LookoutCSAnomalies. -// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. LookoutCSAnomalies | take 10). -// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions -LookoutCloudSecurity_CL -| extend timeStamp = timeStamp_t -| extend eventType = eventType_s -| extend actionType = actionType_s -| extend anomalyType = column_ifexists('anomalyType_s', '') -| extend appName = appName_s -| extend userEmail = column_ifexists('userEmail_s','') -| extend anomalyName = column_ifexists('anomalyName_s', '') -| extend currentCity = column_ifexists('currentCity_s', '') -| extend currentTimestamp = column_ifexists('currentTimestamp_t', '') -| extend previousTimestamp = column_ifexists('previousTimestamp_t', '') -| extend currentEventId = column_ifexists('currentEventId_g', '') -| extend previousEventId = column_ifexists('previousEventId_g', '') -| where eventType == 'Anomaly' -| project - timeStamp, - eventType, - actionType, - anomalyType, - appName, - userEmail, - anomalyName, - currentCity, - currentTimestamp, - previousTimestamp, - currentEventId, - previousEventId diff --git a/Solutions/Lookout Cloud Security Platform for Microsoft Sentinel/Parsers/LookoutCSViolations.txt b/Solutions/Lookout Cloud Security Platform for Microsoft Sentinel/Parsers/LookoutCSViolations.txt deleted file mode 100644 index ec15521e4f1..00000000000 --- a/Solutions/Lookout Cloud Security Platform for Microsoft Sentinel/Parsers/LookoutCSViolations.txt +++ /dev/null @@ -1,34 +0,0 @@ -// Usage Instruction : -// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias as LookoutCSViolations. -// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. LookoutCSViolations | take 10). -// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions -LookoutCloudSecurity_CL -| extend timeStamp = timeStamp_t -| extend eventType = eventType_s -| extend actionType = actionType_s -| extend activityType = activityType_s -| extend appName = appName_s -| extend cloudType = column_ifexists('cloudType_s','') -| extend contentName = column_ifexists('contentName_s','') -| extend contentUrl = column_ifexists('contentUrl_s', '') -| extend eventId = eventId_g -| extend externalCollaborators = column_ifexists('externalCollaborators_s', '') -| extend policyName = column_ifexists('policyName_s','') -| extend scanType = column_ifexists('scanType_s', '') -| extend userEmail = column_ifexists('userEmail_s','') -| extend violation = column_ifexists('violation_s','') -| where eventType == 'Violation' -| project timeStamp, - eventType, - actionType, - activityType, - appName, - cloudType, - contentName, - contentUrl, - eventId, - externalCollaborators, - policyName, - scanType, - userEmail, - violation diff --git a/Solutions/Lookout/Parsers/LookoutEvents.txt b/Solutions/Lookout/Parsers/LookoutEvents.txt deleted file mode 100644 index deba30ad567..00000000000 --- a/Solutions/Lookout/Parsers/LookoutEvents.txt +++ /dev/null @@ -1,84 +0,0 @@ -// Usage Instruction : -// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias (e.g. LookoutEvents). -// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. LookoutEvents | take 10). -// References : -// Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions -// Tech Community Blog on KQL Functions : https://techcommunity.microsoft.com/t5/Azure-Sentinel/Using-KQL-functions-to-speed-up-analysis-in-Azure-Sentinel/ba-p/712381 -// -let LookoutEvents_view = view () { - Lookout_CL - | extend - EventVendor="Lookout", - EventProduct="Lookout Sentinel", - EnterpriseName=column_ifexists('enterprise_name_s', ''), - DetailsActivationStatus=column_ifexists('details_activationStatus_s', ''), - DetailsSecurityStatus=column_ifexists('details_securityStatus_s', ''), - DetailsProtectionStatus=column_ifexists('details_protectionStatus_s', ''), - UpdatedDetails=column_ifexists('updatedDetails_s', ''), - DetailsDescription=column_ifexists('details_description_s', ''), - DetailsApplicationName=column_ifexists('details_applicationName_s', ''), - DetailsPackageName=column_ifexists('details_packageName_s', ''), - DetailsPath=column_ifexists('details_path_s', ''), - DetailsFileName=column_ifexists('details_fileName_s', ''), - DetailsPackageSha=column_ifexists('details_packageSha_s', ''), - DetailsAttributeChanges=column_ifexists('details_attributeChanges_s', ''), - Type=column_ifexists('type_s', ''), - ID=column_ifexists('id_s', ''), - EventStartTime=column_ifexists('eventTime_t', ''), - EventEndTime=column_ifexists('eventTime_t', ''), - ChangeType=column_ifexists('changeType_s', ''), - ActorType=column_ifexists('actor_type_s', ''), - ActorId=column_ifexists('actor_id_g', ''), - DetailsType=column_ifexists('details_type_s', ''), - DetailsId=column_ifexists('details_id_g', ''), - DetailsAction=column_ifexists('details_action_s', ''), - DetailsSeverity=column_ifexists('details_severity_s', ''), - DetailsClassifications=column_ifexists('details_classifications_s', ''), - DetailsAssessments=column_ifexists('details_assessments_s', ''), - DetailsPcpReportingReason=column_ifexists('details_pcpReportingReason_s', ''), - DetailsPcpDeviceResponse=column_ifexists('details_pcpDeviceResponse_s', ''), - TargetType=column_ifexists('target_type_s', ''), - TargetId=column_ifexists('target_id_g', ''), - TargetEmailAddress=column_ifexists('target_emailAddress_s', ''), - TargetPlatform=column_ifexists('target_platform_s', ''), - TargetOSVersion=column_ifexists('target_osVersion_s', ''), - TargetManufacturer=column_ifexists('target_manufacturer_s', ''), - TargetModel=column_ifexists('target_model_s', '') - | project - TimeGenerated, - Type, - EnterpriseName, - ID, - EventStartTime, - EventEndTime, - ChangeType, - ActorType, - ActorId, - TargetType, - DetailsSeverity, - DetailsClassifications, - DetailsActivationStatus, - DetailsSecurityStatus, - DetailsProtectionStatus, - UpdatedDetails, - DetailsDescription, - DetailsApplicationName, - DetailsPackageName, - DetailsPath, - DetailsFileName, - DetailsPackageSha, - DetailsAttributeChanges, - DetailsType, - DetailsId, - DetailsAction, - DetailsAssessments, - DetailsPcpReportingReason, - DetailsPcpDeviceResponse, - TargetId, - TargetEmailAddress, - TargetPlatform, - TargetOSVersion, - TargetManufacturer, - TargetModel -}; -LookoutEvents_view diff --git a/Solutions/Morphisec/Parsers/Morphisec b/Solutions/Morphisec/Parsers/Morphisec deleted file mode 100644 index 499482949c2..00000000000 --- a/Solutions/Morphisec/Parsers/Morphisec +++ /dev/null @@ -1,23 +0,0 @@ -// Usage Instruction : -// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias as Morphisec -// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. Morphisec | take 10). -// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions - -CommonSecurityLog -| where DeviceVendor == 'Morphisec' -| extend Start = coalesce( - todatetime(extract("start=([^;]+)",1,AdditionalExtensions)), - todatetime(column_ifexists("StartTime", "")) - ) -, AttackedModule = extract("AttackedModule=([^;]+)",1,AdditionalExtensions) -, MorphisecVersion = extract("MorphisecVersion=([^;]+)",1,AdditionalExtensions) -, AttackName = extract("AttackName=([^;]+)",1,AdditionalExtensions) -, AttackCategory = extract("AttackCategory=([^;]+)",1,AdditionalExtensions) -, Attackdescription = extract("Attackdescription=([^;]+)",1,AdditionalExtensions) -, ProcessSignature = extract("ProcessSignature=([^;]+)",1,AdditionalExtensions) -, ParentSignature = extract("ParentSignature=([^;]+)",1,AdditionalExtensions) -, LastStackFunctionCall = extract("LastStackFunctionCall=([^;]+)",1,AdditionalExtensions) -, LastModuleLoaded = extract("LastModuleLoaded=([^;]+)",1,AdditionalExtensions) -, CommandLine = extract("CommandLine=([^;]+)",1,AdditionalExtensions) -, ParentProcessCommandLine = extract("ParentProcessCommandLine=([^;]+)",1,AdditionalExtensions) -, CodeProcessed = extract("CodeProcessed=([^;]+)",1,AdditionalExtensions) \ No newline at end of file diff --git a/Solutions/NXLogAixAudit/Parsers/NXLog_parsed_AIX_Audit_view.txt b/Solutions/NXLogAixAudit/Parsers/NXLog_parsed_AIX_Audit_view.txt deleted file mode 100644 index 73c75a2fc60..00000000000 --- a/Solutions/NXLogAixAudit/Parsers/NXLog_parsed_AIX_Audit_view.txt +++ /dev/null @@ -1,33 +0,0 @@ -// Usage Instructions: -// Paste the query below into the Log Analytics query editor. -// Click the "Save" button and select "Save as function". -// Enter "NXLog_parsed_AIX_Audit_view" in the "Function name" field. -// For "Legacy category:" enter "AIX Security Audit". -// "Paramters" are not needed. -// Function usually takes 10-15 minutes to activate. -// You can then use this function from any other queries (e.g. NXLog_parsed_AIX_Audit_view | take 10). -// Reference: Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions -let NXLog_parsed_AIX_Audit_view = view () { - AIX_Audit_CL - | project-rename - CommandLine=Command_s, - EventReceivedTime=EventReceivedTime_t, - EventEndTime=EventTime_t, - EventType=EventType_s, - DvcHostname=Hostname_s, - Username=Login_s, - UserId=LoginUID_d, - MessageSourceAddress=MessageSourceAddress_s, - ParentProcessId=ParentPID_d, - ProcessId=PID_d, - RealUsername=Real_s, - RealUserId=RealUID_d, - SourceModuleName=SourceModuleName_s, - SourceModuleType=SourceModuleType_s, - EventResultDetails=Status_d, - Thread=Thread_d, - Verbose=Verbose_s, - WPARkey=WPARkey_d, - WPARname=WPARname_s -}; -NXLog_parsed_AIX_Audit_view(); \ No newline at end of file diff --git a/Solutions/NXLogDnsLogs/Parsers/ASimDnsMicrosoftNXLog.txt b/Solutions/NXLogDnsLogs/Parsers/ASimDnsMicrosoftNXLog.txt deleted file mode 100644 index b2fcbea1508..00000000000 --- a/Solutions/NXLogDnsLogs/Parsers/ASimDnsMicrosoftNXLog.txt +++ /dev/null @@ -1,236 +0,0 @@ -// Usage Instructions: -// Paste the query below into the Log Analytics query editor. -// Click the "Save" button and select "Save as function". -// Enter "ASimDnsMicrosoftNXLog" in the "Function name" field. -// For "Legacy category:" enter "DNS Server logs". -// "Parameters" are not needed. -// Function usually takes 10-15 minutes to activate. -// You can then use this function from any other queries (e.g. ASimDnsMicrosoftNXLog | take 10). -// Reference: Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions -let ASimDnsMicrosoftNXLog = view () { - let EventTypeTable=datatable(EventOriginalType:real,EventType:string)[ - 256, 'Query' - , 257, 'Query' - , 258, 'Query' - , 259, 'Query' - , 260, 'Query' - , 261, 'Query' - , 262, 'Query' - , 263, 'Dynamic update' - , 264, 'Dynamic update' - , 265, 'Zone XFR' - , 266, 'Zone XFR' - , 267, 'Zone XFR' - , 268, 'Zone XFR' - , 269, 'Zone XFR' - , 270, 'Zone XFR' - , 271, 'Zone XFR' - , 272, 'Zone XFR' - , 273, 'Zone XFR' - , 274, 'Zone XFR' - , 275, 'Zone XFR' - , 276, 'Zone XFR' - , 277, 'Dynamic update' - , 278, 'Dynamic update' - , 279, 'Query' - , 280, 'Query' - ]; - let EventSubTypeTable=datatable(EventOriginalType:real,EventSubType:string)[ - 256, 'request' - , 257, 'response' - , 258, 'response' - , 259, 'response' - , 260, 'request' - , 261, 'response' - , 262, 'response' - , 263, 'request' - , 264, 'response' - , 265, 'request' - , 266, 'request' - , 267, 'response' - , 268, 'response' - , 269, 'request' - , 270, 'request' - , 271, 'response' - , 272, 'response' - , 273, 'request' - , 274, 'request' - , 275, 'response' - , 276, 'response' - , 277, 'request' - , 278, 'response' - , 279, 'NA' - , 280, 'NA' - ]; - let EventResultTable=datatable(EventOriginalType:real,EventResult:string)[ - 256, 'NA' - , 257, 'Success' - , 258, 'Failure' - , 259, 'Failure' - , 260, 'NA' - , 261, 'NA' - , 262, 'Failure' - , 263, 'NA' - , 264, 'Based on RCODE' - , 265, 'NA' - , 266, 'NA' - , 267, 'Based on RCODE' - , 268, 'Based on RCODE' - , 269, 'NA' - , 270, 'NA' - , 271, 'Based on RCODE' - , 272, 'Based on RCODE' - , 273, 'NA' - , 274, 'NA' - , 275, 'Success' - , 276, 'Success' - , 277, 'NA' - , 278, 'Based on RCODE' - , 279, 'NA' - , 280, 'NA' - ]; - let RCodeTable=datatable(DnsResponseCode:int,ResponseCodeName:string)[ - 0,'NOERROR' - , 1,'FORMERR' - , 2,'SERVFAIL' - , 3,'NXDOMAIN' - , 4,'NOTIMP' - , 5,'REFUSED' - , 6,'YXDOMAIN' - , 7,'YXRRSET' - , 8,'NXRRSET' - , 9,'NOTAUTH' - , 10,'NOTZONE' - , 11,'DSOTYPENI' - , 16,'BADVERS' - , 16,'BADSIG' - , 17,'BADKEY' - , 18,'BADTIME' - , 19,'BADMODE' - , 20,'BADNAME' - , 21,'BADALG' - , 22,'BADTRUNC' - , 23,'BADCOOKIE' - ]; - let QTypeTable=datatable(DnsQueryType:int,QTypeName:string)[ - 0, 'Reserved' - , 1, 'A' - , 2, 'NS' - , 3, 'MD' - , 4, 'MF' - , 5, 'CNAME' - , 6, 'SOA' - , 7, 'MB' - , 8 ,'MG' - , 9 ,'MR' - , 10,'NULL' - , 11,'WKS' - , 12,'PTR' - , 13,'HINFO' - , 14,'MINFO' - , 15,'MX' - , 16,'TXT' - , 17,'RP' - , 18,'AFSDB' - , 19,'X25' - , 20,'ISDN' - , 21,'RT' - , 22,'NSAP' - , 23,'NSAP-PTR' - , 24,'SIG' - , 25,'KEY' - , 26,'PX' - , 27,'GPOS' - , 28,'AAAA' - , 29,'LOC' - , 30,'NXT' - , 31,'EID' - , 32,'NIMLOC' - , 33,'SRV' - ]; - NXLog_DNS_Server_CL - | where EventID_d < 281 - | project-rename - DnsFlags=Flags_s, - DnsQuery=QNAME_s, - DnsQueryType=QTYPE_s, - DnsResponseCode=RCODE_s, - DnsResponseName=PacketData_s, - Dvc=Hostname_s, - DvcIpAddr=HostIP_s, - EventOriginalType=EventID_d, - EventOriginalUid=GUID_g, - EventStartTime=EventTime_t, - SrcPortNumber=Port_s, - SrcIpAddr=Source_s - | extend - DnsQuery=trim_end(".",DnsQuery), - DnsQueryType=toint(DnsQueryType), - DnsResponseCode=toint(DnsResponseCode), - DvcHostname=Dvc, - EventEndTime=EventStartTime, - EventProduct="Microsoft DNS Server", - EventSchemaVersion="0.1.1", - EventVendor="Microsoft", - NetworkProtocol=iff(TCP_s == "0","UDP","TCP"), - TransactionIdHex=tohex(toint(XID_s)) - | lookup EventTypeTable on EventOriginalType - | lookup EventSubTypeTable on EventOriginalType - | lookup EventResultTable on EventOriginalType - | lookup RCodeTable on DnsResponseCode - | lookup QTypeTable on DnsQueryType - | extend - EventResultDetails = case (isnotempty(ResponseCodeName), ResponseCodeName - , DnsResponseCode between (3841 .. 4095), 'Reserved for Private Use' - , 'Unassigned') - | extend - Domain=DnsQuery, - DnsResponseCodeName=EventResultDetails, - DnsQueryTypeName = case (isnotempty(QTypeName), QTypeName - , DnsQueryType between (66 .. 98), 'Unassigned' - , DnsQueryType between (110 .. 248), 'Unassigned' - , DnsQueryType between (261 .. 32767), 'Unassigned' - , 'Unassigned'), - EventResult=iff (DnsResponseCode == 0 and EventResult == 'Informational','Success',EventResult) - | project-away - AA_s, - AD_s, - AdditionalInfo_s, - BufferSize_s, - AccountName_s, - AccountType_s, - CacheScope_s, - ChannelID_d, - Destination_s, - DNSSEC_s, - Domain_s, - ElapsedTime_s, - EventReceivedTime_t, - EventType_s, - ExecutionProcessID_d, - ExecutionThreadID_d, - InterfaceIP_s, - Keywords_s, - OpcodeValue_d, - PolicyName_s, - ProviderGuid_g, - QXID_s, - RD_s, - Reason_s, - RecursionDepth_s, - RecursionScope_s, - ResponseCodeName, - Scope_s, - Severity_s, - SeverityValue_d, - SourceModuleName_s, - SourceModuleType_s, - SourceName_s, - TaskValue_d, - TCP_s, - UserID_s, - Version_d, - XID_s, - Zone_s -}; -ASimDnsMicrosoftNXLog(); \ No newline at end of file diff --git a/Solutions/Onapsis Platform/Parsers/OnapsisLookup.txt b/Solutions/Onapsis Platform/Parsers/OnapsisLookup.txt deleted file mode 100644 index 682b6044d2e..00000000000 --- a/Solutions/Onapsis Platform/Parsers/OnapsisLookup.txt +++ /dev/null @@ -1,128 +0,0 @@ -// Author: Onapsis -// Version: 1.0 -// Last Updated: 11/18/2020 -// -// DESCRIPTION: -// This lookup table enriches incidents detected by the Onapsis platform by giving them a description and solution. This is used in the Onapsis Alarms Workbook to help Security Analysts understand what they need to do in response to an incident. -// -// USAGE: -// 1. Open Log Analytics/Azure Sentinel Logs blade. Copy the query below and paste into the Logs query window. -// 2. Click the Save button above the query. A pane will appear on the right, select "as Function" from the drop down. Enter a Function Name. -// Set the function alias to incident_lookup so this function can be used in the workbook. -// -// REFERENCES: -// Using functions in Azure monitor log queries: https://docs.microsoft.com/azure/azure-monitor/log-query/functions - -let IncidentLookup = datatable(IncidentName:string, RootCause:string, Solution:string) -[ -"Access to authenticated URL without credentials","This incident triggered because a vulnerable authenticated HANA URL was accessed without credentials. \n\nThe URI is vulnerable because it allows the corresponding (backend) SAP software component to be accessed without providing any credentials. This unauthenticated access provides an attacker with the privilege level of that functionality. The consequences will depend on the associated functionality, but they can range from reading or modifying sensitive data, access to administrative or other privileged functionality, or possibly even execution of arbitrary code.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"Code Injection vulnerability in Visual Composer 04s iViews","This incident triggered because a URI vulnerable to code injection was accessed with malicious looking parameters. \n\nThe vulnerability allows attackers to inject malicious code into the back-end application by sending a web request by means of a specially crafted URL. By fooling end users to access this URL, unwanted applications could potentially be started on the client machine by an attacker, resulting in remote code execution.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"Cross-Site Scripting (XSS) vulnerability in backup function of SAP HANA cockpit","This incident triggered because a URI was accessed which is vulnerable to a Cross-Site Scripting (XSS) attack. \n\nCross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. \n\nAn attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"Dangerous Report Execution","This incident triggered because a vulnerable report was executed. \n\nAn SAP report is an executable program that reads data from the database and generates output based on the filter criteria selected by the end user. \n\nThe fact that a vulnerable report was run may indicate, but not necessarily confirm, that an attacker is abusing the vulnerability.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"Dangerous RFC Execution","This incident triggered because a vulnerable Remote Function Call (RFC) was executed. \n\nA Remote Function Call (RFC) is the call or remote execution of a Remote Function Module in an external system. In the SAP system, these functions are provided by the RFC interface system. The RFC interface system enables function calls between two SAP systems. Communication between applications of different systems in the SAP environment includes connections between SAP systems as well as between SAP systems and non-SAP systems. \n\nThe fact that a vulnerable RFC was performed may indicate, but not necessarily confirm, that an attacker is abusing a vulnerability.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"Dangerous Transaction Execution","This incident triggered because a vulnerable transaction code was executed. \n\nEach function in the SAP system has a transaction code (t-code) associated with it. A transaction code consists of letters, numbers, or both. A transaction code is used to access functions or running programs in the SAP application more rapidly. By entering a t-code instead of using the menu, navigation and execution are combined into a single step. \n\nThe fact that a vulnerable transaction code was run may indicate, but not necessarily confirm, that an attacker is abusing the vulnerability.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"Hardcoded Credential in Report","This incident triggered because a vulnerable report was called with a suspicious username. \n\nA report is a presentation of data in an organized structure. The report interface allows users to call reports from other SAP application components. \n\nIn this case the called report's program code contains a hard-coded credential. By calling the report with the hard-coded username, malicious users can be successfully authenticated and access parts of the systems not intended for them. \n\nThe fact that the report was called with a hard-coded username may indicate, but not necessarily confirm, that an attacker is abusing the vulnerability.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"Host Header injection in SAP HANA","This incident triggered because an URI vulnerable to SQL injection was accessed. \n\nThe vulnerability concerns one of several vulnerabilities in the HANA User Self Service (USS) functionality. Through successful exploitation of these vulnerabilities, an unauthenticated attacker would be able to impersonate other users, even those of high privileged accounts. If exploited, these vulnerabilities allow an attacker, whether inside or outside the organization, to take full control of the SAP HANA platform remotely, without the need of a username and password. This level of access allows an attacker to take over business information and processes supported by HANA. This included creating, stealing, altering, and/or deleting sensitive information. If this risk is exploited, organizations may face severe business consequences. \n","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"Information disclosure using the 'Download Snapshot' service of HANA cockpit for offline administration","This incident triggered because a vulnerable URI was accessed. \n\nBy accessing the URI in a specialized way, an attacker can discover information relating to the system. This information may be used by an attacker to specialize their attack and target security-relevant data. \n\nThe fact that a vulnerable URI was accessed may indicate, but not necessarily confirm, that an attacker is abusing the vulnerability.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"J2EE Invoker Servlet","This incident triggered because the Invoker Servlet was accessed. \n\nThe SAP Java 2 Platform Enterprise Edition (J2EE) Application Server has a wide set of built-in functionality, providing a comprehensive framework of libraries and services to support the development and deployment of Java applications. One of these functionalities is the Invoker Servlet, which is part of the standard J2EE specification of Sun (now Oracle). It was conceived as a rapid development instrument, allowing developers to test their custom Java applications very quickly. \n\nWhen enabled, this feature allows anyone to call specific applications without requiring authentication, which implies a security risk. The Invoker Servlet attack (sometimes referred to as the Invoker Servlet Detour) is the vulnerability caused by the previously mentioned feature and allows remote malicious hackers to bypass authentication mechanisms and perform unauthorized business activities via the vulnerable SAP applications. The potential impact of its exploitation is the complete compromise of the SAP system.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"Missing XML Validation in Composite Application Framework Authorization Tool","This incident triggered because a vulnerable URI was accessed. \n\nThe vulnerable component which is accessed through the URI does not sufficiently validate an XML document coming from a possibly untrusted source. This programming error allows malicious users to submit XML files containing content that can cause harm to the system, for instance by disrupting service(s) or disclosing information that is is intended to remain private. \n\nThe fact that a vulnerable URI was accessed may indicate, but not necessarily confirm, that an attacker is abusing the vulnerability.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"Missing XML Validation vulnerability in TranslationSupport application","This incident triggered because a vulnerable URI was accessed. \n\nThe vulnerable component which is accessed through the URI does not sufficiently validate an XML document coming from a possibly untrusted source. This programming error allows malicious users to submit XML files containing content that can cause harm to the system, for instance by disrupting service(s) or disclosing information that is is intended to remain private. \n\nThe fact that a vulnerable URI was accessed may indicate, but not necessarily confirm, that an attacker is abusing the vulnerability.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"OS Command Injection vulnerability in Report for Terminology Export","This incident triggered because a report vulnerable to OS command injection was accessed. \n\nThe system contains code that permits the execution of (possibly arbitrary) operating system commands of the user's choice. An attacker can therefore control the behavior of the system, or can potentially escalate privileges by executing malicious code, without having their own legitimate credentials.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"Path traversal using the 'Download Snapshot' service of HANA cockpit for offline administration", "This incident triggered because a URI was accessed which is vulnerable to directory traversal. \n\nThe vulnerability allows an attacker to exploit the insufficient validation of path information provided by users, thus characters representing 'traverse to parent directory' are passed through to the file access APIs. This allows a malicious user to potentially read, write and delete arbitrary files on the remote server, possibly disclosing confidential information, corrupting data or altering system behavior. \n","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"Potential Directory Traversal in a UserAdmin Application","This incident triggered because a URI was accessed which is vulnerable to directory traversal. \n\nThe vulnerability allows an attacker to exploit the insufficient validation of path information provided by users, thus characters representing 'traverse to parent directory' are passed through to the file access APIs. This allows a malicious user to potentially read, write and delete arbitrary files on the remote server, possibly disclosing confidential information, corrupting data or altering system behavior. \n","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"Potential Directory Traversal or XML Validation vulnerability in Log Viewer","This incident triggered because a URI was accessed which is vulnerable to directory traversal. \n\nThe vulnerability allows an attacker to exploit the insufficient validation of path information provided by users, thus characters representing 'traverse to parent directory' are passed through to the file access APIs. This allows a malicious user to potentially read, write and delete arbitrary files on the remote server, possibly disclosing confidential information, corrupting data or altering system behavior. \n","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"Potential execution of buffer overflow attack in EXECUTE_SEARCH_RULESET stored procedure","This incident triggered because a stored procedure containing a buffer overflow vulnerability was called. \n\nA stored procedure is prepared SQL code that can be called and therefore reused repeatedly on the system. A remote authenticated attacker could exploit a vulnerability existing in a stored procedure by overwriting the memory buffer out of its bounds, thereby rendering the SAP HANA Platform unavailable to other users until the next process restart.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"Potential exploitation of Buffer overflow vulnerability with a long username to SAP HANA","This incident triggered because a vulnerable URI was accessed. \n\nBy accessing the URI in a specialized way, an attacker can overwrite the memory buffer of the system. By doing this, the attacker can access and/or manipulate parts of system that should be restricted. This can allow the attacker to execute malicious code or cause the system to crash. \n\nThe fact that a vulnerable URI was accessed may indicate, but not necessarily confirm, that an attacker is abusing the vulnerability.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"Potential information disclosure relating to Real Time Collaboration Chat","This incident triggered because a vulnerable Web Dynpro URI was accessed. \n\nWeb Dynpro is the SAP standard UI technology for developing web applications in the ABAP environment. Certain components of Web Dynpro have been found to be vulnerable. By approaching Web Dynpro through certain URI's attackers can access information which should otherwise be restricted. \n\nThe fact that a vulnerable Web Dynpro URI was accessed may indicate, but not necessarily confirm, that an attacker is abusing the vulnerability.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"Potential information disclosure relating to Transaction SCI (Code Inspector)","This incident triggered because a vulnerable URI was accessed. \n\nBy accessing the URI in a specialized way, an attacker can discover information relating to the system. This information may be used by an attacker to specialize their attack and target security-relevant data. \n\nThe fact that a vulnerable URI was accessed may indicate, but not necessarily confirm, that an attacker is abusing the vulnerability.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"Potential log injection in SAP HANA","This incident triggered because an attempt to exploit a log injection vulnerability was detected. \n\nDuring an attempted user login an attacker can inject information into the system log. Inserting events into the log could disrupt (forensic) analysis of the log or otherwise cause confusion.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"Potential Log injection in SAP HANA XS","This incident triggered because a vulnerable URI was accessed. \n\nBy accessing the URI in a specialized way, an attacker can inject information into the system log. Inserting events into the log could disrupt (forensic) analysis of the log or otherwise cause confusion. \n\nThe fact that a vulnerable URI was accessed may indicate, but not necessarily confirm, that an attacker is abusing the vulnerability.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"Potential modif./disclosure of persisted data in BC-ESI-UDDI","This incident triggered because a URI was accessed which is vulnerable to a Cross-Site Scripting (XSS) attack. \n\nCross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. \n\nAn attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"Potential XSRF attack","This incident triggered because a URI vulnerable to Cross-site Request Forgery (XSRF) was accessed. \n\nEnd users may be fooled by an attacker to access a specially crafted URL, consisting of the vulnerable URL with certain added parameters. If they do, certain system functions may be executed with the executing user's rights. \n","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"Potential XSS attack","This incident triggered because a URI was accessed which is vulnerable to a Cross-Site Scripting (XSS) attack. \n\nCross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. \n\nAn attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"Potential XSS attack in PI Message Display Tool","This incident triggered because a URI was accessed which is vulnerable to a Cross-Site Scripting (XSS) attack. \n\nCross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. \n\nAn attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"PotentialXXE vulnerability in SAP UDDI","This incident triggered because a URI with an XML eXternal Entity type vulnerability was accessed. \n\nUntrusted XML input parsing is possible in SAP UDDI (Universal Description, Discovery and Integration). The vulnerability allows a malicious user to send specially crafted XML content to perform a Denial of Service or retrieve data from the affected SAP System..","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"Reflected File Download attempt in AFPServlet","This incident triggered because a URI vulnerable to Reflected File Download attacks was accessed with malicious looking parameters. \n\nThe vulnerability allows attackers to inject malicious code into a specially crafted URL. By fooling end users to access this URL, a seemingly trusted file is offered for download coming from a trusted domain. Once downloaded and opened by the client, unwanted applications could potentially be started on the client machine by an attacker, resulting in remote code execution.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"SAP HANA Daemon Execution of Administrative Method","This incident triggered because a vulnerable HANA daemon administrative method was executed. \n\nThe daemon service in a SAP HANA landscape is used to start, stop and restart all SAP HANA services. It was reported by SAP that communication encryption was not being enabled for the daemon service on unpatched systems. This means potential attackers could cause denial of service by stopping/restarting the instance if they either gain access to the operating system of the SAP HANA system with an authorized user or can access the network configured for SAP HANA internal network configuration. \n\nThe fact that a vulnerable HANA daemon administrative method was executed may indicate, but not necessarily confirm, that an attacker is abusing the vulnerability.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"SAP HANA global.ini settings SQL Injection","This incident triggered because a URI was accessed which is vulnerable to an SQL-injection attack. \n\nThe vulnerability allows an attacker to execute crafted database queries, giving him the ability to execute admin level operations on database and thereby exposing the backend database. Some well-known effects of an SQL injection vulnerability are the ability to read, modify or delete sensitive data from the database. \n","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"SAP HANA User Self Service SQL Injection in ACTIVATE USER query","This incident triggered because an URI vulnerable to SQL injection was accessed. \n\nThe vulnerability concerns one of several vulnerabilities in the HANA User Self Service (USS) functionality. Through successful exploitation of these vulnerabilities, an unauthenticated attacker would be able to impersonate other users, even those of high privileged accounts. If exploited, these vulnerabilities allow an attacker, whether inside or outside the organization, to take full control of the SAP HANA platform remotely, without the need of a username and password. This level of access allows an attacker to take over business information and processes supported by HANA. This included creating, stealing, altering, and/or deleting sensitive information. If this risk is exploited, organizations may face severe business consequences. \n","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"SAP HANA User Self Service SQL Injection in SET PASSWORD query","This incident triggered because a URI was accessed which is vulnerable to an SQL-injection attack. \n\nThe vulnerability allows an attacker to execute crafted database queries, giving him the ability to execute admin level operations on database and thereby exposing the backend database. Some well-known effects of an SQL injection vulnerability are the ability to read, modify or delete sensitive data from the database. \n","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"SAP J2EE Verb tampering","This incident triggered because a vulnerable URI was accessed with an unexpected HTTP method. \n\nThe HTTP specification includes request methods other than the standard GET and POST requests. A standards compliant web server may respond to these alternative methods (verbs) in ways not anticipated by developers. An attacker may subsequently leverage these methods for malicious objectives, for example by obtaining unauthorized access to restricted resources from arbitrary network locations. \n\nCertain URI's have been found to be vulnerable to these verb tampering attacks.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"Security vulnerabilities in an ICF service belonging to SAP ITS Mobile","This incident triggered because a URI was accessed which is vulnerable to a Cross-Site Scripting (XSS) attack. \n\nCross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. \n\nAn attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"Successful login of EARLYWATCH user using default password","This incident triggered because a successful login of a privileged user with a default password was detected. \n\nCertain users in the system may be configured with a default well-known password. This situation allows a remote unauthorized party to access the SAP system with high privileges and perform sensitive business and technical operations.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"Successful login with DDIC user using default password","This incident triggered because a successful login of a privileged user with a default password was detected. \n\nCertain users in the system may be configured with a default well-known password. This situation allows a remote unauthorized party to access the SAP system with high privileges and perform sensitive business and technical operations.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"Successful login with SAPCPIC user using default password","This incident triggered because a successful login of a privileged user with a default password was detected. \n\nCertain users in the system may be configured with a default well-known password. This situation allows a remote unauthorized party to access the SAP system with high privileges and perform sensitive business and technical operations.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"Successful login, via RFC, with TMSADM user using default password","This incident triggered because a successful login of a privileged user with a default password was detected. \n\nCertain users in the system may be configured with a default well-known password. This situation allows a remote unauthorized party to access the SAP system with high privileges and perform sensitive business and technical operations.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"System Landscape Directory Information Disclosure","This incident triggered because a vulnerable Web Dynpro URI was accessed. \n\nWeb Dynpro is the SAP standard UI technology for developing web applications in the ABAP environment. Certain components of Web Dynpro have been found to be vulnerable. By approaching Web Dynpro through certain URI's attackers can access information which should otherwise be restricted. \n\nThe fact that a vulnerable Web Dynpro URI was accessed may indicate, but not necessarily confirm, that an attacker is abusing the vulnerability.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"TrexNet Method Execution From Untrusted Host","This incident triggered because a TrexNet method was executed from a possibly untrusted host \n\nUsing the multiple methods available in the TrexNet protocol, a remote unauthenticated attacker could execute arbitrary operating system commands, python modules, read, write and delete files and directories, read environment information and also completely shut down the SAP HANA instance. Furthermore, the attacker could send TMS queries to the NameSever component, which could allow him to retrieve technical information about the remote system such as configuration files. \n\nAlthough OSP cannot determine if the host is malicious or not, it is important to validate its origin and purpose.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"Web Dynpro JAVA Guided Procedures Information Disclosure","This incident triggered because a vulnerable Web Dynpro URI was accessed. \n\nWeb Dynpro is the SAP standard UI technology for developing web applications in the ABAP environment. Certain components of Web Dynpro have been found to be vulnerable. By approaching Web Dynpro through certain URI's attackers can access information which should otherwise be restricted. \n\nThe fact that a vulnerable Web Dynpro URI was accessed may indicate, but not necessarily confirm, that an attacker is abusing the vulnerability.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"XSS in Enterprise Portal - GenericSemanticTest component","This incident triggered because a URI was accessed which is vulnerable to a Cross-Site Scripting (XSS) attack. \n\nCross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. \n\nAn attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"XSS in LogPortalComponent","This incident triggered because a URI was accessed which is vulnerable to a Cross-Site Scripting (XSS) attack. \n\nCross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. \n\nAn attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"XSS in NavigationRequestSniffer","This incident triggered because a URI was accessed which is vulnerable to a Cross-Site Scripting (XSS) attack. \n\nCross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. \n\nAn attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"XSS in NavigationURLTester","This incident triggered because a URI was accessed which is vulnerable to a Cross-Site Scripting (XSS) attack. \n\nCross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. \n\nAn attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"XSS in Notification Topic Creation","This incident triggered because a URI was accessed which is vulnerable to a Cross-Site Scripting (XSS) attack. \n\nCross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. \n\nAn attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"XSS in PI Message Display Tool","This incident triggered because a URI was accessed which is vulnerable to a Cross-Site Scripting (XSS) attack. \n\nCross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. \n\nAn attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"XSS in SAP Java Web Application saml2_sp","This incident triggered because a URI was accessed which is vulnerable to a Cross-Site Scripting (XSS) attack. \n\nCross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. \n\nAn attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"XSS in SAP NetWeaver Central Technical Configuration","This incident triggered because a URI was accessed which is vulnerable to a Cross-Site Scripting (XSS) attack. \n\nCross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. \n\nAn attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"XSS in SAP NetWeaver Composite Application Framework and Business Warehouse Test Integration","This incident triggered because a URI was accessed which is vulnerable to a Cross-Site Scripting (XSS) attack. \n\nCross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. \n\nAn attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"XSS in SAP NetWeaver Java Archiving Framework","This incident triggered because a URI was accessed which is vulnerable to a Cross-Site Scripting (XSS) attack. \n\nCross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. \n\nAn attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"XSS in SAP Netweaver Portal Error section","This incident triggered because a URI was accessed which is vulnerable to a Cross-Site Scripting (XSS) attack. \n\nCross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. \n\nAn attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"XSS in UpdateVersionPortalComponent","This incident triggered because a URI was accessed which is vulnerable to a Cross-Site Scripting (XSS) attack. \n\nCross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. \n\nAn attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"Access to SOAP RFC service","This incident gets triggered when OSP detects users attempting to access the SOAP RFC service. The SOAP RFC service has been marked as dangerous by SAP and should be deactivated.","Disable the SOAP RFC service in transaction SICM if not required.", -"Assignment of S_DEVELOP authorization object to single role","This incident gets triggered when OSP detects the assignment of S_DEVELOP authorization object. Using this object, you can assign access authorizations for all the workbench components. This should never occur on production systems","1. Remove the S_DEVELOP privilege from the user. 2. Analyze SAP logs to verify that any actions performed by that user are legitimate. 3. Investigate who assigned that privilege to the user and why.", -"Assignment of SAP_ALL profile to user","This incident gets triggered when OSP detects the assignment of SAP_ALL profile to a user. This should happen only under extraordinary circumstances.","1. Remove the SAP_ALL privilege from the user. 2. Analyze SAP logs to verify that any actions performed by that user are legitimate. 3. Investigate who assigned that privilege to the user and why.", -"Dangerous execution of j2ee CTC servlet administrative method","This incident gets triggered when OSP detects potentially dangerous administrative requests being made to Central Technical Configuration servlet.","Work with the BASIS team to prioritize applying the applicable note.", -"Potential exploitation of Buffer overflow vulnerability with a long username","This incident gets triggered when OSP detects an attacker using HTTP buffer overrun authentication request that attempts to exploit a vulnerability in SAP HANA.","Work with the BASIS team to prioritize applying the applicable note.", -"Potential information disclosure trough SQL command IMPORT FROM","This incident gets triggered when OSP detects a SQL IMPORT FROM command that could result in being able to gain unauthorized access to data.","Work with the BASIS team to prioritize applying the applicable note.", -"Potential untrusted application server registered in the SAP Message Server","This incident gets triggered when OSP detects the registration of an unknown application server in the SAP Message Server. This should happen only under extraordinary circumstances.","Make sure your Message Server ACL is properly configured. The path of the ACL file can be found in profile parameter ms/acl info. Make sure the SAP Message Server internal port is only accessible from the corresponding sources.", -"Registering of Potential Dangerous RFC Server","This incident gets triggered when OSP detects the registration of sensitive programs in the SAP Gateway. These programs should never be accessed over RFC.","Make sure your reg info ACL is properly configured. The path of the ACL file can be found in profile parameter gw/reg_info. Make sure the registered server is only accessible from the corresponding sources.", -"Starting of Potentially dangerous RFCEXEC server from untrusted host","This incident gets triggered when OSP detects execution of RFCEXEC from a remote machine.","Make sure your sec_info ACL is properly configured. The path of the ACL file can be found in parameter gw/sec_info. Make sure the program can only be executed from the corresponding sources.", -"Starting of Potentially dangerous SAPXPG server from untrusted host","This incident gets triggered when OSP detects execution of SAPXGP from a remote machine.","Make sure your sec_info ACL is properly configured. The path of the ACL file can be found in parameter gw/sec_info Make sure the program can only be executed from the corresponding sources.", -"Successful login via RFC with SAP* user and default password","This incident gets triggered when OSP detects an RFClogin by the SAP* user using the default password. SAP* is a default user with SAP_ALL authorizations.","1. Create a super user with SAP_ALL and make sure it has a secret strong password. 2. Create user SAP* without any privileges, assign it to group SUPER. 3. Block the user SAP*. 4. Change parameter login/no_automatic_user_sapstar to 1.", -"Successful login with (SAP*:PASS) in a client with users already configured","This incident gets triggered when OSP detects a login by the SAP* user using the default password. SAP* is a default user with SAP_ALL authorizations.","1. Create a super user with SAP_ALL and make sure it has a secret strong password. 2. Create user SAP* without any privileges, assign it to group SUPER. 3. Block the user SAP*. 4. Change parameter login/no_automatic_user_sapstar to 1.", -"Successful login with (SAP*:PASS) in a client without users configured","This incident gets triggered when OSP detects a login by the SAP* user using the default password. SAP* is a default user with SAP_ALL authorizations.","1. Create a super user with SAP_ALL and make sure it has a secret strong password. 2. Create user SAP* without any privileges, assign it to group SUPER. 3. Block the user SAP*. 4. Change parameter login/no_automatic_user_sapstar to 1.", -"Successful login with SAP* user and a non-default password","This incident gets triggered when OSP detects a login by the SAP* user using a non-default password. SAP* is a default user with SAP_ALL authorizations.","1. Create a super user with SAP_ALL and make sure it has a secret strong password 2. Create user SAP* without any privileges, assign it to group SUPER. 3. Block the user SAP*. 4. Change parameter login/no_automatic_user_sapstar to 1.", -"Unlocking of User DDIC","This incident gets triggered when OSP detects the DDIC user account being unlocked. DDIC is a default user with high privilege authorizations.","1. Lock the DDIC user account. 2. Analyze SAP logs to verify that any actions performed by that user are legitimate.", -"Unlocking of User EARLYWATCH","This incident gets triggered when OSP detects the EARLYWATCH user account being unlocked. EARLYWATCH is a default user with high privileges.","1. Lock the EARLYWATCH user account. 2. Analyze SAP logs to verify that any actions performed by that user are legitimate.", -"Unlocking of User SAP*","This incident gets triggered when OSP detects the SAP* user account being unlocked. SAP* is a default user with SAP_ALL authorizations.","Block the SAP* user. If necessary, use the corresponding emergency super user.", -"User SAP* deleted and profile parameter login/no_automatic_sap_star set to 0","This incident gets triggered when OSP detects the SAP* deleted while a profile parameter preventing login with the default password is disabled. In this case, if the user master record of the user SAP* is deleted, it is possible to log on with SAP* using the default password.","1. Create an emergency super user with SAP_ALL and make sure it has a secret strong password. 2. Create user SAP* without any privileges, assign it to group SUPER. 3. Block the user SAP*. 4. Change parameter login/no_automatic_user_sapstar to 1.", -"10KBLAZE Public Exploit Used to Started SAPXPG server","This incident gets triggered when OSP detects execution of SAPXGP from a remote machine.","Make sure your sec_info ACL is properly configured. The path of the ACL file can be found in parameter gw/sec_info Make sure the program can only be executed from the corresponding sources.", -"Assignment of high privilege profile to user","This incident gets triggered when OSP detects the addition of high privileges to an SAP users. This is an unusual administrative activity that needs follow up","Follow up with the triggering user to understand the business intent of the change", -"Assignment of SAP_NEW profile to user","This incident gets triggered when OSP detects the addition of high privileges to an SAP users. This is an unusual administrative activity that needs follow up","Follow up with the triggering user to understand the business intent of the change", -"Attempt to disable authorization objects globally","This incident gets triggered when OSP detects an attempt to change a critical SAP parameter that could be used to elevate privileges. This is an unusual administrative activity that needs follow up","Follow up with the triggering user to understand the business intent of the change", -"Attempt to set insecure configuration blocked","This incident gets triggered when OSP detects a user trying to change a critical configuration that the organization is protecting using Onapsis Enforce and Protect","Follow up with the triggering user to understand the business intent of the change", -"Deactivation of Security Audit Log (SAL) in SAP system","This incident gets triggered when OSP detects an attempt to change a critical SAP parameter that could be used by an attacker to evade detection. This is an unusual administrative activity that needs follow up","Follow up with the triggering user to understand the business intent of the change", -"Debugging in non-production system by a non-developer user","This incident gets triggered when OSP detects a non developer SAP user activating debug - this could be used by an attacker as reconaissance for an attack. This is an unusual administrative activity that needs follow up","Follow up with the triggering user to understand the business intent of the change", -"Debugging in production system","This incident gets triggered when OSP detects an SAP user activating debug in a production system - this could be used by an attacker as reconaissance for an attack. This is an unusual developer activity that needs follow up","Follow up with the triggering user to understand the business intent of the change", -"Field content changed in debugging in production system","This incident gets triggered when OSP detects an SAP user activating debug in a production system - this could be used by an attacker as reconaissance for an attack. This is an unusual developer activity that needs follow up","Follow up with the triggering user to understand the business intent of the change", -"Jump to ABAP debugging in production system","This incident gets triggered when OSP detects an SAP user activating debug in a production system - this could be used by an attacker as reconaissance for an attack. This is an unusual developer activity that needs follow up","Follow up with the triggering user to understand the business intent of the change", -"Non existing users login failed","This inincdent gets triggered when OSP detects a new SAP user failing t logon to the system. This could be indicative of an attacker trying to take advantage of administrative process failures","Follow up with the triggering user to understand the business intent of the activity", -"OSP Unauthenticated Scan or Audit Started RFCEXEC server","This incident gets triggered when OSP detects execution of RFCEXEC as part of an Onapsis Security Platform unauthenticated scan","Make sure your sec_info ACL is properly configured. The path of the ACL file can be found in parameter gw/sec_info. Make sure the program can only be executed from the corresponding sources.", -"OSP Unauthenticated Scan or Audit Started SAPXPG server","This incident gets triggered when OSP detects execution of SAPXPG from as part of an Onapsis Security Platform unauthenticated scan.","Make sure your sec_info ACL is properly configured. The path of the ACL file can be found in parameter gw/sec_info. Make sure the program can only be executed from the corresponding sources.", -"Parameter set to an insecure configuration","This incident gets triggered when OSP detects a user changing a critical configuration that the organization is monitoring using Onapsis Enforce and Protect","Follow up with the triggering user to understand the business intent of the change", -"Parameter set to an insecure configuration approved by OSP User","This incident gets triggered when OSP detects an approved user changing a critical configuration that the organization is monitoring using Onapsis Enforce and Protect","Follow up with the triggering user to understand the business intent of the change", -"Removed standard user from SUPER group","This incident gets triggered when OSP detects the removal of a user from a highly privileged group. This is an unusual administrative activity that needs follow up","Follow up with the triggering user to understand the business intent of the change", -"Successful login of a Solution Manager default user with standard password","This incident gets triggered when OSP login to a crtiical SAP administrative function using a default user with a default password. This is an unusual administrative activity that needs follow up. Also review processes around disabling and changing default users and passwords","Follow up with the triggering user to understand the business intent of the activity", -"Successful login of a user with SAP_ALL profile in production client","This incident gets triggered when OSP login to an SAP production system by a highly privileged user. This is an unusual administrative activity that needs follow up. Also review processes around disabling and changing default users and passwords","Follow up with the triggering user to understand the business intent of the activity", -"XSS in Java Web Application tc~sec~saml~ssodemoapp","This incident triggered because a URI was accessed which is vulnerable to a Cross-Site Scripting (XSS) attack.\n\nCross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. \n\nAn attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"XSS in SAP Netweaver Portal Download section","This incident triggered because a URI was accessed which is vulnerable to a Cross-Site Scripting (XSS) attack.\n\nCross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. \n\nAn attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.", -"Onapsis OSP_Test for ACD (Authorization Change Documents) extractor validation","This is a test rule."," Take no action.", -"Onapsis OSP_Test for HANA - Audit Trail extractor validation","This is a test rule."," Take no action.", -"Onapsis OSP_Test for HANA - HTTP Access Log extractor validation","This is a test rule."," Take no action.", -"Onapsis OSP_Test for ICM Access Log extractor validation","This is a test rule."," Take no action.", -"Onapsis OSP_Test for JAVA_HTTP extractor validation","This is a test rule."," Take no action.", -"Onapsis OSP_Test for login extraction from SAL","This is a test rule."," Take no action.", -"Onapsis OSP_Test for Message Server (MsgServer) extractor validation","This is a test rule."," Take no action.", -"Onapsis OSP_Test for STAD extractor validation","This is a test rule."," Take no action.", -"Onapsis Zero Day Incident test rule","This is a test rule."," Take no action.", -"OP_Shipped_Sec_SAP_ALL / SAP_NEW assigned","This alarm, provided by Onapsis, alerts when SAP_ALL or SAP_NEW user is assigned. SAP_ALL/SAP_NEW are highly privileged roles within an SAP System and should be managed with the utmost care.","Follow up with the user specified in the alarm to understand the business intent behind this action.", -"OP_Shipped_Sec_ABAP T-Code Permission Denied","This alarm, provided by Onapsis, alerts when transaction SU01 has been denied. SU01 is an SAP transaction for managing users and profiles. Someone trying and failing to use this transaction could be indicative of an attacker trying to gain high privilege within the system.","Follow up with the user specified in the alarm to understand the business intent behind this action.", -"OP_Shipped_Sec_Attempt to Open Client","This alarm, provided by Onapsis, alerts when there was an attempt to open client. A client is an independent logical database that stores all the business database separately. Any major system change needs to be monitored carefully.","Follow up with the user specified in the alarm to understand the business intent behind this action.", -"OP_Shipped_Sec_Attempt to Close Client","This alarm, provided by Onapsis, alerts when there was an attempt to close client. A client is an independent logical database that stores all the business database separately. Any major system change needs to be monitored carefully.","Follow up with the user specified in the alarm to understand the business intent behind this action.", -"OP_Shipped_Sec_RFC Destination Deleted","This alarm, provided by Onapsis, alerts when an RFC Destination is deleted. RFC Destination is connectivity between SAP and an internal/external system. These systems are often sources of attacks, and changes should be monitored carefully.","Follow up with the user specified in the alarm to understand the business intent behind this action.", -"OP_Shipped_Sec_RFC Destination Created","This alarm, provided by Onapsis, alerts when an RFC Destination is created. RFC Destination is connectivity between SAP and an internal/external system. These systems are often sources of attacks, and changes should be monitored carefully.","Follow up with the user specified in the alarm to understand the business intent behind this action.", -"OP_Shipped_Sec_RFC Destination Changed","This alarm, provided by Onapsis, alerts when an RFC Destination is changed. RFC Destination is connectivity between SAP and an internal/external system. These systems are often sources of attacks, and changes should be monitored carefully.","Follow up with the user specified in the alarm to understand the business intent behind this action.", -"OP_Shipped_Sec_Deletion of a T-Code","This alarm, provided by Onapsis, alerts when a transaction code is deleted. Transaction code is a command, and each function in SAP has an associated transaction code. By cloning transaction codes, you can evade detection. These changes should be monitored carefully.","Follow up with the user specified in the alarm to understand the business intent behind this action.", -"OP_Shipped_ Sec_Changes/Creation_of_T-Code","This alarm, provided by Onapsis, alerts when a transaction code is changed. Transaction code is a command, and each function in SAP has an associated transaction code. By cloning transaction codes, you can evade detection. These changes should be monitored carefully.","Follow up with the user specified in the alarm to understand the business intent behind this action." -]; -IncidentLookup \ No newline at end of file diff --git a/Solutions/Semperis Directory Services Protector/Parsers/dsp_parser.txt b/Solutions/Semperis Directory Services Protector/Parsers/dsp_parser.txt deleted file mode 100644 index 254e1eccce3..00000000000 --- a/Solutions/Semperis Directory Services Protector/Parsers/dsp_parser.txt +++ /dev/null @@ -1,53 +0,0 @@ -// Title: Semperis Directory Services Protector (DSP) Data Parser -// Author: Semperis -// Version: 1.0 -// Last Updated: 04/14/2021 -// Comment: version 1.0 -// -// DESCRIPTION: -// This parser takes Semperis DSP Windows event logs from the relevant connector's data stream and parses the data into a normalized schema -// -// USAGE: -// 1. Open Log Analytics/Azure Sentinel Logs blade. Copy the query below and paste into the Logs query window. -// 2. Click the Save button above the query. A pane will appear on the right, select "as Function" from the drop down. Enter a Function Name. -// In order for the Semperis DSP Windows Event logs to work with pre-built queries and workbooks the Function Alias must be set to - dsp_parser -// 3. Function App usually take 5-10 minutes to activate. You can then use Function Alias for other queries -// -// -// REFERENCE: -// Using functions in Azure monitor log queries: https://docs.microsoft.com/azure/azure-monitor/log-query/functions -// -// -Event -| where Source == "Semperis-DSP-Security" -| where EventID in ("9211","9212","9208") -| parse EventData with - '' DSPData '' -| parse DSPData with - * - '' FirstFound '' - * -| parse DSPData with - '' GenerationTime '' - '' SecurityIndicatorName '' - '' Result '' - * - '' Score '' - '' ForestName '' - '' Domains '' - '' Severity '' - '' Weight '' - '' SecurityFrameworkTags '' - '' SecurityIndicatorDescription '' - '' LikelihoodOfCompromise '' - '' ResultMessage '' - '' NumberOfResults '' - '' Remediation '' - '' Schedule '' - * -| extend SecurityFrameworkTagsCsv = replace(@' Mitre:', @'', tostring(SecurityFrameworkTags)) -| extend SecurityFrameworkTagsCsv = replace(@'Mitre:', @'', tostring(SecurityFrameworkTagsCsv)) -| extend SecurityFrameworkTags = replace(@'Mitre:', @'', tostring(SecurityFrameworkTags)) diff --git a/Solutions/TenableIO/Parsers/TenableIOAssets.txt b/Solutions/TenableIO/Parsers/TenableIOAssets.txt deleted file mode 100644 index cfb55fae6ed..00000000000 --- a/Solutions/TenableIO/Parsers/TenableIOAssets.txt +++ /dev/null @@ -1,125 +0,0 @@ -// Usage Instruction : -// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias as TenableIOAssets. -// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. TenableIOAssets | take 10). -// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions - -Tenable_IO_Assets_CL -| extend - EventVendor="TenableIO", - EventProduct="Assets", - EventType='AssetExport', - AgentName=column_ifexists('agent_names_s', ''), - AgentUUID=column_ifexists('agent_uuid_g', ''), - AWSAvailabilityZone=column_ifexists('aws_availability_zone_s', ''), - AWSEC2InstanceAMI=column_ifexists('aws_ec2_instance_ami_id_s', ''), - AWSEC2InstanceGroupName=column_ifexists('aws_ec2_instance_group_name_s', ''), - AWSEC2InstanceID=column_ifexists('aws_ec2_instance_id_s', ''), - AWSEC2InstanceStateName=column_ifexists('aws_ec2_instance_state_name_s', ''), - AWSEC2InstanceType=column_ifexists('aws_ec2_instance_type_s', ''), - AWSOwnerID=column_ifexists('aws_owner_id_s', ''), - AWSRegion=column_ifexists('aws_region_s', ''), - AWSSubnetID=column_ifexists('aws_subnet_id_s', ''), - AWSVPCID=column_ifexists('aws_vpc_id_s', ''), - AzureResourceID=column_ifexists('azure_resource_id_s', ''), - AzureVMID=column_ifexists('azure_vm_id_g', ''), - BIOSUUID=strcat(bios_uuid_g, bios_uuid_s), - Computer=column_ifexists('Computer', ''), - CreatedAtTime=column_ifexists('created_at_t', ''), - DeletedAtTime=column_ifexists('deleted_at_t', ''), - DeletedBy=column_ifexists('deleted_by_g', ''), - FirstScanTime=column_ifexists('first_scan_time_t', ''), - FirstSeen=column_ifexists('first_seen_t', ''), - FQDNs=column_ifexists('fqdns_s', ''), - GCPInstanceID=column_ifexists('gcp_instance_id_s', ''), - GCPProjectID=column_ifexists('gcp_project_id_s', ''), - GCPZone=column_ifexists('gcp_zone_s', ''), - HasAgent=column_ifexists('has_agent_b', ''), - HasPluginResults=column_ifexists('has_plugin_results_b', ''), - ID=column_ifexists('id_g', ''), - InstalledSoftware=column_ifexists('installed_software_s', ''), - IPV4s=column_ifexists('ipv4s_s', ''), - IPV6s=column_ifexists('ipv6s_s', ''), - LastAuthenticatedScanDate=column_ifexists('last_authenticated_scan_date_t', ''), - LastLicensedScanDate=column_ifexists('last_licensed_scan_date_t', ''), - LastScanID=strcat(last_scan_id_g, last_scan_id_s), - LastScanDate=column_ifexists('last_scan_time_t', ''), - LastScheduleID=column_ifexists('last_schedule_id_s', ''), - LastSeenDate=column_ifexists('last_seen_t', ''), - MACAddresses=column_ifexists('mac_addresses_s', ''), - ManufacturerTPMIDs=column_ifexists('manufacturer_tpm_ids_s', ''), - NetBIOSNames=column_ifexists('netbios_names_s', ''), - NetworkID=column_ifexists('network_id_g', ''), - NetworkInterfaces=column_ifexists('network_interfaces_s', ''), - NetworkName=column_ifexists('network_name_s', ''), - OperatingSystems=column_ifexists('operating_systems_s', ''), - QualysAssetIDs=column_ifexists('qualys_asset_ids_s', ''), - QualysHostIDs=column_ifexists('qualys_host_ids_s', ''), - ServiceNowSysID=column_ifexists('servicenow_sysid_g', ''), - Sources=column_ifexists('sources_s', ''), - SSHFingerprints=column_ifexists('ssh_fingerprints_s', ''), - SymantecEPHardwareKeys=column_ifexists('symantec_ep_hardware_keys_s', ''), - SystemTypes=column_ifexists('system_types_s', ''), - Tags=column_ifexists('tags_s', ''), - TerminatedAt=column_ifexists('terminated_at_t', ''), - TerminatedBy=column_ifexists('terminated_by_s', ''), - UpdatedAt=column_ifexists('updated_at_t', '') -| project - FQDNs, - AzureResourceID, - AzureVMID, - OperatingSystems, - IPV4s, - NetworkName, - InstalledSoftware, - FirstSeen, - LastSeenDate, - FirstScanTime, - LastScanDate, - LastAuthenticatedScanDate, - LastLicensedScanDate, - HasPluginResults, - HasAgent, - TimeGenerated, - EventVendor, - EventProduct, - EventType, - AgentName, - AgentUUID, - AWSAvailabilityZone, - AWSEC2InstanceAMI, - AWSEC2InstanceGroupName, - AWSEC2InstanceID, - AWSEC2InstanceStateName, - AWSEC2InstanceType, - AWSOwnerID, - AWSRegion, - AWSSubnetID, - AWSVPCID, - BIOSUUID, - Computer, - CreatedAtTime, - DeletedAtTime, - DeletedBy, - GCPInstanceID, - GCPProjectID, - GCPZone, - ID, - IPV6s, - LastScanID, - LastScheduleID, - MACAddresses, - ManufacturerTPMIDs, - NetBIOSNames, - NetworkID, - NetworkInterfaces, - QualysAssetIDs, - QualysHostIDs, - ServiceNowSysID, - Sources, - SSHFingerprints, - SymantecEPHardwareKeys, - SystemTypes, - Tags, - TerminatedAt, - TerminatedBy, - UpdatedAt \ No newline at end of file diff --git a/Solutions/TenableIO/Parsers/TenableIOVulnerabilities.txt b/Solutions/TenableIO/Parsers/TenableIOVulnerabilities.txt deleted file mode 100644 index 38098e8a9f2..00000000000 --- a/Solutions/TenableIO/Parsers/TenableIOVulnerabilities.txt +++ /dev/null @@ -1,215 +0,0 @@ -// Usage Instruction : -// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias as TenableIOVulnerabilities. -// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. TenableIOVulnerabilities | take 10). -// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions -Tenable_IO_Vuln_CL -| extend - EventVendor="TenableIO", - EventProduct="Vulnerabilities", - EventType='VulnerabilityExport', - AssetAgentUUID=column_ifexists('asset_agent_uuid_g', ''), - AssetBIOSUUID=column_ifexists('asset_bios_uuid_g', ''), - AssetDeviceType=column_ifexists('asset_device_type_s', ''), - AssetFQDN=column_ifexists('asset_fqdn_s', ''), - AssetHostname=column_ifexists('asset_hostname_s', ''), - AssetIPV4=column_ifexists('asset_ipv4_s', ''), - AssetIPV6=column_ifexists('asset_ipv6_s', ''), - AssetLastAuthenticatedScanDate=column_ifexists('asset_last_authenticated_results_t', ''), - AssetLastUnauthenticatedScanDate=column_ifexists('asset_last_unauthenticated_results_t', ''), - AssetMACAddress=column_ifexists('asset_mac_address_s', ''), - AssetNetBIOSName=column_ifexists('asset_netbios_name_s', ''), - AssetNetworkID=column_ifexists('asset_network_id_g', ''), - AssetOperatingSystem=column_ifexists('asset_operating_system_s', ''), - AssetTracked=column_ifexists('asset_tracked_b', ''), - AssetUUID=column_ifexists('asset_uuid_g', ''), - Computer=column_ifexists('Computer', ''), - FirstFoundDate=column_ifexists('first_found_t', ''), - IndexedDate=column_ifexists('indexed_t', ''), - LastFixedDate=column_ifexists('last_fixed_t', ''), - LastFoundDate=column_ifexists('last_found_t', ''), - Output=column_ifexists('output_s', ''), - PluginBugtraqID=column_ifexists('plugin_bid_s', ''), - PluginCanvasPackage=column_ifexists('plugin_canvas_package_s', ''), - PluginChecksForDefaultAccount=column_ifexists('plugin_checks_for_default_account_b', ''), - PluginChecksForMalware=column_ifexists('plugin_checks_for_malware_b', ''), - PluginCPE=column_ifexists('plugin_cpe_s', ''), - PluginCVE=column_ifexists('plugin_cve_s', ''), - PluginCVSS3BaseScore=column_ifexists('plugin_cvss3_base_score_d', ''), - PluginCVSS3TemporalScore=column_ifexists('plugin_cvss3_temporal_score_d', ''), - PluginCVSS3TemporalVectorExploitability=column_ifexists('plugin_cvss3_temporal_vector_exploitability_s', ''), - PluginCVSS3TemporalVectorRaw=column_ifexists('plugin_cvss3_temporal_vector_raw_s', ''), - PluginCVSS3TemporalVectorRemediationLevel=column_ifexists('plugin_cvss3_temporal_vector_remediation_level_s', ''), - PluginCVSS3TemporalVectorReportConfidence=column_ifexists('plugin_cvss3_temporal_vector_report_confidence_s', ''), - PluginCVSS3VectorAccessComplexity=column_ifexists('plugin_cvss3_vector_access_complexity_s', ''), - PluginCVSS3VectorAccessVector=column_ifexists('plugin_cvss3_vector_access_vector_s', ''), - PluginCVSS3VectorAvailabilityImpact=column_ifexists('plugin_cvss3_vector_availability_impact_s', ''), - PluginCVSS3VectorConfidentialityImpact=column_ifexists('plugin_cvss3_vector_confidentiality_impact_s', ''), - PluginCVSS3VectorIntegrityImpact=column_ifexists('plugin_cvss3_vector_integrity_impact_s', ''), - PluginCVSS3VectorRaw=column_ifexists('plugin_cvss3_vector_raw_s', ''), - PluginCVSSBaseScore=column_ifexists('plugin_cvss_base_score_d', ''), - PluginCVSSTemporalScore=column_ifexists('plugin_cvss_temporal_score_d', ''), - PluginCVSSTemporalVectorRemediationLevel=column_ifexists('plugin_cvss_temporal_vector_remediation_level_s', ''), - PluginCVSSTemporalVectorReportConfidence=column_ifexists('plugin_cvss_temporal_vector_report_confidence_s', ''), - PluginCVSSVectorAccessComplexity=column_ifexists('plugin_cvss_vector_access_complexity_s', ''), - PluginCVSSVectorAccessVector=column_ifexists('plugin_cvss_vector_access_vector_s', ''), - PluginCVSSVectorAuthentication=column_ifexists('plugin_cvss_vector_authentication_s', ''), - PluginCVSSVectorAvailabilityImpact=column_ifexists('plugin_cvss_vector_availability_impact_s', ''), - PluginCVSSVectorConfidentialityImpact=column_ifexists('plugin_cvss_vector_confidentiality_impact_s', ''), - PluginCVSSVectorIntegrityImpact=column_ifexists('plugin_cvss_vector_integrity_impact_s', ''), - PluginCVSSVectorRaw=column_ifexists('plugin_cvss_vector_raw_s', ''), - PluginDescription=column_ifexists('plugin_description_s', ''), - PluginExploitabilityEase=column_ifexists('plugin_exploitability_ease_s', ''), - PluginExploitedByMalware=column_ifexists('plugin_exploited_by_malware_b', ''), - PluginExploitedByNessus=column_ifexists('plugin_exploited_by_nessus_b', ''), - PluginExploitAvailable=column_ifexists('plugin_exploit_available_b', ''), - PluginExploitFrameworkCanvas=column_ifexists('plugin_exploit_framework_canvas_b', ''), - PluginExploitFrameworkMetasploit=column_ifexists('plugin_exploit_framework_metasploit_b', ''), - PluginFamilyID=column_ifexists('plugin_family_id_d', ''), - PluginFamily=column_ifexists('plugin_family_s', ''), - PluginHasPatch=column_ifexists('plugin_has_patch_b', ''), - PluginID=column_ifexists('plugin_id_d', ''), - PluginInTheNews=column_ifexists('plugin_in_the_news_b', ''), - PluginMetasploitName=column_ifexists('plugin_metasploit_name_s', ''), - PluginMicrosoftBulletin=column_ifexists('plugin_ms_bulletin_s', ''), - PluginName=column_ifexists('plugin_name_s', ''), - PluginPatchPublicationDate=column_ifexists('plugin_patch_publication_date_t', ''), - PluginPublicationDate=column_ifexists('plugin_publication_date_t', ''), - PluginRiskFactor=column_ifexists('plugin_risk_factor_s', ''), - PluginSeeAlso=column_ifexists('plugin_see_also_s', ''), - PluginSolution=column_ifexists('plugin_solution_s', ''), - PluginSTIGSeverity=column_ifexists('plugin_stig_severity_s', ''), - PluginSynopsis=column_ifexists('plugin_synopsis_s', ''), - PluginType=column_ifexists('plugin_type_s', ''), - PluginUnsupportedByVendor=column_ifexists('plugin_unsupported_by_vendor_b', ''), - PluginUbuntuSecurityNotice=column_ifexists('plugin_usn_s', ''), - PluginVersion=column_ifexists('plugin_version_s', ''), - PluginVPRDriversAgeOfVulnLowerBound=column_ifexists('plugin_vpr_drivers_age_of_vuln_lower_bound_d', ''), - PluginVPRDriversAgeOfVulnUpperBound=column_ifexists('plugin_vpr_drivers_age_of_vuln_upper_bound_d', ''), - PluginVPRDriversCVSS3ImpactScore=column_ifexists('plugin_vpr_drivers_cvss3_impact_score_d', ''), - PluginVPRDriversCVSSImpactScorePredicted=column_ifexists('plugin_vpr_drivers_cvss_impact_score_predicted_b', ''), - PluginVPRDriversExploitCodeMaturity=column_ifexists('plugin_vpr_drivers_exploit_code_maturity_s', ''), - PluginVPRDriversProductCoverage=column_ifexists('plugin_vpr_drivers_product_coverage_s', ''), - PluginVPRDriversThreatIntensityLast28=column_ifexists('plugin_vpr_drivers_threat_intensity_last28_s', ''), - PluginVPRDriversThreatRecencyLowerBound=column_ifexists('plugin_vpr_drivers_threat_recency_lower_bound_d', ''), - PluginVPRDriversThreatRecencyUpperBound=column_ifexists('plugin_vpr_drivers_threat_recency_upper_bound_d', ''), - PluginVPRDriversThreatSourcesLast28=column_ifexists('plugin_vpr_drivers_threat_sources_last28_s', ''), - PluginVPRScore=column_ifexists('plugin_vpr_score_d', ''), - PluginVPRUpdatedDate=column_ifexists('plugin_vpr_updated_t', ''), - PluginVPRPublicationDate=column_ifexists('plugin_vuln_publication_date_t', ''), - PluginXRefs=column_ifexists('plugin_xrefs_s', ''), - PortNumber=column_ifexists('port_port_d', ''), - PortProtocol=column_ifexists('port_protocol_s', ''), - PortService=column_ifexists('port_service_s', ''), - ScanCompletedAtTime=column_ifexists('scan_completed_at_t', ''), - ScanScheduleUUID=column_ifexists('scan_schedule_uuid_s', ''), - ScanID=column_ifexists('scan_uuid_g', ''), - SeverityDefaultID=column_ifexists('severity_default_id_d', ''), - SeverityID=column_ifexists('severity_id_d', ''), - SeverityModificationType=column_ifexists('severity_modification_type_s', ''), - Severity=column_ifexists('severity_s', ''), - State=column_ifexists('state_s', '') -| project - AssetFQDN, - AssetIPV4, - AssetOperatingSystem, - Severity, - State, - PluginID, - PluginName, - PluginCVE, - PluginCPE, - PluginVPRScore, - PluginCVSS3BaseScore, - PluginCVSSBaseScore, - PluginFamily, - PluginDescription, - PluginSolution, - FirstFoundDate, - IndexedDate, - LastFixedDate, - LastFoundDate, - AssetLastAuthenticatedScanDate, - AssetLastUnauthenticatedScanDate, - AssetAgentUUID, - AssetBIOSUUID, - AssetDeviceType, - AssetHostname, - AssetIPV6, - AssetMACAddress, - AssetNetBIOSName, - AssetNetworkID, - AssetTracked, - AssetUUID, - Computer, - Output, - PluginBugtraqID, - PluginCanvasPackage, - PluginChecksForDefaultAccount, - PluginChecksForMalware, - PluginCVSS3TemporalScore, - PluginCVSS3TemporalVectorExploitability, - PluginCVSS3TemporalVectorRaw, - PluginCVSS3TemporalVectorRemediationLevel, - PluginCVSS3TemporalVectorReportConfidence, - PluginCVSS3VectorAccessComplexity, - PluginCVSS3VectorAccessVector, - PluginCVSS3VectorAvailabilityImpact, - PluginCVSS3VectorConfidentialityImpact, - PluginCVSS3VectorIntegrityImpact, - PluginCVSS3VectorRaw, - PluginCVSSTemporalScore, - PluginCVSSTemporalVectorRemediationLevel, - PluginCVSSTemporalVectorReportConfidence, - PluginCVSSVectorAccessComplexity, - PluginCVSSVectorAccessVector, - PluginCVSSVectorAuthentication, - PluginCVSSVectorAvailabilityImpact, - PluginCVSSVectorConfidentialityImpact, - PluginCVSSVectorIntegrityImpact, - PluginCVSSVectorRaw, - PluginExploitabilityEase, - PluginExploitedByMalware, - PluginExploitedByNessus, - PluginExploitAvailable, - PluginExploitFrameworkCanvas, - PluginExploitFrameworkMetasploit, - PluginFamilyID, - PluginHasPatch, - PluginInTheNews, - PluginMetasploitName, - PluginMicrosoftBulletin, - PluginPatchPublicationDate, - PluginPublicationDate, - PluginRiskFactor, - PluginSeeAlso, - PluginSTIGSeverity, - PluginSynopsis, - PluginType, - PluginUnsupportedByVendor, - PluginUbuntuSecurityNotice, - PluginVersion, - PluginVPRDriversAgeOfVulnLowerBound, - PluginVPRDriversAgeOfVulnUpperBound, - PluginVPRDriversCVSS3ImpactScore, - PluginVPRDriversCVSSImpactScorePredicted, - PluginVPRDriversExploitCodeMaturity, - PluginVPRDriversProductCoverage, - PluginVPRDriversThreatIntensityLast28, - PluginVPRDriversThreatRecencyLowerBound, - PluginVPRDriversThreatRecencyUpperBound, - PluginVPRDriversThreatSourcesLast28, - PluginVPRUpdatedDate, - PluginVPRPublicationDate, - PluginXRefs, - PortNumber, - PortProtocol, - PortService, - ScanCompletedAtTime, - ScanScheduleUUID, - ScanID, - SeverityDefaultID, - SeverityID, - SeverityModificationType, - EventVendor, - EventProduct, - EventType diff --git a/Solutions/Trend Micro Deep Security/Parsers/TrendMicroDeepSecurity b/Solutions/Trend Micro Deep Security/Parsers/TrendMicroDeepSecurity deleted file mode 100644 index a610b9c4bc5..00000000000 --- a/Solutions/Trend Micro Deep Security/Parsers/TrendMicroDeepSecurity +++ /dev/null @@ -1,34 +0,0 @@ -// Usage Instruction : -// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias as TrendMicroDeepSecurity. -// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. TrendMicroDeepSecurity | take 10). -// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions - -CommonSecurityLog -| where DeviceVendor has_any ("TrendMicro", "Trend Micro") -| extend DeviceCustomNumber1 = coalesce(column_ifexists("FieldDeviceCustomNumber1", long(null)),DeviceCustomNumber1), - DeviceCustomNumber2 = coalesce(column_ifexists("FieldDeviceCustomNumber2", long(null)),DeviceCustomNumber2), - DeviceCustomNumber3 = coalesce(column_ifexists("FieldDeviceCustomNumber3", long(null)),DeviceCustomNumber3) -| extend DeepSecurityHostID = DeviceCustomNumber1 -| extend DeepSecurityModuleName = -iff(toint(DeviceEventClassID) in (20,21,100,850,851,852,853,854),"Firewall", -iff(toint(DeviceEventClassID)>=1000000 and toint(DeviceEventClassID)<2000000,"Intrusion Prevention", -iff(toint(DeviceEventClassID)>=2000000 and toint(DeviceEventClassID)<3000000,"Integrity Monitoring", -iff(toint(DeviceEventClassID)>=3000000 and toint(DeviceEventClassID)<4000000,"Log Inspection", -iff(toint(DeviceEventClassID)>=4000000 and toint(DeviceEventClassID)<5000000,"Anti-Malware", -iff(toint(DeviceEventClassID)>=5000000 and toint(DeviceEventClassID)<6000000,"Web Reputation", -iff(toint(DeviceEventClassID)>=6000000 and toint(DeviceEventClassID)<7000000,"Application Control","System"))))))) -| extend actionReason = iff(DeepSecurityModuleName == "Application Control", DeviceCustomString1, "") -| extend sha1 = iff(DeepSecurityModuleName == "Application Control", DeviceCustomString2, "") -| extend md5 = iff(DeepSecurityModuleName == "Application Control", DeviceCustomString3, "") -| parse AdditionalExtensions with * "target=" target ";" * -| extend LIDescription = iff (DeepSecurityModuleName == "Log Inspection", DeviceCustomString1, "") -| extend FragmentationBits = iff (DeepSecurityModuleName == "Firewall", DeviceCustomString3, "") -| extend TCPFlags = iff (DeepSecurityModuleName == "Firewall" or DeepSecurityModuleName == "Intrusion Prevention", DeviceCustomString2, "") -| extend InfectedResource = iff(DeepSecurityModuleName == "Anti-Malware", DeviceCustomString3, "") -| extend ResourceType = iff(DeepSecurityModuleName == "Anti-Malware", DeviceCustomString4, "") -| extend RiskLevel = iff(DeepSecurityModuleName == "Anti-Malware", DeviceCustomString5, "") -| extend DPIStreamPosition = iff(DeepSecurityModuleName == "Intrusion Prevention", DeviceCustomString5, "") -| extend DPIFlags = iff(DeepSecurityModuleName == "Intrusion Prevention", DeviceCustomString6, "") -| extend DPIPacketPosition = iff(DeepSecurityModuleName == "Intrusion Prevention", DeviceCustomNumber3, 0) -| where DeviceProduct startswith "Deep Security" -| project-away DeviceCustomNumber1, DeviceCustomNumber1Label, DeviceCustomNumber2, DeviceCustomNumber2Label, DeviceCustomNumber3, DeviceCustomNumber3Label, DeviceCustomString1, DeviceCustomString1Label, DeviceCustomString2, DeviceCustomString2Label, DeviceCustomString3, DeviceCustomString3Label, DeviceCustomString4, DeviceCustomString4Label, DeviceCustomString5, DeviceCustomString5Label, DeviceCustomString6, DeviceCustomString6Label \ No newline at end of file diff --git a/Solutions/Vectra AI Stream/Parsers/VectraStream_function.kql b/Solutions/Vectra AI Stream/Parsers/VectraStream_function.kql deleted file mode 100644 index 728cf493a2e..00000000000 --- a/Solutions/Vectra AI Stream/Parsers/VectraStream_function.kql +++ /dev/null @@ -1,462 +0,0 @@ -// Title: Vectra AI Stream Parser -// Author: Fabien Guillot -// Version: 1.1 -// Last Updated: 10/04/2022 -// Comment: new attributes added -// -// Usage Instruction : -// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias as VectraStream -// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. VectraStream | take 10). -// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions -// -VectraStream_CL -| extend - EventVendor="Vectra AI", - EventProduct="Vectra Stream", - EventEndTime=column_ifexists('ts_d', ''), - metadata_type_s = column_ifexists('metadata_type_s', ''), - community_id_s = column_ifexists('community_id_s', ''), - id_ip_ver_s = column_ifexists('id_ip_ver_s', ''), - id_orig_h_s = column_ifexists('id_orig_h_s', ''), - id_orig_p_d = column_ifexists('id_orig_p_d', ''), - id_resp_h_s = column_ifexists('id_resp_h_s', ''), - id_resp_p_d = column_ifexists('id_resp_p_d', ''), - resp_hostname_s = column_ifexists('resp_hostname_s', ''), - local_orig_b = column_ifexists('local_orig_b', ''), - local_resp_b = column_ifexists('local_resp_b', ''), - orig_huid_s = column_ifexists('orig_huid_s', ''), - orig_hostname_s = column_ifexists('orig_hostname_s', ''), - orig_sluid_s = column_ifexists('orig_sluid_s', ''), - resp_huid_s = column_ifexists('resp_huid_s', ''), - resp_sluid_s = column_ifexists('resp_sluid_s', ''), - sensor_uid_s = column_ifexists('sensor_uid_s', ''), - uid_s = column_ifexists('uid_s', ''), - ts_d = column_ifexists('ts_d', ''), - error_s = column_ifexists('error_s', ''), - conn_state_s = column_ifexists('conn_state_s', ''), - duration_d = column_ifexists('duration_d', ''), - service_s = column_ifexists('service_s', ''), - proto_d = column_ifexists('proto_d', ''), - protoName_s = column_ifexists('protoName_s', ''), - orig_ip_bytes_d = column_ifexists('orig_ip_bytes_d', ''), - resp_ip_bytes_d = column_ifexists('resp_ip_bytes_d', ''), - orig_pkts_d = column_ifexists('orig_pkts_d', ''), - resp_pkts_d = column_ifexists('resp_pkts_d', ''), - session_start_time_d = column_ifexists('session_start_time_d', ''), - resp_domain_s = column_ifexists('resp_domain_s', ''), - orig_vlan_id_d = column_ifexists('orig_vlan_id_d', ''), - resp_vlan_id_d = column_ifexists('resp_vlan_id_d', ''), - first_orig_resp_data_pkt_s = column_ifexists('first_orig_resp_data_pkt_s', ''), - first_resp_orig_data_pkt_s = column_ifexists('first_resp_orig_data_pkt_s', ''), - first_orig_resp_data_pkt_time_d = column_ifexists('first_orig_resp_data_pkt_time_d', ''), - first_resp_orig_data_pkt_time_d = column_ifexists('first_resp_orig_data_pkt_time_d', ''), - first_orig_resp_pkt_time_d = column_ifexists('first_orig_resp_pkt_time_d', ''), - first_resp_orig_pkt_time_d = column_ifexists('first_resp_orig_pkt_time_d', ''), - resp_multihomed_b = column_ifexists('resp_multihomed_b', ''), - dir_confidence_d = column_ifexists('dir_confidence_d', ''), - //beacon specific attributes - beacon_type_s = column_ifexists('beacon_type_s', ''), - beacon_uid_s = column_ifexists('beacon_uid_s', ''), - first_event_time_d = column_ifexists('first_event_time_d', ''), - last_event_time_d = column_ifexists('last_event_time_d', ''), - resp_domains_s = column_ifexists('resp_domains_s', ''), - session_count_d = column_ifexists('session_count_d', ''), - //dcerpc - rtt_s = column_ifexists('rtt_s', ''), - endpoint_s = column_ifexists('endpoint_s', ''), - username_s = column_ifexists('username_s', ''), - hostname_s = column_ifexists('hostname_s', ''), - domain_s = column_ifexists('domain_s', ''), - operation_s = column_ifexists('operation_s', ''), - //dhcp - mac_s = column_ifexists('mac_s', ''), - assigned_ip_s = column_ifexists('assigned_ip_s', ''), - lease_time_d = column_ifexists('lease_time_d', ''), - trans_id_s = column_ifexists('trans_id_s', ''), - dhcp_server_ip_s = column_ifexists('dhcp_server_ip_s', ''), - dns_server_ips_s = column_ifexists('dns_server_ips_s', ''), - //dns - trans_id_d = column_ifexists('trans_id_d', ''), - query_s = column_ifexists('query_s', ''), - qclass_d = column_ifexists('qclass_d', ''), - qclass_name_s = column_ifexists('qclass_name_s', ''), - qtype_d = column_ifexists('qtype_d', ''), - qtype_name_s = column_ifexists('qtype_name_s', ''), - rcode_d = column_ifexists('rcode_d', ''), - rcode_name_s = column_ifexists('rcode_name_s', ''), - AA_b = column_ifexists('AA_b', ''), - TC_b = column_ifexists('TC_b', ''), - RD_b = column_ifexists('RD_b', ''), - RA_b = column_ifexists('RA_b', ''), - answers_s = column_ifexists('answers_s', ''), - TTLs_s = column_ifexists('TTLs_s', ''), - auth_s = column_ifexists('auth_s', ''), - total_answers_d = column_ifexists('total_answers_d', ''), - total_replies_d = column_ifexists('total_replies_d', ''), - rejected_b = column_ifexists('rejected_b', ''), - saw_query_b = column_ifexists('saw_query_b', ''), - saw_reply_b = column_ifexists('saw_reply_b', ''), - values_s = column_ifexists('values_s', ''), - //http - method_s = column_ifexists('method_s', ''), - host_s = column_ifexists('host_s', ''), - uri_s = column_ifexists('uri_s', ''), - referrer_s = column_ifexists('referrer_s', ''), - user_agent_s = column_ifexists('user_agent_s', ''), - request_body_len_d = column_ifexists('request_body_len_d', ''), - response_body_len_d = column_ifexists('response_body_len_d', ''), - orig_mime_types_s = column_ifexists('orig_mime_types_s', ''), - resp_mime_types_s = column_ifexists('resp_mime_types_s', ''), - status_code_d = column_ifexists('status_code_d', ''), - status_msg_s = column_ifexists('status_msg_s', ''), - proxied_s = column_ifexists('proxied_s', ''), - cookie_s = column_ifexists('cookie_s', ''), - cookie_vars_s = column_ifexists('cookie_vars_s', ''), - request_cache_control_s = column_ifexists('request_cache_control_s', ''), - response_cache_control_s = column_ifexists('response_cache_control_s', ''), - response_expires_s = column_ifexists('response_expires_s', ''), - request_header_count_d = column_ifexists('request_header_count_d', ''), - response_header_count_d = column_ifexists('response_header_count_d', ''), - is_proxied_b = column_ifexists('is_proxied_b', ''), - host_multihomed_b = column_ifexists('host_multihomed_b', ''), - resp_filename_s = column_ifexists('resp_filename_s', ''), - response_content_disposition_s = column_ifexists('response_content_disposition_s', ''), - //Kerberos - client_s = column_ifexists('client_s', ''), - data_source_s = column_ifexists('data_source_s', ''), - success_b = column_ifexists('success_b', ''), - error_code_s = column_ifexists('error_code_s', ''), - error_msg_s = column_ifexists('error_msg_s', ''), - request_type_s = column_ifexists('request_type_s', ''), - protocol_s = column_ifexists('protocol_s', ''), - reply_timestamp_d = column_ifexists('reply_timestamp_d', ''), - orig_host_observed_privilege_d = column_ifexists('orig_host_observed_privilege_d', ''), - req_ciphers_s = column_ifexists('req_ciphers_s', ''), - rep_cipher_s = column_ifexists('rep_cipher_s', ''), - //ldap - message_id_d = column_ifexists('message_id_d', ''), - base_object_s = column_ifexists('base_object_s', ''), - query_scope_s = column_ifexists('query_scope_s', ''), - result_s = column_ifexists('result_s', ''), - matched_dn_s = column_ifexists('matched_dn_s', ''), - attributes_s = column_ifexists('attributes_s', ''), - bind_error_count_d = column_ifexists('bind_error_count_d', ''), - encrypted_sasl_payload_count_d = column_ifexists('encrypted_sasl_payload_count_d', ''), - logon_failure_error_count_s = column_ifexists('logon_failure_error_count_s', ''), - response_bytes_s = column_ifexists('response_bytes_s', ''), - request_bytes_s = column_ifexists('request_bytes_s', ''), - result_code_s = column_ifexists('result_code_s', ''), - result_count_d = column_ifexists('result_count_d', ''), - is_query_b = column_ifexists('is_query_b', ''), - is_close_b = column_ifexists('is_close_b', ''), - //ntlm - status_d = column_ifexists('status_d', ''), - //rdp - keyboard_layout_s = column_ifexists('keyboard_layout_s', ''), - client_build_s = column_ifexists('client_build_s', ''), - date_s = column_ifexists('date_s', ''), - client_dig_protocol_id_d = column_ifexists('client_dig_protocol_id_d', ''), - client_dig_product_id_d = column_ifexists('client_dig_product_id_d', ''), - client_name_s = column_ifexists('client_name_s', ''), - desktop_width_d = column_ifexists('desktop_width_d', ''), - desktop_height_d = column_ifexists('desktop_height_d', ''), - //smbfiles - action_s = column_ifexists('action_s', ''), - delete_on_close_b = column_ifexists('delete_on_close_b', ''), - path_s = column_ifexists('path_s', ''), - name_s = column_ifexists('name_s', ''), - prev_name_s = column_ifexists('prev_name_s', ''), - version_s = column_ifexists('version_s', ''), - //smtp - helo_s = column_ifexists('helo_s', ''), - mail_from_s = column_ifexists('mail_from_s', ''), - rcpt_to_s = column_ifexists('rcpt_to_s', ''), - date_d = column_ifexists('date_d', ''), - from_s = column_ifexists('from_s', ''), - to_s = column_ifexists('to_s', ''), - cc_s = column_ifexists('cc_s', ''), - reply_to_s = column_ifexists('reply_to_s', ''), - msgid_d = column_ifexists('msgid_d', ''), - in_reply_to_s = column_ifexists('in_reply_to_s', ''), - subject_s = column_ifexists('subject_s', ''), - x_originating_ip_s = column_ifexists('x_originating_ip_s', ''), - first_received_s = column_ifexists('first_received_s', ''), - second_received_s = column_ifexists('second_received_s', ''), - useragent_s = column_ifexists('useragent_s', ''), - tls_s = column_ifexists('tls_s', ''), - spf_helo_s = column_ifexists('spf_helo_s', ''), - spf_mailfrom_s = column_ifexists('spf_mailfrom_s', ''), - dkim_status_s = column_ifexists('dkim_status_s', ''), - dmarc_status_s = column_ifexists('dmarc_status_s', ''), - //ssh - server_s = column_ifexists('server_s', ''), - cipher_alg_s = column_ifexists('cipher_alg_s', ''), - mac_alg_s = column_ifexists('mac_alg_s', ''), - compression_alg_s = column_ifexists('compression_alg_s', ''), - kex_alg_s = column_ifexists('kex_alg_s', ''), - host_key_alg_s = column_ifexists('host_key_alg_s', ''), - host_key_s = column_ifexists('host_key_s', ''), - hassh_g = column_ifexists('hassh_g', ''), - hasshServer_g = column_ifexists('hasshServer_g', ''), - //ssl - server_name_s = column_ifexists('server_name_s', ''), - established_b = column_ifexists('established_b', ''), - next_protocol_s = column_ifexists('next_protocol_s', ''), - cipher_s = column_ifexists('cipher_s', ''), - version_num_d = column_ifexists('version_num_d', ''), - curve_s = column_ifexists('curve_s', ''), - issuer_s = column_ifexists('issuer_s', ''), - client_issuer_s = column_ifexists('client_issuer_s', ''), - client_subject_s = column_ifexists('client_subject_s', ''), - client_version_num_d = column_ifexists('client_version_num_d', ''), - client_version_s = column_ifexists('client_version_s', ''), - client_extension_s = column_ifexists('client_extension_s', ''), - client_ec_point_format_s = column_ifexists('client_ec_point_format_s', ''), - client_curve_num_s = column_ifexists('client_curve_num_s', ''), - ja3_g = column_ifexists('ja3_g', ''), - ja3s_g = column_ifexists('ja3s_g', ''), - server_extensions_s = column_ifexists('server_extensions_s', ''), - //x509 - certificate_version_d = column_ifexists('certificate_version_d', ''), - certificate_serial_s = column_ifexists('certificate_serial_s', ''), - certificate_serial_g = column_ifexists('certificate_serial_g', ''), - certificate_subject_s = column_ifexists('certificate_subject_s', ''), - certificate_issuer_s = column_ifexists('certificate_issuer_s', ''), - certificate_key_alg_s = column_ifexists('certificate_key_alg_s', ''), - certificate_key_length_s = column_ifexists('certificate_key_length_s', ''), - certificate_key_type_s = column_ifexists('certificate_key_type_s', ''), - certificate_not_valid_after_d = column_ifexists('certificate_not_valid_after_d', ''), - certificate_not_valid_before_d = column_ifexists('certificate_not_valid_before_d', ''), - certificate_exponent_s = column_ifexists('certificate_exponent_s', ''), - certificate_sig_alg_s = column_ifexists('certificate_sig_alg_s', ''), - certificate_self_issued_b = column_ifexists('certificate_self_issued_b', ''), - certificate_curve_s = column_ifexists('certificate_curve_s', ''), - certificate_cn_s = column_ifexists('certificate_cn_s', ''), - san_dns_s = column_ifexists('san_dns_s', ''), - san_email_s = column_ifexists('san_email_s', ''), - san_ip_s = column_ifexists('san_ip_s', ''), - san_other_fields_b = column_ifexists('san_other_fields_b', ''), - basic_constraints_ca_b = column_ifexists('basic_constraints_ca_b', ''), - basic_constraints_path_len_d = column_ifexists('basic_constraints_path_len_d', ''), - certificate_serial = case(isnotempty(certificate_serial_s), certificate_serial_s, isnotempty(certificate_serial_g), certificate_serial_g, '') -| project-rename - metadata_type = metadata_type_s, - community_id = community_id_s, - id_ip_ver = id_ip_ver_s, - id_orig_h = id_orig_h_s, - id_orig_p = id_orig_p_d, - id_resp_h = id_resp_h_s, - id_resp_p = id_resp_p_d, - resp_hostname = resp_hostname_s, - local_orig = local_orig_b, - local_resp = local_resp_b, - orig_huid = orig_huid_s, - orig_hostname = orig_hostname_s, - orig_sluid = orig_sluid_s, - resp_huid = resp_huid_s, - resp_sluid = resp_sluid_s, - sensor_uid = sensor_uid_s, - uid = uid_s, - ts = ts_d, - error = error_s, - conn_state = conn_state_s, - duration = duration_d, - service = service_s, - proto = proto_d, - protoName = protoName_s, - orig_ip_bytes = orig_ip_bytes_d, - resp_ip_bytes = resp_ip_bytes_d, - orig_pkts = orig_pkts_d, - resp_pkts = resp_pkts_d, - session_start_time = session_start_time_d, - resp_domain = resp_domain_s, - orig_vlan_id = orig_vlan_id_d, - resp_vlan_id = resp_vlan_id_d, - first_orig_resp_data_pkt = first_orig_resp_data_pkt_s, - first_resp_orig_data_pkt = first_resp_orig_data_pkt_s, - first_orig_resp_data_pkt_time = first_orig_resp_data_pkt_time_d, - first_resp_orig_data_pkt_time = first_resp_orig_data_pkt_time_d, - first_orig_resp_pkt_time = first_orig_resp_pkt_time_d, - first_resp_orig_pkt_time = first_resp_orig_pkt_time_d, - resp_multihomed = resp_multihomed_b, - dir_confidence = dir_confidence_d, - //beacon specific attributes - beacon_type = beacon_type_s, - beacon_uid = beacon_uid_s, - first_event_time = first_event_time_d, - last_event_time = last_event_time_d, - resp_domains = resp_domains_s, - session_count = session_count_d, - //dcerpc - rtt = rtt_s, - endpoint = endpoint_s, - username = username_s, - hostname = hostname_s, - domain = domain_s, - operation = operation_s, - //dhcp - mac = mac_s, - assigned_ip = assigned_ip_s, - lease_time = lease_time_d, - dhcp_server_ip = dhcp_server_ip_s, - dns_server_ips = dns_server_ips_s, - //dns - trans_id = trans_id_d, - query = query_s, - qclass = qclass_d, - qclass_name = qclass_name_s, - qtype = qtype_d, - qtype_name = qtype_name_s, - rcode = rcode_d, - rcode_name = rcode_name_s, - AA = AA_b, - TC = TC_b, - RD = RD_b, - RA = RA_b, - answers = answers_s, - TTLs = TTLs_s, - auth = auth_s, - total_answers = total_answers_d, - total_replies = total_replies_d, - rejected = rejected_b, - saw_query = saw_query_b, - saw_reply = saw_reply_b, - values = values_s, - //http - method = method_s, - host = host_s, - uri = uri_s, - referrer = referrer_s, - user_agent = user_agent_s, - request_body_len = request_body_len_d, - response_body_len = response_body_len_d, - orig_mime_types = orig_mime_types_s, - resp_mime_types = resp_mime_types_s, - status_code = status_code_d, - status_msg = status_msg_s, - proxied = proxied_s, - cookie = cookie_s, - cookie_vars = cookie_vars_s, - request_cache_control = request_cache_control_s, - response_cache_control = response_cache_control_s, - response_expires = response_expires_s, - request_header_count = request_header_count_d, - response_header_count = response_header_count_d, - is_proxied = is_proxied_b, - host_multihomed = host_multihomed_b, - resp_filename = resp_filename_s, - response_content_disposition = response_content_disposition_s, - //Kerberos - client = client_s, - data_source = data_source_s, - success = success_b, - error_code = error_code_s, - error_msg = error_msg_s, - request_type = request_type_s, - protocol = protocol_s, - reply_timestamp = reply_timestamp_d, - orig_host_observed_privilege = orig_host_observed_privilege_d, - req_ciphers = req_ciphers_s, - rep_cipher = rep_cipher_s, - //ldap - message_id = message_id_d, - base_object = base_object_s, - query_scope = query_scope_s, - result = result_s, - matched_dn = matched_dn_s, - attributes = attributes_s, - bind_error_count = bind_error_count_d, - encrypted_sasl_payload_count = encrypted_sasl_payload_count_d, - logon_failure_error_count = logon_failure_error_count_s, - response_bytes = response_bytes_s, - request_bytes = request_bytes_s, - result_code = result_code_s, - result_count = result_count_d, - is_query = is_query_b, - is_close = is_close_b, - //ntlm - status = status_d, - //rdp - keyboard_layout = keyboard_layout_s, - client_build = client_build_s, - client_dig_protocol_id = client_dig_protocol_id_d, - client_dig_product_id = client_dig_product_id_d, - client_name = client_name_s, - desktop_width = desktop_width_d, - desktop_height = desktop_height_d, - //smbfiles - action = action_s, - delete_on_close = delete_on_close_b, - path = path_s, - name = name_s, - prev_name = prev_name_s, - version = version_s, - //smtp - helo = helo_s, - mail_from = mail_from_s, - rcpt_to = rcpt_to_s, - date_msg = date_d, - from = from_s, - to_msg = to_s, - cc = cc_s, - reply_to = reply_to_s, - msgid = msgid_d, - in_reply_to = in_reply_to_s, - subject = subject_s, - x_originating_ip = x_originating_ip_s, - first_received = first_received_s, - second_received = second_received_s, - useragent = useragent_s, - tls = tls_s, - spf_helo = spf_helo_s, - spf_mailfrom = spf_mailfrom_s, - dkim_status = dkim_status_s, - dmarc_status = dmarc_status_s, - //ssh - server = server_s, - cipher_alg = cipher_alg_s, - mac_alg = mac_alg_s, - compression_alg = compression_alg_s, - kex_alg = kex_alg_s, - host_key_alg = host_key_alg_s, - host_key = host_key_s, - hassh = hassh_g, - hasshServer = hasshServer_g, - //ssl - server_name = server_name_s, - established = established_b, - next_protocol = next_protocol_s, - cipher = cipher_s, - version_num = version_num_d, - curve = curve_s, - issuer = issuer_s, - client_issuer = client_issuer_s, - client_subject = client_subject_s, - client_version_num = client_version_num_d, - client_version = client_version_s, - client_extension = client_extension_s, - client_ec_point_format = client_ec_point_format_s, - client_curve_num = client_curve_num_s, - ja3 = ja3_g, - ja3s = ja3s_g, - server_extensions = server_extensions_s, - //x509 - certificate_version = certificate_version_d, - certificate_subject = certificate_subject_s, - certificate_issuer = certificate_issuer_s, - certificate_key_alg = certificate_key_alg_s, - certificate_key_length = certificate_key_length_s, - certificate_key_type = certificate_key_type_s, - certificate_not_valid_after = certificate_not_valid_after_d, - certificate_not_valid_before = certificate_not_valid_before_d, - certificate_exponent = certificate_exponent_s, - certificate_sig_alg = certificate_sig_alg_s, - certificate_self_issued = certificate_self_issued_b, - certificate_curve = certificate_curve_s, - certificate_cn = certificate_cn_s, - san_dns = san_dns_s, - san_email = san_email_s, - san_ip = san_ip_s, - san_other_fields = san_other_fields_b, - basic_constraints_ca = basic_constraints_ca_b, - basic_constraints_path_len = basic_constraints_path_len_d \ No newline at end of file diff --git a/Solutions/Vectra XDR/Parsers/VectraAudits.txt b/Solutions/Vectra XDR/Parsers/VectraAudits.txt deleted file mode 100644 index b994bf41d06..00000000000 --- a/Solutions/Vectra XDR/Parsers/VectraAudits.txt +++ /dev/null @@ -1,46 +0,0 @@ -// Usage Instruction : -// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias (e.g. VectraAudits). -// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. VectraAudits | take 10). -// References : -// Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions -// Tech Community Blog on KQL Functions : https://techcommunity.microsoft.com/t5/Azure-Sentinel/Using-KQL-functions-to-speed-up-analysis-in-Azure-Sentinel/ba-p/712381 -// -let VectraAudits_view = view () { - Audits_Data_CL - | extend - EventVendor="VectraAudits", - EventProduct="VectraAudits", - ID = column_ifexists('id_d', ''), - ["User ID"] = column_ifexists('user_id_d', ''), - Username = column_ifexists('username_s', ''), - ["User Type"] = column_ifexists('user_type_s', ''), - ["User Role"] = column_ifexists('user_role_s', ''), - Version = column_ifexists('version_s', ''), - ["Source IP"] = column_ifexists('source_ip_s', ''), - ["Event Timestamp"] = column_ifexists('event_timestamp_t', ''), - Message = column_ifexists('Message', ''), - Status = column_ifexists('result_status_s', ''), - ["Event Data"] = column_ifexists('event_data_s', ''), - ["Event Object"] = column_ifexists('event_object_s', ''), - ["Event Action"] = column_ifexists('event_action_s', ''), - ["API Client ID"] = column_ifexists('api_client_id_g', '') - | project - TimeGenerated, - EventVendor, - EventProduct, - ID, - ['User ID'], - Username, - ['User Type'], - ["User Role"], - Version, - ['Source IP'], - ['Event Timestamp'], - Message, - Status, - ["Event Data"], - ['Event Object'], - ['Event Action'], - ['API Client ID'] -}; -VectraAudits_view \ No newline at end of file diff --git a/Solutions/Vectra XDR/Parsers/VectraDetections.txt b/Solutions/Vectra XDR/Parsers/VectraDetections.txt deleted file mode 100644 index c7b61fd88ed..00000000000 --- a/Solutions/Vectra XDR/Parsers/VectraDetections.txt +++ /dev/null @@ -1,61 +0,0 @@ -// Usage Instruction : -// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias (e.g. VectraDetections). -// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. VectraDetections | take 10). -// References : -// Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions -// Tech Community Blog on KQL Functions : https://techcommunity.microsoft.com/t5/Azure-Sentinel/Using-KQL-functions-to-speed-up-analysis-in-Azure-Sentinel/ba-p/712381 -// -let VectraDetections_view = view () { - Detections_Data_CL - | extend - EventVendor="VectraDetections", - EventProduct="VectraDetections", - ID = column_ifexists('id_d', ''), - ["Detection Category"] = column_ifexists('Category', ''), - ["Is Triaged"] = column_ifexists('triaged_b', ''), - ["Detection Name"] = column_ifexists('detection_type_s', ''), - ["D Type Vname"] = column_ifexists('d_type_vname_s', ''), - ["Detection ID"] = column_ifexists('detection_id_d', ''), - ["Vectra Pivot"] = column_ifexists('detection_href_s', ''), - ["Entity ID"] = toint(column_ifexists('entity_id_d', '')), - URL = column_ifexists('url_s', ''), - ["Entity UID"] = column_ifexists('entity_uid_s', ''), - ["Last Updated"] = column_ifexists('event_timestamp_t', ''), - ["Details"] = column_ifexists('detail_s', ''), - Severity = column_ifexists('Severity', ''), - ["Source IP"] = column_ifexists('src_ip_s', ''), - ["Detection Details"] = column_ifexists('d_detection_details_s', ''), - ["Normal Domains"] = column_ifexists('normal_domains_s', ''), - ["Is Targeting Key Asset"] = column_ifexists('is_targeting_key_asset_s', ''), - ["Source Host"] = column_ifexists('src_host_s', ''), - Summary = column_ifexists('summary_s', ''), - ["Grouped Details"] = column_ifexists('grouped_details_s', '') - | extend - ["Vectra Pivot"] = case(isnotempty(['Vectra Pivot']), strcat(['Vectra Pivot'], "&pivot=Vectra-Sentinel-1.0.0"), ['Vectra Pivot']), - URL = case(isnotempty(URL), strcat(URL, "?pivot=Vectra-Sentinel-1.0.0"), URL) - | project - TimeGenerated, - EventVendor, - EventProduct, - ID, - ["Detection Category"], - ["Is Triaged"], - ["Detection Name"], - ["D Type Vname"], - ["Detection ID"], - ["Vectra Pivot"], - ["Entity ID"], - URL, - ["Entity UID"], - ["Last Updated"], - ["Details"], - Severity, - ["Source IP"], - ["Detection Details"], - ["Normal Domains"], - ["Is Targeting Key Asset"], - ["Source Host"], - Summary, - ["Grouped Details"] -}; -VectraDetections_view \ No newline at end of file diff --git a/Solutions/Vectra XDR/Parsers/VectraEntityScoring.txt b/Solutions/Vectra XDR/Parsers/VectraEntityScoring.txt deleted file mode 100644 index 00c25e93705..00000000000 --- a/Solutions/Vectra XDR/Parsers/VectraEntityScoring.txt +++ /dev/null @@ -1,57 +0,0 @@ -// Usage Instruction : -// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias (e.g. VectraEntityScoring). -// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. VectraEntityScoring | take 10). -// References : -// Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions -// Tech Community Blog on KQL Functions : https://techcommunity.microsoft.com/t5/Azure-Sentinel/Using-KQL-functions-to-speed-up-analysis-in-Azure-Sentinel/ba-p/712381 -// -let VectraEntityScoring_view = view () { - Entity_Scoring_Data_CL - | extend - EventVendor="VectraEntityScoring", - EventProduct="VectraEntityScoring", - ID = column_ifexists('id_d', ''), - ["Entity ID"] = column_ifexists('entity_id_d', ''), - ["Active Detection Types"] = column_ifexists('active_detection_types_s', ''), - ["Breadth Contrib"] = column_ifexists('breadth_contrib_d', ''), - Category = column_ifexists('Category', ''), - Importance = column_ifexists('importance_d', ''), - Type = column_ifexists('type_s', ''), - ["Last Updated"] = column_ifexists('event_timestamp_t', ''), - ["Is Prioritized"] = column_ifexists('is_prioritized_b', ''), - ["Last Detection ID"] = column_ifexists('last_detection_id_d', ''), - ["Last Detection Type"] = column_ifexists('last_detection_type_s', ''), - ["Last Detection URL"] = column_ifexists('last_detection_url_s', ''), - ["Last Detection"] = column_ifexists('last_detection_s', ''), - Name = column_ifexists('name_s', ''), - Severity = column_ifexists('severity_s', ''), - ["Urgency Score"] = column_ifexists('urgency_score_d', ''), - ["Vectra Pivot"] = column_ifexists('url_s', ''), - Velocity = column_ifexists('velocity_contrib_d', ''), - ["Attack Rating"] = column_ifexists('attack_rating_d', '') - | extend ["Vectra Pivot"] = case(isnotempty(['Vectra Pivot']), strcat(['Vectra Pivot'], "?pivot=Vectra-Sentinel-1.0.0"), ['Vectra Pivot']) - | project - TimeGenerated, - EventVendor, - EventProduct, - ID, - ["Entity ID"], - Name, - Importance, - Type, - ["Is Prioritized"], - Severity, - ["Urgency Score"], - ["Vectra Pivot"], - Category, - ["Last Detection URL"], - ["Last Detection Type"], - ["Last Detection ID"], - ["Last Detection"], - ["Active Detection Types"], - ["Last Updated"], - ["Breadth Contrib"], - Velocity, - ["Attack Rating"] -}; -VectraEntityScoring_view \ No newline at end of file diff --git a/Solutions/Vectra XDR/Parsers/VectraHealth.txt b/Solutions/Vectra XDR/Parsers/VectraHealth.txt deleted file mode 100644 index c3f815d2fed..00000000000 --- a/Solutions/Vectra XDR/Parsers/VectraHealth.txt +++ /dev/null @@ -1,44 +0,0 @@ -// Usage Instruction : -// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias (e.g. VectraHealth). -// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. VectraHealth | take 10). -// References : -// Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions -// Tech Community Blog on KQL Functions : https://techcommunity.microsoft.com/t5/Azure-Sentinel/Using-KQL-functions-to-speed-up-analysis-in-Azure-Sentinel/ba-p/712381 -// -let VectraHealth_view = view () { - Health_Data_CL - | extend - EventVendor="VectraHealth", - EventProduct="VectraHealth", - ['Last Updated'] = column_ifexists('system_version_last_update_s', ''), - ['CPU Usage - User (%)'] = column_ifexists('cpu_user_percent_d', ''), - ['CPU Usage - System (%)'] = column_ifexists('cpu_system_percent_d', ''), - ['CPU Usage - Idle (%)'] = column_ifexists('cpu_idle_percent_d', ''), - ['Disk Utilization (%)'] = column_ifexists('disk_disk_utilization_usage_percent_d', ''), - ['Memory Utilization (%)'] = column_ifexists('memory_usage_percent_d', ''), - ['Power Status'] = column_ifexists('power_status_s', ''), - ['Power Error'] = column_ifexists('power_error_s', ''), - Network = column_ifexists('network_s', ''), - Sensors = column_ifexists('sensors_s', ''), - Connectivity_Sensors = column_ifexists('connectivity_sensors_s', ''), - System_Version_Last_Update = column_ifexists('system_version_last_update_s', ''), - Trafficdrop_Sensors = column_ifexists('trafficdrop_sensors_s', '') - | project - TimeGenerated, - EventVendor, - EventProduct, - System_Version_Last_Update, - ['Last Updated'], - ['CPU Usage - User (%)'], - ['CPU Usage - System (%)'], - ['CPU Usage - Idle (%)'], - ['Disk Utilization (%)'], - ['Memory Utilization (%)'], - ['Power Status'], - ['Power Error'], - Network, - Sensors, - Connectivity_Sensors, - Trafficdrop_Sensors -}; -VectraHealth_view() \ No newline at end of file diff --git a/Solutions/Vectra XDR/Parsers/VectraLockdown.txt b/Solutions/Vectra XDR/Parsers/VectraLockdown.txt deleted file mode 100644 index 2fef70455de..00000000000 --- a/Solutions/Vectra XDR/Parsers/VectraLockdown.txt +++ /dev/null @@ -1,34 +0,0 @@ -// Usage Instruction : -// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias (e.g. VectraLockdown). -// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. VectraLockdown | take 10). -// References : -// Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions -// Tech Community Blog on KQL Functions : https://techcommunity.microsoft.com/t5/Azure-Sentinel/Using-KQL-functions-to-speed-up-analysis-in-Azure-Sentinel/ba-p/712381 -// -let VectraLockdown_view = view () { - Lockdown_Data_CL - | extend - EventVendor="VectraLockdown", - EventProduct="VectraLockdown", - ID = column_ifexists('id_d', ''), - ["Entity ID"] = column_ifexists('entity_id_d', ''), - ["Entity Name"] = column_ifexists('entity_name_s', ''), - ["Entity Type"] = column_ifexists('entity_type_s ', ''), - Type = column_ifexists('type_s', ''), - ["Locked Date"] = column_ifexists('lock_event_timestamp_t', ''), - ["Unlock Date"] = column_ifexists('unlock_event_timestamp_t', ''), - ["Locked By"] = column_ifexists('locked_by_s', '') - | project - TimeGenerated, - EventVendor, - EventProduct, - ID, - ["Entity ID"], - ["Entity Name"], - ["Entity Type"], - Type, - ["Locked Date"], - ["Unlock Date"], - ["Locked By"] -}; -VectraLockdown_view() \ No newline at end of file diff --git a/Solutions/iboss/Parsers/ibossUrlEvent.txt b/Solutions/iboss/Parsers/ibossUrlEvent.txt deleted file mode 100644 index fbda45f59a4..00000000000 --- a/Solutions/iboss/Parsers/ibossUrlEvent.txt +++ /dev/null @@ -1,37 +0,0 @@ -// Usage Instructions: -// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name as ibossUrlEvent and specifying Legacy Category. -// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. ibossUrlEvent | take 10). -// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions -CommonSecurityLog -| where DeviceVendor == "iboss" and FlexString2 == "URL" -| extend DeviceCustomNumber1 = coalesce(column_ifexists("FieldDeviceCustomNumber1", long(null)),DeviceCustomNumber1), - DeviceCustomNumber2 = coalesce(column_ifexists("FieldDeviceCustomNumber2", long(null)),DeviceCustomNumber2) -| project-rename EventVendor=DeviceVendor - , EventProduct=DeviceProduct - , EventProductVersion=DeviceVersion - , EventResult=DeviceEventClassID - , EventResultDetails=FlexNumber1 - , DvcAction=DeviceAction - , RuleName=FlexString1 - , SrcPortNumber=SourcePort - , SrcIpAddr=SourceIP - , SrcMacAddr=SourceMACAddress - , SrcUsername=SourceUserName - , SrcBytes=SentBytes - , DstPortNumber=DestinationPort - , DstIpAddr=DestinationIP - , DstBytes=ReceivedBytes - , Domain=DestinationHostName - , Url=RequestURL - , UrlCategory=DeviceCustomString2 - , HttpRequestMethod=RequestMethod - , HttpUserAgent=RequestClientApplication - , FileSHA256=DeviceCustomString3 - , ThreatName=DeviceCustomString1 - , MalwareDetected=DeviceCustomNumber1 - , CNCDetected=DeviceCustomNumber2 -| extend NetworkBytes=SrcBytes+DstBytes - , EventTime=todatetime(DeviceCustomDate1) -| project-away DeviceCustom* - , FlexNumber* - , FlexString*